Security News and Many Holes in Proprietary Software
-
OpenSSF (Linux Foundation) ☛ Hack to the Future: The Impact and Legacy of the DARPA AIxCC Challenge
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (freerdp, glib2, libsoup3, and openexr), Debian (dnsmasq, p7zip, p7zip-rar, python-authlib, and rails), Fedora (chromium, firefox, httpd, and nss), SUSE (java-25-openj9, krb5, libmodsecurity3, and mcphost), and Ubuntu (imagemagick, linux, linux-aws, linux-aws-fips, linux-aws-hwe, linux-azure-4.15, linux-fips, linux-gcp, linux-gcp-4.15, linux-gcp-fips, linux-hwe, linux-kvm, linux-oracle, linux-azure, linux-azure-fips, linux-oracle, linux-azure-5.15, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, and linux-raspi).
-
Security Week ☛ Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware
CRPx0 is a complex, stealthy malware campaign that targets macOS and backdoored Windows systems, and appears to have GNU/Linux capabilities in development.
-
OpenSSF (Linux Foundation) ☛ Secure Coding Guide for Python (pyscg) First Release
New developers require a single, framework-independent resource to establish a baseline in secure coding practices.
Python is one of the most widely adopted programming languages in the world, powering everything from web applications and data pipelines to AI/ML systems and cloud infrastructure.
-
New York Times ☛ Is Anthropic’s Claude Mythos Really a Cybersecurity Risk?
Anthropic said that Claude Mythos was too dangerous to release to the public. That claim has reopened an old debate over cybersecurity.
-
Security Week ☛ SAP Patches Critical S/4HANA, Commerce Vulnerabilities
The flaws could allow attackers to inject malicious code, leading to information disclosure and code execution.
-
Security Week ☛ West Pharmaceutical Services Hit by Disruptive Ransomware Attack
The company took systems offline globally after hackers exfiltrated data and deployed file-encrypting ransomware.
-
Security Week ☛ BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months
Threat actors obtained names and contact information for an unspecified number of BWH Hotels guests.
-
Scoop News Group ☛ ‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack
The campaign hit major registries and hid behind legitimate-looking release signatures, showing how attackers can weaponize the software update process itself.
-
Scoop News Group ☛ Google and Amnesty International teamed up to make it harder for spyware vendors to hide
Intrusion Logging marks the first feature from a major device vendor to aid with forensic detection of sophisticated threats, Amnesty International said.
-
Unicorn Media ☛ Exim Mail Server Hit by “Dead.Letter” TLS Flaw, Admins Told to Upgrade
Use-after-free bug in Exim’s GnuTLS BDAT handling lets remote attackers corrupt memory, with no workaround other than upgrading to version 4.99.3.
-
Securing Server Identities: Strategies for Linux and Windows Environments
Don’t miss this webinar focused on the critical security of Linux and Windows servers, the backbone of your enterprise operations. With cyberattacks on the rise, it’s more important than ever to understand the unique challenges that server security requirements pose. We’ll discuss effective strategies for mitigating risks, including the implementation of best practices and leveraging cutting-edge security solutions. Our expert speakers will provide valuable insights to help you fortify your organization’s defenses.
-
Apple and Microsoft TCO
-
OMG Ubuntu ☛ Downloaded Cemu for GNU/Linux recently? You may have malware
If you’ve downloaded the Cemu Wii U emulator for GNU/Linux from the project’s official Microsoft's proprietary prison GitHub in the past few weeks, bad news: it may have added malware to your system when you ran it. The team who develop the open-source emulator recently discovered that both the GNU/Linux AppImage and ZIP package of Cemu 2.6 on Microsoft's proprietary prison GitHub were “compromised” packages containing malware.
-
Krebs On Security ☛ Patch Tuesday, May 2026 Edition
Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers -- including Apple, Google, Microsoft, Mozilla and Oracle -- fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases.
-
Scoop News Group ☛ Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday, including 13 rated critical
The high volume of vulnerabilities reflects a growing trend researchers have been anticipating as artificial intelligence models are deployed to find previously uncovered defects in code.
-
Security Week ☛ Microsoft Patches 137 Vulnerabilities
Fresh security updates resolve critical flaws in Azure, Windows, Dynamics 365, and the SSO Plugin for Jira & Confluence.
-
SANS ☛ Microsoft May 2026 Patch Tuesday, (Tue, May 12th)
Today's Abusive Monopolist Microsoft patch Tuesday fixes 137 different vulnerabilities. In addition, the update addresses 137 Chromium-related issues affecting Abusive Monopolist Microsoft Edge.
-
Security Week ☛ Apple Patches Dozens of Vulnerabilities in macOS, iOS
The tech giant has also ported the patch for a recent deleted chats recovery issue to older versions of iOS.
-
Tom's Hardware ☛ Compromised Mistral Hey Hi (AI) and TanStack packages may have exposed Microsoft's proprietary prison GitHub, cloud and CI/CD credentials in 'mini Shai Hulud' malware infection — supply-chain campaign spreads across npm and Hey Hi (AI) developer ecosystems like wildfire
Microsoft says attackers compromised the mistralai PyPI package with malware that executed on import, while researchers link related npm compromises affecting TanStack and Mistral SDKs to the broader “Mini Shai-Hulud” supply-chain campaign.
-
Confidentiality
-
Hong Kong Free Press ☛ Over 72,000 students and staff at Hong Kong educational institutions affected in Canvas hack
A global cyberattack on online learning platform Canvas has compromised the personal information of more than 72,000 students and staff at Hong Kong schools and universities, according to the city’s privacy watchdog.
-
New York Times ☛ Instructure Strikes Deal for Hackers for Return of Canvas Data
Instructure, which provides Canvas software to thousands of schools and universities around the world, did not say what it had given the hackers in exchange for the stolen data.
-
Security Week ☛ Deal Reached With Hackers to Delete Data Stolen From the Canvas Educational Platform
The company that operates online learning system Canvas said it struck a deal with hackers to delete the data they pilfered in a cyberattack that created chaos for students, many of them in the middle of finals.
-