
HackingPassion.com

Hacking is not a hobby but a way of life ♥

Reaper Bypasses Apple Security to Steal macOS Passwords and Hijack Crypto Wallets

Reaper swipes macOS passwords and crypto wallets, backdoors the machine, and pretends to be Apple, Microsoft, and Google in the same attack. Apple shipped an update in March to stop exactly this. Reaper already bypasses it.

Reaper belongs to a malware family called SHub Stealer, active since April 2025. SHub grew out of an earlier macOS stealer called MacSync, which itself was built on a foundation called Mac.c, first spotted in April 2025. Within months it turned into a commercial crime service, meaning the people who built the infrastructure rent access to different operators who run their own campaigns with their own targets and lures. Researchers at Malwarebytes, Jamf, Moonlock, and Microsoft’s Defender Security Research team had already documented earlier variants, but this version of Reaper does things none of the earlier builds could: a bypass of Apple’s latest security update, a persistent backdoor that survives reboots, and a method for permanently hijacking installed crypto wallet applications without triggering a single security warning.

MiniPlasma Windows Zero Day Gives Any User SYSTEM Access on a Fully Patched Machine

A Windows zero-day called MiniPlasma gives any standard user full SYSTEM access on a fully patched machine. Microsoft patched it in December 2020, assigned it CVE-2020-17103, and marked it as fixed. Five and a half years later, the original Google proof-of-concept runs on a machine with all current updates installed without changing a single line of code and opens a SYSTEM shell. Microsoft patched this in 2020. It’s still there.

Google Catches the First AI Built Zero-Day and Stops a Mass Attack Before It Starts

Google caught a criminal group that used AI to find a zero-day in a popular web admin tool and had a working exploit ready for a mass attack against thousands of systems. Google has never named the tool. The attack never launched. What gave them away was a CVSS severity score inside the code for a vulnerability that has never been officially rated. The AI made up a number that does not exist.

ssh-keysign-pwn Lets Any Linux User Steal SSH Keys and Password Hashes Without Root

ssh-keysign-pwn is a newly disclosed Linux kernel vulnerability that gives any unprivileged local user direct access to the SSH host private keys of a server and every password hash stored on the system. It was reported on May 14, 2026, and a working exploit was on GitHub within hours of the patch landing.

The bug lives in a piece of kernel code called __ptrace_may_access(). This is the security check the kernel runs every time one program wants to look inside another program: reading its memory, accessing its open files. The kernel runs this check and asks: is this target process marked as safe to inspect, and does the caller have the right to do this? If either answer is no, access is denied. That is how it is supposed to work.

YellowKey Bypasses BitLocker on Windows 11 Using Nothing But a Folder on a USB Stick

A folder copied to a USB stick is enough to bypass BitLocker encryption on Windows 11 and Windows Server 2022 and 2025, giving an attacker with a few minutes of physical access a command prompt with unrestricted access to everything on the encrypted drive.

The tool is called YellowKey. It was published on May 12, 2026, as a working proof of concept on GitHub. Windows 10 is not affected. There is no patch. Microsoft has not assigned a CVE number. And the researcher who found it believes it looks like something that was put there deliberately.

NGINX Has Had This Bug Since 2008 and One Request Is Enough to Trigger It

NGINX Rift: An 18-year-old memory corruption bug in NGINX, the web server running on roughly one-third of all websites globally, lets an unauthenticated attacker crash a server with a single crafted HTTP request. On systems where ASLR is disabled, that same request achieves remote code execution. The bug has been in every standard build since 2008. It was publicly disclosed yesterday, after being found by an AI system in six hours.

A Critical Windows DNS Flaw Lets Attackers Run Code on Any Machine Without Logging In

Microsoft patched a critical heap buffer overflow in the Windows DNS Client. An attacker needs no account and no help from the person sitting at the machine to trigger it. Every Windows machine that performs DNS lookups is potentially in scope, and every Windows machine performs DNS lookups constantly.

The vulnerability is tracked as CVE-2026-41096 with a CVSS score of 9.8. It sits in a component called dnsapi.dll, the file that handles DNS lookups on every Windows machine. DNS, which stands for Domain Name System, is the system that translates domain names into IP addresses so computers know where to connect. Every time a browser loads a page, an application connects to a server, a VPN connection is established, or Windows checks for updates, the system sends out a DNS query asking what IP address belongs to a given name. The DNS Client receives the answer, processes it, and passes it along.

MacSync Malware Spreads Through Claude.ai and Replaces Your Crypto Wallet Apps

MacSync is spreading through Google ads that lead directly to claude.ai. The installation guide there was written by Claude itself. One Terminal command and the malware is running, your credentials are gone, and your crypto wallet applications have been replaced.

Security researcher Berk Albayrak spotted an active version of this campaign on May 9, 2026, and posted his findings on X. Researcher g0njxa also published findings on X tracing the campaign infrastructure. BleepingComputer independently confirmed a second variant running on completely separate infrastructure.

GhostLock Delivers Ransomware Impact on Windows Without Touching a Single File

GhostLock locks every shared file on any Windows network in minutes using nothing but a standard login, and every security tool watching stays completely silent. This has been possible for over 30 years. Microsoft is not going to patch this.

Security researcher Kim Dvash published the proof of concept in May 2026, after discovering the technique during a prior authorized red team engagement.

SMB is the protocol Windows uses to share files across a network. When a program opens a file over SMB, it tells Windows how it wants to share that file with other programs at the same time. Set that sharing mode to zero using a parameter called dwShareMode in the CreateFileW API call, and Windows grants an exclusive deny-share handle. While that handle is held open, every other process, user, or system trying to open the same file gets back one thing:

PamDOORa Steals SSH Credentials on Linux by Hiding Inside PAM Where No Antivirus Looks

A backdoor called PamDOORa targets Linux systems through PAM and steals SSH credentials from every user who logs in. It leaves no trace in process lists, antivirus, or logs. When the security team connects via SSH to investigate, their credentials get stolen too.

When someone logs into a Linux server, the system runs PAM to check the password. PAM stands for Pluggable Authentication Modules, and it handles authentication for everything that requires a login: SSH, sudo, the login prompt. Instead of building that check into each program separately, Linux sends everything through PAM using configuration files stored in /etc/pam.d/, one file per service. The file for SSH is /etc/pam.d/sshd. It tells PAM which modules to run, in what order, and what to do when one fails.