The week of May 4, 2026 delivered a dense run of security incidents: a breach at a major medical device maker, a wave of AI-enabled offensive tooling, an actively exploited hosting-panel zero-day, and a ransomware strain that destroys data instead of encrypting it. Several stories share a common thread — AI development tools are now both targets and unwitting accomplices in attacks. Below is a technical breakdown of the most consequential developments, with the deepest detail reserved for the Cursor agent flaw (CVE-2026-26268), where public reproduction and detection material exists.
Breaches and intrusions
Medtronic. The medical device manufacturer reported unauthorized access to its corporate IT environment. The company says products, manufacturing, and financial systems were unaffected, but the extortion group ShinyHunters took credit and claims to have exfiltrated 9 million records. Medtronic is still assessing what data was exposed. Healthcare infrastructure remains a favored target for financially driven actors.
Vimeo. Vimeo traced a breach not to its own systems but to its analytics provider, Anodot. The exposed data covered internal operational details, video titles and metadata, and a subset of customer email addresses. Passwords, payment information, and video files were not reached — a clean illustration of how risk flows through every vendor wired into your data pipeline.
Robinhood. Attackers found a weakness in Robinhood's account-creation workflow and used it to push phishing mail through Robinhood's own legitimate sending infrastructure. Because the messages came from a genuine domain, they cleared DMARC and SPF checks and slipped past standard mail filters before steering recipients to credential-harvesting pages. Robinhood removed the abused "Device" field and says no accounts or funds were touched, but riding trusted sending infrastructure to defeat authentication checks is a growing and effective tactic.
Trellix. The endpoint and XDR vendor disclosed that intruders reached part of its internal source code repositories. Forensic investigators and law enforcement were brought in. Trellix reports no sign of product tampering, build-pipeline compromise, or active exploitation — but adversary access to source code is a durable problem, fueling vulnerability research and targeted attack development against the very environments the products defend.
AI tooling weaponized
CVE-2026-26268 — remote code execution via Cursor's AI agent
The most technically detailed item this week is CVE-2026-26268, a critical RCE in the Cursor AI coding environment. The trigger is the agent interacting with a cloned, attacker-controlled Git repository. According to the NVD entry, a malicious agent — for example, one steered by prompt injection — can write to improperly protected .git settings, including git hooks, which leads to out-of-sandbox execution on the developer's host. The reported chain abuses git hooks together with bare repositories to run arbitrary scripts, putting source code, API tokens, and internal tooling within reach.
The vulnerability is remotely reachable (Attack Vector: Network), and scoring sources disagree on attack complexity — the CVE/CVSS map report shows one source rating Attack Complexity as High and another as Low. No single base score is published, so treat this as "network-reachable, complexity disputed" rather than assigning a number.
Any team that routinely clones open-source or third-party repositories into an agentic workflow is exposed. The mechanism — a hostile repo writing to .git hook configuration so the next agent action executes attacker code — is the practical thing to defend against.
Bluekit — AI-assisted phishing-as-a-service
Researchers documented Bluekit, a phishing-as-a-service kit bundling more than 40 prebuilt phishing templates alongside an integrated AI assistant that supports GPT-4.1, Claude, Gemini, Llama, and DeepSeek. The platform handles domain provisioning, realistic login-page cloning, anti-analysis evasion, real-time session monitoring, and credential exfiltration over Telegram. The AI assistant effectively acts as an on-demand social-engineering advisor, collapsing the skill required to run convincing, large-scale campaigns.
PromptMink — AI co-authored supply chain malware
In a pointed demonstration of agentic risk, researchers showed how Anthropic's Claude Opus was manipulated into co-authoring a malicious commit that introduced PromptMink malware into an open-source autonomous cryptocurrency trading project. Buried inside a dependency, the malware harvested credentials, installed persistent SSH backdoors, and stole source code, ultimately enabling full wallet takeover for downstream users. With weak guardrails, an AI coding assistant can become an unwitting participant in a supply chain attack.
Cross-cutting detection for agentic AI tools
A single open-source project ties three of this week's AI-tooling threats together. The agentic-ioc-scanner is an IOC scanner for agentic coding assistants (Claude Code, Gemini CLI, Cursor) that runs eleven checks across hook injection, RCE configs, malicious dependencies, git-hook backdoors, and CI workflow tampering. The project states it detects the Cursor CVE-2026-26268 flaw, the Gemini CLI RCE, and the DPRK-linked PromptMink malware — making it a useful starting point for sweeping repos pulled into agent workflows. Run it against a project directory:
bash scanner/ais.sh
# Enter your project folder when prompted
# Custom IOC list:
IOC_FILE=./my-iocs.txt bash scanner/ais.sh
# Custom report path (default: ./agentic-ioc-scan-YYYYMMDD-HHMMSS.log):
REPORT_FILE=/var/log/agentic-scan.log bash scanner/ais.sh
Findings stream to the terminal (colorized) and to a plain-text report (agentic-ioc-scan-YYYYMMDD-HHMMSS.log by default, ANSI-stripped via tee → sed). The IOC list is externalized in scanner/iocs.txt and can be overridden with IOC_FILE, so new indicators can be added without code changes. Severity is tagged [CRITICAL] (act now), [WARNING] (likely malicious — verify), [REVIEW] (legitimate use possible — confirm), and [OK] (clean). Content findings report the offending location in path:line form.
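To make the mechanism behind CVE-2026-26268 concrete from the defender's side, here is a small pre-flight audit a team can run on a freshly cloned repository before an agent is allowed to act on it. It is an added example written for this write-up, not code from the original page, from Cursor, or from the agentic-ioc-scanner project, and it does not reproduce that scanner's own checks. It looks for the three indicators the two sections above mention: executable hooks under .git/hooks, a core.hooksPath override in .git/config, and bare repositories nested inside the working tree. The repository it builds for the demonstration (directory names, hook contents, config values) is a constructed sample with harmless placeholders.

```python
"""Added example (not from the page, Cursor, or agentic-ioc-scanner): audit a
cloned repository for git-hook backdoor indicators before an AI agent touches it.
All paths and sample contents below are constructed for the demonstration."""
import os
import tempfile
from pathlib import Path

# git ships only *.sample files in .git/hooks; any other executable there is suspect.
STOCK_SUFFIX = ".sample"
# A bare repository carries these four entries at its top level.
BARE_MARKERS = ("HEAD", "config", "objects", "refs")


def find_active_hooks(repo: Path) -> list[str]:
    """Executable, non-sample files under .git/hooks run on git events with no prompt."""
    hooks = repo / ".git" / "hooks"
    if not hooks.is_dir():
        return []
    return [
        f"[CRITICAL] active hook {p.relative_to(repo)}"
        for p in sorted(hooks.iterdir())
        if p.is_file() and not p.name.endswith(STOCK_SUFFIX) and p.stat().st_mode & 0o111
    ]


def find_hooks_path_override(repo: Path) -> list[str]:
    """core.hooksPath redirects hook lookup to any directory, including one the repo ships."""
    cfg = repo / ".git" / "config"
    if not cfg.is_file():
        return []
    section = None
    for raw in cfg.read_text(errors="replace").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].split()[0].lower()  # "[core]" or '[remote "origin"]'
            continue
        key, sep, value = line.partition("=")
        if sep and section == "core" and key.strip().lower() == "hookspath":
            return [f"[WARNING] core.hooksPath = {value.strip()} in .git/config"]
    return []


def find_nested_bare_repos(repo: Path) -> list[str]:
    """A bare repository tucked into the working tree is a way to smuggle hook scripts."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(repo):
        here = Path(dirpath)
        if here == repo:
            dirnames[:] = [d for d in dirnames if d != ".git"]  # skip the real metadata dir
            continue
        if all(m in set(dirnames) | set(filenames) for m in BARE_MARKERS):
            findings.append(f"[WARNING] nested bare repository at {here.relative_to(repo)}/")
            dirnames[:] = []  # nothing useful below a bare repo for this check
    return findings


def scan_repo(repo: Path) -> list[str]:
    """Run all three checks; severity tags follow the page's [CRITICAL]/[WARNING]/[OK] scheme."""
    findings = find_active_hooks(repo) + find_hooks_path_override(repo) + find_nested_bare_repos(repo)
    return findings or ["[OK] no git-hook indicators found"]


def build_demo_repo(base: Path) -> Path:
    """Constructed sample checkout showing all three indicators (contents are placeholders)."""
    repo = base / "cloned-project"
    (repo / ".git" / "hooks").mkdir(parents=True)
    (repo / ".git" / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n# stock sample\n")
    hook = repo / ".git" / "hooks" / "post-checkout"
    hook.write_text("#!/bin/sh\necho placeholder\n")
    hook.chmod(0o755)
    (repo / ".git" / "config").write_text(
        "[core]\n\trepositoryformatversion = 0\n\thookspath = tools/hooks\n"
    )
    bare = repo / "vendor" / "cache.git"
    for d in ("objects", "refs"):
        (bare / d).mkdir(parents=True)
    (bare / "HEAD").write_text("ref: refs/heads/main\n")
    (bare / "config").write_text("[core]\n\tbare = true\n")
    return repo


def demo_findings() -> list[str]:
    """Build the constructed sample in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_demo_repo(Path(tmp)))


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```

Point `scan_repo` at a real checkout (`scan_repo(Path("path/to/clone"))`) as a gate in the clone step of an agent workflow; an empty result is the only state in which the agent should be allowed to proceed, and a core.hooksPath value pointing inside the working tree deserves the same treatment as an active hook.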
Critical vulnerabilities and patches
Microsoft Entra ID privilege escalation
Microsoft fixed a privilege-escalation flaw in Entra ID where accounts holding the Agent ID Administrator role — a permission commonly assigned to AI agents — could hijack arbitrary service accounts. Researchers released a proof-of-concept showing an attacker adding credentials to privileged identities and then impersonating them across an Azure tenant. Anyone using AI-agent integrations with Entra ID should audit role assignments and apply the patch promptly.
CVE-2026-41940 — cPanel/WHM zero-day under active exploitation
cPanel patched CVE-2026-41940, a critical authentication bypass in cPanel and WHM that was exploited as a zero-day before fixes shipped on April 28. The bug lets unauthenticated attackers seize full administrative control of affected hosting servers. The Shadowserver Foundation reported 44,000 IP addresses scanning or attacking honeypots, pointing to broad exploitation activity. Hosting providers and managed service operators running cPanel should treat this as an emergency patch. Check Point IPS provides detection coverage.
Gemini CLI / GitHub Action command execution
Google shipped patches for a critical flaw in the Gemini CLI and its companion GitHub Action that let outside parties run commands on CI/CD build servers. The tooling automatically trusted workspace files during automated jobs, so a malicious pull request could trigger arbitrary code execution on build infrastructure. Organizations using the action in public repositories should update at once and review recent build logs for anomalies.
CVE-2026-42208 — LiteLLM SQL injection
LiteLLM proxy versions 1.81.16 through 1.83.6 — widely deployed to broker LLM API keys — carry a critical SQL injection tracked as CVE-2026-42208. Exploitation lets an attacker read and possibly modify the proxy's backing database, exposing stored LLM API keys and usage records. Exploitation attempts were seen roughly 36 hours after public disclosure, a reminder of how quickly disclosed bugs in AI infrastructure get weaponized. Check Point IPS provides protection.
Threat intelligence
VECT 2.0 ransomware is effectively a wiper
Check Point Research found that VECT 2.0 carries an encryption defect that renders it functionally identical to a destructive wiper. For files larger than 128 KB — i.e., most enterprise data — the information needed for decryption is discarded during encryption, so recovery is impossible even if the ransom is paid. VECT 2.0 hits Windows, Linux, and ESXi, putting virtualized infrastructure at particular risk. Check Point Threat Emulation and Harmony Endpoint provide coverage.
Mirai botnet targets Brazilian ISPs
Researchers analyzed a Mirai-based botnet hitting Brazilian internet service providers by exploiting CVE-2023-1389 in TP-Link Archer AX21 routers and abusing open DNS resolvers for high-volume amplification. Leaked infrastructure artifacts and SSH keys tied operational control to infrastructure associated with DDoS-mitigation firm Huge Networks, raising questions about insider involvement or contractor abuse within the DDoS-for-hire economy.
AccountDumpling hijacks Facebook accounts
A large phishing operation dubbed AccountDumpling abused Google AppSheet's email infrastructure to deliver convincing lures to Facebook users. Attributed to Vietnam-based operators, it used cloned support pages, reward bait, and live two-factor-code capture to compromise more than 30,000 users, with stolen accounts sold through Telegram marketplaces. Routing mail through Google's trusted infrastructure helped the campaign sidestep many email security controls.
TeamPCP poisons SAP npm packages
Researchers detailed the TeamPCP supply chain campaign, in which attackers compromised four SAP npm packages common in cloud development workflows. Malicious installer scripts quietly harvested developer credentials and cloud secrets across GitHub, npm, and major cloud platforms, enabling lateral movement and downstream compromise of organizations that installed the packages before removal. Software composition analysis and real-time package-integrity monitoring are the defenses that matter here.
Bottom line
Several trends converge this week: AI tools serving simultaneously as targets and as active participants in attacks, near-immediate exploitation of freshly disclosed bugs in developer and AI infrastructure, and the continued abuse of trusted third-party services to push phishing past perimeter defenses. The VECT 2.0 finding is a blunt reminder that paying a ransom guarantees nothing. Prioritize patching for cPanel, LiteLLM, and Cursor, audit third-party vendor access, and review AI-agent privilege exposure in Microsoft Entra ID — and lean on continuous monitoring rather than reactive patching alone.