May 2026 Cybersecurity News Digest

The digest of cybersecurity news stories from May 2026 has arrived! Here are the highlights:

1. A staggering number of critical flaws in Chrome patched in May: Update now!

Google has released an urgent security update for Chrome, fixing 16 vulnerabilities, including two rated “critical”. The updated versions are 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux. The two critical vulnerabilities are:

1. CVE-2026-9111 - A use-after-free vulnerability in WebRTC that could allow remote code execution through malicious web pages.

2. CVE-2026-9110 - An inappropriate implementation flaw in the UI that could enable attackers to bypass security restrictions.

In addition to the critical issues, nine high-severity flaws were also patched. Users are advised to ensure their browser is up to date and restart Chrome, while enterprise administrators should deploy the update via policy management tools. Earlier this month, Google had already addressed 79 vulnerabilities in a significant update.

2. Critical 0-Day BitLocker bypass vulnerability

Microsoft has revealed a critical zero-day vulnerability in Windows BitLocker (CVE-2026-45585) that enables attackers with physical access to bypass full-disk encryption, putting sensitive data at risk of exposure. The vulnerability, rated “Exploitation More Likely” and classified as a Security Feature Bypass, was made public on May 19, 2026. It affects Windows 11, Windows Server 2022, and Windows Server 2025. No patch is available yet, but Microsoft provided a multi-step manual mitigation guide to protect users in the interim. The vulnerability is linked to an exploit chain named YellowKey published on GitHub.

Physical access attacks on encrypted devices are becoming an increasing threat, especially for lost or stolen enterprise laptops. Stay vigilant!

3. GitHub breached through a compromised employee’s device

GitHub confirmed unauthorised access to its internal repositories due to a compromised employee device infected by a malicious Visual Studio Code extension, as revealed on May 20, 2026. The breach involved data exfiltration from approximately 3,800 internal repositories, but no impact was confirmed on public or customer-hosted repositories.

Key actions taken by GitHub included isolating the affected device, removing the malicious extension, rotating critical credentials, and initiating ongoing log analysis to monitor for further attacker activity. This incident underscores the rising threat of supply chain attacks targeting developers.

4. Microsoft May 2026 Patch Tuesday

Microsoft’s May 2026 Patch Tuesday brings a significant focus on enterprise security, addressing 120 vulnerabilities across a range of products, including Windows, Office, Azure, developer tools, and Microsoft 365 apps. Among these, 29 remote code execution (RCE) flaws have been rated Critical. Unlike previous Patch Tuesday releases, this update doesn’t include any zero-day vulnerabilities that are currently being exploited in the wild or have been publicly disclosed. Users are encouraged to update their systems promptly for optimal security.

5. Incident at Škoda online shop exposes customer data

Škoda Auto has reported a major IT security breach affecting its online shop. This incident involved unauthorised access to customer data, which was made possible through a flaw in the shop's software. The IT team identified the breach during routine monitoring, prompting an immediate shutdown of the online shop and the implementation of containment measures. Although the vulnerability has been remediated, an external forensics firm is conducting a comprehensive post-incident analysis.

While the potential for data exfiltration exists, there is currently no evidence of misuse. Affected customers are being notified, with risks including phishing attacks and credential stuffing. The incident highlights ongoing security challenges with e-commerce platforms using standard software without adequate protection.

6. 28 fraudulent apps on Google Play tricking users into paying, downloaded more than 7.3 million times

Fraudulent Android apps now known as CallPhantom amassed over 7.3 million downloads on Google Play before being removed. These apps falsely promised users the ability to access the phone call history of any number, but instead delivered fake data and caused financial losses. They predominantly targeted users in India and the Asia-Pacific region, offering subscription packages ranging from weekly to yearly, with prices up to $80. A key tactic involved directing payment through channels that prevented Google from issuing refunds, leaving victims reliant on external payment providers or the scammers themselves.

7. Vimeo data breach compromises 119,000 unique email addresses

Vimeo, the widely used video hosting platform, recently faced a data breach that compromised 119,000 unique email addresses and metadata. This incident was linked to a security lapse with its analytics vendor, Anodot. The extortion group ShinyHunters claimed responsibility and published stolen data online, although actual video content, user passwords, and payment information remained secure. Vimeo’s operations were not disrupted, and upon discovery, the company revoked Anodot’s access and initiated an incident response. External cybersecurity experts were engaged for a forensic investigation. Vimeo has notified law enforcement while advising users to remain vigilant against potential phishing attacks.

We hope your systems remain safe and compliant with NIS2 through 2026. If you need assistance, please contact us for expert advice! 
