18th May – Threat Intelligence Report: Key Questions Answered
In the week of May 18, the cybersecurity landscape saw significant incidents ranging from source code leaks to AI-powered attacks and critical vulnerabilities. Below, we break down the most pressing threats in a Q&A format to help you understand the risks and implications.
What caused the Vodafone source code leak, and was customer data exposed?
Vodafone, a major international telecom, experienced a source code leak that the extortion group Lapsus$ claimed responsibility for. The breach occurred through compromised third-party development software that held access to Vodafone's GitHub repositories. The company confirmed that while some source code files were accessed, customer data and core network infrastructure were unaffected. The incident highlights the risk of third-party tooling that holds elevated access to internal development platforms: a compromise of the tool is effectively a compromise of every repository it can read. Organizations should regularly audit the permissions granted to external tools and integrations, scope them to the repositories and operations they actually need, revoke those no longer in use, and enforce multi-factor authentication for every account with access to code repositories.

How did THORChain lose $10.7 million in a security breach?
THORChain, a Swiss-based cryptocurrency platform, suffered a security breach when one of its six vaults was compromised, leading to the theft of approximately $10.7 million. The attack exploited a vulnerability in the vault's smart contract, allowing the attacker to drain protocol-owned assets across several blockchains. Trading was halted immediately to prevent further losses. The project stated that only protocol-owned funds were stolen and that user assets remained safe. The incident underscores the importance of rigorous smart contract audits, and of monitoring and incident response mechanisms fast enough to halt activity before one drained vault becomes several.
What was the impact of the ransomware attack on West Pharmaceutical Services?
West Pharmaceutical Services, a global manufacturer of drug delivery components, was hit by a ransomware attack that disrupted shipping, manufacturing, and shared service functions. The attackers encrypted some systems and stole data, though no ransomware group has publicly claimed responsibility. The company worked to restore operations, but the incident caused temporary delays in production and distribution. The attack highlights the vulnerability of critical healthcare supply chains and the need for robust backup strategies, network segmentation, and employee training to detect phishing attempts that often precede ransomware.
How did the Nitrogen ransomware group attack Foxconn, and what data was stolen?
Foxconn, a global electronics manufacturer, confirmed a cyberattack on its North American operations after the Nitrogen ransomware group claimed to have stolen 8 TB of data. The attack caused disruption at some factories, but the company stated that affected facilities were resuming normal production. The stolen data reportedly includes sensitive corporate files and potentially intellectual property. This incident demonstrates the persistent threat posed by ransomware groups targeting large manufacturing firms, emphasizing the need for comprehensive security measures, including network monitoring, endpoint protection, and regular data backups stored offline.

What are the 'Claw Chain' vulnerabilities in OpenClaw, and how dangerous are they?
Researchers disclosed four vulnerabilities, collectively called 'Claw Chain', in OpenClaw, an autonomous AI agent platform. The flaws allow attackers to bypass sandbox controls, read restricted files, leak secrets, and gain owner-level access. The most severe, CVE-2026-44112, carries a CVSS score of 9.6. Exploitation could lead to complete compromise of the AI agent environment, giving an attacker control over everything the agent is permitted to do. Organizations running OpenClaw should apply the vendor's fixes as soon as they are available and, until those are deployed, restrict network access to the platform and review which credentials and file paths the agent can reach.
What malware was hidden in a Hugging Face repository, and how many downloads did it amass?
A popular repository on Hugging Face, the machine learning model hub, was found to host malware disguised as an OpenAI privacy filter. The malicious package accumulated more than 200,000 downloads before it was discovered. It installed an infostealer that harvested browser passwords, cookies, SSH keys, VPN configurations, and cryptocurrency wallets and exfiltrated them to a remote server. The incident underscores the growing trend of supply chain attacks against AI/ML platforms. Model and package files are not inert data: several common serialization formats execute code when loaded. Developers should verify who publishes a repository and whether it is the official one, inspect its dependencies and any code that runs on load, and test unfamiliar models only in a sandboxed environment that holds no credentials.
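The check a practitioner wants before loading anything pulled from a public model hub is a look at what the file will do on load. The script below is an added example, not code from the article, from Hugging Face, or from the malicious package the article describes. It assumes the artifact is a Python pickle (the article does not say how the payload was packaged), and the benign and malicious samples it scans are constructed inline. It disassembles the stream with pickletools.genops, which never executes anything, and reports every module reference outside a small allowlist of modules that legitimately appear in weight files.

```python
"""Scan a serialized model file for pickle opcodes that import and call code.

Added example, not code from the article or from Hugging Face. Assumes the
downloaded artifact is a Python pickle; the sample payloads are constructed.
"""
import pickle
import pickletools
import subprocess

# Modules that legitimately appear in weight files. Anything else is reported:
# deny-by-default, because a pickle can resolve any importable name.
ALLOWED_MODULE_PREFIXES = ("torch", "numpy", "collections")

# Opcodes that push a str; STACK_GLOBAL (protocol 4+) consumes the last two
# as "module" and "name".
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def _allowed(module: str) -> bool:
    return any(module == p or module.startswith(p + ".") for p in ALLOWED_MODULE_PREFIXES)


def scan_pickle(data: bytes) -> list[str]:
    """Return one finding per global reference outside the allowlist.

    pickletools.genops disassembles without executing, so this is safe to run
    on untrusted input. An empty list means no unexpected imports were found.
    """
    findings = []
    strings = []  # the two most recent string pushes, for STACK_GLOBAL
    try:
        for op, arg, pos in pickletools.genops(data):
            if op.name in STRING_OPS:
                strings.append(arg)
                del strings[:-2]
                continue
            if op.name in ("GLOBAL", "INST"):
                module, _, name = arg.partition(" ")  # protocol 0-3: "module name"
            elif op.name == "STACK_GLOBAL":
                if len(strings) < 2:
                    findings.append(f"offset {pos}: STACK_GLOBAL with no operands")
                    continue
                module, name = strings[-2], strings[-1]
            else:
                continue
            if not _allowed(module):
                findings.append(f"offset {pos}: {op.name} resolves {module}.{name}")
    except ValueError as exc:  # truncated or corrupt stream: also not loadable
        findings.append(f"malformed pickle: {exc}")
    return findings


def is_safe_to_load(data: bytes) -> bool:
    return not scan_pickle(data)


# --- constructed samples ---------------------------------------------------

# A benign "state dict": plain containers and floats, no GLOBAL opcodes at all.
BENIGN = pickle.dumps({"layer.weight": [0.1, -0.2, 0.3], "layer.bias": [0.0]}, protocol=4)

# Hand-written protocol-0 payload: GLOBAL os.system, then REDUCE calls it on load.
MALICIOUS_P0 = b"cos\nsystem\n(S'echo pwned'\ntR."


class _Dropper:
    """What an attacker ships: __reduce__ tells pickle to call a function on load."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


# Protocol 4 encodes the same idea as SHORT_BINUNICODE x2 + STACK_GLOBAL.
# pickle.dumps only records the reference; nothing runs until pickle.load.
MALICIOUS_P4 = pickle.dumps(_Dropper(), protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("proto0", MALICIOUS_P0), ("proto4", MALICIOUS_P4)):
        print(label, "SAFE" if is_safe_to_load(blob) else scan_pickle(blob))
```

Deny-by-default is deliberate: a pickle can name any importable attribute, and on Linux the interpreter records os.system as posix.system, so a blocklist of module names is easy to slip past. Where the format permits it, prefer a weights-only format with no executable opcodes, and keep the loader inside the sandbox regardless.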
What do the YellowKey and GreenPlasma Windows zero-day vulnerabilities entail?
Two unpatched Windows zero-day vulnerabilities, named YellowKey and GreenPlasma, affect Windows 11 and recent Windows Server versions. YellowKey allows a BitLocker bypass through the Windows Recovery Environment and requires physical access to the device. GreenPlasma abuses the CTF input framework hosted by ctfmon.exe to escalate privileges from a standard user to SYSTEM. Proof-of-concept code is publicly available, which raises the likelihood of exploitation. Until Microsoft releases patches, organizations should require pre-boot authentication for BitLocker (a TPM+PIN protector, with PIN complexity enforced) so that the drive does not unlock automatically for anyone who can boot into recovery, limit physical access to devices, and monitor for privilege escalation by alerting on unusual CTFMON behavior, for example ctfmon.exe spawning child processes or a SYSTEM-level process appearing under a standard user's session.
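What "unusual CTFMON behavior" can look like as a concrete detection, as an added example that is not code from the article, from Microsoft, or from the GreenPlasma proof of concept. The article does not describe how the exploit abuses the CTF framework, so the rule here is a generic heuristic and an assumption: ctfmon.exe does not normally launch other programs, so any child process is suspicious, and a child running as SYSTEM under a standard user's session is the escalation signature most worth an alert. The events it runs over are constructed in the shape of Sysmon Event ID 1 (ProcessCreate); the ParentUser field is only populated by newer Sysmon builds, so the rule treats it as optional.

```python
"""Flag process-creation events that are abnormal for ctfmon.exe.

Added example; not code from the article, from Microsoft, or from the
GreenPlasma proof of concept. Heuristic (an assumption): ctfmon.exe does not
normally spawn children, so any child is suspicious, and an elevated child is
high severity. Sample events are constructed in Sysmon Event ID 1 style.
"""
import ntpath
from typing import Optional

CTFMON = "ctfmon.exe"
ELEVATED_LEVELS = {"system", "high"}


def _image_name(path: Optional[str]) -> str:
    """Basename of a Windows path, lower-cased, tolerant of missing fields."""
    return ntpath.basename(path or "").lower()


def _is_system(user: Optional[str]) -> bool:
    return (user or "").upper().endswith("\\SYSTEM")


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for one event, or None if it is not of interest."""
    if _image_name(event.get("ParentImage")) != CTFMON:
        return None
    level = (event.get("IntegrityLevel") or "").lower()
    parent_user = event.get("ParentUser")  # only populated by newer Sysmon builds
    severity, reason = "medium", "ctfmon.exe launched a child process"
    if level in ELEVATED_LEVELS or _is_system(event.get("User")):
        severity, reason = "high", "ctfmon.exe launched an elevated child process"
        if parent_user and not _is_system(parent_user):
            reason += f"; parent ran as {parent_user}"
    return {
        "severity": severity,
        "reason": reason,
        "time": event.get("UtcTime"),
        "child": _image_name(event.get("Image")),
        "command_line": event.get("CommandLine"),
        "user": event.get("User"),
    }


def detect(events: list) -> list:
    """Run evaluate() over a batch and keep the alerts, preserving event order."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {  # normal: ctfmon.exe itself started in a user session by a service host
        "UtcTime": "2026-05-18 09:01:02.100", "Image": r"C:\Windows\System32\ctfmon.exe",
        "CommandLine": "ctfmon.exe", "User": r"CORP\alice", "IntegrityLevel": "Medium",
        "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": r"NT AUTHORITY\SYSTEM",
    },
    {  # normal: a user opening an application from the shell
        "UtcTime": "2026-05-18 09:02:15.300", "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe", "User": r"CORP\alice", "IntegrityLevel": "Medium",
        "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": r"CORP\alice",
    },
    {  # suspicious: SYSTEM shell whose parent is ctfmon.exe in alice's session
        "UtcTime": "2026-05-18 09:03:44.900", "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami", "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
        "ParentImage": r"C:\Windows\System32\ctfmon.exe", "ParentUser": r"CORP\alice",
    },
    {  # odd but not elevated: ctfmon.exe should not launch anything at all
        "UtcTime": "2026-05-18 09:05:01.000", "Image": r"C:\Windows\System32\calc.exe",
        "CommandLine": "calc.exe", "User": r"CORP\alice", "IntegrityLevel": "Medium",
        "ParentImage": r"C:\Windows\System32\CTFMON.EXE", "ParentUser": r"CORP\alice",
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["child"], "-", alert["reason"])
```

Image comparison is done on the lower-cased basename because Sysmon records the path as the process reported it and case varies; in production, compare the full path against the System32 copy as well, since an attacker can name any binary ctfmon.exe. Expect to tune the medium-severity rule against your own baseline before paging on it.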
Related Articles
- 7 Critical Security Risks of Untrained AI Agents — And How to Address Them
- Exploit Kit Surge in First Quarter 2026 Targets Microsoft Office, Windows, and Linux Systems
- Cyber Crisis Unfolds: EU Commission Breach, Hasbro Attack, and AI Threats Dominate Week's Security Landscape
- Exposing a DDoS Botnet: 10 Revelations About a Brazilian Anti-DDoS Firm's Attack Campaign
- Build Your Own Foucault Pendulum: A Victorian Experiment to Measure Earth's Rotation
- Securing Your Pipeline: A Guide to Detecting and Preventing Supply Chain Attacks Using PyTorch Lightning and Intercom-Client Case Studies
- Safeguarding Against AI Agent Identity Theft: Strategies and Architectures
- Canvas Cyberattack: Widespread Disruption and Data Extortion at Schools Nationwide