May’s incidents included a Microsoft identity‑led breach, a large‑scale open‑source supply chain attack, password exposure risks in Microsoft Edge, fake FIFA websites driving World Cup fraud campaigns, and a phishing operation delivering remote access malware.
The headlines:
- Storm‑2949 turns one identity into a cloud breach
- “Mini Shai‑Hulud” spreads through open‑source packages
- Edge loads saved passwords into plaintext memory
- Fake FIFA sites scale World Cup scams
- RatPressto phishing kit delivers remote access malware
Read more about these key threats and recommended actions identified by our SOC team this month:
Storm‑2949 shows how one compromised identity can become a cloud-wide breach
Microsoft reported an attack in which threat actors gained access to user accounts by abusing password reset flows and triggering MFA approval prompts. Once inside, they replaced the accounts' registered authentication methods and maintained persistent access.
The attacker used built‑in Microsoft tools to map permissions, access Microsoft 365 data, and move into Azure services including storage, applications, and key management systems.
The activity relied on legitimate admin pathways rather than malware, allowing the attacker to expand access across the environment from a single compromised identity.
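As an added illustration (not from Microsoft's report or Kocho's SOC tooling), the following Python flags two patterns from the attack above over constructed audit events: a new authentication method registered shortly after a password reset, and an MFA approval preceded by a burst of denials. The event field names, activity strings and thresholds are assumptions, simplified from what Entra ID audit and sign-in logs expose.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data); field names are simplified assumptions.
EVENTS = [
    {"time": "2025-05-03T08:01:00", "user": "alice@example.com", "activity": "Reset password"},
    {"time": "2025-05-03T08:05:00", "user": "alice@example.com", "activity": "MFA denied"},
    {"time": "2025-05-03T08:06:00", "user": "alice@example.com", "activity": "MFA denied"},
    {"time": "2025-05-03T08:07:00", "user": "alice@example.com", "activity": "MFA denied"},
    {"time": "2025-05-03T08:08:00", "user": "alice@example.com", "activity": "MFA approved"},
    {"time": "2025-05-03T08:20:00", "user": "alice@example.com", "activity": "User registered security info"},
    {"time": "2025-05-03T09:00:00", "user": "bob@example.com", "activity": "Reset password"},
    {"time": "2025-05-05T09:00:00", "user": "bob@example.com", "activity": "User registered security info"},
]

RESET_TO_REGISTER = timedelta(hours=1)    # new auth method this soon after a reset is suspicious
FATIGUE_WINDOW = timedelta(minutes=10)    # window in which repeated denials count as prompt fatigue
FATIGUE_DENIALS = 3

def _ts(event):
    return datetime.fromisoformat(event["time"])

def detect_account_takeover(events):
    """Return (user, reason) alerts for reset-then-register and MFA prompt-fatigue patterns."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        last_reset = None
        denials = []
        for e in evs:
            t, act = _ts(e), e["activity"]
            if act == "Reset password":
                last_reset = t
            elif act == "User registered security info":
                if last_reset is not None and t - last_reset <= RESET_TO_REGISTER:
                    alerts.append((user, "auth method added %s after password reset" % (t - last_reset)))
            elif act == "MFA denied":
                denials.append(t)
            elif act == "MFA approved":
                recent = [d for d in denials if t - d <= FATIGUE_WINDOW]
                if len(recent) >= FATIGUE_DENIALS:
                    alerts.append((user, "MFA approved after %d denials in %s" % (len(recent), FATIGUE_WINDOW)))
                denials = []  # an approval closes the current prompt sequence
    return alerts

if __name__ == "__main__":
    for user, reason in detect_account_takeover(EVENTS):
        print(user, "-", reason)
```

In the sample data only alice trips both rules; bob's registration two days after a reset is routine and stays quiet.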
What are the risks?
- A single compromised account can expose large parts of the environment
- Legitimate admin tools can be used to move undetected
- High‑privilege identities create disproportionate impact
Recommended actions:
Mini Shai‑Hulud spreads through open‑source software supply chains
A large‑scale supply chain attack linked to TeamPCP has compromised more than 160 npm and open‑source packages, including widely used libraries.
The campaign uses a GitHub Actions weakness to inject malicious code and deploy a self‑propagating worm, “Mini Shai‑Hulud,” which steals credentials such as CI/CD tokens, cloud keys, and registry access.
These credentials are then used to publish further malicious packages, allowing the attack to spread across repositories, development environments, and organisations.
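As an added example (not the campaign's code and not Kocho's tooling), the following Python audits a constructed lockfile v3 package-lock.json for the properties a self-propagating package worm relies on: install-time lifecycle scripts, tarballs resolved from outside the trusted registry, and entries with no integrity hash. Package names, versions and hashes are made up; `hasInstallScript` is the real flag npm writes into lockfile v2/v3 entries.

```python
import json

# Constructed package-lock.json (lockfile v3 shape); names, versions and hashes are made up.
LOCKFILE = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/good-lib": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-2.1.0.tgz",
      "integrity": "sha512-AAAA"
    },
    "node_modules/hooked-lib": {
      "version": "0.9.1",
      "resolved": "https://registry.npmjs.org/hooked-lib/-/hooked-lib-0.9.1.tgz",
      "integrity": "sha512-BBBB",
      "hasInstallScript": true
    },
    "node_modules/mirror-lib": {
      "version": "1.0.0",
      "resolved": "https://mirror.example.net/mirror-lib-1.0.0.tgz"
    }
  }
}
""")

TRUSTED_REGISTRY = "https://registry.npmjs.org/"  # assumption: the only allowed package source

def audit_lockfile(lock):
    """Return {package_name: [findings]} for dependencies that widen supply-chain exposure."""
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the root project entry ("") is not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        issues = []
        if meta.get("hasInstallScript"):
            issues.append("runs a lifecycle script at install time")
        resolved = meta.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRY):
            issues.append("resolved outside trusted registry: %s" % (resolved or "<none>"))
        if not meta.get("integrity"):
            issues.append("no integrity hash, tarball contents are not pinned")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for pkg, issues in audit_lockfile(LOCKFILE).items():
        print(pkg, "->", "; ".join(issues))
```

Running this in CI before `npm ci` gives a review gate for the install-script and off-registry cases; `npm ci --ignore-scripts` is the companion control for the first finding.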
What are the risks?
- Trusted open‑source packages can be compromised at scale
- CI/CD credentials enable rapid lateral movement
- Compromises can spread through shared dependencies
Recommended actions:
Microsoft Edge password storage exposed in plaintext memory
A security researcher disclosed that Microsoft Edge loads all saved user passwords into memory in plaintext at browser startup, even if those credentials are not actively used.
This behaviour allows attackers with local access, such as through malware or administrative privileges, to extract stored credentials directly from system memory using relatively simple tools.
Microsoft initially described the behaviour as intentional, stating the risk requires a device to already be compromised, but has since confirmed it is changing how passwords are handled to reduce exposure.
What are the risks?
- Stored passwords can be accessed directly from memory in plaintext
- Local compromise increases the likelihood of credential exposure
- Multiple user credentials may be accessible in shared environments
Recommended actions:
Fake FIFA websites drive large‑scale World Cup scams
Ahead of the 2026 World Cup, attackers have created hundreds of spoofed FIFA websites designed to capture personal and financial information.
These sites mimic official domains using slight spelling variations and alternative domain endings and are promoted through search advertising and social media.
Victims are lured through ticket sales, hospitality packages and job offers, with entered data used for fraud or identity theft.
What are the risks?
- Convincing brand impersonation increases phishing success rates
- Search ads and social promotion extend attack reach
- High‑profile events create predictable attack windows
Recommended actions:
RatPressto phishing campaign deploys remote access malware
Researchers have identified an active phishing campaign using an Adobe‑themed kit to deliver remote access malware via compromised WordPress sites.
Victims are redirected to fake Document Cloud pages, while a hidden process installs a ScreenConnect‑based remote access trojan in the background.
The campaign uses standardised phishing templates and legitimate infrastructure, including GitHub, to deliver payloads and evade detection.
What are the risks?
- Legitimate tools can be used to bypass traditional controls
- Phishing infrastructure is repeatable and scalable
- Compromised websites act as distribution channels
Recommended actions:
From our blog
Why valid access is one of the most serious identity security risks
Valid credentials sit at the centre of many of the incidents covered in this roundup. Once obtained, they allow attackers to move through Microsoft 365 and Azure environments using legitimate access and trusted tools.
Kocho’s Security Engineering Manager, Adam Febery, examines how this access is used in real incidents and where organisations are most exposed. The emphasis is on strengthening authentication, reducing risk in account recovery, and limiting how far access can spread once a user is compromised.
With thanks to the Kocho Security Operations Centre (SOC) team.
Stay safe. Stay informed.