Security briefing: May 2026
ID: 3e2c24dc-7f8c-592d-9516-35b79fb2132f
STIX ID: report--3e2c24dc-7f8c-592d-9516-35b79fb2132f
Feed Name: Sysdig Blog
This Sysdig monthly roundup details several high-impact May incidents: a claimed ShinyHunters exfiltration of ~275M Canvas records and subsequent extortion; a backdoored VS Code extension on the Marketplace that allowed a supply-chain worm to clone ~3,800 GitHub repositories; a six-month exposure of CISA AWS GovCloud credentials due to disabled guardrails; rapid LLM-driven intrusions that stole cloud credentials and internal DB data; multiple CVEs exploited within hours (PraisonAI, Langflow, DirtyFrag); a novel NATS-as-C2 technique; and an Azure VMAccess detection gap. It concludes that attackers are accelerating exploitation via automation and cloud-native techniques, and that defenders must prioritize rapid detection, credential hygiene, and behavioral monitoring.
