Microsoft, Drupal, Linux critical patches; OAuth phishing bypasses MFA on 340+ orgs

**Executive Summary:** Microsoft disrupted a malware-signing service tied to ransomware distribution; an EvilTokens OAuth phishing service has bypassed MFA across 340+ Microsoft 365 organizations; Drupal is issuing urgent core security updates (May 20); a public PoC exists for Linux kernel LPE CVE-2026-31635; and the Trapdoor Android campaign is generating massive ad-fraud traffic—organizations should patch immediately, audit OAuth consents, restrict local access, and remediate malicious Android apps.