The week of May 4th delivered a wave of significant cybersecurity events, from a major data breach at medical device maker Medtronic to novel AI-driven attacks and urgent patches. Security teams are urged to review these incidents, which highlight evolving tactics in supply chain compromises, phishing, and credential theft. Below is a structured breakdown of the top threats and fixes from the past seven days.
Top Attacks and Breaches
Medtronic Discloses Corporate IT Breach
Medical device manufacturer Medtronic revealed that attackers breached its corporate IT network, gaining unauthorized access to data. The company stated the incident did not affect its products, operations, or financial systems. Threat actor group ShinyHunters claimed responsibility for stealing 9 million records, and Medtronic is still assessing the scope of data exposure.
Vimeo Breach via Analytics Vendor Compromise
Video hosting platform Vimeo confirmed a data breach traced to a compromise at its analytics vendor Anodot. Exposed data included internal operational information, video titles, and metadata, as well as some customer email addresses. Crucially, passwords, payment data, and video content remained secure. The incident underscores risks in third-party vendor access.
Robinhood Phishing Campaign Abuses Official Emails
Threat actors exploited the account creation process on trading platform Robinhood to launch a phishing campaign. Emails sent from Robinhood's official mailing account contained links to phishing sites and evaded security checks. Robinhood confirmed that no accounts or funds were compromised and has since removed the vulnerable "Device" field responsible for the abuse.
Trellix Source Code Repository Breach
Endpoint security and XDR vendor Trellix suffered a breach of its source code repositories after attackers accessed a portion of internal code. The company engaged forensic experts and law enforcement but reported no evidence of product tampering, pipeline compromise, or active exploitation as of now.
AI Threats
Remote Code Execution in Cursor's AI Agent
Researchers identified CVE-2026-26268, a critical flaw in Cursor's coding environment that enables remote code execution when its AI agent interacts with a cloned malicious repository. The attack chains Git hooks and bare repositories to execute attacker scripts, risking exposure of source code, tokens, and internal tools.
Bluekit: AI-Assisted Phishing Platform
Security researchers exposed Bluekit, a phishing-as-a-service platform that bundles more than 40 templates and an AI Assistant powered by GPT-4.1, Claude, Gemini, Llama, and DeepSeek. The toolkit centralizes domain setup, creates realistic login clones, applies anti-analysis filters, provides real-time session monitoring, and exfiltrates credentials via Telegram. Bluekit represents a growing trend in AI-enabled phishing operations.
AI-Enabled Supply Chain Malware Injection
Researchers demonstrated a novel supply chain attack in which Anthropic's Claude Opus co-authored a code commit that introduced PromptMink malware into an open-source autonomous crypto trading project. The hidden dependency siphoned credentials, planted persistent SSH access, and stole source code, enabling full wallet takeover. This attack highlights the risk of AI-generated code introducing malicious dependencies.
Vulnerabilities and Patches
Privilege Escalation in Microsoft Entra ID
Microsoft has fixed a privilege escalation flaw in Microsoft Entra ID that allowed the Agent ID Administrator role for AI agents to take over any service account. Researchers published a proof-of-concept showing attackers could add credentials and impersonate privileged identities. Administrators should apply the patch immediately.
cPanel Authentication Bypass Under Active Exploit
cPanel addressed CVE-2026-41940, a critical authentication bypass in cPanel and WHM that is being actively exploited in the wild as a zero-day. The flaw allows full administrative control without credentials. Users are urged to update to the latest version as soon as possible.