
Sarah Lane
From the CISO Series, it's Cybersecurity Headlines.

These are the cybersecurity headlines for Tuesday, May 19, 2026. I'm Sarah Lane.

Linus Torvalds not into AI bug hunters. Linus Torvalds says AI-powered bug hunting tools are overwhelming the Linux kernel security mailing list with duplicate reports, making it almost entirely unmanageable. He says multiple researchers are using the same AI tools to uncover the same vulnerabilities, forcing maintainers to spend time redirecting reports or explaining the bugs were already fixed. Torvalds said AI-generated findings are useful only when paired with meaningful contributions like patches and technical analysis, criticizing drive-by reports that add little value beyond what automated tools already surface.

7-Eleven hit with ransom demand. 7-Eleven confirmed a data breach after the ShinyHunters group claimed it stole more than 600,000 Salesforce records containing personal and corporate data. The company said attackers accessed systems used to store application documents, though it hasn't disclosed the total number of affected individuals. ShinyHunters allegedly tried to extort the company before offering the stolen data for $250,000. ShinyHunters has increasingly targeted Salesforce environments through phishing attacks, third-party integrations and configuration weaknesses rather than flaws in Salesforce itself.

MENA runs first-of-its-kind cybercrime op. Interpol said countries across the Middle East and North Africa, known as MENA, carried out the region's first large-scale coordinated cybercrime crackdown, dubbed Operation Ramz, R-A-M-Z, between October of 2025 and February of 2026. The operation involved 13 countries targeting phishing campaigns, malware infrastructure and online scams, resulting in 201 arrests, the identification of 3,867 victims, and the seizure of 53 servers. Authorities also shared nearly 8,000 intelligence records during the operation.
TanStack weighs invitation-only pull requests. TanStack is considering making pull requests invitation-only after that supply chain attack from last week tied to the Shai-Hulud worm compromised its GitHub Actions workflows. Attackers exploited a feature to run malicious code through automated CI pipelines, poisoning a shared cache across the repository. TanStack has removed the vulnerable workflow pattern, disabled shared caches, strengthened dependency and authentication protections, and adopted new safeguards in the Node.js package manager PM.

Huge thanks to our sponsor, ThreatLocker. ThreatLocker is extending Zero Trust beyond endpoint control with their recent release of Zero Trust Network Access and Zero Trust Cloud Access. Access isn't based on credentials alone. It requires the right user, the right device and the right conditions. Because, as we've seen in recent large-scale CRM breaches, stolen credentials and misconfigurations can expose massive amounts of data. With ThreatLocker, nothing is exposed and access is limited to exactly what's needed. Learn more and start your free trial today at threatlocker.com CSEL.

New infostealer campaign gets bigger. Researchers at OX Security say copies of that leaked Shai-Hulud malware are being used in various malicious npm packages targeting developers, noting four typosquatted or fake packages that stole credentials, cloud configuration files, crypto wallet data and other sensitive information, with one package also adding infected systems to a DDoS botnet. The malware appears to be a largely unmodified copy of Shai-Hulud's leaked source code, which was previously linked to the TeamPCP hacking group and recent supply chain attacks against Node.js ecosystems. The infected packages were downloaded more than 2,600 times, and developers are urged to remove them and rotate compromised credentials and API keys.
US healthcare breaches continue. Several major healthcare data breaches affecting potentially millions of people were recently added to the U.S. Department of Health and Human Services breach tracker. New York City Health and Hospitals Corporation reported the largest confirmed incident, with attackers accessing systems through a third-party vendor between late 2025 and early 2026, exposing sensitive personal, medical insurance, biometric and financial data tied to 1.8 million people. Other breaches include those at Erie Family Health Centers, affecting 570,000 individuals, and Florida Physician Specialists, affecting 276,000.

Nginx Rift attackers target exposed servers. Researchers at VulnCheck say attackers are already probing and exploiting the newly disclosed Nginx Rift vulnerability just days after patches and proof-of-concept code were released. The now 18-year-old flaw in Nginx was originally disclosed by researchers at Depth First and can let specially crafted HTTP requests crash worker processes and potentially enable remote code execution in rare cases where Linux memory protections like ASLR are disabled. VulnCheck researcher Patrick Geraghty said exploitation attempts were already hitting the company's canary systems. Security researcher Kevin Beaumont noted that modern Linux defaults make widespread real-world remote code execution attacks unlikely.

AI won't stop the slop. GitHub product security engineer Jerome Brown warns that many submissions lack reproducible proof-of-concept exploits or duplicate known issues, requiring stricter validation standards. Cloudflare Chief Security Officer Grant Bourzikas says AI tools are worsening triage overload by producing large volumes of plausible but unverified findings that drain security teams' time. Cloudflare testing of Anthropic's Mythos showed some improvement in generating exploit chains and proof of concepts.
But security researcher Daniel Stenberg, lead developer of curl, that's curl, says most findings were false positives or low impact, and argued the model's gains over earlier tools are modest, despite the hype.

Remember to join us this Friday at 4pm Eastern for our Department of Know livestream. This week we're joined by Mike Lockhart, CISO at EagleView, and Kathleen Mullen, the former CISO at MyCargoRhythm. We'll be digging into how the news of the week applies to your security teams, what stories are more noise than signal, and having some fun with our live chats. Be sure you're subscribed to the CISO Series on YouTube. You can catch the stream at 4pm Eastern time this Friday. If you have some thoughts on the news from today or about our show in general, be sure to reach out at feedback@cisoseries.com. We'd love to hear from you. I am Sarah Lane reporting for the CISO Series. Thank you for listening and we will talk to you tomorrow.
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: May 19, 2026 | Host: Sarah Lane
This episode covers a range of top stories from the information security world, including Linus Torvalds’ criticisms of AI-powered bug hunting, the 7-Eleven ransomware incident, a major coordinated cybercrime operation across the Middle East and North Africa, recent software supply chain threats, ongoing U.S. healthcare data breaches, and concerns over a serious Nginx vulnerability. The episode also features insights from notable security professionals about the impact of AI on vulnerability reporting.
Theme: AI-driven bug reporting is overwhelming key open-source projects with duplicated and non-actionable findings.
Theme: Major retail chain faces extortion after data breach.
Theme: Regional cyber law enforcement collaboration yields major results.
Theme: Open-source project tightens contributor controls after CI pipeline compromise.
Theme: Typosquatting and open-source attacks threaten developers.
Theme: Persistent large-scale breaches in the healthcare sector.
Theme: Exploitation attempts follow major web server flaw disclosure.
Theme: Security leaders discuss the real-world value—and limitations—of current AI bug hunting.
The episode maintains a concise, fact-based, and slightly urgent tone common in professional information security circles, punctuated by expert perspectives and real-world impact assessments.