Just a Spoonful – June 2026 | Cybersecurity Incidents
May 2026 in review: Charter's 42M-record breach, the FBI's in-person law firm alert, the first AI-agent intrusion, FIFA phishing at scale, and Singapore's 11-month telecom counteroperation. Here's what you need to know.
🥄
JUST A SPOONFUL
A Cybersecurity Newsletter by LA Imdad
Top 5 Cybersecurity Incidents for June 2026
Monthly threat briefing for CISOs, MSSPs & MSPs
From the Editor
May 2026: The Month the Attack Chain Got a New Member
Hey there,
May 2026 handed defenders a sobering report card. In a single month, the threat landscape delivered a record-scale telecom breach, the FBI's most alarming extortion alert in years, the world's first documented AI-agent-driven intrusion, a mass phishing campaign targeting hundreds of millions of World Cup fans, and the quiet aftermath of an eleven-month national counteroperation.
What tied all five together? Not sophisticated zero-days or nation-state cyber weapons. A phone call. A fake IT tech. A vulnerable notebook no one patched. The through-line of May 2026 is that attackers consistently found the human before the firewall – and in at least one case, replaced the human entirely with an AI.
This edition of Just a Spoonful breaks down the five incidents your clients, your board, and your team need to understand heading into June – with a clear takeaway for each. Let's dig in.
Incident 01
Data Breach · Telecom · Social Engineering
Charter Communications (Spectrum) – ShinyHunters Vishing Attack
Breach date: April 1, 2026 · Disclosed: May 23–29, 2026
Charter Communications – the Spectrum brand serving over 32 million U.S. customers – confirmed that extortion group ShinyHunters had compromised its systems. The attack began with a vishing (voice phishing) call: an attacker impersonating IT support convinced a Charter employee to hand over their Microsoft Entra SSO credentials. The attacker then pivoted directly into Charter's Salesforce CRM and bulk-exported customer records.
ShinyHunters listed Charter on its dark web leak site claiming over 42 million PII records stolen, setting a ransom deadline of May 27. Charter declined. ShinyHunters published. Have I Been Pwned confirmed 4.9 million unique email addresses; independent estimates put the total at 13 million individuals affected plus ~27,000 employee records. The incident sits inside a broader campaign the group claims has compromised 1,000+ organizations via Salesforce environments.
Entry vector: Vishing → SSO
⚡ Action item: Enforce phishing-resistant MFA (FIDO2/passkeys) on all identity providers. Audit OAuth-authorized apps. Train staff to verify all IT requests through a confirmed second channel – voice phishing bypasses every email filter you own.
Incident 02
Extortion · Legal Sector · FBI Alert
Silent Ransom Group – FBI Warns of In-Person Data Theft at Law Firms
FBI FLASH Alert: May 26, 2026 · Campaign active since Spring 2023
The FBI issued a FLASH alert warning that Silent Ransom Group (SRG) – also known as Luna Moth – has escalated beyond phone calls. The group is now physically sending operatives into law firm offices disguised as IT support personnel. Once inside, they plug in a USB drive, walk out with terabytes of privileged legal data, and leave no malware, no encryption, and no trace – until the ransom email arrives.
SRG has struck 100+ law firms, with 38+ having had data published on the group's clearnet leak site. The legal sector logged 134 extortion incidents in Q1 2026 alone – the fourth-most targeted industry. The group amplifies pressure by calling employees and clients of victim firms directly. In January 2026, Orrick, Herrington & Sutcliffe had data published after refusing to pay.
Action item: Physical security is now a cybersecurity requirement. Enforce USB lockdown policies on all endpoints. Any "IT support" who shows up unannounced must be verified by calling your actual help desk – not any number they provide. Alert your staff: this is an active FBI-flagged pattern.
Incident 03
AI-Assisted Attack · CVE Exploit · CISA KEV
Marimo CVE-2026-39987 – The World's First Confirmed AI-Agent Intrusion
Exploit observed: May 10, 2026 · CISA KEV added: April 23, 2026
This is a landmark. Sysdig's Threat Research Team documented what they describe as the first AI-agent-driven intrusion ever confirmed in the wild. The entry point was CVE-2026-39987 – a CVSS 9.3 critical pre-authentication RCE flaw in Marimo, a popular Python notebook framework. A missing authentication check on a single WebSocket endpoint gave unauthenticated attackers a full interactive OS shell in one request. Exploits appeared within 10 hours of public disclosure.
After initial exploitation, the attacker fed stolen cloud credentials into an LLM agent. The AI autonomously replayed them through a distributed Cloudflare Worker egress pool, retrieved an SSH private key from AWS Secrets Manager, launched eight parallel SSH sessions against a downstream bastion server, and exfiltrated an entire internal PostgreSQL database – all in under one hour. The database extraction alone took under two minutes.
First exploit: <10 hrs post-disclosure
🤖 Action item: AI is now a live weapon in the kill chain – not just a phishing assistant. Patch Marimo to v0.23.0 immediately. Audit all publicly reachable notebooks. Rotate every credential, API key, and SSH key in the blast radius. Runtime behavioral detection is mandatory; signature-based tools will not catch this.
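As an added example (not code from Sysdig's report or from this newsletter), here is the kind of runtime check the action item calls for: a short Python scan of sshd login records that flags any source opening an unusual number of sessions against a bastion inside a short window, the pattern that eight parallel SSH sessions would leave behind. The log lines, host name, user names and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (not from the incident): one source opens eight
# sessions on the bastion within seconds; two later logins are benign.
SAMPLE_LOG = """\
May 10 14:02:01 bastion sshd[4101]: Accepted publickey for deploy from 203.0.113.7 port 51001 ssh2
May 10 14:02:01 bastion sshd[4102]: Accepted publickey for deploy from 203.0.113.7 port 51002 ssh2
May 10 14:02:02 bastion sshd[4103]: Accepted publickey for deploy from 203.0.113.7 port 51003 ssh2
May 10 14:02:02 bastion sshd[4104]: Accepted publickey for deploy from 203.0.113.7 port 51004 ssh2
May 10 14:02:03 bastion sshd[4105]: Accepted publickey for deploy from 203.0.113.7 port 51005 ssh2
May 10 14:02:03 bastion sshd[4106]: Accepted publickey for deploy from 203.0.113.7 port 51006 ssh2
May 10 14:02:04 bastion sshd[4107]: Accepted publickey for deploy from 203.0.113.7 port 51007 ssh2
May 10 14:02:04 bastion sshd[4108]: Accepted publickey for deploy from 203.0.113.7 port 51008 ssh2
May 10 14:31:17 bastion sshd[4190]: Accepted publickey for alice from 198.51.100.4 port 42000 ssh2
May 10 15:05:40 bastion sshd[4233]: Accepted publickey for bob from 198.51.100.9 port 42100 ssh2
"""

# Matches the syslog-style "Accepted <method> for <user> from <ip> port ..." line sshd writes.
ACCEPT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port"
)

def parse_accepts(log, year=2026):
    """Return (timestamp, user, source_ip) for each successful sshd login in the log."""
    events = []
    for line in log.splitlines():
        m = ACCEPT_RE.match(line)
        if m:  # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_session_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Map source_ip -> peak logins seen inside any `window`, for sources reaching `threshold`."""
    by_src = defaultdict(list)
    for ts, _user, src in events:
        by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0  # sliding window over this source's sorted login times
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts
```

Running `find_session_bursts(parse_accepts(SAMPLE_LOG))` reports the single source that opened eight sessions within seconds and ignores the two one-off logins; the threshold and window are tuning knobs for your own bastion's normal traffic.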
Incident 04
Mass Phishing · Consumer Fraud · FIFA 2026
Operation GHOST STADIUM – FIFA World Cup Mass Phishing Campaign
Campaign identified: May 2026 · Tournament window: June 11 – July 19, 2026
Group-IB identified "GHOST STADIUM" – one of the most elaborate sports-event fraud operations ever documented. The campaign spans six distinct fraud schemes, four independent threat actor groups, and over 3,500 fraudulent domains impersonating FIFA's official infrastructure. The fake sites are full-ecosystem replicas: HTML pulled from attacker servers while legitimate FIFA logos and images are loaded directly from real FIFA URLs, making them visually indistinguishable.
Over 150 million ticket requests were submitted in the first 14 days of the sales window – the urgency scammers exploit most effectively. Victims entering credentials risk having real tickets stolen and scalped. Others are tricked into direct wire transfers for nonexistent tickets. With the World Cup opening June 11 across the U.S., Canada, and Mexico, this campaign is live and accelerating right now.
Ticket requests: 150M+ (14 days)
🎯 Action item: Push an employee and client awareness alert now – GHOST STADIUM domains are live. Only interact with FIFA through the officially bookmarked URL. Enable 2FA on FIFA accounts. For MSSPs/MSPs: this is a client-facing awareness opportunity your team should be communicating this week.
Incident 05
Nation-State Espionage · Telecom · Zero-Day
UNC3886 Compromises All Four Singapore Telecoms – Operation CYBER GUARDIAN
Disclosed: February 2026 · Counteroperation duration: 11 months
Singapore's Cyber Security Agency disclosed that China-linked threat group UNC3886 had successfully breached all four of the country's major telecommunications providers in a single sustained espionage campaign. The attackers used zero-day exploits and rootkits to establish deep, persistent access – silently monitoring communications infrastructure, not merely stealing data.
The discovery triggered CYBER GUARDIAN – Singapore's largest-ever cybersecurity counteroperation – running for eleven months to fully evict the attackers and harden all affected networks. UNC3886 is known across the Asia-Pacific for operating inside victim environments for extended periods without triggering detection. The lesson: even the most digitally advanced, security-conscious nations can host silent adversaries for nearly a year.
Methods: Zero-days + Rootkits
Action item: Nation-state actors targeting critical infrastructure play the long game – persistent, silent, patient. Your detection and response must be calibrated for low-and-slow lateral movement over weeks, not just rapid-onset attacks. For telecom and critical infrastructure clients: invest in anomaly-based behavioral detection and zero-trust network segmentation now.
The Signal Behind the Noise
Five incidents. Five different sectors. One message repeating across all of them: the human layer is the attack surface, and the cloud is the blast radius.
Social engineering has fully replaced brute force as the primary entry point. One compromised SSO credential now opens your Salesforce, Slack, Zendesk, and every connected SaaS platform. And as of May 2026, an AI agent can autonomously pivot through all of that and exfiltrate your database before your team finishes triaging the first alert.
The biggest risk in your organization is not a zero-day sitting in a dark forum. It's the phone call your office manager answers on a Tuesday afternoon. Train for that. Patch for this. And stay spoonable. 🥄
Until next month,
Lori Imdad
LA Imdad · Just a Spoonful
Just a Spoonful · A Cybersecurity Newsletter by LA Imdad
laimdad.com · inquiries@laimdad.com · Gulfport, MS
© 2026 Lori Imdad LLC. All rights reserved.
Sources: SecurityWeek · CyberInsider · BleepingComputer · Sysdig TRT · FBI FLASH Alert (IC3.gov) · Group-IB · CISA KEV · CSIS Significant Cyber Incidents · The Hacker News