Weekly Cyber Threat Digest: May 4th – Major Breaches, AI-Powered Attacks, and Critical Patches

From Moocchen, the free encyclopedia of technology

Introduction

This week's cyber threat landscape has been marked by significant breaches at major organizations, the emergence of AI-driven attack tools, and critical vulnerabilities that demand immediate attention. From medical device maker Medtronic to video platform Vimeo, attackers continue to exploit weaknesses across sectors. Meanwhile, researchers have uncovered novel threats leveraging artificial intelligence for phishing and supply chain attacks. Below is a detailed breakdown of the top incidents, AI threats, and patches for the week of May 4th.

Source: research.checkpoint.com

Major Attacks and Data Breaches

Medtronic Discloses Corporate Cyberattack

Global medical device manufacturer Medtronic has reported a cyberattack on its corporate IT systems. An unauthorized party gained access to sensitive data, though the company emphasizes that its products, operations, and financial systems remain unaffected. The threat group ShinyHunters has claimed responsibility, alleging the theft of 9 million records. Medtronic is currently assessing the scope of the data exposure.

Vimeo Breach via Analytics Vendor

Video hosting platform Vimeo confirmed a data breach resulting from a compromise at its analytics vendor Anodot. Exposed information includes internal operational details, video titles and metadata, and a limited number of customer email addresses. Critically, passwords, payment data, and actual video content were not accessed. Vimeo has notified affected users.

Robinhood Abused in Phishing Campaign

Threat actors abused the account-creation flow of online trading platform Robinhood to run a phishing campaign. Attacker-controlled text entered in a user-supplied Device field during signup was reflected into emails sent from Robinhood's official mailing account, so the messages carried links to fraudulent sites yet passed standard sender checks, since they genuinely originated from Robinhood's own infrastructure. Robinhood states that no accounts or funds were compromised and has since remediated the vulnerable field.
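The Robinhood case is a reflected-input problem: a value the user types during signup ends up, unchanged, in an email the platform itself sends, and sender authentication cannot help because the sender is legitimate. As an added example, not Robinhood's code, the Python below renders a signup-confirmation template the vulnerable way beside a hardened version that allow-lists the field and HTML-escapes it on output. The field name, the template text and the lure string are constructed for illustration.

```python
import html
import re
from string import Template

# Constructed example: a signup form lets the user label the device they are
# registering, and that label is echoed into the confirmation email that the
# platform sends from its own, fully authenticated mail infrastructure.

# A device label has no business containing a link or a bare domain.
LINK_RE = re.compile(
    r"(https?://|www\.|\b\S+\.(?:com|net|org|io|xyz|top|app)\b)", re.IGNORECASE
)
# Allow-list: letters, digits, space and a few punctuation marks, 1-40 chars.
DEVICE_RE = re.compile(r"[A-Za-z0-9 ._'-]{1,40}")

TEMPLATE = Template(
    "<p>A new device was added to your account:</p><p><b>$device</b></p>"
    "<p>If this was not you, contact support through the app.</p>"
)

# Constructed lure of the kind an attacker would type into the field.
LURE = "Verify now at https://rh-secure-login.invalid/reset"


class RejectedInput(ValueError):
    """Raised when a field value fails validation."""


def render_email_vulnerable(device: str) -> str:
    # Vulnerable: the user-supplied label is dropped straight into the body,
    # so an attacker-chosen URL goes out under the platform's own sender.
    return TEMPLATE.substitute(device=device)


def validate_device_name(device: str) -> str:
    device = device.strip()
    if not DEVICE_RE.fullmatch(device):
        raise RejectedInput("device label has disallowed characters or length")
    if LINK_RE.search(device):
        raise RejectedInput("device label must not contain a link or domain")
    return device


def render_email_hardened(device: str) -> str:
    # Hardened: reject anything that is not a plausible device label, then
    # escape on output so even allowed characters cannot break the markup.
    return TEMPLATE.substitute(device=html.escape(validate_device_name(device)))


def is_accepted(device: str) -> bool:
    try:
        validate_device_name(device)
        return True
    except RejectedInput:
        return False


if __name__ == "__main__":
    print("vulnerable:", render_email_vulnerable(LURE))
    print("hardened accepts lure:", is_accepted(LURE))
    print("hardened:", render_email_hardened("Bob's iPhone"))
```

The allow-list is the real control; the link check is a second line of defence for labels that still look like text (a bare domain such as `secure-login.xyz`), and escaping on output is what keeps the template safe if the allow-list is later relaxed.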

Trellix Source Code Repository Breach

Endpoint security and XDR vendor Trellix suffered a source code repository breach after attackers accessed a portion of its internal code. The company has engaged forensic experts and law enforcement. To date, there is no evidence of product tampering, pipeline compromise, or active exploitation of the stolen code.

Artificial Intelligence Threats

Critical Flaw in Cursor Code Environment

Researchers have identified CVE-2026-26268, a vulnerability in the Cursor AI code editor that allows remote code execution when its AI agent operates on a cloned repository prepared by an attacker. The attack chain leverages Git hooks and bare repositories to run attacker-supplied scripts with the developer's privileges, potentially exposing source code, API tokens, and internal tools on the workstation.
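A practitioner who lets an AI agent loose on untrusted clones wants a pre-flight check before the agent executes any git or build command inside the checkout. The Python below is an added example, not Cursor's code and not a reproduction of the CVE-2026-26268 exploit chain: it walks a checkout looking for the building blocks the advisory names, that is, executable hook scripts in any git directory found in the tree, nested bare repositories, a `core.hooksPath` override, and `.git` files that redirect git to another directory. The checkout it scans is constructed in a temporary directory.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Added example: generic hook-tripwire scan for a freshly cloned checkout.
GIT_DIR_MARKERS = {"HEAD", "objects", "refs"}


def is_git_dir(p: Path) -> bool:
    """True for a .git directory or a bare repository (both carry these entries)."""
    return p.is_dir() and GIT_DIR_MARKERS.issubset({c.name for c in p.iterdir()})


def live_hooks(git_dir: Path):
    """Hook scripts git would actually run: executable and not *.sample."""
    hooks = git_dir / "hooks"
    if hooks.is_dir():
        for h in sorted(hooks.iterdir()):
            if h.is_file() and not h.name.endswith(".sample") and os.access(h, os.X_OK):
                yield h


def hooks_path_override(git_dir: Path) -> Optional[str]:
    """Return core.hooksPath from the git dir's config file, if set."""
    cfg = git_dir / "config"
    if not cfg.is_file():
        return None
    section = None
    for raw in cfg.read_text(errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "core" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "hookspath":
                return value
    return None


def scan_checkout(root: str) -> List[str]:
    root_path = Path(root)
    findings: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()
        d = Path(dirpath)
        if is_git_dir(d):
            rel = d.relative_to(root_path)
            if d != root_path / ".git":
                findings.append(f"nested git dir or bare repo: {rel}")
            for h in live_hooks(d):
                findings.append(f"executable hook: {h.relative_to(root_path)}")
            override = hooks_path_override(d)
            if override is not None:
                findings.append(f"core.hooksPath override in {rel / 'config'}: {override}")
            dirnames[:] = []  # no need to descend into git internals
        if ".git" in filenames:  # a .git *file* redirects git to another gitdir
            gitfile = d / ".git"
            findings.append(f".git file redirect at {gitfile.relative_to(root_path)}: "
                            f"{gitfile.read_text().strip()}")
    return findings


def build_sample_checkout() -> str:
    """Constructed sample: clean top-level .git; a bare repo under vendor/ with an
    executable post-checkout hook and a hooksPath override; a plugin/ directory
    whose .git file points at that bare repo."""
    root = Path(tempfile.mkdtemp(prefix="agent-preflight-"))

    def make_git_dir(p: Path, hook: Optional[str] = None, hooks_path: Optional[str] = None):
        (p / "objects").mkdir(parents=True)
        (p / "refs").mkdir()
        (p / "HEAD").write_text("ref: refs/heads/main\n")
        cfg = "[core]\n\trepositoryformatversion = 0\n"
        if hooks_path:
            cfg += f"\thooksPath = {hooks_path}\n"
        (p / "config").write_text(cfg)
        if hook:
            (p / "hooks").mkdir()
            script = p / "hooks" / hook
            script.write_text("#!/bin/sh\n# constructed stand-in for a payload\necho pwned\n")
            script.chmod(script.stat().st_mode | stat.S_IXUSR)

    make_git_dir(root / ".git")
    (root / "README.md").write_text("# demo project\n")
    make_git_dir(root / "vendor" / "lib.git", hook="post-checkout", hooks_path="hooks")
    (root / "plugin").mkdir()
    (root / "plugin" / ".git").write_text("gitdir: ../vendor/lib.git\n")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_checkout()
    try:
        for finding in scan_checkout(sample):
            print("FINDING:", finding)
    finally:
        shutil.rmtree(sample)
```

Any finding should stop the agent until a human has looked; a regular `git clone` does not transfer hooks or config, so a live hook or a hooksPath override inside a fresh checkout is never benign by accident.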


Bluekit: AI-Powered Phishing-as-a-Service

A new phishing-as-a-service platform called Bluekit has been uncovered. It bundles over 40 templates and an AI Assistant that uses GPT-4.1, Claude, Gemini, Llama, and DeepSeek. The toolkit centralizes domain setup, realistic login clones, anti-analysis filters, real-time session monitoring, and Telegram-based exfiltration, lowering the barrier for attackers.
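Telegram's Bot API is a convenient exfiltration channel because the traffic is ordinary HTTPS to a well-known host, but it has a distinctive shape: the bot token sits in the URL path, followed by the API method. As an added example, not taken from the Bluekit report, the Python below runs that check over a few constructed proxy-log lines, flags Bot API calls that can carry data out, and fingerprints the token for correlation without writing it to the alert. The log format is a constructed simplification and the token is fake.

```python
import hashlib
import re
from typing import Dict, List

# Telegram Bot API calls embed the bot token in the path: /bot<id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Methods that move data from the victim side to the operator's chat.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}

# Constructed proxy log lines: epoch, client IP, HTTP method, URL, status.
# The bot token is fake; addresses are private ranges.
SAMPLE_LOG = """\
1714780001.123 10.0.4.17 GET https://api.telegram.org/bot1234567890:FAKEtoken_for_example_only/sendMessage?chat_id=-1001&text=cred+dump 200
1714780002.456 10.0.4.17 POST https://api.telegram.org/bot1234567890:FAKEtoken_for_example_only/sendDocument 200
1714780003.789 10.0.4.17 GET https://api.telegram.org/bot1234567890:FAKEtoken_for_example_only/getMe 200
1714780004.000 10.0.4.22 GET https://web.telegram.org/a/ 200
1714780005.000 10.0.4.31 GET https://example.com/index.html 200
"""


def token_fingerprint(bot_id: str, secret: str) -> str:
    """Stable identifier for correlating alerts that does not reveal the secret."""
    return hashlib.sha256(f"{bot_id}:{secret}".encode()).hexdigest()[:12]


def detect_bot_api_exfil(log_text: str) -> List[Dict[str, str]]:
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the detector
        ts, client, _http_method, url, _status = parts[:5]
        m = BOT_API_RE.search(url)
        if not m or m.group("method") not in EXFIL_METHODS:
            continue  # normal Telegram use, or a read-only Bot API call
        hits.append({
            "ts": ts,
            "client": client,
            "api_method": m.group("method"),
            "bot_id": m.group("bot_id"),
            "token_fp": token_fingerprint(m.group("bot_id"), m.group("secret")),
            "url": url.replace(m.group("secret"), "[REDACTED]"),
        })
    return hits


def exfil_counts_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect_bot_api_exfil(SAMPLE_LOG):
        print(hit)
    print(exfil_counts_by_client(detect_bot_api_exfil(SAMPLE_LOG)))
```

Matching on the `bot<id>:<secret>` path rather than on the host alone keeps ordinary Telegram web or desktop traffic out of the alert, and the fingerprint lets you tie hits from several hosts to one operator token.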

AI-Enabled Supply Chain Attack via Claude Opus

Researchers demonstrated a novel supply chain attack where Anthropic's Claude Opus co-authored a code commit that introduced the PromptMink malware into an open-source autonomous crypto trading project. The hidden dependency stole credentials, established persistent SSH access, and exfiltrated source code, enabling wallet takeover.

Vulnerabilities and Patches

Microsoft Entra ID Privilege Escalation Fixed

Microsoft has patched a privilege escalation flaw in Microsoft Entra ID that allowed holders of the Agent ID Administrator role, a role intended for managing AI agent identities, to take over any service account. A published proof-of-concept demonstrates how an attacker with that role could add credentials to a service principal and then impersonate privileged identities. Because Entra ID is a cloud service, the fix is applied on Microsoft's side; organizations should nonetheless review who holds the Agent ID Administrator role and audit credential additions to service principals made before the fix.
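Since the fix is Microsoft's to deploy, the actionable part for a tenant is the audit: which identities hold the Agent ID Administrator role, and which service principals they have added credentials to, with particular attention to targets that are not agent identities at all. The Python below is an added example, not a Microsoft or Check Point tool. It runs that check over constructed audit events in a simplified shape loosely modelled on Entra ID audit-log fields (`activityDisplayName`, `initiatedBy`, `targetResources`); role membership and the inventory of legitimate agent identities are supplied as inputs that a real run would pull from Microsoft Graph, and the activity names should be verified against your own tenant's logs.

```python
from typing import Dict, List, Set

# Audit activities that attach a new secret or certificate to an identity.
# Names as they appear in Entra ID audit logs; verify against your tenant.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Constructed inputs, not real tenant data. In production these come from
# Graph: role assignments, your own inventory of agent identities, audit logs.
ROLE_MEMBERS: Dict[str, Set[str]] = {
    "Agent ID Administrator": {"agent-ops@contoso.example"},
}
AGENT_IDENTITIES: Set[str] = {"Helpdesk-Triage-Agent"}

AUDIT_EVENTS = [
    {   # expected: role holder rotates a secret on an actual agent identity
        "activityDateTime": "2026-05-02T09:14:00Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "agent-ops@contoso.example"}},
        "targetResources": [{"displayName": "Helpdesk-Triage-Agent", "type": "ServicePrincipal"}],
    },
    {   # the escalation pattern: same role holder adds a credential to an unrelated SP
        "activityDateTime": "2026-05-02T09:21:00Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "agent-ops@contoso.example"}},
        "targetResources": [{"displayName": "Payroll-Sync", "type": "ServicePrincipal"}],
    },
    {   # a different admin doing the same thing is out of scope for this check
        "activityDateTime": "2026-05-02T10:02:00Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "cloud-admin@contoso.example"}},
        "targetResources": [{"displayName": "Backup-Worker", "type": "ServicePrincipal"}],
    },
    {   # not a credential operation
        "activityDateTime": "2026-05-02T10:30:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "agent-ops@contoso.example"}},
        "targetResources": [{"displayName": "jdoe@contoso.example", "type": "User"}],
    },
]


def initiator_of(event: dict) -> str:
    """Actor UPN for user-initiated events, app display name otherwise."""
    by = event.get("initiatedBy", {})
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def flag_credential_additions(events: List[dict], role_members: Dict[str, Set[str]],
                              agent_identities: Set[str],
                              role: str = "Agent ID Administrator") -> List[Dict[str, str]]:
    members = role_members.get(role, set())
    flagged: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        actor = initiator_of(ev)
        if actor not in members:
            continue
        for target in ev.get("targetResources", []):
            name = target.get("displayName", "<unknown>")
            # A role scoped to agent identities touching anything else is the pattern to chase.
            severity = "medium" if name in agent_identities else "high"
            flagged.append({
                "time": ev.get("activityDateTime", ""),
                "actor": actor,
                "target": name,
                "activity": ev["activityDisplayName"],
                "severity": severity,
            })
    return flagged


if __name__ == "__main__":
    for row in flag_credential_additions(AUDIT_EVENTS, ROLE_MEMBERS, AGENT_IDENTITIES):
        print(row)
```

Every hit deserves a look, but the high-severity rows are the ones that match the proof-of-concept: a credential added by an agent-role holder to a service principal that was never an agent. For those, rotate the credential and check sign-in logs for the new secret being used.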

Critical cPanel Authentication Bypass Under Active Exploitation

cPanel has addressed CVE-2026-41940, a critical authentication bypass in cPanel and WHM that allows full administrative control without valid credentials. The vulnerability was exploited in the wild as a zero-day before the fix was available. Administrators should update without delay and, given the prior exploitation, review access logs for administrative logins they cannot account for.

Conclusion

The week of May 4th underscores the evolving nature of cyber threats, from large-scale data breaches to sophisticated AI-driven attacks and critical system vulnerabilities. Organizations must remain vigilant, apply patches promptly, and review their security postures to defend against these emerging risks. Stay tuned for next week's threat intelligence update.