Cybersecurity Incidents and Developments from Mid-May 2026

The video covers multiple cybersecurity incidents and developments from mid-May 2026, focusing on software supply chain attacks. A major rewrite of the JavaScript runtime Bun was merged, involving over a million code changes from Zig to Rust, raising concerns about production stability. RubyGems faced a spam attack on May 12, 2026, where 500 malicious packages were published in a DDoS-style assault, forcing a four-day account registration freeze. The mini Shai Hulud worm compromised 84 packages in the TanStack NPM namespace on May 11, 2026, using GitHub Actions cache poisoning and OIDC token extraction, later expanding to 373 packages across 169 namespaces. The worm included destructive payloads, such as a geographic kill switch triggering rm -rf if systems matched targeted regions, and a dead-man switch revoking GitHub tokens. A competition was announced, offering $1,000 in crypto for the largest supply chain attack using the open-sourced worm. Apple introduced end-to-end encryption for RCS messaging in iOS 26.5, while a 15-year-old Nginx vulnerability (CVE-2026-42945, CVSS 9.2) enabling RCE/DOS was disclosed.