DirtyDecrypt PoC Released — Security News 2026-05-19 briefing

Quick answer

On May 19, 2026, the clearest event-driven development was the release of DirtyDecrypt proof-of-concept code for Linux kernel CVE-2026-31635, alongside a CISA advisory focused on Kieback & Peter DDC building controllers. The same coverage window also highlighted a scheduled Drupal core security release, a compromised Nx Console extension, malicious AntV npm packages, and an OAuth consent phishing campaign that bypasses MFA.

Key facts

Fact | Publisher | Source
PoC exploit code was released for Linux kernel CVE-2026-31635 LPE. | feeds.feedburner.com | https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html
CISA emphasized OT zoning and firewalls for Kieback & Peter DDC controllers. | cisa.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05
Drupal planned a core security release for May 20, 2026, from 5-9 p.m. UTC. | feeds.feedburner.com | https://thehackernews.com/2026/05/drupal-to-release-urgent-core-security.html
A compromised Nx Console 18.95.0 targeted VS Code users with credential theft. | feeds.feedburner.com | https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
Malicious AntV-related npm packages were tied to a compromised maintainer account. | feeds.feedburner.com | https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html
EvilTokens was linked to OAuth consent phishing that bypasses MFA protections. | feeds.feedburner.com | https://thehackernews.com/2026/05/the-new-phishing-click-how-oauth.html

TL;DR

DirtyDecrypt moved this coverage window from patch status to exploitation relevance after proof-of-concept code was reported as public. At the same time, CISA's Kieback & Peter advisory kept operational technology exposure in focus, while the rest of the day clustered around supply-chain compromise, identity abuse, and pending CMS patching.

Why it matters

The May 19 set is notable because it spans both enterprise infrastructure and developer ecosystems. One side is operational resilience in building automation; the other is the rapid weaponization or distribution risk seen in Linux privilege escalation research, compromised extensions, malicious npm packages, and OAuth consent phishing.

Key entities

Type | Items
Dates | 2026-05-19, 2026-05-20, 2026-05-09
Publishers | cisa.gov, feeds.feedburner.com, NIST, Microsoft, Google
Main topics | DirtyDecrypt, Kieback & Peter DDC, Drupal, Nx Console, AntV, EvilTokens

What changed

DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

This is the strongest event-based headline because the change is explicit: feeds.feedburner.com reports that PoC exploit code was released for a recently patched Linux kernel flaw that could allow local privilege escalation. It also adds timing context by saying the issue was reported on May 9, 2026, which sharpens the story from vulnerability awareness to exploitability pressure. NIST is cited as the vulnerability database for CVE records and severity metadata, and Microsoft and Google appear in the draft as reference anchors rather than substantive reporting, so the cross-source picture shows breadth of mention but uneven depth rather than a direct contradiction.

Kieback & Peter DDC Building Controllers

cisa.gov frames this cluster around defensive architecture rather than a single dramatic exploit claim: the advisory says the system is protected by dividing operational technology zones with firewalls, and that building automation systems should not be directly accessible from untrusted networks. cisa.gov also ties that design to organizational safety-management measures, which makes the advisory more about exposure reduction and operational discipline than a one-line patch announcement. One remediation line in the provided fact set refers to Siemens preparing fixes; in this draft it reads as adjacent security guidance rather than a clearly matched Kieback & Peter product detail.

Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare

feeds.feedburner.com reports a defined timing window: Drupal intended to release a core security update on May 20, 2026, from 5-9 p.m. UTC. That makes this cluster less about a disclosed technical root cause and more about response readiness, especially because the source says exploits might be developed within hours or days. The significance is scheduling certainty paired with vulnerability ambiguity.

Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

feeds.feedburner.com describes this as a compromised developer tool distribution issue, naming rwl.angular-console version 18.95.0 and noting more than 2.2 million installations. That combination matters because it joins a specific bad version to a large potential blast radius. The practical signal is not just compromise, but trust erosion in a widely used editor extension path.

Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

feeds.feedburner.com places this inside an ongoing software supply-chain wave and ties it to packages associated with the @antv ecosystem. The strongest concrete detail is the compromised maintainer account and the mention of echarts-for-react with roughly 1.1 million weekly usage, which suggests scale even though the draft does not enumerate every affected package. This cluster reinforces that maintainer-account compromise remains a high-leverage attack path.

The New Phishing Click: How OAuth Consent Bypasses MFA

feeds.feedburner.com says EvilTokens went live in February 2026 and links it to OAuth consent abuse rather than classic password theft. That matters because the user action being abused is approval, not credential entry alone, which changes how defenders think about MFA coverage. In this briefing set, it functions as the identity-layer counterpart to the day's code and package trust issues.

Cross-source signals

Only one cluster, DirtyDecrypt, appears across multiple publishers in the draft, but the support is asymmetrical. feeds.feedburner.com carries the substantive narrative, while NIST, Microsoft, and Google mainly serve as institutional reference points, so the signal is better read as topic gravity than full independent confirmation.

What to check now

The most immediate operational watchpoint is whether the Drupal release window on May 20 changes downstream risk or update urgency. The clearest strategic pattern across the rest of the set is acceleration from disclosure to exploitability or from trusted distribution to malicious delivery.

What to watch next

Watch for follow-on reporting that turns advisory language into confirmed exploitation details, especially around DirtyDecrypt and building automation exposure. Also watch whether extension, npm, or OAuth-themed attacks expand from isolated cases into repeated campaign patterns.

How to use this

  1. Lead with DirtyDecrypt as the cleanest event headline.
  2. Use Kieback & Peter as the operational-technology risk and mitigation frame.
  3. Group Drupal, Nx Console, AntV, and OAuth consent phishing as the broader readiness and trust theme.

AI answer summary

The May 19 coverage is anchored by one exploitability milestone and several trust-boundary failures. DirtyDecrypt is the sharpest headline, while Kieback & Peter, Drupal, Nx Console, AntV, and EvilTokens show how infrastructure, software supply chains, and identity workflows were all under pressure in the same cycle.

Source appendix

Per-source summary

This briefing on Security News 2026-05-19 is based on evidence collected from 5 sources (feeds.feedburner.com, cisa.gov, NIST, Microsoft, Google).
Each section is organized so you can compare topic, context, key points, verification points, and action angle at a glance.

What changed

feeds.feedburner.com - 2026-05-19

DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

Summary bullets

  • Main topic: DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
  • Source context: feeds.feedburner.com RSS item reviewed for the 2026-05-19 window.
  • Key points: Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that…
  • Verification points: Check whether feeds.feedburner.com's framing is limited to the 2026-05-19 snapshot and whether later updates change the…
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: feeds.feedburner.com uses "DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is Proof-of-concept (PoC)…

Source: https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html

cisa.gov - 2026-05-19

Kieback & Peter DDC Building Controllers

Summary bullets

  • Main topic: Kieback & Peter DDC Building Controllers
  • Source context: cisa.gov RSS item reviewed for the 2026-05-19 window.
  • Verification points: Check whether cisa.gov's framing is limited to the 2026-05-19 snapshot and whether later updates change the conclusion.
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: cisa.gov uses "Kieback & Peter DDC Building Controllers" to frame one evidence-backed angle on Security News 2026-05-19.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05

cisa.gov - 2026-05-19

Siemens RUGGEDCOM APE1808 Devices

Summary bullets

  • Main topic: Siemens RUGGEDCOM APE1808 Devices
  • Source context: cisa.gov RSS item reviewed for the 2026-05-19 window.
  • Verification points: Check whether cisa.gov's framing is limited to the 2026-05-19 snapshot and whether later updates change the conclusion.
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: cisa.gov uses "Siemens RUGGEDCOM APE1808 Devices" to frame one evidence-backed angle on Security News 2026-05-19.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-02

cisa.gov - 2026-05-19

ABB CoreSense HM and CoreSense M10

Summary bullets

  • Main topic: ABB CoreSense HM and CoreSense M10
  • Source context: cisa.gov RSS item reviewed for the 2026-05-19 window.
  • Verification points: Check whether cisa.gov's framing is limited to the 2026-05-19 snapshot and whether later updates change the conclusion.
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: cisa.gov uses "ABB CoreSense HM and CoreSense M10" to frame one evidence-backed angle on Security News 2026-05-19.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-01

cisa.gov - 2026-05-19

ScadaBR

Summary: cisa.gov uses "ScadaBR" to frame one evidence-backed angle on Security News 2026-05-19.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03

cisa.gov - 2026-05-19

ZKTeco CCTV Cameras

Summary bullets

  • Main topic: ZKTeco CCTV Cameras
  • Source context: cisa.gov RSS item reviewed for the 2026-05-19 window.
  • Verification points: Check whether cisa.gov's framing is limited to the 2026-05-19 snapshot and whether later updates change the conclusion.
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: cisa.gov uses "ZKTeco CCTV Cameras" to frame one evidence-backed angle on Security News 2026-05-19.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04

feeds.feedburner.com - 2026-05-19

The New Phishing Click: How OAuth Consent Bypasses MFA

Summary bullets

  • Main topic: The New Phishing Click: How OAuth Consent Bypasses MFA
  • Source context: feeds.feedburner.com RSS item reviewed for the 2026-05-19 window.
  • Key points: In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. / Within five weeks, it had com…
  • Verification points: Check whether feeds.feedburner.com's framing is limited to the 2026-05-19 snapshot and whether later updates change the…
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: feeds.feedburner.com uses "The New Phishing Click: How OAuth Consent Bypasses MFA" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is In February 2026, a phishing-as-a-service (P…

Source: https://thehackernews.com/2026/05/the-new-phishing-click-how-oauth.html

feeds.feedburner.com - 2026-05-19

Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare

Summary bullets

  • Main topic: Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare
  • Source context: feeds.feedburner.com RSS item reviewed for the 2026-05-19 window.
  • Key points: Drupal has issued an alert stating that it intends to release a "core security release" for all supported branches on M…
  • Verification points: Check whether feeds.feedburner.com's framing is limited to the 2026-05-19 snapshot and whether later updates change the…
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: feeds.feedburner.com uses "Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is Drupal has issued a…

Source: https://thehackernews.com/2026/05/drupal-to-release-urgent-core-security.html

feeds.feedburner.com - 2026-05-19

SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access

Summary bullets

  • Main topic: SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access
  • Source context: feeds.feedburner.com RSS item reviewed for the 2026-05-19 window.
  • Key points: Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email secu…
  • Verification points: Check whether feeds.feedburner.com's framing is limited to the 2026-05-19 snapshot and whether later updates change the…
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: feeds.feedburner.com uses "SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is Critical security…

Source: https://thehackernews.com/2026/05/seppmail-secure-e-mail-gateway.html

feeds.feedburner.com - 2026-05-19

Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

Summary bullets

  • Main topic: Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer
  • Source context: feeds.feedburner.com RSS item reviewed for the 2026-05-19 window.
  • Key points: Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Micr…
  • Verification points: Check whether feeds.feedburner.com's framing is limited to the 2026-05-19 snapshot and whether later updates change the…
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: feeds.feedburner.com uses "Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is Cybersecurity re…

Source: https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html

feeds.feedburner.com - 2026-05-19

Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials

Summary bullets

  • Main topic: Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials
  • Source context: feeds.feedburner.com RSS item reviewed for the 2026-05-19 window.
  • Key points: In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, action…
  • Verification points: Check whether feeds.feedburner.com's framing is limited to the 2026-05-19 snapshot and whether later updates change the…
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: feeds.feedburner.com uses "Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is In yet another…

Source: https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html

feeds.feedburner.com - 2026-05-19

Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Summary bullets

  • Main topic: Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
  • Source context: feeds.feedburner.com RSS item reviewed for the 2026-05-19 window.
  • Key points: Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various np…
  • Verification points: Check whether feeds.feedburner.com's framing is limited to the 2026-05-19 snapshot and whether later updates change the…
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: feeds.feedburner.com uses "Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is Cybersecurity…

Source: https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html

NIST - 2026-05-19

National Vulnerability Database

Summary bullets

  • Main topic: National Vulnerability Database
  • Source context: NIST official source reviewed for the 2026-05-19 window.
  • Key points: vulnerability database for CVE records and severity metadata. / Fallback reference for 2026-05-19 when dated collectors…
  • Verification points: Check whether NIST's framing is limited to the 2026-05-19 snapshot and whether later updates change the conclusion.
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: NIST uses "National Vulnerability Database" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is Official U.S. vulnerability database for CVE records and severity metadata. Fallbac…

Source: https://nvd.nist.gov/

Microsoft - 2026-05-19

Microsoft Security Response Center

Summary bullets

  • Main topic: Microsoft Security Response Center
  • Source context: Microsoft official source reviewed for the 2026-05-19 window.
  • Key points: Official Microsoft security update guide and vulnerability response information. / Fallback reference for 2026-05-19 wh…
  • Verification points: Check whether Microsoft's framing is limited to the 2026-05-19 snapshot and whether later updates change the conclusion.
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: Microsoft uses "Microsoft Security Response Center" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is Official Microsoft security update guide and vulnerability response informa…

Source: https://msrc.microsoft.com/update-guide

Google - 2026-05-19

Google Online Security Blog

Summary bullets

  • Main topic: Google Online Security Blog
  • Source context: Google official source reviewed for the 2026-05-19 window.
  • Key points: Official Google security research, product security, and vulnerability disclosure posts. / Fallback reference for 2026-…
  • Verification points: Check whether Google's framing is limited to the 2026-05-19 snapshot and whether later updates change the conclusion.
  • Action angle: Use this for Security News 2026-05-19 write-ups, briefings, or to define the next verification step.

Summary: Google uses "Google Online Security Blog" to frame one evidence-backed angle on Security News 2026-05-19. For the 2026-05-19 window, the main takeaway is Official Google security research, product security, and vulnerability disclosure pos…

Source: https://security.googleblog.com/

What this means and next actions

Check publication timing, scope limits, and later updates before turning the draft into a stronger conclusion.

FAQ

Q1. What is the main takeaway from May 19?

A. feeds.feedburner.com provided the clearest event update: DirtyDecrypt PoC code for CVE-2026-31635 was reported as released, while cisa.gov anchored the OT side with Kieback & Peter guidance.

Q2. Which item matters most for operational technology teams?

A. cisa.gov highlighted Kieback & Peter DDC building controllers and emphasized OT zoning, firewalls, and keeping BA systems off untrusted networks.

Q3. Which developer supply-chain issues stood out?

A. feeds.feedburner.com reported two major ones: Nx Console 18.95.0 in the VS Code Marketplace and malicious AntV-related npm packages tied to a compromised maintainer account.

Q4. What time-sensitive platform update was flagged?

A. feeds.feedburner.com said Drupal planned a core security release for May 20, 2026, from 5-9 p.m. UTC, with a warning that exploits could follow quickly.

Q5. Where was cross-source coverage strongest?

A. DirtyDecrypt had the broadest footprint across 4 publishers in the draft set: feeds.feedburner.com, NIST, Microsoft, and Google, although the narrative detail mainly came from feeds.feedburner.com.

Sources

  1. DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability - feeds.feedburner.com
  2. Kieback & Peter DDC Building Controllers - cisa.gov
  3. Siemens RUGGEDCOM APE1808 Devices - cisa.gov
  4. ABB CoreSense HM and CoreSense M10 - cisa.gov
  5. ScadaBR - cisa.gov
  6. ZKTeco CCTV Cameras - cisa.gov
  7. The New Phishing Click: How OAuth Consent Bypasses MFA - feeds.feedburner.com
  8. Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare - feeds.feedburner.com
  9. SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access - feeds.feedburner.com
  10. Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer - feeds.feedburner.com
  11. Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials - feeds.feedburner.com
  12. Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account - feeds.feedburner.com
  13. National Vulnerability Database - NIST
  14. Microsoft Security Response Center - Microsoft
  15. Google Online Security Blog - Google
  16. Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps - feeds.feedburner.com

Update log

Last updated: 2026-05-20T11:00:19.169Z
