Here are today’s top cybersecurity stories for Thursday, May 28, 2026.
Carnival Corporation Confirms ~6 Million Customers Affected in ShinyHunters Breach
Carnival Corporation, the world’s largest cruise operator, has confirmed a data breach affecting nearly six million customers. An attacker used social engineering to deceive an employee and access a limited portion of the company’s IT systems on April 14, 2026. The stolen records include names, email addresses, dates of birth, genders, geographic locations, and loyalty program details. ShinyHunters listed Carnival on its pay-or-leak portal in April, and notifications to 5,995,277 affected individuals began May 27. Source: BleepingComputer
ClearFake Campaign Uses BNB Smart Chain Smart Contracts as C2 Infrastructure
Trend Micro researchers have documented a ClearFake campaign leveraging EtherHiding — a technique that stores malicious payloads and routing instructions inside BNB Smart Chain testnet smart contracts. Because the blockchain-based C2 is immutable, it resists takedown. The attack delivers SectopRAT and ACRStealer simultaneously via ClickFix overlays on compromised WordPress sites, with separate payloads for Windows and macOS victims. Source: Trend Micro
CISA Adds Three Supply-Chain KEVs: Daemon Tools Lite, TanStack, and Nx Console
CISA added CVE-2026-8398, CVE-2026-45321, and CVE-2026-48027 to its Known Exploited Vulnerabilities catalog on May 27. CVE-2026-8398 covers trojanized DAEMON Tools Lite installers distributed from the official site between April 8 and May 5, 2026. CVE-2026-45321 covers 84 malicious @tanstack npm package versions published via GitHub Actions OIDC token theft. CVE-2026-48027 covers a malicious Nx Console VS Code extension (version 18.95.0) live for up to 36 minutes on May 19 before removal. Source: CISA
Pretalx CVE-2026-41241: Stored XSS Lets Conference Submitters Guarantee 100% Talk Acceptance
A stored cross-site scripting flaw in Pretalx, the open-source conference CFP management platform, allowed authenticated submitters to inject JavaScript into searchable fields. When an organizer searched the backend, the payload executed in their session and exposed CSRF tokens. Researchers at Novee discovered the flaw while preparing conference submissions; it is patched in Pretalx 2026.1.0. Source: SecurityWeek
PureLogs Infostealer Delivered via PawsRunner Steganography in Cat Photos
Fortinet researchers have documented a phishing campaign delivering the PureLogs information stealer by concealing encrypted payloads inside cat images using steganography. The PawsRunner loader extracts and decrypts the PureLogs payload at runtime. PureLogs steals credentials, cookies, and session tokens from browsers, over 100 crypto wallet extensions, password managers, and communication apps. Source: Help Net Security
OnlyFans 340 Million Records Claim — Experts Identify Recycled Data, Not a Platform Breach
A threat actor listed a dataset of 340 million alleged OnlyFans user records for roughly $76,000. OnlyFans denied any breach, and security experts reviewing the sample found incomplete entries, placeholder values, and field structures consistent with aggregated older leaks rather than a direct platform compromise. Source: Cybernews
Microsoft Shared Dutch Regulatory Officials’ Names with US Congress Under Cloud Act
Microsoft provided Dutch civil servants’ names to the US House of Representatives without redacting them from shared documents. The individuals work at the Authority for Consumers and Markets and the Dutch Data Protection Authority, both enforcing the Digital Services Act. The Dutch government raised the matter directly with the US Ambassador. Source: NL Times
CISA Releases ICS Advisory ICSA-26-148-01
CISA published industrial control system advisory ICSA-26-148-01 on May 28, 2026, addressing newly reported vulnerabilities in ICS, OT, and IoT devices. Operators of industrial infrastructure are urged to review the advisory and apply the recommended mitigations immediately. Source: CISA
Stay tuned for today’s in-depth analysis posts.