"Bad week." — ThreatsDay bulletin
MicroStealer: credential theft hitting education and telecom
A new stealer dubbed MicroStealer, first observed in December 2025, is actively targeting the education and telecom sectors to harvest sensitive material, researchers report. ANY.RUN said the malware "specializes in stealing browser credentials, active session data, screenshots, cryptocurrency wallets, and system information." The campaign uses a multi‑stage delivery chain with low detection rates and rapidly exfiltrates harvested data via Discord webhooks and attacker‑controlled servers.
MicroStealer joins a string of recent campaigns that rely on simple but effective lures — shady installers, typosquatted packages, and malicious ads — underscoring that credential theft remains the fastest path to compromise even as attackers adopt sophisticated tooling.
Microsoft Edge keeps passwords in cleartext memory — local admin can extract them
Security researcher Tom Jøran Sønstebyseter Rønning disclosed that Microsoft Edge decrypts saved credentials at startup and retains them in process memory in plaintext. An attacker with administrative privileges could create a memory dump of Edge’s "browser" sub‑task (for example, via Windows Task Manager) and recover stored passwords even when those sites are not open in the browser.
Microsoft has described this behavior as "by design" to speed sign‑in, and tests noted Edge is the only Chromium‑based browser observed to keep all credentials resident in memory. The researcher’s writeup emphasizes the prerequisite that an attacker already have administrative control of the machine. As VX‑Underground commented, the method "is interesting" but typically indicates a host is already deeply compromised.
Industrial risk: two patched Eclipse BaSyx flaws can bypass segmentation (CVE‑2026‑7411, CVE‑2026‑7412)
Two critical vulnerabilities in Eclipse BaSyx V2 have been disclosed and patched in version 2.0.0‑milestone‑10. CVE‑2026‑7411 (CVSS 10.0) is an unauthenticated path traversal that can write arbitrary files and lead to code execution; CVE‑2026‑7412 (CVSS 8.6) is a blind SSRF that forces the BaSyx server to act as a proxy and issue arbitrary HTTP POST requests.
Mohamed Lemine Ahmed Jidou, founder of AegisSec, told The Hacker News that "by chaining or utilizing these flaws, an external attacker can completely bypass network segmentation." He warned a compromised Digital Twin server could be weaponized to pivot internally and send unauthorized commands directly to isolated PLCs and industrial sensors, posing a concrete threat to manufacturing lines.
AI acceleration, patching cadence, and the three‑day proposal
The rapid adoption of AI in vulnerability discovery has compressed defenders' time to respond. Anthropic CEO Dario Amodei warned there is a narrow window — roughly six to 12 months — to remediate tens of thousands of vulnerabilities found by the company’s Mythos model before competing Chinese AI narrows the gap. Mythos and OpenAI GPT‑5.5 were evaluated as capable of solving multi‑step cyber attack simulations end‑to‑end, and Mythos reportedly surfaced more than 270 flaws in Mozilla Firefox.
That speed is altering patching expectations. Reuters reported U.S. cybersecurity officials are considering trimming the Known Exploited Vulnerabilities (KEV) remediation deadline from three weeks to three days. A Flashpoint study cited in the reporting found the time between disclosure and exploitation fell from 745 days in 2020 to 44 days last year. Ryan Dewhurst, watchTowr's head of threat intelligence, told The Hacker News that "at face value, three days is aggressive" but acknowledged the trend of accelerated exploitation is undeniable.
Vendors and platforms are already responding: Oracle will supplement quarterly Critical Patch Updates with monthly Critical Security Patch Updates (CSPUs), beginning May 28, 2026, citing the "increased pace of AI‑assisted vulnerability disclosures." The change illustrates a shift toward more frequent, focused patch releases for high‑priority flaws.
What this means for technologists, policymakers, and end users
- Technologists and security teams: prioritize rapid detection and patching of high‑risk services (for example, MOVEit Automation — Censys observed fewer than 100 exposed web admin interfaces globally, with nearly two‑thirds in the U.S.), harden endpoints against simple credential theft vectors, and plan for shorter, more frequent patch windows such as Oracle's CSPU cadence beginning May 28, 2026.
- Policymakers and regulators: expect pressure to adopt faster deadlines (the three‑day KEV proposal) and to use enforcement tools already in play — for instance, the FTC’s settlement with Kochava that restricts location‑data sales and requires new data retention schedules.
- End users and administrators: remain skeptical of sponsored search results and ads — Guardio reported phishing through Google sponsored results that flip users to fake ManageWP logins — and watch for mass smishing: Bitdefender Labs has detected more than 79,000 fraudulent messages across Operation Road Trap targeting 12 countries.
The week's reporting draws a clear line: automation and AI are compressing the window between discovery and exploitation, while many successful intrusions still begin with the old reliables — stolen credentials, scam ads, and neglected DNS records. Oracle's new monthly CSPUs start on May 28, 2026; whether defenders, operations teams, and policymakers can align processes and authorities fast enough to meet a proposed three‑day KEV schedule remains the immediate test.
https://thehackernews.com/2026/05/threatsday-bulletin-edge-plaintext.html




