Friday, May 15 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 13-05-2026 00:00 to 15-05-2026 00:00 (UTC)

Snapshot Summary

| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Investigations | Signing keys; ecommerce logs | 2 |
| Cyber Investigations | Canvas agreement; online fraud | 2 |
| Major Cyber Incidents | Foxconn disruption; Nvidia partner breach | 2 |
| Exploits & Threat Intelligence | Cisco zero-day; PraisonAI probing | 3 |
| Law Enforcement | Fraud indictments; exploitation sentencing | 2 |
| Policy & Standards | UK sector analysis; CVE governance | 2 |

Digital Investigations

OpenAI said in the United States [AMER] that two employee macOS devices were breached through the TanStack npm supply-chain attack, prompting certificate rotation and application update guidance. Investigators should correlate endpoint artefacts, package provenance, signing-key exposure, certificate issuance history and downstream build evidence to determine whether compromise remained limited to developer systems (Source: The Record, 14-05-2026).

Škoda Auto warned customers in Europe [EMEA] that its online shop may have exposed personal details after attackers exploited a vulnerability in standard ecommerce portal software. The company took the shop offline, removed the threat and engaged IT forensics and authorities, leaving investigators to reconcile monitoring alerts, access logs, order records and possible exfiltration indicators (Source: TechRadar, 14-05-2026).

Cyber Investigations

Instructure reached an agreement in the United States [AMER/Global] with ShinyHunters after the Canvas breach threatened student and institutional data from thousands of schools. Investigative scrutiny now turns to the claimed proof of deletion, free-teacher-account abuse, customer-extortion assurances, access revocation timing and whether security logs independently support the destruction narrative (Source: Cybersecurity Dive, 13-05-2026).

US prosecutors charged two foreign nationals [AMER/EMEA] over alleged online “Trump Bucks” fraud that targeted victims across the United States using false claims about fake legal tender. The case will depend on digital payment trails, advertising records, domain and communications evidence, victim-contact histories and cross-border attribution links connecting overseas operators to US-facing fraud infrastructure (Source: US Department of Justice, 14-05-2026).

Major Cyber Incidents

Foxconn confirmed in North America [AMER/APAC] that some factories were resuming production after a cyberattack claimed by the Nitrogen ransomware group. Investigators should separate verified operational impact from leak-site pressure by comparing factory downtime, partner notifications, claimed 8TB data theft, schematic exposure assertions and ransomware tooling linked to the ALPHV/BlackCat ecosystem (Source: TechCrunch, 13-05-2026).

Nvidia confirmed in Armenia [APAC/EMEA] that a GeForce NOW regional partner breach affected users registered through GFN.am, while stressing that Nvidia’s core services were not directly compromised. The evidential trail includes partner-system access, dark-web sale claims, user-registration scope, deleted forum postings, disputed ShinyHunters attribution and notification decisions for affected regional accounts (Source: TechRadar, 12-05-2026).

Exploits & Threat Intelligence

Cisco warned globally [Global] that CVE-2026-20182, a critical Catalyst SD-WAN Controller authentication bypass flaw, had been exploited as a zero-day to gain administrative privileges. Network defenders should preserve controller logs, DTLS traffic records, administrative session history and configuration-change artefacts to determine whether exploitation preceded patch deployment or overlapped with earlier SD-WAN intrusion activity (Source: BleepingComputer, 14-05-2026).

Researchers reported globally [Global] that PraisonAI CVE-2026-44338 was probed less than four hours after public disclosure, exposing internet-facing agent-management endpoints. The activity appears consistent with exploitability checks rather than full exploitation, making timestamped web logs, scanner identifiers, endpoint requests and subsequent authentication events critical for separating reconnaissance from attempted compromise (Source: The Hacker News, 14-05-2026).

CISA in the United States [AMER] added a new exploited vulnerability to its Known Exploited Vulnerabilities Catalog after confirming evidence of active exploitation. For investigators, KEV inclusion provides a prioritisation signal for exposure scoping, but host-level artefacts, exploit timing, vulnerable-version inventories and compensating-control evidence remain necessary to prove whether exploitation occurred locally (Source: CISA, 14-05-2026).

Law Enforcement

A Wisconsin man was sentenced in the United States [AMER/APAC] to 13 years for using the internet to sexually exploit a minor in the Philippines. The case illustrates the evidential importance of cross-border communications, device extractions, platform records, payment or travel indicators and victim-identification material when online exploitation spans multiple jurisdictions (Source: US Department of Justice, 14-05-2026).

The National Crime Agency marked a UK most-wanted campaign [EMEA] as part of continuing efforts to locate fugitives linked to serious and organised crime. While not limited to cyber offending, the campaign highlights how modern fugitive work relies on open-source signals, communications traces, financial movement, border records and public reporting channels to refresh investigative leads (Source: National Crime Agency, 14-05-2026).

Policy & Standards

The UK government published its 2026 cyber security sectoral analysis [EMEA], reporting continued sector growth across revenue, gross value added, employment and firm count. For investigation leaders, the figures matter because national capability, specialist labour supply, managed services maturity and evidential tooling capacity all affect how quickly organisations can preserve, analyse and present digital evidence (Source: UK Government, 12-05-2026).

ENISA detailed new CVE Numbering Authorities under its European root [EMEA], expanding regional vulnerability coordination and supporting the transition of European entities into the CVE programme. Stronger CNA coverage improves evidence quality for investigations by standardising vulnerability identifiers, disclosure timelines, affected-product records and cross-CSIRT coordination during exploitation triage (Source: ENISA, 06-05-2026).

Editorial Perspective

This cycle shows why digital investigations now depend on cross-platform evidence correlation rather than single-system analysis. Supply-chain compromise, ecommerce intrusion, regional partner breach and education-platform extortion all require investigators to join endpoint artefacts, application logs, identity events, third-party records and public extortion claims into a defensible sequence. The decisive issue is not simply whether an organisation confirms an incident, but whether the supporting evidence can prove access, scope, impact and remediation.

The stronger investigative organisations will be those that can preserve volatile records before systems are rebuilt, suppliers rotate credentials or attackers remove public claims. Vulnerability coordination and sector capability reporting are also part of this picture, because identifiers, disclosure processes and skilled capacity shape how rapidly evidence can be interpreted. Attribution remains fragile where criminal branding, impostor claims and negotiated deletion assurances are present, so investigators should treat external claims as leads until corroborated by independent technical evidence.

Tags

Digital Investigations, Supply Chain Security, Ransomware, ShinyHunters, Cisco SD-WAN, CISA KEV, PraisonAI, Ecommerce Breach, CVE Governance, Online Fraud
