
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Investigations | Grafana breach, Telegram unlock tools | 2 |
| Cyber Investigations | 7-Eleven breach, Shai-Hulud clones | 2 |
| Major Cyber Incidents | NGINX exploitation, ransomware pressure | 2 |
| Exploits & Threat Intelligence | Windows exploit, AI vulnerability compression | 2 |
| Law Enforcement | INTERPOL arrests, Europol removals | 2 |
| Policy & Standards | FSB AI briefing, DARPA automation | 2 |
Digital Investigations
Grafana confirmed a data breach after a cybercrime group listed the company on its leak site, with the case spanning cloud collaboration evidence and extortion infrastructure in AMER. Investigators should preserve identity logs, repository access records and leak-site artefacts because the reported actor links create useful attribution leads across ShinyHunters, Scattered Spider and Lapsus$-adjacent activity (Source: SecurityWeek, 18-05-2026).
Researchers reported that thieves are using low-cost tools sold through Telegram to unlock stolen iPhones, exposing a mobile-device evidence trail across resale markets and encrypted chats in APAC. The findings matter because handset identifiers, Telegram handles, payment trails and activation records can connect physical theft, platform-enabled services and downstream fraud in a single cross-platform investigation (Source: Help Net Security, 15-05-2026).
Cyber Investigations
7-Eleven confirmed a data breach after ShinyHunters claimed stolen information from systems used to store franchisee documents, with the incident affecting a global retail operator tied to APAC and AMER. Investigators should prioritise document-store access history, April detection timelines, ransom communications and franchisee notification datasets to determine exposure scope and separate verified compromise from leak-site pressure tactics (Source: SecurityWeek, 18-05-2026).
Security researchers reported the first Shai-Hulud worm clones after source code briefly appeared on GitHub and cybercriminals adapted it into fresh package attacks in AMER. The investigation hinges on package typosquatting, credential-upload repositories and botnet behaviour, giving analysts concrete artefacts for tracing developer-environment compromise and distinguishing original worm tradecraft from copycat modifications (Source: SecurityWeek, 18-05-2026).
Major Cyber Incidents
Threat actors began exploiting CVE-2026-42945, a critical NGINX vulnerability that can cause denial of service by default and remote code execution where ASLR is disabled, affecting exposed systems globally in EMEA, AMER and APAC. The incident elevates the value of web-server request logs, crash artefacts, configuration baselines and memory-protection evidence for determining whether exploitation was disruptive only or progressed to command execution (Source: SecurityWeek, 18-05-2026).
A new ransomware pressure report found that double and triple extortion, supply-chain exposure and AI-assisted attacks are increasing recovery complexity for organisations across AMER and EMEA. For investigators, the findings reinforce the need to collect endpoint persistence state, backup integrity records, extortion-channel evidence and disclosure timelines because recovery confidence alone does not prove containment or evidential completeness (Source: Help Net Security, 18-05-2026).
Exploits & Threat Intelligence
A researcher released MiniPlasma, an exploit for CVE-2020-17103 in the Windows Cloud Filter driver, alleging that the privilege-escalation issue may not have been fully resolved, with the reporting focused on AMER. The release gives analysts a concrete exploit chain to test against endpoint telemetry, kernel crash records and patch provenance, particularly where older Windows fleets rely on synchronisation features that touch cloud-backed file systems (Source: SecurityWeek, 18-05-2026).
Help Net Security reported that AI is shrinking vulnerability exploitation windows to hours, increasing the tempo between discovery, proof-of-concept development and active probing across global networks in APAC, EMEA and AMER. Threat hunters should correlate disclosure timestamps with scan telemetry, exploit-kit chatter and asset exposure because attribution and containment increasingly depend on minute-level sequencing rather than traditional daily patch-cycle assumptions (Source: Help Net Security, 18-05-2026).
Law Enforcement
INTERPOL’s Operation Ramz disrupted phishing, malware and cyber-scam networks across the MENA region, resulting in 201 arrests and 382 additional suspects identified in EMEA. The case highlights how financial-loss reporting, phishing infrastructure, seized devices and suspect-link analysis can turn victim complaints into regional intelligence packages suitable for coordinated arrests and asset tracing (Source: Help Net Security, 18-05-2026).
Europol supported an online crackdown targeting an Iran Revolutionary Guard-linked propaganda ecosystem, with authorities referring 14,200 posts and related accounts for platform action across EMEA. Digital investigators should note the importance of preserving takedown referrals, platform response records, account metadata and content hashes before removal, since evidential continuity can otherwise be weakened once public material disappears (Source: Europol, 18-05-2026).
Policy & Standards
Anthropic is set to brief the Financial Stability Board on cyber vulnerabilities identified by its Mythos AI model, with global financial-sector implications across AMER, EMEA and APAC. For investigative teams, the development signals that AI-generated vulnerability findings may soon influence supervisory expectations, requiring stronger provenance records, validation notes and evidence trails for model-assisted discovery and remediation decisions (Source: Reuters, 18-05-2026).
Cybersecurity Dive reported on how a U.S. government contest accelerated automated AI vulnerability discovery for critical infrastructure, centred on DARPA-backed work in AMER. The policy significance is practical: investigators and assurance teams will need defensible logs showing how automated tools produced findings, how humans validated them and how fixes were prioritised against safety-critical systems (Source: Cybersecurity Dive, 18-05-2026).
Editorial Perspective
This cycle reinforces that digital investigations increasingly depend on correlating evidence across leak sites, collaboration platforms, mobile devices, developer ecosystems and regulator-facing records. Evidential integrity now requires earlier capture of volatile artefacts, especially where takedowns, extortion posts or package removals can erase public traces before investigators complete preservation. Teams should treat platform metadata, access logs, content hashes and notification timelines as first-order evidence rather than supporting material.
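The point about capturing volatile artefacts early and treating content hashes as first-order evidence is easiest to see in practice with a small preservation manifest. The following is an added illustration, not code from the newsletter or from any of the sources it cites: it hashes each captured artefact at collection time, records size and a UTC capture timestamp alongside a case identifier, and re-verifies the set later so that a takedown or a post-capture edit shows up as a concrete mismatch rather than a missing screenshot. The file names, the `CASE-PLACEHOLDER` identifier and the artefact contents are all constructed for the demo.

```python
"""Evidence preservation manifest: hash captured artefacts at collection time.

Added example (not from the newsletter or its sources). Records SHA-256,
size and a UTC capture timestamp for each artefact so later verification
can show whether a takedown or edit changed what was collected.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, source_note, case_id):
    """Return a manifest dict describing each artefact as it was at capture time."""
    entries = []
    for p in paths:
        entries.append({
            "path": os.path.basename(p),
            "sha256": sha256_file(p),
            "size_bytes": os.path.getsize(p),
            "captured_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    return {"case_id": case_id, "source_note": source_note, "artefacts": entries}


def verify_manifest(manifest, directory):
    """Re-hash every artefact and list those that are missing or no longer match."""
    mismatches = []
    for entry in manifest["artefacts"]:
        current = os.path.join(directory, entry["path"])
        if not os.path.exists(current):
            mismatches.append((entry["path"], "missing"))
        elif sha256_file(current) != entry["sha256"]:
            mismatches.append((entry["path"], "hash-mismatch"))
    return mismatches


def demo():
    """Constructed demo: capture two artefacts, then simulate a post-capture edit."""
    workdir = tempfile.mkdtemp()
    leak_post = os.path.join(workdir, "leak_post.html")      # constructed file name
    ref_log = os.path.join(workdir, "referral_log.jsonl")    # constructed file name
    with open(leak_post, "w") as fh:
        fh.write("<html>constructed leak-site listing</html>\n")
    with open(ref_log, "w") as fh:
        fh.write('{"post_id": "EXAMPLE-1", "action": "referred"}\n')  # constructed record

    # CASE-PLACEHOLDER stands in for a real case reference.
    manifest = build_manifest([leak_post, ref_log], "constructed capture", "CASE-PLACEHOLDER")
    with open(os.path.join(workdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)

    before = verify_manifest(manifest, workdir)      # nothing changed yet
    with open(leak_post, "a") as fh:
        fh.write("<!-- edited after capture -->\n")  # simulate the page changing
    after = verify_manifest(manifest, workdir)       # the edited artefact is flagged
    return before, after


if __name__ == "__main__":
    print(demo())
```

In a real collection the manifest itself should be hashed and stored separately from the artefacts (for example signed or written to a write-once location), since a manifest that lives beside the evidence can be rewritten together with it.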
AI-assisted vulnerability discovery is also changing investigative readiness because discovery, exploitation and disclosure can compress into hours. Organisations need repeatable methods for validating automated findings, documenting human review and connecting patch decisions to risk evidence. Cross-platform evidence correlation remains the strongest path to attribution, particularly where criminal groups reuse infrastructure, handles, payment channels or social-engineering playbooks across otherwise separate incidents.
Reference Reading
- Grafana Confirms Breach After Hackers Claim They Stole Data
- Exploitation of Critical NGINX Vulnerability Begins
- 201 Arrested in INTERPOL Disruption of Phishing and Fraud Networks
- EU Targets Iran Revolutionary Guard Propaganda Ecosystem in Online Crackdown
- Anthropic to Brief Financial Stability Board on Cyber Flaws Exposed by Mythos
- How a Government Contest Launched a Revolution in AI Vulnerability Discovery
Tags
Digital Investigations, Evidence Preservation, ShinyHunters, Scattered Spider, NGINX, Shai-Hulud, AI Vulnerability Discovery, INTERPOL, Europol, Ransomware, Mobile Forensics, Financial Sector Cyber Risk