
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Investigations | Franchise breach evidence correlation; BreachForums attribution mapping | 2 |
| Cyber Investigations | Telecom malware tracing; repository compromise investigation | 2 |
| Major Cyber Incidents | Retail breach disclosure; telecom espionage expansion | 2 |
| Exploits & Threat Intelligence | Defender exploit activity; Linux privilege escalation risk | 2 |
| Law Enforcement | Criminal VPN dismantled; KimWolf botnet arrest | 2 |
| Policy & Standards | Manufacturing recovery guidance; supply-chain assurance focus | 2 |
Digital Investigations
7-Eleven confirmed that attackers accessed a document-storage system tied to its franchise operations in the United States, while ShinyHunters claimed associated Salesforce data theft and subsequently leaked material [AMER]. Investigators should preserve franchise notifications, cloud audit logs, extortion-site artefacts and regulator filings so that the claimed 9.4 GB exposure can be reconciled against verified personal-information records and the notification thresholds that apply to them. (Source: The Record, 20-05-2026)
Le Monde detailed a French-led investigation into suspected BreachForums operators, allegedly linked to ShinyHunters, following coordinated arrests and cooperation between French and US authorities [EMEA]. The case shows investigators combining seized-device analysis, cryptocurrency tracing, administrator records and alias reuse to separate long-running criminal identities from transient forum operators. (Source: Le Monde, 20-05-2026)
Cyber Investigations
PwC released new intelligence on Red Lamassu infrastructure and JFMBackdoor activity targeting telecommunications and government entities across Asia Pacific, alongside additional reporting on the Showboat Linux implant [APAC]. The research provides investigators with infrastructure overlaps, malware-loading techniques, persistence clues and network indicators useful for correlating telecom espionage campaigns across mixed Windows and Linux environments. (Source: PwC Threat Intelligence, 21-05-2026)
GitHub confirmed a breach involving theft of internal repositories after TeamPCP claimed access to company systems, while stating that customer repositories were not compromised [AMER]. Source-code investigations should examine developer endpoint telemetry, access-token exposure, repository permissions, extension provenance and commit-level anomalies (unsigned or badly signed commits, author identities outside the organisation, mismatched author and committer identities, back-dated timestamps) for evidence of supply-chain tampering or credential misuse. (Source: The Record, 20-05-2026)
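The commit-level checks listed above, as an added worked example; this is not GitHub's tooling and not drawn from the reported incident. It assumes the investigator has run `git log --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%at%x1f%ct%x1f%G?%x1f%s'` in the repository under review and feeds the output to the script; the three commits below are constructed, and the allowed e-mail domain `example.com` and the 7-day back-dating threshold are assumptions.

```python
"""Triage git commit metadata for signs of tampering or credential misuse.

Added example, not GitHub's tooling. Input is the output of (assumed to be run
in the repository being investigated):
  git log --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%at%x1f%ct%x1f%G?%x1f%s'
Fields are separated by the ASCII unit separator (0x1f) so commit subjects
containing spaces or punctuation cannot break the parser.
"""
from dataclasses import dataclass

SEP = "\x1f"


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    author_time: int      # %at, unix seconds
    commit_time: int      # %ct, unix seconds
    sig_status: str       # %G?: G good, B bad, U untrusted, N none, E/X/Y/R other
    subject: str


def parse_log(text):
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(SEP)
        if len(f) != 9:
            raise ValueError(f"unexpected field count {len(f)}: {line[:40]!r}")
        commits.append(Commit(f[0], f[1], f[2], f[3], f[4], int(f[5]), int(f[6]), f[7], f[8]))
    return commits


def triage_commits(text, allowed_domains, max_backdate_days=7):
    """Return (sha, finding-kind, detail) tuples for every suspicious commit."""
    findings = []
    for c in parse_log(text):
        domain = c.author_email.rsplit("@", 1)[-1].lower()
        if domain not in allowed_domains:
            findings.append((c.sha, "author-domain", domain))
        if c.sig_status != "G":                       # anything but a good signature
            findings.append((c.sha, "signature", c.sig_status))
        if c.author_email.lower() != c.committer_email.lower():
            findings.append((c.sha, "author-committer-mismatch", c.committer_email))
        skew = c.commit_time - c.author_time          # large skew suggests rewritten/back-dated history
        if abs(skew) > max_backdate_days * 86400:
            findings.append((c.sha, "timestamp-skew", f"{skew // 86400}d"))
    return findings


def _row(*fields):
    return SEP.join(fields)


# Constructed sample log (not real commits): one clean commit, one committed by an
# unknown identity without a signature, one from a look-alike domain with a
# back-dated author timestamp.
SAMPLE_LOG = "\n".join([
    _row("a" * 40, "Alice Example", "alice@example.com", "Alice Example", "alice@example.com",
         "1700000000", "1700000000", "G", "Fix null check in parser"),
    _row("b" * 40, "Alice Example", "alice@example.com", "deploy", "deploy@external-host.test",
         "1700086400", "1700086400", "N", "Update dependency lockfile"),
    _row("c" * 40, "Alice Example", "alice@examp1e.com", "Alice Example", "alice@examp1e.com",
         "1690000000", "1700172800", "N", "Add telemetry endpoint"),
])

if __name__ == "__main__":
    for sha, kind, detail in triage_commits(SAMPLE_LOG, {"example.com"}):
        print(f"{sha[:12]} {kind:28s} {detail}")
```

Each finding is a lead, not a verdict: a rebase legitimately produces author/committer mismatches and many projects never sign commits, so the value lies in comparing the flagged commits against the repository's own baseline and the endpoint and token evidence collected alongside.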
Major Cyber Incidents
BleepingComputer reported that 7-Eleven confirmed a cyberattack after ShinyHunters claimed theft of franchise-related data from systems supporting retail operations across multiple regions [AMER]. The incident requires careful comparison of breach notices, leaked records, Salesforce artefacts and extortion-site disclosures to determine whether the exposed material contains regulated customer or franchisee information. (Source: BleepingComputer, 19-05-2026)
Dark Reading reported that Chinese APT operators deployed the Showboat Linux backdoor during espionage activity targeting telecommunications providers in Central Asia and neighbouring regions [APAC]. Investigators should prioritise network captures, ELF binary analysis, authentication records and management-plane telemetry to establish persistence timelines and identify lateral movement into telecom infrastructure. (Source: Dark Reading, 21-05-2026)
Exploits & Threat Intelligence
Microsoft began patching two actively exploited Defender vulnerabilities, CVE-2026-41091 and CVE-2026-45498, after public reporting linked exploitation attempts to prior Defender bypass research [AMER]. Investigators should retain Defender operational logs, tamper-protection events, exploit traces and post-remediation baselines so that opportunistic exploitation can be distinguished from coordinated intrusion activity. (Source: The Hacker News, 21-05-2026)
Qualys disclosed CVE-2026-46333, a Linux kernel ptrace-path vulnerability that can expose credentials and enable local privilege escalation across multiple enterprise distributions [AMER]. Because the flaw is local, hosts where untrusted users or CI jobs already hold unprivileged code execution should be prioritised; investigators should treat cached credentials, CI runners, SSH host keys and multi-tenant workloads on those systems as potentially compromised until patch validation and credential rotation are complete. (Source: Qualys, 20-05-2026)
Law Enforcement
Europol announced a coordinated operation that dismantled First VPN, a criminal VPN service allegedly used by ransomware operators and data-theft groups across multiple investigations [EMEA]. The seizure provides investigators with infrastructure evidence, subscriber records, payment data and server artefacts that may connect ransomware campaigns previously treated as unrelated incidents. (Source: Europol, 21-05-2026)
The US Department of Justice unsealed charges against a Canadian national accused of administering the KimWolf DDoS botnet following cooperation between US and international authorities [AMER]. Device images, traffic captures, payment histories and seized command infrastructure are expected to support attribution analysis linking customers to large-scale distributed denial-of-service campaigns. (Source: US Department of Justice, 21-05-2026)
Policy & Standards
NIST released draft SP 1800-41 for public comment, outlining cybersecurity guidance for responding to and recovering from attacks affecting manufacturing environments in the United States [AMER]. The publication reinforces the need for investigators to preserve industrial logs, engineering workstation data and operational recovery evidence before restoration activities alter the forensic timeline. (Source: NIST CSRC, 21-05-2026)
NIST’s Software and Supply Chain Assurance Forum convened in Virginia with a focus on software assurance, dependency risk and supply-chain governance involving government and industry stakeholders [AMER]. The event highlights growing expectations that organisations maintain verifiable records for dependency provenance, build integrity and third-party access during cyber investigations and legal review. (Source: NIST CSRC, 20-05-2026)
Editorial Perspective
Recent investigations show that digital evidence increasingly spans SaaS platforms, telecom infrastructure, criminal forums and software-development ecosystems rather than isolated endpoints. Investigators are now expected to correlate cloud audit trails, identity events, repository activity and external intelligence without weakening evidential integrity or retention continuity. The growth of multi-platform breaches also means organisations must preserve evidence rapidly, before automated remediation or retention limits remove operational context. Investigative readiness therefore depends on pre-defined collection workflows that include third-party providers and cloud service operators.
Cross-border enforcement activity against criminal VPN services and botnet operators demonstrates how infrastructure seizures can unlock attribution pathways that were previously fragmented across unrelated cases. Investigative teams increasingly rely on payment tracing, hosting records, administrator artefacts and seized communications to connect intrusion activity with identifiable operators. The current reporting cycle also shows heightened attention on supply-chain evidence, particularly where repositories, dependencies and developer tooling may become compromise vectors. Organisations that cannot correlate endpoint, cloud and network evidence efficiently will struggle to validate intrusion scope and to support regulatory disclosure obligations.
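The correlation-with-integrity point made in both editorial paragraphs, as an added worked example that is not from any of the investigations reported above. The three input formats (a JSON-lines cloud audit log, a CSV identity-provider export and a space-separated code-hosting event log), the principal names, IP addresses and timestamps are all constructed for the example, and the 10-minute correlation window is an assumption.

```python
"""Normalise evidence from several sources into one timeline, find windows where
one principal appears in two or more sources, and hash every original record so
the correlated set can be tied back to the preserved originals.

Added example; formats below are constructed, not a real product's schema.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    principal: str
    action: str
    raw: str        # the original line, kept unchanged for hashing


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_cloud(text):                      # JSON lines: {"ts", "actor", "action"}
    out = []
    for line in text.splitlines():
        if line.strip():
            d = json.loads(line)
            out.append(Event(_ts(d["ts"]), "cloud", d["actor"].lower(), d["action"], line))
    return out


def parse_idp(text):                        # CSV with header ts,user,event,src_ip
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(",")
    out = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        out.append(Event(_ts(row["ts"]), "idp", row["user"].lower(),
                         f'{row["event"]} from {row["src_ip"]}', line))
    return out


def parse_repo(text):                       # "ts user action target"
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, target = line.split(" ", 3)
            out.append(Event(_ts(ts), "repo", user.lower(), f"{action} {target}", line))
    return out


def sha256(s):
    return hashlib.sha256(s.encode()).hexdigest()


def evidence_manifest(events):
    """Per-record SHA-256 plus one digest over the sorted hashes (order-independent)."""
    hashes = sorted(sha256(e.raw) for e in events)
    return {"records": hashes, "digest": sha256("\n".join(hashes))}


def correlate(events, window_s=600):
    """Group each principal's events into runs with gaps <= window_s and keep only
    runs that span at least two evidence sources."""
    by_principal = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_principal.setdefault(e.principal, []).append(e)
    clusters = []
    for evs in by_principal.values():
        current = [evs[0]]
        for e in evs[1:]:
            if (e.ts - current[-1].ts).total_seconds() <= window_s:
                current.append(e)
            else:
                clusters.append(current)
                current = [e]
        clusters.append(current)
    return [c for c in clusters if len({e.source for e in c}) >= 2]


# Constructed sample records (not from any real environment).
CLOUD_LOG = """{"ts": "2026-05-18T02:14:07Z", "actor": "svc-sync", "action": "ListObjects bucket=franchise-docs"}
{"ts": "2026-05-18T02:15:31Z", "actor": "svc-sync", "action": "GetObject key=store-roster.xlsx"}
{"ts": "2026-05-18T12:00:02Z", "actor": "alice", "action": "GetObject key=report.pdf"}
"""
IDP_LOG = """ts,user,event,src_ip
2026-05-18T02:11:55Z,svc-sync,token_issued,198.51.100.23
2026-05-18T08:58:40Z,alice,login_success,203.0.113.5
"""
REPO_LOG = """2026-05-18T02:13:20Z svc-sync token_created repo=internal/sync-tools
2026-05-18T12:30:15Z alice push repo=internal/reports
"""


def load_all():
    return parse_cloud(CLOUD_LOG) + parse_idp(IDP_LOG) + parse_repo(REPO_LOG)


if __name__ == "__main__":
    events = load_all()
    for cluster in correlate(events):
        print(f"--- {cluster[0].principal}: {len(cluster)} events across "
              f"{sorted({e.source for e in cluster})}")
        for e in cluster:
            print(f"  {e.ts.isoformat()} [{e.source}] {e.action}")
    print("manifest digest:", evidence_manifest(events)["digest"])
```

The manifest is computed over the untouched original lines, not the normalised events, so an analyst can later prove that the correlated timeline was derived from exactly the records that were preserved; the per-record hashes let a single altered or missing line be identified rather than just detected.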
Reference Reading
Tags
ShinyHunters, BreachForums, Red Lamassu, Showboat Malware, Microsoft Defender, CVE-2026-46333, Telecom Espionage, Supply Chain Security, Digital Investigations, Ransomware Infrastructure, Botnet Enforcement, Evidence Correlation