Linus Torvalds talks AI bug hunters, 7-Eleven ransom demand, MENA's new cybercrime op

Added: 2026-05-19

[00:00:00]From the CISO series, it's cybersecurity headlines.

[00:00:06]These are the cybersecurity headlines for Tuesday, May 19th, [music] 2026. I'm Sarah Lane.

[00:00:14]Linus Torvalds not into AI bug hunters.

[00:00:18]Linus Torvalds says AI-powered bug hunting tools are overwhelming the Linux kernel security mailing list with duplicate reports, making it almost entirely unmanageable. He says multiple researchers are using the same AI tools to uncover the same vulnerabilities, forcing maintainers to spend time redirecting reports or explaining the bugs were already fixed. Torvalds said AI-generated findings are useful only when paired with meaningful contributions, like patches and technical analysis, criticizing drive-by reports that add little value beyond what automated tools already surface.

[00:00:59]7-Eleven hit with ransom demands.

[00:01:02]7-Eleven confirmed a data breach after the ShinyHunters Group claimed it stole more than 600,000 Salesforce records containing personal and corporate data.

[00:01:13]The company said attackers accessed systems used to store application documents, though it hasn't disclosed the total number of affected individuals. ShinyHunters allegedly tried to extort the company before offering the stolen data for $250,000.

[00:01:30]ShinyHunters has increasingly targeted Salesforce environments through phishing attacks, third-party integrations, and configuration weaknesses, rather than flaws in Salesforce itself.

[00:01:42]MENA runs first-of-its-kind cybercrime op. Interpol said countries across the Middle East and North Africa, known as MENA, m e n a, carried out the region's first large-scale coordinated cybercrime crackdown, dubbed Operation RAMZ, R A M Z, between October of 2025 and February of 2026. The operation involved 13 countries targeting phishing campaigns, malware infrastructure, and online scams, resulting in 201 arrests, the identification of 3,867 victims, and the seizure of 53 servers.

[00:02:25]Authorities also shared nearly 8,000 intelligence records during the operation.

[00:02:31]TanStack weighs invitation-only pull requests. TanStack is considering making pull requests invitation-only after that supply chain attack from last week tied to the Shai Hulud worm compromised its GitHub Actions workflows. Attackers exploited a feature to run malicious code through automated CI pipelines, poisoning a shared cache across the repository. TanStack has removed the vulnerable workflow pattern, disabled shared caches, strengthened dependency and authentication protections, and adopted new safeguards in the Node.js package manager, pnpm.

[00:03:12]>> [music] >> Huge thanks to our sponsor, >> [music] >> ThreatLocker. ThreatLocker is extending zero trust beyond endpoint control. With the recent release of zero trust network access and [music] zero trust cloud access, access isn't based on credentials alone. It requires [music] the right user, the right device, and the right conditions. Because, as we've seen in recent large-scale CRM breaches, stolen credentials >> [music] >> and misconfigurations can expose massive amounts of data. With [music] ThreatLocker, nothing is exposed and access is limited to exactly [music] what's needed. Learn more and start your free trial today at [music] threadlocker.com/c-sound.

[00:04:01]New info stealer campaign gets bigger.

[00:04:04]Researchers at OX Security say copies of that leaked Shy Halud malware are being used in various malicious NPM packages targeting developers. Noting four typo squatted or fake packages that stole credentials, cloud configuration files, crypto wallet data, and other sensitive information. With one package also adding infected systems to a DDoS botnets. The malware appears to be a largely unmodified copy of Shy Halud's leaked source code, which was previously linked to the Team PCP hacking group and recent supply chain attacks against node.js ecosystems. The infected packages were downloaded more than 2600 times and developers are urged to remove them and rotate compromised credentials and API keys.

[00:04:55]US healthcare breaches continue. Several major healthcare data breaches affecting potentially millions of people were recently added to the US Department of Health and Human Services Breach Tracker. New York City Health and Hospitals Corporation reported the largest confirmed incidents with attackers accessing systems through a third-party vendor between late 2025 and early 2026 exposing sensitive personal, medical, insurance, biometric, and financial data tied to 1.8 million people. Other breaches include those at Erie Family Health Centers affecting 570,000 individuals and Florida Physician Specialists affecting 276,000.

[00:05:42]Nginx Rift attackers target exposed servers. Researchers at Vulkan Check say attackers are already probing and exploiting the newly disclosed Nginx Rift vulnerability just days after patches and proof of concept code were released. The now 18-year-old flaw in Nginx was originally disclosed by researchers at Depth First and can let specially crafted HTTP requests crash worker processes and potentially enable remote code execution in rare cases where Linux memory protections like ASLR are disabled. Vulkan Check researcher Patrick Garrity said exploitation attempts were already hitting the company's canary systems. Security researcher Kevin Beaumont noted that modern Linux defaults make widespread real-world remote code execution attacks unlikely.

[00:06:37]AI won't stop the slop. GitHub product security engineer Jerome Brown warns that many submissions lack reproducible proof-of-concept exploits or duplicate known issues requiring stricter validation standards. Cloudflare chief security officer Grant Borzikas says AI tools are worsening triage overload by producing large volumes of plausible but unverified findings that drain security team's time. Cloudflare testing of Anthropic's Methos showed some improvement in generating exploit chains and proof-of-concepts, but security researcher Daniel Stenberg, lead developer of curl, that's cURL, says most findings were false positives or low impact and argued the model's gains over earlier tools are modest despite the hype.

[00:07:30]Remember to join us this Friday at 4:00 p.m. Eastern for our Department of No livestream. This week we're joined by Mike Lockhart, CISO at Eagle View, and Kathleen Mullen, the former CISO at MyKargerithm will be digging into how the news of the week applies to your security teams. What stories are more noise than signal and having some fun with our live chats. Be sure you're subscribed to the CISO series on YouTube and catch the stream at 4:00 p.m.

[00:08:00]Eastern time this Friday. If you have some thoughts on the news from today or about our show in general, be sure to reach out feedback at CISOseries.com.

[00:08:11]We'd love to hear from you. I am Sarah Lane reporting for the CISO series.

[00:08:15]Thank you for listening and we will talk to you tomorrow.

[00:08:21]Cybersecurity headlines are available every weekday. Head to CISOseries.com [music] for the full stories behind the headlines.