May 2026 Cyber Threat Brief: Identity, Supply Chains, and the Growing Speed of Risk
The cybersecurity landscape continued evolving rapidly throughout May, with several developments reinforcing a trend that has been building for years. Attackers are increasingly targeting trust itself.
Rather than relying solely on malware or credential theft, threat actors are focusing on authentication systems, software supply chains, trusted platforms, and the relationships organizations depend on every day. At the same time, advances in AI and automation continue to shorten the time between vulnerability discovery and exploitation, creating additional pressure on security teams.
Here are the key themes that emerged during May.
Identity Is Becoming the Primary Attack Surface
The FBI issued warnings regarding Kali365, a phishing-as-a-service platform designed to target Microsoft 365 environments through token theft and device-code authentication abuse.
These attacks reflect a broader shift away from traditional password theft. Instead, attackers are increasingly targeting:
- Authenticated sessions
- Access tokens
- Delegated permissions
- Trusted authentication workflows
When successful, these techniques can allow attackers to bypass traditional MFA protections without ever obtaining a user's password.
As organizations continue moving critical business processes into cloud environments, identity has become one of the most important control points for both defenders and attackers.
Supply Chain Risk Continues to Grow
Microsoft researchers identified malicious typosquatted npm packages designed to steal cloud credentials, CI/CD secrets, and developer tokens.
The campaign serves as another reminder that software supply chain attacks remain an attractive path for threat actors seeking scalable access. A single compromised package can expose development environments, deployment pipelines, and downstream systems.
Organizations must evaluate not only their own security controls but also the integrity of the tools, repositories, and dependencies that support daily operations.
Trusted Platforms Are Being Used Against Us
Researchers identified malware campaigns leveraging Steam Community profiles as command-and-control infrastructure.
While the specific platform is noteworthy, the larger trend is even more important. Threat actors increasingly abuse trusted services and legitimate platforms to:
- Conceal malicious activity
- Blend into normal network traffic
- Reduce the likelihood of detection
- Exploit existing trust relationships
This makes detection more challenging and reinforces the need for organizations to monitor behavior and communications rather than relying solely on reputation-based controls.
AI Is Accelerating Attack Timelines
Google Threat Intelligence reporting indicates attackers are increasingly leveraging AI to support vulnerability discovery, exploit development, and operational decision-making.
While AI is creating opportunities for defenders, it is also helping attackers operate faster. The result is a continued reduction in the time organizations have available to assess vulnerabilities, prioritize remediation efforts, and respond to emerging threats.
As attack timelines shrink, continuous monitoring and rapid decision-making become increasingly important.
Resilience Matters More Than Ever
One of the most important themes emerging across cybersecurity today is the growing emphasis on resilience.
Organizations continue facing increasing volumes of vulnerabilities, alerts, and threat activity. The reality is that no organization can eliminate every risk or patch every vulnerability immediately. Success increasingly depends on understanding which exposures create meaningful operational risk and reducing those exposures first.
Modern cybersecurity programs are increasingly measured by their ability to:
- Detect threats quickly
- Maintain critical operations
- Recover efficiently from incidents
- Reduce long-term business impact
Recovery planning, operational visibility, and coordinated response capabilities are becoming essential components of cyber maturity.
Looking Ahead
The developments observed throughout May reinforce several important realities for organizations.
Identity has become the new perimeter. Software supply chain attacks continue expanding. AI is increasing operational speed for both defenders and attackers. Exposure reduction is becoming more important than vulnerability volume, and resilience is emerging as a core business requirement.
Organizations that focus on visibility, context, prioritization, and operational resilience will be better positioned to navigate an increasingly complex threat landscape.
