Infosec bits for 2026 week 19
Heloise Meyer | May 8, 2026, 12:50 p.m.
Cybersecurity News:
US government, allies publish guidance on how to safely deploy AI agents [Greg Otto, Cyberscoop]
AI Adoption Outpaces Safety Policies, Leaving Organizations Exposed to Cyber Risk [Danny Palmer, Infosecurity Magazine]
60% of MD5 password hashes are crackable in under an hour [Brandon Vigliarolo, The Register]
Why data centers now belong on the critical infrastructure list [Grant Geyer, Cyberscoop]
Vulnerabilities & Patches:
Critical MOVEit Automation auth bypass vulnerability fixed (CVE-2026-4670) [Zeljka Zorz, HelpNetSecurity]
My Agentic Trust Issues: From Prompt Injection to Supply-Chain Compromise on gemini-cli [Dan Lisichkin, Pillar]
Chrome 148 Rolls Out With 127 Security Fixes [Ionut Arghire, SecurityWeek]
Cisco patches high-severity flaws enabling SSRF, code execution attacks [Pierluigi Paganini, SecurityAffairs]
Critical vm2 sandbox bug lets attackers execute code on hosts [Bill Toulas, BleepingComputer]
Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution [Ravie Lakshmanan, The Hacker News]
New Cisco DoS flaw requires manual reboot to revive devices [Sergiu Gatlan, BleepingComputer]
Cyberattacks:
Critical cPanel and WHM bug exploited as a zero-day, PoC now available [Bill Toulas, BleepingComputer]
Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw [Acronis, Acronis]
AI Coding Agents Could Fuel Next Supply Chain Crisis [Kevin Townsend, SecurityWeek]
Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk [Elizabeth Montalbano, DarkReading]
ClickFix campaign uses fake macOS utilities lures to deliver infostealers [Microsoft, Microsoft]