A week in security (May 11 – May 17)

Attackers have been actively replacing JDownloader installer downloads with malware, highlighting the ongoing threat of software supply chain attacks. Meanwhile, Meta's new approach to chat privacy has been criticized for being confusing, potentially putting user data at risk. Elsewhere, a deepfake sextortion campaign has forced schools to remove student photos from their websites, demonstrating the severe consequences of such attacks. The May 2026 Patch Tuesday saw numerous fixes, although no zero-days were reported, emphasizing the importance of regular patching. Notably, a survey revealed that 1 in 8 employees have sold company logins or know someone who has, underscoring the need for robust internal security measures¹. As zero-day activity continues to target major platforms like Meta, the window for patching vulnerabilities is rapidly shrinking. This matters to security practitioners because it underscores the urgent need to assess their organization's exposure to such threats and take immediate action to mitigate them.