Over 500 Organizations Hit in Years-Long Phishing Campaign
SOCRadar reported that Operation HookedWing has stolen more than 2,000 credentials from more than 500 organizations across aviation, critical infrastructure, energy, logistics, government, financial services, and technology. The campaign has used GitHub domains, compromised servers, Microsoft- and Outlook-themed lures, and personalized landing pages to make its credential-theft pages look legitimate. This matters because the targeting isn’t random: the campaign appears focused on organizations with sensitive operations or high-value credentials that can be reused, sold, or passed to other threat actors.
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Researchers disclosed CVE-2026-7482, a critical Ollama vulnerability that could let a remote unauthenticated attacker leak process memory from affected servers. The flaw impacts Ollama deployments that allow attacker-supplied GGUF model files through the API, and researchers estimate more than 300,000 servers may be exposed globally. This is useful for security teams because local AI infrastructure is becoming part of the enterprise attack surface, and exposed model-serving systems may hold prompts, credentials, tokens, or other sensitive runtime data.
JDownloader site hacked to replace installers with Python RAT malware
The official JDownloader website was compromised between May 6 and May 7 to redirect some Windows and Linux downloads to malicious installers. The Windows payload reportedly deployed a Python-based remote access trojan, turning a trusted software download path into an initial access mechanism. The practical takeaway is that defenders shouldn’t assume official download sites are safe by default. Teams should validate installer hashes where possible, monitor for unexpected RAT behavior after software installation, and review downloads made during the affected window.
Polish intelligence warns hackers attacked water treatment control systems
Poland’s domestic intelligence service said attackers breached water treatment facilities in five towns in 2025 and, in some cases, accessed industrial control systems that could have affected water supply operations. The agency didn’t publicly attribute the incidents, but it warned that hostile cyber activity against Poland has intensified, pointing in particular to Russian services and to activity that could support sabotage. This matters for critical infrastructure teams because it shows continued interest in moving beyond espionage and disruptive messaging toward access that could affect physical operations.
CISA urges critical infrastructure firms to ‘fortify’ before it’s too late
CISA released CI Fortify guidance to help critical infrastructure operators plan for isolation and recovery during a major cyberattack or serious disruption. The guidance focuses on keeping vital services running in a degraded state, identifying key dependencies, documenting manual recovery options, and practicing restoration if systems are compromised. This is practical for energy, water, transportation, and other infrastructure operators because it shifts planning from prevention alone to operating through compromise.
The post InfoSec News Nuggets 05/11/2026 appeared first on AboutDFIR – The Definitive Compendium Project.