Check Point Weekly Roundup: Lapsus$ Leaks Vodafone Source Code, THORChain Breach, and Critical Patches for NGINX, Cisco, and Apple
Check Point's weekly threat intelligence report covers multiple incidents including a Lapsus$ source code leak at Vodafone, a $10.7 million THORChain vault breach, ransomware attacks on West Pharmaceutical and Foxconn, and critical patches for NGINX, Cisco, and Apple zero-days.
Check Point Research has released its weekly threat intelligence bulletin for May 18, 2026, detailing a wide range of active attacks, vulnerabilities, and emerging threats. The post 18th May – Threat Intelligence Report appeared first on Check Point Research.
The report highlights a source code leak at Vodafone claimed by the Lapsus$ extortion group. Vodafone confirmed limited access to GitHub files through compromised third-party development software, but stated that customer data and core network infrastructure were not affected. In the cryptocurrency space, THORChain suffered a security breach that led to the theft of approximately $10.7 million after one of its six vaults was compromised. Trading was halted, and the company said losses were limited to protocol-owned assets across several blockchains.
Two major ransomware attacks were also detailed. West Pharmaceutical Services, a global manufacturer of drug delivery components, experienced a ransomware attack that disrupted shipping, manufacturing, and shared service functions. The company disclosed that some systems were encrypted and data was stolen, but no ransomware group has publicly claimed responsibility. Foxconn confirmed it was hit by a cyberattack on its North American operations after the Nitrogen ransomware group claimed to have stolen 8TB of data. The company confirmed disruption at some factories and said affected facilities were resuming normal production.
On the vulnerability front, researchers disclosed 'Claw Chain', four vulnerabilities in OpenClaw, an autonomous AI agent platform, that allow attackers to bypass sandbox controls, expose restricted files, leak secrets, and gain owner-level access. The flaws include the critical CVE-2026-44112, rated CVSS 9.6. Additionally, two Windows zero-day vulnerabilities, YellowKey and GreenPlasma, affect Windows 11 and recent Windows Server versions. YellowKey allows BitLocker bypass through Windows Recovery Environment with physical access, while GreenPlasma abuses the CTFMON framework to escalate privileges to SYSTEM. Proof-of-concept code is public, and the vulnerabilities are still unpatched.
F5 has fixed CVE-2026-42945, a critical memory flaw in the NGINX rewrite module affecting versions 0.6.27 through 1.30.0. The 18-year-old bug enables denial of service and, under specific configurations, possible remote code execution. Cisco addressed CVE-2026-20182, a critical authentication bypass in Catalyst SD-WAN controllers that is being actively exploited. The flaw allows remote, unauthenticated attackers to gain full administrative control of affected systems. CISA ordered federal agencies to patch vulnerable devices following Cisco's fixes. Apple released security updates for CVE-2026-28819, an out-of-bounds write flaw in the Wi-Fi component affecting iOS, iPadOS, and macOS that could allow an app to execute code with kernel privileges.
The report also includes analysis of an internal leak from The Gentlemen ransomware operation, exposing chats, infrastructure details, affiliate roles, and ransom negotiations. Check Point Research summarized Q1 2026 ransomware trends, recording 2,122 leak-site victims, the second-highest Q1 on record, with Qilin leading at 338 victims. The report also quantified a World Cup 2026-driven surge in cyber activity, with weekly attacks per organization rising in Mexico, Canada, and the United States, and one in 41 FIFA-themed domains found to be malicious.