Supply Chain Hacks, Grafana Breach: May 2026 Roundup

Synthesized from 5 sources

A wave of cyberattacks in May 2026 hit open source software supply chains, a data visualization platform, a California lender, and ransomware infrastructure simultaneously — underscoring how quickly threat actors are moving across sectors. From 630 malicious package versions pushed in 20 minutes to a ransomware attack exposing 123,000 Social Security numbers, the month’s incidents span credential theft, extortion, and nation-adjacent cybercrime alliances.

Open Source Supply Chain Attack Hits 317 Packages

On May 19, hackers compromised a single developer account and used it to push 630 malicious package versions across 317 open source packages in roughly 20 minutes, according to SafeDep’s warning published Tuesday. The campaign, dubbed “Mini Shai-Hulud” by researchers, targets credentials stored in password managers and other services to enable further malware propagation downstream.

Among the compromised packages was Antv, a widely used visualization library maintained by Alibaba. JFrog Security reported that in some cases the attackers published malicious updates directly to GitHub, making detection harder for developers relying on automated dependency pulls.

The Mini Shai-Hulud campaign follows a broader pattern of escalating supply chain intrusions. According to TechCrunch, a prior wave within the same campaign compromised computers belonging to two OpenAI employees after attackers breached the open source library TanStack. OpenAI was one of multiple victims in that earlier wave. Cybersecurity firms StepSecurity and SafeDep jointly issued the May 19 advisory covering the latest escalation.

Grafana Confirms GitHub Token Breach, Rejects Ransom

Grafana confirmed a data breach on Sunday, May 18, two days after the cybercrime group Coinbase Cartel listed the company on its leak site. The breach was possible because of a compromised token that granted access to the Grafana Labs GitHub environment, allowing attackers to download the company’s codebase, according to SecurityWeek.

Grafana said no personal or customer data was stolen and that customer systems were not affected. The company confirmed it received a ransom demand to prevent source code publication but declined to pay. Grafana stated on X that compromised credentials have been reset and a forensic investigation is ongoing.

Coinbase Cartel, active since September 2025, does not deploy file-encrypting ransomware. Instead, the group extorts victims by threatening to publish stolen data — a model sometimes called “data extortion” or “hack-and-leak.” SecurityWeek reported the gang currently lists 105 victims on its site and has been linked by cybersecurity researchers to ShinyHunters, Scattered Spider, and Lapsus$, whose members have reportedly been collaborating since at least mid-2025. Prior targets attributed to the alliance include Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic.

American Lending Center Ransomware Attack Exposes 123,000 SSNs

American Lending Center (ALC), a California-based non-bank lender managing a $3 billion small business loan portfolio, disclosed this week that a ransomware attack detected in July 2025 affected more than 123,000 individuals. The breach notification, submitted to the Maine attorney general’s office and reported by SecurityWeek, states that names, dates of birth, and Social Security numbers may have been stolen.

“Through a forensic investigation into this breach, it was discovered that the threat actor compromised internal network, executed a ransomware attack, and accessed certain files that may have contained personal identifying or sensitive information,” ALC said in its notification.

The forensic investigation concluded on April 8, 2026 — nearly nine months after the attack was first detected. ALC said it has found no evidence the data has been misused. No known ransomware group has publicly claimed responsibility, which SecurityWeek noted may indicate either a ransom was paid or the attacker lacks a public leak site.

Law Enforcement Dismantles First VPN, Used by 25 Ransomware Gangs

An international law enforcement coalition announced Thursday it shut down First VPN, a service the FBI said was used by at least 25 ransomware gangs to conceal their activity. Europol confirmed the takedown and the arrest of the service’s administrator, according to TechCrunch.

First VPN operated servers across 27 countries and marketed itself explicitly to criminal actors on Russian-speaking cybercrime forums, offering anonymous payments, hidden infrastructure, and a no-logs policy. “We are for anonymity. We do not store any logs that would allow us or third parties to link an IP address in a specific period of time with a user of our service,” the service stated in a forum post reviewed by TechCrunch.

Europol said investigators obtained the service’s full user database and identified VPN connections, effectively de-anonymizing thousands of users. Affected users were notified that “they have been identified.” Europol described First VPN as having been “deeply embedded in the cybercrime ecosystem, appearing in almost every major cybercrime investigation supported by Europol in recent years.”

What This Means

May 2026’s incident cluster reveals three compounding pressures on defenders. First, supply chain attacks are accelerating in velocity — 630 malicious releases in 20 minutes represents a pace that manual review processes cannot match, and the compromise of OpenAI employee machines via a transitive dependency shows the blast radius extends well beyond the immediate victim. Second, the Coinbase Cartel’s data-extortion model — steal, threaten, publish — is proving durable without ransomware’s operational complexity, and its alleged links to ShinyHunters and Scattered Spider suggest a maturing criminal alliance with shared tooling and targeting lists. Third, the First VPN takedown is a meaningful disruption, but law enforcement has repeatedly dismantled criminal infrastructure only to see successor services emerge within months; the more significant outcome may be the de-anonymization of thousands of users, which could generate prosecutions over the next 12–18 months.

For organizations running open source dependencies, the Mini Shai-Hulud campaign reinforces the case for software composition analysis tools that flag newly published versions before they reach production builds. For companies handling sensitive financial data — as ALC’s nine-month gap between detection and full disclosure illustrates — incident response timelines remain a systemic liability.
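One concrete form of the "flag newly published versions before they reach production builds" control is a release-age check run against the lockfile in CI: every resolved version is compared with its registry publish timestamp, and anything younger than a cooldown window (or with no publish record at all) holds the build for review. The script below is an added example written for this article; it is not code from any of the vendors or tools named above. The lockfile and the registry metadata are constructed sample data embedded inline, the package names and timestamps are invented, and the metadata shape (a `time` map of version to ISO-8601 timestamp) is assumed to follow the public npm packument format; a real deployment would fetch that metadata from the registry instead.

```python
"""Hold a build when a locked dependency version is younger than a cooldown window.

Added example for the May 2026 roundup; not the article's or any vendor's code.
Constructed inputs: a package-lock.json (v3 shape) and per-package publish
timestamps in the assumed npm packument ``time`` format (version -> ISO-8601).
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json for a hypothetical app (names are invented).
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/left-widget": {"version": "2.4.1"},
    "node_modules/chart-helper": {"version": "0.9.3"},
    "node_modules/chart-helper/node_modules/tiny-util": {"version": "1.1.0"}
  }
}
""")

# Constructed registry metadata keyed by package name, mimicking the ``time``
# field of an npm packument. Assumed source in practice: GET /<name> on the
# registry; no network call is made here.
REGISTRY_TIME = {
    "left-widget": {"2.4.0": "2026-03-02T10:00:00.000Z",
                    "2.4.1": "2026-05-19T14:07:00.000Z"},
    "chart-helper": {"0.9.3": "2025-11-20T08:30:00.000Z"},
    "tiny-util": {"1.0.0": "2026-01-05T00:00:00.000Z",
                  "1.1.0": "2026-05-19T14:12:00.000Z"},
}


def lockfile_dependencies(lock):
    """Yield (name, version) for every resolved package in a v3 lockfile."""
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root project itself, not a dependency
        # Take the segment after the last node_modules/ so nested installs
        # (and @scope/name paths) resolve to the bare package name.
        name = path.rsplit("node_modules/", 1)[1]
        yield name, entry["version"]


def parse_iso(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def flag_fresh_versions(lock, registry_time, build_time, min_age=timedelta(days=7)):
    """Return (name, version, reason) for every locked version that is younger
    than ``min_age`` at ``build_time`` or has no publish record at all; both
    cases are grounds to hold the build for human review."""
    flagged = []
    for name, version in lockfile_dependencies(lock):
        published = registry_time.get(name, {}).get(version)
        if published is None:
            flagged.append((name, version, "no publish timestamp in registry"))
            continue
        age = build_time - parse_iso(published)
        if age < min_age:
            flagged.append((name, version, f"published {age} before build"))
    return flagged


def flagged_names(build_iso, registry_time=REGISTRY_TIME, min_age_days=7):
    """Convenience wrapper: names of held packages for a build at ``build_iso``."""
    build_time = parse_iso(build_iso)
    return [name for name, _, _ in
            flag_fresh_versions(LOCKFILE, registry_time, build_time,
                                timedelta(days=min_age_days))]


if __name__ == "__main__":
    # Constructed build time: the morning after the sample packages were pushed.
    now = datetime(2026, 5, 20, 9, 0, tzinfo=timezone.utc)
    for name, version, reason in flag_fresh_versions(LOCKFILE, REGISTRY_TIME, now):
        print(f"HOLD {name}@{version}: {reason}")
```

Run against the constructed data with a build time of 2026-05-20, the two packages published the previous afternoon are held while the six-month-old one passes. The cooldown window is a policy knob: a week is long enough for a registry or a scanner to pull a malicious release, short enough not to block routine patching, and the "no publish timestamp" branch matters because a version the registry has never seen is exactly what a tampered mirror or a direct-to-repository push would produce.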

FAQ

What is a supply chain attack in software?

A software supply chain attack occurs when hackers compromise a developer, tool, or repository that other software depends on, allowing malicious code to reach end users automatically through normal update mechanisms. The Mini Shai-Hulud campaign exploited this by taking over a single npm-style developer account to push malicious versions of 317 packages simultaneously.

Did the Grafana breach expose customer data?

Grafana said no personal or customer information was stolen in the breach confirmed on May 18, 2026. Attackers accessed the company’s source code repository via a compromised GitHub token but did not reach customer systems or operational data, according to Grafana’s own disclosure.

What was First VPN and why was it shut down?

First VPN was a commercial VPN service that explicitly marketed itself to cybercriminals, offering anonymous payments and a no-logs policy. The FBI identified it as infrastructure used by at least 25 ransomware gangs; an international law enforcement operation shut it down in May 2026 and arrested its administrator.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.