On May 11, 2026, an attacker chained three GitHub Actions vulnerabilities to publish 84 malicious versions across 42 @tanstack/* npm packages. Developers who installed affected versions must immediately rotate all credentials.
Cybersecurity Threats May 2026: Dirtyfrag, Bleeding Llama, and ShinyHunters
Current state
May 2026 brought a wave of security incidents: Grok was tricked via Morse code prompt injection into sending $200K in crypto, Ollama was found to have an unauthenticated memory leak dubbed "Bleeding Llama", ShinyHunters re-breached Canvas LMS and threatened 9,000 schools, and Dirtyfrag, a universal Linux local privilege escalation with no patch, was disclosed.
What changed recently
- TanStack npm Supply Chain Attack: 84 Malicious Versions Published in 6 Minutes
- Dirtyfrag: A Universal Linux Local Privilege Escalation, No Patch Yet
- ShinyHunters Breaches Canvas LMS Again, Threatens 9,000 Schools Data Leak
Timeline
A new Linux kernel vulnerability called Dirtyfrag was publicly disclosed without patches or CVEs, allowing unprivileged users to gain root on all major distributions via chained kernel flaws.
ShinyHunters claims a second breach of Instructure Canvas LMS, allegedly stealing data on 231 million people across 9,000 schools and threatening to publish it by May 12.
Security firm Cyera has disclosed "Bleeding Llama," a critical unauthenticated memory leak vulnerability in Ollama that could expose conversation data, API keys, and other sensitive information to remote attackers.
A Twitter user exploited indirect prompt injection using Morse code to trick Grok AI into executing a command that transferred 3 billion DRB tokens worth roughly $200,000 to the attacker's wallet via a connected trading bot.