Daily OT Security News: May 30, 2026

As the operational technology (OT), industrial control systems (ICS), and Internet of Things (IoT) landscapes continue to evolve rapidly, so do the cyber threats targeting these critical environments. Recent developments underscore the increasing sophistication and scale of attacks, as well as the growing importance of proactive security measures to protect vital infrastructure and connected devices.

OT Ransomware Surge: Industrial Sector Targeted in 29.6% of All Attacks

New analysis from NCC Group reveals that industrial organizations were the most targeted sector every single month over the 12-month period ending March 2026, accounting for 29.6% of all global ransomware activity on average. Capital goods manufacturers — including machinery and equipment makers — bore the brunt, representing more than half of attacks. The firm’s OT Director Ray Robinson warned that “when OT systems are disrupted, the impact goes far beyond data loss — lives can be put at risk.” Regulatory pressure is also mounting, with NIS Regulations and the Cybersecurity Act increasingly requiring proportionate OT governance, incident reporting, and supply-chain security measures. Organizations that focus compliance solely on IT risk are exposing themselves to operational, regulatory, and safety consequences.

Source: MBT Magazine / NCC Group

Dutch Police Disrupt 17-Million-Device IoT Botnet Linked to Residential Proxy Abuse

Dutch National Police and the NCSC Netherlands dismantled a massive global botnet on May 28, 2026, seizing 200 command-and-control servers hosted in the Netherlands. The botnet comprised at least 17 million infected devices — including consumer routers, smartphones, tablets, and IoT security cameras — reportedly linked to the Asocks residential proxy service. The infrastructure was used for DDoS attacks, phishing, credential stuffing, spam, and malware distribution. The NCSC separately published guidance warning that residential proxies are increasingly weaponized in digital attacks, as traffic routed through compromised home devices appears legitimate to reputation-based defenses. Security teams are urged to treat unmanaged edge and IoT devices as part of the attack surface and to implement behavioral detection beyond IP reputation alone.

Source: NeuraCyb Intelligence

Claroty Launches Claire: Industry’s First CPS-Native AI Security Agent

Claroty has introduced Claire, an AI-powered security agent purpose-built for cyber-physical systems (CPS) environments, trained on over a decade of OT, healthcare, and industrial security data from more than 6,500 OEMs and medical device manufacturers across 20,000 sites worldwide. Claire leverages threat intelligence from Claroty’s Team82 research group to help organizations prioritize remediation, strengthen operational resilience, automate compliance activities, and improve asset visibility across industrial, healthcare, and critical infrastructure environments. The launch follows Claroty’s $150 million Series F funding round in January and its recent partnership with Corsha for zero-trust OT security in federal environments. CEO Yaniv Vardi stated the tool is designed to “empower human operators to make decisions with confidence, based on tailored insights and agentic actions you can trust.”

Source: ExecutiveBiz / Claroty

CISA Warns of ‘Megalodon’ Supply Chain Attack Targeting 5,500+ Open-Source Repositories

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory warning that attackers have targeted software development pipelines in recent weeks, citing two active campaigns. The “Megalodon” supply chain attack on May 18 injected malicious GitHub Action workflows into more than 5,500 open-source repositories with weak branch protection, resulting in large-scale theft of cloud credentials, API tokens, and SSH keys. A second campaign compromised a GitHub employee’s device via a poisoned Nx Console VS Code extension (CVE-2026-48027), which was available in the Visual Studio Marketplace for approximately 18 minutes. CISA is urging security teams to audit workflow files, monitor for suspicious pull requests, revert unauthorized changes, and rotate any secrets associated with potentially compromised CI/CD pipelines dating back to May 18.

Source: Cybersecurity Dive / CISA

Ubiquiti UniFi OS Patches Three Maximum-Severity (CVSS 10.0) Vulnerabilities

Ubiquiti has released a critical security advisory addressing five vulnerabilities in UniFi OS, three of which carry the maximum CVSS score of 10.0. The flaws — CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (command injection) — are all exploitable by any attacker with network access, requiring no authentication. A fourth flaw (CVE-2026-33000, CVSS 9.1) allows command injection with high privileges. All vulnerabilities were reported through HackerOne’s bug bounty program. SANS Institute experts warn that no workarounds exist; the only mitigation is updating to the latest fixed software versions. Organizations running UniFi OS across campus networks, branch offices, and industrial environments should apply patches immediately and ensure UniFi management consoles are not exposed to the internet.

Source: SANS NewsBites / Ubiquiti

As threats continue to evolve and target critical OT, ICS, and IoT environments, it is essential for organizations to stay vigilant, prioritize timely patching, and adopt comprehensive security strategies that address both IT and operational technology risks. Staying informed and proactive remains the best defense against emerging cyber threats.