Market & Momentum - 05/18/2026
This week opens with sharpened enterprise risk around Linux root escalation, Microsoft 365 device-code phishing, stolen developer tokens, healthcare data exposure, and manufacturing ransomware disruption.

Over the last 48 hours, the threat pattern is painfully clear: attackers are leaning into trust abuse.
They are not just exploiting servers. They are abusing Linux privilege boundaries, Microsoft 365 device-code flows, GitHub access tokens, healthcare vendors, and manufacturing recovery windows.
If it grants access, moves code, stores identity data, or keeps operations running, it belongs on this week's board.
| Threat Trend | Likelihood | Impact |
|---|---|---|
| Linux root escalation exploit (DirtyDecrypt) | 80% | High |
| Microsoft 365 device-code phishing (Tycoon2FA) | 90% | High |
| Developer token/codebase breach (Grafana GitHub) | 80% | Medium-High |
| Healthcare vendor/data exposure (NYC Health + Hospitals) | 70% | High |
| Manufacturing ransomware disruption (West Pharma/Foxconn) | 70% | High |
DirtyDecrypt Linux root escalation exploit released - BleepingComputer reported that a proof-of-concept exploit is now available for the newly named DirtyDecrypt Linux kernel flaw, allowing local attackers to gain root on some systems. Prioritize shared hosts, developer workstations, container nodes, and anything where "local user" can quickly become "full box."
Tycoon2FA adds Microsoft 365 device-code phishing - The Tycoon2FA phishing kit has evolved into OAuth device-code phishing, with renewed Microsoft 365 targeting. This matters because users authenticate on legitimate Microsoft pages while attackers receive usable access tokens.
Grafana Labs GitHub token breach exposes codebase - Grafana disclosed that attackers used a stolen GitHub access token to download its codebase, with TechCrunch reporting the company refused an extortion demand. Even when code is open source, stolen developer tokens still create risk around private repos, internal tooling, CI/CD trust, and future phishing leverage.
NYC Health + Hospitals breach hits 1.8M people - TechCrunch reported that NYC Health + Hospitals disclosed stolen medical data, identity documents, and biometric data after a third-party vendor breach. Healthcare leaders should treat vendor access, biometric storage, and delayed detection as board-level risk.
Manufacturing ransomware pressure keeps climbing - Homeland Security Today reported ransomware disruption at West Pharmaceutical and Foxconn, while Halcyon warned that Nitrogen ransomware is leaning into manufacturing targets. The operating risk is not just data theft. It is shipping, receiving, plant recovery, supplier confidence, and downstream customer exposure.
Tokens are the new skeleton keys: Grafana's incident reinforces that stolen access tokens can be more valuable than passwords because they often bypass the noisy parts of authentication.
MFA is not a finish line: Device-code phishing turns legitimate login workflows into attacker-controlled access paths. If your controls only ask "was MFA completed?" you may miss the whole trick.
Linux patching still matters after initial access: DirtyDecrypt is a reminder that "local only" bugs become high impact once attackers land through phishing, vulnerable apps, exposed dev boxes, or stolen credentials.
Healthcare vendors remain soft targets with hard consequences: A third-party path into sensitive medical, identity, and biometric data can create lifetime exposure for affected individuals.
Ransomware is operational warfare: Manufacturing victims do not just lose files. They lose production rhythm, logistics confidence, and customer trust.
DirtyDecrypt / Linux: Confirm kernel patch status on shared infrastructure, container hosts, developer workstations, and high-density Linux servers. Hunt for unusual privilege transitions, new root-owned services, and unexpected changes to kernel-adjacent modules.
Microsoft 365 phishing: Restrict or monitor device-code authentication, review OAuth consent grants, alert on anomalous token issuance, and train help desk teams to challenge "enter this code" social engineering.
Developer tokens: Rotate stale GitHub and CI/CD tokens, enforce short-lived credentials where possible, review token scopes, and audit recent source-code clone/download activity.
Healthcare data: Reassess third-party access to medical, identity, and biometric data. Require vendor detection timelines, logging coverage, and proof of segmentation around sensitive repositories.
Manufacturing resilience: Validate offline backups, plant-level restore plans, supplier communication trees, and manual shipping/receiving fallbacks before attackers force the rehearsal.
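For the Microsoft 365 item above, one way to monitor device-code sign-ins, shown as an added example that is not part of the newsletter. It assumes sign-in logs exported as JSON lines with Entra-style field names (`authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `location.countryOrRegion`); the allowlist, function name, and sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# Hypothetical allowlist: (user, app) pairs that legitimately use device-code flow.
ALLOWED_DEVICE_CODE = {("kiosk@example.com", "Microsoft Teams Rooms")}

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"createdDateTime": "2026-05-12T08:00:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2026-05-11T09:02:00Z", "userPrincipalName": "kiosk@example.com", "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2026-05-11T13:15:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.40", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2026-05-12T03:41:00Z", "userPrincipalName": "Alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}}
"""


def find_suspect_device_code_signins(log_text, allowed=ALLOWED_DEVICE_CODE):
    """Return device-code sign-ins outside the allowlist or the user's country baseline."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["createdDateTime"])  # ISO 8601 UTC sorts lexically
    baseline = defaultdict(set)  # user -> countries from sign-ins that were not flagged
    findings = []
    for e in events:
        user = e["userPrincipalName"].lower()
        country = (e.get("location") or {}).get("countryOrRegion", "")
        reasons = []
        if e.get("authenticationProtocol") == "deviceCode":
            if (user, e.get("appDisplayName")) not in allowed:
                reasons.append("user/app not approved for device-code flow")
            if baseline[user] and country not in baseline[user]:
                reasons.append("country not seen before for this user")
        if reasons:
            findings.append({"time": e["createdDateTime"], "user": user,
                             "app": e.get("appDisplayName"), "ip": e.get("ipAddress"),
                             "country": country, "reasons": reasons})
        else:
            baseline[user].add(country)  # flagged events never extend the baseline
    return findings


if __name__ == "__main__":
    for f in find_suspect_device_code_signins(SAMPLE_LOG):
        print(f["time"], f["user"], f["app"], f["ip"], "; ".join(f["reasons"]))
```

The check looks at the protocol rather than the MFA result, since a device-code sign-in completed by the real user still records MFA as satisfied.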
This week's useful lesson is simple:
Attackers are not always breaking the front door.
Sometimes they are walking through the service entrance with a token, a device code, a vendor account, or a "local-only" exploit after somebody else gave them the first foothold.
That means the win is not more noise. The win is sharper trust boundaries.
Patch the privilege paths. Shorten token life. Watch device-code flows. Pressure vendors. Rehearse recovery where production actually happens.
Attackers are hunting trust. Make trust expire.
J.W.



