The week of 18 – 24 May 2026 was defined by ecosystem-level compromise. Three independent supply-chain attacks landed in a single week — across npm, CI/CD workflows, and IIS web servers. A critical authentication-bypass vulnerability in SD-WAN edge appliances (CVE-2026-20182) is under active mass scanning, with confirmed post-compromise webshell deployment. Mobile malware reached a cross-platform peak across macOS, Android, and infostealer ecosystems.

Security teams don’t have an alert problem. They have a detection and operationalization problem. Here’s how this week’s adversaries prove it.

Where SOC workflows fail this week, and what to do about it