Intelligence is not a feed. Intelligence is structured, attributed, and time-bounded. This week we cataloged 86,008 indicator observations across 268 adversary clusters — including 20,034 high-severity records, an order of magnitude above a normal week and shaped by a Thursday infrastructure flood and a sustained IoT-botnet seeder wave. The story below is what the catalogue actually says — who, what, where, how, and what your blue team should do about it on Monday morning.

The week of 18 – 24 May 2026 was defined by ecosystem-level compromise. Three independent supply-chain attacks landed in a single week — across npm, CI/CD workflows, and IIS web servers. A critical authentication-bypass vulnerability in SD-WAN edge appliances (CVE-2026-20182) is under active mass scanning, with confirmed post-compromise webshell deployment. Mobile malware reached a cross-platform peak across macOS, Android, and infostealer ecosystems.

Security teams don’t have an alert problem. They have a detection and operationalization problem. Here’s how this week’s adversaries prove it.