
This year’s insane timeline of hacks

Why This Matters

The rapid succession of high-profile cyberattacks in early 2026 highlights a new era of sophisticated and widespread hacking activities that threaten global security, corporate integrity, and consumer data. Despite the severity and frequency of these incidents, public awareness and discourse remain surprisingly muted, raising concerns about the industry's preparedness and transparency. This period marks a potential turning point in cybersecurity, emphasizing the need for heightened vigilance and proactive defense strategies.

Key Takeaways

The first four months of 2026 have produced a sequence of cyber incidents that, if any one of them had landed in 2014 or 2017, would have dominated a news cycle for a week.

A Chinese state supercomputer reportedly bled ten petabytes. Stryker was wiped across 79 countries. Lockheed Martin was hit for a reported 375 terabytes. The FBI Director’s personal inbox was dumped on the open web. The FBI’s wiretap management network was breached in a separate “major incident.” Rockstar Games was breached through a SaaS analytics vendor most people have never heard of. Cisco’s private GitHub was cloned. Oracle’s legacy cloud cracked open. The Axios npm package, downloaded a hundred million times a week, was hijacked by North Korea. Mercor, the $10 billion AI training-data vendor that sits inside the data pipelines of OpenAI, Anthropic, and Meta simultaneously, was breached through the LiteLLM open source library and had 4 terabytes extracted by Lapsus$. Honda was hit twice. The new ShinyHunters/Scattered Spider/LAPSUS$ alliance breached approximately 400 organizations and exfiltrated roughly 1.5 billion Salesforce records.

Stacked on top of each other across roughly a hundred days, these events are something a historian of computing security writing in 2050 will probably file as a turning point, regardless of what else happens between now and then.

And yet, the public conversation around them has been quiet to the point of being strange. This is a curious observation more than a complaint. The goal of what follows is to gather the events into one place, cite the publications that reported each one, and then ask, gently, why the period feels so undocumented in real time.

Every named incident below is followed by inline parenthetical citations to the publications that broke or covered it, in the same way an academic paper would.

I am not arguing that the cybersecurity community is failing. I am noting that something unusual is happening.

Four Threat Clusters, One Quiet Quarter

Strip out the noise and the 2026 wave so far breaks cleanly into four separate campaigns running in parallel against U.S. and Western targets. This convergence is the part nobody is naming out loud.

Cluster 1: Iran / Handala / Void Manticore (destructive state operations). The attacks are carried out under the Handala Hack Team persona, which Palo Alto Networks Unit 42 attributes to Void Manticore, an actor linked to Iran’s Ministry of Intelligence and Security. Handala is claiming attacks against U.S. industrial, defense, and government targets and explicitly framing them as retaliation for a February 28 missile strike on a school in Minab, southern Iran, that killed at least 175 people, most of them children. Confirmed and claimed Q1 2026 victims: Stryker (200,000 devices wiped), Lockheed Martin (375 TB claim, doxxing of 28 engineers), FBI Director Kash Patel (personal email dump).

Cluster 2: Scattered LAPSUS$ Hunters / SLH — the apex-predator merger (financially motivated SaaS theft and extortion at industrial scale). This is the single largest and least-discussed organizational development in the criminal cyber landscape since the Conti collapse. In August 2025, three of the most notorious financially motivated crews on the planet, ShinyHunters, Scattered Spider, and LAPSUS$, formally combined into a coordinated alliance widely tracked as Scattered LAPSUS$ Hunters (SLH), sometimes called “the Trinity of Chaos” (Resecurity; Cyberbit; Infosecurity Magazine; The Hacker News; Computer Weekly; ReliaQuest). Scattered Spider provides initial access through highly effective social engineering and vishing. ShinyHunters handles exfiltration, leak-site management, and extortion. LAPSUS$ contributes its own brand of identity-system compromise. The result is an end-to-end criminal pipeline operating against the SaaS layer of the global enterprise.
