Closed · Medium impact · AI Generated

US Water Utility Cybersecurity Incident Disrupts Treatment Systems

Detected 24 May 2026. Occurrence date not yet established -- showing first detection by the desk.
🇺🇸 United States — specific utility location unidentified · 0 reports · Ended 29 May 2026
Cyber · Property · Cyber · Casualty & Liability

A major US water utility serving 2 million customers has reported a cybersecurity incident that has taken automated treatment and distribution systems offline, forcing a switch to manual operations. The EPA has been notified, indicating regulatory thresholds have been met. This represents a significant critical infrastructure cyber event with direct implications for cyber and property insurance books.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Medium impact. A critical infrastructure cyber attack on a water utility serving 2 million customers is directly relevant to cyber insurance books, particularly those with coverage for operational technology (OT) disruption and business interruption. Liability exposure exists if public health is affected. There is currently insufficient detail to confirm loss quantum or attack vector, but the scale of the affected population and the EPA notification suggest potential for material claims. TRIA zone applicability is possible if state-sponsored attribution is established.

How we grade what we know -- Known · Reported · Uncertain.

Intelligence ledger

Known (4 lines)

  • A major US water utility serving 2 million customers has reported a cybersecurity incident
  • Automated treatment and distribution systems have been taken offline
  • Manual operations have been implemented as a contingency
  • The EPA has been formally notified of the incident

No separate sourced-claim record is available for these lines yet.

Reported (1 line)

  • The incident is characterised as a cybersecurity event, suggesting external attack or intrusion rather than technical failure

No separate sourced-claim record is available for this line yet.

Uncertain (7 lines)

  • Nature and origin of the attack (ransomware, state-sponsored, other)
  • Extent of data breach or data exfiltration
  • Duration of disruption and timeline to restoration of automated systems
  • Identity of the utility and specific geographic location
  • Whether any contamination or public health risk has been triggered
  • Estimated financial loss or ransom demand
  • Whether the incident meets TRIA certification thresholds

No separate sourced-claim record is available for these lines yet.

Geographic Zone Matches

1 active match

  • TRIA Certified Areas
    Rule-based · Confidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇺🇸 United States

Timeline

Status Change · 29 May 2026, 12:25

Lifecycle changed

monitoring → closed

Closure · 29 May 2026, 12:25

Event Closed

Seeded/test data cleanup: synthetic scenario row from 2026-05-24 demo batch; should not appear in the current public RiskEvents feed.

Status Change · 29 May 2026, 05:30

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

active → monitoring

Status Change · 28 May 2026, 22:36

Status changed to active

remediation: existing authoritative signal

signal → active
