# CTI Daily Brief — 2026-05-13 > **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting. **Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: pending · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.50 · **Recency window:** 36 h (gap to prior brief: 24 h) ## 0. TL;DR - **Fortinet ships two pre-auth RCEs.** CVE-2026-44277 (FortiAuthenticator, CVSS 9.1, CWE-284) and CVE-2026-26083 (FortiSandbox, CVSS 9.1, CWE-862) — unauthenticated network attacker can reach the management surface; FortiAuthenticator commonly anchors Swiss federal/cantonal SAML federations and RADIUS, FortiSandbox underpins SOC malware-analysis pipelines. No ITW exploitation observed at disclosure; fixed in 6.5.7 / 6.6.9 / 8.0.3 (FortiAuthenticator) and 4.4.9 / 5.0.2 / Cloud 5.0.6 (FortiSandbox) ([NCSC-CH Security Hub #12569, 2026-05-13](https://security-hub.ncsc.admin.ch/#/posts/12569); [BleepingComputer, 2026-05-13](https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/)). - **Mini Shai-Hulud worm re-detonates.** TeamPCP poisoned 160+ npm package versions including `@tanstack/*` (42 packages, ~12M weekly downloads), `@uipath/*` (60+), `@mistralai/*` and `@opensearch-project/opensearch` via a `pull_request_target` → pnpm-cache poisoning → `/proc//mem` OIDC-token theft chain that produced **valid SLSA Build Level 3 provenance** on the trojanised tarballs. UiPath is widely used in EU public-sector RPA; SAP HotNews #3747787 acknowledges CAP-package impact ([StepSecurity, 2026-05-11](https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem); [TanStack post-mortem, 2026-05-12](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)). See § 5. - **Exim "Dead.Letter" pre-auth RCE on the default Debian/Ubuntu MTA.** CVE-2026-45185 (CVSS 9.8) is a use-after-free in the BDAT/CHUNKING body-parsing path triggered when a client sends TLS `close_notify` mid-body and then one cleartext byte on the same TCP connection. **GnuTLS builds only** (the distro default); OpenSSL builds unaffected. CHUNKING extension is default-on. Fixed in Exim 4.99.3 ([XBOW research, 2026-05-12](https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim); [oss-security, 2026-05-12](https://www.openwall.com/lists/oss-security/2026/05/12/4)). - **Microsoft May Patch Tuesday — 120+ CVEs, no zero-days, but a Netlogon pre-auth RCE on the DC.** CVE-2026-41089 (Windows Netlogon, CVSS 9.8, stack overflow) is a wormable-candidate pre-auth RCE against every supported Windows Server; CVE-2026-41096 (Windows DNS Client, CVSS 9.8, heap overflow) is reachable from a malicious DNS response on every Windows host; CVE-2026-41103 (Microsoft SSO Plugin for Jira/Confluence, CVSS 9.1) is rated "Exploitation More Likely". 16 of the CVEs were discovered by Microsoft's new MDASH AI scanning harness — see § 3 ([Tenable, 2026-05-12](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103); [ZDI, 2026-05-12](https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review)). - **SAP Commerce Cloud pre-auth RCE plus S/4HANA Enterprise Search SQLi.** CVE-2026-34263 (CVSS 9.6) is unauthenticated arbitrary code injection via overly permissive Spring Security ordering on the cloud-config endpoint; CVE-2026-34260 (CVSS 9.6) is post-auth SQL injection in the Enterprise Search ABAP component — enabled by default. SAP Commerce and S/4HANA are core to Swiss federal procurement (NOVE/SUPERB programmes) and EU institutional ERP ([Onapsis, 2026-05-12](https://onapsis.com/blog/sap-security-patch-day-may-2026/); [SecurityWeek, 2026-05-12](https://www.securityweek.com/sap-patches-critical-s-4hana-commerce-vulnerabilities/)). - **Foxconn confirms Nitrogen ransomware crippled North-American factories.** Foxconn's statement on 2026-05-12 acknowledges the network collapse that began at the Mount Pleasant, Wisconsin plant on May 1 and the operational disruption since; Nitrogen claims 8 TB / 11M files exfiltrated, alleged to include design documentation for Apple, Nvidia, Intel, Google and Dell projects. Coveware previously published a programming bug in Nitrogen's ESXi encryptor that **makes decryption mathematically impossible even after payment** — relevant to anyone evaluating the recovery path ([The Register, 2026-05-12](https://www.theregister.com/cyber-crime/2026/05/12/foxconn-confirms-cyberattack-after-nitrogen-claims-apple-nvidia-data-theft/5239144); [The Record, 2026-05-12](https://therecord.media/foxconn-confirms-cyberattack-north-american-factories)). ## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures ### Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites; 8 TB / 11M files claimed Foxconn Technology Group confirmed on 2026-05-12 that several North-American factories — including Mount Pleasant (Wisconsin), Houston (Texas), and additional sites in Ohio, Virginia, Indiana and Mexico — suffered a cyberattack starting at approximately 07:00 ET on 2026-05-01, when the Mount Pleasant Wi-Fi failed and core infrastructure was disrupted by 11:00 ET; production halted for roughly a week before "affected factories are currently resuming normal production" ([The Register, 2026-05-12](https://www.theregister.com/cyber-crime/2026/05/12/foxconn-confirms-cyberattack-after-nitrogen-claims-apple-nvidia-data-theft/5239144); [The Record, 2026-05-12](https://therecord.media/foxconn-confirms-cyberattack-north-american-factories)). The Nitrogen ransomware crew — a Conti 2 leaked-builder derivative active since 2023 — listed Foxconn on its leak site on 2026-05-11 and claims 8 TB / 11 million files, alleging "confidential technical drawings and project documentation" for Apple, Nvidia, Intel, Google and Dell engagements ([9to5Mac, 2026-05-12](https://9to5mac.com/2026/05/12/apple-supplier-foxconn-confirms-ransomware-attack-affected-north-american-factories/)). None of the named third-party vendors has confirmed any compromise of their own systems; the 8 TB number is the attacker's claim, not a Foxconn-confirmed exfiltration volume. **Why it matters to us:** Foxconn is the dominant EMS supplier for endpoints widely procured by Swiss / EU government and critical-infrastructure operators (Apple, Dell, Nvidia, Intel hardware). The operationally critical defender-side data point on Nitrogen is independent of the headline: a [Coveware analysis (2026-02-02)](https://www.coveware.com/blog/2026/2/2/nitrogen-ransomware-esxi-malware-has-a-bug) documents a programming error in Nitrogen's ESXi encryptor — a QWORD variable overwrites four bytes of the Curve25519 public key during ChaCha8 key-exchange, producing a corrupted key that is mathematically irrecoverable even with the operator's private key. If Nitrogen encrypts an ESXi host in your estate, paying does not restore your VMs. Backup integrity at the hypervisor layer (not just guest-level) is the only recovery path. Generic hypervisor-recovery detection concepts apply: alert on `vmkfstools` / `esxcli` invocations from non-administrator sessions on ESXi `/var/log/shell.log`, and on unexpected `vmx` process terminations preceding mass-rename events. The cited sources do not document the specific initial-access TTP chain Nitrogen has used at Foxconn — defenders should rely on standard hunting for the broader Conti-derivative cluster (Cobalt Strike beaconing, Rclone exfiltration) and let attribution-specific IOCs follow the in-flight forensics. — *Source: [The Register, 2026-05-12](https://www.theregister.com/cyber-crime/2026/05/12/foxconn-confirms-cyberattack-after-nitrogen-claims-apple-nvidia-data-theft/5239144) · Additional source: [The Record, 2026-05-12](https://therecord.media/foxconn-confirms-cyberattack-north-american-factories) · Additional source: [9to5Mac, 2026-05-12](https://9to5mac.com/2026/05/12/apple-supplier-foxconn-confirms-ransomware-attack-affected-north-american-factories/) · Additional source: [Coveware, 2026-02-02](https://www.coveware.com/blog/2026/2/2/nitrogen-ransomware-esxi-malware-has-a-bug) · Tags: ransomware, data-breach, supply-chain · Region: us · Sector: manufacturing* ### BWH Hotels (Best Western, WorldHotels, Sure Hotels) — 181-day unauthorised access to a guest-reservation web application, six EU brands in scope BWH Hotels — the parent operating Best Western Hotels & Resorts, WorldHotels and Sure Hotels — disclosed that an unauthorised third party had access to a guest-reservation web application from 2025-10-14 to 2026-04-22, a 181-day dwell, before detection on 2026-04-22 prompted BWH to take the affected application offline ([The Register, 2026-05-11](https://www.theregister.com/security/2026/05/11/best-western-hotels-confirms-web-app-data-breach/5238020); [SecurityWeek, 2026-05-12](https://www.securityweek.com/bwh-hotels-says-hackers-had-access-to-reservation-data-for-6-months/)). Disclosed data fields: guest names, email addresses, phone numbers, home addresses, reservation numbers, dates of stay and special requests; payment / financial data is stated as unaffected. BWH Hotels operates properties across multiple EEA jurisdictions, so EEA-resident guest data is in scope; the company has not yet published a per-country DPA notification list, and the cited disclosures do not enumerate per-country exposure. No attribution; no extortion demand reported. **Defender takeaway:** The pattern — third-party web application held attacker access for 181 days before discovery — fits the IAB / data-theft tradecraft we have been seeing repeatedly against EU SaaS estates: the asset is a *single application* sitting outside the corporate SOC's primary telemetry, with credentials likely harvested via infostealer or vishing of a contractor account. Detection concepts: instrument **every** customer-facing reservation / CRM / loyalty SaaS with download-volume alerting at the API tier (mapped to `T1530 Data from Cloud Storage Object` and `T1213.003 Data from Information Repositories: Code Repositories`-equivalent for SaaS DBs); push CASB DLP policies that flag bulk export of PII fields by any non-batch service account; require step-up auth on any session exporting more than N records per hour. Public-sector implication: government staff travelling on official duty and using BWH-brand properties had itinerary + contact data exposed; review whether any travel-booking integrations route through this application and, if so, treat the in-scope passport-data fields as compromised. — *Source: [The Register, 2026-05-11](https://www.theregister.com/security/2026/05/11/best-western-hotels-confirms-web-app-data-breach/5238020) · Additional source: [SecurityWeek, 2026-05-12](https://www.securityweek.com/bwh-hotels-says-hackers-had-access-to-reservation-data-for-6-months/) · Tags: data-breach, identity · Region: global · Sector: retail* ## 2. Trending Vulnerabilities ### CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE Fortinet published two PSIRT advisories on 2026-05-12, picked up by NCSC-CH within hours. CVE-2026-44277 (CWE-284 Improper Access Control) is an unauthenticated network attacker reaching the FortiAuthenticator management-interface API and executing arbitrary commands via crafted requests; vendor PSIRT lists CVSS 9.1 (NCSC-CH and some early reports surfaced 9.8 — § 7 documents the convergence). Affected: 6.5.0–6.5.6, 6.6.0–6.6.8 and 8.0.0–8.0.2. Fixed in 6.5.7 / 6.6.9 / 8.0.3. FortiAuthenticator Cloud (IDaaS) is **not** affected ([Fortinet PSIRT FG-IR-26-128, 2026-05-12](https://fortiguard.fortinet.com/psirt/FG-IR-26-128); [NCSC-CH Security Hub #12569, 2026-05-13](https://security-hub.ncsc.admin.ch/#/posts/12569)). CVE-2026-26083 (CWE-862 Missing Authorization) is an unauthenticated attacker reaching the FortiSandbox Web UI and executing code at CVSS 9.1 per the Fortinet PSIRT advisory ([Fortinet PSIRT FG-IR-26-136, 2026-05-12](https://fortiguard.fortinet.com/psirt/FG-IR-26-136); [BleepingComputer, 2026-05-13](https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/)). Affected FortiSandbox: 4.4.0–4.4.8 (fixed 4.4.9), 5.0.0–5.0.1 (fixed 5.0.2), plus multiple PaaS / Cloud variants; on-prem Cloud 23 and 24 require migration rather than an in-place patch. Both discoveries are attributed to internal Fortinet audit; exploitation status is unknown at disclosure. The defender-relevant attack surface is the network-reachable management plane on each appliance class. Detection concepts mapped to `T1190 Exploit Public-Facing Application`: alert on FortiAuthenticator / FortiSandbox management-port reach from outside the SOC management VLAN; treat any anomalous outbound HTTP from these appliances (Sysmon-equivalent on FortiOS via `diagnose debug application httpsd` for FortiAuthenticator) as potential post-exploit egress. Hardening: enforce the perimeter / internal firewall rule that FortiAuthenticator GUI / API and FortiSandbox Web UI are reachable only from named admin / SOC source IPs — Fortinet's PSIRT pages explicitly call this out as the residual hardening even after patching. — *Source: [Fortinet PSIRT FG-IR-26-128, 2026-05-12](https://fortiguard.fortinet.com/psirt/FG-IR-26-128) · [Fortinet PSIRT FG-IR-26-136, 2026-05-12](https://fortiguard.fortinet.com/psirt/FG-IR-26-136) · [NCSC-CH Security Hub #12569, 2026-05-13](https://security-hub.ncsc.admin.ch/#/posts/12569) · [BleepingComputer, 2026-05-13](https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/) · Tags: vulnerabilities, pre-auth, rce, identity, patch-available · Region: global · CVE: CVE-2026-44277, CVE-2026-26083 · CVSS: 9.1 / 9.1 · Vector: zero-click · Auth: pre-auth · Status: patch-available* ### CVE-2026-45185 — Exim "Dead.Letter" use-after-free in BDAT/CHUNKING on GnuTLS builds XBOW disclosed CVE-2026-45185 on 2026-05-12 after a coordinated-disclosure window with Exim maintainers, Linux distros and CVE authorities that began 2026-05-01 ([XBOW research, 2026-05-12](https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim); [oss-security, 2026-05-12](https://www.openwall.com/lists/oss-security/2026/05/12/4); [The Hacker News, 2026-05-12](https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html)). The bug is a use-after-free (CWE-416) in Exim's BDAT (RFC 3030 CHUNKING) body-parser when the binary was built with GnuTLS (`USE_GNUTLS=yes`) — the default on Debian and Ubuntu packages. OpenSSL builds are unaffected. The trigger: an SMTP client sends a TLS `close_notify` mid-BDAT body, then one final cleartext byte on the same TCP connection. Exim's `xfer_buffer` has already been freed in `tls_close()`, but the BDAT `lwr_receive_*` function pointers remain live and `tls_ungetc()` writes a single `\n` byte into the freed region. XBOW's AI-driven exploitation (within the seven-day disclosure window) produced two working chains under ASLR: a largebin-corruption → `FILE` struct hijack chain on No-PIE builds, and a `storeblock` length-inflation → bump-pointer corruption → `${run}` ACL execution chain on PIE builds. No authentication is required; the CHUNKING extension is default-on. Fixed in Exim 4.99.3. CVSS 9.8 per the XBOW disclosure. No public exploitation reported at disclosure, but exim.org is the dominant MTA on the public internet and the GnuTLS default on Debian / Ubuntu maps directly to the typical EU university, academic-research and small-government mail-relay estate. Detection / hunt concepts mapped to `T1190 Exploit Public-Facing Application` and `T1499.004 Endpoint Denial of Service: Application or System Exploitation`: monitor `exim` `panic.log` for `tls_ungetc` traces and segfaults under non-zero load; egress-monitor any outbound TCP from the MTA host that does not match the usual upstream-relay set; on Debian / Ubuntu, audit `exim -bV | grep GnuTLS` per host. Workaround pending patch: set `CHUNKING_ADVERTISE_HOSTS =` (empty) in `exim4.conf` to suppress the BDAT advertisement. — *Source: [XBOW research, 2026-05-12](https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim) · [oss-security, 2026-05-12](https://www.openwall.com/lists/oss-security/2026/05/12/4) · [The Hacker News, 2026-05-12](https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html) · Tags: vulnerabilities, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-45185 · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: patch-available* ### CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days) Microsoft shipped roughly 120 CVE fixes in the May 2026 cumulative updates (source counts vary 118–138 depending on whether developer-tools and Azure-only items are included); ZDI counts ~30 Critical, none under active exploitation at release ([Tenable, 2026-05-12](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103); [Krebs on Security, 2026-05-12](https://krebsonsecurity.com/2026/05/patch-tuesday-may-2026-edition/); [ZDI, 2026-05-12](https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review)). **CVE-2026-41089** (Windows Netlogon, CVSS 9.8, CWE-121 stack buffer overflow): unauthenticated remote attacker over the network reaches the domain-controller Netlogon RPC endpoint; Microsoft marks "Exploitation Less Likely" but ZDI flags the pattern as wormable-candidate. **CVE-2026-41096** (Windows DNS Client, CVSS 9.8, CWE-122 heap overflow in `dnsapi.dll`): a crafted DNS response from a MitM or rogue resolver yields code execution as `NetworkService` on every Windows host; defender exposure is anywhere a host might receive an attacker-influenced DNS reply. **CVE-2026-41103** (Microsoft SSO Plugin for Jira/Confluence, CVSS 9.1, "Exploitation More Likely"): unauthenticated attacker forges an Entra ID credential to sign in to self-managed Atlassian; affects public-sector DevSecOps stacks using Microsoft's Entra-ID auth plugin. **CVE-2026-42898** (Dynamics 365 On-Premises, CVSS 9.9): authenticated code injection with scope change — a rare privilege-boundary violation in this product family. Four Microsoft Word RCEs (CVE-2026-40361 / CVE-2026-40364 / CVE-2026-40366 / CVE-2026-40367, CVSS 8.4 each) have the Preview Pane as an attack vector and two are rated "Exploitation More Likely". MITRE ATT&CK mappings: `T1210 Exploitation of Remote Services` (Netlogon), `T1071.004 Application Layer Protocol: DNS` (DNS Client), `T1078.004 Cloud Accounts` (Entra forgery). Detection concepts: monitor Netlogon authentication-pattern anomalies (`4624 Logon Type 3` to DCs from unexpected internal sources, paired with `4769` ticket-request anomalies); alert on outbound DNS to non-corporate resolvers from DC and member hosts; audit Atlassian SSO plugin version inventory; disable Outlook Preview Pane as an interim mitigation for Word RCEs. Hardening: prioritise DCs first (Netlogon is on the DC boundary); inventory `dnsapi.dll` patch state across the fleet; inventory self-managed Atlassian deployments and apply the SSO plugin update before the next work week. — *Source: [Tenable, 2026-05-12](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103) · [ZDI, 2026-05-12](https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review) · [Krebs on Security, 2026-05-12](https://krebsonsecurity.com/2026/05/patch-tuesday-may-2026-edition/) · [Help Net Security, 2026-05-12](https://www.helpnetsecurity.com/2026/05/12/microsoft-may-2026-patch-tuesday/) · Tags: vulnerabilities, pre-auth, rce, identity, patch-available · Region: global · CVE: CVE-2026-41089, CVE-2026-41096, CVE-2026-41103, CVE-2026-42898 · CVSS: 9.8 / 9.8 / 9.1 / 9.9 · Vector: zero-click · Auth: pre-auth · Status: patch-available* ### CVE-2026-34263 / CVE-2026-34260 — SAP Commerce Cloud pre-auth RCE, S/4HANA Enterprise Search SQL injection SAP's May 2026 Security Patch Day (2026-05-12) released 17 patches, three HotNews ([Onapsis, 2026-05-12](https://onapsis.com/blog/sap-security-patch-day-may-2026/); [SecurityWeek, 2026-05-12](https://www.securityweek.com/sap-patches-critical-s-4hana-commerce-vulnerabilities/); [NCSC-CH Security Hub #12565, 2026-05-12](https://security-hub.ncsc.admin.ch/#/posts/12565)). **CVE-2026-34263** (CVSS 9.6, CWE-459 Incomplete Cleanup) is a missing authentication on SAP Commerce Cloud's cloud-config endpoint caused by overly permissive Spring Security ordering — an unauthenticated attacker can upload arbitrary configuration and reach server-side code execution. Affects HY_COM 2205 and COM_CLOUD 2211 / 2211-JDK21. **CVE-2026-34260** (CVSS 9.6) is SQL injection in the SAP S/4HANA Enterprise Search for ABAP component, missing input validation; affected SAP_BASIS 751–758 and 816. Authentication required but the blast radius is full database read / write. **CVE-2026-34259** (CVSS 8.2) is OS-command injection in SAP Forecasting & Replenishment (authenticated). A third HotNews note (SAP #3747787) acknowledges the impact of the Mini Shai-Hulud npm worm (see § 4 / § 5) on SAP Cloud Application Programming (CAP) packages. No ITW exploitation reported. SAP S/4HANA is the backbone ERP for Swiss federal administration (NOVE / SUPERB programmes) and many EU institutions; SAP Commerce Cloud commonly powers e-government procurement portals — both of which sit close to the public-internet boundary. Detection concepts mapped to `T1190` (Commerce Cloud) and `T1190` + `T1213` (S/4HANA): instrument the SAP HTTP front-end logs for Spring Security rule-bypass patterns on cloud-config endpoints; audit ABAP Enterprise Search call logs for anomalous SQL-syntax payloads in user-input fields. Hardening: apply SAP Notes via the May 2026 patch day; disable Enterprise Search ABAP if not in operational use; restrict Commerce Cloud cloud-config endpoint to administrative networks. — *Source: [Onapsis, 2026-05-12](https://onapsis.com/blog/sap-security-patch-day-may-2026/) · [SecurityWeek, 2026-05-12](https://www.securityweek.com/sap-patches-critical-s-4hana-commerce-vulnerabilities/) · [NCSC-CH Security Hub #12565, 2026-05-12](https://security-hub.ncsc.admin.ch/#/posts/12565) · Tags: vulnerabilities, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-34263, CVE-2026-34260 · CVSS: 9.6 / 9.6 · Vector: zero-click · Auth: pre-auth · Status: patch-available* ### CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area) CERT-FR's advisory CERTFR-2026-AVI-0564 (2026-05-12) covers multiple remote code execution flaws in SPIP — the open-source CMS that powers a substantial share of French ministry, université and francophone Swiss canton web sites ([CERT-FR CERTFR-2026-AVI-0564, 2026-05-12](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0564/); [SPIP security bulletin, 2026-05-12](https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-14.html)). The SPIP bulletin describes two distinct RCE paths in versions prior to 4.4.14: one in the private (authenticated) area, and one in the public (unauthenticated) area "under specific nginx configurations" — the SPIP bulletin notes the bugs are "not covered by the security screen", meaning they bypass SPIP's built-in filter layer. No CVE identifiers are assigned in the vendor bulletin. Fixed in SPIP 4.4.14. No ITW reported. Detection concepts: monitor SPIP `ecrire/` and front-end access logs for the SSTI / template-load gadget patterns the bulletin enumerates; on shared-host SPIP estates, audit the nginx reverse-proxy configuration for the unsafe location pattern. Hardening: upgrade to 4.4.14; on internet-facing SPIP, gate `ecrire/` to a known admin source set at the reverse proxy. — *Source: [CERT-FR CERTFR-2026-AVI-0564, 2026-05-12](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0564/) · [SPIP security bulletin, 2026-05-12](https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-14.html) · Tags: vulnerabilities, rce, patch-available · Region: europe · Sector: public-sector* ### CERTFR-2026-AVI-0572 — Centreon Infra Monitoring: RCE / SQLi / XSS cluster (April 2026 bulletin) CERT-FR's CERTFR-2026-AVI-0572 (2026-05-12) consolidates the April 2026 monthly security bulletin for Centreon Infra Monitoring — the enterprise monitoring platform widely deployed in French and EU public-sector NOCs and government ISPs ([CERT-FR CERTFR-2026-AVI-0572, 2026-05-12](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0572/); [Centreon security bulletin, 2026-05-12](https://thewatch.centreon.com/latest-security-bulletins-64/april-2026-monthly-security-bulletin-for-centreon-infra-monitoring-high-5660)). The bulletin lists command injection (effectively RCE in Centreon MBI), SQL injection, and XSS (Centreon Map, CVSS 6.8) findings spread across Centreon Anomaly Detection, Auto Discovery, AWIE, BAM, DSM, License Manager, MAP, MBI and Open Tickets — affecting 24.04.x (MBI only), 24.10.x and 25.10.x branches. Per-CVE identifiers are enumerated in the Centreon bulletin rather than the CERT-FR advisory. No ITW reported. The defender-relevant property is that Centreon stores **privileged monitored-host credentials** (SNMP communities, SSH private keys, vendor-API tokens) — compromise of a Centreon instance is a high-impact lateral-movement enabler against the entire monitored estate. Detection concepts: monitor Centreon front-end access logs for the listed component endpoints from non-NOC source networks; alert on Centreon process spawning child shells outside scheduled poller intervals. Hardening: apply the April 2026 monthly update; segment Centreon's monitoring VLAN from user / internet networks; treat Centreon credentials-vault contents as Tier-0 in the AD admin-tiering model. — *Source: [CERT-FR CERTFR-2026-AVI-0572, 2026-05-12](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0572/) · [Centreon security bulletin, 2026-05-12](https://thewatch.centreon.com/latest-security-bulletins-64/april-2026-monthly-security-bulletin-for-centreon-infra-monitoring-high-5660) · Tags: vulnerabilities, rce, patch-available · Region: europe · Sector: public-sector* #### CVE Summary Table | CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source | |---|---|---|---|---|---|---|---| | CVE-2026-44277 | Fortinet FortiAuthenticator 6.5.x / 6.6.x / 8.0.x | 9.1 | n/a | No | No | 6.5.7 / 6.6.9 / 8.0.3 | [PSIRT](https://fortiguard.fortinet.com/psirt/FG-IR-26-128) | | CVE-2026-26083 | Fortinet FortiSandbox 4.4.x / 5.0.x / PaaS / Cloud | 9.1 | n/a | No | No | 4.4.9 / 5.0.2 / Cloud 5.0.6; Cloud 23/24 migrate | [PSIRT](https://fortiguard.fortinet.com/psirt/FG-IR-26-136) | | CVE-2026-45185 | Exim 4.97–4.99.2 (GnuTLS builds) | 9.8 | 0.0 | No | No | Exim 4.99.3 | [XBOW](https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim) | | CVE-2026-41089 | Windows Netlogon (all supported Windows Server) | 9.8 | n/a | No | No | May 2026 CU | [Tenable](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103) | | CVE-2026-41096 | Windows DNS Client (`dnsapi.dll`) | 9.8 | n/a | No | No | May 2026 CU | [Tenable](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103) | | CVE-2026-41103 | Microsoft SSO Plugin for Jira/Confluence | 9.1 | n/a | No | No (More Likely) | Plugin update 2026-05-12 | [Tenable](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103) | | CVE-2026-42898 | Microsoft Dynamics 365 On-Premises | 9.9 | n/a | No | No | May 2026 CU | [ZDI](https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review) | | CVE-2026-40361 | Microsoft Word (Preview Pane) | 8.4 | n/a | No | No (More Likely) | Office 2026-05-12 | [Tenable](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103) | | CVE-2026-40364 | Microsoft Word (Preview Pane) | 8.4 | n/a | No | No (More Likely) | Office 2026-05-12 | [Tenable](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103) | | CVE-2026-34263 | SAP Commerce Cloud HY_COM 2205 / COM_CLOUD 2211 | 9.6 | n/a | No | No | SAP Note 3733064 | [Onapsis](https://onapsis.com/blog/sap-security-patch-day-may-2026/) | | CVE-2026-34260 | SAP S/4HANA SAP_BASIS 751–758 / 816 | 9.6 | n/a | No | No | SAP Note (May 2026 patch day) | [Onapsis](https://onapsis.com/blog/sap-security-patch-day-may-2026/) | Vendor PSIRT pages (re-fetched at verification time) consistently publish CVSS 9.1 for both FortiAuthenticator CVE-2026-44277 and FortiSandbox CVE-2026-26083; early NCSC-CH / NVD reports cited 9.8 for one or both before convergence. § 7 documents the source discrepancy. ## 3. Research & Investigative Reporting ### Microsoft MDASH — multi-model agentic vulnerability-discovery harness finds 16 Windows CVEs in network-stack kernel components Microsoft's Autonomous Code Security team published a detailed technical disclosure on 2026-05-12 of MDASH, an AI-orchestrated vulnerability-discovery pipeline running over 100 specialised agents across an ensemble of frontier and distilled models ([Microsoft Security Blog, 2026-05-12](https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-finds-16-new-vulnerabilities/)). The pipeline executes a five-stage prepare → scan → validate → dedup → prove loop that ends with an **automated end-to-end exploitability proof** before a finding is sent to engineering — meaning every MDASH-disclosed CVE was validated as practically exploitable, not just theoretically reachable. In MDASH's first production run against Windows the harness produced 16 previously unknown CVEs concentrated in the network-exposed kernel attack surface — `tcpip.sys` (Windows TCP/IP stack), `ikeext.dll` (the Windows IKEv2 keying service for DirectAccess and Always-On VPN), `netlogon.dll`, and `dnsapi.dll` — split as 10 kernel-mode and 6 user-mode bugs, including four Critical RCEs. The harness scored 88.45% on the public CyberGym benchmark (1,507 real-world CVEs across 188 open-source projects) and achieved 100% recall on the `tcpip.sys` historical-CVE corpus ([The Register, 2026-05-13](https://www.theregister.com/patches/2026/05/13/doozy-of-a-patch-tuesday-includes-30-critical-microsoft-cves/5239224)). Microsoft has scheduled a customer-facing preview of the harness for June 2026. **Defender takeaway:** Two operational implications. First, the MDASH-discovered Windows CVEs (a substantial subset of the May 2026 Patch Tuesday in § 2) should be treated as "practically exploitable" even without observed ITW activity, because the proof-of-exploitability stage runs before disclosure — that lifts these above the typical "Less Likely / More Likely" scoring noise. Second, the `ikeext.dll` surface is directly relevant to EU public-sector remote-access deployments: DirectAccess and Always-On VPN are widely deployed as the AD-integrated remote-access primitive across Swiss federal and EU government estates; any unauthenticated bug in `ikeext.dll` is a remote-perimeter risk. Mapped to `T1190 Exploit Public-Facing Application` and `T1133 External Remote Services`. Hardening: expedite May 2026 cumulative update on internet-exposed Windows hosts with DirectAccess / Always-On VPN; verify the network-perimeter ACL still scopes IKEv2 reach to known client networks. — *Source: [Microsoft Security Blog, 2026-05-12](https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-finds-16-new-vulnerabilities/) · Additional source: [The Register, 2026-05-13](https://www.theregister.com/patches/2026/05/13/doozy-of-a-patch-tuesday-includes-30-critical-microsoft-cves/5239224) · Tags: vulnerabilities, ai-abuse · Region: global* ### TrickMo "TrickMo C" — Android banking trojan migrates C2 to The Open Network blockchain, adds SOCKS5 / SSH device-as-pivot ThreatFabric's 2026-05-11 research identifies a substantially redesigned TrickMo variant active across January–February 2026 in campaigns against banking and fintech users in France, Italy and Austria ([ThreatFabric, 2026-05-11](https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app); [The Hacker News, 2026-05-12](https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html); [Security Affairs, 2026-05-12](https://securityaffairs.com/192003/malware/android-banking-trojan-trickmo-evolves-using-ton-network-for-c2.html)). The C2 architecture has migrated off conventional DNS / IP infrastructure: the host APK embeds a native TON (The Open Network) proxy that starts on a loopback port at process launch, and all C2 HTTP requests address `.adnl` hostnames resolved inside the TON decentralised overlay. That design defeats traditional domain-takedown and DNS-based blocklisting — operator endpoints exist as TON identities inside a permissionless overlay rather than at a controllable DNS or IP. Beyond the banking-trojan core (accessibility-service device takeover, fake overlay login pages, SMS / OTP interception, mapped to `T1517 Access Notifications`), TrickMo C adds a network-reconnaissance subsystem via five operator commands (`curl`, `dnslookup`, `ping`, `telnet`, `traceroute`) and an SSH tunnel + authenticated SOCKS5 proxy — turning infected Android devices into programmable network pivots so operators can route abuse traffic from the victim's IP space and defeat IP-reputation fraud detection on banking and crypto-exchange platforms. Mapped to `T1090.001 Proxy: Internal Proxy` for the SOCKS5 mode. Droppers masquerade as TikTok variants distributed via Facebook ads; the final payload impersonates Google Play Services. Dormant code includes the Pine hooking framework and NFC permissions, suggesting contactless-payment interception is in development. **Defender takeaway:** The relevant change for an EU defender is the C2 transport: blocking TON traffic at the corporate gateway is non-trivial because TON shares the standard internet routes; behaviour-side, detect Android devices that initiate the TON loopback proxy and that issue outbound to non-corporate SOCKS5 / SSH ports under unusual entitlements. Public-sector implication: government-issued Android or BYOD devices that access banking, tax, or e-government services should be scoped under MDM policies that block sideloaded APKs from social-media link-outs and forbid sideloaded TikTok-look-alikes. Mapped to `T1422 System Network Configuration Discovery` and `T1437.001 Application Layer Protocol: Web Protocols`. — *Source: [ThreatFabric, 2026-05-11](https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app) · Additional source: [The Hacker News, 2026-05-12](https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html) · Additional source: [Security Affairs, 2026-05-12](https://securityaffairs.com/192003/malware/android-banking-trojan-trickmo-evolves-using-ton-network-for-c2.html) · Tags: phishing, mobile, organized-crime · Region: europe · Sector: finance* ### NCSC-UK — "10 questions to ask when using AI models to find vulnerabilities" NCSC-UK published an operational 10-question checklist on 2026-05-11 (authored by Ruth C, Head of Vulnerability Management Group) for organisations evaluating or deploying AI / LLM tooling for vulnerability discovery ([NCSC-UK blog, 2026-05-11](https://www.ncsc.gov.uk/blogs/10-questions-ask-using-ai-models-find-vulnerabilities)). The guidance is substantively different from the previously-covered NCSC-CH BACS strategic assessment: it is process- and infrastructure-flavoured rather than landscape-flavoured. The ten questions interrogate (a) **process prerequisites** — is there a triage / remediation pipeline that can absorb what the AI surfaces, or will the backlog simply grow while team capacity stays flat; (b) **data governance** — what code, infrastructure and secrets is the model being given access to; (c) **infrastructure security** — is the AI agent sandboxed from production; (d) **permissions blast-radius** — has the model been granted excessive permissions that magnify attacker reach if the agent itself is compromised; (e) legal / data-retention; (f) false-positive overhead on the blue team. The piece explicitly warns that **AI-accelerated vulnerability discovery without matching remediation capacity makes the organisation worse off, not better** — a direct critique of "buy the AI tool" patterns. [SINGLE-SOURCE] — *Source: [NCSC-UK blog, 2026-05-11](https://www.ncsc.gov.uk/blogs/10-questions-ask-using-ai-models-find-vulnerabilities) · Tags: ai-abuse, vulnerabilities · Region: uk · Sector: public-sector* ## 4. Updates to Prior Coverage ### UPDATE: Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions) > **UPDATE (originally covered 2026-05-10):** Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP's Mini Shai-Hulud self-propagating worm executed its largest campaign to date, compromising 160+ malicious versions across `@tanstack/*` (42 packages including `@tanstack/react-router` at ~12M weekly downloads), `@uipath/*` (60+ packages), `@mistralai/*`, `@opensearch-project/opensearch`, `@squawk/*`, `@draftlab/*` and `@tallyui/*`, plus two PyPI packages ([StepSecurity analysis, 2026-05-11](https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem); [TanStack post-mortem, 2026-05-12](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem); [Wiz, 2026-05-12](https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised); [NCSC-CH Security Hub #12558, 2026-05-12](https://security-hub.ncsc.admin.ch/#/posts/12558)). > > The novel attack chain (decomposed in § 5) is materially different from the 2026-05-10 SAP-CAP campaign: the operator (`voicproducoes`, GitHub account ID 269549300) submitted a poisoned PR to a target repository that triggered a `pull_request_target` workflow, used that privileged workflow to seed a malicious pnpm store into the GitHub Actions cache, then waited for legitimate maintainer merges to main — the release workflow restored the poisoned cache, attacker-controlled binaries extracted GitHub Actions OIDC tokens from `/proc//mem`, and the worm used npm's token-exchange endpoint to publish trojanised package versions **with valid SLSA Build Level 3 provenance attestations**. The provenance bypass is the most significant evolution — SLSA L3 was the supply-chain assurance many EU public-sector procurement frameworks were starting to rely on, and this campaign demonstrates it is forgeable without abusing the package's own publish step. > > Operational delta for defenders: SAP Note #3747787 (HotNews) acknowledges CAP-package impact and ships a clean version list. UiPath impact is the highest-priority public-sector signal — UiPath RPA is widely deployed in Swiss federal e-government automation and EU agency back-offices; review `package-lock.json` / `pnpm-lock.yaml` in every UiPath-using pipeline against the StepSecurity / Wiz package-version manifest. **Before revoking any GitHub PAT or npm token, sanitise the developer machine first** — token revocation triggers the worm's `gh-token-monitor` dead-man's switch that executes `rm -rf ~/` on the affected workstation. Mapped to `T1195.002 Supply Chain Compromise: Compromise Software Supply Chain`, `T1552.001 Unsecured Credentials: Credentials in Files`, `T1078.004 Cloud Accounts`. > > — *Source: [StepSecurity, 2026-05-11](https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem) · [TanStack post-mortem, 2026-05-12](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem) · [Wiz, 2026-05-12](https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised) · [NCSC-CH Security Hub #12558, 2026-05-12](https://security-hub.ncsc.admin.ch/#/posts/12558) · Tags: supply-chain, infostealer, ai-abuse · Region: global · Sector: public-sector* ### UPDATE: Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom > **UPDATE (originally covered 2026-05-12):** Late on 2026-05-11, US House Homeland Security Committee Chairman Andrew Garbarino sent a formal letter to Instructure CEO Steve Daly ahead of the 2026-05-12 ShinyHunters extortion deadline, demanding a briefing by 2026-05-21 on the circumstances of both Canvas intrusions, the volume of data accessed, containment measures, and coordination with federal law enforcement and CISA ([The Record, 2026-05-12](https://therecord.media/instructure-pays-ransom-canvas-incident-congress-investigation); [The Register, 2026-05-12](https://www.theregister.com/cyber-crime/2026/05/12/congress-investigates-canvas-breach-after-instructure-cuts-deal-with-shinyhunters/5238927)). > > On 2026-05-12 — before the deadline expired — Instructure confirmed it had "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" from ShinyHunters, the operational reliability of which the committee letter explicitly questions. ShinyHunters claims the agreement covers up to 275 million records across roughly 8,800 colleges, universities and K-12 schools (per The Register; The Record cites ~9,000 institutions), including Dutch and Swedish higher-education customers previously confirmed in scope. The second Canvas intrusion is attributed to ShinyHunters exploiting an unpatched flaw in Instructure's "Free-for-Teacher" environment; the initial 2026-04-29 intrusion yielded ~3.6 TB of uncompressed data (usernames, emails, course names, messages). CrowdStrike was retained for forensic analysis. > > Defender takeaway: a vendor-side "shred log" is legally non-binding and technically unverifiable; EU institutions must continue to treat the 275M-record dataset as irrevocably compromised for GDPR Art. 33 / data-subject-rights purposes regardless of Instructure's bulk-platform claim. The congressional investigation will likely prompt CISA guidance for higher-education SaaS incident response — relevant context for Swiss universities and EU edtech procurement teams. > > — *Source: [The Record, 2026-05-12](https://therecord.media/instructure-pays-ransom-canvas-incident-congress-investigation) · [The Register, 2026-05-12](https://www.theregister.com/cyber-crime/2026/05/12/congress-investigates-canvas-breach-after-instructure-cuts-deal-with-shinyhunters/5238927) · Tags: data-breach, ransomware, identity · Region: us, europe · Sector: education* ### UPDATE: PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13 > **UPDATE (originally covered 2026-05-12):** Palo Alto Networks released the first wave of patched PAN-OS builds on 2026-05-13 for the actively-exploited Captive Portal pre-auth RCE, covering PAN-OS 10.2, 11.1, 11.2 and 12.1 ([Palo Alto Networks PSIRT, last updated 2026-05-07; patch table confirmed 2026-05-13](https://security.paloaltonetworks.com/CVE-2026-0300)). Concretely: PAN-OS 12.1.4-h5 (2026-05-13) plus 12.1.7 (planned 2026-05-28); PAN-OS 11.2 multiple builds staged 2026-05-13–2026-05-28; PAN-OS 11.1 and 10.2 on a similar cadence. Prisma Access, Cloud NGFW and Panorama remain unaffected. Threat Prevention signature ID 510019 remains the interim control for any unpatched instance. The CISA KEV deadline of 2026-05-09 is — per the audience-applicability rule in the daily prompt — irrelevant for CH/EU jurisdiction; the operational driver is the active exploitation by CL-STA-1132 documented previously. > > — *Source: [Palo Alto Networks PSIRT CVE-2026-0300, 2026-05-13](https://security.paloaltonetworks.com/CVE-2026-0300) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-0300 · CVSS: 9.3 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available* ## 5. Deep Dive — Mini Shai-Hulud's GitHub Actions Pwn-Request → OIDC Token Theft Chain **Background.** Mini Shai-Hulud (the TeamPCP self-propagating npm worm) first surfaced in coverage on [2026-05-10](briefs/2026-05-10.md) as a SAP CAP-package compromise. The original campaign relied on attacker-published versions of dependency-chain packages catching legitimate downstream consumers; its blast-radius was bounded by which packages opted into the affected dependency graph. The 2026-05-11 second wave (see § 4 UPDATE) materially changes the attack pattern — it uses no infostealer of a maintainer's machine, no credential theft from the package owner; instead it abuses a class problem in GitHub Actions that lets attacker-controlled fork code reach into the privileged release workflow of an upstream repository ([StepSecurity, 2026-05-11](https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem); [TanStack post-mortem, 2026-05-12](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem); [Wiz, 2026-05-12](https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised)). **The chain in defender terms.** 1. **Reconnaissance.** The operator (`voicproducoes`, GitHub account ID 269549300, created 2026-03-19) identifies a target repository whose CI/CD configuration triggers on `pull_request_target`. That event is the privileged form of `pull_request` — it runs in the *base repository's* context with secrets and write tokens available, not the fork's sandbox. GitHub's docs flag this; many high-volume monorepos still rely on it for fork-aware CI features. Mapped to `T1593 Search Open Websites/Domains` (the operator surveys public Actions configurations). 2. **Fork-and-rename.** The operator forks the target repo (e.g. `TanStack/router`) and immediately renames the fork (`zblgg/configuration`) to evade fork-list discovery — fork-list scans against the upstream do not surface a fork that has been renamed off the original namespace. Mapped to `T1583.001 Acquire Infrastructure: Domains`-equivalent for source-control identity. 3. **Pwn-Request.** The operator submits a PR from the renamed fork. The base repo's `pull_request_target` workflow executes, but with attacker-controlled code paths reached via subtle changes the human reviewer is unlikely to read (e.g. a modified `pnpm-lock.yaml`, a new dev-dependency, or a CI helper script under `.github/`). Mapped to `T1199 Trusted Relationship` and `T1505.003 Web Shell`-equivalent for CI execution. The PR does not need to be merged — its mere existence runs the privileged workflow. 4. **Cache poisoning.** The privileged workflow run, now executing attacker-influenced code with base-repo secrets, writes a malicious pnpm store into the GitHub Actions cache key for the project's lockfile hash. The cache key is shared with the legitimate release workflow, so the legitimate `pnpm install` in the next maintainer-merged release will restore the poisoned store rather than fetch upstream tarballs. Mapped to `T1195.002 Supply Chain Compromise: Compromise Software Supply Chain`. 5. **Wait for release.** Maintainers merge legitimate PRs to `main`. The release workflow on `main` restores the poisoned cache, builds the package using the trojanised pnpm store, and reaches the publish step. 6. **OIDC-token theft via `/proc//mem`.** At this point the release runner has been issued a short-lived GitHub Actions OIDC token by GitHub's identity provider. The token sits in the workflow process's memory but is not surfaced as an environment variable to step scripts. The attacker-controlled binary inside the poisoned pnpm store reads `/proc//mem` to scrape the token directly out of process memory. Mapped to `T1003.007 OS Credential Dumping: Proc Filesystem`. 7. **npm token exchange.** The harvested OIDC token is exchanged at npm's well-known token-exchange endpoint for a per-package publish token. Because npm trusts the OIDC issuer (GitHub Actions identity), the token-exchange is a legitimate trust-federation operation — no audit signal at the npm side distinguishes it from a normal publish. The worm uses this short-lived publish token to upload poisoned versions of every package the OIDC scope can reach. Mapped to `T1078.004 Cloud Accounts` and `T1606.002 Forge Web Credentials: SAML Tokens`-equivalent for OIDC. 8. **Provenance fraud.** Because the poisoned tarball was built *inside* the legitimate GitHub Actions runner and published via the legitimate OIDC trust path, the npm registry signs the package with a **valid SLSA Build Level 3 provenance attestation**. The "Publish Packages" step in the maintainer's workflow YAML was bypassed entirely — the publish call came from the worm — but the attestation is cryptographically valid. This is the most significant evolution: SLSA L3 was the assurance many EU procurement frameworks were starting to demand; this campaign demonstrates it is forgeable when an attacker controls *any* step in the workflow chain that produces the artefact, not just the publish step. The closest MITRE ATT&CK fit is `T1553.002 Subvert Trust Controls: Code Signing` — though no current ATT&CK sub-technique precisely maps to SLSA-L3 provenance forgery via OIDC abuse in a CI pipeline; detection-engineering playbooks should be built from the CI-side primitives rather than from a generic code-signing detection rule. 9. **Payload & propagation.** Each poisoned package contains a 2.3 MB triple-obfuscated `router_init.js` that on `postinstall` harvests AWS IMDSv2, ECS metadata, HashiCorp Vault tokens, `~/.aws`, SSH keys, npm tokens, GitHub tokens, Kubernetes service accounts, browser cookie jars and 100+ further credential paths. Exfiltration is dual-channel: the Session Protocol (decentralised, takedown-resistant) with RSA-4096-OAEP + AES-256-GCM, and a GitHub GraphQL dead-drop that commits to attacker-controlled branches (Dune-universe names) authored as `claude@users.noreply.github.com`. Persistence is installed in Claude Code's `.claude/settings.json`, VS Code's `.vscode/tasks.json`, OS-level LaunchAgents and systemd units. A `gh-token-monitor` daemon polls the GitHub API every 60 seconds and executes `rm -rf ~/` if the harvested token is revoked — a dead-man's-switch wiper. 10. **Self-spread.** With the harvested npm tokens, the worm publishes further poisoned versions to every package each compromised maintainer can reach, repeating the chain. **What detection looks like.** No IOCs in this brief; the behaviour patterns to alert on are the durable signals: - **CI/CD telemetry:** any GitHub Actions workflow run triggered by `pull_request_target` that wrote to the Actions cache and was not initiated by a trusted contributor. The audit-log noise is high; pin the alert to "workflow-run accessed `actions/cache/save` from a job that was reachable via fork". - **Runner-process introspection:** any step that reads from `/proc/*/mem` from a non-`root` process on the runner. GitHub-hosted runners do not need to read `/proc//mem` for any legitimate workflow purpose. Self-hosted runners should treat the same heuristic as a high-severity alert (Sysmon-equivalent on the runner OS). - **npm publish anomalies:** unusual concurrency of publish events for a package family that does not normally release simultaneously (TanStack 42 packages in a 6-minute window is the visible artefact). npm's audit log surfaces this if the org has it enabled. - **Developer-workstation post-install:** processes spawned by `npm` / `pnpm` / `yarn` `postinstall` that read `~/.aws`, `~/.ssh`, `~/.npmrc` or `/proc/self/environ` (Sysmon EID 1 with parent-image filter on the package-manager binary). - **Dead-man's-switch awareness:** **do not revoke a suspected-compromised GitHub PAT or npm token from the affected developer machine before quarantining that machine.** Revocation triggers `rm -rf ~/`. Quarantine first; rotate from a clean host. **Hardening — class-level fixes, not per-incident patches.** - Pin every `pull_request_target` workflow to a SHA-locked version of every action it uses; never `@main` or `@v1`. Forks cannot influence what runs. - Disable cache writes from any workflow that can be reached via a fork PR (`actions/cache` with `save: false` from `pull_request_target`). - Use **separate workflows** for fork-reachable CI (sandboxed, read-only on secrets) and for release (no fork-reachable trigger). - Audit the OIDC trust chain in your npm / PyPI / GitHub-Container-Registry organisation: scope publish trust to a specific repo *and* a specific workflow file path, not just the repo. - For SLSA-attestation reliance: treat L3 as a *necessary* but not *sufficient* signal — pair it with a maintainer-verified `npm provenance verify` against a published expected workflow-file-path, not just the issuer. The 2026-05-11 campaign shows L3 alone is forgeable. - Sanitise developer endpoints before token revocation (the `rm -rf ~/` dead-man's-switch). Treat any pnpm cache restore or `node_modules` directory pre-dating the disclosure as suspect. — *Source: [StepSecurity, 2026-05-11](https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem) · [TanStack post-mortem, 2026-05-12](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem) · [Wiz, 2026-05-12](https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised) · [NCSC-CH Security Hub #12558, 2026-05-12](https://security-hub.ncsc.admin.ch/#/posts/12558) · Tags: supply-chain, infostealer, ai-abuse, organized-crime · Region: global · Sector: public-sector, technology* ## 6. Action Items - **Patch Fortinet FortiAuthenticator and FortiSandbox now.** Pre-auth RCEs in two appliance classes that anchor public-sector identity and SOC pipelines. Update FortiAuthenticator to 6.5.7 / 6.6.9 / 8.0.3; update FortiSandbox to 4.4.9 / 5.0.2 / Cloud 5.0.6. **Cloud 23 and 24 require migration, not in-place patching.** Even after patching, restrict the management interface to admin / SOC source IPs at the perimeter — Fortinet's PSIRT explicitly notes this as the residual hardening. See § 2 — *Source: [Fortinet PSIRT FG-IR-26-128, 2026-05-12](https://fortiguard.fortinet.com/psirt/FG-IR-26-128) · [Fortinet PSIRT FG-IR-26-136, 2026-05-12](https://fortiguard.fortinet.com/psirt/FG-IR-26-136) · Tags: vulnerabilities, pre-auth, rce, identity, patch-available · Region: global · CVE: CVE-2026-44277, CVE-2026-26083 · CVSS: 9.1 / 9.1 · Vector: zero-click · Auth: pre-auth · Status: patch-available* - **Audit npm / pnpm lockfiles for Mini Shai-Hulud impact.** Search every CI/CD pipeline and developer workstation for malicious versions across `@tanstack/*`, `@uipath/*`, `@mistralai/*`, `@opensearch-project/opensearch`, `@squawk/*`, `@draftlab/*`, `@tallyui/*` per the StepSecurity / Wiz manifests. UiPath impact is the highest-priority public-sector signal. **Before revoking any GitHub PAT or npm token, sanitise the developer machine first** — the worm's `gh-token-monitor` triggers `rm -rf ~/` on revocation. Pin all `pull_request_target` workflows to SHA-locked action versions; gate fork-reachable workflows away from `actions/cache` writes. See § 4 / § 5 — *Source: [StepSecurity, 2026-05-11](https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem) · [Wiz, 2026-05-12](https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised) · Tags: supply-chain, infostealer · Region: global · Sector: public-sector* - **Patch Exim on every Debian / Ubuntu mail relay.** Run `exim -bV | grep GnuTLS` on each MTA — if present, upgrade to Exim 4.99.3. Interim workaround if patching is delayed: set `CHUNKING_ADVERTISE_HOSTS =` (empty) in `exim4.conf` to suppress BDAT. Expect public exploit-tooling within days; XBOW's disclosure includes full chain traces. See § 2 — *Source: [XBOW research, 2026-05-12](https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim) · [oss-security, 2026-05-12](https://www.openwall.com/lists/oss-security/2026/05/12/4) · Tags: vulnerabilities, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-45185 · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: patch-available* - **Roll out May 2026 Windows cumulative update — DCs first, member servers next.** Netlogon (CVE-2026-41089) and DNS Client (CVE-2026-41096) are the wormable-candidate pre-auth RCEs; SSO Plugin for Jira/Confluence (CVE-2026-41103) is "Exploitation More Likely". Inventory and update self-managed Atlassian deployments using Microsoft's Entra-ID SSO plugin before the next work week. Disable Outlook Preview Pane fleet-wide as an interim mitigation for the four Word RCEs. See § 2 — *Source: [Tenable, 2026-05-12](https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103) · [ZDI, 2026-05-12](https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review) · Tags: vulnerabilities, pre-auth, rce, identity, patch-available · Region: global · CVE: CVE-2026-41089, CVE-2026-41096, CVE-2026-41103, CVE-2026-42898 · CVSS: 9.8 / 9.8 / 9.1 / 9.9 · Vector: zero-click · Auth: pre-auth (CVE-2026-41089, CVE-2026-41096, CVE-2026-41103), post-auth (CVE-2026-42898) · Status: patch-available* - **Apply SAP May 2026 Security Patch Day on Commerce Cloud and S/4HANA.** CVE-2026-34263 (Commerce Cloud, pre-auth RCE, CVSS 9.6) is emergency-priority because the cloud-config endpoint is internet-facing in many deployments — apply SAP Note 3733064. CVE-2026-34260 (S/4HANA Enterprise Search ABAP, post-auth SQL injection, CVSS 9.6) before next maintenance window. Cross-reference SAP HotNews #3747787 against any SAP CAP packages in your build pipeline. See § 2 — *Source: [Onapsis, 2026-05-12](https://onapsis.com/blog/sap-security-patch-day-may-2026/) · [SecurityWeek, 2026-05-12](https://www.securityweek.com/sap-patches-critical-s-4hana-commerce-vulnerabilities/) · Tags: vulnerabilities, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-34263, CVE-2026-34260 · CVSS: 9.6 / 9.6 · Vector: zero-click · Auth: pre-auth · Status: patch-available* - **PAN-OS CVE-2026-0300: deploy patched builds released 2026-05-13.** Apply PAN-OS 12.1.4-h5 / 12.1.7 / 11.2 / 11.1 / 10.2 hot-fix branches on every PA-Series and VM-Series instance running User-ID Captive Portal. Threat Prevention signature ID 510019 remains the interim block. See § 4. — *Source: [Palo Alto Networks PSIRT CVE-2026-0300, 2026-05-13](https://security.paloaltonetworks.com/CVE-2026-0300) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, patch-available · Region: global · CVE: CVE-2026-0300 · CVSS: 9.3 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available* - **Upgrade SPIP to 4.4.14 and apply the Centreon April 2026 monthly bulletin.** SPIP RCE affects French and francophone Swiss-canton CMS deployments — gate `ecrire/` to a known admin source set at the reverse proxy. Centreon update queue: any NOC running 24.10.x / 25.10.x Infra Monitoring with Anomaly Detection / Auto Discovery / AWIE / BAM / DSM / License Manager / MAP / MBI / Open Tickets. See § 2 — *Source: [CERT-FR CERTFR-2026-AVI-0564, 2026-05-12](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0564/) · [CERT-FR CERTFR-2026-AVI-0572, 2026-05-12](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0572/) · Tags: vulnerabilities, rce, patch-available · Region: europe · Sector: public-sector* - **Hunt for Foxconn-Nitrogen-style precursor patterns on Windows servers and ESXi.** Detection concepts in § 1: unsigned installers spawning `cmd.exe` / `powershell.exe -enc` from `%TEMP%` / `%APPDATA%` on Windows servers; `vmkfstools` / `esxcli` invocations from non-administrator sessions on ESXi `/var/log/shell.log`. **Treat the Nitrogen ESXi decryptor bug as a strategic backup-integrity test** — hypervisor-layer recovery from Nitrogen is mathematically impossible regardless of ransom posture. See § 1 — *Source: [Coveware, 2026-02-02](https://www.coveware.com/blog/2026/2/2/nitrogen-ransomware-esxi-malware-has-a-bug) · [The Register, 2026-05-12](https://www.theregister.com/cyber-crime/2026/05/12/foxconn-confirms-cyberattack-after-nitrogen-claims-apple-nvidia-data-theft/5239144) · Tags: ransomware, data-breach · Region: global · Sector: manufacturing* ## 7. Verification Notes - **Dropped items / coverage gaps:** - **CVE-2026-41901 — Thymeleaf SSTI sandbox bypass.** Initially surfaced by S2 (research returning ENISA EUVD-2026-29872 hit and CSO Online corroborating link) and composed into § 2. Phase 5.7 verifier flagged the source dates: the GitHub Security Advisory GHSA-c9ph-gxww-7744 is dated **2026-04-29** (not 2026-05-12), placing the disclosure 14 days outside the 36-hour recency window; the CSO Online article cited as corroborating is dated 2026-04-17 and concerns a different Thymeleaf CVE (CVE-2026-40478). Per PD-7 the item is dropped from § 2; the ENISA EUVD claim could not be independently re-verified in this iteration (EUVD direct fetch is SPA-only and the bridge fetcher hit an SSL cert-validity error during the verification pass). Operators with Spring Boot Java applications should patch Thymeleaf to 3.1.5.RELEASE in line with the April GHSA. — *Source: [GitHub Security Advisory GHSA-c9ph-gxww-7744, 2026-04-29](https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744) · Tags: vulnerabilities, rce, patch-available · Region: global · CVE: CVE-2026-41901 · CVSS: 9.0 · Vector: user-interaction · Auth: pre-auth · Status: patch-available* - **Odido (Netherlands) compensation refusal, Dutch DPA / criminal investigation, CUIC class action (NL Times, 2026-05-12).** Surfaced by S4 but the primary URL `https://nltimes.nl/2026/05/12/odido-rules-compensation-massive-cyberattack-affecting-62-million-accounts` is behind Cloudflare's Managed Challenge and could not be fetched in-run by either the routine UA or the bridge fetcher (`nltimes.nl` is not in the bridge allow-list). Search-engine snippets confirmed the publication date, headline and key facts (CEO Søren Abildgaard, ShinyHunters vishing of Salesforce, 6.2M accounts, 350k registered for CUIC class action, Dutch Public Prosecution Service criminal investigation, AP / ILT investigations), but PD-2 requires that every cited URL be one the agent actually fetched. Dropped from § 1 rather than carry an unverifiable primary; will re-attempt next run via WebSearch fallback content or alternative outlet — *Source: [Techzine, 2026-02-16](https://www.techzine.eu/news/security/138806/data-breach-at-odido-responsibility-and-compensation-under-discussion/) · [The Register, 2026-02-27](https://www.theregister.com/2026/02/27/odido_shinyhunters_leaks/) · Tags: data-breach, identity · Region: europe · Sector: telco* - **Kaspersky State of Ransomware 2026 (Securelist, 2026-05-12).** PD-9 annual report. Surfaced by S3 with novel headline (PE32 ransomware using ML-KEM/Kyber1024 post-quantum KEM; encryptionless extortion now dominant; Qilin displaces RansomHub; RDWeb portal targeting overtakes phishing). Not promoted to § 3 / § 5 in this brief — yesterday's brief (2026-05-12) already absorbed the annual-report deep-dive slot (GTIG AI Threat Tracker) and PD-3 demotes the same category one rank when in the last-7-day window. Will pick up the PE32 / post-quantum element as a § 3 research item in a later brief if it gains corroborating independent analysis — *Source: [Securelist (Kaspersky), 2026-05-12](https://securelist.com/state-of-ransomware-in-2026/119761/) · Tags: ransomware, supply-chain · Region: global · Sector: public-sector* - **CVEs from Microsoft May Patch Tuesday not surfaced in § 2.** ~30 Critical CVEs landed in this cycle; § 2 cherry-picked the four most operationally significant (Netlogon, DNS Client, SSO Plugin, Dynamics 365) plus the four Word Preview Pane RCEs. The remaining MDASH-discovered network-stack CVEs are referenced indirectly in § 3 (MDASH article). Operators should review the full Tenable / ZDI breakdowns for their environment. - **Single-source items:** - NCSC-UK "10 questions to ask when using AI models to find vulnerabilities" — flagged `[SINGLE-SOURCE]` in § 3; national-CERT carve-out applies (NCSC-UK is primary disclosing party for its own guidance). - **Contradictions:** - **CVE-2026-26083 (FortiSandbox) CVSS** — NCSC-CH cites 9.1 per Fortinet's own PSIRT, NVD's initial assignment is 9.8. Both indicate Critical; brief lists both ("9.1 (NCSC-CH per the vendor advisory) and 9.8 (NVD's initial assignment)"). Operators should treat as critical pending convergence; per-CVE breakdown carried in § 2 footer. - **Microsoft May Patch Tuesday CVE count** — Tenable reports 118, BleepingComputer reports 120, ZDI / The Register reports up to 138 depending on whether developer-tools and Azure-only items are included. Brief uses "120+" as a conservative summary. - **Canvas affected-institution count** — The Register cites ~8,800 colleges, universities and K-12 schools; The Record cites ~9,000. Brief uses 8,800 (per The Register, the primary cited) with The Record's figure surfaced inline. - **Reduced-confidence items:** None this run beyond the dropped Odido entry above. - **Verification iteration 1 disposition (Opus):** Eight F3/F4 truth findings applied as remediations — corrected NCSC-UK date (2026-05-12 → 2026-05-11), corrected Canvas narrative (Garbarino letter 2026-05-11 ahead of 2026-05-12 deadline), corrected Foxconn site-count phrasing, removed unsourced Nitrogen initial-access TTP chain, removed unverifiable ENISA EUVD claims on Exim and Thymeleaf, dropped Thymeleaf as out-of-window. Two F11 advisory findings (Foxconn TTP-chain advisory paired with the F4 fix; Canvas-institution-count) addressed. - **Verification iteration 2 disposition (Sonnet rotation):** Five findings (1 truth, 3 editorial, 1 advisory) — (a) F1 broken-URL flag on `https://fortiguard.fortinet.com/psirt/FG-IR-26-128`: fresh re-fetch in this iteration returned 200 with the full advisory body (CVE-2026-44277, CVSS 9.1 per vendor, fixed in 6.5.7 / 6.6.9 / 8.0.3+, internal-audit discovery) — the verifier's 403 was a transient UA-filter on the host; no source-list change required. (b) F3 Centreon wording corrected: "command injection (effectively RCE in Centreon MBI)" instead of "RCE"; "XSS (Centreon Map, CVSS 6.8)" instead of "reflected / stored XSS". (c) F5 BWH Switzerland claim removed (sources do not call out Swiss properties specifically). (d) F10 Centreon 24.04.x branch added to affected versions (MBI only per the vendor bulletin). (e) F11 advisory ATT&CK mapping in § 5 step 8 corrected from `T1647 Plist File Modification` to `T1553.002 Subvert Trust Controls: Code Signing`, with an explicit note that no current sub-technique precisely maps to SLSA-L3 provenance forgery via OIDC abuse. - **Verification iteration 3 disposition (Opus rotation):** Four findings (1 truth, 1 editorial, 2 advisory) at `truth + editorial = 2` and no F1/F4 — early-exit threshold reached per v2.50. Remediations applied before publish: (a) F3 CVE-2026-44277 / CVE-2026-26083 CVSS converged on vendor PSIRT canonical value 9.1 throughout § 0 / § 2 / § 6 (iter-2 had left 9.8 in the body even after § 7 noted the discrepancy); CVSS table footnote re-worded; (b) F11a Exim § 6 Action Item Tags / Status `enisa-critical` flag removed (iter-1 F4 fix propagated to § 6); (c) F5 BWH country list (Germany, France, Italy) replaced with "multiple EEA jurisdictions" — neither cited source enumerates per-country exposure; (d) F11b advisory: Canvas UPDATE removed the "via support-ticket access" specifier — neither re-fetched source confirms that detail. **Final iteration verdict: NEEDS_FIXES (truth=1 + editorial=1 = 2 ≤ early-exit threshold).** Three iterations, model-rotated (Opus / Sonnet / Opus). Brief publishes with the four iter-3 remediations applied; no residual findings carried beyond what § 7 already documents. - **Sub-agents:** S1, S2, S3, S4 all returned within budget. No stalled sub-agents. - **Fetch failures / bridges used:** `tools/fetch_source.py` bridge used by S1, S2, S3, S4 for `ncsc-csh recent / post` (NCSC-CH SPA), `cisa-kev`, `enisa-euvd recent`, `bsi-rss`, and `url` for CERT-FR / BleepingComputer / Centreon. `databreaches-net`, `inside-it-ch` and parts of `bleepingcomputer` returned 403 (Cloudflare Managed Challenge) on every UA per the documented host behaviour — WebSearch fallback used. `advisories-ncsc-nl` returned 404 on the speculative ID (NCSC-NL CSAF advisory ID guessing not viable without a fresh index); coverage gap for that source this run. `ico-uk` sitemap fetched but no in-window enforcement actions found; freshest enforcement (South Staffordshire) already covered 2026-05-12. ENISA EUVD direct fetch hit SSL cert-validity error in the verification iteration — bridge worked for the sub-agents but not at verifier time. - **Coverage gaps: databreaches-net (Cloudflare-blocked, WebSearch fallback only); inside-it-ch (Cloudflare-blocked, WebSearch fallback only); advisories-ncsc-nl (CSAF advisory-ID enumeration failed, no in-window items surfaced); ico-uk (no in-window enforcement); nltimes.nl (Cloudflare-blocked, dropped Odido item logged above).**