Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation (2026-05-11)

UPDATE (originally covered 2026-05-20; consolidated in weekly W21): Microsoft Threat Intelligence published a full dissection of The Gentlemen ransomware on 2026-05-28, giving Storm-2697 a much sharper technical profile than the victim-list reporting available in week 21. The encryptor is a single-binary Go executable (obfuscated through Garble to strip symbol tables), uses Curve25519 + XChaCha20 with per-file ephemeral keys (no bulk-decryption shortcut), and ships a self-propagation module that executes a series of lateral-movement techniques in parallel per host — PsExec, WMIC, scheduled tasks, services, PowerShell remoting — maximising the probability that at least one pivot path succeeds in any AD-joined environment.

Check Point Research's 2026-05-13 writeup adds the actor-side context that Microsoft's dissection does not — Check Point counts approximately 332 victim organisations on the operator's leak site, and documents that on Domain Admin compromise The Gentlemen deploys itself across the estate through a Group Policy Object linked at all relevant OUs. Huntress Labs' 2026-05-21 IR report corroborates the defense-evasion playbook: PowerShell disables Microsoft Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring), stops WinDefend, adds broad Add-MpPreference -ExclusionProcess and drive-level exclusions, disables Controlled Folder Access, and clears Security / System / Application event logs (EID 104, EID 1102). Huntress documented two April / May 2026 incidents whose entry vector was RDP with compromised credentials, lateral movement reached domain controllers via the NETLOGON share and SCCM's CcmExec.exe, and process names were masqueraded as svchost32.exe. The DFIR Report's 2026-05-11 alert confirmed a related chain in which EtherRAT (delivered via a malicious Sysinternals MSI) and TukTuk C2 preceded Gentleman deployment. Microsoft's Defender detection name is Ransom:Win64/Gentlemen.A; recommended Attack Surface Reduction posture per Microsoft's ASR rules reference is Block process creations originating from PsExec and WMI commands combined with EDR-in-block-mode enforcement.

Material new development vs. last coverage: full encryption + propagation mechanism, named-cluster identity (Storm-2697), the GPO-spread pathway documented by Check Point Research, and Check Point's count of approximately 332 victims. Detection focus: hunt for wevtutil cl Security|System|Application chained with sc stop WinDefend or msconfig; flag svchost32.exe spawned outside %SystemRoot%\System32; alert on CcmExec.exe launching non-SCCM payloads. Hardening: enforce SMB signing GPO, restrict GPO-creation rights to a hardened OU, enable Credential Guard, monitor Event ID 5136 for GPO modifications and 5140 for the hidden share SMB share.

Horizon research surfaced a quarterly report the dailies did not cover: Check Point's Q1 2026 State of Ransomware (published 2026-05-11). The synthesis that matters for a CH/EU public-sector SOC is structural, not the leaderboard: after two years of fragmentation driven by law-enforcement pressure on LockBit, ALPHV/BlackCat and others, the ecosystem is reconsolidating — the top ten leak-site operations now account for roughly 71% of listed victims, with Qilin holding the top spot for a third straight quarter and The Gentlemen (§ 7) entering the top three. The single most defender-relevant finding is LockBit's comeback paired with a deliberate geographic shift toward European and Latin American targets — which moves the rebuilt operation directly into this audience's threat model rather than leaving it a US-centric concern. Read alongside the Gentlemen internal-leak intelligence in § 7, the picture is a smaller number of higher-capability operations with European intent; prioritise the edge-appliance and identity hardening those operators are documented to rely on.

Resolving a W21 carry-forward watch item: GTIG published a definitive UNC6671 / BlackFile profile in mid-May 2026, characterising the operation as an adversary-in-the-middle vishing specialist targeting Microsoft 365 and Okta SSO environments in retail and hospitality (vishing impersonating IT support → MFA-bypass / credential grant → AiTM session-token harvest → exfiltration → extortion over the Session messenger). The leak-site went offline in late April, briefly resumed on 2026-05-11 to announce "BlackFile is shutting down… under this name," and went dark again — GTIG's phrasing and the qualifier point to a probable rebrand rather than a genuine exit. Defenders should keep the AiTM-vishing → rogue-MFA → SSO-token-theft TTP set on watch under any new brand; the tradecraft, not the name, is the durable indicator.

UPDATE (originally covered 2026-05-19, updated 2026-05-21): Unit 42 (Palo Alto Networks) and StepSecurity published concurrent technical analyses on 2026-05-21 of the TeamPCP Mini Shai-Hulud npm supply-chain campaign, establishing the defining novelty of this wave: the first documented case of malicious npm packages carrying valid SLSA Build Level 3 provenance attestations (Unit 42, 2026-05-21). Attackers compromised TanStack's legitimate GitHub Actions CI/CD pipeline's trusted OIDC identity mid-workflow — without stealing developer credentials — making the SLSA attestation genuine while the package payload was malicious. This invalidates "package carries valid provenance attestation" as a sufficient supply-chain integrity gate.

The execution chain runs tanstack_runner.js under the Bun JavaScript runtime, enumerating stored credentials including gh auth token capture (T1552.001 Unsecured Credentials: Credentials In Files); stolen npm tokens and GitHub PATs are used to backdoor every package the victim account can publish (T1650 Acquire Access), making the worm self-propagating across the npm ecosystem. By end of the 2026-05-11 wave, 373 malicious package versions across 169 npm packages and PyPI mirrors were active (Unit 42, 2026-05-21).

Defender actions from this technical update: (a) SLSA attestation verification is now insufficient as a sole gate — add runtime behavioural scanning of npm install scripts alongside provenance checks; (b) Pin GitHub Actions to commit SHAs, not mutable tags, to prevent mid-workflow OIDC identity hijack; (c) If pipelines ran npm publish during 2026-05-11 to 2026-05-12, rotate npm tokens and GitHub PATs and audit owned packages for unauthorised versions; (d) In environments where Bun is not an approved runtime, flag any bun or bun.js process execution from a CI runner context (Sysmon EID 1 process-name filter).

UPDATE (originally covered 2026-05-13 deep dive; multiple subsequent updates): three new TeamPCP / Mini Shai-Hulud developments landed in this window — GitHub itself, the official Microsoft durabletask PyPI package, and the Grafana Labs root-cause disclosure.

GitHub. GitHub confirmed on 2026-05-20 that TeamPCP (also tracked as UNC6780) accessed approximately 3,800 internal GitHub repositories after a single GitHub employee installed a poisoned Visual Studio Code extension on their device (The Hacker News, 2026-05-20; The Record, 2026-05-20; Infosecurity Magazine, 2026-05-20; Help Net Security, 2026-05-20). GitHub detected and contained the breach on 2026-05-19, isolated the affected endpoint and rotated high-impact secrets; the company states there is no evidence customer data stored outside the internal repositories was accessed. GitHub has not publicly named the malicious VS Code extension or its publisher at this writing. TeamPCP listed the stolen repositories — including GitHub Actions internals, agentic-workflow code, Copilot internal projects, CodeQL tools, Codespaces, Dependabot, and a Rails controller managing organisations and PRs — for sale at $50,000, with LAPSUS$ announcing a joint sale and a $95,000 asking price.

durabletask (PyPI). Wiz Security reported on 2026-05-20 that the TeamPCP / Mini Shai-Hulud worm compromised the official Microsoft durabletask PyPI package via versions 1.4.1, 1.4.2 and 1.4.3 (Wiz, 2026-05-20). The payload is a dropper that fetches rope.pyz from check.git-service[.]com; per Wiz the second stage is a full credential stealer targeting AWS, Azure, GCP, Kubernetes and Vault credentials, 1Password and Bitwarden vaults, filesystem credentials and shell history. Propagation per Wiz: on Kubernetes hosts the worm uses kubectl exec; on AWS EC2 instances it propagates via AWS Systems Manager SendCommand against up to 5 targets per host (T1078.004 Cloud Accounts, T1570 Lateral Tool Transfer).

Grafana Labs. Grafana Labs published the post-mortem of its own TeamPCP breach on 2026-05-19, confirming the root cause was a single GitHub Actions workflow token that slipped through the rotation process after the TanStack npm supply-chain attack (Grafana Labs, 2026-05-19; BleepingComputer, 2026-05-20). Per Grafana's own post-mortem the TanStack compromise was detected on 2026-05-11 (note: BleepingComputer cites 2026-05-01 for the malicious-package consumption event — surfaced as a contradiction in § 7); Grafana rotated the bulk of its GitHub workflow tokens, but the residual unrotated token gave TeamPCP access to clone private source-code repositories (exact count not disclosed in Grafana's post-mortem). Grafana refused the extortion demand on 2026-05-16. The exfiltration scope is confirmed limited to Grafana Labs GitHub repositories (public source code, private source code and internal repos); customer production data was not affected.

Defender takeaway: audit VS Code extension marketplace policies and consider a managed extensions allowlist via Group Policy / MDM (the VS Code marketplace does not enforce mandatory code-signing). Hunt — Sysmon EID 1 for code --install-extension invocations on developer endpoints; process trees where Code.exe or code-server spawn credential-access tools (git-credential-manager, aws configure, keychain access). Audit GitHub Actions OIDC token rotation completeness after any supply-chain incident; verify GitHub secret-scanning + push-protection are enabled on every org. CI/CD pipeline logs should be searched for durabletask imports in the 1.4.1–1.4.3 version range; treat any host that imported a malicious version as fully compromised. Review AWS SSM SendCommand audit logs for invocations that do not correspond to authorised maintenance windows.

Investigators confirmed on 2026-05-18 that the cyberattack on ARWINI — the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen e.V., which audits prescription cost-effectiveness for statutory-health-insurance (GKV) patients in Lower Saxony via data exchange with Kassenärztliche Vereinigung Niedersachsen (KVN), AOK and other insurers — resulted in confirmed exfiltration of personal data (Deutsches Ärzteblatt, 2026-05-18; Heise Security, 2026-05-18). Intrusion signs were detected on ARWINI servers on 2026-05-04 and all systems were shut down on the same day; ARWINI's own statement, cited by Borns IT Blog on 2026-05-16, said particularly sensitive personal data (besondere Kategorien — GDPR Art. 9) are likely affected, with health and billing data on ≥70,000 patients in scope (Borns IT Blog, 2026-05-16). The Polizeidirektion Hannover is the investigating authority; the Landesbeauftragter für Datenschutz Niedersachsen (LfD) and BSI have been notified under the GDPR 72-hour rule and the German KRITIS / NIS2UmsuCG framework. Heise reports the Kairos ransomware group has claimed the attack and is threatening to sell approximately 2.87 TB of stolen data on its leak site, with attackers' leak-site claim dated 2026-05-11. The technical pattern is consistent with double-extortion ransomware now in the operator-leak-site phase.

Why it matters to us: GKV bodies and their mandated third-party auditors are NIS2 entities; the supply-chain relationship between KVN/AOK and ARWINI is precisely the data-processor scope hit by NMDL/IGJ in the Netherlands (covered 2026-05-14). Defender pattern: any GKV / AHV / cantonal health-insurance data-exchange counterparty should be inventoried as an in-scope critical-supplier under §8b BSI-Gesetz / NIS2UmsuCG, with breach-notification playbooks rehearsed for the 72-hour GDPR clock from a third party's detection event, not just one's own. Monitor for downstream phishing using GKV billing-data lures targeting affected patient cohorts.

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by deadcode09284814 — chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7); axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojaned.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with installed Checkmarx plugin should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).

If you did nothing this week: any Linux host (workload, container host, on-premises server, public-cloud VM) where the kernel ships xfrm-ESP enabled (default on virtually every distribution) is exposed to a single-command unprivileged-to-root privilege escalation with public PoC; Microsoft confirmed limited in-the-wild exploitation on 2026-05-08 and tracked further activity into 2026-05-11 (Microsoft Security Blog, 2026-05-08; daily 2026-05-11 UPDATE; Wiz Research). Patch propagation is substantially complete: AlmaLinux 8/9/10, Ubuntu, Debian, Fedora, openSUSE all ship CVE-2026-43284 kernels as of 2026-05-07–10, with KernelCare live-patches generally available (AlmaLinux blog).

CVE-2026-43500 (RxRPC) patch propagation is uneven. AlmaLinux 8 is not affected (rxrpc module not built); RHEL 9 errata are rolling; Ubuntu and Debian shipped patches; the lagging configurations are systems that have the optional kernel-modules-partner package installed (typical on AFS-using estates and some research-network deployments). The interim mitigation — modprobe -r esp4 esp6 rxrpc — breaks IPsec VPNs and AFS file-system access, so production rollout requires impact testing rather than blanket application. Detection focus: Sysmon EID 1 / auditd execve events showing unusual parent-process chains from non-root users spawning root-effective shells.

The TeamPCP / Mini Shai-Hulud story spans every working day of 2026-W20 and the daily briefs add a piece each day. Tuesday 2026-05-12: an attacker briefly published what appears to be the complete Shai-Hulud framework source (TypeScript / Bun) to a public GitHub repository attributed to TeamPCP, taken down within hours but mirrored widely; the public source disclosure inverts the threat model — every IDE, EDR, and PR-review vendor now has access to the same artefact the operator was using but defenders must assume new variants will appear with one to two days' lead-time on signatures (Datadog Security Labs static analysis, 2026-05-13; daily 2026-05-15 UPDATE). Wednesday 2026-05-13: Wave 4 hits — 170+ packages / 400+ malicious versions compromised per daily-brief tracking across @tanstack (including react-router, ~12M weekly downloads), @uipath, @mistralai, @opensearch-project, and @guardrails-ai; the Wiz writeup confirms the same TeamPCP / UNC6780 / PCPJack attribution as prior waves (Wiz Blog, 2026-05-11; daily 2026-05-13 UPDATE). Friday 2026-05-15: OpenAI named as a victim; the company enforces code-signing certificate rotation across all macOS apps as remediation (daily 2026-05-15 UPDATE).

What W1 horizon research surfaced that the dailies could not yet see: Datadog's static analysis of the leaked source reveals two new capability classes that change the defender posture. First, IDE persistence via hook entries in .claude/settings.json (Claude Code) and .vscode/tasks.json — allowing arbitrary command execution on developer-workspace events; this is not a build-time supply-chain primitive but a developer-workstation persistence mechanism that survives npm install cleanup and outlives the malicious-package removal. Second, OIDC token extraction directly from /proc/<pid>/mem on GitHub Actions runners, used to forge Sigstore provenance attestations — meaning malicious packages can be published that are indistinguishable from legitimate ones by provenance verification alone. The W19 weekly already flagged ShinyHunters / WorldLeaks as a long-running operator-family pattern; the TeamPCP / Mini Shai-Hulud progression confirms a parallel ecosystem maturing on the npm registry side, now with publication-provenance forgery in the toolset. The leaked framework source materially elevates the risk of secondary operators applying Shai-Hulud-style techniques against other package registries (PyPI, Cargo, Maven Central) in 2026-W21 (Datadog Security Labs).

The defender pivot is two-fold: (1) for DevOps pipelines, provenance verification is necessary but no longer sufficient — supplement with publisher-pinning, two-factor publish enforcement, and post-install hash-pinning; (2) for developer workstations, treat .claude/settings.json / .vscode/tasks.json / equivalent IDE hook files as security-relevant configuration and add them to file-integrity-monitoring scope. The Datadog filesystem indicators (gh-token-monitor daemon process, claude@users.noreply.github.com commits in unexpected repositories, exfil-repo names matching "Shai-Hulud: Here We Go Again") are the right hunt seeds.

The W19 weekly closed with the Canvas / Instructure extortion deadline of 2026-05-12 pending. The trajectory through W20: Tuesday 2026-05-12: Instructure confirmed ransom payment to ShinyHunters with claimed data return and digital confirmation of destruction; second intrusion separately confirmed; per-institution leak deadline reset to the same day (daily 2026-05-12 UPDATE; The Record, 2026-05-12). Wednesday 2026-05-13: the US House Homeland Security Committee (Chairman Garbarino) opened a formal investigation and requested an Instructure CEO briefing by 2026-05-21 covering both intrusion circumstances, scope and nature of accessed data, IR adequacy, and CISA coordination (House Homeland Security Committee letter, 2026-05-11; daily 2026-05-13 UPDATE). Post-payment: ShinyHunters defaced approximately 330 institutional Canvas login pages by re-exploiting the same Free-For-Teacher account vulnerability that enabled the second intrusion — demonstrating that the "no customer extortion" covenant in the ransom agreement was at best narrowly observed and that the access vector was not actually closed (The Record).

The story matters to Swiss / EU public-sector defenders for three reasons that crystallise only across the multi-day arc. First, paying the ransom did not close the access vector: Instructure's patches did not eliminate the Free-For-Teacher abuse path, so the defacement wave is operational evidence that the underlying flaw remained exploitable; this is the "what did the patch actually fix" question every IR-receiving organisation should be asking of every paid-ransom-with-promised-fix vendor. Second, the seven Dutch universities (VU Amsterdam, UvA, Erasmus, Tilburg, TU/e, Maastricht, Twente) disconnected Canvas rather than wait for vendor remediation (NL Times, 2026-05-09) — a defender posture worth pattern-matching for any future SaaS-LMS / SaaS-LRS / SaaS-grade-management vendor compromise. Third, the US House investigation is the regulatory analogue Swiss / EU SOC managers should anticipate from cantonal education ministries; the questions Chairman Garbarino's letter lists (intrusion timeline, data scope, IR adequacy, CISA / national-CSIRT coordination) are the same questions a cantonal Bildungsdirektion will ask after the next EdTech SaaS incident. Outcome of the 2026-05-21 briefing is the open horizon item for 2026-W21.

PHP SOAP-extension use-after-free in SOAP_GLOBAL(ref_map), CVSS 9.5, with two related companions (CVE-2026-7261 and CVE-2026-7262, both SOAP-class, CVSS 6.3 each). Patched on 2026-05-07 in PHP 8.5.6 and equivalents across maintained 8.4 / 8.3 / 8.2 branches per the official PHP GHSA. No ITW exploitation at week-end; daily 2026-05-11 recommends explicit patch validation for any web-facing PHP infrastructure with SOAP enabled (daily 2026-05-11; PHP GHSA-85c2-q967-79q5).

Customer PII and password hashes exposed; logging-gap prevented exfiltration confirmation. The defender's learning is the logging-coverage point: a breach where the victim cannot confirm what was exfiltrated is a logging-design failure. Pattern-match: which of your own citizen-facing / customer-facing e-commerce flows would leave you with the same uncertainty after an intrusion? (daily 2026-05-12).

Google Threat Intelligence Group published on 2026-05-15 an analysis of UNC6671 — a financially-motivated extortion cluster operating under the "BlackFile" brand since February 2026 — documenting a real-time vishing + adversary-in-the-middle chain that bypasses traditional MFA and pivots to mass SharePoint exfiltration (Google Threat Intelligence Group, 2026-05-15). The chain starts with a phone call placed to a victim's personal mobile number in which an operator impersonates internal IT helpdesk and directs the target to an attacker-registered lookalike single sign-on portal (Tucows-registered hostnames in the <org>.enrollms[.]com and <org>.passkeyms[.]com namespaces); the operator captures credentials and TOTP / push approvals live and immediately registers a new attacker-controlled MFA device for persistent post-vishing access, mapping to T1556 Modify Authentication Process. Post-compromise, BlackFile uses Python requests and PowerShell scripts against the Microsoft Graph API and direct SharePoint file-stream URLs to exfiltrate, with single-victim file counts exceeding one million; the API requests surface Microsoft Office's ClientAppId (d3590ed6-52b3-4102-aeff-aad2292ab01c) in the M365 audit log AppAccessContext field — the same value legitimate Office clients carry — to blend in with normal Office activity. The detection break is the underlying user-agent: legitimate Office clients do not present python-requests/2.28.1 or WindowsPowerShell/5.1 as the user-agent header against Graph or SharePoint endpoints. GTIG also notes that the FileAccessed audit event distinguishes the bulk-API extraction pattern from interactive FileDownloaded events. Geographic focus is North America, Australia, and the UK — but the playbook is language-agnostic; any European helpdesk-fronted M365 / Okta environment is one successful call away from the same outcome. The BlackFile data-leak site went offline in late April 2026 and relaunched on 2026-05-11 with a shutdown announcement, which GTIG assesses as probable rebrand rather than cessation. GTIG explicitly distinguishes UNC6671 from ShinyHunters (UNC6240). MITRE ATT&CK additionally: T1566.004 Spearphishing Voice, T1557 Adversary-in-the-Middle, T1528 Steal Application Access Token. Detection priorities: alert on Okta system.multifactor.factor.setup events not preceded by a user-initiated session; flag M365 audit FileAccessed events with AppAccessContext.ClientAppId == d3590ed6-52b3-4102-aeff-aad2292ab01c AND a user-agent containing python-requests or PowerShell; require Conditional Access compliant-device for Graph API access from administrative accounts; and move helpdesk-privileged accounts to FIDO2 phishing-resistant MFA.

UPDATE (originally covered 2026-05-10 in the Q1 2026 ransomware quarterly synthesis): Check Point Research published "Thus Spoke…The Gentlemen" on 2026-05-13, a detailed analysis of a 44.4 MB extract from the group's leaked "Rocket" backend database (16.22 GB total) that was posted to the cybercrime forum Breached on 2026-05-04 after the group's infrastructure was compromised by an unidentified actor (Check Point Research, 2026-05-13; BankInfoSecurity, 2026-05-11). The dataset contains 8,200 lines of internal chat-tool traffic across channels INFO / general / TOOLS / PODBOR, shadow files with password hashes, affiliate negotiation transcripts, and configuration artefacts for the ZeroPulse C2 framework.

Nine operator handles are identified — including administrator zeta88 (also hastalamuerte), who both manages the RaaS panel and participates directly in encryption events. Reconstructed attack chain: initial access almost exclusively via unpatched edge devices — FortiGate CVE-2024-55591 (the group's documented mainstay), Cisco appliances, CWMP/TR-069 interfaces — or purchased infostealer credentials; post-access tooling includes NetExec, RelayKing (NTLM relay), CertiHound (AD Certificate Services abuse), TaskHound, PrivHound; EDR-suppression utilities EDRStartupHinder, gfreeze and glinker manipulate ETW callbacks and NTDLL syscall tables; persistence is maintained via Cloudflare Zero Trust tunnels and self-provisioned WireGuard/OpenVPN chains.

Two operationally critical facts: (1) Check Point Research attributes a count of 1,570+ victim entries to a separately-exposed SystemBC C&C server, against 332 victims publicly listed on the group's data-leak site in the first five months of 2026 — significant under-reporting of true scope (Check Point's wider comparison cites 412 cumulative DLS listings); (2) the decryptor has been released as GitHub Bedrock-Safeguard/gentlemen-decryptor, enabling existing victims to recover without payment (decryptor disclosed in BankInfoSecurity's 2026-05-11 reporting). For Swiss / EU SOCs handling an active Gentlemen incident the workflow changes today: attempt decryption before any negotiation. Detection pivots from the leak: alert on EDRStartupHinder, gfreeze, glinker process names (custom binaries, not commodity); monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers and templates) consistent with CertiHound; correlate with FortiGate CVE-2024-55591 initial-access exploitation patterns that the group continues to weaponise.

Foxconn Technology Group confirmed on 2026-05-12 that several North-American factories — including Mount Pleasant (Wisconsin), Houston (Texas), and additional sites in Ohio, Virginia, Indiana and Mexico — suffered a cyberattack starting at approximately 07:00 ET on 2026-05-01, when the Mount Pleasant Wi-Fi failed and core infrastructure was disrupted by 11:00 ET; production halted for roughly a week before "affected factories are currently resuming normal production" (The Register, 2026-05-12; The Record, 2026-05-12). The Nitrogen ransomware crew — a Conti 2 leaked-builder derivative active since 2023 — listed Foxconn on its leak site on 2026-05-11 and claims 8 TB / 11 million files, alleging "confidential technical drawings and project documentation" for Apple, Nvidia, Intel, Google and Dell engagements (9to5Mac, 2026-05-12). None of the named third-party vendors has confirmed any compromise of their own systems; the 8 TB number is the attacker's claim, not a Foxconn-confirmed exfiltration volume.

Why it matters to us: Foxconn is the dominant EMS supplier for endpoints widely procured by Swiss / EU government and critical-infrastructure operators (Apple, Dell, Nvidia, Intel hardware). The operationally critical defender-side data point on Nitrogen is independent of the headline: a Coveware analysis (2026-02-02) documents a programming error in Nitrogen's ESXi encryptor — a QWORD variable overwrites four bytes of the Curve25519 public key during ChaCha8 key-exchange, producing a corrupted key that is mathematically irrecoverable even with the operator's private key. If Nitrogen encrypts an ESXi host in your estate, paying does not restore your VMs. Backup integrity at the hypervisor layer (not just guest-level) is the only recovery path. Generic hypervisor-recovery detection concepts apply: alert on vmkfstools / esxcli invocations from non-administrator sessions on ESXi /var/log/shell.log, and on unexpected vmx process terminations preceding mass-rename events. The cited sources do not document the specific initial-access TTP chain Nitrogen has used at Foxconn — defenders should rely on standard hunting for the broader Conti-derivative cluster (Cobalt Strike beaconing, Rclone exfiltration) and let attribution-specific IOCs follow the in-flight forensics.

BWH Hotels — the parent operating Best Western Hotels & Resorts, WorldHotels and Sure Hotels — disclosed that an unauthorised third party had access to a guest-reservation web application from 2025-10-14 to 2026-04-22, a 181-day dwell, before detection on 2026-04-22 prompted BWH to take the affected application offline (The Register, 2026-05-11; SecurityWeek, 2026-05-12). Disclosed data fields: guest names, email addresses, phone numbers, home addresses, reservation numbers, dates of stay and special requests; payment / financial data is stated as unaffected. BWH Hotels operates properties across multiple EEA jurisdictions, so EEA-resident guest data is in scope; the company has not yet published a per-country DPA notification list, and the cited disclosures do not enumerate per-country exposure. No attribution; no extortion demand reported.

Defender takeaway: The pattern — third-party web application held attacker access for 181 days before discovery — fits the IAB / data-theft tradecraft we have been seeing repeatedly against EU SaaS estates: the asset is a single application sitting outside the corporate SOC's primary telemetry, with credentials likely harvested via infostealer or vishing of a contractor account. Detection concepts: instrument every customer-facing reservation / CRM / loyalty SaaS with download-volume alerting at the API tier (mapped to T1530 Data from Cloud Storage Object and T1213.003 Data from Information Repositories: Code Repositories-equivalent for SaaS DBs); push CASB DLP policies that flag bulk export of PII fields by any non-batch service account; require step-up auth on any session exporting more than N records per hour. Public-sector implication: government staff travelling on official duty and using BWH-brand properties had itinerary + contact data exposed; review whether any travel-booking integrations route through this application and, if so, treat the in-scope passport-data fields as compromised.

ThreatFabric's 2026-05-11 research identifies a substantially redesigned TrickMo variant active across January–February 2026 in campaigns against banking and fintech users in France, Italy and Austria (ThreatFabric, 2026-05-11; The Hacker News, 2026-05-12; Security Affairs, 2026-05-12). The C2 architecture has migrated off conventional DNS / IP infrastructure: the host APK embeds a native TON (The Open Network) proxy that starts on a loopback port at process launch, and all C2 HTTP requests address .adnl hostnames resolved inside the TON decentralised overlay. That design defeats traditional domain-takedown and DNS-based blocklisting — operator endpoints exist as TON identities inside a permissionless overlay rather than at a controllable DNS or IP. Beyond the banking-trojan core (accessibility-service device takeover, fake overlay login pages, SMS / OTP interception, mapped to T1517 Access Notifications), TrickMo C adds a network-reconnaissance subsystem via five operator commands (curl, dnslookup, ping, telnet, traceroute) and an SSH tunnel + authenticated SOCKS5 proxy — turning infected Android devices into programmable network pivots so operators can route abuse traffic from the victim's IP space and defeat IP-reputation fraud detection on banking and crypto-exchange platforms. Mapped to T1090.001 Proxy: Internal Proxy for the SOCKS5 mode. Droppers masquerade as TikTok variants distributed via Facebook ads; the final payload impersonates Google Play Services. Dormant code includes the Pine hooking framework and NFC permissions, suggesting contactless-payment interception is in development.

Defender takeaway: The relevant change for an EU defender is the C2 transport: blocking TON traffic at the corporate gateway is non-trivial because TON shares the standard internet routes; behaviour-side, detect Android devices that initiate the TON loopback proxy and that issue outbound to non-corporate SOCKS5 / SSH ports under unusual entitlements. Public-sector implication: government-issued Android or BYOD devices that access banking, tax, or e-government services should be scoped under MDM policies that block sideloaded APKs from social-media link-outs and forbid sideloaded TikTok-look-alikes. Mapped to T1422 System Network Configuration Discovery and T1437.001 Application Layer Protocol: Web Protocols.

NCSC-UK published an operational 10-question checklist on 2026-05-11 (authored by Ruth C, Head of Vulnerability Management Group) for organisations evaluating or deploying AI / LLM tooling for vulnerability discovery (NCSC-UK blog, 2026-05-11). The guidance is substantively different from the previously-covered NCSC-CH BACS strategic assessment: it is process- and infrastructure-flavoured rather than landscape-flavoured. The ten questions interrogate (a) process prerequisites — is there a triage / remediation pipeline that can absorb what the AI surfaces, or will the backlog simply grow while team capacity stays flat; (b) data governance — what code, infrastructure and secrets is the model being given access to; (c) infrastructure security — is the AI agent sandboxed from production; (d) permissions blast-radius — has the model been granted excessive permissions that magnify attacker reach if the agent itself is compromised; (e) legal / data-retention; (f) false-positive overhead on the blue team. The piece explicitly warns that AI-accelerated vulnerability discovery without matching remediation capacity makes the organisation worse off, not better — a direct critique of "buy the AI tool" patterns. [SINGLE-SOURCE]

UPDATE (originally covered 2026-05-10): Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP's Mini Shai-Hulud self-propagating worm executed its largest campaign to date, compromising 160+ malicious versions across @tanstack/* (42 packages including @tanstack/react-router at ~12M weekly downloads), @uipath/* (60+ packages), @mistralai/*, @opensearch-project/opensearch, @squawk/*, @draftlab/* and @tallyui/*, plus two PyPI packages (StepSecurity analysis, 2026-05-11; TanStack post-mortem, 2026-05-12; Wiz, 2026-05-12; NCSC-CH Security Hub #12558, 2026-05-12).

The novel attack chain (decomposed in § 5) is materially different from the 2026-05-10 SAP-CAP campaign: the operator (voicproducoes, GitHub account ID 269549300) submitted a poisoned PR to a target repository that triggered a pull_request_target workflow, used that privileged workflow to seed a malicious pnpm store into the GitHub Actions cache, then waited for legitimate maintainer merges to main — the release workflow restored the poisoned cache, attacker-controlled binaries extracted GitHub Actions OIDC tokens from /proc/<pid>/mem, and the worm used npm's token-exchange endpoint to publish trojanised package versions with valid SLSA Build Level 3 provenance attestations. The provenance bypass is the most significant evolution — SLSA L3 was the supply-chain assurance many EU public-sector procurement frameworks were starting to rely on, and this campaign demonstrates it is forgeable without abusing the package's own publish step.

Operational delta for defenders: SAP Note #3747787 (HotNews) acknowledges CAP-package impact and ships a clean version list. UiPath impact is the highest-priority public-sector signal — UiPath RPA is widely deployed in Swiss federal e-government automation and EU agency back-offices; review package-lock.json / pnpm-lock.yaml in every UiPath-using pipeline against the StepSecurity / Wiz package-version manifest. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — token revocation triggers the worm's gh-token-monitor dead-man's switch that executes rm -rf ~/ on the affected workstation. Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain, T1552.001 Unsecured Credentials: Credentials in Files, T1078.004 Cloud Accounts.

UPDATE (originally covered 2026-05-12): Late on 2026-05-11, US House Homeland Security Committee Chairman Andrew Garbarino sent a formal letter to Instructure CEO Steve Daly ahead of the 2026-05-12 ShinyHunters extortion deadline, demanding a briefing by 2026-05-21 on the circumstances of both Canvas intrusions, the volume of data accessed, containment measures, and coordination with federal law enforcement and CISA (The Record, 2026-05-12; The Register, 2026-05-12).

On 2026-05-12 — before the deadline expired — Instructure confirmed it had "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" from ShinyHunters, the operational reliability of which the committee letter explicitly questions. ShinyHunters claims the agreement covers up to 275 million records across roughly 8,800 colleges, universities and K-12 schools (per The Register; The Record cites ~9,000 institutions), including Dutch and Swedish higher-education customers previously confirmed in scope. The second Canvas intrusion is attributed to ShinyHunters exploiting an unpatched flaw in Instructure's "Free-for-Teacher" environment; the initial 2026-04-29 intrusion yielded ~3.6 TB of uncompressed data (usernames, emails, course names, messages). CrowdStrike was retained for forensic analysis.

Defender takeaway: a vendor-side "shred log" is legally non-binding and technically unverifiable; EU institutions must continue to treat the 275M-record dataset as irrevocably compromised for GDPR Art. 33 / data-subject-rights purposes regardless of Instructure's bulk-platform claim. The congressional investigation will likely prompt CISA guidance for higher-education SaaS incident response — relevant context for Swiss universities and EU edtech procurement teams.

The UK Information Commissioner's Office on 2026-05-11 issued a £963,900 fine against South Staffordshire Plc and its water-supply subsidiary for the 2020–2022 intrusion. The ICO's published findings cite inadequate vulnerability management, unpatched critical systems, obsolete unsupported software (the estate still contained Windows Server 2003, EOL since July 2015), and incomplete SIEM coverage; the regulator does not name a CVE or threat actor in its public notice. The technical kill-chain detail — phishing initial access in September 2020 → CVE-2020-1472 (ZeroLogon, T1068) against two unpatched domain controllers → domain admin → ~20 months of unimpeded lateral movement → detection in July 2022 when IT performance degraded — comes from The Record's reporting, as does the Cl0p attribution. The ICO press release records that data on about 1.85 million customers (approximately 750,000 current and 1.1 million former) was held by the company, of which 633,887 individuals had data published on the dark web, and that the published dataset totalled over 4.1 TB including customer credentials, bank account/sort codes, Priority Services Register data (from which disability status can be inferred) and HR records (The Register, 2026-05-11). The fine was reduced 40% on the basis of early admission and cooperative engagement; South Staffordshire agreed not to appeal.

Why it matters to us: The ICO action is the first significant post-Cyber-Security-and-Resilience-Bill UK regulatory action against a water-sector OES, and the regulator's operational findings transfer verbatim to NIS2 Article 21 technical measures and the German KRITIS-DachG public-administration scope that came into force this spring. Concrete defender takeaway: (a) measure your actual SIEM/XDR coverage percentage by hostname inventory rather than by sensor-licence count — partial coverage on a high-value subset is materially worse than uniform sampling; (b) the ZeroLogon pivot reported by The Record is a long-tail patch-management hygiene point on domain controllers any SOC can audit against; (c) detection logic that survives this case maps to Sysmon-class auditing of DC authentication events — 4742 (account changes) and 4769 Kerberos service-ticket anomalies — after vendor disclosure of any DC-impacting CVE.

The German Bundeskriminalamt (BKA) and Frankfurt's Central Office for Combating Internet Crime (ZIT), with Spanish National Police support, arrested a 35-year-old German national at his residence in Mallorca on a European Arrest Warrant on 2026-05-08 and shut down the relaunched Crimenetwork (Bundeskriminalamt press release — Deutscher Betreiber von "Crimenetwork" auf Mallorca verhaftet, 2026-05-08; Help Net Security, 2026-05-11). Crimenetwork was the dominant German-language darknet marketplace; the platform was originally taken down in December 2024, and a new operator rebuilt the infrastructure under the same branding shortly afterwards. The rebooted platform reached ~22,000 users and 100+ vendors and brokered stolen data, narcotics, forged documents and illegal services in BTC / LTC / XMR for an estimated €3.6 million in commissions and vendor fees before being seized. Investigators recovered approximately €194,000 in assets and substantial user/transaction data, which the BKA states will drive a wave of follow-on prosecutions — the press release explicitly frames the seized infrastructure data as the operational value, not the headline arrest.

Defender takeaway: The DACH-region credential / payment-card / forged-document inventory cycle on Crimenetwork is now a known-historical artefact for the next 12–24 months — the seized vendor and buyer ledgers will resurface in attribution reports and breach-notification timelines. For Swiss / German / Austrian SOCs running credential-monitoring services, expect a downstream wave of leaked-credential validations once the BKA dataset reaches partner CERTs. The case also reinforces a structural point for German-speaking-market threat models: when an EU-wide darknet platform is dismantled, the replacement is typically a same-branding relaunch on residual customer trust rather than a forum migration — the rebrand interval has now compressed to weeks.

West Pharmaceutical Services Inc. (NYSE: WST), a US-headquartered global manufacturer of drug-delivery and packaging components, filed a Form 8-K on 2026-05-11 disclosing a material cybersecurity incident under Item 1.05 (SEC EDGAR — WST 8-K, 2026-05-11). The filing states that detection occurred on May 4 2026, materiality was determined May 7, and that "certain data was exfiltrated by an unauthorized party and certain systems were encrypted" — terminology consistent with a T1486 Data Encrypted for Impact plus T1041 Exfiltration Over C2 Channel double-extortion ransomware pattern. The company took global systems offline, activated incident response, notified law enforcement and engaged external forensics; core enterprise systems are restored, shipping/receiving/manufacturing are partially restarted at some facilities, and full restoration timeline and material financial impact remain undetermined. No threat actor has claimed responsibility publicly at time of filing.

Defender takeaway: A double-extortion event against an OT-adjacent pharmaceutical packaging manufacturer is a high-supply-chain-risk template — West Pharma's elastomeric closures, vials and drug-delivery devices feed European biopharma packaging lines including those of national-formulary suppliers. EU public-sector procurement teams handling pharmaceutical resilience plans should validate continuity-of-supply with downstream vendors that source closures or delivery devices from West. Detection pivot for analogous targets: large-volume SMB enumeration, VSSAdmin / WBEM shadow-copy deletion (T1490 Inhibit System Recovery), and abnormal DLP egress volume in the days preceding encryption — the encryption event is rarely the first indicator if logs are retained.

Škoda Auto Deutschland GmbH disclosed on 2026-05-11 that an unauthorised actor exploited a vulnerability in the standard shop-software platform underlying its German online-retail store, accessing customer names, postal addresses, email addresses, telephone numbers, order history, account data and password hashes (Škoda Auto Deutschland — Sicherheitsvorfall Škoda Shop; SecurityWeek, 2026-05-11). Credit-card data was not exposed — payment processing is delegated to external PSPs and never stored in the shop database. Škoda's own monitoring detected the intrusion; the shop was taken offline, the underlying vulnerability patched, and external forensics retained. The disclosure flags one notable operational shortfall in the company's own framing: insufficient logging coverage prevents investigators from determining definitively whether the accessed data was actually exfiltrated, so customers must be treated as if it was. Škoda Auto a.s. is a VW Group subsidiary headquartered in Mladá Boleslav (Czech Republic); the German operating company's notification reached the competent EU supervisory authority within the GDPR Article 33 72-hour window. No threat actor has been attributed.

Defender takeaway: The exfiltration-uncertainty pattern this announcement makes public — "we know they read the database; we cannot prove they copied it" — is the dominant blind spot in EU e-commerce / customer-portal architectures whose security stack stops at the WAF and forgets about application-tier or database-tier query auditing. Concrete hardening: enable verbose query logging on the back-end DB for read-traffic anomalies (volume spikes per session, atypical filter cardinality), capture and retain HTTP response sizes at the WAF for n-times-baseline analytics, and forward both into the SIEM with retention measured in months rather than days. Downstream risk: the affected customer count and password-hash algorithm have not been disclosed in either cited source; defenders should treat any leaked password-hash dataset as plaintext-recoverable on a quarter-or-shorter horizon (GPU cracking yield against unknown-algorithm hashes is non-zero) and add Škoda customer email addresses to credential-stuffing watchlists at federated O365 / Google Workspace tenants for the next quarter.

UPDATE (originally covered 2026-05-09; updated 2026-05-10): Instructure on 2026-05-11 disclosed that it "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" — a ransom payment in everything but name, undisclosed amount, covering the platform-wide ~3.65 TB dataset that ShinyHunters claimed to have lifted from Canvas's Free-for-Teacher tier on 2026-04-29 (Inside Higher Ed, 2026-05-11; Infosecurity Magazine, 2026-05-11).

Two material developments accompany the settlement: (a) Instructure confirmed a second intrusion on 2026-05-07 in which ShinyHunters defaced approximately 330 individual institution login portals via the same Free-for-Teacher vulnerability — the first ITW evidence that the underlying flaw remained exploitable post-patch; (b) ShinyHunters has now reset a per-institution payment deadline to end-of-day 2026-05-12 (today), positioning the central settlement as covering only the bulk dataset while leaving individual institutions exposed to targeted publication (The Register, 2026-05-12). CEO Steve Daly publicly acknowledged delayed external communication ("we got the balance wrong" on disclosure timing). CrowdStrike remains engaged for the IR work.

Operational reality for any European university running Canvas: the "data was destroyed" claim is not technically verifiable — by ransomware-actor practice, the artefact provided is typically a hash list or a video, not a forensically meaningful proof of deletion. The dataset must continue to be treated as compromised in perpetuity for GDPR / Swiss DSG purposes, downstream phishing risk planning, and student-identity exposure communications. Institutions that received the per-institution deadline note should validate that any locally-stored Canvas-derived data (course rosters, communications, gradebooks) is included in the breach-notification scope, regardless of the platform-wide settlement.

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

If you did nothing this week: in-the-wild exploitation began within approximately 36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication per Bishop Fox. Any LiteLLM Proxy instance that was internet-accessible during that window should be treated as having had its credential tables read. Patching to v1.83.7+ does not remediate pre-patch credential exposure — every upstream API key (OpenAI, Anthropic, Azure OpenAI, Cohere, every other configured provider) stored in the proxy database must be rotated (Bishop Fox — CVE-2026-42208 technical analysis, 2026-05-06 · LiteLLM vendor advisory, 2026-04-29). CISA KEV deadline 2026-05-11 (Monday).

The flaw is an f-string SQL injection in the PrismaClient.get_data() method: the caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep() against the LiteLLM_VerificationToken table (Bishop Fox's named example) — alongside the proxy's virtual-key, upstream-provider-credential, team-binding, and rate-limit configuration tables. On default deployments where the application database user holds superuser rights, the primitive is full read/write across the database (CWE-89, CVSS 9.3, T1190 Exploit Public-Facing Application, T1552.001 Credentials in Files).

The architectural lesson connects directly to the Braintrust AWS account compromise disclosed 2026-05-06 (see § 5): AI-evaluation, AI-observability, and AI-gateway SaaS platforms aggregate organisation-level upstream-provider credentials for many tenants per vendor, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. EU public-sector AI pilots running through LiteLLM or any similar gateway should inventory which provider keys are held by which SaaS vendor; require per-environment scoping (dev / staging / prod) with short TTLs; enable provider-side anomaly alerts for unusual call-volume or geographic-origin shifts. Patching path: pip install --upgrade litellm to ≥ 1.83.7 or pull the updated container image.

A new sector pattern surfaced this week: AI tooling SaaS as a multi-tenant credential aggregation surface. Two parallel incidents make the architecture explicit. Braintrust (AI evaluation / observability) — confirmed 2026-05-04 AWS account compromise; the compromised account held organisation-level API keys customers use to connect upstream LLM providers (OpenAI, Anthropic, Azure OpenAI); Braintrust instructed every customer to rotate organisation-level provider credentials regardless of confirmed exposure; one customer confirmed compromised, three reported anomalous AI usage spikes consistent with credential abuse (TechCrunch, 2026-05-06 · SecurityWeek, 2026-05-08 · daily 2026-05-10). LiteLLM Proxy CVE-2026-42208 — the database holds every virtual key, upstream-provider credential, and team binding configured into the proxy; pre-auth SQLi exposes them all; CISA KEV deadline Monday 2026-05-11. Cross-finding pattern: AI-evaluation, AI-observability, AI-gateway, prompt-management, and agent-evaluation platforms all aggregate organisation-level upstream-provider credentials for many tenants per vendor, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. European public-sector AI pilots in 2026-W20 should inventory which AI-tooling SaaS vendors hold organisation-level upstream-provider keys, require per-environment scoping, and require provider-side anomaly alerts.

CVE-2026-42208 (pre-auth SQL injection in LiteLLM Proxy, CVSS 9.3) was added to CISA KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11 — tomorrow (Bishop Fox — CVE-2026-42208 technical analysis, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). Patching alone is insufficient — every upstream LLM-provider API key (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.) stored in the proxy's database must be rotated, since pre-patch exposure means credentials may already be exfiltrated. Move to LiteLLM v1.83.7+ and audit upstream-provider call logs for anomalous geographic origins / call-volume spikes since 2026-04-30.

CVE-2026-42208 (CWE-89, CVSS 9.3) is a pre-authentication f-string SQL injection in the PrismaClient.get_data() method of LiteLLM Proxy, an open-source AI API gateway that centralises access management for upstream LLM provider keys (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.). The caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep(), targeting LiteLLM_VerificationToken, litellm_credentials, and litellm_config tables — which collectively hold every virtual API key, upstream provider credential, team binding, and rate-limit configuration in the proxy (Bishop Fox, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). On default deployments where the application database user holds superuser rights, an attacker gains full read/write access to the database. In-the-wild exploitation began within approximately 26–36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication. CISA added the CVE to KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11. Fixed in LiteLLM v1.83.7+. Patching does not remediate credential compromise on instances that were already exposed; operators should rotate all upstream API keys stored in the proxy database.

CVE-2025-68670 is a pre-authentication stack buffer overflow in the xrdp_wm_parse_domain_information function of xrdp (open-source RDP server for Linux), disclosed by Kaspersky researchers Denis Skvortsov and Dmitry Shmoylov on 2026-05-08. Domain names beginning with an underscore and containing __ delimiters are processed via a UTF-16-to-UTF-8 conversion path and written from a 512-byte input buffer into a 256-byte stack buffer without bounds checking; the conversion step amplifies the overflow size. Stack canaries are present but bypassable via canary leakage. The vulnerability was reported 2025-12-05, CVE assigned 2025-12-24, mainline patch merged 2026-01-27; public disclosure followed on 2026-05-08. Affects xrdp < 0.10.5; backports available for 0.9.27 and 0.10.4.1 (Kaspersky Securelist — CVE-2025-68670, 2026-05-08). xrdp is widely deployed in Linux remote-access and thin-client environments, including public-sector Linux desktops.

CVE Summary Table