ctipilot.ch

Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation (2026-05-11)

incident · incident:skoda-shop-breach-2026

Coverage timeline: 1 (first 2026-05-12 → last 2026-05-12)
Briefs: 1 (1 distinct)
Sources cited: 19 (16 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-05-12 · CTI Daily Brief — 2026-05-12
     active_threats · First coverage. Standard-shop-software vulnerability exploited; customer names, addresses, emails, phone numbers, order history, account data, password hashes accessed. Credit cards not exposed (delegated to external PSPs). Škoda monitoring detected; shop offlined and patched. Insufficient logging coverage prevents definitive exfiltration confirmation. Czech Republic primary GDPR jurisdiction (Volkswagen Group subsidiary).

Where this entity is cited

  • active_threats: 1

Source distribution

  • securityweek.com: 3 (16%)
  • theregister.com: 2 (11%)
  • bishopfox.com: 1 (5%)
  • bka.de: 1 (5%)
  • checkmarx.com: 1 (5%)
  • docs.litellm.ai: 1 (5%)
  • helpnetsecurity.com: 1 (5%)
  • ico.org.uk: 1 (5%)
  • other: 8 (42%)

Related entities

All cited sources (19)

Items in briefs about Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation (2026-05-11) (11)

CVE-2026-42208 LiteLLM Proxy — pre-auth SQL injection exposing upstream LLM-provider API keys at the multi-tenant SaaS layer

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

If you did nothing this week: in-the-wild exploitation began within approximately 36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication per Bishop Fox. Any LiteLLM Proxy instance that was internet-accessible during that window should be treated as having had its credential tables read. Patching to v1.83.7+ does not remediate pre-patch credential exposure — every upstream API key (OpenAI, Anthropic, Azure OpenAI, Cohere, every other configured provider) stored in the proxy database must be rotated (Bishop Fox — CVE-2026-42208 technical analysis, 2026-05-06 · LiteLLM vendor advisory, 2026-04-29). CISA KEV deadline 2026-05-11 (Monday).

The flaw is an f-string SQL injection in the PrismaClient.get_data() method: the caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep() against the LiteLLM_VerificationToken table (Bishop Fox's named example) — alongside the proxy's virtual-key, upstream-provider-credential, team-binding, and rate-limit configuration tables. On default deployments where the application database user holds superuser rights, the primitive is full read/write across the database (CWE-89, CVSS 9.3, T1190 Exploit Public-Facing Application, T1552.001 Credentials in Files).

The architectural lesson connects directly to the Braintrust AWS account compromise disclosed 2026-05-06 (see § 5): AI-evaluation, AI-observability, and AI-gateway SaaS platforms aggregate organisation-level upstream-provider credentials for many tenants per vendor, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. EU public-sector AI pilots running through LiteLLM or any similar gateway should inventory which provider keys are held by which SaaS vendor; require per-environment scoping (dev / staging / prod) with short TTLs; enable provider-side anomaly alerts for unusual call-volume or geographic-origin shifts. Patching path: pip install --upgrade litellm to ≥ 1.83.7 or pull the updated container image.

AI tooling SaaS (multi-tenant credential aggregation, US)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

A new sector pattern surfaced this week: AI tooling SaaS as a multi-tenant credential aggregation surface. Two parallel incidents make the architecture explicit. Braintrust (AI evaluation / observability) — confirmed 2026-05-04 AWS account compromise; the compromised account held organisation-level API keys customers use to connect upstream LLM providers (OpenAI, Anthropic, Azure OpenAI); Braintrust instructed every customer to rotate organisation-level provider credentials regardless of confirmed exposure; one customer confirmed compromised, three reported anomalous AI usage spikes consistent with credential abuse (TechCrunch, 2026-05-06 · SecurityWeek, 2026-05-08 · daily 2026-05-10). LiteLLM Proxy CVE-2026-42208 — the database holds every virtual key, upstream-provider credential, and team binding configured into the proxy; pre-auth SQLi exposes them all; CISA KEV deadline Monday 2026-05-11. Cross-finding pattern: AI-evaluation, AI-observability, AI-gateway, prompt-management, and agent-evaluation platforms all aggregate organisation-level upstream-provider credentials for many tenants per vendor, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. European public-sector AI pilots in 2026-W20 should inventory which AI-tooling SaaS vendors hold organisation-level upstream-provider keys, require per-environment scoping, and require provider-side anomaly alerts.

ICO fines South Staffordshire Water £963,900 — water-sector OES with partial SIEM coverage; Cl0p attribution and ZeroLogon kill-chain detail sourced to The Record

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

The UK Information Commissioner's Office on 2026-05-11 issued a £963,900 fine against South Staffordshire Plc and its water-supply subsidiary for the 2020–2022 intrusion. The ICO's published findings cite inadequate vulnerability management, unpatched critical systems, obsolete unsupported software (the estate still contained Windows Server 2003, EOL since July 2015), and incomplete SIEM coverage; the regulator does not name a CVE or threat actor in its public notice. The technical kill-chain detail — phishing initial access in September 2020 → CVE-2020-1472 (ZeroLogon, T1068) against two unpatched domain controllers → domain admin → ~20 months of unimpeded lateral movement → detection in July 2022 when IT performance degraded — comes from The Record's reporting, as does the Cl0p attribution. The ICO press release records that data on about 1.85 million customers (approximately 750,000 current and 1.1 million former) was held by the company, of which 633,887 individuals had data published on the dark web, and that the published dataset totalled over 4.1 TB including customer credentials, bank account/sort codes, Priority Services Register data (from which disability status can be inferred) and HR records (The Register, 2026-05-11). The fine was reduced 40% on the basis of early admission and cooperative engagement; South Staffordshire agreed not to appeal.

Why it matters to us: The ICO action is the first significant post-Cyber-Security-and-Resilience-Bill UK regulatory action against a water-sector OES, and the regulator's operational findings transfer verbatim to NIS2 Article 21 technical measures and the German KRITIS-DachG public-administration scope that came into force this spring. Concrete defender takeaway: (a) measure your actual SIEM/XDR coverage percentage by hostname inventory rather than by sensor-licence count — partial coverage on a high-value subset is materially worse than uniform sampling; (b) the ZeroLogon pivot reported by The Record is a long-tail patch-management hygiene point on domain controllers any SOC can audit against; (c) detection logic that survives this case maps to Sysmon-class auditing of DC authentication events — 4742 (account changes) and 4769 Kerberos service-ticket anomalies — after vendor disclosure of any DC-impacting CVE.
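The DC-auditing point in takeaway (c) can be turned into concrete detection logic. The block below is an added example, not from the ICO notice, The Record or the brief: it runs two heuristics over a constructed list of Windows security events. The first flags a 4742 computer-account change whose subject is ANONYMOUS LOGON (the widely published ZeroLogon hunt; this example assumes that mapping), the second flags a 4769 burst, meaning one account requesting service tickets for many distinct services from one source address inside a short window. Event field names follow the Windows security-log schema; the events, host names and thresholds are constructed for the example.

```python
"""Heuristic checks over constructed DC authentication events (4742 / 4769)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in the shape of a Windows security-log export (subset of fields).
EVENTS = [
    {"EventID": 4742, "TimeCreated": "2020-09-14T10:01:03Z", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "IpAddress": "-", "ServiceName": "-"},
    {"EventID": 4742, "TimeCreated": "2020-09-14T10:03:40Z", "SubjectUserName": "svc-joiner",
     "TargetUserName": "WS0042$", "IpAddress": "-", "ServiceName": "-"},
    {"EventID": 4769, "TimeCreated": "2020-09-14T10:05:00Z", "SubjectUserName": "-",
     "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.21", "ServiceName": "MSSQLSvc/db01"},
    {"EventID": 4769, "TimeCreated": "2020-09-14T10:05:12Z", "SubjectUserName": "-",
     "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.21", "ServiceName": "HTTP/intranet"},
    {"EventID": 4769, "TimeCreated": "2020-09-14T10:05:30Z", "SubjectUserName": "-",
     "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.21", "ServiceName": "CIFS/fs01"},
    {"EventID": 4769, "TimeCreated": "2020-09-14T10:05:48Z", "SubjectUserName": "-",
     "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.21", "ServiceName": "LDAP/dc01"},
    {"EventID": 4769, "TimeCreated": "2020-09-14T10:06:05Z", "SubjectUserName": "-",
     "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.21", "ServiceName": "HOST/app01"},
    {"EventID": 4769, "TimeCreated": "2020-09-14T10:06:41Z", "SubjectUserName": "-",
     "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.21", "ServiceName": "MSSQLSvc/db02"},
    {"EventID": 4769, "TimeCreated": "2020-09-14T10:07:00Z", "SubjectUserName": "-",
     "TargetUserName": "a.smith@CORP.LOCAL", "IpAddress": "10.0.7.9", "ServiceName": "CIFS/fs01"},
    {"EventID": 4769, "TimeCreated": "2020-09-14T10:30:00Z", "SubjectUserName": "-",
     "TargetUserName": "a.smith@CORP.LOCAL", "IpAddress": "10.0.7.9", "ServiceName": "HTTP/intranet"},
]

# Constructed inventory of domain-controller computer accounts (assumption of the example).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def _ts(value):
    """Parse the log timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_anonymous_computer_changes(events):
    """4742 where a computer account ($) was changed by ANONYMOUS LOGON.

    A machine-account change with no authenticated subject is the pattern
    published for ZeroLogon hunts; changes to DC accounts are marked is_dc.
    """
    hits = []
    for e in events:
        if (e["EventID"] == 4742
                and e["SubjectUserName"].upper() == "ANONYMOUS LOGON"
                and e["TargetUserName"].endswith("$")):
            hits.append({"target": e["TargetUserName"],
                         "is_dc": e["TargetUserName"] in DOMAIN_CONTROLLERS,
                         "time": e["TimeCreated"]})
    return hits


def flag_service_ticket_bursts(events, window=timedelta(minutes=5), threshold=5):
    """4769 bursts: one account asking for tickets to >= threshold distinct
    services from one source IP within `window`. Returns one record per
    (account, ip) with the peak distinct-service count observed."""
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769:
            key = (e["TargetUserName"], e["IpAddress"])
            groups[key].append((_ts(e["TimeCreated"]), e["ServiceName"]))
    bursts = []
    for (account, ip), reqs in groups.items():
        reqs.sort()
        peak = 0
        for t_i, _ in reqs:  # sliding window ending at each request
            distinct = {svc for t, svc in reqs if t_i - window <= t <= t_i}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            bursts.append({"account": account, "ip": ip, "distinct_services": peak})
    return bursts


if __name__ == "__main__":
    print("4742 by ANONYMOUS LOGON:", flag_anonymous_computer_changes(EVENTS))
    print("4769 bursts:", flag_service_ticket_bursts(EVENTS))
```

Both checks only work if the DCs are actually forwarding their security logs, which is the coverage point in takeaway (a): a DC that is not in the SIEM's hostname inventory produces no 4742 to match.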

BKA and ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

The German Bundeskriminalamt (BKA) and Frankfurt's Central Office for Combating Internet Crime (ZIT), with Spanish National Police support, arrested a 35-year-old German national at his residence in Mallorca on a European Arrest Warrant on 2026-05-08 and shut down the relaunched Crimenetwork (Bundeskriminalamt press release — Deutscher Betreiber von "Crimenetwork" auf Mallorca verhaftet, 2026-05-08; Help Net Security, 2026-05-11). Crimenetwork was the dominant German-language darknet marketplace; the platform was originally taken down in December 2024, and a new operator rebuilt the infrastructure under the same branding shortly afterwards. The rebooted platform reached ~22,000 users and 100+ vendors and brokered stolen data, narcotics, forged documents and illegal services in BTC / LTC / XMR for an estimated €3.6 million in commissions and vendor fees before being seized. Investigators recovered approximately €194,000 in assets and substantial user/transaction data, which the BKA states will drive a wave of follow-on prosecutions — the press release explicitly frames the seized infrastructure data as the operational value, not the headline arrest.

Defender takeaway: The DACH-region credential / payment-card / forged-document inventory cycle on Crimenetwork is now a known-historical artefact for the next 12–24 months — the seized vendor and buyer ledgers will resurface in attribution reports and breach-notification timelines. For Swiss / German / Austrian SOCs running credential-monitoring services, expect a downstream wave of leaked-credential validations once the BKA dataset reaches partner CERTs. The case also reinforces a structural point for German-speaking-market threat models: when an EU-wide darknet platform is dismantled, the replacement is typically a same-branding relaunch on residual customer trust rather than a forum migration — the rebrand interval has now compressed to weeks.

[SINGLE-SOURCE-OTHER] West Pharmaceutical Services files SEC Form 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

West Pharmaceutical Services Inc. (NYSE: WST), a US-headquartered global manufacturer of drug-delivery and packaging components, filed a Form 8-K on 2026-05-11 disclosing a material cybersecurity incident under Item 1.05 (SEC EDGAR — WST 8-K, 2026-05-11). The filing states that detection occurred on May 4 2026, materiality was determined May 7, and that "certain data was exfiltrated by an unauthorized party and certain systems were encrypted" — terminology consistent with a T1486 Data Encrypted for Impact plus T1041 Exfiltration Over C2 Channel double-extortion ransomware pattern. The company took global systems offline, activated incident response, notified law enforcement and engaged external forensics; core enterprise systems are restored, shipping/receiving/manufacturing are partially restarted at some facilities, and full restoration timeline and material financial impact remain undetermined. No threat actor has claimed responsibility publicly at time of filing.

Defender takeaway: A double-extortion event against an OT-adjacent pharmaceutical packaging manufacturer is a high-supply-chain-risk template — West Pharma's elastomeric closures, vials and drug-delivery devices feed European biopharma packaging lines including those of national-formulary suppliers. EU public-sector procurement teams handling pharmaceutical resilience plans should validate continuity-of-supply with downstream vendors that source closures or delivery devices from West. Detection pivot for analogous targets: large-volume SMB enumeration, VSSAdmin / WBEM shadow-copy deletion (T1490 Inhibit System Recovery), and abnormal DLP egress volume in the days preceding encryption — the encryption event is rarely the first indicator if logs are retained.

Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

Škoda Auto Deutschland GmbH disclosed on 2026-05-11 that an unauthorised actor exploited a vulnerability in the standard shop-software platform underlying its German online-retail store, accessing customer names, postal addresses, email addresses, telephone numbers, order history, account data and password hashes (Škoda Auto Deutschland — Sicherheitsvorfall Škoda Shop; SecurityWeek, 2026-05-11). Credit-card data was not exposed — payment processing is delegated to external PSPs and never stored in the shop database. Škoda's own monitoring detected the intrusion; the shop was taken offline, the underlying vulnerability patched, and external forensics retained. The disclosure flags one notable operational shortfall in the company's own framing: insufficient logging coverage prevents investigators from determining definitively whether the accessed data was actually exfiltrated, so customers must be treated as if it was. Škoda Auto a.s. is a VW Group subsidiary headquartered in Mladá Boleslav (Czech Republic); the German operating company's notification reached the competent EU supervisory authority within the GDPR Article 33 72-hour window. No threat actor has been attributed.

Defender takeaway: The exfiltration-uncertainty pattern this announcement makes public — "we know they read the database; we cannot prove they copied it" — is the dominant blind spot in EU e-commerce / customer-portal architectures whose security stack stops at the WAF and forgets about application-tier or database-tier query auditing. Concrete hardening: enable verbose query logging on the back-end DB for read-traffic anomalies (volume spikes per session, atypical filter cardinality), capture and retain HTTP response sizes at the WAF for n-times-baseline analytics, and forward both into the SIEM with retention measured in months rather than days. Downstream risk: the affected customer count and password-hash algorithm have not been disclosed in either cited source; defenders should treat any leaked password-hash dataset as plaintext-recoverable on a quarter-or-shorter horizon (GPU cracking yield against unknown-algorithm hashes is non-zero) and add Škoda customer email addresses to credential-stuffing watchlists at federated O365 / Google Workspace tenants for the next quarter.
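The hardening items above (per-session read-volume spikes, atypical filter cardinality, n-times-baseline response sizes at the WAF) are simple enough to prototype. The block below is an added example and not code from Škoda, the brief, or any shop platform: it parses constructed DB query-log and WAF access-log lines (the line formats are hypothetical) and flags sessions whose total rows read exceed a multiple of the median session, statements whose WHERE clause carries no bound parameter, and responses whose size exceeds a multiple of the per-path median.

```python
"""Read-traffic anomaly flags over constructed DB query-log and WAF log lines."""
import re
from collections import defaultdict
from statistics import median

# Constructed DB query log (hypothetical format): the application session that
# issued each statement and the number of rows it returned.
DB_LOG = """\
2026-05-10T09:00:01Z session=s1 rows=1 stmt=SELECT * FROM customers WHERE id=$1
2026-05-10T09:00:05Z session=s2 rows=3 stmt=SELECT * FROM orders WHERE customer_id=$1
2026-05-10T09:00:09Z session=s3 rows=1 stmt=SELECT * FROM customers WHERE id=$1
2026-05-10T09:00:14Z session=s4 rows=2 stmt=SELECT * FROM orders WHERE customer_id=$1
2026-05-10T09:00:20Z session=s5 rows=4 stmt=SELECT * FROM orders WHERE customer_id=$1
2026-05-10T09:00:31Z session=s6 rows=1 stmt=SELECT * FROM customers WHERE id=$1
2026-05-10T09:00:40Z session=s7 rows=2 stmt=SELECT * FROM orders WHERE customer_id=$1
2026-05-10T09:00:52Z session=s8 rows=3 stmt=SELECT * FROM orders WHERE customer_id=$1
2026-05-10T09:02:00Z session=s9 rows=1 stmt=SELECT * FROM customers WHERE id=$1
2026-05-10T09:02:07Z session=s9 rows=48210 stmt=SELECT * FROM customers WHERE 1=1
"""

# Constructed WAF access log (hypothetical format) with response sizes retained.
WAF_LOG = """\
2026-05-10T09:00:01Z client=203.0.113.10 path=/account status=200 bytes=1843
2026-05-10T09:00:05Z client=203.0.113.11 path=/account status=200 bytes=1902
2026-05-10T09:00:09Z client=203.0.113.12 path=/account status=200 bytes=1788
2026-05-10T09:00:12Z client=203.0.113.13 path=/orders status=200 bytes=5120
2026-05-10T09:00:15Z client=203.0.113.14 path=/orders status=200 bytes=4980
2026-05-10T09:02:03Z client=198.51.100.7 path=/account status=200 bytes=3904512
"""

DB_RE = re.compile(r"^(\S+) session=(\S+) rows=(\d+) stmt=(.*)$")
WAF_RE = re.compile(r"^(\S+) client=(\S+) path=(\S+) status=(\d+) bytes=(\d+)$")


def parse_db_log(text):
    """One dict per statement line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m:
            records.append({"ts": m[1], "session": m[2], "rows": int(m[3]), "stmt": m[4]})
    return records


def parse_waf_log(text):
    """One dict per access-log line with the response size as an int."""
    records = []
    for line in text.splitlines():
        m = WAF_RE.match(line)
        if m:
            records.append({"ts": m[1], "client": m[2], "path": m[3],
                            "status": int(m[4]), "bytes": int(m[5])})
    return records


def session_row_totals(records):
    """Total rows returned per application session."""
    totals = defaultdict(int)
    for r in records:
        totals[r["session"]] += r["rows"]
    return dict(totals)


def flag_sessions(records, factor=10):
    """Sessions that read more than factor x the median session's row total.
    The median is used as baseline because one bulk read would drag a mean up."""
    totals = session_row_totals(records)
    baseline = max(1, median(totals.values()))
    return sorted(s for s, n in totals.items() if n > factor * baseline)


def unbounded_reads(records):
    """Statements with no bound parameter ($n) in them: for a per-customer shop
    query that is an atypical filter, since every normal read is keyed by id."""
    return [r for r in records if "$" not in r["stmt"]]


def flag_responses(records, factor=10):
    """Responses larger than factor x the median size seen for the same path."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r["bytes"])
    flagged = []
    for r in records:
        baseline = max(1, median(by_path[r["path"]]))
        if r["bytes"] > factor * baseline:
            flagged.append({**r, "ratio": round(r["bytes"] / baseline, 1)})
    return flagged


if __name__ == "__main__":
    db = parse_db_log(DB_LOG)
    print("sessions over baseline:", flag_sessions(db))
    print("unbounded statements:", [r["stmt"] for r in unbounded_reads(db)])
    print("oversized responses:", flag_responses(parse_waf_log(WAF_LOG)))
```

The point of keeping both signals is that either one alone can be explained away (a legitimate export job, a large product image), while a bulk-read session coinciding with an oversized response from a customer-facing path is exactly the evidence the Škoda investigators say they lacked.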

UPDATE: Instructure (Canvas LMS) — ransom paid to ShinyHunters with "shred logs"; second intrusion confirmed; per-institution leak deadline reset to today

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (originally covered 2026-05-09; updated 2026-05-10): Instructure on 2026-05-11 disclosed that it "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" — a ransom payment in everything but name, undisclosed amount, covering the platform-wide ~3.65 TB dataset that ShinyHunters claimed to have lifted from Canvas's Free-for-Teacher tier on 2026-04-29 (Inside Higher Ed, 2026-05-11; Infosecurity Magazine, 2026-05-11).

Two material developments accompany the settlement: (a) Instructure confirmed a second intrusion on 2026-05-07 in which ShinyHunters defaced approximately 330 individual institution login portals via the same Free-for-Teacher vulnerability — the first ITW evidence that the underlying flaw remained exploitable post-patch; (b) ShinyHunters has now reset a per-institution payment deadline to end-of-day 2026-05-12 (today), positioning the central settlement as covering only the bulk dataset while leaving individual institutions exposed to targeted publication (The Register, 2026-05-12). CEO Steve Daly publicly acknowledged delayed external communication ("we got the balance wrong" on disclosure timing). CrowdStrike remains engaged for the IR work.

Operational reality for any European university running Canvas: the "data was destroyed" claim is not technically verifiable — by ransomware-actor practice, the artefact provided is typically a hash list or a video, not a forensically meaningful proof of deletion. The dataset must continue to be treated as compromised in perpetuity for GDPR / Swiss DSG purposes, downstream phishing risk planning, and student-identity exposure communications. Institutions that received the per-institution deadline note should validate that any locally-stored Canvas-derived data (course rosters, communications, gradebooks) is included in the breach-notification scope, regardless of the platform-wide settlement.

UPDATE: TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

LiteLLM Proxy KEV deadline tomorrow (2026-05-11) — patch and rotate every upstream key

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

CVE-2026-42208 (pre-auth SQL injection in LiteLLM Proxy, CVSS 9.3) was added to CISA KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11 — tomorrow (Bishop Fox — CVE-2026-42208 technical analysis, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). Patching alone is insufficient — every upstream LLM-provider API key (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.) stored in the proxy's database must be rotated, since pre-patch exposure means credentials may already be exfiltrated. Move to LiteLLM v1.83.7+ and audit upstream-provider call logs for anomalous geographic origins / call-volume spikes since 2026-04-30.

CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

CVE-2026-42208 (CWE-89, CVSS 9.3) is a pre-authentication f-string SQL injection in the PrismaClient.get_data() method of LiteLLM Proxy, an open-source AI API gateway that centralises access management for upstream LLM provider keys (OpenAI, Anthropic, Azure OpenAI, Cohere, etc.). The caller-supplied Authorization: Bearer <token> value is interpolated directly into a PostgreSQL query string rather than passed as a parameterised argument. An unauthenticated attacker sends a crafted token to any LLM API route (e.g., POST /v1/chat/completions) and performs blind time-based injection via pg_sleep(), targeting LiteLLM_VerificationToken, litellm_credentials, and litellm_config tables — which collectively hold every virtual API key, upstream provider credential, team binding, and rate-limit configuration in the proxy (Bishop Fox, 2026-04-30 · LiteLLM vendor advisory, 2026-04-29). On default deployments where the application database user holds superuser rights, an attacker gains full read/write access to the database. In-the-wild exploitation began within approximately 26–36 hours of the GitHub Security Advisory (GHSA-r75f-5x8p-qvmc) publication. CISA added the CVE to KEV on 2026-05-08 with a federal remediation deadline of 2026-05-11. Fixed in LiteLLM v1.83.7+. Patching does not remediate credential compromise on instances that were already exposed; operators should rotate all upstream API keys stored in the proxy database.
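Both this item and the weekly-summary item above describe the same defect class: a bearer token interpolated into a query string instead of being bound as a parameter. The block below is an added example, not LiteLLM's code and not Bishop Fox's analysis: a hypothetical TokenStore with the flawed lookup beside its parameterised fix, using sqlite3 in memory as a stand-in for PostgreSQL so it runs offline. The table name, method names and token values are constructed for the example.

```python
"""Vulnerable f-string token lookup beside its parameterised fix (CWE-89)."""
import sqlite3


class TokenStore:
    """Hypothetical stand-in for a proxy's verification-token lookup."""

    def __init__(self):
        # In-memory database seeded with a constructed virtual-key table.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE verification_tokens (token TEXT PRIMARY KEY, team TEXT)")
        self.db.executemany(
            "INSERT INTO verification_tokens VALUES (?, ?)",
            [("sk-team-alpha-0001", "alpha"), ("sk-team-beta-0002", "beta")],
        )

    def get_data_vulnerable(self, token):
        """The defect: the token is spliced into the query text, so a quote
        character inside it ends the string literal and whatever follows is
        parsed as SQL rather than compared as data."""
        query = f"SELECT token, team FROM verification_tokens WHERE token = '{token}'"
        return self.db.execute(query).fetchall()

    def get_data_safe(self, token):
        """The fix: the token travels as a bound parameter (? in sqlite3,
        %s in psycopg for PostgreSQL) and is only ever compared as a value."""
        query = "SELECT token, team FROM verification_tokens WHERE token = ?"
        return self.db.execute(query, (token,)).fetchall()


def bearer_token(header_value):
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Bearer <token>'")
    return token.strip()


def demo():
    """Run a legitimate and a crafted token through both lookups."""
    store = TokenStore()
    legit = bearer_token("Bearer sk-team-alpha-0001")
    # Not a key at all: a quote plus a tautology, the textbook CWE-89 input.
    crafted = bearer_token("Bearer x' OR '1'='1")
    return {
        "vulnerable_legit": store.get_data_vulnerable(legit),
        "vulnerable_crafted": store.get_data_vulnerable(crafted),
        "safe_legit": store.get_data_safe(legit),
        "safe_crafted": store.get_data_safe(crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row for the crafted token while the parameterised one returns none, which is the whole of the fix; the rotation advice in the item stands regardless, because a patched query does nothing for keys that were readable before the patch.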

CVE-2025-68670 — xrdp pre-authentication stack overflow, arbitrary code execution [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-09 · published 2026-05-12

CVE-2025-68670 is a pre-authentication stack buffer overflow in the xrdp_wm_parse_domain_information function of xrdp (open-source RDP server for Linux), disclosed by Kaspersky researchers Denis Skvortsov and Dmitry Shmoylov on 2026-05-08. Domain names beginning with an underscore and containing __ delimiters are processed via a UTF-16-to-UTF-8 conversion path and written from a 512-byte input buffer into a 256-byte stack buffer without bounds checking; the conversion step amplifies the overflow size. Stack canaries are present but bypassable via canary leakage. The vulnerability was reported 2025-12-05, CVE assigned 2025-12-24, mainline patch merged 2026-01-27; public disclosure followed on 2026-05-08. Affects xrdp < 0.10.5; backports available for 0.9.27 and 0.10.4.1 (Kaspersky Securelist — CVE-2025-68670, 2026-05-08). xrdp is widely deployed in Linux remote-access and thin-client environments, including public-sector Linux desktops.

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-42208 | LiteLLM Proxy | 9.3 | n/a | Yes (due 2026-05-11) | Yes — ITW ~26 h post-advisory | v1.83.7+ | Bishop Fox
CVE-2026-43284 | Linux kernel (xfrm-ESP) | n/a | n/a | No | Yes — limited campaigns (Microsoft) | Mainline patch 2026-05-08; distro updates in progress | Wiz Research
CVE-2026-43500 | Linux kernel (RxRPC) | n/a | n/a | No | Yes — limited campaigns (Microsoft) | Kernel patch PENDING; distro patches PENDING | Wiz Research
CVE-2026-44128 | SEPPmail Secure Email Gateway | 9.3 | n/a | No | None confirmed | patch 15.0.4.1 | NCSC-CH 12551
CVE-2026-44125 | SEPPmail (GINAv2) | 9.3 | n/a | No | None confirmed | patch 15.0.4 | NCSC-CH 12551
CVE-2026-44126 | SEPPmail | 9.2 | n/a | No | None confirmed | patch 15.0.4 | NCSC-CH 12551
CVE-2026-40982 | Spring Cloud Config Server | 9.8 | n/a | No | None confirmed | 4.3.3 / 5.0.3 (OSS) | Spring.io
CVE-2025-68670 | xrdp | n/a | n/a | No | None confirmed | xrdp 0.10.5 / 0.10.4.1 / 0.9.27 | Kaspersky Securelist