Unit 42: malicious OpenClaw ClawHub skills deliver AMOS + agentic fraud

Palo Alto Networks Unit 42 (2026-06-23) documented five malicious skills published to ClawHub, the third-party skill marketplace for the OpenClaw AI-agent platform, active February–May 2026 (Unit 42, 2026-06-23; corroborated by Trend Micro). Two skills delivered the cluw macOS infostealer (an Atomic macOS Stealer / AMOS variant) by redirecting the agent to paste-site URLs (rentry.co, glot.io) carrying Base64-encoded curl | bash droppers. A third, omnicogg, padded its README to 22 MB to exceed the file-size threshold of both ClawScan and VirusTotal, slipping its payload past automated scanning. The most novel two cross a line into agentic abuse: money-radar fetches an attacker-controlled referrals.json at runtime to silently rewrite the financial referral links the agent recommends (revenue redirection with no re-publish), and letssendit coordinates a pool of agents to accumulate Solana ahead of operator-timed token launches — Unit 42's described first weaponisation of an AI-agent botnet for pump-and-dump fraud.

Why it matters to us: The skill-marketplace attack surface behaves like a package registry but is barely covered by existing supply-chain tooling, and "installation results in complete control over the agent's identity." For any organisation piloting agentic AI, treat skills as untrusted code: review them line-by-line before install, validate publisher provenance, and watch for agent processes spawning curl/shell, reaching paste sites, or creating cron persistence (T1195.001 supply-chain compromise, T1204.003/T1202 indirect execution, T1053.003 cron, T1555 credential access). The file-padding evasion is a reminder that a scanner with a content-size cutoff is a control with a documented bypass.

Unit 42 detailed an architectural attack abusing the global uniqueness of object-storage bucket names across AWS S3, Google Cloud Storage and (less so) Azure Blob Storage (Unit 42, 2026-06-22). An actor holding bucket-delete rights deletes a destination bucket and immediately recreates it under their own account; existing log sinks, replication jobs, Pub/Sub-to-Storage subscriptions and Data Firehose streams keep writing to the now attacker-owned bucket with no config change and no entry in the source account's audit trail. No named in-the-wild exploitation is reported — this is offensive-research surfacing of an exposure class — but the impact on audit-log integrity is exactly what a SOC's detection pipeline depends on. [SINGLE-SOURCE] (Unit 42, a vendor lab, so the national-CERT carve-out does not apply; the underlying CSP behaviours are independently verifiable). Detection: alert on storage bucket-deletion API calls (GCP storage.buckets.delete, AWS CloudTrail DeleteBucket, Azure Microsoft.Storage/storageAccounts/delete) and on recreation of sink/replication targets; hardening: require multi-party approval for bucket deletion, enforce GCP VPC Service Controls / AWS account-region namespace isolation, and track sensitive-bucket ownership with DSPM. Maps to T1485/T1578 (resource manipulation) and the effective outcome of T1530 (data from cloud storage).

A new macOS ClickFix variant (Palo Alto Unit 42, via BleepingComputer 2026-06-23) drops the visible-DMG step: the fake-CAPTCHA Terminal lure now has the user paste a curl command that uses hdiutil attach -nobrowse to mount the disk image without it appearing in Finder or on the desktop, then launches a self-signed app via open (BleepingComputer, 2026-06-23). The payload is Atomic macOS Stealer (AMOS): it presents a fake System Preferences authentication prompt to capture the local password, then steals browser credentials across numerous Chromium- and Firefox-derived browsers, cryptocurrency-wallet data, and Keychain contents. [SINGLE-SOURCE] — BleepingComputer attributes to Unit 42 but a separate primary Unit 42 article for this specific technique was not located this run (see § 7). Detection on macOS: hdiutil attach -nobrowse invoked by a shell parented by Terminal; Terminal executing pasted commands referencing external download URLs; apps launched from /Volumes/ mounts; user awareness that legitimate CAPTCHAs never require Terminal input (T1204.001, T1105, T1555).

First disclosed in May and KEV-listed on 2026-05-29, the GlobalProtect portal/gateway authentication bypass moved into a confirmed exploitation wave this week. Unit 42 observed active exploitation by an unidentified actor attempting to access GlobalProtect, with Arctic Wolf reporting increasing exploitation volume and NCSC-CH refreshing its advisory on 2026-06-16 (Unit 42; daily 06-17). Notably, Unit 42 states no post-access lateral movement had been identified as of its analysis — so the current operational signal is unauthorised VPN session establishment, not yet confirmed downstream compromise. Patch to the fixed PAN-OS trains, and hunt GlobalProtect logs for authentications that bypass the expected portal flow.

The week's single most important research synthesis is that the AI developer toolchain — gateways, agents, IDE plugins and the Model Context Protocol — stopped being a theoretical risk and accumulated a cluster of working exploit chains. Microsoft's AutoJack showed a single malicious web page can drive host-level RCE through an AI browsing agent's local MCP WebSocket: a three-flaw chain in AutoGen Studio (origin-allowlist bypass, missing auth on /api/mcp/*, and OS command injection via StdioServerParams) lets an attacker-steered agent reach a privileged localhost socket and execute arbitrary host processes (Microsoft Security, 2026-06-18; daily 06-20). That sits alongside the week's other AI-surface disclosures: Obsidian Security's three-CVE LiteLLM chain turning any gateway user into root (Obsidian, 2026-06-16; daily 06-16), Varonis "SearchLeak" one-click M365 Copilot data exfiltration (CVE-2026-42824) (Varonis; daily 06-16), Unit 42's "Pickle in the Middle" cross-tenant code execution in Google Vertex AI (CVE-2026-2473) (Unit 42; daily 06-17), and 15 malicious JetBrains Marketplace plugins exfiltrating AI-provider API keys (Aikido; daily 06-18). Sophos X-Ops' underground-AI report (daily 06-19) confirms criminal interest in exactly these agent frameworks. The defender takeaway for CH/EU public-sector teams adopting AI tooling: treat self-hosted AI gateways and agent frameworks as internet-adjacent application servers — bind MCP/agent sockets to loopback behind a host firewall, run them under low-privilege isolated accounts, never on shared or production hosts, and rotate the API keys and cloud credentials these tools concentrate.

Unit 42 disclosed a cross-tenant RCE class in the Google Cloud Vertex AI SDK for Python (Unit 42, 2026-06-16). When a caller uploads a model without specifying a custom staging bucket, the SDK's stage_local_data_in_gcs() builds a deterministic, globally-unique bucket name from the project ID and region ({project-id}-vertex-staging-{region}). Because GCS bucket names are publicly claimable, an attacker who knows the target project ID can pre-register that bucket, attach a Cloud Function on object.finalize, and silently receive the victim's uploaded model.joblib — then swap in a malicious pickle. Vertex AI's serving agent deserialises the pickle and executes attacker code inside Google's serving container with the platform service account's privileges (The Hacker News, 2026-06-16). Google added bucket-name randomization (UUID4) in google-cloud-aiplatform 1.144.0 (2026-03-31) and the bucket-ownership check in the fully hardened 1.148.0 (2026-04-15); versions from 1.139.0 are affected and orgs on 1.144.0–1.147.x are only partially protected, so 1.148.0 is the version to target. No in-the-wild exploitation was observed.

Why it matters to us: Any EU/CH org running Vertex AI ML pipelines on the affected SDK that did not pin a staging bucket is exposed to the broader "resource-squatting" class — predictable cloud resource names without ownership verification. Upgrade the SDK to ≥ 1.148.0, audit jobs for default staging_bucket use, and alert on GCS objectCreate / ownership changes for any bucket matching the {project-id}-vertex-staging-{region} pattern not owned by your org.

UPDATE (originally covered 2026-05-30): Palo Alto's Unit 42 confirms an active exploitation campaign against the GlobalProtect cookie authentication-bypass (CVE-2026-0257) running since approximately late May (Unit 42, 2026-06-09). The flaw (CWE-565) decrypts an authentication-override cookie without any signature verification, letting an attacker forge a session and establish a VPN tunnel without credentials when the override feature is enabled (Palo Alto Networks PSIRT).

Arctic Wolf's telemetry documents post-exploitation consistent with Impacket tooling — SMB lateral movement, anonymous NTLM logon, share enumeration and domain-user discovery — across insurance, finance, manufacturing, education, engineering and healthcare targets in North America and Europe (Arctic Wolf, 2026-06-11). NCSC-CH refreshed its Security Hub advisory on 2026-06-16 to flag the Unit 42 confirmation (NCSC-CH Security Hub, 2026-06-16). Defenders: disable "Authentication Override" if not required, patch to fixed PAN-OS builds, and audit sessions since late May for Impacket-pattern lateral movement (EID 4624 Type 3 from unexpected IPs, SMB enumeration EID 5140/5145).

Two independent teams published complementary findings against OpenClaw, the self-hosted AI-agent platform that plugs into messaging systems, mailboxes, file systems and APIs. Imperva showed that shared contact names, vCard fields and location-pin labels flow into the LLM prompt with no untrusted-content boundary: a crafted contact — its injected command hidden behind 65 whitespace characters so the UI truncates it — executed python3 on the victim's host the moment the victim shared the contact with their agent (Imperva, 2026-06-10). Varonis demonstrated "agent phishing": a plain email from a plausible sender persuaded a mailbox-connected agent to forward mock AWS IAM keys and a customer export to an external address, with no exploit involved — the agent simply lacks sender-identity verification before acting (Varonis, 2026-06-09). Both teams note OpenClaw's default memory persistence lets one successful injection survive across sessions. The vendor fix (v2026.4.23) moves messaging-object metadata into a separate untrusted channel — but the structural lesson stands: wherever an agent ingests third-party-controlled strings (contacts, calendar invites, ticket bodies), that channel is an injection surface (T1059). Defender takeaway: pin OpenClaw ≥ v2026.4.23; inventory which AI agents hold mailbox send-permissions or shell access; gate agent-initiated outbound actions behind approval workflows the same way you gate privileged operations.

Unit 42 enumerates seven cloud-logging attack categories — five evasion, two visibility (Unit 42, 2026-06-09). Evasion techniques: stopping CloudTrail trails (StopLogging), deleting S3/GCS log destinations, removing GCP log-routing sinks, impairing customer-managed encryption keys (CMEK) so logs become unreadable, and log poisoning to mask activity with benign-looking entries; visibility techniques redirect logs to attacker accounts via cross-account delivery for long-term reconnaissance of defender detections (T1562.008, T1070, T1530). Hardening: S3 Object Lock / GCS locked-bucket immutable retention; IAM restrictions on cloudtrail:StopLogging, cloudtrail:DeleteTrail, logging.sinks.delete; alert on cloudtrail:UpdateTrail modifying KMS-key associations and on KMS key-policy changes affecting CloudTrail encryption. Log-integrity monitoring is a NIS2 incident-detection expectation, making this directly relevant to EU cloud-resident public-sector and financial workloads. [SINGLE-SOURCE] (Unit 42 primary research).

UPDATE (originally covered 2026-05-30): Unit 42's 9 June update on CVE-2026-0257 confirms that a limited number of probed PAN-OS GlobalProtect devices had attacker-established, gateway-connected VPN sessions, moving this from "exploit attempts observed" to confirmed successful exploitation (Unit 42, 2026-06-09). The bug (CWE-565, reliance on a cookie without integrity checking) lets an attacker extract the encryption certificate's public key from the TLS handshake and forge authentication-override cookies when that certificate is shared with another function; Rapid7 dates successful exploitation to 17 May from low-cost hosting IPs (Rapid7, 2026-05-29).

Affected: PAN-OS 10.2/11.1/11.2/12.1 and Prisma Access where authentication override is enabled with a shared certificate; patched in 12.1.7+, 11.2.12+, 11.1.15+, 10.2.18-h6+ and corresponding Prisma builds (Palo Alto Networks, 2026-06-03). Patch, then force one re-authentication so override cookies regenerate; as a workaround disable authentication override or assign it a dedicated certificate. Hunt GlobalProtect gateway logs for auth-method=cookie from unexpected source IPs.

Unit 42 reports that collaboration-platform phishing reached 42% of all phishing alerts in Cortex in the first four months of 2026, up from 30% in the preceding period, with Microsoft Teams external messaging the dominant vector (Unit 42, 2026-06-08). Two clusters dominate: Cloaked Ursa (APT29 / Midnight Blizzard) uses previously-compromised M365 tenants — often small-business accounts — to stand up IT-support-styled domains, then sends Teams messages requesting MFA approval or credential re-entry under an account-maintenance pretext. UNC6692 floods inboxes to manufacture urgency, then poses as IT support over Teams, ultimately delivering the SNOW suite — SNOWBELT (browser-extension backdoor), SNOWGLAZE (WebSocket tunneler) and SNOWBASIN (persistent backdoor) — after dumping LSASS via Task Manager (T1003.001) and moving laterally with Pass-the-Hash (T1550.002) (Mandiant, 2026-04-23). The root enabler is the default Teams configuration permitting unrestricted external-tenant messaging.

Why it matters to us: Hardening is configuration, not patching — restrict external access in the Teams Admin Center to explicitly-allowed partner domains and disable unmanaged/consumer-account chat. Detection concepts: Entra ID sign-in logs for logons originating from external M365 tenants; Teams activity logs for ExternalUserJoined events followed by rapid file/link shares; MDI alerts on MFA anomalies after cross-tenant contact. Extend AiTM-aware Conditional Access to Teams sign-in contexts.

Unit 42 details Operation FlutterBridge, the evolution of cluster CL-CRI-1089 (active since August 2025), which distributes macOS backdoors disguised as productivity apps (PodcastsLounge, PDF-Brain, PDF-Ninja) via hundreds of Google Ads bought through verified shell companies (Unit 42, 2026-06-02; The Hacker News, 2026-06-04). Every sample was signed with a valid Apple Developer ID and passed notarization, with zero VirusTotal detections at analysis time — Gatekeeper does not catch these. The FlutterShell payload keeps its malicious logic on an attacker-controlled website and uses a Flutter JavaScript-to-native bridge to translate JSON commands into native macOS calls, so capability changes need no new binary. Confirmed behaviour: arbitrary shell execution, file read/write, environment-variable theft, Chrome hijacking via the "Secure Preferences" file, and document exfiltration routed through the attacker's server under the guise of an AI document-summarisation feature. Targeting is global with explicit emphasis on Western Europe, including France and Germany.

Why it matters to us: notarization-bypassed, Developer-ID-signed macOS malware defeats the controls most teams lean on for Mac fleets. The reliable detection layer is behavioural: macOS endpoint telemetry for apps that instantiate a WKWebView with a custom JS message handler that then spawns shell processes, non-browser writes to Chrome's Secure Preferences, and outbound connections from "productivity" apps to CDN-fronted infrastructure.

UPDATE (originally covered 2026-05-23): Following Unit 42's coverage of UNC1549 / Screening Serpens AppDomainManager hijacking, Check Point Research (published 2026-05-22, widely re-reported this week) adds material technical depth on three February–April 2026 campaign waves keyed to Operation Epic Fury (Check Point Research, 2026-05-22; The Hacker News, 2026-05-26). The IRGC-affiliated actor replaced its MiniJunk family with a new backdoor, MiniFast — a 64-bit DLL with a single CheckForUpdates export and a JSON HTTP C2 using API-style endpoints (/agent/init, /agent/poll, /upload/) and a 14-opcode command set including DLL injection, UAC elevation and scheduled-task persistence.

Two persistence/delivery techniques are new versus the prior coverage: (1) Zoom scheduled-task hijacking (T1053.005) — instead of creating a suspicious new task, the malware watches for the legitimate ZoomUpdateTaskUser-<SID> task and hijacks it; (2) SEO poisoning (T1598.003) via a fake SQL Developer download domain ranked on Bing/DuckDuckGo, alongside T1574.008 AppDomain hijacking via redirected .config files. The loader chain validates parent=svchost.exe before proceeding and abused two SSL.com-issued code-signing certificates (Check Point Research, 2026-05-22). Hunt for ZoomUpdateTaskUser-* task modifications by non-Zoom processes, non-default AppDomainManager values in .NET .config files, and execution from user-writable AppData paths.

Unit 42 published a comprehensive write-up on Screening Serpens (a.k.a. UNC1549, Smoke Sandstorm, Nimbus Manticore) on 2026-05-22 covering operations from February through April 2026 timed to the onset of the U.S.–Israeli Middle East conflict that began 2026-02-28 (Unit 42, 2026-05-22 · Cybersecurity Dive, 2026-05-22). The group deployed new RAT variants across two malware families: MiniUpdate in four variants used between 2026-03-26 and 2026-04-17 with lures impersonating aviation, healthcare and financial-services firms, and MiniJunk V2 in two variants used between 2026-02-17 and 2026-03-27 against Middle Eastern and U.S. targets.

The technically significant evolution is AppDomainManager hijacking (T1574.014) paired with classic DLL sideloading (T1574.001): the infection chain drops a legitimate Microsoft .NET executable alongside a weaponised UpdateChecker.dll / InitInstall.dll / Updater.dll and — critically — a malicious .runtimeconfig.json that redirects the CLR's AppDomainManager loading at process startup, silently disabling ETW tracing and strong-name validation before the RAT executes. That leaves the host's EDR operating in a reduced-telemetry mode on every infected workstation. Delivery is high-touch — fake recruitment PDFs, spoofed video-conference meeting invitations, and ZIP archives containing a legitimate executable as the trigger; persistence uses scheduled tasks; C2 routes through Azure-hosted domains. Confirmed targets: U.S., Israel, UAE, plus at least two further Middle Eastern entities consistent with prior UNC1549 focus on aerospace, defence and telecommunications. The CH/EU nexus is indirect but real — Swiss aerospace and defence suppliers (RUAG, Pilatus and defence export channels) sit squarely in the sector profile, as do EU R&D firms historically swept up in Iranian collection campaigns.

Detection vantage: alert on .runtimeconfig.json writes by non-installer processes; watch the Microsoft-Windows-DotNETRuntime ETW provider for StrongNameVerification=0 startup events and CLR debug-mode initialisation; watch scheduled-task creation from processes with .dll parent images loading via rundll32.exe / svchost.exe. Hardening: enforce a code-integrity policy (UMCI + trusted-signers allowlist) so unsigned DLLs cannot load into the .NET CLR; restrict .runtimeconfig.json writes outside install paths via FIM.

Unit 42 documents (2026-05-22) systematic nation-state operationalisation of ROADtools — the open-source Python Entra ID attack/defence framework hosted at github.com/dirkjanm/ROADtools — by three named clusters: Cloaked Ursa / Midnight Blizzard / APT29 / NOBELIUM (Russia), Curious Serpens / Peach Sandstorm / APT33 (Iran) and UTA0355 (Russian state-affiliated) (Unit 42, 2026-05-22). The chain begins with credential compromise (password spray or OAuth device-code phishing — see § 1 Kali365), then uses roadtx to register attacker-controlled devices in the victim's Entra ID tenant, establishing persistence via a Primary Refresh Token bound to a registered device. The roadrecon module performs systematic directory enumeration via legacy Azure AD Graph API calls — now also ported to the msgraph branch — targeting users, groups, service principals, application permissions and OAuth token grants.

MITRE ATT&CK techniques mapped explicitly by Unit 42: T1098.005 (Account Manipulation: Device Registration), T1550 (Use Alternate Authentication Material), and T1087 (Account Discovery via Microsoft Graph API). The device-PRT-binding step functionally bypasses tenant MFA — the brief leaves the explicit T1556.006 framing off since Unit 42 does not map it that way; defenders running custom ATT&CK overlays may want to add it themselves. Volexity's April 2025 OAuth device-code paper is the historical background for the device-code half of the chain. Detection vantage: monitor Entra ID audit logs for Add device events from unfamiliar device names or from IPs not in expected employee geographies; alert on sign-in logs carrying the roadtx user-agent string or unexpected https://login.microsoftonline.com/common/oauth2/token device-code grant flows; review Microsoft Graph Activity Logs for bulk GET /users, GET /groups and GET /servicePrincipals calls clustered by time. Hardening: enforce Conditional Access token-protection (token binding renders stolen tokens non-transferable across devices); restrict device registration to compliant or hybrid-joined devices only; enforce Privileged Access Workstation policy for admin token issuance; block Azure AD Graph via blockLegacyAuthentication. Midnight Blizzard has a documented pattern of targeting EU diplomatic corps and government Microsoft 365 tenants, so the relevance to Swiss federal and EU institution Entra estates is direct.

UPDATE (originally covered 2026-05-19, updated 2026-05-21): Unit 42 (Palo Alto Networks) and StepSecurity published concurrent technical analyses on 2026-05-21 of the TeamPCP Mini Shai-Hulud npm supply-chain campaign, establishing the defining novelty of this wave: the first documented case of malicious npm packages carrying valid SLSA Build Level 3 provenance attestations (Unit 42, 2026-05-21). Attackers compromised TanStack's legitimate GitHub Actions CI/CD pipeline's trusted OIDC identity mid-workflow — without stealing developer credentials — making the SLSA attestation genuine while the package payload was malicious. This invalidates "package carries valid provenance attestation" as a sufficient supply-chain integrity gate.

The execution chain runs tanstack_runner.js under the Bun JavaScript runtime, enumerating stored credentials including gh auth token capture (T1552.001 Unsecured Credentials: Credentials In Files); stolen npm tokens and GitHub PATs are used to backdoor every package the victim account can publish (T1650 Acquire Access), making the worm self-propagating across the npm ecosystem. By end of the 2026-05-11 wave, 373 malicious package versions across 169 npm packages and PyPI mirrors were active (Unit 42, 2026-05-21).

Defender actions from this technical update: (a) SLSA attestation verification is now insufficient as a sole gate — add runtime behavioural scanning of npm install scripts alongside provenance checks; (b) Pin GitHub Actions to commit SHAs, not mutable tags, to prevent mid-workflow OIDC identity hijack; (c) If pipelines ran npm publish during 2026-05-11 to 2026-05-12, rotate npm tokens and GitHub PATs and audit owned packages for unauthorised versions; (d) In environments where Bun is not an approved runtime, flag any bun or bun.js process execution from a CI runner context (Sysmon EID 1 process-name filter).

UPDATE (originally covered 2026-W21): West Pharmaceutical Services (NYSE: WST) filed an 8-K/A amendment under SEC Item 1.05 on 2026-05-20 confirming full operational restoration across all manufacturing, supply chain, and commercial sites globally after the May 4 ransomware intrusion (SEC EDGAR 8-K/A, 2026-05-20). No unauthorized activity observed since 2026-05-05. Data exfiltration scope and threat actor attribution remain under investigation; Palo Alto Networks Unit 42 is conducting the forensic response. The 8-K/A marks formal closure of the containment phase under the SEC's mandatory cyber-incident disclosure cycle; data impact scope will require a further disclosure when the investigation concludes.

If you did nothing this week: any pipeline that resolved an affected npm / PyPI / Packagist dependency, installed a poisoned VS Code extension, or was one of the 5,561 GitHub repositories mass-backdoored by the Megalodon sub-campaign has most likely had its OIDC tokens, cloud credentials and CI secrets exfiltrated — and GitHub itself was named in a breach claim this week.

The campaign escalated every day of the window (full trajectory in § 2). The defender-relevant constant is the propagation primitive: OIDC-token reuse across the registry trust boundary, plus IDE-hook and CI-workflow injection that runs at build time inside an already-trusted runner. Unit 42 and StepSecurity confirmed on 2026-05-21 that SLSA Build Level 3 provenance attestation is no longer a reliable integrity gate for these waves — the malicious build step executes inside the legitimately-attested pipeline, so the attestation signs the compromised artefact. Hunt for unexpected npm publish / npm stage events, outbound connections from CI runners to non-registry hosts, and IDE-hook entries (.vscode/tasks.json, .claude/settings.json) committed in dependency updates. Rotate any CI token that was live during a dependency bump in the window; do not trust provenance attestation alone to clear a package.

This is the week's defining chain. After the worm framework was open-sourced on 2026-05-12, the window saw it move from a single operator's tool to commodity capability, escalating almost daily:

• 2026-05-18 → 19 — First copycat wave: TeamPCP imitators deploy Phantom Bot plus SSH/cloud stealers, the Checkmarx Jenkins plugin is re-trojanised, and a rival "PCPJack" worm appears, per Ox Security (daily 2026-05-19). Same window: the Nx Console VS Code extension (2.2M installs) is pushed malicious for an 11-minute window (12:36–12:47 UTC, 2026-05-18) via stolen publisher credentials, and all 53 tags of actions-cool/issues-helper are moved to an imposter commit reading /proc/PID/mem of the Runner.Worker (daily 2026-05-20).
• 2026-05-21 — Escalation to platform scale: GitHub itself is named in a breach claim, Microsoft's official durabletask PyPI package is weaponised (propagating via AWS SSM and kubectl exec), and Grafana confirms a missed-token-rotation root cause (The Hacker News; daily 2026-05-21).
• 2026-05-22 — Unit 42 and StepSecurity publish concurrent analyses establishing that SLSA Build Level 3 provenance attestation is invalidated as an integrity gate for these waves — the malicious build step runs inside the legitimately-attested pipeline (Unit 42; daily 2026-05-22).
• 2026-05-23 (disclosure; event 2026-05-18) — SafeDep and OX Security disclose the Megalodon sub-campaign, which mass-poisoned 5,561 GitHub repositories in a ~6-hour window on 18 May using forged CI-bot identities and templated commit messages, harvesting cloud credentials and OIDC tokens (SafeDep; daily 2026-05-23). A further Packagist/Laravel-Lang compromise is reported the same day (daily 2026-05-24).

Two in-window synthesis documents consolidate the picture. The Cloud Security Alliance research note (2026-05-22) frames the whole event as a two-wave attack: Wave 1 (Mini Shai-Hulud, 29 Apr – 12 May) hijacked TanStack's GitHub Actions runner via a pull_request_target trigger plus Actions cache poisoning, extracted a live OIDC token from runner process memory via /proc/PID/mem, obtained a Sigstore signing certificate from Fulcio, and produced SLSA BL3 provenance attestations for 404 malicious package versions across 172 packages (CVE-2026-45321, CVSS 9.6) — the first publicly-documented hijack of trusted build pipelines to generate attestation-bearing malicious artefacts. Wave 2 (Megalodon, from 18 May) pushed 5,718 commits to 5,561 repos in under six hours, harvesting AWS IAM, GCP/Azure IMDS, SSH, Docker auth, .npmrc, .netrc, Kubernetes configs, Vault tokens and Terraform state. Separately, GitHub's official post-incident blog (2026-05-20) confirmed an employee device was compromised via the poisoned Nx Console extension (GHSA-c9j4-9m59-847w) and ~3,800 GitHub-internal repositories were exfiltrated, with no customer-data impact found as of publication and a fuller report still outstanding.

Defender takeaways: set permissions: id-token: none on workflows that do not need OIDC; disable or isolate pull_request_target for fork PRs (permissions: contents: read); treat Git commit author/committer fields as unverified free text (use contributor allow-lists / push-rule bypass-actor audit events to catch Megalodon-style forged identities); audit Sigstore Rekor for unexpected signing events from your own pipeline identity; and do not accept SLSA BL3 attestation alone as a clean-package signal.

Unit 42 documented systematic nation-state operationalisation of the open-source ROADtools Entra ID framework by Midnight Blizzard, Curious Serpens and UTA0355 for device registration, token theft and tenant enumeration (daily 2026-05-23). This is the most broadly relevant item in the section — every M365/Entra tenant is in scope. Hunt for unexpected device-registration events, anomalous service-principal token requests, and ROADtools-characteristic enumeration patterns; tighten conditional-access on device-registration and review legacy-auth exposure.

Unit 42 detailed Screening Serpens using AppDomainManager hijacking to silently disable ETW and strong-name verification across six newly-documented RATs (daily 2026-05-23). The ETW-blinding plus strong-name-check bypass is the detection-relevant tradecraft — it defeats both behavioural telemetry and signature-trust controls in one step. Where AppDomainManager-redirection is not required by an application, monitor for the appDomainManagerAssembly / appDomainManagerType config and environment-variable hijack vectors.

Cyera Research published on 2026-05-15 four chained vulnerabilities in OpenClaw (also marketed as Clawdbot), an autonomous AI-agent platform released in late 2025 with integrations including Microsoft Agent 365 (Cyera Research, 2026-05-15 · The Hacker News, 2026-05-15). All four CVEs are fixed by the OpenClaw release dated 2026-04-23, addressed under GitHub Security Advisories GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx. The defender-relevant detail is that an attacker who can obtain code execution inside the OpenClaw managed sandbox — achievable via a malicious plugin, prompt injection into the agent context, or supply-chain compromise of an OpenClaw plugin — can chain the four primitives to a full sandbox-escape → credential-harvest → owner-level agent control → file-disclosure sequence whose steps each mimic normal agent behaviour and so evade controls calibrated to "human-attacker" indicators. CVE-2026-44112 (CVSS 9.6, Critical) is a TOCTOU race in the OpenShell sandbox backend that lets the sandbox process win the filesystem write race and redirect writes outside the intended mount root, enabling host-filesystem tampering and persistent backdoor placement. CVE-2026-44115 (CVSS 8.8, High) is an incomplete allowlist in OpenClaw's command parser — shell-expansion tokens embedded in environment-variable names bypass the validation gate, leaking API keys, tokens, and credentials at execution time. CVE-2026-44118 (CVSS 7.8, High) trusts a client-controlled senderIsOwner flag in MCP loopback messages without validating against the authenticated session, allowing privilege escalation to owner-level agent control. CVE-2026-44113 (CVSS 7.7, High) is the companion TOCTOU read escape enabling file disclosure outside the sandbox root. Exposure is broad: Cyera cites ~65 K (Shodan) and ~180 K (ZoomEye) publicly accessible OpenClaw instances as of May 2026, summing to an estimated ~245 K exposed servers. No in-the-wild exploitation reported at disclosure. Detection: alert on the agent process writing files outside designated sandbox mount directories; flag MCP loopback messages with senderIsOwner=true from sources not matching the authenticated session; alert on environment-variable expansion in command strings at agent execution time.

Palo Alto Networks Unit 42 published on 2026-05-15 an analysis of evolved variants of the Gremlin information stealer, adding three new capability tiers operationally relevant to defenders running endpoint detections tuned for older Gremlin samples (Palo Alto Networks Unit 42, 2026-05-15). Obfuscation has shifted to embedding encrypted payloads in .NET resource sections (XOR-keyed) combined with single- or double-character identifier renaming and a runtime string-decoder function (_003CModule_003E.c()) — defeating static signature analysis of string literals that previous-generation Gremlin samples used. A new crypto-clipper component continuously monitors the system clipboard and replaces Bitcoin and Ethereum wallet addresses with attacker-controlled equivalents in real time, T1115. The most operationally interesting addition is a WebSocket-based session-hijack module that reads active browser process memory (Chrome-based browsers) to extract session tokens directly from running processes, bypassing the cookie-encryption mitigations modern browsers apply at disk — T1185 Browser Session Hijacking. Credential scope includes browser cookies, session tokens, saved passwords, payment-card details, FTP and VPN credentials, Discord tokens (dedicated regex scanner), clipboard content, and cryptocurrency wallet files. Exfiltration is HTTPS POST to a private web panel; a Telegram Bot API channel is the secondary channel. Detection: Sysmon EID 10 (process access) targeting chrome.exe or msedge.exe (and other Chrome-based browser processes) from unexpected parent processes; clipboard-monitoring hook registration from non-standard processes (generic Windows clipboard-listener API surface). Hardening: browser isolation for high-value sessions; clipboard-API access audited in EDR telemetry. Single-source — Unit 42 only; flagged for verification.

UPDATE (originally covered 2026-05-07 deep dive, last updated 2026-05-13): Palo Alto Networks PSIRT updated its CVE-2026-0300 advisory on 2026-05-13 to reflect first-wave patch availability but to also disclose a second patch wave with an ETA of 2026-05-28 for eight commonly-deployed build streams: PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21 and 10.2.16-h7 (Palo Alto Networks PSIRT, updated 2026-05-13). Operators running any of those builds cannot patch yet; the interim mitigation — restrict User-ID Authentication Portal to trusted zones, or disable Captive Portal if unused — is the only option until 28 May. CL-STA-1132 in-the-wild exploitation continues; the cluster's tradecraft (EarthWorm / ReverseSocks5 tunnels, AD enumeration via firewall service account, deliberate log destruction) is unchanged from prior coverage (Unit 42 — Captive Portal Zero-Day, 2026-05-06).

The CISA KEV entry was updated on 2026-05-13 to note "Palo Alto has released a variety of patches"; the FCEB remediation deadline (2026-05-09) has already expired. Per PD-13 the KEV deadline is not the operational driver in CH/EU — the active-exploitation status, the affected-build delay, and the CL-STA-1132 attribution are. The wave-2 delay specifics are documented in the vendor PSIRT advisory and were not independently corroborated by HIGH-reliability third-party reporting in window; treat the eight-build "ETA 05/28" list as vendor-primary and verify against the live PSIRT entry before any rollout planning.

UPDATE (originally covered as the 2026-05-07 deep dive; updates 2026-05-08 → 2026-05-10): Palo Alto Networks' PSIRT page for CVE-2026-0300 (last updated 2026-05-07 at time of run) now lists first-wave fixed builds with an ETA of 2026-05-13 for several mainline branches and a second wave around 2026-05-28 for the remaining branches; no patched build is yet shipped against the unauthenticated root RCE in the User-ID Authentication Portal / Captive Portal service. The CL-STA-1132 cluster attribution and the ~2026-04-09 first-observed-exploitation date come from Unit 42's separate Captive Portal Zero-Day threat bulletin, not from the PSIRT advisory itself.

Operationally: until the 05/13 first-wave builds ship, the interim Threat Prevention signature 510019 plus source-IP restriction of the captive-portal interface to trusted internal ranges remain the only defender controls for branches that do not yet have a fixed build. PA-Series and VM-Series operators with User-ID Authentication Portal or Captive Portal exposed should treat tomorrow as a pre-staged deployment window — confirm a tested rollback path, validate the interim signature is enforced (Threat Prevention licence required), and verify the captive-portal listener is reachable only from authorised source ranges. Prisma Access, Cloud NGFW and Panorama are not affected. The CISA KEV deadline (2026-05-09) has already expired for FCEB agencies and per PD-13 does not drive Swiss/EU action framing on its own — the operational driver is the actively-exploited ITW status and the imminent first-wave patch ship date.

For any PA-Series / VM-Series perimeter device on PAN-OS 12.1, 11.2, 11.1, or 10.2 that has User-ID Authentication Portal or Captive Portal enabled, prepare today for the 2026-05-13 first-wave build release per Palo Alto's PSIRT advisory for CVE-2026-0300: confirm a tested rollback path, validate the change window for tomorrow, and pre-fetch release notes the moment the fixed builds publish. Until the first-wave builds ship, keep Threat Prevention signature 510019 enforced (requires Threat Prevention licence) and restrict the captive-portal listener to trusted internal source ranges. The second wave is expected around 2026-05-28 for the remaining branches (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7); plan a second deployment window then. The CISA KEV deadline has expired but the operational driver here is active ITW exploitation per Unit 42 — Captive Portal Zero-Day, not the FCEB compliance date.

If you did nothing this week: any PA-Series or VM-Series firewall with the User-ID Authentication Portal enabled and internet-reachable has been within the attack window since 2026-04-09 — three weeks before public disclosure (2026-05-06) and four-and-a-half weeks before the first staged patch becomes available (2026-05-13). The daily 2026-05-09 UPDATE recorded an observed dwell time of approximately 20 days from initial compromise to second-device exploitation on at least one tracked victim; the relevant retrospective-log question is whether your firewall has been compromised since mid-April, not whether it might be compromised next week.

CVE-2026-0300 (CVSS 9.3, CWE-121 stack-based buffer overflow) is an unauthenticated remote code execution in the PAN-OS User-ID Authentication Portal — a network-accessible service that a single crafted packet exploits to root on the firewall's management plane (Palo Alto Networks Security Advisory, 2026-05-06 · Unit 42 primary research, 2026-05-06). CERT-EU issued a Critical Advisory (rare designation) on disclosure day (CERT-EU 2026-006, 2026-05-06); CERT-FR followed with CERTFR-2026-AVI-0537 (CERT-FR, 2026-05-06). Unit 42 tracks the active exploitation cluster as CL-STA-1132 and characterises it as likely state-sponsored activity. Unit 42's primary research records shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, and Python implants under /var/tmp/linuxupdate and /tmp/.c; the daily 2026-05-09 UPDATE additionally surfaces a rogue admin name pattern svc-health-check-[6-digit-numeric] (bypassing normal admin-role RBAC), running-configuration export including pre-shared keys, and OSPF-based internal AD enumeration — a profile consistent with T1190 Exploit Public-Facing Application, T1055 Process Injection, T1003 OS Credential Dumping, and T1572 Protocol Tunneling. Patch availability is staged 2026-05-13 → 2026-05-28 across PAN-OS branches 10.2.x / 11.1.x / 11.2.x / 12.1.x; Cloud NGFW and Prisma Access are not affected. Until patches land, the operational expectations are (1) disable the Authentication Portal entirely where it is not required, (2) restrict it to trusted internal IP ranges via security policy where it is, (3) PAN-OS 11.1+ users should confirm Threat ID 510019 is in blocking mode, and (4) review authentication-portal logs and admin-account listings from 2026-04-09 onward for retrospective compromise evidence (daily 2026-05-07 deep dive; daily 2026-05-09 update).

If you did nothing this week: Microsoft Security Blog observed active campaigns deploying both Linux LPE families post-compromise; the daily 2026-05-09 UPDATE synthesised the operator-side selection logic as Copy Fail (algif_aead page-cache write) used on hosts where the module is available, Dirty Frag (xfrm-ESP and RxRPC page-cache writes) on hosts where user namespaces are enabled without algif_aead. Microsoft documents the same initial-access vector (SSH credential stuffing on exposed management ports) feeding both chains, and both defeat conventional on-disk file-integrity monitoring because the write lands in the kernel page cache rather than on disk (Microsoft Security Blog, 2026-05-08 · daily 2026-05-09 update).

Copy Fail (CVE-2026-31431, CVSS 7.8) is deterministic — no kernel-version offsets, no timing windows. A public 732-byte Python exploit exists; Go and Rust reimplementations have appeared in public code repositories; Kaspersky validated the container-to-host escape vector on Docker / LXC / Kubernetes when algif_aead is loaded on the host kernel (default on most distributions) (CERT-EU Advisory 2026-005, 2026-04-30 · Unit 42 — Copy Fail · BSI WID-SEC-2026-1232 · daily 2026-05-06 deep dive). Dirty Frag chains CVE-2026-43284 (xfrm-ESP / IPsec) with CVE-2026-43500 (RxRPC) into another deterministic root primitive via page-cache write primitives in both subsystems; researcher Hyunwoo Kim disclosed it 2026-05-07/08 after a third party reverse-engineered the upstream patch and broke embargo. CVE-2026-43500 distro patches remain pending at week-end (Wiz Research, 2026-05-08 · Red Hat RHSB-2026-003 · Ubuntu — Dirty Frag fixes-available · NCSC-CH 12547 · daily 2026-05-09). Both map to T1068 Exploitation for Privilege Escalation and T1548.001 Setuid and Setgid Abuse. Defenders should treat file-integrity monitoring as insufficient detection for either family — runtime detection lands on auditd execve of /usr/bin/su / /usr/bin/sudo / /usr/bin/passwd from anomalous parent processes, EDR process-ancestry rules for root from non-root contexts, and (for Copy Fail specifically) eBPF or EDR alerts on AF_ALG socket creation in container namespaces.

Mitigation hierarchy when patches are not yet deployable: kernel patches first (Ubuntu 6.1.98-1ubuntu1, RHEL kernel-5.14.0-503.14.1, Debian 12 pending at week-end; upstream 6.18.22 / 6.19.12 / 7.0 for Copy Fail); blacklist algif_aead via modprobe.d and update-initramfs -u; modprobe -r esp4 esp6 rxrpc for Dirty Frag (breaks IPsec VPNs and AFS); seccomp profiles blocking AF_ALG socket creation for containerised workloads; disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Ubuntu / Debian, user.max_user_namespaces=0 on RHEL) to remove CAP_NET_ADMIN as a default acquisition path for Dirty Frag.

The PAN-OS Captive Portal zero-day chain compressed an entire incident-response cycle into one ISO week. 2026-05-06 — Palo Alto disclosed CVE-2026-0300 (CVSS 9.3 unauthenticated root RCE); CERT-EU issued a rare Critical Advisory; CISA listed in KEV with deadline 2026-05-09; Unit 42 attributed active exploitation since 2026-04-09 to CL-STA-1132 and characterised it as likely state-sponsored (Palo Alto PSIRT, 2026-05-06 · CERT-EU 2026-006, 2026-05-06 · Unit 42, 2026-05-06 · daily 2026-05-07 deep dive). 2026-05-08 — KEV deadline announced as the next day; mitigation hardening (disable Captive Portal, restrict to internal CIDR, Threat ID 510019) repeated; daily flagged that organisations must confirm mitigation by today before close-of-business (daily 2026-05-08). 2026-05-09 — KEV deadline expired today, no patch exists; vendor confirmed earliest patches at 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4 expected 2026-05-13; Unit 42 published post-exploitation cluster framing — rogue admin account name pattern svc-health-check-[6-digit-numeric], Python tunnelling implants under /var/tmp/linuxupdate / /tmp/.c, OSPF-based internal AD reconnaissance; observed dwell time ~20 days from initial compromise to second-device exploitation on a tracked victim (daily 2026-05-09 UPDATE). 2026-05-10 — Unit 42 added EarthWorm / ReverseSocks5 tunnelling specificity (already adjacent to the prior framing; marginal delta over the cluster narrative).

The campaign-state lens a daily reader cannot see from one day: every organisation with an internet-facing PAN-OS Captive Portal that did not disable or restrict it during 2026-W19 is in the same posture on 2026-W20 — still no patch, still exposed, still inside CL-STA-1132's targeting window. Retrospective log review for the svc-health-check- account pattern, anomalous outbound from the firewall management IP, and unexpected nginx child processes back-to-back-to-back through 2026-04-09 is the highest-priority hunting action for the new week. ATT&CK profile: T1190, T1055, T1003, T1572, T1018 Remote System Discovery.

Current state: actively in-the-wild against internet-facing PAN-OS PA-Series / VM-Series firewalls since approximately 2026-04-09; the KEV deadline (2026-05-09) expired with no patch available and the staged patch window runs 2026-05-13 → 2026-05-28. Post-exploitation tradecraft per Unit 42 and the daily 2026-05-09 UPDATE is consistent: shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, Python implants under /var/tmp/linuxupdate and /tmp/.c; the daily UPDATE additionally records rogue admin accounts named svc-health-check-[6-digit-numeric], PAN-OS credential-store theft, and Active Directory enumeration via OSPF queries. Unit 42's 2026-05-08 update added explicit EarthWorm / ReverseSocks5 framing to the cluster (covered as marginal delta in the 2026-05-10 daily). Outstanding question for defenders into 2026-W20: with patches landing 2026-05-13 → 2026-05-28, the at-risk window remains open into next week's reporting and retrospective-log review for the svc-health-check- pattern across the 2026-04-09 → present period is the highest-priority hunt action. (Daily references: 2026-05-07 deep dive · 2026-05-09 UPDATE.)

UPDATE (originally covered 2026-05-07):

The CISA KEV deadline for CVE-2026-0300 (Palo Alto PAN-OS Captive Portal unauthenticated root RCE, CVSS 9.3) is today, 2026-05-09. Palo Alto Networks has not yet released a firmware patch; the vendor statement from 2026-05-08 confirmed the earliest expected maintenance release containing a code fix is PAN-OS 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13. Organisations in US federal scope that cannot meet the KEV deadline through mitigating action face a compliance gap until that release.

Palo Alto's mitigation guidance remains: disable Captive Portal (Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal) or disable GlobalProtect and Captive Portal if not operationally needed. Threat Prevention signatures 95817/95818/95820 block the known exploitation chain. PA-Series hardware appliances running content update < 8765-9032 are not covered by the signatures.

Post-exploitation detail added: Palo Alto Unit 42 published a threat bulletin on 2026-05-08 confirming CL-STA-1132 (a China-nexus cluster it tracks separately from previous PAN-OS attackers) as the primary exploitation actor. Unit 42 observed this cluster: creating rogue admin accounts via the GlobalProtect daemon (bypassing normal admin-role RBAC), exporting full running configurations including pre-shared keys, installing Python-based tunnelling implants under /tmp/.update-service, and performing internal reconnaissance via OSPF route table queries. The cluster's dwell time before detection was 4–17 days across confirmed victims. The rogue admin account naming pattern (svc-health-check-[6-digit-numeric]) has been observed consistently and can be used as a hunting indicator.