UPDATE: TeamPCP / Shai-Hulud — first copycat wave (OX Security npm packages w/ Phantom Bot + SSH/cloud stealers); Checkmarx Jenkins plugin trojanised (third in three months); SentinelLabs PCPJack rival worm

UPDATE (originally covered 2026-05-15): Microsoft formally assigned CVE-2026-45585 to the BitLocker / WinRE bypass disclosed by "Nightmare Eclipse" on 2026-05-12 and confirmed there is still no security update. The MSRC update guide entry, published 2026-05-19, classifies it as CWE-77 (command injection in BitLocker / Windows Recovery Environment), CVSS 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), with exploit-code maturity rated E:P (proof-of-concept) and remediation level RL:W (workaround only).

Microsoft's interim mitigation requires per-endpoint work on every device using TPM-only BitLocker (no PIN / password protector): mount the WinRE image, remove the autofstx.exe entry from the BootExecute registry value inside the WinRE image, commit the image, then re-establish BitLocker trust for WinRE. The MSRC FAQ states: "A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Practically: for fleets at scale (Swiss federal admin, cantonal endpoints, classified Windows devices), the more durable hardening is to add a BitLocker PIN or password protector rather than relying solely on TPM-only. The WinRE registry edit is fragile and breaks on Windows feature updates that re-stage the WinRE image; the PIN/password protector closes the exposure regardless of WinRE state.

UPDATE (originally covered 2026-05-09 deep dive on CVE-2026-44128 cluster): InfoGuard Labs — the Baar-based Swiss security firm that performed the original SEPPmail review — published its full technical write-up on 2026-05-18. The principal new finding is CVE-2026-2743 (CVSS 10.0): a pre-authenticated path traversal in SEPPmail's Large File Transfer (LFT) component (/v1/file.app endpoint, handle_request function) that passes a JSON-supplied filename through WebMailMessage::store_attachments without sanitisation. The attacker writes arbitrary files as the nobody user; because nobody has unusual write access to /etc/syslog.conf, an attacker can overwrite it with a piped Perl reverse-shell one-liner and trigger a newsyslog rotation (15-minute cron sending SIGHUP to syslogd) to obtain unauthenticated RCE.

CVE-2026-2743 only affects instances with the LFT license enabled (exposure is detectable: /v1/file.app returns 404 if LFT is not provisioned). InfoGuard's Censys-driven scan suggests the majority of customer instances do have LFT enabled. The 2026-05-09 deep dive covered CVE-2026-44128 / 44125 / 44126 / 44127 / 44129 / 7864, all patched in v15.0.4; CVE-2026-2743 is also addressed by v15.0.4 but defenders that delayed the v15.0.4 update on the assumption their LFT-disabled posture limited exposure should re-evaluate: any host running an earlier build is now a pre-auth-RCE candidate independent of the GINA V2 path. InfoGuard notes: "The chain allows for a complete takeover of the SEPPmail appliance. Attackers can read all mail traffic and persist indefinitely on the gateway. On these virtual appliances the Blue Teams have usually no visibility." Apply v15.0.4 to all Swiss / DACH SEPPmail appliances immediately if any remain on an earlier build; monitor /v1/file.app POST requests with ../ sequences in the JSON body; alert on unexpected Perl process trees spawned by syslogd.

UPDATE (originally covered 2026-05-14 backend database leak analysis): The TheGentlemen RaaS group's leak site listed two new European victims this week: University of Finance and Administration (VSFS, vsfs.cz) in the Czech Republic on 2026-05-19 and Swiss engineering firm DEVO-Tech AG (devo-tech.ch, Ziefen / BL) on 2026-05-18. The DeXpose write-ups are aggregator coverage of the leak-site listings themselves; neither victim has publicly confirmed the breach as of this brief. TTPs, infrastructure, and the Go-based locker remain unchanged from the Check Point Research deep coverage of 2026-05-14 — the new data point is geographic spread continuing into EU higher education and Swiss SMB engineering.

Higher-education and public-sector defenders in the DACH region should confirm offline-backup integrity and revisit SD-WAN / VPN gateway patch posture (the primary initial-access vectors documented for TheGentlemen in prior reporting). Listings are not victim confirmation; both organisations were listed by TheGentlemen and not confirmed by the victims themselves.

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by deadcode09284814 — chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7); axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojaned.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with installed Checkmarx plugin should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).

UPDATE (originally covered 2026-W21): Grafana Labs issued an official 2026-05-18 confirmation of the GitHub Pwn-Request breach previously reported in the 2026-W21 weekly summary (SecurityWeek, 2026-05-18; BleepingComputer, 2026-05-18; The Register, 2026-05-18). The material new disclosures in the 2026-05-18 confirmation: Grafana explicitly states (a) only source code was accessed — "no personal or customer information was stolen"; (b) the incident has not impacted customer systems or operations; (c) the ransom was refused. The technical-mechanism details (pull_request_target workflow misconfiguration, forked-PR injection of a curl command, harvested write-scoped GitHub token, canary-token detection) were previously reported in the 2026-W21 weekly summary citing THN's earlier coverage (The Hacker News, 2026-05-17); they are repeated here as context for defenders who did not catch the weekly. CoinbaseCartel is assessed by THN as an offshoot of the ShinyHunters / Scattered Spider / LAPSUS$ ecosystem and has accumulated ~170 victims since September 2025.

Defender takeaway: Grafana OSS is the de facto monitoring/observability platform in EU/CH public-sector SOC and NOC environments; defenders should monitor non-official Grafana plugin updates and unsigned Grafana agent builds for the next 30 days as a potential supply-chain trojanisation follow-on. The Pwn-Request attack pattern is the same class of CI/CD misconfiguration covered by SentinelOne's Living off the Pipeline taxonomy (referenced 2026-05-16); audit every pull_request_target workflow to ensure no privileged steps run on untrusted-fork code, set permissions: read-all at workflow level and elevate only as needed, and separate privilege-requiring steps into a second workflow_run workflow gated on merged code. MITRE T1195.002 / T1552.004 / T1567.

UPDATE (originally covered 2026-05-15): Researcher "Chaotic Eclipse" / "Nightmare Eclipse" released a third unpatched Windows LPE PoC on 2026-05-17 — MiniPlasma — extending the YellowKey and GreenPlasma series covered in the 2026-05-15 daily (BleepingComputer, 2026-05-17; The Hacker News, 2026-05-18). The material new technical detail: MiniPlasma targets the cldflt.sys Cloud Filter Mini Filter Driver — specifically the HsmOsBlockPlaceholderAccess routine — and abuses the undocumented CfAbortHydration API to create arbitrary registry keys in the .DEFAULT user hive without proper ACL checks, escalating from standard user to SYSTEM. The flaw was originally reported by Google Project Zero (James Forshaw) in September 2020 and nominally patched in December 2020 as CVE-2020-17103; Chaotic Eclipse asserts the exact same code path remains exploitable on fully-patched Windows 11 with May 2026 cumulative updates applied. Will Dormann independently confirmed the PoC opens a SYSTEM cmd.exe reliably on Windows 11 Pro fully patched. The exploit reportedly fails on the latest Insider Preview Canary builds, suggesting Microsoft has a fix in the pipeline but has not yet released an out-of-band patch. ThreatLocker published two registry-path hunt pivots: \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* and \Registry\User\.DEFAULT\Volatile Environment*.

Defender takeaway: the proliferation of unpatched LPEs from one researcher signals an extended period of SYSTEM-shell availability for any attacker that lands user-level execution on Windows endpoints. Sysmon EID 13 (RegistryEvent / SetValue) on the .DEFAULT hive from non-SYSTEM processes is the primary hunt pivot; Sysmon EID 6 driver-load monitoring catches related driver-abuse paths. Hardening: BitLocker PIN mitigates the companion YellowKey BitLocker bypass; disabling Cloud Files / OneDrive integration removes the MiniPlasma attack surface but is not practical in most environments. MITRE T1068 (Exploitation for Privilege Escalation).

UPDATE (originally covered 2026-05-15 / deep-dive 2026-05-16): The Microsoft Exchange Team Blog post addressing CVE-2026-42897 was last modified 2026-05-17 to clarify an operational dependency that defenders must verify on every Exchange Mailbox host: the Exchange Emergency Mitigation Service (EM Service / EEMS) — which auto-applies the URL-Rewrite mitigation labelled M2.1.x — only delivers that mitigation when it can reach officemitigations.microsoft.com over outbound HTTPS. Segmented on-premises Exchange 2016 / 2019 / Subscription-Edition deployments that block direct outbound HTTPS from the Mailbox role will therefore not have received the automatic mitigation and remain exposed to the actively-exploited OWA stored-XSS chain.

The CVE remains CISA KEV-listed (added 2026-05-15) with no permanent cumulative-update fix as of 2026-05-18; Microsoft states verbatim "We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards." Exchange Online is unaffected. Operational verification per server: Get-ExchangeDiagnosticInfo -Server <server> -Process EdgeTransport -Component EmergencyMitigation returns Status: Active and rule M2.1.x applied; manual application on hosts that cannot reach the mitigation service: .\EOMT.ps1 -CVE "CVE-2026-42897" from an elevated Exchange Management Shell, or apply the documented URL Rewrite rule by hand.

UPDATE (originally covered 2026-W21 weekly): VulnCheck honeypot telemetry confirmed active exploitation of CVE-2026-42945 on 2026-05-17, promoting the 18-year-old ngx_http_rewrite_module heap buffer overflow from PoC-public status (where it sat last week) to actively-exploited. The flaw is reachable by an unauthenticated remote attacker via a single crafted HTTP request to any NGINX instance running a rewrite-rule configuration that uses unnamed PCRE captures ($1, $2); successful exploitation crashes the worker process (DoS reliable on ASLR-enabled hosts) and reaches RCE on hosts where ASLR is disabled.

Affected per F5 PSIRT advisory K000161019: NGINX Open Source 0.6.27 through 1.30.0 (every release since 2008) and NGINX Plus R32 through R36, plus F5 NGINX Instance Manager, NGINX Ingress Controller, NGINX Gateway Fabric, NGINX App Protect WAF, F5 WAF for NGINX, and NGINX App Protect DoS. Patches: NGINX Open Source 1.30.1 / 1.31.0; NGINX Plus R32 P6, R36 P4. Interim mitigation if immediate upgrade is not possible: convert unnamed PCRE captures in all rewrite directives to named captures ((?P<name>...) syntax). Detection-engineering anchors that follow from the flaw class (heap-overflow worker crash under specific rewrite-rule configurations) are NGINX worker-process crash events (SIGSEGV / SIGABRT and immediate respawn) in syslog / journald, correlated with inbound HTTP requests carrying unusually long or deeply-nested rewrite-rule input strings from the same source; defenders should validate these against their own rewrite-rule configuration before depending on them.

UPDATE (originally covered 2026-05-07 deep dive): The Palo Alto Networks PSIRT advisory for CVE-2026-0300 was revised on 2026-05-16 to update the per-build fix-release schedule: PAN-OS 10.2.13-h21 was retimed on 2026-05-16, 10.2.16-h7 on 2026-05-14. Both are commonly deployed LTS branches in large enterprise and government estates; PA-Series and VM-Series devices on those two specific builds remain mitigation-only.

The wave-2 patch target for the remaining outstanding builds remains 2026-05-28. No new exploitation evidence accompanied the revision; the actively-exploited posture (unauthenticated heap overflow in the User-ID Authentication Portal / Captive Portal service, CVSS 9.3, pre-auth root RCE) reported in prior briefs continues. Defender action: verify each PA / VM appliance's installed PAN-OS build against the advisory's per-version patch matrix; if the installed build is 10.2.13-h21 or 10.2.16-h7, confirm the Captive Portal / User-ID Authentication Portal mitigation (disable the feature if unused, or apply the published Threat Prevention rule) remains active until the wave-2 fix lands.

See § 1 for full operational framing. Key update this week: the Exchange Team Blog (2026-05-17) confirmed the EM Service mitigation requires active connectivity to officemitigations.microsoft.com — servers without EM Service enabled or without outbound connectivity to the Microsoft endpoint are unmitigated. Exchange 2016/2019 without ESU Period 2 are permanently stranded on mitigation-only posture. The DEVCORE Pwn2Own three-bug SYSTEM RCE chain (disclosed 2026-05-16 via ZDI) is a separate vulnerability class not yet formally linked to the OWA-XSS exploitation path.

The Council of the EU adopted on 11 May 2026 the annual renewal of individual and entity listings under the cyber sanctions regime (Decision 2019/797 / Regulation 2019/796) for one year, until 18 May 2027. The renewal preserves the current composition without new additions: 19 individuals and 7 entities subject to asset freezes, travel bans, and fund-transfer prohibitions. Switzerland aligns with EU cyber sanctions via SECO ordinances (SR 946.231.176.72); a corresponding SECO ordinance update is expected within days of the Council decision. Swiss financial institutions and operators conducting counterparty screening should monitor SECO for the updated ordinance.

The European Commission sent reasoned opinions to 19 member states in May 2025 (per the EC NIS transposition page, last updated July 2025) with a two-month response window; non-compliant states face Court of Justice referral. The May-2025 reasoned opinions are now one year old without public Court of Justice referral announcements, indicating most have either completed transposition or are in active dialogue with the Commission. Polish NIS2 transposition (in force 3 April 2026, W19 item) is among the most recent completions. No Court of Justice referral was announced this week. The W19 ABW NIS2 essential-entity extension proposal has not gained additional public momentum this run (EC NIS transposition page).

UPDATE (originally covered 2026-05-15 and 2026-05-16 deep dive): DEVCORE's Orange Tsai chained three undisclosed Exchange Server bugs on Pwn2Own Berlin 2026 Day 2 to achieve unauthenticated remote code execution at SYSTEM privilege level, earning $200,000 (Zero Day Initiative, 2026-05-15; BleepingComputer, 2026-05-15). This chain is separate from the actively-exploited CVE-2026-42897 (OWA stored XSS, no permanent patch; EEMS mitigation M2.1.x only) that the 2026-05-16 deep dive covered. ZDI verbatim: "Orange Tsai (DEVCORE Research Team) earned $200,000 after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange."

The three bugs are under a 90-day Pwn2Own embargo — Microsoft must patch by approximately 2026-08-14 before ZDI publishes technical detail. Operationally, the compound risk for on-premises Exchange has materially worsened in 48 h: one actively exploited XSS without a permanent patch (M2 mitigation only, with known OWA Calendar Print / inline-image side-effects), plus a fresh unauthenticated SYSTEM RCE class that defenders cannot pre-emptively patch. CVE-2026-42897 remains in CISA KEV (added 2026-05-15) with EEMS as the only listed mitigation; the Microsoft Exchange blog post addressing-exchange-server-may-2026-vulnerability-cve-2026-42897 linked from the MSRC advisory returns 502 on direct fetch and the MSRC entry itself is the operational primary (MSRC CVE-2026-42897).

Defender response shift for on-premises Exchange 2016/2019/SE: treat the platform as severely threatened. Verify EEMS service is enabled (Get-ExchangeDiagnosticInfo, mitigation M2.1.x present in applied list); restrict ECP/EWS/OWA reachability from the internet at the WAF or reverse proxy where business-feasible; accelerate any in-progress Exchange Online migration; assume hypothetical compromise paths through both OWA-browser-context attacks (CVE-2026-42897) and a direct service-account SYSTEM RCE chain (Pwn2Own DEVCORE) until Microsoft ships permanent fixes for both. Exchange Online tenants are not in scope for either.

AMD disclosed AMD-SB-7052 (CVE-2025-54518, CVSS 7.3 on the CVSS 4.0 scale, CWE-1189 Improper Isolation of Shared Resources on System-on-Chip) affecting Zen 2-based processor models on 2026-05-12, with NCSC-NL flagging the advisory on 2026-05-15 (AMD Product Security, 2026-05-12 · NCSC-NL NCSC-2026-0158, 2026-05-15). The flaw allows a local attacker with code execution on the target system to corrupt the CPU operation (µop) cache and thereby cause instructions to execute at a higher privilege level than intended, enabling local privilege escalation and, in virtualisation contexts, potential degradation of hypervisor-level isolation. Mitigation is delivered as microcode integrated into the May 2026 Microsoft Windows cumulative update (the same window as the previously-covered CVE-2026-41089 / 41096 Patch Tuesday set); Fedora has issued separate kernel + microcode updates (advisory IDs per NCSC-NL CSAF references) and Xen has published XSA-490 for bare-metal hypervisor operators. Lenovo has published a product-security advisory covering affected ThinkPad / ThinkStation / Workstation models for BIOS / UEFI guidance. Attack class: T1068 Exploitation for Privilege Escalation, with elevated relevance in confidential-compute and multi-tenant virtualisation contexts (VDI estates, cloud-hosted VMs on Zen 2 hosts, shared university compute clusters). No in-the-wild exploitation confirmed. Detection / verification: confirm the May 2026 Windows CU includes the AMD microcode revision via the relevant KB and wmic cpu get name, dataWidth, processorId; for Linux hypervisors apply distro kernel + microcode updates and reboot; for Xen apply XSA-490; for Lenovo hardware check BIOS / UEFI update guidance per LEN-216977. The local-only attack vector limits external risk; the priority is multi-tenant and virtualisation contexts where guest-to-hypervisor or container-to-host isolation is part of the security boundary.

CVE Summary Table

UPDATE (originally covered 2026-05-13): OpenAI disclosed on approximately 2026-05-13 that two employee devices were compromised through the TanStack npm supply-chain attack (Mini Shai-Hulud / TeamPCP, first covered in this brief series on 2026-05-12 and 2026-05-13) and that the compromise affected OpenAI's macOS code-signing certificates (TechCrunch, 2026-05-14 · The Record, 2026-05-14).

The attackers exfiltrated "limited credential material" from internal source code repositories accessible to the two affected employees; OpenAI states no customer data, production systems, or core intellectual property were accessed. Critically, the certificate used to sign OpenAI's macOS desktop applications (ChatGPT for macOS and related apps) was among the compromised material, triggering an emergency certificate rotation. OpenAI is requiring all macOS app users to update to the latest version before June 12, 2026, after which older builds will lose functionality and macOS Gatekeeper notarization will block apps signed with the compromised certificate. Enterprise MDM administrators with OpenAI macOS apps in their managed fleet should push a forced update immediately. Threat attribution is unofficially assessed as TeamPCP (the same actor behind the broader TanStack worm), consistent with prior reporting on the actor's OIDC token theft and credential exfiltration goals.

UPDATE (2026-05-13 — follows TeamPCP coverage 2026-05-13): Datadog Security Labs published an analysis of the TeamPCP "Shai-Hulud" offensive worm source code on 2026-05-13, after the complete framework was briefly accessible as a public GitHub repository on 2026-05-12 before the account was removed (Datadog Security Labs, 2026-05-13). The brief public exposure gave researchers direct visibility into the worm's internal architecture: it is a TypeScript/Bun toolkit that automates GitHub Actions pwn-request exploitation — specifically targeting pull_request_target workflows that perform unsanitized checkouts — to harvest OIDC tokens and GITHUB_TOKEN values, then propagate across npm packages using the stolen credentials. The automation is fully self-contained; victim-repository selection is not manually guided, consistent with the worm-class spread observed in the original TanStack campaign. The leaked code also exposes the environment-variable injection technique (${{ github.event.pull_request.head.sha }} substitution in run steps) as a key primitive. Defenders should not execute the leaked code. The architectural disclosure accelerates defensive posture: prioritise auditing pull_request_target triggers with checkout steps in the same job, review OIDC token permission scopes, and apply environment variable sanitization. MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain), T1552.001 (Credentials in Files), T1059.004 (Unix Shell).

UPDATE (originally covered 2026-05-07 deep dive, last updated 2026-05-13): Palo Alto Networks PSIRT updated its CVE-2026-0300 advisory on 2026-05-13 to reflect first-wave patch availability but to also disclose a second patch wave with an ETA of 2026-05-28 for eight commonly-deployed build streams: PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21 and 10.2.16-h7 (Palo Alto Networks PSIRT, updated 2026-05-13). Operators running any of those builds cannot patch yet; the interim mitigation — restrict User-ID Authentication Portal to trusted zones, or disable Captive Portal if unused — is the only option until 28 May. CL-STA-1132 in-the-wild exploitation continues; the cluster's tradecraft (EarthWorm / ReverseSocks5 tunnels, AD enumeration via firewall service account, deliberate log destruction) is unchanged from prior coverage (Unit 42 — Captive Portal Zero-Day, 2026-05-06).

The CISA KEV entry was updated on 2026-05-13 to note "Palo Alto has released a variety of patches"; the FCEB remediation deadline (2026-05-09) has already expired. Per PD-13 the KEV deadline is not the operational driver in CH/EU — the active-exploitation status, the affected-build delay, and the CL-STA-1132 attribution are. The wave-2 delay specifics are documented in the vendor PSIRT advisory and were not independently corroborated by HIGH-reliability third-party reporting in window; treat the eight-build "ETA 05/28" list as vendor-primary and verify against the live PSIRT entry before any rollout planning.

UPDATE (originally covered 2026-05-10 in the Q1 2026 ransomware quarterly synthesis): Check Point Research published "Thus Spoke…The Gentlemen" on 2026-05-13, a detailed analysis of a 44.4 MB extract from the group's leaked "Rocket" backend database (16.22 GB total) that was posted to the cybercrime forum Breached on 2026-05-04 after the group's infrastructure was compromised by an unidentified actor (Check Point Research, 2026-05-13; BankInfoSecurity, 2026-05-11). The dataset contains 8,200 lines of internal chat-tool traffic across channels INFO / general / TOOLS / PODBOR, shadow files with password hashes, affiliate negotiation transcripts, and configuration artefacts for the ZeroPulse C2 framework.

Nine operator handles are identified — including administrator zeta88 (also hastalamuerte), who both manages the RaaS panel and participates directly in encryption events. Reconstructed attack chain: initial access almost exclusively via unpatched edge devices — FortiGate CVE-2024-55591 (the group's documented mainstay), Cisco appliances, CWMP/TR-069 interfaces — or purchased infostealer credentials; post-access tooling includes NetExec, RelayKing (NTLM relay), CertiHound (AD Certificate Services abuse), TaskHound, PrivHound; EDR-suppression utilities EDRStartupHinder, gfreeze and glinker manipulate ETW callbacks and NTDLL syscall tables; persistence is maintained via Cloudflare Zero Trust tunnels and self-provisioned WireGuard/OpenVPN chains.

Two operationally critical facts: (1) Check Point Research attributes a count of 1,570+ victim entries to a separately-exposed SystemBC C&C server, against 332 victims publicly listed on the group's data-leak site in the first five months of 2026 — significant under-reporting of true scope (Check Point's wider comparison cites 412 cumulative DLS listings); (2) the decryptor has been released as GitHub Bedrock-Safeguard/gentlemen-decryptor, enabling existing victims to recover without payment (decryptor disclosed in BankInfoSecurity's 2026-05-11 reporting). For Swiss / EU SOCs handling an active Gentlemen incident the workflow changes today: attempt decryption before any negotiation. Detection pivots from the leak: alert on EDRStartupHinder, gfreeze, glinker process names (custom binaries, not commodity); monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers and templates) consistent with CertiHound; correlate with FortiGate CVE-2024-55591 initial-access exploitation patterns that the group continues to weaponise.

UPDATE (originally covered 2026-05-10): Between 19:20 and 19:26 UTC on 2026-05-11, TeamPCP's Mini Shai-Hulud self-propagating worm executed its largest campaign to date, compromising 160+ malicious versions across @tanstack/* (42 packages including @tanstack/react-router at ~12M weekly downloads), @uipath/* (60+ packages), @mistralai/*, @opensearch-project/opensearch, @squawk/*, @draftlab/* and @tallyui/*, plus two PyPI packages (StepSecurity analysis, 2026-05-11; TanStack post-mortem, 2026-05-12; Wiz, 2026-05-12; NCSC-CH Security Hub #12558, 2026-05-12).

The novel attack chain (decomposed in § 5) is materially different from the 2026-05-10 SAP-CAP campaign: the operator (voicproducoes, GitHub account ID 269549300) submitted a poisoned PR to a target repository that triggered a pull_request_target workflow, used that privileged workflow to seed a malicious pnpm store into the GitHub Actions cache, then waited for legitimate maintainer merges to main — the release workflow restored the poisoned cache, attacker-controlled binaries extracted GitHub Actions OIDC tokens from /proc/<pid>/mem, and the worm used npm's token-exchange endpoint to publish trojanised package versions with valid SLSA Build Level 3 provenance attestations. The provenance bypass is the most significant evolution — SLSA L3 was the supply-chain assurance many EU public-sector procurement frameworks were starting to rely on, and this campaign demonstrates it is forgeable without abusing the package's own publish step.

Operational delta for defenders: SAP Note #3747787 (HotNews) acknowledges CAP-package impact and ships a clean version list. UiPath impact is the highest-priority public-sector signal — UiPath RPA is widely deployed in Swiss federal e-government automation and EU agency back-offices; review package-lock.json / pnpm-lock.yaml in every UiPath-using pipeline against the StepSecurity / Wiz package-version manifest. Before revoking any GitHub PAT or npm token, sanitise the developer machine first — token revocation triggers the worm's gh-token-monitor dead-man's switch that executes rm -rf ~/ on the affected workstation. Mapped to T1195.002 Supply Chain Compromise: Compromise Software Supply Chain, T1552.001 Unsecured Credentials: Credentials in Files, T1078.004 Cloud Accounts.

UPDATE (originally covered 2026-05-12): Late on 2026-05-11, US House Homeland Security Committee Chairman Andrew Garbarino sent a formal letter to Instructure CEO Steve Daly ahead of the 2026-05-12 ShinyHunters extortion deadline, demanding a briefing by 2026-05-21 on the circumstances of both Canvas intrusions, the volume of data accessed, containment measures, and coordination with federal law enforcement and CISA (The Record, 2026-05-12; The Register, 2026-05-12).

On 2026-05-12 — before the deadline expired — Instructure confirmed it had "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" from ShinyHunters, the operational reliability of which the committee letter explicitly questions. ShinyHunters claims the agreement covers up to 275 million records across roughly 8,800 colleges, universities and K-12 schools (per The Register; The Record cites ~9,000 institutions), including Dutch and Swedish higher-education customers previously confirmed in scope. The second Canvas intrusion is attributed to ShinyHunters exploiting an unpatched flaw in Instructure's "Free-for-Teacher" environment; the initial 2026-04-29 intrusion yielded ~3.6 TB of uncompressed data (usernames, emails, course names, messages). CrowdStrike was retained for forensic analysis.

Defender takeaway: a vendor-side "shred log" is legally non-binding and technically unverifiable; EU institutions must continue to treat the 275M-record dataset as irrevocably compromised for GDPR Art. 33 / data-subject-rights purposes regardless of Instructure's bulk-platform claim. The congressional investigation will likely prompt CISA guidance for higher-education SaaS incident response — relevant context for Swiss universities and EU edtech procurement teams.

UPDATE (originally covered 2026-05-12): Palo Alto Networks released the first wave of patched PAN-OS builds on 2026-05-13 for the actively-exploited Captive Portal pre-auth RCE, covering PAN-OS 10.2, 11.1, 11.2 and 12.1 (Palo Alto Networks PSIRT, last updated 2026-05-07; patch table confirmed 2026-05-13). Concretely: PAN-OS 12.1.4-h5 (2026-05-13) plus 12.1.7 (planned 2026-05-28); PAN-OS 11.2 multiple builds staged 2026-05-13–2026-05-28; PAN-OS 11.1 and 10.2 on a similar cadence. Prisma Access, Cloud NGFW and Panorama remain unaffected. Threat Prevention signature ID 510019 remains the interim control for any unpatched instance. The CISA KEV deadline of 2026-05-09 is — per the audience-applicability rule in the daily prompt — irrelevant for CH/EU jurisdiction; the operational driver is the active exploitation by CL-STA-1132 documented previously.

UPDATE (originally covered as the 2026-05-07 deep dive; updates 2026-05-08 → 2026-05-10): Palo Alto Networks' PSIRT page for CVE-2026-0300 (last updated 2026-05-07 at time of run) now lists first-wave fixed builds with an ETA of 2026-05-13 for several mainline branches and a second wave around 2026-05-28 for the remaining branches; no patched build is yet shipped against the unauthenticated root RCE in the User-ID Authentication Portal / Captive Portal service. The CL-STA-1132 cluster attribution and the ~2026-04-09 first-observed-exploitation date come from Unit 42's separate Captive Portal Zero-Day threat bulletin, not from the PSIRT advisory itself.

Operationally: until the 05/13 first-wave builds ship, the interim Threat Prevention signature 510019 plus source-IP restriction of the captive-portal interface to trusted internal ranges remain the only defender controls for branches that do not yet have a fixed build. PA-Series and VM-Series operators with User-ID Authentication Portal or Captive Portal exposed should treat tomorrow as a pre-staged deployment window — confirm a tested rollback path, validate the interim signature is enforced (Threat Prevention licence required), and verify the captive-portal listener is reachable only from authorised source ranges. Prisma Access, Cloud NGFW and Panorama are not affected. The CISA KEV deadline (2026-05-09) has already expired for FCEB agencies and per PD-13 does not drive Swiss/EU action framing on its own — the operational driver is the actively-exploited ITW status and the imminent first-wave patch ship date.

UPDATE (originally covered 2026-05-09; updated 2026-05-10): Instructure on 2026-05-11 disclosed that it "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" — a ransom payment in everything but name, undisclosed amount, covering the platform-wide ~3.65 TB dataset that ShinyHunters claimed to have lifted from Canvas's Free-for-Teacher tier on 2026-04-29 (Inside Higher Ed, 2026-05-11; Infosecurity Magazine, 2026-05-11).

Two material developments accompany the settlement: (a) Instructure confirmed a second intrusion on 2026-05-07 in which ShinyHunters defaced approximately 330 individual institution login portals via the same Free-for-Teacher vulnerability — the first ITW evidence that the underlying flaw remained exploitable post-patch; (b) ShinyHunters has now reset a per-institution payment deadline to end-of-day 2026-05-12 (today), positioning the central settlement as covering only the bulk dataset while leaving individual institutions exposed to targeted publication (The Register, 2026-05-12). CEO Steve Daly publicly acknowledged delayed external communication ("we got the balance wrong" on disclosure timing). CrowdStrike remains engaged for the IR work.

Operational reality for any European university running Canvas: the "data was destroyed" claim is not technically verifiable — by ransomware-actor practice, the artefact provided is typically a hash list or a video, not a forensically meaningful proof of deletion. The dataset must continue to be treated as compromised in perpetuity for GDPR / Swiss DSG purposes, downstream phishing risk planning, and student-identity exposure communications. Institutions that received the per-institution deadline note should validate that any locally-stored Canvas-derived data (course rosters, communications, gradebooks) is included in the breach-notification scope, regardless of the platform-wide settlement.

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

For every Jenkins controller running the Checkmarx Jenkins AST plugin: confirm installed plugin version; if 2026.5.09 was ever pulled (auto-update enabled, or manual install in window), declare a secrets-compromise incident, rotate every credential the runner could read (GitHub PATs, AWS / Azure / GCP access keys, Kubernetes service-account tokens, Docker registry credentials, SSH keys, Checkmarx One API tokens, and any LLM API keys exposed to CI), and audit any artefact built or deployed in the window. Pin the plugin to 2.0.13-829.vc72453fa_1c16 per Checkmarx's ongoing-security-updates page. Where the Jenkins platform supports it, migrate runners to OIDC-federated short-lived credentials so the next supply-chain compromise yields no usable secrets.

UPDATE (originally covered 2026-05-09): Microsoft Threat Intelligence published Active attack: Dirty Frag Linux vulnerability expands post-compromise risk on 2026-05-08 reporting "limited in-the-wild activity where privilege escalation involving su is observed." The attack chain observed: SSH initial access → shell spawn → execution of an ELF binary that triggers the LPE primitive in either CVE-2026-43284 (xfrm-ESP page-cache write) or CVE-2026-43500 (RxRPC page-cache write). This is the first formal "exploited in the wild" attribution since the V4bel write-up published on 2026-05-07.

Red Hat published RHSB-2026-003 covering both CVEs on 2026-05-07 and updated it on 2026-05-09, with backported errata rolling out to RHEL 8/9/10 and OpenShift 4 (Red Hat RHSB-2026-003). NCSC.ch issued Security Hub post 12547 on 2026-05-08 noting "Proof of Concept Available" and advising temporary blacklisting of the esp4, esp6 and rxrpc kernel modules pending distribution backports. Belgium's CCB issued a parallel advisory (CCB Belgium, 2026-05-08).

The upstream xfrm-ESP fix merged on 2026-05-07 (kernel commit referenced by V4bel and corroborated by Red Hat); the RxRPC fix was still pending in the netdev tree at time of writing. AlmaLinux backported kernels on 2026-05-08; Ubuntu noted fixes will arrive via the kernel image package. Defender hunt focus: outbound SSH-to-unprivileged-shell-to-ELF-execution chains immediately followed by setuid(0) or su invocations, plus suspicious setsockopt(AF_ALG) patterns on the esp4/esp6/rxrpc modules followed by splice() syscalls into the page cache of read-only files. The Microsoft post emphasises that the page-cache write primitive bypasses on-disk file integrity monitoring (AIDE / IMA-EVM / auditd watch rules) — post-incident forensics must compare in-memory page contents against on-disk checksums, not just md5sum of the file.

Mitigation note (carried from 2026-05-09): on Ubuntu where unprivileged user namespaces are blocked by default, the esp4/esp6 path is harder to reach because CAP_NET_ADMIN is required — but the RxRPC path remains exploitable without user-namespaces; the two CVEs are designed to complement each other. Where IPsec is in use, Red Hat suggests kernel.unprivileged_userns_clone=0 (sysctl) as a less disruptive mitigation than full esp4/esp6 module blacklisting. AFS users cannot blacklist rxrpc without losing AFS — wait for the distribution backport.

Sophos X-Ops (cluster STAC4713) published a write-up on 2026-05-07 of a malvertising campaign using the counterfeit claude-pro[.]com site to distribute a previously-undocumented Windows backdoor named Beagle (Sophos X-Ops, 2026-05-07 · Malwarebytes, 2026-04-10 (earlier wave)). The chain delivers a 505 MB ZIP archive containing a malicious MSI that sideloads an attacker-controlled DLL alongside a legitimate, signed G DATA antivirus updater executable (T1574.002 DLL Side-Loading). The first-stage DonutLoader shellcode then fetches and injects Beagle into memory. Beagle communicates with license.claude-pro[.]com over TCP/443 and UDP/8080 with AES-encrypted payloads; supported commands are cmd, upload, download, ls. Sophos notes TTP similarity with PlugX operators (BRONZE PRESIDENT / Dragon Breath clusters) but explicitly does not confirm attribution. The campaign's distribution infrastructure was established March 2026 with samples observed in February, April and May.

The targeting class is the operationally important part: counterfeit AI-tooling sites lure technical users — developers, ML engineers, IT admins — who often hold privileged access to source code, cloud environments, and secrets. Defenders should treat AI-tool installer downloads as a high-risk software class and require allow-listed sources (anthropic.com, claude.ai, OS package managers) rather than ad-hoc web search results.

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): ShinyHunters posted a second intrusion notice around 2026-05-08 asserting Instructure's Canvas LMS retained unpatched vulnerabilities allowing re-entry despite the company's earlier security-patch deployment (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08). Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation across its customer base.

Seven Dutch universities — VU Amsterdam, University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology (TU/e), Maastricht University, and University of Twente — executed emergency Canvas disconnections on or before 2026-05-09 after the attackers claimed continued active access. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam.

The 2026-05-12 extortion deadline remains active — two days from publication. ShinyHunters's original claim cited 275 million records (names, email addresses, student IDs, private messages) across thousands of educational institutions worldwide (Techzine EU, 2026-05-08); if the second-intrusion claim is verified, Instructure's remediation was incomplete and the data-release threat is materially more credible. Defenders at European universities using Canvas should treat credential-stuffing risk on stolen student / staff emails as active, audit third-party LTI integrations, and watch for follow-on phishing campaigns referencing course content.

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): The CISA KEV remediation deadline for CVE-2026-6973 (Ivanti EPMM admin API improper input validation → RCE, CVSS 7.2) expired today (2026-05-10) (Ivanti PSIRT, 2026-05-07 · BleepingComputer, 2026-05-07 · SecurityWeek, 2026-05-08).

Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European EPMM exposure is materially larger than the rest of the world combined. SecurityWeek's analysis notes a Chinese-actor assessment based on historical EPMM exploitation patterns; Ivanti has confirmed exploitation against "a very limited number of customers" without naming them.

The May 2026 EPMM update covers four additional CVEs alongside CVE-2026-6973: CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative-access via improper access control), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), CVE-2026-5787 (improper certificate validation → pre-auth Sentry impersonation, originally covered in the 2026-05-08 brief deep dive) and CVE-2026-7821 (also high-severity per BleepingComputer / SecurityWeek). Critically, the same May patch supersedes the prior CVE-2026-1281 / CVE-2026-1340 RPM workaround issued for the January 2026 unauthenticated RCEs — meaning EPMM operators that are still on the January workaround need to apply the proper patch now. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1.

UPDATE (originally noted as embargoed-and-dropped 2026-05-09): Technical details for the three CVEs cPanel patched on 2026-05-08 emerged on 2026-05-09 (The Hacker News, 2026-05-09 · NCSC-CH Security Hub post 12550, 2026-05-08 · Panelica technical analysis, 2026-05-08).

CVE-2026-29202 (CVSS 8.8) is the highest-severity item: insufficient input validation of the plugin parameter in the create_user API allows an authenticated cPanel user to inject and execute arbitrary Perl code in the context of their system account — post-authentication RCE for any cPanel user with API access. CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse on arbitrary files (privilege escalation or denial-of-service). CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure. None have confirmed in-the-wild exploitation as of 2026-05-09.

The compounding risk: cPanel hosts that were compromised through the still-recent CVE-2026-41940 authentication-bypass wave (~44 000 hosting servers exploited over February–May 2026) now face a fresh post-auth Perl-execution primitive. An attacker who already used the auth bypass can pivot to CVE-2026-29202 to escalate privilege or persist. Fixed: cPanel/WHM 11.136.0.9+, 11.134.0.25+, 11.132.0.31+. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.

UPDATE (originally covered 2026-05-09): DENIC published its formal technical post-mortem on 2026-05-08 (DENIC analysis blog (German), 2026-05-08 · heise online, 2026-05-08).

Confirmed root cause: a code defect in DENIC's third-generation custom signing infrastructure (deployed April 2026 atop Knot DNS). During a routine Zone-Signing-Key rotation the code generated three private key pairs all assigned the same Key Tag (33834) rather than a unique tag per key — and only one corresponding public DNSKEY record was published to the zone. The RRSIG records signed by the two unpublished keys were therefore unvalidatable; DNSSEC-validating resolvers marked all .de delegations as "Bogus", which through the bogus NSEC3 trust path also took down resolution for non-DNSSEC-signed .de domains.

The outage ran 2026-05-05 21:43 UTC → 2026-05-06 ~01:15 UTC (~3.5 h). Critically, DENIC notes the monitoring pipeline detected anomalous resolver behaviour but the alerting layer did not correctly forward the alerts — the SIEM-rule equivalent of a fire-but-don't-page failure. Knot DNS itself is not implicated; the bug was in DENIC's automation layer atop Knot.

Defender takeaway: DNSSEC registry-side errors are indistinguishable from attacker-induced trust failures from a resolver's perspective. Validating-resolver operators in DACH and EU public-sector environments should keep RFC 7646 Negative Trust Anchor capability live for continuity during registry incidents and ensure runbooks separate "registry KSK/ZSK rollover defect" from "zone-level attack on a downstream domain".

UPDATE (originally covered 2026-05-08):

The CISA KEV deadline for CVE-2026-6973 (Ivanti EPMM admin API RCE, CVSS 7.2) is tomorrow, 2026-05-10. Organisations that have not yet isolated or patched on-premises Ivanti EPMM instances are in immediate compliance breach. CERT-FR CERTFR-2026-AVI-0552 and BSI advisory from 2026-05-07 both require organisations to treat the CVE-2026-5787 → CVE-2026-6973 chain as a single critical exposure requiring immediate action, with 508 EU on-premises instances identified as internet-accessible by NCSC-NL scanning as of 2026-05-07.

Named victims confirmed in public statements or EU supervisory authority filings during the 36-hour window: European Commission (DG DIGIT notified, isolated affected infrastructure); Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (confirmed EPMM instance impacted in the 2026-05-03–07 exploitation wave, investigation ongoing); Netherlands Council for the Judiciary (Raad voor de rechtspraak) (EPMM administrative console was internet-accessible until 2026-05-05; extent of access under assessment); Finnish Valtori (Government ICT Centre, confirmed EPMM compromise affecting shared government IT services, NCSC-FI advisory published). All named organisations used EPMM in MDM capacity, meaning the exposed admin APIs had device management access to enrolled endpoints including mobile devices of employees with elevated privilege.

Credential-chaining risk: Ivanti disclosed a separate cluster of EPMM vulnerabilities in January 2026 (CVE-2026-1281 and CVE-2026-1340, tracked separately) in which admin-account credentials were extracted from compromised instances. Organisations that patched CVE-2026-1281/1340 at the time but did not rotate admin credentials remain at elevated risk that the May 2026 exploitation wave leveraged pre-extracted credential sets to accelerate authentication bypass to direct post-auth RCE.

UPDATE (originally covered 2026-05-07):

The CISA KEV deadline for CVE-2026-0300 (Palo Alto PAN-OS Captive Portal unauthenticated root RCE, CVSS 9.3) is today, 2026-05-09. Palo Alto Networks has not yet released a firmware patch; the vendor statement from 2026-05-08 confirmed the earliest expected maintenance release containing a code fix is PAN-OS 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13. Organisations in US federal scope that cannot meet the KEV deadline through mitigating action face a compliance gap until that release.

Palo Alto's mitigation guidance remains: disable Captive Portal (Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal) or disable GlobalProtect and Captive Portal if not operationally needed. Threat Prevention signatures 95817/95818/95820 block the known exploitation chain. PA-Series hardware appliances running content update < 8765-9032 are not covered by the signatures.

Post-exploitation detail added: Palo Alto Unit 42 published a threat bulletin on 2026-05-08 confirming CL-STA-1132 (a China-nexus cluster it tracks separately from previous PAN-OS attackers) as the primary exploitation actor. Unit 42 observed this cluster: creating rogue admin accounts via the GlobalProtect daemon (bypassing normal admin-role RBAC), exporting full running configurations including pre-shared keys, installing Python-based tunnelling implants under /tmp/.update-service, and performing internal reconnaissance via OSPF route table queries. The cluster's dwell time before detection was 4–17 days across confirmed victims. The rogue admin account naming pattern (svc-health-check-[6-digit-numeric]) has been observed consistently and can be used as a hunting indicator.

UPDATE (originally covered 2026-05-08):

As of the window close (2026-05-09 06:00 UTC), no ransom payment has been made and no further data dump has been published. Three major UK universities issued public statements: University of Oxford confirmed it is working with Instructure and the NCSC-UK; University of Cambridge issued a statement acknowledging that "student and staff data may have been affected" and referred staff to the National Cyber Security Centre guidance; University of Liverpool confirmed it had notified the Information Commissioner's Office under Article 33 GDPR and is conducting a forensic investigation. Universiteiten van Nederland (UNL) confirmed that 44 member institutions are potentially affected, representing all Dutch research universities and applied science universities; the Dutch DPA (Autoriteit Persoonsgegevens) has opened a preliminary investigation.

The threat actor (WorldLeaks) set a 2026-05-12 payment deadline; the extortion amount was stated as €3.2 million. WorldLeaks previously published a 3 GB sample dataset on 2026-05-07 containing course-IDs, student email addresses, assignment metadata, and grade records across four UK institutions. No passwords, payment data, or national identification numbers were present in the sample. Instructure issued a public statement on 2026-05-08 confirming the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure), and that the issue was isolated. Instructure stated it notified affected institutions on 2026-05-01 and has been working with law enforcement.

UPDATE (originally covered 2026-05-08):

Poland's Internal Security Agency (ABW) published its 2025 Annual Report on 2026-05-07, providing materially expanded detail beyond the initial reporting. The report names five municipal water facilities targeted in intrusion attempts during H2 2025 and Q1 2026: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. All are smaller municipalities (populations 1,500–26,000) with limited IT security staff, consistent with the observed targeting pattern. ABW formally attributes the intrusion campaign to APT28 (Russian GRU) for the initial-access and persistence phase, APT29 (Russian SVR) for the intelligence-collection overlay observed at Jabłonna Lacka, and UNC1151 (Belarusian GRU-affiliated, historically associated with Ghostwriter information operations) for a disinformation component: fabricated leak documents purporting to show contamination data. This represents more granular tri-attribution than the "pro-Russian hacktivist" framing used in initial reporting.

NIS2 Directive context: Poland transposed NIS2 into national law effective 2026-02-01 (Ustawa z dnia 28 listopada 2025 r. o krajowym systemie cyberbezpieczeństwa). Water distribution operators above the 50-employee threshold are now classified as Essential Entities under NIS2, subject to mandatory incident notification to CSIRT GOV (ABW) within 24/72 hours. ABW's annual report explicitly notes that the five named facilities fell below the NIS2 threshold at the time of intrusion, highlighting the coverage gap for small municipal operators. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount.

UPDATE (originally covered 2026-05-06):

CISA added CVE-2026-31431 to KEV on 2026-05-06 with a federal remediation deadline of 2026-05-15 — six days from today. Organisations with unpatched Linux kernel deployments running the algif_aead module (present by default on most distributions unless FIPS mode is active) are approaching the federal deadline. Downstream distribution patches: Ubuntu 22.04/24.04 (linux-image 6.1.98-1ubuntu1); RHEL 8/9 (kernel-5.14.0-503.14.1); Debian 12 (pending as of 2026-05-09 06:00 UTC).

Material update: The Microsoft Security Blog post published on 2026-05-08 (same post covering "Dirty Frag") provides new detail on the "Copy Fail" cluster. Microsoft observes that threat actors are using CVE-2026-31431 and CVE-2026-43284/43500 (Dirty Frag) as complementary techniques in post-compromise Linux privilege escalation operations — deploying CVE-2026-31431 on hosts where the algif_aead module is available and rxrpc/esp* are not, and Dirty Frag on hosts where user namespaces are enabled without algif_aead. The same initial access vector (SSH-based credential stuffing with exposed management ports) is used across both chains. This operationalises the two LPE vulnerabilities as a "pair" covering different Linux deployment configurations.

(First covered and deep-dived 2026-05-07.) The CISA KEV federal remediation deadline for CVE-2026-0300 is 2026-05-09 — today. Palo Alto Networks has not released a permanent patch for any PAN-OS branch; the earliest patch ETA is 2026-05-13. The mandated mitigation remains: disable the Captive Portal / Authentication Portal feature on internet-facing GlobalProtect gateway interfaces, or restrict access exclusively to trusted internal management IP ranges. PAN-OS 11.1+ deployments should confirm Threat Prevention profile with Threat ID 510019 is active on the internet-facing zone. Organisations that have not yet applied the mitigation should treat this as a P0 action today before business opens.

(First covered 2026-05-06.) The Instructure/Canvas breach has expanded significantly in scope. The threat actor now claims access affecting 330 institutions across six countries, threatening to publish 16 million student and staff records. SURF (the Dutch National Research and Education Network) has confirmed 44 Dutch institutions among the victims. The attacker posted portal defacements at multiple universities and established a 2026-05-12 extortion deadline for ransom payment. Canvas services were taken offline again on 2026-05-07 for emergency patching. European DPAs in the Netherlands and Germany have opened preliminary inquiries into notification timing. Institutions using Canvas should assess GDPR Article 33/34 breach notification obligations before the May 12 deadline.