ctipilot.ch


Looking ahead — 2026-W21

notable outlook discovered 2026-05-18 05:00 UTC

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

Items already in motion at the close of 2026-W21. Not predictions — each links to the in-motion reporting underneath.

  • GitHub's fuller post-incident report on the internal-repo breach is still outstanding. GitHub's 2026-05-20 blog committed to a fuller report; the open questions are the full scope of the ~3,800 exfiltrated internal repos and whether any contained credentials or customer-impacting material. (GitHub Security Blog)
  • Shai-Hulud wave-6 candidate registries — Cargo (Rust) and Maven (Java). The OIDC-token-reuse propagation primitive is registry-agnostic; with the worm now open-sourced and commoditised, Cargo and Maven are the un-hit major ecosystems. Pre-stage Sigstore/provenance-anomaly hunts in Rust and Java dependency pipelines. (CSA research note)
  • EU 20th-package "managed security services" scope guidance, and SECO confirmation of Swiss transposition. No European Commission interpretive guidance on the managed-security-services definition was published as of 24 May; SECO confirmation of whether Switzerland's 22 May adoption includes the MSS prohibition specifically is the open compliance question for CH providers. (Greenberg Traurig)
  • PAN-OS CVE-2026-0300 wave-2 patch builds scheduled ~2026-05-28. Remaining build streams finish the staged patch arc; audit for attacker-created rogue admin accounts before patching wipes implant artefacts. (Palo Alto PSIRT; daily 2026-05-18)
  • Windows YellowKey / GreenPlasma / MiniPlasma cluster — June 2026 Patch Tuesday (~2026-06-10) is the expected first fix. Three public PoCs, no out-of-band release; until then BitLocker PIN/Network-Unlock GPOs and ctfmon.exe-injection WDAC rules are the only controls. (MSRC CVE-2026-45585; daily 2026-05-20)
  • Sparx Enterprise Architect chain and ChromaDB CVE-2026-45829 remain unpatched. Both carry public PoCs with no vendor fix; watch for the patches and, in the interim, keep both off the public internet behind authenticated access. (CERT-PL; daily 2026-05-21)
  • GTIG UNC6671 "BlackFile" probable rebrand. The DLS went offline with a shutdown message; no successor brand had emerged by week-end. Watch for a new leak-site reusing the vishing → AiTM → rogue-MFA → SharePoint-exfiltration TTP set. (daily 2026-05-23)
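For the Windows YellowKey / GreenPlasma / MiniPlasma item above, the only interim control named is a BitLocker PIN or Network Unlock requirement pushed by GPO. A policy that requires a pre-boot factor does not by itself add that factor to volumes that were encrypted TPM-only earlier, so the useful check is on the volume's actual key protectors rather than on the GPO. The following is an added example written for this brief, not code from ctipilot.ch, Microsoft or any vendor cited here; it uses the standard BitLocker PowerShell module (Get-BitLockerVolume and its KeyProtectorType values), and the function name, output columns and the set of accepted protector types are this example's own choices.

```powershell
# Added example (not from the brief or from Microsoft): list the key protectors on
# each OS volume and flag hosts that still rely on a bare TPM protector, i.e. where
# the PIN / Network Unlock policy has not produced a pre-boot factor yet.
# Assumes the BitLocker module is present and the shell is elevated.

function Test-PreBootProtector {
    [CmdletBinding()]
    param(
        # Protector types that add a factor beyond the TPM at boot. Assumed policy
        # choice for this example; adjust to what the GPO actually mandates.
        [string[]]$AcceptedTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmNetworkKey')
    )

    $osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }

    foreach ($vol in $osVolumes) {
        # KeyProtectorType is an enum; normalise to strings for comparison.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBootFactor = (@($types | Where-Object { $AcceptedTypes -contains $_ })).Count -gt 0

        $finding = if (-not $hasPreBootFactor) {
            'TPM-only: add a TpmPin or TpmNetworkKey protector'
        } elseif ($vol.ProtectionStatus -ne 'On') {
            'Protector present but protection is suspended or off'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            MountPoint    = $vol.MountPoint
            ProtectionOn  = ($vol.ProtectionStatus -eq 'On')
            Protectors    = ($types -join ',')
            PreBootFactor = $hasPreBootFactor
            Finding       = $finding
        }
    }
}

# Usage: run elevated on one endpoint, or wrap in Invoke-Command to sweep a fleet
# and export the objects to CSV for the patch-readiness tracker.
Test-PreBootProtector | Format-Table -AutoSize
```

A host reported as TPM-only needs a protector added (for example with Add-BitLockerKeyProtector) before the GPO can be considered effective for it; a host with the protector present but ProtectionOn false is typically mid-suspend after a firmware or OS update and should be re-checked rather than counted as compliant.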