Threat Newsletter May 18, 2026


This edition covers 21 of the most significant cybersecurity stories from May 11 to May 17, 2026 — spanning zero-day disclosures, ransomware attacks on education and pharma, AI-powered exploits, supply chain compromises, and shifting regulatory landscapes. Each entry includes a three-sentence summary and clear, actionable takeaways.


Shai-Hulud Supply Chain Worm Harvests npm, GitHub, AWS, and Kubernetes Secrets From Developer Environments

On May 11, 2026, the threat group TeamPCP launched the latest wave of the "Mini Shai-Hulud" supply chain campaign, publishing 84 malicious package versions across 42 TanStack npm packages before rapidly spreading to over 170 packages across npm and PyPI — including Mistral AI, UiPath, OpenSearch, and Guardrails AI. What made this attack uniquely dangerous was that the malicious packages carried valid SLSA Build Level 3 provenance attestations and legitimate Sigstore cryptographic signatures, meaning they appeared completely authentic to developers and automated security tooling alike. The self-propagating worm stole credentials by targeting CI/CD tokens, GitHub PATs, AWS/GCP/Azure cloud keys, Kubernetes service account tokens, and even password manager vaults like Bitwarden and 1Password, exfiltrating them through a triple-channel C2 architecture that included a typosquatted domain, the decentralized Session messaging network, and GitHub API dead drops — making it significantly harder to detect and disrupt than conventional supply chain attacks.

Key Takeaways

  • Rotate secrets immediately if your environment pulled any @tanstack, @mistralai, @uipath, or @guardrails-ai packages on May 11, 2026 — treat the machine or CI runner as fully compromised.
  • Cryptographic trust is broken — the malicious packages carried valid SLSA provenance and legitimate Sigstore signatures; signatures alone can no longer be treated as proof of safety.
  • The blast radius is massive — affected packages collectively exceed 518 million downloads, and @tanstack/react-router alone sees over 12 million weekly downloads.
  • Block C2 infrastructure at DNS/proxy level: git-tanstack.com, *.getsession.org, and 83.142.209.194.
  • Check for persistence — the malware installs a background daemon (gh-token-monitor) that survives npm uninstall; check ~/Library/LaunchAgents/ on macOS and ~/.config/systemd/user/ on Linux.
  • Enforce lockfile-only installs and pin all packages to verified SHA hashes to prevent silent auto-updates from pulling in poisoned versions.
  • Auto-updates are a liability — organizations that rely on automated plugin/package updates were hit hardest because the malicious versions were pulled silently with no visible change to build configs.
Shai-Hulud Worm Steals npm, GitHub, AWS, and Kubernetes Secrets From Developers
The Shai-Hulud worm steals GitHub, AWS, npm, and Kubernetes credentials in a massive npm supply chain attack.
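
The two host-level checks from the takeaways above (did a lockfile resolve packages in the named scopes, and is the gh-token-monitor daemon registered for autostart) can be scripted. This is an added example, not code from the newsletter or from any vendor advisory; the sample lockfile, versions and unit file are constructed, and matching on the daemon name in file names or contents is an assumption about how the persistence entry appears.

```python
import json
import sys
import tempfile
from pathlib import Path

# Scopes, daemon name and directories are the ones listed in the takeaways above.
AFFECTED_SCOPES = ("@tanstack/", "@mistralai/", "@uipath/", "@guardrails-ai/")
DAEMON_MARKER = "gh-token-monitor"
PERSISTENCE_DIRS = ("Library/LaunchAgents", ".config/systemd/user")

# Constructed lockfile in the npm lockfileVersion 3 layout; versions and hashes are fake.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/react-router": {
            "version": "0.0.0-example", "integrity": "sha512-constructed"},
        "node_modules/left-pad": {
            "version": "0.0.0-example", "integrity": "sha512-constructed"},
        "node_modules/some-dep/node_modules/@uipath/example-pkg": {
            "version": "0.0.0-example"},
    },
}


def affected_lock_entries(lock: dict) -> list[dict]:
    """Return lockfile entries in an affected scope, noting missing integrity pins."""
    hits = []
    # Lockfile v2/v3 lists every installed copy under "packages", keyed by its
    # node_modules path, so nested (transitive) copies are covered as well.
    for path, meta in lock.get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]
        if name.startswith(AFFECTED_SCOPES):
            hits.append({
                "name": name,
                "version": meta.get("version"),
                "pinned": bool(meta.get("integrity")),
            })
    return sorted(hits, key=lambda h: h["name"])


def find_persistence(home: Path) -> list[Path]:
    """Return autostart files under `home` whose name or content mentions the daemon."""
    found = []
    for rel in PERSISTENCE_DIRS:
        base = home / rel
        if not base.is_dir():
            continue
        for entry in base.rglob("*"):
            if not entry.is_file():
                continue
            try:
                text = entry.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if DAEMON_MARKER in entry.name or DAEMON_MARKER in text:
                found.append(entry)
    return sorted(found)


if __name__ == "__main__":
    # With an argument, read a real package-lock.json; otherwise use the sample.
    lock = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_LOCK
    for hit in affected_lock_entries(lock):
        print("lockfile:", hit)
    # Constructed home directory so the sweep has something to find offline.
    with tempfile.TemporaryDirectory() as tmp:
        unit = Path(tmp, ".config/systemd/user", f"{DAEMON_MARKER}.service")
        unit.parent.mkdir(parents=True)
        unit.write_text("[Service]\nExecStart=/constructed/path\n")
        for path in find_persistence(Path(tmp)):
            print("persistence:", path.relative_to(tmp))
```

On a real host, pass the project's package-lock.json as the argument and call `find_persistence(Path.home())`; a hit from either check means following the rotation guidance above, since the takeaways treat the machine as compromised.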

Patch or Pay: cPanel and WHM Fix Three High-Severity Vulnerabilities

cPanel and WHM have released patches addressing three newly discovered vulnerabilities, two of which carry CVSS scores of 8.8. The flaws, tracked as CVE-2026-29201, CVE-2026-29203, and a denial-of-service variant, expose web hosting control panels to risks including arbitrary file reads, privilege escalation, and denial-of-service conditions. There is no evidence of active exploitation in the wild, but the severity warrants immediate patching given the widespread deployment of cPanel across shared hosting environments.

Key Takeaways

  • Update cPanel/WHM to the latest version immediately.
  • Two of the three flaws scored 8.8 CVSS — treat as critical in production environments.
  • No active exploitation detected, but cPanel flaws are historically weaponized quickly.
  • Review file permission configurations and symlink handling policies as mitigations.
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel patched three vulnerabilities, including two 8.8 CVSS flaws, reducing risks of code execution and privilege escalation.

Trusted Source Turned Trojan: JDownloader's Official Site Delivered Malware

The official JDownloader website was compromised and used to distribute trojanized Windows and Linux installers containing a Python Remote Access Trojan (RAT) between May 6 and May 7, 2026. The attack specifically targeted users who downloaded the Windows 'Alternative Installer' and the Linux shell installer from the legitimate site. JDownloader developers confirmed the breach, temporarily shut down the website, and are currently investigating the full scope of the incident.

Key Takeaways

  • Even trusted, official software download sites can be compromised — always verify hashes.
  • If you downloaded JDownloader installers between May 6–7, treat your machine as potentially compromised.
  • The payload was a Python RAT, granting attackers remote control over infected systems.
  • Supply-chain compromise through official sites is an increasingly common attack vector.
JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers
Attackers compromised the official JDownloader website, replacing legitimate installers with malicious versions targeting both Windows and Linux users.

Europe Pushes Back: EU Plans to Restrict U.S. Cloud Providers for Sensitive Government Data

The European Commission is preparing a 'Tech Sovereignty Package' expected to be unveiled on May 27, 2026, which would restrict EU member-state governments from using U.S.-based cloud providers to process highly sensitive data in sectors such as healthcare, finance, and judicial systems. The core idea, as described by officials, is to mandate that certain sensitive public-sector data be hosted on European cloud infrastructure, reducing exposure to the U.S. CLOUD Act and growing tensions with the Trump administration. The package, which includes the Cloud and AI Development Act and Chips Act 2.0, requires approval from all 27 member states before taking effect.

Key Takeaways

  • U.S. cloud providers (AWS, Azure, Google Cloud) face potential restrictions on EU government contracts.
  • The U.S. CLOUD Act — allowing U.S. law enforcement to access data hosted by American firms — is the cited risk driver.
  • Private sector companies would not be directly affected under the current proposals.
  • Organizations with EU public-sector contracts should assess cloud sovereignty readiness now.
EU weighs restricting use of U.S. cloud platforms to process sensitive government data, sources tell CNBC
There have been increasing calls within Europe for the region’s most critical workloads to diversify away from dominant U.S. cloud providers.

Exams in Chaos: ShinyHunters' Double Breach of Canvas Disrupts Universities Nationwide

The ShinyHunters cybercriminal group breached Instructure's Canvas learning management system twice in two weeks, ultimately affecting over 9,000 educational institutions serving 41% of higher education in North America. The attackers exploited a vulnerability in the Free-For-Teacher account infrastructure to steal 3.6 TB of data encompassing approximately 275 million user records, including names, email addresses, student IDs, and private messages. The second wave on May 7 defaced login pages at hundreds of institutions, forcing universities including Baylor, Princeton, Duke, Ohio State, and Northwestern to take Canvas offline during final exams and subsequently prompting Instructure to negotiate a ransom settlement.

Key Takeaways

  • The breach affected 41% of North American higher education — one of the largest edtech incidents on record.
  • ShinyHunters exploited a Free-For-Teacher support ticket vulnerability, not the core platform.
  • Stolen data included private student-teacher messages — a significant privacy violation.
  • Instructure ultimately reached a ransom agreement with the attackers to secure data destruction.
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak
Instructure paid a ransom after hackers stole 275 million Canvas records, reducing risks of wider extortion and leaks.

Dark Web Déjà Vu: Germany Shuts Down Crimenetwork Reboot, Arrests Administrator in Spain

German authorities, in cooperation with Spanish National Police and Eurojust, shut down a relaunched version of Crimenetwork — the largest German-speaking dark web marketplace — and arrested its suspected 35-year-old administrator in Mallorca under a European arrest warrant. The operator had rebuilt the platform's infrastructure within days of the original December 2024 takedown, quickly attracting 22,000 users and more than 100 vendors offering stolen data, drugs, and forged documents, generating over €3.6 million in revenue. Authorities seized approximately €194,000 in illicit assets along with extensive user and transaction data that will support follow-up investigations against buyers and sellers.

Key Takeaways

  • Dark web markets rebuild fast — Crimenetwork relaunched in days and reached 22,000 users.
  • International coordination (Germany, Spain, Eurojust, Moldova) was key to the takedown.
  • Seized user and transaction data puts buyers and sellers at significant risk of prosecution.
  • The original Crimenetwork admin was sentenced to nearly 8 years — criminal marketplaces do not pay long-term.
Police shut down reboot of Crimenetwork marketplace, arrest admin
German authorities have shut down a relaunch version of the criminal marketplace ‘Crimenetwork’ that generated more than 3.6 million euros, and arrested its operator.

Inside Job Gone Wrong: Virginia Man Convicted for Deleting 96 Federal Government Databases

Sohaib Akhter, 34, of Virginia was found guilty on federal charges for conspiring to delete 96 government databases and stealing an employee's password to access their email account without consent. Akhter and his twin brother Muneem worked for a Washington, D.C.-based company providing software services to more than 45 federal agencies, including the EEOC, and launched their sabotage campaign after both were fired when their prior felony convictions were discovered. Akhter faces up to 21 years in prison at sentencing on September 9, 2026.

Key Takeaways

  • Background checks on employees with access to government data are non-negotiable.
  • Insider threats escalate rapidly after termination — revoke access immediately upon offboarding.
  • The brothers targeted their employer's government clients as retaliation, underscoring the cascading impact of insider attacks.
  • The government contractor had visibility into data for 45+ federal agencies — a significant single point of failure.
Virginia man found guilty of deleting 96 government databases
A Virginia man was convicted on federal charges Thursday after a jury found him guilty of deleting 96 government databases and stealing an individual’s password, leading their email account to be accessed without permission.

AI-Powered Zero-Days Are Here: Google Disrupts First Known AI-Built Mass Exploitation Campaign

Google's Threat Intelligence Group (GTIG) reported on May 11 that it identified and disrupted what appears to be the first documented case of cybercriminals using an AI large language model to discover and weaponize a zero-day vulnerability — a two-factor authentication bypass in a widely used open-source web administration platform. The threat actors planned to use the AI-developed exploit in a mass vulnerability exploitation campaign before Google notified the affected vendor and coordinated a quiet patch. The AI-authored exploit contained hallmarks of LLM output including 'educational docstrings' and a hallucinated CVSS score, suggesting the attack was built largely by machine, though Google stated neither Gemini nor Anthropic's Mythos was the model used.

Key Takeaways

  • The era of AI-driven zero-day exploitation has arrived — this is no longer a theoretical risk.
  • Nation-state groups from China and North Korea are also actively using AI for vulnerability discovery.
  • Even AI-generated exploits contain LLM artifacts (docstrings, hallucinated scores) that can aid attribution.
  • Defenders must now assume threat actors can accelerate exploit development significantly using AI tools.
Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Google Cloud Blog
Explore GTIG’s 2026 report on how adversaries leverage AI for zero-day exploits, autonomous malware, and industrial-scale cyber operations.

Dirty Frag: A Second Major Linux Kernel Flaw Emerges Before Patches Were Ready

A second critical Linux kernel vulnerability, dubbed 'Dirty Frag' and tracked as CVE-2026-43284 and CVE-2026-43500, was publicly disclosed after its responsible disclosure embargo collapsed when an unrelated third party released a working exploit. Discovered by researcher Hyunwoo Kim, the flaw exploits the same area of the Linux kernel as last month's 'Copy Fail' vulnerability, allowing any user with a basic local account to seize full administrative control and escape cloud containers — a critical risk for cloud infrastructure. Red Hat, AlmaLinux, Ubuntu, and other major distributions issued patches within days, but the broken embargo left a dangerous window with no fix available at the moment of disclosure.

Key Takeaways

  • Patch immediately: Red Hat, Ubuntu, AlmaLinux, Debian, and SUSE all have updates or advisories.
  • Both Dirty Frag and Copy Fail originate from the same kernel memory management area — expect more disclosures there.
  • Container escape vulnerabilities are particularly dangerous in multi-tenant cloud environments.
  • AI-assisted research is compressing the discovery timeline for these long-hidden kernel bugs — a 'patch wave' is coming.
Dirty Frag: Linux kernel hit by second major security flaw in two weeks
The issue was found in the same area of the Linux kernel that produced last month’s Copy Fail bug, and also allows anyone with a basic account on an affected computer to seize full administrative control.

The Pipeline Poisoner: TeamPCP Backdoors Checkmarx Jenkins Plugin in Third Supply Chain Strike

The threat actor TeamPCP compromised the Checkmarx Jenkins AST plugin (CVE-2026-33634, CVSS 9.4), publishing a backdoored version to the official Jenkins Marketplace on May 9, 2026, in what represents the group's third successful breach of Checkmarx infrastructure since March. The malicious plugin version (2026.5.09) silently harvested CI runner secrets — including GitHub tokens, AWS/GCP/Azure credentials, and Kubernetes configurations — and exfiltrated them to attacker-controlled infrastructure, with any Jenkins instance that pulled the update during the exposure window considered potentially compromised. TeamPCP leveraged credentials stolen in an earlier supply chain attack on the Trivy vulnerability scanner to maintain persistent access to Checkmarx's GitHub repositories, taunting the company with a defaced repository name reading 'Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now.'

Key Takeaways

  • Check immediately: if your Jenkins environment pulled the Checkmarx plugin between May 9 01:25 UTC and May 10 08:47 UTC, assume compromise.
  • Rotate all secrets accessible from affected Jenkins runners — GitHub PATs, cloud credentials, Kubernetes tokens, SSH keys.
  • Revert to the safe version: 2.0.13-829.vc72453fa_1c16 (December 17, 2025).
TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
TeamPCP compromised a Checkmarx Jenkins plugin in 2026, exposing supply chain security gaps and credential risks.

Shifting Sands: Trump Administration Splits Over Giving Intelligence Agencies a Role in AI Oversight

The Trump administration is sharply divided over a proposal that would give U.S. intelligence agencies greater authority in evaluating advanced AI models, according to sources familiar with discussions, driven by concerns over powerful new AI systems capable of finding and exploiting cybersecurity vulnerabilities at scale. The debate is part of a broader policy reversal — the administration, which had positioned itself as anti-regulation, is now exploring oversight mechanisms in response to models like Anthropic's Mythos that can autonomously hunt for software flaws. The Commerce Department's Center for AI Standards and Innovation (CAISI) has already signed pre-deployment testing agreements with Google DeepMind, Microsoft, and Elon Musk's xAI, marking a significant departure from the earlier laissez-faire approach.

Key Takeaways

  • The Trump administration's anti-regulation stance on AI is softening as national security concerns grow.
  • CAISI (Commerce Department) now has pre-deployment testing agreements with major AI labs.
  • AI models capable of autonomous vulnerability discovery are driving unprecedented policy urgency.
  • Organizations should monitor evolving federal AI governance frameworks that may affect their AI deployments.
Trump administration divided over expanding US spy agencies’ AI role
The Trump administration faces internal divisions over an executive order expanding intelligence agencies’ AI oversight, with implications for crypto markets and privacy.

Ransom Paid, Data Allegedly Destroyed: Instructure Settles with ShinyHunters After Double Breach

Instructure, the maker of Canvas, confirmed on May 11 that it had reached an agreement with the ShinyHunters extortion group following two separate breaches that collectively exposed data from approximately 275 million users across more than 8,800 institutions. The company said it received 'digital confirmation of data destruction (shred logs)' and assurances that no customers would be further extorted, though the financial terms of the deal remain undisclosed — with unconfirmed reports suggesting a payment of around $10 million. Cybersecurity experts warned that there is no reliable way to verify data destruction claims, and that historically, extortion groups often retain copies of stolen data for future use.

Key Takeaways

  • Paying ransom provides no guarantee: data destruction claims cannot be independently verified.
  • The deal 'covers all impacted Instructure customers' — individual institutions should not engage directly with ShinyHunters.
  • ShinyHunters' removal of Instructure from their leak site was interpreted as confirmation payment was made.
  • Edtech platforms holding sensitive student data are high-value targets — security investment must match risk.
Instructure strikes deal with hackers who breached it twice | TechCrunch
The maker of the Canvas school software said it “reached an agreement” with the hackers, but provided no guarantees that the hackers would not release the data or keep their word.

Worm in the Ecosystem: The 'Shai-Hulud' Campaign Poisons TanStack, Mistral AI, and 170+ npm Packages

TeamPCP launched the 'Mini Shai-Hulud' supply chain campaign on May 11, 2026, publishing 84 malicious package versions across 42 TanStack npm packages and rapidly spreading to Mistral AI, UiPath, OpenSearch, Guardrails AI, and over 170 packages total across npm and PyPI. The attack exploited a chain of three GitHub Actions vulnerabilities — a risky pull_request_target workflow, cache poisoning, and runtime OIDC token theft — to publish backdoored packages that carried valid SLSA Build Level 3 provenance attestations, making them cryptographically indistinguishable from legitimate releases. The credential-stealing payload targeted CI/CD tokens, cloud credentials, and developer secrets across Linux environments, with a geofencing mechanism that skipped execution on Russian-language systems, and affected packages had a cumulative download count exceeding 518 million.

Key Takeaways

  • If you pulled @tanstack, @mistralai, @uipath, or @guardrails-ai packages on May 11, rotate all secrets from that environment immediately.
  • Valid SLSA provenance and Sigstore attestations are no longer sufficient indicators of package safety.
  • Block C2 infrastructure: git-tanstack.com, *.getsession.org, and 83.142.209.194 at DNS/proxy level.
  • Enforce lockfile-only installs and pin packages to verified SHA hashes to prevent silent poisoning.
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm packages.
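
The three GitHub Actions weaknesses named above tend to sit in the same workflow file, so a repository can be audited for that combination before it is abused. The lint below is an added example, not code from the newsletter or from the affected projects; both workflows are constructed, the rule names are made up for this sketch, and it matches text per file rather than parsing YAML per job, so treat a finding as a prompt for manual review.

```python
import re

# Strip YAML comments (naive: a '#' at line start or after whitespace).
COMMENT = re.compile(r"(^|[ \t])#.*$", re.M)

# The trigger as it appears under `on:` (scalar, list item or mapping key).
TRIGGER = re.compile(
    r"^\s*(?:on:.*\bpull_request_target\b"
    r"|pull_request_target\s*:"
    r"|-\s*pull_request_target\s*$)",
    re.M,
)

# Rule name -> (pattern, why it matters in a pull_request_target workflow).
RULES = {
    "checkout-pr-head": (
        re.compile(r"\bref:.*(github\.event\.pull_request\.head\.(?:sha|ref)"
                   r"|github\.head_ref|refs/pull/)"),
        "code from the pull request is checked out and can run with the "
        "base repository's token and secrets",
    ),
    "id-token-write": (
        re.compile(r"\bid-token:\s*write\b"),
        "the job can mint an OIDC token, which is what trusted publishing "
        "and provenance signing rely on",
    ),
    "cache-write": (
        re.compile(r"\buses:\s*actions/cache(?:/save)?@"),
        "caches saved by this run land in the base branch's scope, where "
        "release workflows may restore them",
    ),
}

# Constructed workflow showing all three conditions together.
RISKY_WORKFLOW = """\
name: benchmark-pr
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  id-token: write
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm run bench
"""

# Constructed counterpart: untrusted code is built under `pull_request`,
# which gives fork PRs a read-only token and no repository secrets.
SAFER_WORKFLOW = """\
name: benchmark-pr
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run bench
"""


def audit_workflow(text: str) -> list[str]:
    """Return the rule names that fire; empty unless the file triggers on
    pull_request_target, because that trigger is what lends privileges."""
    body = COMMENT.sub("", text)
    if not TRIGGER.search(body):
        return []
    return [name for name, (pattern, _why) in RULES.items() if pattern.search(body)]


if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("safer", SAFER_WORKFLOW)):
        findings = audit_workflow(wf)
        print(label, "->", findings or "no findings")
        for name in findings:
            print("   ", name + ":", RULES[name][1])
```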

Green Light for Green Bubbles: Apple and Google Enable End-to-End Encrypted RCS Messaging

Apple began rolling out end-to-end encrypted (E2EE) Rich Communication Services (RCS) messaging in beta with iOS 26.5 on May 11, 2026, with Google confirming a matching Android-side rollout via Google Messages — the first time cross-platform encrypted messaging has been available between iPhone and Android at the carrier RCS level. The implementation uses the IETF Messaging Layer Security (MLS) protocol as defined in the GSMA's RCS Universal Profile 3.0, with encryption enabled by default and indicated by a lock icon in the chat interface. For security teams, the development simultaneously reduces interception risk for legitimate communications while potentially creating a new blind spot for enterprise content monitoring and phishing detection over RCS channels.

Key Takeaways

  • End-to-end encrypted RCS is now rolling out between iPhone and Android — a major privacy win for users.
  • Enterprise security teams should update mobile threat monitoring strategies to account for E2EE RCS traffic.
  • The MLS protocol is the new cross-platform encryption standard — understand its capabilities and limitations.
  • This change shifts interoperability from plaintext SMS to encrypted messaging — smishing attack surfaces may evolve.
Finally, texts between Android and iPhone users can be end-to-end encrypted | TechCrunch
Google had urged Apple for years to support RCS texting to make communication between each company’s devices more seamless.

Pharmaceutical Paralysis: West Pharmaceutical Services Hit by Ransomware, Global Operations Disrupted

West Pharmaceutical Services, a Pennsylvania-based global manufacturer of injectable drug delivery systems used by the world's top pharmaceutical and biotech companies, disclosed a ransomware attack that occurred on May 4, 2026, in an 8-K SEC filing on May 7. Attackers exfiltrated data before encrypting systems, forcing a global shutdown and isolation of on-premise infrastructure that temporarily disrupted shipping, receiving, and manufacturing operations worldwide, with Palo Alto Networks' Unit 42 engaged for incident response. No ransomware group has publicly claimed responsibility — a potential sign that ransom negotiations occurred — and the company has not confirmed the type or scope of data stolen.

Key Takeaways

  • Ransomware attacks on pharmaceutical supply chain vendors create downstream risks for drug manufacturing schedules.
  • West filed an 8-K with the SEC — organizations meeting materiality thresholds have mandatory disclosure obligations.
  • The absence of a public ransomware claim may indicate ransom payment or active negotiations.
  • Critical manufacturing sector organizations must ensure OT/IT network segmentation to contain similar incidents.
West Pharmaceutical says hackers stole data, encrypted systems
West Pharmaceutical Services disclosed that it was the target of a cyberattack that resulted in data exfiltration and system encryption.

YellowKey and GreenPlasma: Unpatched Windows Zero-Days Put BitLocker-Protected Drives at Risk

A researcher using the aliases Chaotic Eclipse and Nightmare Eclipse publicly released proof-of-concept exploits for two unpatched Windows vulnerabilities — YellowKey, a BitLocker bypass enabling access to encrypted drives via the Windows Recovery Environment, and GreenPlasma, a privilege escalation to SYSTEM via the CTFMON framework — following frustration with Microsoft's handling of prior disclosures. YellowKey exploits crafted FsTx files on a USB drive to trigger a privileged command shell during boot recovery on TPM-only BitLocker configurations (Windows 11 and Server 2022/2025), and the researcher subsequently confirmed the flaw also works in TPM+PIN environments, though that exploit has not been publicly released. Microsoft has not yet shipped a patch, and the researcher hinted at a 'big surprise' for Microsoft coinciding with the June Patch Tuesday.

Key Takeaways

  • Immediately enable BitLocker PIN at startup (TPM+PIN) as the primary available mitigation.
  • TPM-only BitLocker configurations — the enterprise default — are fully vulnerable to the released PoC.
  • Consider disabling Windows Recovery Environment (WinRE) on high-sensitivity endpoints as an additional control.
  • Physical access to the target device is required — prioritize physical security for laptops and endpoints in public-facing environments.
What YellowKey and GreenPlasma zero-day exploits reveal about trusting native Windows security | ThreatLocker Blog
Newly disclosed Windows zero-days expose a recurring security challenge: Organizations optimize heavily for remote compromise and underestimate the risks of physical access and trusted native components.

Machines Finding What Humans Missed: Microsoft's MDASH AI Uncovers 16 Critical Windows Flaws

Microsoft's new autonomous code security system, codenamed MDASH, discovered 16 previously unknown vulnerabilities in the Windows networking and authentication stack — including four critical remote code execution flaws — all of which were patched in the May 12, 2026 Patch Tuesday release. The system, developed by Microsoft's Autonomous Code Security team, orchestrates more than 100 specialized AI agents across multiple AI models to scan source code, validate findings, and construct triggering inputs before any human review, and has raised its score on the standard cybersecurity AI benchmark from approximately 15% to 88.45% in a single year. Among the critical findings were CVE-2026-33827, a remote unauthenticated use-after-free in the Windows IPv4 stack, and CVE-2026-33824, a pre-authentication double-free in IKEEXT affecting RRAS VPN, DirectAccess, and Always-On VPN deployments, both with CVSS scores of 9.8.

Key Takeaways

  • Deploy the May 12 Patch Tuesday updates immediately — 16 of the 120 CVEs were found by Microsoft's own AI.
  • AI-powered vulnerability hunting is compressing the window between discovery and patching — organizations must accelerate patch cadence.
  • Both attackers and defenders are now using AI to find bugs; the defender side is catching up.
  • MDASH enters private enterprise preview next month — watch for opportunities to adopt AI-assisted vulnerability detection.
Microsoft’s MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
Microsoft’s new MDASH AI system found 16 Windows vulnerabilities fixed in this month’s Patch Tuesday, including 2 RCE flaws in IKEv2 and TCP/IP.

AI Agents, Meet SQL Injection: Three Serious MCP Database Flaws Discovered, One Left Unpatched

Security researcher Tomer Peled of Akamai discovered three significant vulnerabilities in Model Context Protocol (MCP) servers for popular database platforms: a SQL injection flaw in Apache Doris MCP (CVE-2025-66335), an unauthenticated SQL injection pathway in Apache Pinot MCP, and an information disclosure vulnerability in Alibaba RDS MCP that allows unauthenticated exfiltration of schema metadata. Apache issued a patch and CVE for Doris MCP, an open GitHub ticket exists for Pinot, but Alibaba declined to patch the vulnerability in its RDS MCP server, leaving customers exposed. The findings reveal a systemic absence of baseline security controls in MCP server implementations, with SQL injection, missing authentication, and insufficient query validation appearing across multiple independent projects.

Key Takeaways

  • MCP servers lack standardized security baselines — treat any MCP database integration as potentially vulnerable.
  • Alibaba declined to patch its RDS MCP flaw — users should implement compensating controls or avoid the tool.
  • Update Apache Doris MCP Server to version 0.6.1 or later immediately.
  • AI agents connecting to databases via MCP represent a significant new attack surface requiring dedicated security review.
Bug hunter tracks down three massive MCP flaws and one vendor won’t fix theirs
Apache, Alibaba databases vulnerable and only one has a patch

Turnabout Is Fair Play: Ransomware Gang 'The Gentlemen' Suffers Internal Data Leak

An anonymous group breached the internal backend database of 'The Gentlemen,' the second most prolific ransomware-as-a-service operation globally in 2026, leaking approximately 44 MB of internal communications, tooling data, and operational details to underground forums on or around May 4. Check Point Research analyzed the leaked data, revealing the group is run by approximately nine named operators led by an administrator known as 'zeta88,' who personally participates in live encryption events and built the group's RaaS admin panel in three days using AI coding assistants including DeepSeek and Qwen. The leak exposed the group's 90/10 affiliate revenue split, attack infrastructure, TTPs including chain-victimization tactics, and internal communications dating back six months — providing defenders with unprecedented insight into a top-tier ransomware operation.

Key Takeaways

  • Leaked TTPs show The Gentlemen gains initial access almost exclusively through unpatched internet-facing devices — patch edge appliances urgently.
  • The group used stolen data from one victim to attack that victim's clients — a documented chain-victimization tactic.
  • AI coding tools are being used by ransomware developers to accelerate malware and infrastructure development.
  • Even sophisticated criminal organizations have OPSEC failures — but the group is expected to continue operating.
Tables Turned: Gentlemen Ransomware Group Suffers Data Leak
Ransomware group The Gentlemen, a relative newcomer to the cybercrime scene, suffered a leak of its internal communications, revealing previously non-public

Confirmed: M&S Customer Data Stolen in April Ransomware Attack

Marks & Spencer confirmed on May 13, 2026, that personal customer data was stolen in the ransomware attack first disclosed in April 2025, with compromised information including customer names, birth dates, home and email addresses, phone numbers, household details, and online purchase histories. The company stated that usable payment or card details were not compromised as they are not stored in their systems, and that there is 'no evidence that this data has been shared,' while simultaneously resetting all online account passwords as a precaution. The attack, attributed to the DragonForce ransomware group and linked to a broader campaign that also hit UK retailer Co-op, has been categorized as a Category 2 event by the UK Cyber Monitoring Center with estimated financial impact between £270 million and £440 million.

Key Takeaways

  • M&S customers should reset passwords, enable MFA, and monitor for phishing attempts using their leaked personal details.
  • The attack's financial impact is estimated at £270M–£440M — one of the costliest UK retail cyber incidents on record.
  • DragonForce used the same TTPs against M&S and Co-op — coordinated campaigns against retail sector should be assumed.
  • The attack exploited weaknesses in identity and access controls — MFA and third-party access management are critical controls.
Marks & Spencer confirms customer data stolen in cyberattack
M&S said that some customer data — but not payment card details or passwords — had been breached in a recent cyberattack.

Slopsquatting: How AI Hallucinations Are Creating Real-World Software Supply Chain Threats

A growing threat dubbed 'slopsquatting' exploits the tendency of AI coding assistants to hallucinate non-existent software package names, enabling attackers to pre-register those fictional names in public repositories and wait for developers to inadvertently install the malicious packages. Research testing 16 code-generation LLMs across 756,000 code samples found that approximately 20% of recommended packages were fabricated, with 43% of hallucinated package names being consistently repeated across multiple queries — making the threat systematic rather than random. The risk has grown more acute as supply chain attacks like the Shai-Hulud campaign demonstrate that attackers are actively targeting developer tooling, and AI-assisted coding is increasingly integrated into enterprise CI/CD pipelines with limited dependency validation.

Key Takeaways

  • Never blindly install AI-suggested packages — verify every dependency against official registry listings.
  • Integrate dependency scanners and SBOMs into CI/CD pipelines to catch hallucinated or malicious packages pre-production.
  • Approximately 1-in-5 AI-suggested package names may not exist — a significant attack surface in high-velocity development environments.
  • Enforce lockfile-only installs and require cryptographic package verification to mitigate the risk.
How AI Hallucinations Are Creating Real Security Risks
AI hallucinations are confident but false outputs that pose major security risks. Learn how they impact threat detection and how to mitigate them.
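
The first and last takeaways above combine into a pre-install gate: every name in a proposed requirements file must appear in an index the team has already vetted, and must be pinned with a hash. This is an added example, not code from the newsletter or the cited research; the approved set, the sample requirements, the package name example-hallucinated-pkg and the hash are constructed.

```python
import re

FAKE_HASH = "sha256:" + "a" * 64  # constructed, not a real digest

# Constructed: a dependency list pasted from an assistant's answer.
SAMPLE_REQUIREMENTS = (
    "# constructed sample\n"
    "requests==2.31.0 \\\n"
    f"    --hash={FAKE_HASH}\n"
    "Flask_Caching>=2.0\n"
    "example-hallucinated-pkg==0.1.0\n"
)

# Constructed: names the team has reviewed and mirrors internally.
APPROVED = {"requests", "Flask-Caching"}

# name, optional [extras], optional ==version
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?")


def normalize(name: str) -> str:
    """PEP 503 normalization, so Flask_Caching and flask-caching compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[dict]:
    """Parse name, exact pin and --hash options from pip requirements text."""
    joined = re.sub(r"\\\r?\n", " ", text)  # fold backslash continuations
    reqs = []
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a global option such as -r / --index-url
        match = REQ.match(line)
        if not match:
            continue  # URLs and local paths are out of scope for this gate
        reqs.append({
            "name": normalize(match.group(1)),
            "version": match.group(2),  # None unless pinned with ==
            "hashes": re.findall(r"--hash=(sha256:[0-9a-f]{64})", line),
        })
    return reqs


def gate(text: str, approved: set[str]) -> dict[str, list[str]]:
    """Map each failing requirement to the reasons it must not be installed."""
    vetted = {normalize(name) for name in approved}
    problems = {}
    for req in parse_requirements(text):
        issues = []
        if req["name"] not in vetted:
            # A name nobody has reviewed is the slopsquatting case: it may be
            # hallucinated, or registered by someone waiting for this install.
            issues.append("not-in-approved-index")
        if req["version"] is None:
            issues.append("unpinned")
        if not req["hashes"]:
            issues.append("no-hash")
        if issues:
            problems[req["name"]] = issues
    return problems


if __name__ == "__main__":
    for name, issues in gate(SAMPLE_REQUIREMENTS, APPROVED).items():
        print(f"BLOCK {name}: {', '.join(issues)}")
```

At install time, `pip install --require-hashes -r requirements.txt` enforces the pin-and-hash half of this check; the approved-index half is the part that addresses hallucinated names.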
