Briefing
og security news briefs

Executive Summary

The week of May 11, 2026 presents an elevated and broadly distributed threat landscape requiring immediate attention across multiple operational domains. The SCC pipeline processed 74 intelligence items this week, including 6 critical-severity CVEs with CVSS scores of 9.0 or higher, 4 CISA KEV-listed vulnerabilities, and 18 active campaigns spanning nation-state espionage, supply chain compromise, ransomware, and AI infrastructure attacks. Three distinct supply chain compromises—JDownloader, DAEMON Tools, and a typosquatted Hugging Face repository delivering ValleyRAT—demand emergency response on developer and end-user endpoints. The Instructure Canvas breach remains the week’s highest-impact data incident, with ShinyHunters claiming 275–330 million education records and executing portal defacements across 330+ institutions during active final exam periods; every organization operating Canvas must treat credentials as compromised until formally cleared by Instructure. AI infrastructure emerged as a dominant attack surface this week: the Ollama framework carries four separate vulnerabilities (Bleeding Llama, CVE-2026-7482, CVE-2026-42248, CVE-2026-42249) enabling unauthenticated memory theft and persistent code execution on widely deployed LLM serving infrastructure, while a Silver Fox/Hugging Face campaign achieved 244,000 downloads of a ValleyRAT-delivering fake OpenAI model in 18 hours. Nation-state actors remain highly active—MuddyWater’s false-flag Chaos ransomware campaign, UAT-8302/Earth Alux China-nexus espionage, and ScarCruft’s Android supply chain attack all require defensive posture reviews. Two KEV deadlines have passed or are imminent: CVE-2026-6692 (Slider Revolution) and CVE-2026-44742 (Postorius XSS). The Dirty Frag Linux kernel zero-day (CVE-2026-43284/43500) has no patch on most major distributions and grants deterministic root access—immediate compensating controls are required.

Critical Action Items

  1. JDownloader Supply Chain Compromise — Python RAT Deployment
    Affected: JDownloader Windows and Linux installers from AppWork GmbH (approx. May 6–7, 2026). No CISA KEV. Immediately block outbound connections to parkspringshotel[.]com, auraguest[.]lk, and checkinnhotels[.]com at perimeter and DNS. Isolate any host that installed JDownloader during the exposure window. Re-download only from the official source after verifying installer hash. Remove Python RAT persistence artifacts (systemd services, shell profile modifications).
  2. ValleyRAT via Hugging Face Typosquat (Silver Fox / SCC-CAM-2026-0301)
    Affected: Windows developer and ML workstations that accessed huggingface.co/Open-OSS/privacy-filter. No CISA KEV. Audit developer workstations and CI/CD runners immediately. Isolate any system that pulled the repository. Block C2 infrastructure per HiddenLayer Research IOCs. Rotate all browser-stored credentials, Discord tokens, and crypto wallet keys on any confirmed-infected host. Rebuild from known-good images.
  3. Ollama Critical Vulnerabilities (CVE-2026-7482, CVE-2026-42248, CVE-2026-42249 + Bleeding Llama)
    Affected: Ollama prior to 0.17.1 (all platforms); Ollama for Windows 0.12.10–0.22.0. No CISA KEV. Block inbound TCP/11434 from all untrusted sources immediately. Upgrade to 0.17.1+ for CVE-2026-7482. Mitigate Windows path-traversal persistence issues (CVE-2026-42248/42249) via localhost-only binding and disabled auto-update pending a patch. Rotate all secrets accessible to the Ollama process.
  4. Instructure Canvas Breach — ShinyHunters (Multiple SCC-DBR items)
    Affected: All Canvas LMS tenants globally (~15,000 institutions, 275–330M records claimed). No CISA KEV. Treat all Canvas credentials as compromised. Rotate all API keys, OAuth tokens, and service account credentials integrated with Canvas. Audit IdP logs for anomalous Canvas SSO events. Request written scope confirmation from Instructure. Assess FERPA breach notification obligations immediately.
  5. Ivanti EPMM Active RCE Exploitation (CVE-2026-6973 + bundle)
    Affected: Ivanti EPMM on-premises prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. CVE-2026-6973 confirmed actively exploited. Patch immediately to the applicable fixed version. Restrict EPMM management interface to trusted IP ranges at the perimeter. Rotate all service account credentials and certificates post-patch. Monitor for unauthorized device re-enrollments.
  6. CISA KEV: Slider Revolution File Upload (CVE-2026-6692)
    Affected: ThemePunch Slider Revolution for WordPress 7.0.0–7.0.10; patched in 7.0.11. CISA KEV listed. Update immediately via WordPress dashboard or WP-CLI. Scan wp-content/uploads/ for PHP webshells. Review access logs for POST requests to wp-admin/admin-ajax.php with RevSlider action parameters. Rotate WordPress admin credentials if exploitation is suspected.
  7. Dirty Frag Linux Kernel Zero-Day (CVE-2026-43284 + CVE-2026-43500)
    Affected: All major Linux distributions (Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, Fedora) — algif_aead, xfrm-ESP, RxRPC modules. No patch on most distros (AlmaLinux fix candidate published May 7). No CISA KEV. Unload affected modules immediately (modprobe -r algif_aead and equivalents). Restrict local shell access to authorized accounts. Monitor for privilege escalation from non-root to UID 0. Apply patches as they become available per distribution.
  8. PAN-OS Zero-Day Active Exploitation (CVE-2026-0300)
    Affected: Palo Alto Networks PAN-OS PA-Series and VM-Series (User-ID Authentication Portal / Captive Portal). CISA KEV listed — deadline was May 9, 2026. No patch available. Immediately disable or restrict internet access to the Authentication Portal and Captive Portal interfaces. Monitor for web shell indicators (T1505.003) and anomalous process spawning from portal services. Apply vendor patch immediately upon release.

Key Security Stories

Silver Fox Deploys ValleyRAT via Fake OpenAI Model — 244K Downloads in 18 Hours

The China-linked Silver Fox threat actor published a typosquatted repository on Hugging Face impersonating an OpenAI privacy-filtering model under the account “Open-OSS.” The repository, huggingface.co/Open-OSS/privacy-filter, accumulated approximately 244,000 downloads in an 18-hour window before detection and removal. The payload chain uses a Rust-based loader that employs a dead-drop resolver via json.extendsclass.com (JSON Keeper) before fetching the ValleyRAT/Winos 4.0 remote access trojan. ValleyRAT targets Windows systems and harvests credentials from Chromium and Gecko-based browsers, Discord, cryptocurrency wallet extensions, and FileZilla. The malware employs sandbox evasion (T1497), UAC bypass (T1548.002), AMSI/ETW tampering (T1562.001), and scheduled task persistence (T1053.005).

This campaign is notable for its scale and speed: the ML community’s trust in the Hugging Face platform was weaponized, and the download volume means a large number of developer and data science workstations are potentially compromised. The loader performs virtualization/sandbox checks before deploying, and the dead-drop resolver pattern makes early network-layer detection difficult. Any developer environment or CI/CD pipeline runner that pulled this repository must be treated as fully compromised. Credential rotation alone is insufficient on confirmed-infected hosts; rebuilding from known-good images is the recommended remediation path per HiddenLayer Research.

For confirmed IOC values (hashes, C2 domains, IPs), retrieve directly from HiddenLayer Research’s published report. The dead-drop domain json.extendsclass.com is a shared legitimate service — verify against the HiddenLayer report before blocking to avoid collateral impact. Source: HiddenLayer Research; SCC-CAM-2026-0301.

JDownloader Supply Chain Attack Deploys Modular Python RAT Across Windows and Linux

Attackers compromised the JDownloader official distribution infrastructure and served trojanized installers for both the Windows alternative installer and the Linux shell installer during approximately May 6–7, 2026. The attack chain delivers a modular Python-based remote access trojan that establishes persistence via systemd services (Linux, T1543.002) and achieves privilege escalation through setuid binary abuse (T1548.001) and shell configuration modification (T1546.004). Three confirmed C2 domains were identified: parkspringshotel[.]com, auraguest[.]lk, and checkinnhotels[.]com. Communication uses encoded payloads over HTTP (T1132).

This is a high-confidence supply chain compromise (T1195.002) of a widely used download manager with a significant end-user base. The modular RAT design complicates partial remediation — incident responders should treat any compromised host as requiring full OS reinstallation rather than app-level removal. On Linux, the installer modifies shell initialization files and creates systemd persistence; standard file-based cleanup leaves footholds in place.

Block the three confirmed C2 domains at DNS and perimeter firewall immediately. Any host where a JDownloader installer executed during the exposure window should be quarantined and rebuilt. Re-download JDownloader only from the official source after confirming the site has been remediated, and verify installer hash against vendor-published checksums. Source: Multiple threat intelligence feeds; SCC-CAM-2026-0297.

Instructure Canvas: ShinyHunters Breach, Defacement, and Ransomware — Education Sector Under Siege

The week’s most operationally disruptive incident involves a multi-phase attack on Instructure’s Canvas LMS platform. ShinyHunters claims persistent access to the platform and exfiltration of approximately 275–330 million records spanning 8,800–15,000 institutions. The attack included defacement of approximately 330 Canvas portal login pages on May 7, 2026, displaying ransom demands. A separate item attributes a ransomware component that disrupted Canvas services during college final examination periods, forcing manual exam administration at multiple universities including the University of Minnesota, University of St. Thomas, and Columbia University.

The attack methodology, consistent with ShinyHunters’ historical tradecraft, involved credential-based initial access (T1078), bulk API data exfiltration (T1530, T1567), account manipulation for persistence (T1098), and ultimately portal defacement (T1491.002). The claimed data set includes student and educator PII, email addresses, academic records, and potentially credentials. The 275M record claim has not been independently verified by Instructure as of available reporting; however, Instructure has confirmed a security incident affecting the platform.

Every organization operating Canvas must immediately rotate all API tokens, OAuth credentials, and service account credentials. Audit IdP logs for anomalous authentication events during the May 1–7, 2026 window. Assess FERPA notification obligations — the scale of the claimed breach almost certainly triggers notification requirements for affected educational institutions. Do not wait for Instructure’s final determination before initiating internal review. Sources: Star Tribune, BleepingComputer, multiple SCC-DBR items (SCC-DBR-2026-0112 through SCC-DBR-2026-0120).

Ollama AI Infrastructure: Four Vulnerabilities Enable Unauthenticated Memory Theft and Windows Persistence

Ollama, one of the most widely deployed open-source LLM serving frameworks, has four significant vulnerabilities disclosed this week. CVE-2026-7482 (CVSS 9.5) is an out-of-bounds read in GGUF file handling that enables unauthenticated memory disclosure — dubbed “Bleeding Llama” by Cyera Research — potentially exposing model weights, API keys, and system prompts held in heap memory. CVE-2026-42248 and CVE-2026-42249 affect Ollama for Windows versions 0.12.10–0.22.0 and enable path-traversal-based code execution with persistence via the auto-update mechanism and Windows startup entries. CVE-2026-7482 is patched in version 0.17.1; the Windows path-traversal issues have no patch as of this writing.

The exposure is material: Ollama’s default configuration binds to all interfaces on TCP/11434 without authentication, and organizational deployments of AI infrastructure frequently lack the network segmentation applied to traditional web services. Heap-resident secrets (API keys, proprietary system prompts, model weights) should be treated as potentially compromised on any Ollama instance that was internet-accessible before patching. There is no reliable log-based detection for heap-read exploitation — assume exposure if the instance was reachable from untrusted networks.

Prioritize network-layer remediation first: block all external access to TCP/11434. Upgrade to 0.17.1 immediately. For Windows deployments, implement localhost-only binding and disable the auto-update mechanism pending a vendor fix for CVE-2026-42248/42249. Add Ollama to your vulnerability management inventory if not already tracked. Sources: CERT/CC VU#518910, Cyera Research; SCC-CVE-2026-0152, SCC-CVE-2026-0153.
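The exposure check described above, as an added example (not code from the briefing or from the Ollama project): it parses `ss -ltn` output and flags any listener on TCP/11434 bound beyond loopback. The sample output is constructed, and the four-column-prefix layout of `ss` is assumed.

```python
import ipaddress
import subprocess

OLLAMA_PORT = 11434  # TCP port named in the briefing

# Constructed sample of `ss -ltnH` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:11434 *:*
LISTEN 0 4096 [::]:11434 [::]:*
LISTEN 0 4096 [::1]:11434 [::]:*
LISTEN 0 4096 192.0.2.10:11434 0.0.0.0:*
"""


def split_host_port(local):
    """Split the 'Local Address:Port' column, handling [v6]:port and %scope."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]
    return host, port


def is_loopback(host):
    """True only for addresses that parse and are loopback (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' or anything unparseable is treated as exposed


def exposed_listeners(ss_output, port=OLLAMA_PORT):
    """Return local address:port strings listening on `port` beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, listen_port = split_host_port(fields[3])
        if listen_port == str(port) and not is_loopback(host):
            findings.append(fields[3])
    return findings


if __name__ == "__main__":
    try:
        output = subprocess.run(
            ["ss", "-ltnH"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT  # fall back to the constructed sample
    for addr in exposed_listeners(output):
        print(f"TCP/{OLLAMA_PORT} reachable beyond loopback: {addr}")
```

A clean result only shows the local bind; a host firewall or perimeter rule is still needed where the service must stay on a routable interface.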

MuddyWater Deploys Chaos Ransomware as Intelligence False Flag via Microsoft Teams

Iran’s MuddyWater (MOIS-linked, MITRE ATT&CK G0069) has adopted a sophisticated deception strategy: deploying the Chaos ransomware as a false flag to obscure the underlying espionage objective. The campaign uses Microsoft Teams as the initial social engineering vector, impersonating IT support staff via external tenant messaging to induce targets into installing legitimate remote access tools (Quick Assist, AnyDesk, DWAgent) and ultimately deploying Chaos ransomware alongside persistent backdoor implants. Code-signed tooling and masquerading (T1553.002, T1036) complicate attribution at the endpoint level.

The operational significance is that standard ransomware incident response — focused on decryption and recovery — misses the primary objective of credential theft and espionage. Organizations that experience what appears to be a Chaos ransomware incident should simultaneously investigate for T1003 (credential dumping), T1560 (data staging), and C2 beaconing consistent with MuddyWater’s documented infrastructure (MITRE ATT&CK G0069). Rapid7’s campaign analysis published specific IOCs including Chaos ransomware hashes and MuddyWater C2 domains; retrieve these from the Rapid7 advisory before operationalizing.

Immediate mitigations: audit Microsoft Teams external access settings and restrict cross-tenant messaging to approved domains. Block Quick Assist (msra.exe) execution for non-IT users via EDR or application control policy. Enhance detection for T1566.004 (spearphishing voice) scenarios. Sources: Rapid7; SCC-CAM-2026-0281, SCC-CAM-2026-0292.

Earth Alux / UAT-8302: China-Nexus APT Expands Multi-Continent Government Espionage

Two overlapping items this week document the expansion of a China-aligned APT cluster operating shared tooling across multiple threat groups. UAT-8302 (tracked separately by Cisco Talos) and Earth Alux (tracked by Trend Micro, with March 2025 primary research) are assessed as related or sharing a tool development pipeline. The toolset includes VARGEIT and COBEACON backdoors deployed via exploitation of internet-facing applications (T1190), with C2 using standard application-layer protocols over HTTP/S to blend with legitimate traffic. Targeted sectors include government, technology, logistics, manufacturing, and telecommunications across South America and southeastern Europe, with coverage now expanding.

The UAT-8302 campaign documented by Cisco Talos specifically abuses Microsoft OneDrive and the MS Graph API as C2 channels (T1102.002, T1567.002), a technique that severely limits traditional network-based detection. The campaign also targets Azure AD Connect / Entra ID Connect servers — a critical chokepoint in hybrid identity environments — enabling credential harvesting at scale. CVE-2025-0994 (EPSS 74.86%, in the top 1% of all CVEs) was exploited in the UAT-8302 campaign.

Organizations in targeted sectors should immediately audit MS Graph API application permissions for unauthorized consent grants and review Azure AD Connect server authentication logs. Retrieve VARGEIT/COBEACON IOCs directly from Trend Micro’s March 2025 research publication. Map detection coverage against the 28 MITRE ATT&CK techniques documented across these two items. Sources: Cisco Talos, Trend Micro; SCC-CAM-2026-0298, SCC-CAM-2026-0273, SCC-TAC-2026-0014.

Claude.ai Shared Chats Weaponized for MacSync Infostealer Delivery via Malvertising

A novel malvertising campaign exploited the Claude.ai shared chat and Artifacts feature as a payload delivery rail for the MacSync infostealer targeting macOS users. The attack chain begins with sponsored Google Search results for Claude AI terms, routes through claude.ai/artifacts/* URLs, and terminates in download of a memory-resident, polymorphic macOS infostealer. MacSync targets the macOS Keychain (T1555.001), browser credential stores across Chrome, Firefox, Safari, and Brave (T1555.003), session cookies (T1539), and performs exfiltration over C2 (T1041).

The payload’s memory-resident and polymorphic nature makes post-compromise cleanup unreliable; re-imaging is the recommended remediation for confirmed-infected hosts. The attack is particularly insidious because it exploits user trust in the claude.ai domain — the download appears to originate from a legitimate Anthropic URL. No confirmed public IOC hashes are available from the source reporting reviewed; treat any unsigned macOS binary sourced from a claude.ai URL as high-confidence malicious.

Implement DNS or proxy-layer ad-blocking to reduce malvertising exposure. Brief macOS users not to click sponsored search results for AI tools regardless of apparent destination. Apply macOS application allowlisting to prevent execution of unsigned binaries from user-writable directories. Source: Security research reporting; SCC-CAM-2026-0300.

DAEMON Tools Supply Chain Compromise: Backdoored Installers Served to 100+ Countries

Disc Soft Limited’s DAEMON Tools Lite official distribution infrastructure was compromised, serving trojanized installers for versions 12.5.0.2421 through 12.5.0.2434 from approximately April 8 to May 5, 2026. The malicious installer drops a multi-stage backdoor affecting three core binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), establishes persistence via registry run keys (T1547.001), performs system discovery, and communicates via both application-layer (T1071) and non-application-layer protocols (T1095). The clean version is 12.6.0.2445. Kaspersky’s Securelist published technical analysis including confirmed IOCs.

This campaign targets government and industry environments and represents a confirmed supply chain compromise of a legitimately signed vendor. The 27-day exposure window and broad distribution mean this should be treated as a potentially widespread compromise in any environment where DAEMON Tools Lite was updated or installed during April–May 2026. The malicious binaries carry valid digital signatures from Disc Soft, bypassing signature-based detection.

Immediately inventory all DAEMON Tools Lite installations. Isolate any host where versions 12.5.0.2421–12.5.0.2434 were installed after April 8, 2026. Block identified C2 infrastructure per Kaspersky Securelist IOCs. Upgrade to 12.6.0.2445 from the official channel after verifying the installer hash. Sources: Kaspersky Securelist; SCC-CAM-2026-0280, SCC-CAM-2026-0294.

Dirty Frag: Chained Linux Kernel Zero-Day Grants Deterministic Root — No Patch on Most Distributions

CVE-2026-43284 and CVE-2026-43500, collectively dubbed “Dirty Frag,” chain vulnerabilities in the Linux kernel’s algif_aead, xfrm-ESP, and RxRPC modules to achieve deterministic local privilege escalation to root. A public proof-of-concept has been published. AlmaLinux released a fix candidate on May 7, 2026; Ubuntu, RHEL, CentOS Stream, openSUSE Tumbleweed, and Fedora do not yet have patches as of this reporting period. The combined CVSS score is 9.5; exploitation requires local user access (interactive shell), making multi-tenant environments, CI/CD runners, VDI infrastructure, and container hosts highest priority.

With a public PoC and no patch on most major distributions, the risk escalation path is direct: any user with interactive shell access on a vulnerable Linux system can achieve root in a deterministic manner. This has cascading implications for container escape, lateral movement from developer workstations, and privilege escalation in cloud Linux instances.

Unload affected kernel modules immediately using modprobe -r algif_aead and equivalents. Monitor vendor security channels for patches and apply immediately upon release. Restrict interactive shell access to authorized administrators. Source: Security research disclosure; SCC-CVE-2026-0145.

PAN-OS Zero-Day (CVE-2026-0300): Active Unauthenticated RCE on Palo Alto Firewalls, CISA KEV Listed

CVE-2026-0300 is an actively exploited, unauthenticated remote code execution vulnerability in the PAN-OS User-ID Authentication Portal and Captive Portal. CISA added this to the KEV catalog with a remediation deadline of May 9, 2026. No vendor patch is available as of this reporting period. The vulnerability enables attackers to achieve code execution on the firewall without credentials, with observed post-exploitation behavior including web shell deployment (T1505.003) and privilege escalation. Any organization with PA-Series or VM-Series firewalls that exposes these portal interfaces to untrusted networks must treat this as a critical emergency.

The absence of a patch combined with active exploitation and a CISA KEV listing creates an extreme exposure scenario. Immediate network-level isolation of the Authentication Portal and Captive Portal interfaces is the only available mitigation. Organizations subject to CISA BOD 22-01 are past the remediation deadline and should document compensating controls for compliance purposes.

Disable or restrict internet access to PAN-OS User-ID Authentication Portal and Captive Portal interfaces immediately. Monitor for web shell indicators. Apply the vendor patch immediately upon release. Source: CISA KEV, Palo Alto Networks; SCC-CVE-2026-0126.

cPanel Authentication Bypass Under Active Exploitation — cPanelSniper Tool Observed

A critical authentication bypass in cPanel/WHM is under active exploitation by a threat actor deploying the “cPanelSniper” exploit tool. The vulnerability enables unauthenticated root access to cPanel servers, affecting millions of shared and managed hosting deployments globally. A separate disclosure (CVE-2026-29201) documents three additional cPanel/WHM vulnerabilities spanning privilege escalation, code execution, and denial of service, with patches available in the WP2 Security Update released May 8, 2026. The combination of an actively exploited authentication bypass and a concurrent privilege escalation vulnerability creates a high-severity compound risk for hosting infrastructure.

Organizations managing cPanel/WHM infrastructure should audit all installations immediately. Restrict WHM access ports (TCP 2082, 2083, 2086, 2087) to known management IPs at the firewall. Apply available patches. If compromise is suspected, treat the server as fully untrusted — rebuild from known-good images and restore data from pre-compromise backups after confirming backup integrity.

Sources: Security advisory feeds; SCC-CAM-2026-0299, SCC-CVE-2026-0150.

AI Vibe-Coding Platforms: 380,000 Apps Publicly Accessible, ~5,000 With Sensitive Data Exposure

RedAccess published research documenting mass data exposure across applications built with AI-assisted development platforms including Lovable, Base44, Replit, and Netlify. Approximately 380,000 apps are publicly accessible, with approximately 5,000 confirmed to have sensitive data exposed including API keys, database connection strings, and internal credentials. The root cause is insecure-by-default configurations on these platforms, combined with developers who lack security awareness using AI tools to build and deploy applications at speed without security review.

This is an emerging and undermonitored attack surface. Security teams should audit corporate devices for traffic to known AI development platform domains using CASB telemetry and browser proxy logs. Any identified apps should be scanned for embedded credentials and secrets. This is primarily a governance and shadow IT problem — most current SDLC and procurement policies do not address AI-assisted development tools.

Source: RedAccess, Wired; SCC-STY-2026-0119.

CISA KEV & Critical CVE Table

| CVE | Product | CVSS | EPSS | Status | KEV Deadline | Description |
|---|---|---|---|---|---|---|
| CVE-2026-0300 | Palo Alto PAN-OS (PA-Series, VM-Series) | 9.5 | | Actively Exploited, No Patch | May 9, 2026 (PAST DUE) | Unauthenticated RCE via User-ID Authentication Portal / Captive Portal |
| CVE-2026-6692 | ThemePunch Slider Revolution (WordPress) ≤7.0.10 | 8.8 | 0.097% | KEV Listed, Patch Available (7.0.11) | CISA KEV (check catalog) | Unrestricted file upload enabling web shell deployment and RCE |
| CVE-2026-44742 | postorius_project/postorius ≤1.3.13 | 7.4 | 0.010% | KEV Listed | CISA KEV (check catalog) | Stored XSS enabling session cookie theft and browser session hijacking |
| CVE-2026-3296 | wpeverest Everest Forms (WordPress) ≤3.4.3 | 9.8 | 0.026% | KEV Listed, Patch Available (3.4.4) | CISA KEV (check catalog) | PHP object injection via deserialization enabling RCE and web shell |
| CVE-2026-2931 | Amelia Booking Plugin (WordPress) ≤9.1.2 | 8.8 | 0.016% | KEV Listed | CISA KEV (check catalog) | IDOR enabling privilege escalation to administrator account takeover |
| CVE-2026-7482 | Ollama <0.17.1 | 9.5 | 0.107% | Patch Available | | Out-of-bounds read / heap memory disclosure via GGUF file handling (unauthenticated) |
| CVE-2026-42248 / CVE-2026-42249 | Ollama for Windows 0.12.10–0.22.0 | 9.5 | 0.107% | No Patch Available | | Path traversal enabling persistent code execution via Windows auto-update and startup entries |
| CVE-2026-43284 / CVE-2026-43500 | Linux Kernel (algif_aead, xfrm-ESP, RxRPC) — all major distros | 9.5 | 0.014% | No Patch (Most Distros), Public PoC | | Chained local privilege escalation to deterministic root (Dirty Frag); AlmaLinux fix candidate available |
| CVE-2026-6973 | Ivanti EPMM <12.6.1.1 / 12.7.0.1 / 12.8.0.1 | 9.5 | | Actively Exploited, Patch Available | | RCE in EPMM on-premises; part of 7-CVE patch bundle including unauthenticated attack vectors |
| CVE-2026-33109 | Azure Managed Instance for Apache Cassandra | 9.9 | | Patch Status — Check MSRC | | Critical RCE in Azure managed Cassandra service |
| CVE-2026-40379 | Microsoft Enterprise Security Token Service (ESTS) | 9.3 | | Patch Available (May 2026 Patch Tuesday) | | Token spoofing enabling token theft and identity impersonation in Azure/M365 |
| CVE-2026-33823 | Microsoft Teams Events Portal | 9.6 | | Patch Available (May 2026 Patch Tuesday) | | Information disclosure enabling unauthorized data access from Teams-hosted event storage |
| CVE-2026-4670 | Progress MOVEit Automation | 9.8 | 0.022% | Patch Available (April 2026 Bulletin) | | Authentication bypass in MFT automation platform |
| CVE-2026-31705 | Linux ksmbd (Azure Linux 3.0) | 9.8 | 0.046% | Patch Available (Azure Linux) | | Critical out-of-bounds write in SMB2 EA handling enabling network-based RCE |
| CVE-2026-0073 | Android (multiple versions) | 9.8 | | Patch Pending (May 2026 Android Bulletin) | | Zero-click RCE via wireless ADB bypass; no user interaction required |
| CVE-2026-23918 | Apache HTTP Server (HTTP/2 module) | 9.1 | 0.019% | Patch Available | | Double-free vulnerability in HTTP/2 module enabling DoS and potential RCE |
| CVE-2025-0994 | Exploited by UAT-8302 (China APT) | 9.5 | 74.86% (top 1%) | Actively Exploited | | Vulnerability exploited in China-nexus UAT-8302 government espionage campaign |

Supply Chain & Developer Tool Threats

Hugging Face Typosquat: ValleyRAT via Fake OpenAI Model (Silver Fox)

The Silver Fox APT exploited Hugging Face’s open publishing model to distribute ValleyRAT/Winos 4.0 under a fake “Open-OSS” account. The repository name privacy-filter impersonated OpenAI tooling. The attack chain: users download what appears to be an OpenAI privacy model → Rust-based loader executes → dead-drop resolver (json.extendsclass.com) resolves C2 → ValleyRAT deployed. The malware steals browser credentials, cryptocurrency wallet extensions, Discord tokens, and FileZilla credentials. MITRE techniques: T1195.001, T1036.005, T1583.006, T1497, T1548.002, T1562.001, T1553.002.

Detection: Hunt for Rust binary execution following Hugging Face model download events. Alert on scheduled task creation (Event ID 4698) from unusual parent processes. Monitor for AMSI/ETW tamper events. Query for json.extendsclass.com in DNS/proxy logs. For confirmed IOC hashes and C2 domains, retrieve directly from HiddenLayer Research.

Control: Implement a policy requiring developer verification of Hugging Face repository authenticity (publisher account, download history, community flags) before any model download. Consider allowlist-based model sourcing for CI/CD pipelines. Integrate model hash verification and scanning into ML pipeline workflows (NIST SP 800-161, NIST CSF GV.SC-01).
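One way to enforce the allowlist and hash-verification control above in a pipeline step, as an added example (not from the briefing or from Hugging Face tooling). The allowlist layout, the pinned revision, the `example-org/example-model` entry and the file names are hypothetical; all file contents are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large weight files are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_model_dir(repo_id, revision, model_dir, allowlist):
    """Return a list of problems; an empty list means the directory may be loaded.

    allowlist maps (repo_id, revision) -> {relative file name: pinned sha256 hex}.
    """
    pinned = allowlist.get((repo_id, revision))
    if pinned is None:
        return [f"{repo_id}@{revision} is not on the allowlist"]
    root = Path(model_dir)
    present = {
        p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()
    }
    # Anything shipped alongside the pinned files (a loader binary, a script)
    # is rejected rather than ignored.
    problems = [f"unexpected file: {n}" for n in sorted(present.keys() - pinned.keys())]
    for name, want in sorted(pinned.items()):
        if name not in present:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_file(present[name]), want):
            problems.append(f"digest mismatch: {name}")
    return problems


def demo():
    """Run the check on constructed files: clean, off-allowlist, and tampered."""
    weights = b"constructed model weights"
    config = b'{"constructed": true}'
    good = ("example-org/example-model", "REVISION_PLACEHOLDER")  # hypothetical
    allowlist = {
        good: {
            "model.safetensors": hashlib.sha256(weights).hexdigest(),
            "config.json": hashlib.sha256(config).hexdigest(),
        }
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model.safetensors").write_bytes(weights)
        (root / "config.json").write_bytes(config)
        results["clean"] = verify_model_dir(*good, root, allowlist)
        # The repository ID named in the briefing is simply absent from the list.
        results["typosquat"] = verify_model_dir(
            "Open-OSS/privacy-filter", "REVISION_PLACEHOLDER", root, allowlist
        )
        (root / "loader.exe").write_bytes(b"constructed extra file")
        (root / "model.safetensors").write_bytes(b"tampered")
        results["tampered"] = verify_model_dir(*good, root, allowlist)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "OK" if not problems else problems)
```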

JDownloader: Official Distribution Compromise — Python RAT (Windows + Linux)

The JDownloader official installer distribution was compromised for approximately 48 hours (May 6–7, 2026), serving a modular Python RAT to both Windows and Linux users. The RAT uses SOCKS5/SSH tunneling, systemd persistence on Linux, and encoded C2 communications. Three confirmed C2 domains are blocked. This attack required no user interaction beyond installing software from what appeared to be a trusted official source. The RAT’s modular design means partial cleanup leaves attacker footholds in place — full OS reinstallation is the recommended remediation for confirmed-compromised hosts. MITRE techniques: T1195.002, T1059.006, T1543.002, T1546.004, T1548.001, T1132.

Detection: Query DNS/proxy logs for the three confirmed C2 domains. Hunt for Python interpreter execution spawned from a JDownloader installer process. Check for systemd services and shell initialization file modifications created during the exposure window.
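The DNS log query described above, as an added example (not from the briefing): it refangs the three C2 domains at run time and matches on label boundaries so subdomains hit and lookalikes do not. The `timestamp client qtype qname` log format and all log lines are constructed assumptions.

```python
from collections import defaultdict

# Defanged exactly as published in the briefing; refanged only in memory.
C2_DEFANGED = ["parkspringshotel[.]com", "auraguest[.]lk", "checkinnhotels[.]com"]


def refang(domain):
    """Turn 'example[.]com' into a lowercase name without a trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOCS = [refang(d) for d in C2_DEFANGED]


def match_ioc(qname, iocs=IOCS):
    """Return the matching indicator for qname or None.

    Matches the domain itself and any subdomain; a name that merely ends with
    or contains the same characters does not match.
    """
    q = qname.lower().rstrip(".")
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def build_sample_log():
    """Constructed resolver log covering hits, a subdomain, and lookalikes."""
    a, b, c = IOCS
    return "\n".join([
        f"2026-05-06T09:14:02Z 10.0.4.17 A {a}",
        f"2026-05-06T09:14:05Z 10.0.4.17 A cdn.{a}.",        # subdomain, FQDN dot
        f"2026-05-06T11:02:40Z 10.0.7.3 AAAA {c.upper()}",   # case-insensitive
        f"2026-05-07T03:33:10Z 10.0.7.3 A not{b}",           # lookalike prefix
        f"2026-05-07T03:35:55Z 10.0.9.9 A {b}.example.net",  # indicator as a label
        "2026-05-07T04:00:00Z 10.0.9.9 A example.org",
        "malformed line",
    ])


def hunt(log_text, iocs=IOCS):
    """Group indicator hits per client: domains, hit count, first/last seen."""
    hits = defaultdict(
        lambda: {"domains": set(), "count": 0, "first": None, "last": None}
    )
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        ts, client, _qtype, qname = parts
        ioc = match_ioc(qname, iocs)
        if ioc is None:
            continue
        entry = hits[client]
        entry["domains"].add(ioc)
        entry["count"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(hits)


if __name__ == "__main__":
    for client, entry in sorted(hunt(build_sample_log()).items()):
        print(client, sorted(entry["domains"]), entry["count"],
              entry["first"], entry["last"])
```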

DAEMON Tools: Signed Installers Backdoored April 8 – May 5, 2026

Disc Soft Limited’s DAEMON Tools Lite distribution served trojanized installers for 27 days. The malware uses a multi-stage loader affecting DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe — all carrying valid vendor code signatures (T1553.002). The backdoor performs system discovery, establishes registry run key persistence (T1547.001), and communicates via both TCP and HTTP-based C2 (T1095, T1071). Kaspersky Securelist published full technical analysis including confirmed IOC values. Government and industry environments are confirmed targets across 100+ countries.

Detection: Hunt for process trees spawned by DAEMON Tools binaries from the affected version range. Check for registry modifications in HKCU/HKLM run keys timestamped to the April 8–May 5 window. Query DNS/proxy logs against C2 indicators from Kaspersky Securelist.

PyTorch Lightning 2.6.3: ShaiWorm Infostealer via Backdoored Package

PyTorch Lightning version 2.6.3 on PyPI was backdoored to deliver the ShaiWorm infostealer targeting AWS, Azure, and GCP credentials stored in standard cloud CLI configuration paths, as well as browser credentials from Chrome, Firefox, and Brave. Microsoft Defender detected associated artifacts as Trojan:Win32/Cerdigent.A!dha. The attack exploits the absence of package integrity verification in ML workflows. MITRE techniques: T1195.001, T1195.002, T1552.001, T1555.003, T1078.004, T1059.006, T1027.

Detection: Search for pytorch-lightning==2.6.3 in all pip freeze outputs, requirements files, and container layers. Query CloudTrail/Azure Monitor for anomalous cloud API calls from developer systems during the exposure window. Monitor Defender detections for ShaiWorm/Cerdigent.A!dha.
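The requirements search described above, as an added example (not from the briefing): a literal string search misses equivalent spellings of the package name, so this scanner normalizes names the way pip does before comparing. The sample file content is constructed, and the three verdict labels are this example's own.

```python
import re
import sys

AFFECTED_NAME = "pytorch-lightning"  # package named in the briefing
AFFECTED_VERSION = "2.6.3"           # version named in the briefing

# Constructed requirements.txt / pip freeze content.
SAMPLE_REQUIREMENTS = '''\
# constructed sample
example-dep==1.0.0
pytorch-lightning==2.6.3
Pytorch_Lightning == 2.6.3 ; python_version >= "3.9"
pytorch.lightning[extra]==2.6.3 --hash=sha256:PLACEHOLDER
pytorch-lightning==2.6.2
pytorch-lightning>=2.0
example-pytorch-lightning==2.6.3
'''

# name, optional [extras], then whatever version specifier follows
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")


def normalize(name):
    """Package-name normalization: runs of '-', '_', '.' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(line):
    """Return 'affected', 'pinned-other', 'verify-resolved', or None."""
    text = line.strip()
    if not text or text.startswith(("#", "-")):
        return None  # comments and pip options such as -r / --hash lines
    # Drop inline comments, environment markers and per-requirement options.
    text = text.split(" #", 1)[0].split(";", 1)[0].split(" --", 1)[0].strip()
    m = _REQ.match(text)
    if not m or normalize(m.group(1)) != AFFECTED_NAME:
        return None
    spec = m.group(2).replace(" ", "")
    if spec in ("==" + AFFECTED_VERSION, "===" + AFFECTED_VERSION):
        return "affected"
    if spec.startswith("==") and not any(c in spec for c in "*,"):
        return "pinned-other"
    # Unpinned, ranged, wildcard or URL requirements may have resolved to the
    # affected version at install time: check the installed environment.
    return "verify-resolved"


def scan_text(text):
    """Return [(line number, verdict)] for every line naming the package."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        verdict = classify(line)
        if verdict is not None:
            findings.append((lineno, verdict))
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print(scan_text(SAMPLE_REQUIREMENTS))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, verdict in scan_text(fh.read()):
                print(f"{path}:{lineno}: {verdict}")
```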

TrustFall: AI Coding Agents Exploitable for Supply Chain Compromise

Adversa.AI disclosed the TrustFall attack class demonstrating that AI coding agents (Claude Code specifically tested, but the attack class applies broadly to agentic tools with autonomous repository access) can be weaponized via indirect prompt injection to introduce malicious code into software supply chains. A malicious developer, an attacker with repository write access, or a compromised dependency can inject instructions into source code, README files, or package manifests that cause the coding agent to perform unauthorized actions — installing malicious packages, modifying security controls, or exfiltrating credentials — without the developer’s awareness. MITRE techniques: T1195.001, T1059, T1204.002.

Controls: Restrict coding agent permissions to least-privilege. Require human review for all agent-generated code changes. Enforce SBOM generation and dependency scanning for agent-produced artifacts. Treat all repository content as potentially adversarial input for coding agents.

Nation-State & APT Activity Summary

China — Silver Fox (CL-UNK-1068 / UAT-8302 / Earth Alux)

Silver Fox: Deployed ValleyRAT via typosquatted Hugging Face repository (244K downloads, 18 hours). Separately deployed ABCDoor backdoor (undocumented) via tax-themed spear-phishing targeting India and Russia. Targets: developer and ML communities globally; financial, cryptocurrency, and enterprise targets. TTPs: T1195.001, T1036.005, T1553.002, T1583.006, T1497, T1548.002.

UAT-8302 / Earth Alux: China-nexus APT expanding espionage across South America and southeastern Europe, targeting the government, technology, logistics, manufacturing, and telecommunications sectors. Shared tooling (VARGEIT, COBEACON backdoors) across multiple threat clusters. Exploited CVE-2025-0994 (EPSS 74.86%). C2 abuses Microsoft OneDrive and MS Graph API. TTPs: T1190, T1078, T1567.002, T1102.002, T1003, T1021.002, T1482, T1574.002. IOCs available in Trend Micro March 2025 research and Cisco Talos CL-UNK-1068 reporting.

Iran — MuddyWater (MOIS, G0069)

MuddyWater deployed Chaos ransomware as a false flag to obscure espionage operations. Initial access via Microsoft Teams social engineering (T1566.004) — impersonating IT support to induce victims to install Quick Assist, AnyDesk, and DWAgent. Post-access: credential dumping (T1003), data staging (T1560), Chaos ransomware deployment (T1486) as a distraction from data exfiltration. Code-signed tooling including MuddyWater backdoors with certificates. Targets: MENA region, Western organizations. Primary researcher: Rapid7. IOCs available in Rapid7 advisory; GhostFetch and CHARUSERAGENT tools documented in February 2026 The Hacker News reporting.

North Korea — ScarCruft (APT37)

ScarCruft deployed BirdCall Android malware via a compromised Korean-language gaming platform supply chain attack (T1195.002). BirdCall collects call logs, contact lists, SMS, location data, and device inventory. C2 uses non-standard ports. Targets: Korean diaspora, defector support organizations, Android users. No confirmed public IOCs in secondary sources; retrieve from threat intelligence platforms with APT37/ScarCruft tracking.

Hardware Supply Chain — Multiple Nation-State Actors

SentinelLabs research (presented at LabsCon25) documented hidden cellular radio modules in solar inverters deployed in U.S. highway infrastructure, consumer drones with covert drivers, and 3D printer backdoors — all assessed as originating from nation-state-directed supply chain compromises. BlueNoroff (North Korea) was separately documented targeting macOS systems at cryptocurrency firms via the Hidden Risk campaign, using spear-phishing with fake cryptocurrency news lures. TTPs: T1195.003, T1542.001, T1195.002, T1542.003. IOCs for BlueNoroff/Hidden Risk available in SentinelLabs report.

UAE Critical Infrastructure — Iran-Aligned Threat Activity

Breach attempts against UAE critical infrastructure sectors were reported to have tripled amid Iran-Israel conflict escalation. Attack vectors include SQL injection (CWE-89), authentication bypass (CWE-306), and supply chain compromise (T1195). CISA advisories ICSA-26-125-02 and ICSA-26-125-04 reference ABB B&R industrial control system vulnerabilities targeted in this campaign cluster. No specific IOCs confirmed in open-source reporting; consult CISA ICS advisories.

Phishing & Social Engineering Alert

TOAD (Telephone-Oriented Attack Delivery): Organized Infrastructure — PayPal, Geek Squad, McAfee, Norton LifeLock

Cisco Talos published detailed research on the TOAD campaign infrastructure, documenting organized sequential DID block provisioning through CPaaS providers (Sinch, Twilio, Bandwidth, Virtue, RingCentral, Verizon, NUSO). Phone numbers are provisioned in numerically adjacent blocks, used across multiple brand impersonation themes (PayPal billing fraud, Geek Squad renewal scams, McAfee/Norton subscription alerts), and rotated approximately every 14 days. Delivery combines PDF attachments embedding callback phone numbers with email-only variants. MITRE techniques: T1566.001, T1583.008, T1656, T1598.

Detection: Extract phone numbers from inbound email body content and flag messages containing NANP-format numbers combined with billing-alert or subscription-renewal language from high-impersonation brands. Numbers appearing across multiple sender addresses or lure themes within a 14-day window indicate shared infrastructure. Retrieve Cisco Talos IOC list from the primary research post for known number clusters.

Evasion technique: Emails contain no malicious URL or attachment — only a phone number. Standard link-based and attachment-based filtering provides zero coverage. Calls route through CPaaS infrastructure with legitimate caller ID. Victim calls a human social engineer who executes the fraud in real time.
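The TOAD detection guidance above (NANP numbers paired with brand and billing language, reuse across senders or themes inside 14 days, numerically adjacent numbers) can be prototyped over a mail export as follows. This is an added example, not code from Cisco Talos or this briefing; the message fields, keyword lists and sample messages are constructed, and the phone numbers use the fictional 555-01xx range.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# NANP: optional +1, area code and exchange both start with 2-9, common separators.
NANP_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?([2-9]\d{2})\)?[\s.-]?([2-9]\d{2})[\s.-]?(\d{4})(?!\d)")
# Brands named in the briefing; the billing keyword list is an assumption to tune locally.
BRANDS = {"paypal": "PayPal", "geek squad": "Geek Squad",
          "mcafee": "McAfee", "norton": "Norton"}
BILLING = re.compile(r"\b(invoice|renew\w*|subscription|charged|billing|refund)\b", re.I)
WINDOW = timedelta(days=14)  # rotation period reported in the briefing


def lure_hits(messages):
    """Return (number, date, sender, theme) for messages pairing a number with a lure."""
    hits = []
    for msg in messages:
        text = f"{msg['subject']}\n{msg['body']}"
        themes = [label for key, label in BRANDS.items() if key in text.lower()]
        if not themes or not BILLING.search(text):
            continue
        for npa, nxx, line in sorted(set(NANP_RE.findall(text))):
            hits.append((npa + nxx + line, msg["date"], msg["sender"], themes[0]))
    return hits


def reused_numbers(hits):
    """Numbers seen from more than one sender or theme inside any 14-day window."""
    by_number = defaultdict(list)
    for number, day, sender, theme in hits:
        by_number[number].append((day, sender, theme))
    flagged = {}
    for number, seen in by_number.items():
        seen.sort()
        for i, (start, _, _) in enumerate(seen):
            window = [s for s in seen[i:] if s[0] - start <= WINDOW]
            senders = sorted({s[1] for s in window})
            themes = sorted({s[2] for s in window})
            if len(senders) > 1 or len(themes) > 1:
                flagged[number] = {"senders": senders, "themes": themes}
                break
    return flagged


def adjacent_blocks(hits, max_gap=1):
    """Group lure numbers that sit within max_gap of each other (sequential DID blocks)."""
    numbers = sorted({int(h[0]) for h in hits})
    blocks, run = [], numbers[:1]
    for n in numbers[1:]:
        if n - run[-1] <= max_gap:
            run.append(n)
            continue
        if len(run) > 1:
            blocks.append(run)
        run = [n]
    if len(run) > 1:
        blocks.append(run)
    return [[f"{n:010d}" for n in block] for block in blocks]


# Constructed sample messages; senders use reserved .example domains.
MESSAGES = [
    {"date": date(2026, 5, 1), "sender": "billing@alpha.example",
     "subject": "PayPal invoice #1182",
     "body": "You were charged $499.99. To dispute call +1 (888) 555-0142."},
    {"date": date(2026, 5, 6), "sender": "support@bravo.example",
     "subject": "Geek Squad renewal",
     "body": "Your subscription renewed. Cancel: 888-555-0142"},
    {"date": date(2026, 5, 7), "sender": "notice@charlie.example",
     "subject": "McAfee subscription alert",
     "body": "Call 1.888.555.0143 to stop billing."},
    {"date": date(2026, 5, 9), "sender": "it@corp.example",
     "subject": "Team lunch", "body": "Call me on 206-555-0199"},
    {"date": date(2026, 4, 1), "sender": "old@delta.example",
     "subject": "Norton LifeLock renewal", "body": "Helpline (877) 555-0110"},
    {"date": date(2026, 5, 10), "sender": "new@echo.example",
     "subject": "Norton LifeLock renewal", "body": "Helpline (877) 555-0110"},
]

if __name__ == "__main__":
    hits = lure_hits(MESSAGES)
    print("reused:", reused_numbers(hits))
    print("adjacent:", adjacent_blocks(hits))
```

Any 10-digit string that fits the NANP shape (an order or tracking number, for instance) will match, which is why the brand and billing-language gate runs before clustering.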

ClickFix Campaigns: ACSC Advisory — Vidar Stealer via Compromised WordPress

The Australian Cyber Security Centre (ACSC) issued an advisory on active ClickFix campaigns delivering Vidar Stealer through compromised WordPress sites displaying Cloudflare-branded lure pages. The lure instructs users to paste a PowerShell command into the Run dialog to “verify they are human.” The command downloads and executes Vidar Stealer (T1059.001, T1027, T1102). Vidar uses Telegram and Steam community profiles as dead-drop C2 resolvers. IOC feeds available from ACSC.

Detection: Alert on PowerShell execution with encoded/Base64 arguments spawned by explorer.exe (Run dialog). Enable PowerShell Script Block Logging (Event ID 4104) — this campaign is largely invisible without it. Monitor for connections from powershell.exe to Telegram API endpoints or Steam community profiles.
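The first detection above, PowerShell launched from the Run dialog with encoded arguments, is easy to under-match because powershell.exe accepts abbreviated forms of `-EncodedCommand`. The rule below is an added example, not code from the ACSC advisory or this briefing; it runs over constructed process-creation events that use Sysmon Event ID 1 field names, and the host names and the benign encoded command are made up.

```python
import base64
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and the alias -ec.
FULL = "encodedcommand"
ENC_FLAGS = {FULL[:i] for i in range(1, len(FULL) + 1)} | {"ec"}
# A '-' or '/' switch followed by an optionally quoted Base64-looking value.
FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+[\"']?([A-Za-z0-9+/=]{16,})")
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_ps(blob):
    """Decode an -EncodedCommand value (Base64 over UTF-16LE text); None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def detect(event):
    """Return a finding for PowerShell started from explorer.exe with encoded arguments."""
    if basename(event["Image"]) not in SHELLS:
        return None
    if basename(event["ParentImage"]) != "explorer.exe":
        return None
    cmd = event["CommandLine"]
    for flag, blob in FLAG_RE.findall(cmd):
        if flag.lower() in ENC_FLAGS:
            return {"host": event["Computer"], "reason": "encoded-command",
                    "flag": flag, "decoded": decode_ps(blob)}
    if LONG_B64_RE.search(cmd):  # Base64 passed some other way, e.g. inside a script string
        return {"host": event["Computer"], "reason": "long-base64-argument",
                "flag": None, "decoded": None}
    return None


def hunt(events):
    return [finding for finding in map(detect, events) if finding]


def encode_sample(script):
    """Build a benign, constructed -EncodedCommand value for the sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
BLOB = encode_sample("Write-Output 'constructed sample'")

# Constructed events; only the first matches the Run-dialog pattern.
EVENTS = [
    {"Computer": "WS-014", "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": f"powershell.exe -NoP -W Hidden -eNc {BLOB}"},
    # Same encoded switch, but launched by a (hypothetical) management agent.
    {"Computer": "WS-020", "Image": PS,
     "ParentImage": r"C:\Program Files\MgmtAgent\agent.exe",
     "CommandLine": f"powershell.exe -EncodedCommand {BLOB}"},
    # Launched from explorer.exe, but no encoded content.
    {"Computer": "WS-031", "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"Computer": "WS-031", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": EXPLORER, "CommandLine": "cmd.exe /c ver"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Decoding the value at alert time gives the analyst the script text directly; Script Block Logging (Event ID 4104) remains the source for what actually executed after any further deobfuscation.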

Beagle Backdoor: Fake Claude AI Site + DLL Sideloading + PlugX-Linked Infrastructure

A campaign delivering the Beagle backdoor uses typosquatted Anthropic/Claude AI domains (and since February 2026, typosquatted CrowdStrike, SentinelOne, and Trellix domains) to serve malicious MSI installers. Installation uses DLL sideloading via the legitimate G Data signed binary NOVupdate.exe (T1574.002). C2 uses TCP/443 (AES-encrypted) and UDP/8080 to Alibaba Cloud infrastructure. Infrastructure overlaps with PlugX-linked activity. MITRE techniques: T1566, T1204.002, T1574.002, T1547.001, T1573.001, T1095, T1583.001.

Detection: Block execution of NOVupdate.exe outside verified G Data installations via application control. Hunt for avk.dll loaded outside a G Data process tree. Monitor DNS/proxy logs for Alibaba Cloud ASN traffic on UDP/8080 from endpoint systems.

ManageWP Credential Theft: Google Ads Malvertising with Real-Time 2FA Bypass

Guardio Labs documented a campaign using Google Ads to intercept ManageWP credentials in real time via an adversary-in-the-middle proxy (T1557). Sponsored search results for “ManageWP” route through a phishing proxy that relays credentials and 2FA codes to the attacker, who logs in simultaneously using the intercepted session. The proxy mirrors the exact app.managewp.com interface. TOTP-based 2FA provides no protection against this attack class.

Controls: Enforce FIDO2/passkey authentication for ManageWP accounts — this is the only MFA type that prevents AiTM credential interception. Implement a policy requiring staff to access ManageWP exclusively via bookmarks, never via search results. Brief users that legitimate ManageWP has no sponsored search results.

Indicators of Compromise

| Type | Value | Confidence | Context / Campaign |
|---|---|---|---|
| URL | https://huggingface.co/Open-OSS/privacy-filter | High | Silver Fox / ValleyRAT — typosquatted Hugging Face repo delivering ValleyRAT payload (now disabled; flag in log matching) |
| Domain | json.extendsclass.com | Medium | Silver Fox / ValleyRAT — JSON Keeper dead-drop resolver for C2 resolution (T1583.006). Verify against HiddenLayer report before blocking; shared legitimate service. |
| Hash | [See HiddenLayer Research report] | High | Silver Fox / ValleyRAT — Rust-based loader and ValleyRAT payload hashes. Retrieve directly from primary source to avoid transcription error. |
| Domain | parkspringshotel[.]com | High | JDownloader Supply Chain — C2 infrastructure for Python RAT |
| Domain | auraguest[.]lk | High | JDownloader Supply Chain — C2 infrastructure for Python RAT |
| Domain | checkinnhotels[.]com | High | JDownloader Supply Chain — C2 infrastructure for Python RAT |
| URL | disc-soft.com (distribution channel only) | High | DAEMON Tools — official vendor distribution served trojanized installers April 8–May 5, 2026 for versions 12.5.0.2421–12.5.0.2434. Do not block permanently; flag downloads in that date window. |
| Hash | [See Kaspersky Securelist: securelist.com/tr/daemon-tools-backdoor/119654] | High | DAEMON Tools — backdoored DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe hashes. Retrieve from primary source. |
| Domain | [See Kaspersky Securelist] | High | DAEMON Tools — C2 infrastructure. Retrieve from Kaspersky primary report. |
| URL | claude.ai/artifacts/* (download context) | Medium | MacSync / Claude.ai malvertising — treat downloads from this path as suspicious; not all traffic is malicious |
| Tool | NOVupdate.exe (G Data binary abused via DLL sideloading) | High | Beagle Backdoor — legitimate signed G Data binary abused for DLL sideloading outside verified G Data deployment. High-confidence IOC when found outside managed G Data installation. |
| File | avk.dll (malicious DLL) | High | Beagle Backdoor — malicious DLL sideloaded via NOVupdate.exe delivering Beagle backdoor. Specific hash: retrieve from current threat intelligence feeds. |
| Network Port | TCP/5555 (ADB) | High | xlabs_v1 Mirai Botnet — active scanning target. Inbound or outbound connections on this port from non-development hosts indicate potential exposure or compromise. |
| Domain | Telegram API (api.telegram.org) — non-browser process context | Medium | Vidar Stealer (ClickFix) — used as dead-drop C2 resolver. Not a block candidate in isolation; high-value detection signal when initiated by powershell.exe or non-browser processes. |
| Domain | steamcommunity.com — non-browser process context | Medium | Vidar Stealer — Steam community profiles used as dead-drop C2 resolver. Flag connections from non-browser processes. |
| Phone Number Pattern | Sequential DID blocks via Sinch, Twilio, Bandwidth, RingCentral, NUSO, Verizon | High | TOAD Callback Scam — numerically adjacent VoIP numbers in billing-alert/subscription-renewal email lures. Retrieve specific numbers from Cisco Talos IOC list. |
| Domain | [See Rapid7 advisory] | Medium | MuddyWater / Chaos Ransomware false flag — C2 infrastructure and Chaos ransomware hashes available in Rapid7 campaign report. |
| Domain | [See Trend Micro March 2025 research] | Medium | Earth Alux / UAT-8302 — VARGEIT and COBEACON backdoor C2. Retrieve from primary Trend Micro publication. |
| URL (Reference) | https://securelist.com/amazon-ses-phishing-and-bec-attacks/119623/ | High | AWS SES IAM credential abuse — Kaspersky Securelist primary research. Reference only, not a malicious indicator. |
| URL (Reference) | https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/ | High | BlueNoroff / Hidden Risk — macOS IOCs including domains, hashes, and LaunchAgent persistence. Search-retrieved URL; validate before use. |
| URL (Canvas login portals) | Canvas institution subdomain login pages displaying ransom demand content | High | ShinyHunters / Canvas defacement — approximately 330 institution portals defaced May 7, 2026. Specific URLs vary by institution subdomain. |
| URL | https://huggingface.co/open-oss-privacy-filter | High | Typosquatted Hugging Face (Rust infostealer / SCC-CAM-2026-0295) — now removed; flag any reference in download or access logs |
| Network | TON blockchain overlay (no seizeable domain) | Low | TrickMo.C Android banker — C2 traffic routed through TON blockchain network; detection requires endpoint and behavioral signals rather than network IOC matching |
| Hash / Domain | [See ThreatFabric TrickMo.C analysis] | Low | TrickMo.C — No APK hashes confirmed in open-source reporting at time of writing. Retrieve from ThreatFabric’s published analysis. |

Note on IOC usage: Several high-value IOC sets in this briefing require retrieval from primary vendor reports rather than direct citation here. This approach is intentional — reproducing hashes and C2 addresses from secondary sources introduces transcription risk and may propagate stale or incorrect values. Retrieve IOCs from the named primary sources before ingesting into production blocking or detection systems.

Helpful 5: High-Value Low-Effort Mitigations

1. Block Three Confirmed JDownloader C2 Domains Immediately

Why: Three confirmed, high-confidence C2 domains for the JDownloader Python RAT are available and actionable now: parkspringshotel[.]com, auraguest[.]lk, checkinnhotels[.]com. Any host with the RAT installed will beacon to one of these domains. Blocking them at DNS and perimeter breaks the C2 channel and enables detection through blocked connection attempts — even before you identify infected hosts.

How:

  1. Add all three domains to your DNS sinkhole or RPZ (Response Policy Zone) immediately.
  2. Add all three to your perimeter firewall deny list (outbound).
  3. Query DNS logs retroactively for any resolution of these domains to identify potentially infected hosts.
  4. Alert on any blocked connection attempts — these are high-confidence indicators of infection.

Framework Alignment: NIST CSF DE.CM-01 (network monitoring), NIST 800-53 SC-7 (Boundary Protection), CIS v8 Control 9.2 (Block Unnecessary Ports/Services), CIS v8 Control 8.2 (Collect Audit Logs).

2. Block TCP/11434 From Untrusted Networks — Ollama LLM Infrastructure

Why: Ollama’s default configuration binds to all interfaces with no authentication. With four vulnerabilities disclosed this week — including unauthenticated heap memory disclosure (Bleeding Llama) and Windows persistent code execution — any internet-exposed Ollama instance is an active, trivially exploitable target. Network-layer blocking requires no application changes and takes minutes to implement.

How:

  1. Run a network scan for any assets with TCP/11434 open to the internet or untrusted internal segments: nmap -p 11434 --open [network range].
  2. Immediately apply firewall ACL or security group rules restricting inbound TCP/11434 to trusted source IPs only.
  3. Verify the restriction with a follow-up scan from an untrusted perspective.
  4. Add TCP/11434 inbound from untrusted sources to your perimeter alerting rules.
  5. Add Ollama to your vulnerability management inventory if not already tracked.

Framework Alignment: NIST 800-53 SC-7 (Boundary Protection), SC-5 (Denial-of-Service Protection), CIS v8 Control 12.2 (Manage Network Infrastructure), CIS v8 Control 13.4 (Perform Traffic Filtering Between Network Segments).

3. Rotate All Canvas API Tokens and Service Account Credentials

Why: ShinyHunters claims persistent access to Instructure Canvas with 275–330M records exfiltrated. Platform defacement confirms the breach is real. API tokens and OAuth credentials integrated with Canvas must be treated as compromised. Credential rotation is low-risk, low-cost, and actionable now without waiting for Instructure’s final incident scope determination.

How:

  1. Log in to your Canvas admin console and navigate to account settings.
  2. List all active API tokens: Admin > Developer Keys; revoke all tokens not in active, documented use.
  3. Rotate all service account credentials used for Canvas LTI, SIS sync, and third-party integrations.
  4. Force re-authentication for all Canvas administrator accounts.
  5. Audit OAuth application authorizations and remove any unrecognized or unused integrations.
  6. Confirm your SSO/IdP is enforcing MFA for all Canvas-connected accounts.

Framework Alignment: NIST 800-53 IA-5 (Authenticator Management), AC-2 (Account Management), CIS v8 Control 5.2 (Use Unique Passwords), CIS v8 Control 6.2 (Establish an Access Revoking Process), NIST CSF RS.MI-01 (Incidents are Contained).

4. Disable ADB on All Non-Development Android Devices (TCP/5555)

Why: The xlabs_v1 Mirai-based botnet is actively scanning for Android devices with TCP/5555 (ADB) exposed. The Android zero-day CVE-2026-0073 additionally enables zero-click RCE via wireless ADB bypass. ADB has no legitimate use case on production, corporate, or consumer-grade Android devices. Disabling it takes under 2 minutes per device and eliminates both attack surfaces simultaneously.

How:

  1. Via MDM: Push a policy disabling Developer Options or enforcing USB Debugging disabled via Android Enterprise restrictions (policy key: developer_options_disabled or equivalent for your EMM).
  2. Manual per device: Settings > Developer Options > disable “USB Debugging” and “Wireless Debugging.”
  3. Add TCP/5555 inbound blocking to your perimeter firewall for all network segments hosting Android devices.
  4. Query MDM compliance reports for any device with Developer Options enabled and flag for remediation.

Framework Alignment: NIST 800-53 CM-7 (Least Functionality), RA-5 (Vulnerability Monitoring), CIS v8 Control 4.1 (Establish and Maintain a Secure Configuration Process), NIST 800-124 (Guidelines for Managing Mobile Device Security).

5. Apply May 2026 Microsoft Patch Tuesday — Prioritize ESTS and Teams Events Portal

Why: This week’s Microsoft patches include CVE-2026-40379 (ESTS spoofing, CVSS 9.3) enabling token impersonation across all Azure/Microsoft 365 identity infrastructure, and CVE-2026-33823 (Teams Events Portal, CVSS 9.6) enabling unauthorized data disclosure. Both affect ubiquitous enterprise Microsoft infrastructure. Applying May 2026 Patch Tuesday updates is the highest-leverage single action for most enterprise Windows and Microsoft 365 environments this week.

How:

  1. Verify May 2026 Patch Tuesday updates are available via Windows Update, WSUS, or Microsoft Endpoint Configuration Manager.
  2. Prioritize deployment to: Domain Controllers, Azure AD Connect servers, Exchange servers, and endpoints with access to Teams Events Portal.
  3. Verify ESTS patch deployment by confirming the KB article specified in the MSRC advisory (CVE-2026-40379) appears in installed updates: Get-HotFix | Where-Object {$_.HotFixID -eq "[KB number]"}.
  4. For Azure AD/Teams components that patch server-side automatically: confirm in the Microsoft 365 admin center that service updates are current.
  5. Post-patch: review Azure AD sign-in logs for any anomalous token issuance that occurred before patching and may indicate exploitation.

Framework Alignment: NIST 800-53 SI-2 (Flaw Remediation), CIS v8 Control 7.3 (Perform Automated OS Patch Management), CIS v8 Control 7.4 (Perform Automated Application Patch Management), NIST CSF ID.RA-01 (Asset Vulnerabilities are Identified and Documented).

Framework Alignment Matrix

| Threat / Campaign | MITRE Tactic | MITRE Technique(s) | NIST 800-53 Controls | CIS v8 Controls |
|---|---|---|---|---|
| Silver Fox / ValleyRAT via Hugging Face | Initial Access, Defense Evasion, Exfiltration | T1195.001, T1036.005, T1497, T1548.002, T1562.001, T1041 | SR-2, SR-3, SI-7, CM-7, AT-2 | 2.5, 2.6, 15.1, 16.4 |
| JDownloader Supply Chain Compromise | Initial Access, Persistence, C2 | T1195.002, T1059.006, T1543.002, T1546.004, T1071.001 | SR-3, SA-9, SI-7, SI-3, CM-7 | 2.5, 2.6, 15.1 |
| DAEMON Tools Supply Chain (Signed Installer Backdoor) | Initial Access, Persistence, Defense Evasion | T1195.002, T1553.002, T1547.001, T1071, T1095 | SR-2, SR-3, SI-7, CA-7, CM-3 | 2.5, 2.6, 7.3, 7.4, 15.1 |
| Instructure Canvas Breach (ShinyHunters) | Collection, Exfiltration, Impact | T1078, T1530, T1567, T1486, T1491.002, T1528 | AC-2, IA-2, IA-5, SC-28, CP-9, CP-10 | 6.3, 6.5, 5.2 |
| Ollama AI Infrastructure (CVE-2026-7482 / Bleeding Llama) | Initial Access, Credential Access | T1190, T1552 | SC-7, RA-5, SI-2, SI-16, CA-8 | 7.3, 7.4, 13.4 |
| Ollama Windows Persistence (CVE-2026-42248/42249) | Persistence, Initial Access | T1574.010, T1543, T1547.001 | SC-7, SI-2, SR-2, CA-7, SI-4 | 7.3, 7.4 |
| MuddyWater / Chaos False Flag via Teams | Initial Access, Execution, Collection, Impact | T1566.004, T1219, T1486, T1560, T1003 | CM-7, SI-3, SI-4, IA-2, AT-2, CP-9 | 6.3, 6.4, 6.5, 14.2 |
| Earth Alux / UAT-8302 (China APT) | Initial Access, Discovery, C2, Exfiltration | T1190, T1078, T1102.002, T1567.002, T1003, T1021.002 | AC-2, AC-6, SC-7, IA-2, CA-7, SI-4 | 2.5, 2.6, 6.3 |
| PAN-OS Zero-Day (CVE-2026-0300) | Initial Access, Persistence | T1190, T1505.003, T1068 | CA-8, RA-5, SC-7, SI-2, CM-2, CM-7 | 7.3, 7.4 |
| Dirty Frag Linux Kernel (CVE-2026-43284/43500) | Privilege Escalation | T1068, T1059.004, T1055 | AC-6, SI-2, SI-16, CM-7 | 5.4, 6.8, 7.3 |
| Slider Revolution File Upload (CVE-2026-6692 / KEV) | Initial Access, Persistence | T1190, T1505.003, T1059 | CA-8, RA-5, SC-7, SI-2, SI-7 | 7.3, 7.4, 16.10 |
| Everest Forms PHP Object Injection (CVE-2026-3296 / KEV) | Initial Access, Persistence, Execution | T1190, T1505.003, T1059.004 | SI-10, SI-7, CA-8, CM-7 | 16.10 |
| TOAD Callback Scam (PayPal, Geek Squad, McAfee, Norton) | Initial Access, Resource Development | T1566.001, T1583.008, T1656, T1598 | AT-2, SI-8, SC-7 | 14.2, 8.2 |
| TrickMo.C Android Banker (TON Blockchain C2) | C2, Collection, Defense Evasion | T1481, T1090.003, T1417, T1513, T1516 | SC-7, SI-4, CM-7, IA-2 | 6.3, 6.4, 6.5 |
| MacSync Infostealer (Claude.ai Malvertising) | Initial Access, Credential Access, Exfiltration | T1583.008, T1555.001, T1555.003, T1539, T1041 | SI-3, SI-4, CA-7, AT-2 | 2.5, 5.2, 6.3 |
| AI Vibe-Coding Platforms Data Exposure | Collection, Discovery | T1530, T1213, T1083 | AC-3, SC-28, RA-5 | 6.3 |

Upcoming Security Events & Deadlines

CISA KEV Remediation Deadlines (Active or Imminent)

  • CVE-2026-0300 (PAN-OS RCE) — PAST DUE: May 9, 2026. No patch available. Implement compensating controls and document. Federal agencies in scope of BOD 22-01 must report status.
  • CVE-2026-6692 (Slider Revolution File Upload) — CISA KEV listed. Verify deadline at https://www.cisa.gov/known-exploited-vulnerabilities-catalog. Patch to version 7.0.11 immediately.
  • CVE-2026-44742 (Postorius XSS) — CISA KEV listed. Apply upstream patch. Verify deadline at CISA KEV catalog.
  • CVE-2026-3296 (Everest Forms PHP Object Injection) — CISA KEV listed. Patch to 3.4.4. Verify deadline.
  • CVE-2026-2931 (Amelia Booking IDOR) — CISA KEV listed. Patch to 9.1.3. Verify deadline.

Patch Tuesday

  • June 2026 Patch Tuesday: June 9, 2026. Begin planning for next month’s update cycle. Outstanding items from May 2026 (ESTS, Teams Events Portal) should be confirmed deployed before this date.

Pending Patches — Monitor for Release

  • PAN-OS CVE-2026-0300: No patch available. Monitor Palo Alto Networks security advisories at security.paloaltonetworks.com daily.
  • Ollama CVE-2026-42248/42249 (Windows): No patch available. Monitor official Ollama releases at github.com/ollama/ollama/releases.
  • Linux Dirty Frag (CVE-2026-43284/43500): Patch available for AlmaLinux. Monitor Ubuntu Security Notices (ubuntu.com/security/notices), Red Hat Access (access.redhat.com), and distribution security channels for RHEL, CentOS Stream, openSUSE, and Fedora patches.
  • Android CVE-2026-0073: Google Android Security Bulletin for May 2026 pending. Monitor Android releases.
  • Microsoft Semantic Kernel CVE-2026-25592/26030: Monitor Microsoft Security Response Center (msrc.microsoft.com).

Vendor EOL and Compliance Notes

  • Ollama Windows versions 0.12.10–0.22.0: Should be treated as end-of-safe-use given unpatched CVE-2026-42248/42249. Upgrade to 0.17.1+ immediately or implement compensating controls.
  • NIST Post-Quantum Cryptography Transition: NIST SP 800-131A Rev. 2 guidance on ML-KEM, ML-DSA, and SLH-DSA adoption is now in effect. Organizations should be assessing gaps against PQC transition requirements, particularly for AI infrastructure communications. Relevant to this week’s item on PQC risk for AI infrastructure (SCC-STY-2026-0118).
  • CISA BOD 22-01 Compliance Review: CISA is evaluating shortened remediation deadlines. Organizations should audit current MTTP (mean time to patch) for KEV-listed vulnerabilities to assess readiness for compressed timelines.

Sources

Section 2 — Critical Action Items & Section 3 — Key Security Stories

  • HiddenLayer Research — Silver Fox / ValleyRAT / Hugging Face: https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter (search-retrieved; validate before use)
  • CERT/CC Vulnerability Notes — Ollama Bleeding Llama: https://kb.cert.org/vuls/id/518910
  • Cyera Research — Bleeding Llama: https://www.cyera.com/research/bleeding-llama-critical-unauthenticated-memory-leak-in-ollama
  • Ollama Official Releases: https://github.com/ollama/ollama/releases
  • Kaspersky Securelist — DAEMON Tools Backdoor: https://securelist.com/tr/daemon-tools-backdoor/119654 (search-retrieved; validate before use)
  • Star Tribune — Canvas Breach: https://www.startribune.com
  • BleepingComputer — Instructure Breach: https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/
  • Instructure Official Incident Update: https://www.instructure.com/resources/blog/security-incident-update
  • Rapid7 — MuddyWater / Chaos Ransomware Campaign
  • Trend Micro — Earth Alux: https://www.trendmicro.com (March 2025 research)
  • Cisco Talos — UAT-8302: blog.talosintelligence.com
  • AlmaLinux — Dirty Frag fix candidate: https://almalinux.org/blog/2026-05-07-dirty-frag/
  • SentinelLabs — BlueNoroff / Hidden Risk: https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/ (search-retrieved; validate before use)

Section 4 — CISA KEV & Critical CVE Table

  • CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • NIST NVD — CVE-2026-0300: https://nvd.nist.gov/vuln/detail/CVE-2026-0300
  • NIST NVD — CVE-2026-7482: https://nvd.nist.gov/vuln/detail/CVE-2026-7482
  • Microsoft MSRC — CVE-2026-40379: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40379
  • Microsoft MSRC — CVE-2026-33109: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33109
  • Microsoft MSRC — CVE-2026-33823: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33823
  • Ivanti Security Advisory — EPMM May 2026
  • Progress Software Security Alert — CVE-2026-4670: https://community.progress.com/s/article/MOVEit-Automation-Security-Alert-Bulletin (verify URL)

Section 5 — Supply Chain & Developer Tool Threats

  • HiddenLayer Research — Hugging Face / Silver Fox
  • Kaspersky Securelist — DAEMON Tools: https://securelist.com/tr/daemon-tools-backdoor/119654
  • Lightning AI — PyTorch Lightning Supply Chain Advisory: https://lightning.ai/blog (verify current URL)
  • Adversa.AI — TrustFall attack class disclosure
  • NIST SP 800-161 — Cybersecurity Supply Chain Risk Management Practices: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final

Section 6 — Nation-State & APT Activity

  • MITRE ATT&CK — MuddyWater (G0069): https://attack.mitre.org/groups/G0069/
  • Trend Micro — Earth Alux Research (March 2025)
  • Cisco Talos — UAT-8302 / CL-UNK-1068
  • SentinelLabs — Hardware Supply Chain / LabsCon25: https://www.sentinelone.com/labs/labscon25-replay-please-connect-to-the-foreign-entity-to-enhance-your-user-experience/ (search-retrieved; validate before use)
  • SentinelLabs — BlueNoroff / Hidden Risk (see above)
  • CISA ICS Advisories — ICSA-26-125-02 and ICSA-26-125-04: https://www.cisa.gov/ics-advisories

Section 7 — Phishing & Social Engineering

  • Cisco Talos — TOAD / Phone Number Clustering: https://blog.talosintelligence.com/insights-into-the-clustering-and-reuse-of-phone-numbers-in-scam-emails/ (search-retrieved; validate before use)
  • ACSC — ClickFix / Vidar Advisory: https://www.cyber.gov.au (verify current advisory URL)
  • Guardio Labs — ManageWP Malvertising
  • Security researcher reporting — Beagle Backdoor / Claude.ai Malvertising

Section 9 — Helpful 5 Mitigations

  • NIST SP 800-53 Rev. 5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • CIS Controls v8: https://www.cisecurity.org/controls/v8
  • NIST SP 800-124 Rev. 2 — Mobile Device Security: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final
  • Android Enterprise Policy Reference: https://developers.google.com/android/work/device-admin-deprecation

Section 11 — Upcoming Events & Deadlines

  • CISA BOD 22-01 Binding Operational Directive: https://www.cisa.gov/binding-operational-directives
  • CISA Subscribe to Updates: https://www.cisa.gov/subscribe-updates-cisa
  • NIST PQC Standards — SP 800-131A Rev. 2 and FIPS 203/204/205: https://csrc.nist.gov/projects/post-quantum-cryptography
  • Palo Alto Networks Security Advisories: https://security.paloaltonetworks.com
  • Microsoft MSRC Update Guide: https://msrc.microsoft.com/update-guide

Author

Tech Jacks Solutions
