Threat Intel Bi-Weekly

Linux kernel local privilege escalation now on CISA's Known Exploited Vulnerabilities catalog after active exploitation confirmed in the wild. The Copy Fail vulnerability (CVSS 7.8) affects all Linux distributions running kernels built since 2017. An unprivileged local user executes a 732-byte Python script to perform a controlled 4-byte overwrite of the kernel page cache, corrupting setuid binaries and escalating to root. Container escape vector: shared page cache across containers means an unprivileged container process can corrupt a host setuid binary. Federal Civilian Executive Branch agencies must patch by May 15, 2026.

ConnectWise ScreenConnect path traversal vulnerability (CVSS 8.4) added to CISA KEV on April 29. The flaw allows an authenticated attacker to traverse directories outside the intended scope. Federal agencies have until May 12 to patch. ScreenConnect is widely deployed for remote IT support and managed service provider access — a compromised instance provides persistent access to all endpoints the tool manages. Often chained with CVE-2024-1709 (authentication bypass, CVSS 10.0) for unauthenticated full takeover.

Microsoft confirmed active exploitation of CVE-2026-32202 (CVSS 4.3), a Windows Shell protection mechanism failure enabling spoofing attacks via malicious LNK shortcut files. Exploitation linked to a Russian-linked campaign targeting Ukraine and European organizations. Weaponized LNK files trigger NTLM credential hash leakage via UNC path SMB connections — hashes usable for relay attacks or offline cracking. Represents an incomplete patch bypass of CVE-2026-21510. CISA KEV-listed with federal patch deadline May 12.

High-severity authentication bypass in Apache HttpClient affecting SCRAM-SHA-256 mutual authentication. A missing critical step in the SCRAM-SHA-256 handshake allows an attacker to manipulate the authentication flow, causing the client to incorrectly accept server authentication without verification. This enables establishment of unauthorized trusted sessions with servers using SCRAM-SHA-256 — a protocol deployed for secure credential exchange in database connections (MongoDB, PostgreSQL via SASL), messaging systems, and enterprise middleware. CVSS score: High.

TeamPCP's fourth supply chain wave poisoned official SAP npm packages (mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, @cap-js/sqlite@2.2.2), Intercom npm packages (7.0.4, 7.0.5), and PyPI lightning (2.6.2, 2.6.3) on April 29-30. Preinstall hooks bootstrap a Bun runtime and execute a credential stealer that harvests GitHub/npm tokens, AWS/Azure/GCP/K8s secrets, and browser passwords, encrypting exfiltration with RSA-4096 + AES-256-GCM to attacker-controlled GitHub repos named with Dune-themed patterns. Critically: the payload self-propagates by writing malicious .claude/settings.json (abusing Claude Code SessionStart hook) and .vscode/tasks.json (VS Code auto-run) to all accessible repos, poisoning every package the victim maintains via their stolen npm token. First supply chain attack to weaponize AI coding agent configuration files as a persistence vector.

A single prompt injection pattern confirmed against three major AI coding agents simultaneously: Anthropic Claude Code Security Review (PR title injection extracted ANTHROPIC_API_KEY and GITHUB_TOKEN), Google Gemini CLI Action (issue comment injection leaked GEMINI_API_KEY publicly), and GitHub Copilot Agent (HTML comment payload bypassed all three GitHub runtime defense layers to exfiltrate GITHUB_TOKEN and COPILOT_API_TOKEN). Rated CVSS 9.4 Critical. No CVE issued by any vendor. GitHub classified the issue as a known architectural limitation. Attacks fire automatically from GitHub Actions workflows — no victim action required for Claude Code or Gemini. Any AI agent that ingests untrusted GitHub data and has access to execution tools in the same runtime is potentially affected.

Maximum-severity (CVSS 10.0) RCE in Google Gemini CLI all versions prior to 0.39.1 and run-gemini-cli GitHub Action prior to v0.1.22. In headless and CI mode, Gemini CLI automatically trusted any workspace .gemini/ configuration without review or sandboxing. A malicious pull request planting a .gemini/ config executes on the CI host before any sandbox initializes. The --yolo flag bypassed tool allowlists entirely. Impact: CI/CD secrets theft, supply-chain pivot, lateral movement through GitHub Actions environment variables.

Mandiant's M-Trends 2026 report (based on 500,000+ hours of incident response in 2025) confirms the exploit window has inverted: mean time-to-exploit is now negative 7 days — exploitation is routinely underway before patches exist. 28.3% of CVEs are exploited within 24 hours of public disclosure, compared to a 44-day average in 2025 and 700+ days in 2020. AI-assisted attacks rose 89% year-over-year per CrowdStrike. Exploitation remains the leading initial access vector for the sixth consecutive year (32% of intrusions). QUIETVAULT, a newly documented credential stealer, specifically checks compromised machines for local AI CLI tools and executes predefined prompts to exfiltrate AI tool configurations. Attackers can now transfer access between criminal actors in under 30 seconds.

FBI leadership confirmed in February 2026 that Salt Typhoon, the PRC-linked APT responsible for the 2024 U.S. telecom infrastructure breach, remains 'still very much ongoing.' Intrusions have impacted telecommunications providers and government bodies in 80+ countries. The threat actor pairs broad network access with indiscriminate collection, targeting edge devices that lack EDR telemetry. AT&T and Verizon reportedly blocked release of Salt Typhoon security assessment reports. Congressional email systems confirmed compromised. Related group UAT-7290 is simultaneously targeting U.S. and allied telecom providers via edge device exploits. Salt Typhoon's primary access method is exploitation of vulnerable legacy edge devices — not zero-day exploits.

April 2026 confirmed major breaches across enterprise, government, and healthcare sectors. Booking.com, McGrawHill, and Medtronic all confirmed unauthorized access incidents. The EU Commission experienced an infrastructure breach. The Los Angeles City Attorney's Office confirmed data exfiltration. Chinese Supercomputer research network, Eurail B.V., Basic-Fit fitness chain, Chipsoft healthcare IT, and the Los Angeles City Attorney's Office further demonstrate targeting across public sector, healthcare, travel platforms, and critical technology. Attack patterns include exploiting exposed APIs, credential theft via phishing, and supply chain compromise. Organizations with Chipsoft medical software (Netherlands-based, used across European hospitals) should audit for unauthorized access.

Socket and Wiz forensics of the Mini Shai-Hulud campaign identified over 1,100 GitHub repositories created by compromised developer accounts, using the naming pattern <word>-<word>-<3 digits> (e.g., prescient-lasgun-242). These repositories serve as encrypted credential exfiltration drop points, with AES-256-GCM encrypted payloads. The same RSA public key used in the Bitwarden CLI and Checkmarx incidents confirms this is the fourth major TeamPCP wave. CI/CD secrets extracted directly from runner memory by reading /proc/<pid>/mem, bypassing GitHub Actions log masking entirely.

A cross-vendor prompt injection attack class named Comment and Control allows attackers to hijack AI agents running in GitHub Actions by embedding malicious instructions in PR titles, issue comments, or HTML comments. Confirmed against three agents: Anthropic Claude Code Security Review (PR title injection extracted ANTHROPIC_API_KEY and GITHUB_TOKEN), Google Gemini CLI Action (issue comment injection leaked GEMINI_API_KEY publicly), and GitHub Copilot Agent (HTML comment bypass defeated all three GitHub runtime defense layers to leak GITHUB_TOKEN and COPILOT_API_TOKEN). Rated CVSS 9.4 Critical by Anthropic. No CVE issued by any vendor. GitHub classified the issue as a known architectural limitation. The attack requires no external infrastructure and fires automatically from GitHub Actions workflows without victim action (except Copilot, which requires manual issue assignment). Affects any AI agent that ingests untrusted GitHub data and has access to execution tools and secrets in the same runtime.

Maximum-severity (CVSS 10.0) RCE in Google Gemini CLI and its run-gemini-cli GitHub Action. In headless and CI mode, Gemini CLI automatically trusted any workspace folder for loading .gemini/ configuration files without user review, sandboxing, or approval. An attacker with the ability to place content in a repository workspace via pull request could plant a malicious .gemini/ config file that the agent silently executed on the CI host before any sandbox initialized. The --yolo flag also bypassed tool allowlists entirely. Impact includes CI/CD secrets theft, supply-chain pivot, and lateral movement via GitHub Actions environment variables. CVE not yet formally assigned.

OX Security disclosed a systemic architectural weakness in Anthropic MCP SDK enabling arbitrary command execution across any MCP implementation. Attack paths include unauthenticated command injection via MCP STDIO, zero-click prompt injection leading to STDIO config rewrite, and MCP marketplace supply-chain attacks. Ten CVEs assigned across popular frameworks. Anthropic declined to change the protocol architecture. 7,000+ public MCP servers affected. Flowise patched as CVE-2026-40933; other frameworks have varying remediation status.

Published May 4, 2026. Mandiant's M-Trends 2026 findings confirm AI has inverted the exploit timeline: mean time-to-exploit is -7 days, 28.3% of CVEs weaponized within 24 hours of disclosure. AI-assisted attacks rose 89% year-over-year per CrowdStrike data. QUIETVAULT credential stealer found targeting local AI CLI tool configurations. Ransomware access handoffs now occur in under 30 seconds. The report frames this as a structural failure of traditional patch management — defenders must shift to runtime detection and continuous risk signals.

The Mini Shai-Hulud campaign marks the first publicly documented supply chain attack to weaponize AI coding agent configuration files (.claude/settings.json SessionStart hook, .vscode/tasks.json folderOpen trigger) as a persistence and propagation mechanism. The attack demonstrates that AI tool configuration files in repositories are now an active attack surface — any developer who opens a compromised repo in Claude Code or VS Code automatically executes the attacker's payload. This represents a qualitative evolution from prior supply chain attacks that relied on package installation hooks.