Coverage: May 5–8, 2026 · 5 areas · CVEs, AI threats, nation-state activity, breaches, and news
A critical unauthenticated buffer overflow (CVSS 9.3) in the PAN-OS User-ID Authentication Portal (Captive Portal) on PA-Series and VM-Series firewalls allows a remote attacker to execute arbitrary code with root privileges by sending specially crafted packets — no credentials or user interaction required. Palo Alto Networks confirmed active exploitation in the wild on May 6, 2026, with Security Affairs reporting nation-state actor involvement observed for weeks before disclosure. CISA added CVE-2026-0300 to the KEV catalog on May 6 with an FCEB remediation deadline of May 9. No patch is available; fixes are expected May 13-28, 2026. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
A critical authentication bypass (CVSS 9.8) in cPanel and WHM versions prior to the latest emergency update allows unauthenticated attackers to gain full control over hosting accounts, websites, email, and server infrastructure. A public proof-of-concept and session checker tool were published to GitHub. Active exploitation has been observed from attacker IP 100.96.3.23. The vulnerability enables full WHM server takeover if the WHM panel is exposed. Affects all cPanel/WHM versions below the emergency patched release.
Progress Software's MOVEit Automation contains a critical authentication bypass (CVSS 9.8, CWE-305) affecting versions from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, and all versions prior to 2024.0.0. The flaw is remotely exploitable with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N) and can result in full compromise of confidentiality, integrity, and availability. MOVEit has been a perennial high-value target — the 2023 MOVEit campaign by Cl0p ransomware compromised 2,700+ organizations and affected 90M+ individuals. No active exploitation has been confirmed yet, but the CVSS profile and MOVEit's attack history make rapid exploitation likely.
Previously covered (May 5 brief) — now has a public proof-of-concept at github.com/theori-io/copy-fail-CVE-2026-31431. A logic flaw in the Linux kernel authencesn cryptographic template allows an unprivileged local user to write four controlled bytes into the page cache of any readable file, enabling root access by modifying setuid binaries. CISA KEV-listed. FCEB patch deadline May 15, 2026. Attacker domain copy[.]fail is actively distributing exploit tooling.
LayerX Security disclosed that Anthropic's Claude Chrome extension (Claude in Chrome) trusts the origin (claude.ai) rather than the execution context, allowing any co-installed browser extension — including one with zero declared permissions — to inject arbitrary prompts, breach Claude's guardrails, bypass user confirmation flows, and perform actions in Gmail, Google Drive, and GitHub on behalf of the user. Demonstrated attacks include exfiltrating files from Google Drive, sending emails as the user, stealing GitHub source code, and summarizing/deleting email threads. Anthropic issued a partial fix in v1.0.70, but LayerX confirmed the flaw remains fully exploitable by switching an extension to 'privileged' mode — the user is never notified or asked to approve. No CVE assigned. Disclosure date: April 27, 2026; publicly reported May 7-8.
The shell tool within GitHub Copilot CLI versions 0.0.422 and earlier allows arbitrary code execution through crafted bash parameter expansion patterns (${var@P}, ${var=value}, ${!var}, nested $(cmd) inside ${...}). The CLI's safety classifier treats these patterns as read-only commands while they can embed and execute arbitrary code — bypassing write-operation approval requirements. Attack delivery vectors include prompt injection via repository README files, code comments, issue bodies, or compromised MCP server responses. A developer's workstation is compromised without any approval prompts. CVSS 7.5 High. Patched in version 0.0.423.
Unit 42 and independent researchers identified the ClawHavoc campaign, which uploaded over 1,100 malicious MCP tools to ClawHub (an MCP tool marketplace). Installing any of these tools results in deployment of information-stealing malware that exploits the permissions granted to the AI agent. Attack methodology mirrors TeamPCP but targets the MCP tooling ecosystem directly. The campaign represents a maturing supply chain attack model: rather than poisoning packages, attackers create convincing-looking AI agent tools that inherit all agent permissions on installation. No CVEs assigned; ongoing as of early May 2026.
ShinyHunters ransomware group breached Instructure, the company behind the Canvas learning management system used by approximately 9,000 schools worldwide. The group claims to have stolen personal identifying information for 275 million students, teachers, and staff — including private messages between students and teachers. Canvas systems were visibly defaced on May 7 with ShinyHunters' ransom demand, confirmed by CBS Sacramento, ABC affiliates, and multiple universities. Affected institutions include the University of Pennsylvania, Wake County Public Schools, Sacramento State, and Duke University. Ransom deadline is May 12, 2026. ShinyHunters has also been linked to recent breaches at Princeton and Harvard universities.
CVE-2026-32202 (Windows Shell LNK spoofing, CVSS 4.3) is being actively exploited by APT28 (Fancy Bear, FOREST BLIZZARD) in campaigns targeting Ukrainian and EU government organizations. Akamai researchers confirmed the flaw is an incomplete patch of CVE-2026-21510 (CVSS 8.8), which was itself exploited by APT28 in February 2026. The LNK exploitation leaks NTLM hashes, enabling pass-the-hash lateral movement across enterprise networks. CISA KEV-listed with FCEB deadline May 12. Multiple CrowdStrike reports confirm FANCY BEAR deployed LLM-enabled malware (LAMEHUG) in 2025 to automate reconnaissance — this campaign continues that pattern.
North Korean threat actor UNC1069 (attributed by Google; also tracked as Sapphire Sleet/FAMOUS CHOLLIMA by Microsoft/CrowdStrike) compromised the Axios npm package maintainer account in late March 2026, publishing trojanized versions 1.14.1 and 0.30.4. The malicious dependency 'plain-crypto-js' delivered OtterCookie, a cross-platform RAT enabling system reconnaissance, credential harvesting, and remote command execution on Windows, macOS, and Linux. Axios is downloaded approximately 100 million times weekly and integrated into ~80% of cloud and coding environments. Wiz detected the malicious packages in ~3% of examined environments. The compromised packages were removed within ~3 hours but may have been downloaded 500,000+ times before removal. DPRK incidents rose more than 130% in 2025 per CrowdStrike M-Trends 2026.
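A lockfile check for the package identifiers named above, as an added example that is not from the original brief or from any vendor tooling. The two lockfiles are constructed samples, the `plain-crypto-js` version string is a placeholder, and the function names are illustrative.

```python
import json

BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}  # trojanized releases named above
BAD_NAMES = {"plain-crypto-js"}                 # malicious dependency named above

def entries(lock):
    """Yield (name, version, location) for every package an npm lockfile resolves."""
    if "packages" in lock:                       # lockfileVersion 2 and 3: flat path map
        for path, meta in lock["packages"].items():
            if path:                             # "" is the root project
                name = meta.get("name") or path.rpartition("node_modules/")[2]
                yield name, meta.get("version", ""), path
        return
    stack = [("", lock.get("dependencies", {}))]  # lockfileVersion 1: nested tree
    while stack:
        prefix, deps = stack.pop()
        for name, meta in deps.items():
            where = f"{prefix}>{name}" if prefix else name
            yield name, meta.get("version", ""), where
            stack.append((where, meta.get("dependencies", {})))

def scan_lockfile(text):
    """Return sorted (name, version, location) hits for the packages listed above."""
    return sorted(
        (name, version, where)
        for name, version, where in entries(json.loads(text))
        if name in BAD_NAMES or version in BAD_VERSIONS.get(name, ())
    )

# Constructed lockfiles; the plain-crypto-js version string is a placeholder.
SAMPLE_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "0.0.0-placeholder"},
    "node_modules/legacy-sdk/node_modules/axios": {"version": "0.30.4"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "axios": {"version": "1.13.0"},
    "legacy-sdk": {"version": "2.0.0", "dependencies": {"axios": {"version": "0.30.4"}}}}})

if __name__ == "__main__":
    for hit in scan_lockfile(SAMPLE_V3) + scan_lockfile(SAMPLE_V1):
        print("FOUND", *hit)
```

A clean result only covers the lockfile as it is now; builds that resolved dependencies during the exposure window need their historical lockfiles or install logs checked as well.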
ShinyHunters' breach of Instructure Canvas is the most significant data breach of this period by raw scope. Claimed data includes PII (names, emails, institutional IDs) for 275 million students, teachers, and staff at approximately 9,000 institutions globally, plus 'billions of private messages' between students, teachers, and peers. Universities confirmed outages and defacements on May 7. Data leak deadline set by attackers is May 12, 2026. This breach is notable for combining a massive PII dataset with private communications — creating heightened phishing, social engineering, and blackmail risk for affected individuals.
Israeli application security firm Checkmarx confirmed that internal data including source code repositories, employee database records, API keys, authentication tokens, and MongoDB/MySQL database credentials surfaced on the dark web in late April 2026. Initial compromise was attributed to TeamPCP (the same group behind the Mini Shai-Hulud supply chain campaign). LAPSUS$ subsequently claimed and listed Checkmarx on their data leak site. Additional compromises were identified in Checkmarx's KICS Docker image, Visual Studio Code extensions, and GitHub workflows — all weaponized to distribute credential-stealing malware. The incident has broader implications: Checkmarx scans code for thousands of enterprise clients, meaning the breach may expose downstream customer code analysis results.
Microsoft disclosed a large-scale credential theft campaign leveraging code-of-conduct-themed phishing lures combined with legitimate email services to redirect users to attacker-controlled domains that steal authentication tokens. The campaign targets enterprise environments, exploiting the trust users place in legitimate-looking compliance or HR-themed communications. Token theft bypasses MFA in many configurations, enabling session hijacking and persistent access without requiring credentials.
Pulled from AI Vuln Monitor run — May 8, 2026
Affected: Anthropic Claude Chrome Extension (Claude in Chrome) — all versions prior to Anthropic's partial fix
LayerX Security disclosed a flaw in Anthropic's Claude Chrome browser extension (Claude in Chrome) in which the extension exposes a privileged message interface to the Claude LLM via the 'externally_connectable' manifest setting, trusting the origin (claude.ai) rather than the actual execution context. This allows any other installed browser extension — including minimal, low-permission ones — to execute arbitrary prompts against the Claude LLM, breach Claude's guardrails, bypass user confirmation flows, manipulate Claude's perception of the UI, and perform sensitive cross-site actions (Gmail, Google Drive, GitHub). Researchers named the flaw 'ClaudeBleed.' Anthropic confirmed awareness and released a partial fix, but LayerX confirmed the flaw remains exploitable after the patch. No CVE assigned. Classified as High severity because exploitation requires a co-installed malicious extension, though that extension can be minimal and low-permission.
Affected: GitHub Copilot CLI versions 0.0.422 and earlier
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 allows arbitrary code execution through crafted bash parameter expansion patterns. The CLI's shell safety assessment classifies commands as read-only (safe) or write-capable (requires approval), but fails to account for bash parameter transformation operators that can embed executable code within apparently read-only commands. Dangerous patterns include ${var@P}, ${var=value}/${var:=value}, ${!var}, and nested $(cmd) or <(cmd) inside ${...} expansions. An attacker who can influence command text via prompt injection through repository files (README, code comments, issue bodies), compromised MCP server responses, or social engineering can achieve arbitrary code execution on the developer's workstation — even in permission modes requiring user approval for write operations, because the injected commands appear read-only. CVSS 7.5 High. Patched in version 0.0.423.
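A pre-classification check for the expansion patterns listed in both Copilot CLI write-ups above, as an added example that is not GitHub's code or its fix. The function names, rule labels and sample commands are constructed for illustration; the scanner skips single-quoted text (where bash does not expand) and recurses into nested `${...}`.

```python
import re

RULES = [  # (reason, regex applied to the text between "${" and its closing "}")
    ("indirect expansion ${!var}", re.compile(r"^!")),
    ("assigning expansion ${var=value}", re.compile(r"^[A-Za-z_]\w*:?=")),
    ("prompt transform ${var@P}", re.compile(r"^[A-Za-z_]\w*(\[[^\]]*\])?@P$")),
    ("command substitution inside ${...}", re.compile(r"\$\(|<\(|`")),
]

def expansions(cmd):
    """Yield the body of every ${...} bash would expand, including nested ones."""
    i, in_single, in_double = 0, False, False
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and not in_single:      # backslash escapes the next character
            i += 2
            continue
        if c == "'" and not in_double:       # single quotes suppress expansion
            in_single = not in_single
        elif c == '"' and not in_single:     # double quotes do not
            in_double = not in_double
        elif not in_single and cmd.startswith("${", i):
            depth, j = 1, i + 2
            while j < len(cmd) and depth:    # find the matching closing brace
                if cmd.startswith("${", j):
                    depth += 1
                    j += 1
                elif cmd[j] == "}":
                    depth -= 1
                j += 1
            body = cmd[i + 2 : j - 1] if depth == 0 else cmd[i + 2 :]
            yield body
            yield from expansions(body)      # classify inner ${...} as well
            i = j
            continue
        i += 1

def risky_expansions(cmd):
    """Return sorted (body, reason) pairs for expansions that can execute or write."""
    return sorted({(b, why) for b in expansions(cmd) for why, rx in RULES if rx.search(b)})

def needs_approval(cmd):
    """Gate for a read-only classifier: any finding means the command is not read-only."""
    return bool(risky_expansions(cmd))

if __name__ == "__main__":
    # Constructed sample commands, all harmless.
    for s in ['echo ${HOME}', "echo '${x@P}'", 'echo ${x@P}', 'cat ${f:-$(hostname)}']:
        print(needs_approval(s), s)
```

The rules are deliberately conservative: `${!prefix*}` name listings are flagged along with true indirection, which costs an approval prompt rather than a missed execution path.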
BlackFog confirmed April 2026 as the highest April ransomware activity ever recorded: 105 publicly disclosed attacks across 22 countries, with the US accounting for 60% of incidents. ShinyHunters led all groups with 15 attacks. Healthcare was the most targeted sector with 25 attacks. 32 distinct ransomware groups were active. CrowdStrike's 2026 Global Threat Report notes AI-enabled adversaries increased activity by 89%, with Russia-nexus FANCY BEAR deploying LLM-enabled malware (LAMEHUG) and DPRK FAMOUS CHOLLIMA more than doubling its incident rate. 42% of vulnerabilities in 2025 were exploited before public disclosure.
Google researchers published findings (May 2, 2026) from a scan of the public web showing growing evidence of indirect prompt injection attempts targeting AI agents — including prompts embedded in web pages designed to trigger data exfiltration and destructive actions when processed by agentic AI. Sophistication remains limited, but the trend is clear as adversaries test the expanded attack surface that agentic AI creates. Multi-language evasion (fragmenting payloads across Mandarin, Arabic, Portuguese) was documented by Unit 42 in real-world attacks to bypass classifiers trained primarily in English.
Oracle announced a shift to monthly Critical Security Patch Updates (CSPUs) beginning May 28, 2026, addressing high-priority vulnerabilities more rapidly than its quarterly CPU cycle. CSPUs provide targeted critical fixes while quarterly CPUs remain cumulative. This is a positive industry development — Oracle customers in customer-managed environments can now address critical vulnerabilities without waiting up to 90 days for the next quarterly cycle. Upcoming schedule: May 28 (CSPU), June 16 (CSPU), July 21 (quarterly CPU).