u/falconupkid

CISA has added CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller, to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation due to active exploitation.

Technical Breakdown

• Vulnerability: CVE-2026-20182, a critical authentication bypass flaw in Cisco Catalyst SD-WAN Controller.
• Impact: Exploitation grants unauthenticated attackers administrative access to the controller.
• Affected Product: Cisco Catalyst SD-WAN Controller.
• TTPs: Active exploitation indicates threat actors are leveraging this bypass to gain initial access or escalate privileges, effectively bypassing standard authentication mechanisms (MITRE ATT&CK: T1078.004 - Exploitation of Remote Services, T1190 - Exploit Public-Facing Application).

Defense

Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by May 17, 2026. All organizations utilizing Cisco Catalyst SD-WAN Controller should prioritize applying available patches or implementing mitigation strategies immediately to prevent unauthorized administrative access.

Source: https://thehackernews.com/2026/05/cisa-adds-cisco-sd-wan-cve-2026-20182.html

The Shai-Hulud malware code has been publicly released, providing a blueprint that significantly lowers the barrier for threat actors to orchestrate sophisticated supply chain attacks.

• This "code drop" enables a wider range of adversaries to leverage pre-built malicious capabilities, directly fueling an increased risk of supply chain compromise efforts. It democratizes access to advanced tooling, making it easier for less-resourced groups to conduct targeted attacks.

Defense: Prioritizing and taking immediate action on supply chain security posture is critical. This includes enhancing vendor risk assessments, implementing robust software supply chain integrity checks, and deploying advanced endpoint detection and response (EDR) solutions across the ecosystem.

Source: https://www.reversinglabs.com/blog/the-shai-hulud-code-drop

The TeamPCP hacker group is advertising Mistral AI's source code repositories for sale, threatening a public leak if no buyer is found.

Strategic Impact:

• Intellectual Property (IP) Theft: This incident underscores the escalating risk of IP theft targeting high-value assets, particularly within the rapidly evolving AI sector. Protecting proprietary algorithms, model architectures, and development code is a critical concern for any organization in this space.
• Supply Chain & Trust Implications: For organizations using or integrating Mistral AI's models, potential source code exposure could introduce unforeseen vulnerabilities or backdoors, demanding heightened scrutiny of upstream dependencies.
• Competitive Intelligence & Espionage: The availability of core AI IP on the black market poses a significant threat, as it could be acquired by competitors or state-sponsored actors seeking to gain a strategic advantage or accelerate their own development efforts.

Key Takeaway: Organizations innovating in AI must implement robust security controls around their core intellectual property and development environments to counter dedicated threat actors.

Source: https://www.bleepingcomputer.com/news/security/teampcp-hackers-advertise-mistral-ai-code-repos-for-sale/

Attackers are actively exploiting a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin to gain admin-level access on compromised websites.

Technical Breakdown:

• Vulnerability: An authentication bypass flaw allows unauthenticated actors to assume administrative privileges directly.
• Affected Component: Burst Statistics WordPress plugin.
• TTPs: Initial Access (via authentication bypass), Privilege Escalation (achieving admin-level control).
• Impact: Full compromise of affected WordPress sites, allowing for arbitrary actions, data manipulation, or further exploitation.

Defense: Immediate patching is paramount. Site administrators using the Burst Statistics plugin should update to the latest available secure version without delay.

Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin/

Cisco warns of active zero-day exploitation of a critical authentication bypass flaw (CVE-2026-20182) in its Catalyst SD-WAN Controllers, allowing attackers to seize administrative control.

Technical Breakdown

• Vulnerability: CVE-2026-20182, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller.
• Impact: Exploitation grants attackers administrative privileges on compromised devices.
• Observed TTPs (inferred):
  • Initial Access (T1078 - Valid Accounts): Exploiting the bypass to gain initial unauthorized access.
  • Privilege Escalation (T1068 - Exploitation for Privilege Escalation): Achieving administrative rights through the vulnerability.

Defense

Prioritize applying Cisco's security updates as soon as they are released and monitor logs for any unauthorized access attempts or suspicious activity on SD-WAN controllers.

Source: https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks/

EvilTokens is leveraging AI to automate and scale device code phishing attacks, bypassing MFA across hundreds of organizations. This sophisticated technique exploits legitimate authentication flows to gain persistent access without requiring stolen passwords or malware.

Technical Breakdown:

• TTPs: Device Code Phishing (T1621 - Multi-Factor Authentication Request Generation, T1566.002 - Phishing: Spearphishing Link).
  • The attack flow involves convincing targets to visit a malicious phishing site that initiates a legitimate Microsoft device code authentication request.
  • Victims are then prompted to enter a generated device code on a genuine Microsoft login page, granting the attacker access to their session or application consent.
  • The AI component likely enhances the social engineering aspect of the phishing lures and automates campaign management and scaling.
• Affected Scope: The campaign has targeted at least 344 organizations.
• The provided summary does not contain specific IOCs like IPs or hashes.

Defense: Educate users extensively on device code phishing tactics, emphasizing careful scrutiny of authentication prompts and the originating URLs. Implement strong conditional access policies and continuously monitor for unusual authentication patterns or application consent grants.

Source: https://www.huntress.com/blog/device-code-phishing-ai-mfa-bypass

Summary: Huntress has partnered with Acrisure to launch a new cyber insurance program, simplifying the application process and offering financial incentives for organizations.

Strategic Impact: This partnership directly impacts how organizations can manage cyber risk and insurance costs. Companies leveraging Huntress's Managed EDR and Managed ITDR services can now qualify for streamlined cyber insurance policies through Acrisure, crucially including a $0 deductible on Tech E&O or Cyber policies. This initiative links specific security control adoption to tangible financial benefits and simplified risk transfer, influencing security tool selection and budget allocation for CISOs and security leaders.

Key Takeaway: The program provides a clear financial incentive for adopting specific security services by reducing cyber insurance deductibles.

Source: https://www.huntress.com/blog/huntress-acrisure-cyber-insurance-program

The CMMC Final Rule has been issued, mandating that DoD subcontractors achieve Level 2 compliance by November 2026. This regulatory update formalizes requirements for protecting Controlled Unclassified Information (CUI).

Strategic Impact: This is a critical update for any organization in the DoD supply chain. CISOs and security leaders must now strategize for CMMC Level 2 certification, which aligns with NIST SP 800-171 requirements. This includes implementing robust security controls, continuous monitoring, and maintaining comprehensive documentation. Failing to meet this deadline will likely impact eligibility for future DoD contracts.

Key Takeaway: All DoD subcontractors must accelerate their efforts to implement and demonstrate compliance with CMMC Level 2 requirements within the next three years to maintain operational viability in the defense sector.

Source: https://www.huntress.com/blog/cmmc-final-rule-guide-for-dod-subcontractors

OpenAI has confirmed a security breach impacting two employee devices, stemming from the wider TanStack supply chain attack that affected hundreds of npm and PyPI packages. This incident prompted OpenAI to rotate code-signing certificates for its applications as a precaution.

Technical Breakdown

• TTPs:
  • Supply Chain Compromise (T1195.002): The initial vector was a compromise within the TanStack ecosystem, leading to malicious versions of npm and PyPI packages.
  • Initial Access (T1195.001 - Compromise Software Supply Chain): Exploitation of these malicious packages likely led to the breach of two OpenAI employee devices.
• Impact: Led to OpenAI's decision to rotate code-signing certificates, suggesting potential risks to the integrity of their applications.

Defense

OpenAI proactively rotated code-signing certificates for its applications to mitigate potential risks and invalidate any compromised keys. Organizations should ensure robust supply chain security practices and endpoint detection for developer environments.

Source: https://www.bleepingcomputer.com/news/security/openai-confirms-security-breach-in-tanstack-supply-chain-attack/

A new vulnerability, NGINX Rift (CVE-2026-42945), has been identified with an associated exploit exposing millions of NGINX instances globally.

Technical Breakdown

• CVE ID: CVE-2026-42945
• Affected Product: NGINX
• Impact: Millions of NGINX instances are reportedly vulnerable to exploitation.
• TTPs/IOCs: Specific TTPs or IOCs are not detailed in the summary, but the vulnerability is stated to have an active exploit.

Defense

Organizations should immediately assess their NGINX deployments for exposure to CVE-2026-42945. Tools like OX Security are highlighted as capable of assisting in identifying this issue across environments.

Source: https://www.ox.security/blog/from-prompt-to-runtime-four-ways-to-find-nginx-rift-cve-2026-42945-with-ox-security/

Malicious node-ipc npm Versions Distribute Stealer Backdoor Targeting Developer Secrets

Several versions of the widely-used node-ipc npm package have been found to contain a stealer backdoor designed to compromise developer secrets and sensitive information. This constitutes a significant software supply chain risk impacting projects relying on these compromised dependencies.

Technical Breakdown:

• Affected Versions: node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1
• TTPs: This incident points to a Software Supply Chain Compromise (T1588.006) leveraging a Backdoor (T1199) to facilitate Data Exfiltration (T1041) of developer secrets.
• IOCs: Specific malicious code has been identified within the mentioned package versions.

Defense: Organizations and developers should immediately audit their dependency trees for any usage of the affected node-ipc versions and downgrade to a known safe version or remove them. Enhance supply chain security scanning and integrity checks for all third-party libraries.

Source: https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html

Critical Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited

A maximum-severity authentication bypass vulnerability (CVE-2026-20182, CVSS 10.0) in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager is being actively exploited in limited attacks. Threat actors are leveraging a flaw in the peering authentication mechanism to gain administrative access.

Technical Breakdown:

• Vulnerability Type: Authentication bypass, specifically impacting peering authentication.
• Affected Products: Cisco Catalyst SD-WAN Controller (vSmart) and Catalyst SD-WAN Manager.
• Impact: Full administrative access upon successful exploitation.
• Exploitation Status: Confirmed as actively exploited in the wild.

Defense: Cisco has released security updates to address this critical flaw. Prioritize patching for all affected Catalyst SD-WAN deployments immediately.

Source: https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html

Pwn2Own Berlin 2026 kicked off with a bang, as researchers successfully exploited 24 unique zero-day vulnerabilities in Windows 11 and Microsoft Edge on the first day alone, collecting over $523,000 in bounties.

Technical Breakdown

• Targets: Windows 11, Microsoft Edge
• Vulnerabilities: 24 distinct zero-day exploits demonstrated.
• Impact: Successful exploitation leading to cash awards, indicating significant security bypasses and potential for remote code execution or privilege escalation, typical for Pwn2Own challenges.

Defense

Microsoft will be addressing these vulnerabilities in upcoming security updates. Ensure timely patching and maintain a robust update management strategy to protect against these newly discovered flaws.

Source: https://www.bleepingcomputer.com/news/security/windows-11-and-microsoft-edge-hacked-on-first-day-of-pwn2own-berlin-2026/

Summary: Talos Intelligence reflects on the impending impact of advanced AI tools on vulnerability discovery and the subsequent challenges for large-scale patch management. The prediction is that AI will accelerate the rate at which new vulnerabilities are found, creating an increased burden on security teams to effectively identify, prioritize, and deploy patches.

Strategic Impact: This isn't just a technical discussion; it's a strategic warning. Security leaders need to consider how to scale their vulnerability management programs and patching cadences to cope with an anticipated surge in disclosures. Current resources and processes might be insufficient for this accelerated pace, necessitating investments in automation, improved prioritization frameworks, and potentially new staffing models. It highlights the need for proactive planning to avoid being overwhelmed by the sheer volume of required patching.

Key Takeaway: Prepare for a future where vulnerability disclosures will be significantly more frequent, demanding a strategic overhaul of current patch management capabilities.

Source: https://blog.talosintelligence.com/the-time-of-much-patching-is-coming/

A critical supply chain attack has compromised the widely used node-ipc npm package (3M+ monthly downloads), actively spreading infostealer malware designed to exfiltrate AI sessions, cloud credentials, and browser data.

Technical Breakdown

• Threat Vector: Software supply chain compromise affecting a popular npm package.
• Affected Package: node-ipc
• Affected Versions: Specifically identified version 12.0.1.
• Malware Type: Infostealer.
• Targeted Data: AI sessions, cloud credentials, and browser data.
• TTPs: (Based on the snippet, implies a combination of)
  • TA0001 - Initial Access: Compromise of a legitimate software component.
  • TA0009 - Collection: Stealing credentials and sensitive information.
  • TA0010 - Exfiltration: Transmission of stolen data (implied).

Defense

If you've installed node-ipc version 12.0.1, immediately treat the affected machine as compromised. Review the official node-ipc project for remediation steps and patched versions.

Source: https://www.ox.security/blog/node-ipc-npm-package-infostealer-malware/

A significant software supply chain attack has been detected targeting the node-ipc npm package, leveraging DNS exfiltration for credential stealing. This wide-reaching compromise has reportedly impacted projects including TanStack and Mistral AI's npm and PyPI packages.

Technical Breakdown

• Threat: Mass Software Supply Chain Attack
• Affected Package: node-ipc (npm)
• Impacted Projects: TanStack, Mistral AI (affecting their npm and PyPI distributions)
• TTPs:
  • Compromise of legitimate open-source packages.
  • Credential Stealing functionality.
  • DNS Exfiltration for data egress.
• MITRE ATT&CK: T1195.002 (Supply Chain Compromise: Compromise Software Dependencies and Libraries), T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage), T1003 (OS Credential Dumping).

Defense

Organizations should implement real-time software supply chain security monitoring to detect and block malicious packages before they enter development pipelines. Proactively scan all open-source dependencies and enforce policies to prevent the installation of compromised components.

Source: https://safedep.io/malicious-node-ipc-npm-compromise

A critical Remote Code Execution (RCE) vulnerability, NGINX Rift (CVE-2026-42945), has been disclosed, affecting the widely used NGINX web server for 18 years. With a CVSS score of 9.2 (Critical), this unauthenticated heap buffer overflow poses a significant threat to countless internet-facing systems.

Technical Breakdown

• Vulnerability Name: NGINX Rift
• CVE ID: CVE-2026-42945
• Vulnerability Type: Heap Buffer Overflow
• Impact: Unauthenticated Remote Code Execution (RCE)
• CVSS Score: 9.2 (Critical)
• Affected Software: NGINX web server. The vulnerability has been present in the codebase for 18 years, impacting a significant portion of internet-facing web servers globally.
• TTPs/IOCs: Specific TTPs or IOCs were not detailed in the disclosure summary.

Defense

Prioritize immediate patching or updating of NGINX installations to the latest secure version to mitigate this critical vulnerability.

Source: https://www.picussecurity.com/resource/blog/nginx-rift-cve-2026-42945-critical-heap-buffer-overflow-vulnerability-explained

A fresh "ThreatsDay Bulletin" highlights a critical PAN-OS RCE, a Mythos cURL bug, and emerging AI Tokenizer Attacks, alongside a worrying trend of increasing supply chain attacks and sophisticated social engineering tactics.

Technical Breakdown:

• PAN-OS RCE: A critical Remote Code Execution vulnerability affecting Palo Alto Networks operating system, requiring immediate attention for patching and mitigation.
• Mythos cURL Bug: A new vulnerability identified in cURL, posing potential risks for data manipulation, exfiltration, or further system compromise depending on its nature.
• AI Tokenizer Attacks: An emerging threat vector focused on exploiting or manipulating AI model tokenizers, which could lead to prompt injection, data poisoning, or other adversarial machine learning attacks.
• Supply Chain Attacks: Continued exploitation of software supply chains through malicious packages, compromised dependencies, and insider threats.
• Social Engineering: Persistent and evolving tactics including fake help desks, phishing links, and deceptive forum posts, targeting user credentials and system access.
• Common Weaknesses: Underscores a recurring theme of basic security hygiene failures ("weak checks") that continue to enable attackers.

Defense: Prioritize patching for critical vulnerabilities like the PAN-OS RCE. Implement robust supply chain security controls and continuous monitoring for suspicious activity. Enhance user awareness training against evolving social engineering tactics, and audit foundational security controls to address long-standing weaknesses.

Source: https://thehackernews.com/2026/05/threatsday-bulletin-pan-os-rce-mythos.html