Weekly threat intelligence digest — 2026-W20
Weekly security intelligence digest covering 43 items, 12 CVEs. 19 high, 16 critical, 5 informational, 3 medium.
Weekly threat intelligence digest: May 11–17, 2026
Executive summary
Week 2026-W20 marks a significant escalation in both the velocity and sophistication of supply-chain attacks, critical infrastructure targeting, and cloud-native vulnerabilities. Three critical RCE vulnerabilities in widely-deployed systems (Ollama, GitHub Actions, Exim) combined with active exploitation of NGINX and public PoCs for Windows zero-days signal an environment where defenders face compressed response windows. State-sponsored actors have begun operationalising AI-augmented exploitation at industrial scale, while criminal marketplaces continue their cycle of takedown and relaunch despite law enforcement pressure.
Critical & high priority
Supply-chain compromises accelerate: npm, PyPI, and GitHub Actions under siege
The week opened with three major supply-chain incidents that expose the fragility of open-source dependency chains:
GitHub Actions OIDC token extraction and cache poisoning (CVE-2026-45321) enabled attackers to publish 84 malicious npm package versions under a trusted publisher identity, delivering credential-harvesting malware at install time. The attack chain combined pull_request_target misconfiguration with cache poisoning and in-memory token extraction—a sophisticated abuse of GitHub's own authentication mechanisms.
TanStack npm library compromise affected multiple AI companies including OpenAI, with malicious code distributed across both npm and PyPI, indicating coordinated targeting of the AI development supply chain specifically.
node-ipc malicious versions (9.1.6, 9.2.3, 12.0.1) contained data-stealing backdoors exfiltrating developer secrets and credentials. Given node-ipc's ubiquity in Node.js projects, this represents a direct compromise of infrastructure dependencies affecting potentially hundreds of thousands of deployments.
Jenkins plugin compromise (Checkmarx AST) by TeamPCP followed their earlier KICS tool attack, suggesting methodical targeting of CI/CD pipeline infrastructure. This is the second Checkmarx compromise in weeks.
Action: Immediately audit your npm and PyPI dependency trees for affected versions. Review GitHub Actions workflows for pull_request_target usage and implement cache validation. For organisations using Checkmarx tooling, downgrade to version 2.0.13-829.vc72453fa_1c16 or earlier immediately.
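One way to run the dependency-tree audit for the node-ipc versions listed above (an added example, not code from any affected project). It reads an npm `package-lock.json` in either the flat `packages` layout (lockfileVersion 2 and 3) or the nested `dependencies` layout (lockfileVersion 1); the sample lockfiles and the package names `build-tool` and `ipc-alias` are constructed for illustration.

```javascript
// Added example. The versions are the node-ipc releases named in this digest;
// extend the map from your own advisory feed.
const ADVISORIES = new Map([
  ['node-ipc', new Set(['9.1.6', '9.2.3', '12.0.1'])],
]);

// "node_modules/a/node_modules/@scope/pkg" -> "@scope/pkg"
function nameFromPath(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function findAffected(lock, advisories = ADVISORIES) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = advisories.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };

  // lockfileVersion 2/3: flat map keyed by install path. An aliased install
  // carries the real package name in "name", so prefer it over the folder name.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(key);
    if (name) check(name, meta.version, key);
  }

  // lockfileVersion 1: nested tree. Skipped when "packages" exists, because
  // v2 lockfiles carry both views and would otherwise report each hit twice.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, [...trail, name].join(' > '));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);

  return hits;
}

// Constructed sample lockfiles (not taken from a real project).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' },
    'node_modules/build-tool/node_modules/node-ipc': { version: '9.2.3' },
    'node_modules/ipc-alias': { name: 'node-ipc', version: '12.0.1' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'build-tool': {
      version: '2.0.0',
      dependencies: { 'node-ipc': { version: '9.1.6' } },
    },
  },
};

console.log(findAffected(SAMPLE_LOCK_V3));
console.log(findAffected(SAMPLE_LOCK_V1));
```

The transitive and aliased entries are the ones a check of the top-level `package.json` alone would miss.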
Critical remote code execution vulnerabilities with active exploitation and public PoCs
Ollama memory disclosure (CVE-2026-7482) permits unauthenticated remote attackers to extract entire process memory from affected instances. With 300,000+ servers exposed globally, this represents immediate risk to organisations running unpatched deployments. The out-of-bounds read flaw allows attackers to extract sensitive data including API keys, model parameters, and chat histories.
Exim BDAT use-after-free (CVE-2026-45185) affects GnuTLS-compiled builds, enabling memory corruption and potential RCE on mail servers. Given Exim's deployment across internet-facing mail infrastructure, this poses significant risk to email delivery chains and should be prioritised for immediate patching.
NGINX heap buffer overflow (CVE-2026-42945, CVSS 9.2) in the rewrite module is under active exploitation days after disclosure, affecting versions 0.6.27 through 1.30.0. This is a weaponised vulnerability with demonstrated RCE potential against load balancers and reverse proxies.
Mapfish Print unauthenticated RCE (CVE-2026-44672) allows arbitrary code execution without credentials via dynamic table functionality, representing a critical authentication bypass.
SiYuan Bazaar stored XSS escalating to Electron RCE (CVE-2026-45375) demonstrates the persistent risk of Electron applications with overpermissive security configurations (nodeIntegration enabled, contextIsolation disabled).
Marten full-text search SQL injection (CVE-2026-45288) enables unauthenticated SQL injection against PostgreSQL backends through unparameterized regConfig interpolation.
VM2 sandbox escape (CVE-2026-45411) via async generator type confusion allows attackers to break sandbox confinement and execute arbitrary host code.
Strapi Content-Type Builder SQL injection (CVE-2026-22599) allows authenticated administrators to inject arbitrary SQL, enabling database compromise including file read, DoS, and potential RCE.
Action: Prioritise patching of Ollama, Exim, and NGINX based on your exposure footprint. For Mapfish Print, Strapi, and VM2, apply patches immediately. For organisations running Marten with external-facing Solr APIs, implement authentication and network segmentation. Test patches in non-production environments given the complexity of these systems.
State-sponsored actors operationalise AI-augmented exploitation at industrial scale
Google Threat Intelligence Group reports that adversaries have progressed from experimental AI use to industrial-scale deployment of generative models for vulnerability exploitation, reconnaissance, and initial access. This represents a qualitative shift in threat capability and operational maturity. State-sponsored actors are now using AI to:
- Automate vulnerability discovery and exploitation chain development
- Generate convincing phishing and social engineering content
- Conduct reconnaissance at scale without manual intervention
- Identify and exploit novel attack vectors faster than defenders can respond
This capability shift will compress the window between vulnerability disclosure and weaponisation, particularly for zero-days.
Action: Assume that nation-state actors can now operationalise zero-days within days rather than months. Implement continuous monitoring for unusual reconnaissance activity (DNS queries, port scanning patterns, credential enumeration). Focus incident response planning on detection of state-sponsored intrusions, which differ fundamentally from commodity ransomware (see Cisco Talos guidance: state-sponsored IR requires different playbooks than ransomware-focused response).
SillyTavern header-based SSO authentication bypass (CVE-2026-44649)
This vulnerability represents a foundational architectural flaw: SillyTavern trusts HTTP headers (Remote-User, X-Authentik-Username) from any network client without validating origination from a trusted reverse proxy. This allows unauthenticated attackers to impersonate any user, including administrators. This pattern—trusting unvalidated headers—remains disturbingly common in web applications.
Action: If running SillyTavern, apply patches immediately. For any custom web applications relying on reverse proxy authentication, conduct an urgent security review to ensure that proxy headers are validated against a whitelist of legitimate reverse proxy IPs and that the proxy itself implements proper authentication.
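The proxy-header check recommended above, sketched for a Node.js application (an added example, not SillyTavern's code or its patch). The function names and the addresses in `TRUSTED_PROXIES` are assumptions made for illustration; the header names are the two cited in this entry.

```javascript
// Added example: accept identity headers only from an allowlisted reverse proxy.
// Constructed sample addresses; replace with the IPs of your own proxy.
const TRUSTED_PROXIES = new Set(['10.0.0.5', '::1']);

// Node.js exposes incoming header names in lower case.
const IDENTITY_HEADERS = ['remote-user', 'x-authentik-username'];

// On dual-stack sockets Node reports IPv4 peers as "::ffff:a.b.c.d";
// without this step an IPv4 allowlist entry would never match.
function normalizeIp(addr) {
  if (typeof addr !== 'string') return '';
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(addr);
  return (m ? m[1] : addr).toLowerCase();
}

// Decide from the TCP peer address, never from X-Forwarded-For or similar
// headers, which a client can set just as easily as Remote-User.
function isTrustedProxy(req, trusted = TRUSTED_PROXIES) {
  return trusted.has(normalizeIp(req.socket && req.socket.remoteAddress));
}

// Returns the asserted username, or null when nothing trustworthy was sent.
function resolveProxyUser(req, trusted = TRUSTED_PROXIES) {
  if (!isTrustedProxy(req, trusted)) {
    // Remove the headers so no later handler can read them by mistake.
    for (const h of IDENTITY_HEADERS) delete req.headers[h];
    return null;
  }
  for (const h of IDENTITY_HEADERS) {
    const value = req.headers[h];
    if (typeof value !== 'string' || value.trim() === '') continue;
    // Node joins repeated headers with ", "; two identities in one request
    // is ambiguous, so refuse rather than guess.
    if (value.includes(',')) return null;
    return value.trim();
  }
  return null;
}

// Constructed request objects shaped like http.IncomingMessage.
const SPOOFED = {
  socket: { remoteAddress: '203.0.113.9' },
  headers: { 'remote-user': 'admin' },
};
const VIA_PROXY = {
  socket: { remoteAddress: '::ffff:10.0.0.5' },
  headers: { 'x-authentik-username': 'alice' },
};

console.log(resolveProxyUser(SPOOFED));   // direct client: header ignored
console.log(resolveProxyUser(VIA_PROXY)); // allowlisted proxy: header accepted
```

The reverse proxy must also overwrite any client-supplied copies of these headers before forwarding, otherwise a spoofed value arrives from the trusted address.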
UNC6671 BlackFile campaign: vishing and AiTM as a vector to cloud extortion at scale
UNC6671 operates BlackFile, an extortion campaign using sophisticated vishing and adversary-in-the-middle (AiTM) techniques to bypass MFA and compromise Microsoft 365 and Okta environments. The attack chain circumvents traditional perimeter defences by targeting human authentication vectors rather than technical infrastructure, exfiltrating corporate data for extortion. This represents a fundamental shift in how high-impact attackers operate: social engineering plus credential theft plus cloud access equals cloud extortion.
Action: Implement conditional access policies that restrict access to sensitive resources based on risk signals. Deploy FIDO2 security keys for high-value accounts and enforce phishing-resistant authentication. Train staff on vishing tactics and implement callback procedures for authentication verification. Monitor for anomalous cloud account activity including unusual login patterns and API access from unexpected locations.
Windows zero-day with public PoC: MiniPlasma privilege escalation
A Windows privilege escalation zero-day called MiniPlasma has had a proof-of-concept exploit publicly released, allowing attackers to achieve SYSTEM-level access on fully patched systems. Public PoC availability significantly increases exploitation risk across all affected Windows environments within days.
Action: Assume MiniPlasma is being actively weaponised. Implement application whitelisting and endpoint detection and response (EDR) tuning to detect privilege escalation attempts. Monitor for suspicious SYSTEM-level process creation chains. Microsoft is expected to release a patch; prioritise deployment when available.
Supply-chain attacks on critical infrastructure: Foxconn and Nitrogen ransomware
Foxconn confirmed a cyberattack affecting multiple North American manufacturing facilities across six US states and Mexico. The Nitrogen ransomware group claims to have compromised Foxconn's North American operations and exfiltrated 8TB of data including confidential documents. This represents a significant supply chain risk given Foxconn's role as a critical electronics manufacturer for major tech companies. The incident threatens consumer electronics and automotive component supply chains.
Action: Organisations dependent on Foxconn should prepare supply chain contingency plans. Assume that confidential manufacturing data, designs, and customer information may have been exfiltrated. Monitor dark web marketplaces and breach notification services for Foxconn data sales. If you use Foxconn as a supplier, contact your supply chain team to assess impact.
Chinese-linked FamousSparrow targets Azerbaijani energy sector via Microsoft Exchange exploitation
A Chinese-affiliated threat actor designated FamousSparrow conducted a multi-wave intrusion against an Azerbaijani oil and gas company between December 2025 and February 2026, exploiting Microsoft Exchange vulnerabilities. This represents a notable shift in the group's targeting geography and suggests persistent interest in critical infrastructure. The use of Exchange vulnerabilities as an initial access vector remains effective despite multiple patches.
Action: Critical infrastructure organisations should assume they are targeted by state-sponsored actors. Implement network segmentation to isolate Exchange servers from internal systems. Monitor for anomalous Outlook Web Access (OWA) access patterns and unusual email forwarding rules. Ensure Exchange is patched to the latest cumulative updates.
Phishing campaign targets 500+ organisations across critical infrastructure
A years-long phishing campaign has compromised over 500 organisations across aviation, energy, infrastructure, logistics, public administration, and technology sectors. The extended campaign duration and cross-sector targeting suggest either a sophisticated threat actor or multiple coordinated groups with sustained operational capability.
Action: Implement email authentication (SPF, DKIM, DMARC) and advanced email filtering with sandboxing. Conduct phishing simulations targeting your organisation. Enforce multi-factor authentication organisation-wide. Assume your organisation may already be compromised; implement continuous monitoring for lateral movement and data exfiltration.
Canvas LMS (Instructure) targeted by ShinyHunters: Congressional pressure mounting
The U.S. House Committee on Homeland Security has demanded testimony from Instructure executives regarding two separate cyberattacks by the ShinyHunters extortion group against Canvas, which exposed student data and disrupted educational institutions during critical exam periods. This represents escalating regulatory pressure on organisations failing to protect critical infrastructure used by students and educational institutions.
Action: Educational technology providers should assume they are targeted by extortion groups. Implement zero-trust architecture for student data access. Conduct regular security audits and penetration testing. Establish incident response playbooks specifically for educational technology environments.
Notable developments
Malvertising campaign exploits Google Ads and Claude.ai to deliver macOS malware
Attackers are running a malvertising campaign using Google Ads and Claude.ai shared chats to redirect users searching for Claude downloads to malware installers. The campaign exploits search engine placement and trusted service reputation to compromise macOS systems. This demonstrates how attackers can weaponise legitimate advertising platforms and generative AI interface affordances to distribute malware.
Action: Users should verify download sources and use digital signatures to validate software integrity. Organisations should implement application whitelisting and monitor for suspicious downloads in macOS environments.
German law enforcement dismantles Crimenetwork marketplace reboot
German police shut down a relaunched version of the Crimenetwork darknet marketplace and arrested its administrator after the site had generated €3.6M in revenue. The operation demonstrates sustained law enforcement capability against criminal infrastructure despite repeated takedown and relaunch cycles. Law enforcement continues to be effective against tier-1 darknet marketplaces (the extradition of the Dream Market admin also occurred this week).
Action: This is a positive signal that law enforcement is not solely reactive. Organisations should maintain compliance with financial crime reporting requirements, as law enforcement investigations often rely on financial data to identify and pursue criminal operators.
Turla weaponises Kazuar backdoor as P2P botnet
Russian state-sponsored group Turla has rebuilt its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent command-and-control. This represents a significant operational upgrade that complicates detection and attribution for defenders. The shift from centralised C2 to P2P infrastructure reduces law enforcement's ability to disrupt the botnet through server takedowns.
Action: Monitor for unusual peer-to-peer communication patterns in network traffic. Assume that Turla-infected systems have persistent C2 capability that is resistant to centralised infrastructure takedowns. Implement network segmentation and lateral movement detection to identify compromised hosts.
Tycoon2FA expands device-code phishing capability
The Tycoon2FA phishing kit has added device-code authentication flow attacks to its arsenal and now abuses Trustifi click-tracking URLs to mask malicious redirects. This demonstrates how phishing kits continue to evolve to bypass security controls and abuse legitimate services for obfuscation.
Action: Implement conditional access policies that flag device-code flow authentication from unusual locations. Train users to verify URLs before clicking. Monitor for suspicious use of URL shortening and click-tracking services in phishing campaigns.
Microsoft silent fix to Azure Backup for AKS raises disclosure transparency concerns
A security researcher claims Microsoft quietly patched an Azure Backup for AKS vulnerability without issuing a CVE or acknowledging the original report, whilst Microsoft contests the characterisation. The dispute highlights tensions in coordinated disclosure practices and raises concerns about undisclosed fixes in cloud infrastructure. This pattern—silent patching without CVE assignment—obscures the threat landscape for defenders.
Action: Monitor Azure Backup and AKS release notes closely for security-relevant changes that may not receive CVE assignment. Assume that cloud providers may patch vulnerabilities silently; implement continuous configuration monitoring to detect security-relevant changes to your cloud infrastructure.
DeFi ecosystem continues to demonstrate custody and key management weaknesses
THORChain suffered a $10.7 million theft from one of six vaults, indicating a compromise of their multi-signature custody mechanism. This demonstrates that even established DeFi platforms remain vulnerable to sophisticated attacks targeting key management and vault architecture.
Action: Organisations involved in DeFi should implement hardware-based key storage, geographic distribution of custody infrastructure, and third-party custody verification audits. Users should assume that even tier-1 platforms may suffer compromises and manage exposure accordingly.
Windows Snipping Tool NTLMv2 hash interception
The Snipping Tool can be abused to trigger NTLM authentication flows that leak NTLMv2 hashes to attacker-controlled network locations. This demonstrates how legitimate Windows utilities can be weaponised for credential theft.
Action: Enforce network segmentation to prevent UNC path access from workstations. Implement conditional access policies that flag unusual Kerberos and NTLM authentication patterns. Monitor for suspicious Snipping Tool usage in enterprise environments.
WordPress Funnel Builder plugin actively exploited for payment card theft
Attackers are actively exploiting a critical flaw in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout pages, enabling payment card theft from customer transactions. This represents a direct financial threat to e-commerce platforms using this plugin.
Action: If running Funnel Builder, disable the plugin immediately pending a security patch. Audit all WooCommerce transactions for card theft indicators. Notify customers of the breach and monitor payment card fraud reports.
Pixel 10 0-click exploit chain demonstrates persistent Android attack surface
Google Project Zero published a 0-click exploit chain for Pixel 10 leveraging CVE-2025-54957 (Dolby vulnerability) and bypassing RET PAC mitigations. The attack requires only two exploits to achieve root access from a zero-interaction context, indicating modern Android devices remain vulnerable despite security hardening.
Action: Assume that Android devices will be compromised via 0-click exploits. Implement device management and mobile threat defence solutions. Educate users that even updated devices may be vulnerable to sophisticated exploit chains. Assume that rooted devices have been compromised and revoke access to sensitive systems.
Vulnerability landscape
The week saw 281 new CVEs tracked, with severity distribution skewed toward high-impact vulnerabilities: 221 high-severity, 49 unspecified, and critically, 11 critical-severity vulnerabilities. This represents a higher-than-normal concentration of critical vulnerabilities in a single week.
Top affected vendors include okfn (2), artica (2), and adobe (2), suggesting broad exposure across content management, security infrastructure, and creative software. However, the critical vulnerabilities this week are concentrated in infrastructure layers (Ollama, Exim, NGINX, Mapfish Print, Strapi, VM2, Marten, SiYuan), indicating that attackers are focusing on exploitable vulnerabilities in systems that handle data processing, authentication, and system administration.
The concentration of vulnerabilities in open-source tools (Marten, VM2, Strapi, SiYuan) and widely-deployed infrastructure (Exim, NGINX) suggests that defenders face a complex patching landscape where a single vulnerability can affect thousands of deployments. The public availability of PoCs for critical vulnerabilities (MiniPlasma, NGINX CVE-2026-42945) compresses response windows to hours rather than days.
Recommended actions
- Immediate patching: Prioritise patches for Ollama, Exim, NGINX, and MiniPlasma based on your exposure. Test patches in non-production environments first given the complexity and criticality of these systems.
- Supply-chain audit: Review your npm, PyPI, and GitHub Actions usage for affected packages (node-ipc, TanStack, Checkmarx plugins). Audit your CI/CD pipelines for pull_request_target usage. Implement dependency scanning and vulnerability notification in your build pipelines.
- Authentication hardening: Deploy FIDO2 security keys for high-value accounts. Implement conditional access policies that flag unusual authentication patterns. Enforce phishing-resistant authentication organisation-wide. Assume that vishing and AiTM attacks will succeed against some users; implement detection controls for post-authentication anomalies.
- Cloud infrastructure monitoring: Implement continuous configuration monitoring for cloud environments (Azure, AWS, GCP). Monitor for anomalous cloud account activity including unusual login patterns and API access from unexpected locations. Assume that cloud extortion attacks will target your organisation.
- Incident response planning: Update incident response playbooks to differentiate state-sponsored intrusions from commodity ransomware. Assume that nation-state actors can now operationalise zero-days within days. Implement continuous reconnaissance monitoring to detect early-stage intrusions.
- Network segmentation: Isolate critical systems (Exchange servers, DNS, PKI) from general user networks. Implement microsegmentation for sensitive data access. Monitor for unusual peer-to-peer communication patterns.
- Endpoint detection: Tune EDR solutions to detect privilege escalation attempts, unusual process creation chains, and lateral movement. Deploy application whitelisting on critical systems.
Looking ahead
Monitor for active exploitation of MiniPlasma as PoC availability will drive rapid weaponisation. Expect similar zero-day releases this week as researchers publish additional attack chains.
Watch for downstream supply-chain compromises resulting from TanStack, node-ipc, and GitHub Actions attacks. Assume that compromised packages may have dependencies in your environment that you haven't explicitly audited.
Expect law enforcement action against Nitrogen ransomware group and other active extortion campaigns. Criminal marketplaces continue their cycle of takedown and relaunch; monitor for new marketplace launches targeting Foxconn data.
Anticipate Microsoft patching for MiniPlasma and other Windows vulnerabilities. Assume patches will introduce compatibility issues; test extensively before deployment.
Monitor regulatory pressure on critical infrastructure providers (healthcare, energy, aviation, education) following Congressional testimony from Instructure and other compromised organisations. Assume regulatory guidance will tighten security requirements for government contractors and critical infrastructure operators.
Assume state-sponsored targeting continues across critical infrastructure, particularly energy, aviation, and logistics sectors. Prepare for multi-wave intrusions leveraging AI-augmented reconnaissance and exploitation.