Joshua Marpet
- Cisco Catalyst SD-WAN Controller — CVSS 10.0 Auth Bypass Under Active Exploitation
A max-severity authentication bypass (CVE-2026-20182) lets unauthenticated attackers gain admin on Cisco Catalyst SD-WAN Controllers. CISA added it to the KEV catalog this week. Patch now — exploitation is in the wild.
- Canvas/Instructure Breach — 275M Students and Faculty Exposed
ShinyHunters defaced the Canvas LMS login page with a ransom demand, claiming 275M records across roughly 9,000 schools and universities. Instructure took the platform offline mid-semester, disrupting finals nationwide.
- Microsoft Exchange On-Prem CVE-2026-42897 — Mass-Exploited XSS via Email
An XSS flaw in on-prem Exchange is being weaponized by simply sending crafted email; arbitrary JavaScript executes inside Outlook Web Access for any recipient who opens the message. On-prem Exchange admins should patch immediately and audit OWA sessions.
- Windows Zero-Days “YellowKey” and “GreenPlasma” — BitLocker Bypass + LPE
An anonymous researcher dropped two unpatched Windows zero-days: YellowKey bypasses BitLocker via the Recovery Environment (effectively a backdoor on encrypted drives), and GreenPlasma escalates privileges through CTFMON. No fix in this month's Patch Tuesday.
- TanStack Supply-Chain Compromise Hits OpenAI Devices (“Mini Shai-Hulud”)
Two OpenAI employee laptops were compromised through a malicious TanStack package update — the latest in the Shai-Hulud-family npm attacks. Limited internal credentials were exposed; no production systems or user data were touched. Reinforces that dev workstations are now front-line targets.
- node-ipc Backdoor Returns — 3 Malicious Versions Stealing 90 Categories of Secrets
Three poisoned versions of the popular npm package node-ipc contain obfuscated stealer/backdoor code that fingerprints hosts, walks the filesystem, and exfiltrates developer tokens, cloud keys, and browser data across 90 secret categories. Pin versions and audit lockfiles.
- Microsoft Patch Tuesday May 2026 — 118 CVEs, 16 Critical, Zero Emergency 0-Days
Microsoft shipped fixes for 118 vulnerabilities including 16 critical, and for the first time in nearly two years issued no out-of-band emergency zero-day patches. Krebs notes AI-assisted vulnerability discovery is now flagging issues across vendors at scale.
- PraisonAI CVE-2026-44338 — Auth Bypass Weaponized in 4 Hours
A missing-authentication flaw in the PraisonAI agent framework drew exploitation attempts within four hours of public disclosure, giving attackers unauthenticated access to protected API endpoints. Time-to-exploit on AI infrastructure is now effectively zero.
- Shai-Hulud Offensive Framework Source Code Leaked on GitHub
TeamPCP's full offensive framework — the same code family behind a wave of npm supply-chain compromises — was briefly published on GitHub before takedown, and a code-teardown is now circulating. Defenders gain rare visibility into TTPs, but proliferation risk to copycats is high.
- GPT-5.5 Matches Anthropic’s “Mythos” at Finding Vulnerabilities — UK AISI
The UK AI Security Institute concluded that publicly available GPT-5.5, and even smaller open models, match a frontier closed model on vulnerability discovery benchmarks. Schneier's takeaway: the offense-defense gap is no longer gated by access to a single lab's top model — the implications run from code into tax law and any rule-bound system.