Supply Chain | May 18, 2026

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Weekly security recap covers Exchange 0-day, npm worm, Cisco SD-WAN exploit, and AI repo stealer.

Summary

Microsoft Exchange Server faces active exploitation of CVE-2026-42897, a cross-site scripting spoofing vulnerability (CVSS 8.1). Cisco's SD-WAN Controller is under attack from threat actor UAT-8616 exploiting CVE-2026-20182 for unauthorized access and persistence. TeamPCP's Mini Shai-Hulud campaign has compromised dozens of npm packages including UiPath, Mistral AI, and OpenSearch dependencies to deploy stealer malware targeting credentials and API keys.

Full text

Ravie Lakshmanan | May 18, 2026 | Cybersecurity / Hacking

Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.

The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident.

AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off. Patch the quiet risks first. Let’s get into it.

⚡ Threat of the Week

On-Prem Microsoft Exchange Server Exploited in the Wild—Microsoft disclosed a security vulnerability impacting on-premise versions of Exchange Server, which has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. Microsoft is providing a temporary mitigation through its Exchange Emergency Mitigation Service, while it's readying a permanent fix for the security defect. There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts. It's also unclear who the targets are and if any of those attacks were successful.
🔔 Top News

Cisco Catalyst SD-WAN Controller Flaw Under Attack—A sophisticated threat actor tracked as UAT-8616 has been attributed to the exploitation of CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller. "8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor," Cisco Talos said. "UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges." UAT-8616 is the same threat actor that was behind the weaponization of CVE-2026-20127 earlier this year to gain unauthorized access to SD-WAN systems. Cisco isn't the only security vendor facing a barrage of attacks on its customers, but it is among the most heavily targeted, along with Fortinet and Ivanti.

"For nation-state operators, a bug like this (as seen with the actively exploited CVE-2026-20127) is ideal for pre-positioning," Rapid7 said. "They are usually not looking for a smash and grab. They want persistence. They want access that blends in. They want to sit in the right place long enough to observe, influence, and pivot when the time is right. An SD-WAN controller is a great place to do that, because it lives in the middle of trust relationships most organizations rarely question."

Blast Radius of TeamPCP Attacks Expands—A new wave of the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages as part of a broader supply chain attack worming through developer ecosystems, including packages tied to UiPath, Mistral AI, OpenSearch and PyPI. The activity has been attributed to TeamPCP, which has orchestrated a series of high-profile supply chain attacks targeting popular open-source projects in recent months. The goal is the same across all attack campaigns — use poisoned, open-source software to deploy stealer malware and harvest user credentials, API keys, SSH keys, and other secrets.
TeamPCP is said to be weaponizing credentials and secrets obtained in the supply chain attacks to access organizations' cloud infrastructure, not to mention turn into an initial access broker for follow-on attacks like ransomware by teaming up with other cybercrime groups. In some waves, the attackers used the Trufflehog scanner to validate those credentials. The escalating attacks show that TeamPCP prioritizes speed rather than subtlety and stealth. Supply chain attacks have become an increasingly serious concern because of the sheer scale at which trusted dependencies are reused. A single poisoned package can rapidly propagate into thousands of downstream applications, enterprise environments, and production systems.

The development coincided with the compromise of the node-ipc package to distribute a stealer malware. It's currently not known who is behind the attack. Since the library is a dependency for hundreds of other packages, which in turn could be dependencies for even more packages, the attack could have cascading consequences.

Apple and Google Roll Out Cross-Platform E2EE for RCS Messages—End-to-end encrypted (E2EE) Rich Communication Services (RCS) messaging is being rolled out in beta between iPhone and Android devices, closing one of the biggest interoperability gaps in mainstream mobile messaging. The feature is available to iPhone users on iOS 26.5 with supported carriers and to Android users on the latest version of Google Messages. Encrypted conversations are marked with a padlock icon in the chat interface. The wider rollout to iPadOS, macOS, and watchOS will follow in future software updates, Apple said.

Instructure Reaches Ransom Agreement with ShinyHunters—Instructure, the developer of school information portal Canvas, said it struck a deal with the ShinyHunters group, which breached its systems, stole a massive amount of data, and disrupted thousands of schools that rely on the company's software.
The company did not say what it had given the threat actors in exchange for the destruction of the data, but it's fair to say it likely made the controversial decision to make a ransom payment. The company said it also received "digital confirmation" that the hackers destroyed any remaining copies in the form of "shred logs." In addition, the agreement included the return of the stolen data, assurances that affected customers would not be extorted, and a commitment that individual institutions would not need to engage with the threat actor.

While it remains to be seen if the threat actors will keep their side of the bargain, it's worth highlighting a key problem with paying a ransom: once attackers have a victim's data, there is no guarantee it was not copied or shared with others. As of May 12, the listing for Instructure has been removed from the ShinyHunters' data leak site. The group said: "The data is deleted, gone. The company and it's [sic] customers will not further be targeted or contacted for payment by us."

Fake Hugging Face Repository Delivers Stealer Malware—A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart, released by OpenAI late last month (openai/privacy-filter), including copying the entire description verbatim to trick unsuspecting users into downloading it. The description accompanying the fake model diverged from the legitimate project in one aspect: instructing users to run start.bat on Windows or execute python loader.py on Linux and macOS to deploy the stealer. Access to the malicious model has since been disabled by Hugging Face.
The incident highlights how public AI model registries are emerging as a new software supply chain risk for enterprises, emphasizing why AI model supply chain security needs the same level of rigor as software supply chain security. It's essential to verify publisher identity, check model card provenance, and scan for u

Indicators of Compromise

  • cve — CVE-2026-42897
  • cve — CVE-2026-20182
  • cve — CVE-2026-20127
  • malware — Mini Shai-Hulud
  • malware — stealer

Entities

  • Microsoft (vendor)
  • Exchange Server (product)
  • Cisco (vendor)
  • Catalyst SD-WAN Controller (product)
  • UAT-8616 (threat_actor)
  • TeamPCP (threat_actor)