# Weekly Threat Roundup 2026-W20

*When worms met zero-days and chaos followed*

Week 2026-W20, covering 2026-05-11 to 2026-05-17. Published 2026-05-17. Compiled from 80 articles. Permalink: https://threatnoir.com/weekly/2026-w20

## TL;DR

- 🔗 Supply chain attacks hit new heights as TeamPCP weaponizes 400+ npm/PyPI packages with the self-propagating Shai-Hulud worm
- 📱 Zero-day disclosure accelerates as proof-of-concept code for a Windows BitLocker bypass and a privilege escalation flaw is released publicly, without a patch
- 🏭 Critical infrastructure takes major hits with the Foxconn ransomware attack and a pharmaceutical manufacturer breach
- 🛠️ Major vendors rush patches for 200+ vulnerabilities across Microsoft, Adobe, SAP, and Fortinet products
- ⚖️ Regulatory pressure increases with a $12.75M GM settlement and the new CISA CI Fortify initiative
- 🤖 AI security emerges as a frontier with vulnerabilities in OpenClaw, PraisonAI, and Hugging Face tokenizers

## Executive Summary

### The week in one line

Supply chain attacks reached industrial scale while zero-day disclosures accelerated beyond traditional coordination.

### What happened

This week marked a dangerous escalation in both supply chain compromise sophistication and public zero-day disclosure practices. TeamPCP executed a coordinated supply chain attack of unprecedented scale, while a frustrated researcher bypassed coordinated disclosure entirely.

- TeamPCP compromised 400+ npm/PyPI packages with the self-propagating Shai-Hulud worm, targeting TanStack, Mistral AI, and UiPath
- Major manufacturers were hit by ransomware, including Foxconn (8TB stolen) and West Pharmaceutical Services
- A researcher publicly disclosed Windows BitLocker bypass and privilege escalation zero-days, citing frustration with Microsoft's handling
- More than 200 vulnerabilities were patched across Microsoft, SAP, Fortinet, and NGINX products, a number of them critical
- CISA launched the CI Fortify initiative, warning of nation-state threats already pre-positioned in critical infrastructure

### Why it matters for defenders and leaders

The convergence of supply chain weaponization and accelerated zero-day disclosure creates risk at a velocity that a monthly patch-and-review cycle cannot match. Organizations face simultaneous threats from trusted development dependencies and from unpatched system vulnerabilities.

- The poisoned packages were published through hijacked CI/CD identities, so they arrived by the registries' normal publishing path; controls that only confirm the publishing account is the expected one do not catch this
- Public zero-day releases remove the patching window that coordinated disclosure normally provides
- Critical infrastructure faces coordinated pressure from ransomware groups and nation-state pre-positioning
- AI platform vulnerabilities expose new attack surfaces with limited security tooling

### What to do this week

- Audit all npm, PyPI, and RubyGems dependencies for unexpected package updates since May 11
- Apply Microsoft patches immediately, prioritizing Office products and Windows privilege escalation fixes
- Patch NGINX, Cisco SD-WAN, SAP S/4HANA, and Fortinet products with critical vulnerabilities
- Review CI/CD pipeline security and revoke or rotate any exposed credentials or tokens
- Assess critical infrastructure isolation per CISA CI Fortify guidance and test recovery procedures

## Supply Chain & Open Source

**[TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages](https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/)**. TeamPCP compromised 400+ packages across npm and PyPI by hijacking OpenID Connect tokens to gain CI/CD publishing access, targeting TanStack, Mistral AI, UiPath, and OpenSearch with a self-propagating, credential-stealing worm.

**[OpenAI Hit by TanStack Supply Chain Attack](https://www.securityweek.com/openai-hit-by-tanstack-supply-chain-attack/)**. OpenAI disclosed impact from the TanStack compromise: two employee devices were infected, and limited credential material plus code-signing certificates for iOS, macOS, Windows, and Android were exfiltrated from repositories.

**[Hundreds of Malicious Packages Force RubyGems to Suspend Registrations](https://www.securityweek.com/hundreds-of-malicious-packages-force-rubygems-to-suspend-registrations/)**. RubyGems disabled new account registrations after threat actors used bot accounts to publish 500+ malicious packages that targeted RubyGems infrastructure with XSS and data exfiltration attempts.

**[TeamPCP Ups the Game, Releases Shai-Hulud Worm's Source Code](https://www.securityweek.com/teampcp-ups-the-game-releases-shai-hulud-worms-source-code/)**. TeamPCP published the Shai-Hulud source code on GitHub with deployment instructions and launched a "supply chain challenge" offering monetary rewards to criminals who deploy the worm.

### Key Takeaway
Validate SLSA provenance attestations for npm and PyPI packages against the expected source repository and build workflow (presence alone proves little when the attacker holds the pipeline's OIDC token), audit which CI/CD jobs can mint tokens with publish rights, and alert on lockfile changes that unexpectedly alter a package's version, source URL, or integrity hash.

## Ransomware & Breaches

**[Foxconn confirms cyberattack claimed by Nitrogen ransomware gang](https://www.bleepingcomputer.com/news/security/electronics-giant-foxconn-confirms-cyberattack-on-north-american-factories/)**. Foxconn confirmed a Nitrogen ransomware attack on its North American factories; the attackers claim to have stolen 8TB of data, including confidential designs belonging to Apple, Intel, Google, and Nvidia.

**[West Pharmaceutical Services Hit by Disruptive Ransomware Attack](https://www.securityweek.com/west-pharmaceutical-services-hit-by-disruptive-ransomware-attack/)**. Pharmaceutical manufacturer West Pharmaceutical Services suffered a ransomware attack on May 4 that prompted global system shutdowns and involved data exfiltration; the company engaged Unit 42 for incident response.

**[Deal Reached With Hackers to Delete Data Stolen From the Canvas Educational Platform](https://www.securityweek.com/deal-reached-with-hackers-to-delete-data-stolen-from-the-canvas-educational-platform/)**. Instructure reached an agreement with ShinyHunters to delete Canvas data stolen from 9,000 schools and affecting 275 million individuals, receiving digital "shred logs" as confirmation of deletion.

**[BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months](https://www.securityweek.com/bwh-hotels-says-hackers-had-access-to-reservation-data-for-6-months/)**. BWH Hotels disclosed unauthorized access to guest reservation systems from October 2025 through April 2026, exposing names, contact details, and booking information.

### Key Takeaway
Segment manufacturing and OT networks from corporate IT so a ransomware intrusion cannot reach production systems, and verify that offline backups actually restore rather than merely exist.

## Vulnerabilities & Exploits

**[PoC Code Published for Critical NGINX Vulnerability](https://www.securityweek.com/poc-code-published-for-critical-nginx-vulnerability/)**. PoC code is available for CVE-2026-42945, a critical (CVSS 9.2) heap buffer overflow in NGINX's rewrite module (ngx_http_rewrite_module). The confirmed impact is denial of service, with RCE reported as possible; the bug had been present for 16 years before it was patched.

**[Windows BitLocker zero-day gives access to protected drives, PoC released](https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/)**. Researcher Chaotic Eclipse released PoC exploits for two unpatched Windows zero-days, YellowKey (a BitLocker bypass) and GreenPlasma (a CTFMON privilege escalation), citing frustration with Microsoft's handling of the reports.

**[Critical 'Claw Chain' Vulnerabilities Put Thousands of OpenClaw AI Servers at Risk](https://hackread.com/claw-chain-vulnerabilities-openclaw-ai-servers-risk/)**. Four critical vulnerabilities in the OpenClaw autonomous AI platform allow sandbox escape, persistent backdoors, credential theft, and escalation to admin across thousands of internet-exposed servers.

**[Maximum Severity Cisco SD-WAN Bug Exploited in the Wild](https://www.darkreading.com/vulnerabilities-threats/maximum-severity-cisco-sd-wan-bug-exploited)**. A CVSS 10.0 vulnerability in Cisco SD-WAN is being actively exploited, allowing unauthenticated remote code execution.

### Key Takeaway
Patch NGINX, Cisco SD-WAN, and OpenClaw immediately. YellowKey and GreenPlasma have public PoCs and no fix in this month's Patch Tuesday, so monitor for exploitation indicators until a patch ships.

## APT & Nation-State

**[FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit](https://hackread.com/famoussparrow-oil-gas-ms-exchange-server-exploit/)**. China-linked FamousSparrow ran a multi-wave campaign against an Azerbaijani energy company, using ProxyNotShell exploits against Exchange Server to deploy the Deed RAT and Terndoor backdoors.

**[FrostyNeighbor: Fresh mischief and digital shenanigans](https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/)**. Belarus-aligned FrostyNeighbor updated its toolset against Ukrainian government targets, with JavaScript variants of PicassoLoader and weaponized PDFs impersonating telecom companies.

**[Signal adds security warnings for social engineering, phishing attacks](https://www.bleepingcomputer.com/news/security/signal-adds-security-warnings-for-social-engineering-phishing-attacks/)**. Signal introduced new in-app warnings against Russian state-sponsored phishing that abuses the Linked Devices feature to trick high-profile users into granting an attacker access to their account.

### Key Takeaway
Harden Exchange servers against ProxyNotShell and its variants (patch, and hunt for the exploit's request pattern in IIS logs), and review Signal usage policies for high-value targets, including who may link devices.

## Patch Tuesday Roundup

**[Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days](https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday-fixes-120-flaws-no-zero-days/)**. Microsoft addressed 120 vulnerabilities, including 17 critical flaws (14 RCE, 2 privilege escalation, 1 information disclosure), with a notable concentration in Office file-handling bugs.

**[SAP Patches Critical S/4HANA, Commerce Vulnerabilities](https://www.securityweek.com/sap-patches-critical-s-4hana-commerce-vulnerabilities/)**. SAP patched critical code injection flaws in S/4HANA (CVE-2026-34260) and Commerce (CVE-2026-34263), plus an OS command injection in Forecasting & Replenishment.

**[Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator](https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/)**. Two critical vulnerabilities, CVE-2026-44277 in FortiAuthenticator and CVE-2026-26083 in FortiSandbox, allow unauthenticated command execution through improper access control and missing authorization checks.

### Key Takeaway
Prioritize Microsoft Office, SAP enterprise applications, and internet-facing Fortinet appliances in this month's patching cycle.

## Regulatory & Compliance

**[CI Fortify | CISA](https://bit.ly/4eu2Yd6)**. CISA launched the CI Fortify initiative, urging critical infrastructure operators to isolate OT systems and develop comprehensive recovery plans against nation-state threats already pre-positioned in their networks.

**[GM agrees to $12.75M California settlement over sale of drivers' data](https://www.bleepingcomputer.com/news/legal/gm-agrees-to-1275m-california-settlement-over-sale-of-drivers-data/)**. The California Attorney General secured a $12.75M settlement with GM for selling driving data to Verisk Analytics and LexisNexis between 2020 and 2024 without proper consumer notification.

### Key Takeaway
Review data collection and sharing practices for CCPA compliance, and assess critical infrastructure isolation per CISA guidance.

## Top IOCs

| Type | Indicator | Context |
|---|---|---|
| malware | Mini Shai-Hulud | Multi-stage credential-stealer worm targeting the npm and PyPI ecosystems |
| malware | Nitrogen | Ransomware group claiming the Foxconn data theft; emerged in 2023, connected to ALPHV/BlackCat |
| domain | git-tanstack.com | Malicious domain impersonating TanStack, used for credential exfiltration |
| zero-day | GreenPlasma | Windows CTFMON arbitrary section creation EoP; public PoC, unpatched |
| zero-day | YellowKey | BitLocker bypass; public PoC, unpatched |
| cve | CVE-2026-42945 | Heap buffer overflow in NGINX ngx_http_rewrite_module, CVSS 9.2; DoS confirmed, RCE reported |
| cve | CVE-2026-40361 | Microsoft Word use-after-free RCE, CVSS 8.4 |
| cve | CVE-2026-44277 | FortiAuthenticator improper access control allowing unauthenticated RCE |
| cve | CVE-2026-26083 | FortiSandbox missing authorization allowing unauthenticated RCE |
| hash_sha256 | 8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79 | Malicious LNK file inside a RAR archive used in phishing emails |
| ip | 159.198.41.140 | C2 server hosting a decoy PDF and command infrastructure |
| domain | api.masscan.cloud | Shai-Hulud command-and-control used to exfiltrate stolen credentials |
| mitre_attack | T1115 | Clipboard Data (clipboard monitoring for wallet address substitution) |
| mitre_attack | T1005 | Data from Local System (exfiltration of documents, media, emails, code files) |
| mitre_attack | T1486 | Data Encrypted for Impact (ransomware encryption with the .crpx0 extension) |

## References

- https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/
- https://www.securityweek.com/poc-code-published-for-critical-nginx-vulnerability/
- https://www.bleepingcomputer.com/news/security/electronics-giant-foxconn-confirms-cyberattack-on-north-american-factories/
- https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
- https://hackread.com/claw-chain-vulnerabilities-openclaw-ai-servers-risk/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday-fixes-120-flaws-no-zero-days/
- https://bit.ly/4eu2Yd6
- https://www.securityweek.com/teampcp-ups-the-game-releases-shai-hulud-worms-source-code/
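The supply chain takeaway asks teams to alert on lockfile changes that alter a package's version, source, or integrity hash, and the action list asks for an audit of dependency updates since May 11. The following script is an added example written for this roundup, not code from any cited report or from TeamPCP's tooling. It diffs an npm `package-lock.json` (lockfile v2/v3 layout, which is an assumption about the input) against a known-good baseline and flags new packages, version bumps, a tarball that changed under an unchanged version, downloads from a host other than the expected registry, and packages that newly gained an install hook. Both sample lockfiles are constructed; the look-alike host reuses the `git-tanstack.com` indicator from the IOC table.

```python
"""Flag unexpected dependency changes between a baseline lockfile and the
current one.

Added example for this roundup's supply-chain takeaway; not code from any of
the cited reports.  Assumes the npm lockfile v2/v3 layout: a top-level
"packages" map keyed by install path ("node_modules/<name>", nested as
"node_modules/a/node_modules/b"), whose entries carry "version", "resolved",
"integrity" and, for packages with install hooks, "hasInstallScript": true.
Both sample lockfiles below are constructed.
"""
import json
from typing import Dict, List
from urllib.parse import urlsplit

# Registries the project is expected to pull from (assumption for the example).
TRUSTED_HOSTS = {"registry.npmjs.org"}


def _entries(lock: dict) -> Dict[str, dict]:
    """Install path -> lockfile entry, without the root project entry ("")."""
    return {path: entry for path, entry in lock.get("packages", {}).items() if path}


def _name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def _major(version: str) -> str:
    return version.lstrip("v").split(".", 1)[0]


def audit_lockfile_diff(before: dict, after: dict) -> List[dict]:
    """Return findings as {"kind", "name", "detail"} dicts.

    Kinds: new_package, removed_package, version_change, major_bump,
    artifact_swapped (same version, different tarball or integrity),
    untrusted_source (resolved URL not on a trusted registry),
    new_install_script (package gained preinstall/install/postinstall).
    """
    findings: List[dict] = []
    old, new = _entries(before), _entries(after)

    for path, entry in new.items():
        name, version = _name(path), entry.get("version", "")
        resolved = entry.get("resolved", "")
        prev = old.get(path)

        if resolved and urlsplit(resolved).netloc.lower() not in TRUSTED_HOSTS:
            findings.append({"kind": "untrusted_source", "name": name, "detail": resolved})

        if prev is None:
            findings.append({"kind": "new_package", "name": name, "detail": version})
        elif prev.get("version") != version:
            kind = "major_bump" if _major(prev.get("version", "")) != _major(version) else "version_change"
            findings.append({"kind": kind, "name": name, "detail": f"{prev.get('version')} -> {version}"})
        elif (prev.get("integrity"), prev.get("resolved")) != (entry.get("integrity"), resolved):
            # Same version string but a different artifact: the tarball behind a
            # published version changed, which should never happen on a registry
            # with immutable releases.
            findings.append({"kind": "artifact_swapped", "name": name, "detail": version})

        if entry.get("hasInstallScript") and not (prev or {}).get("hasInstallScript"):
            findings.append({"kind": "new_install_script", "name": name, "detail": version})

    for path in old.keys() - new.keys():
        findings.append({"kind": "removed_package", "name": _name(path), "detail": old[path].get("version", "")})

    return findings


# Constructed sample lockfiles, trimmed to the fields the audit reads.
SAMPLE_BEFORE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/@tanstack/react-query": {
            "version": "5.60.0",
            "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.60.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-BBBB"},
    },
})
SAMPLE_AFTER = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/@tanstack/react-query": {
            "version": "5.60.0",  # unchanged version ...
            "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.60.0.tgz",
            "integrity": "sha512-CCCC"},  # ... but a different tarball
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/colorz": {  # new dependency served from a look-alike host
            "version": "1.0.2",
            "resolved": "https://git-tanstack.com/colorz/-/colorz-1.0.2.tgz",
            "integrity": "sha512-DDDD",
            "hasInstallScript": True},
    },
})


def run_example() -> List[dict]:
    return audit_lockfile_diff(json.loads(SAMPLE_BEFORE), json.loads(SAMPLE_AFTER))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['kind']:18} {f['name']:24} {f['detail']}")
```

Run it as a CI step with the baseline taken from the last reviewed commit; `artifact_swapped` and `untrusted_source` are the findings worth blocking a build on, since neither has a benign explanation, while `major_bump` and `new_install_script` are review prompts.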
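The same takeaway, together with "review CI/CD pipeline security" in the action list, asks which jobs can mint OIDC tokens with publish rights. The workflow auditor below is an added example, not code from any cited source: a line-based scan of a GitHub Actions workflow (no YAML library, and it assumes conventional two-space indentation) that reports a workflow-wide `id-token: write` grant, `permissions: write-all`, third-party actions not pinned to a 40-character commit SHA, and a `pull_request_target` workflow that checks out code. The sample workflow is constructed.

```python
"""Static audit of a GitHub Actions workflow for the CI/CD weaknesses the
roundup's supply-chain takeaway asks teams to review: workflow-wide OIDC
token minting, unpinned third-party actions, and pull_request_target
workflows that check out code.

Added example, not code from any cited source.  Line-based scan that assumes
conventional two-space YAML indentation; the sample workflow is constructed.
"""
import re
from typing import List

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
PERMS_RE = re.compile(r"^(\s*)permissions:\s*(.*?)\s*$")
SHA40_RE = re.compile(r"@[0-9a-f]{40}$")
ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*write\b")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def audit_workflow(text: str) -> List[dict]:
    """Return findings as {"kind", "line", "detail"} (line 0 = whole file)."""
    findings: List[dict] = []
    lines = text.splitlines()
    uses_pr_target = checks_out_code = False

    for i, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue

        if re.search(r"\bpull_request_target\b", stripped):
            uses_pr_target = True

        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("actions/checkout"):
                checks_out_code = True
            # Local (./) and docker:// references cannot be SHA-pinned; anything
            # else should reference an immutable 40-hex commit, not a mutable tag.
            if not ref.startswith(("./", "docker://")) and not SHA40_RE.search(ref):
                findings.append({"kind": "unpinned_action", "line": i, "detail": ref})

        m = PERMS_RE.match(line)
        if m:
            indent, inline = len(m.group(1)), m.group(2)
            scope = "workflow" if indent == 0 else "job"
            if inline == "write-all":
                findings.append({"kind": "permissions_write_all", "line": i, "detail": scope})
            # Walk the nested permissions block: lines indented deeper than the key.
            j = i  # 0-based index of the line following 'permissions:'
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > indent):
                if scope == "workflow" and ID_TOKEN_RE.match(lines[j]):
                    findings.append({"kind": "workflow_wide_id_token", "line": j + 1,
                                     "detail": "grant id-token: write only to the publishing job"})
                j += 1

    if uses_pr_target and checks_out_code:
        findings.append({"kind": "pr_target_with_checkout", "line": 0,
                         "detail": "pull_request_target runs with secrets; make sure the PR head "
                                   "is never checked out and executed"})
    return findings


# Constructed sample workflow with one of each weakness.
SAMPLE_WORKFLOW = """\
name: publish
on:
  push:
    tags: ['v*']
  pull_request_target:
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
      - run: npm ci
      - run: npm publish --provenance
"""


def run_example() -> List[dict]:
    return audit_workflow(SAMPLE_WORKFLOW)


if __name__ == "__main__":
    for f in run_example():
        print(f"line {f['line']:>3}  {f['kind']:24} {f['detail']}")
```

A workflow-level `id-token: write` means every job, including ones that run third-party actions, can request an OIDC token that the registry will exchange for publish rights; moving the grant into the single publishing job and pinning every action by commit SHA shrinks the set of code that can ever hold that token.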
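The IOC table lists two domains, an IP address and a SHA-256 hash, and the APT takeaway asks for a ProxyNotShell hunt on Exchange servers. The sweep below is an added example written for this roundup, not tooling from any cited vendor: it runs the table's network and file indicators over plain-text log lines (subdomains of a listed domain count as hits) and, in the same pass, flags requests of the `autodiscover.json ... @ ... PowerShell` shape that ProxyNotShell exploitation produces in IIS logs. The regex follows the request pattern in Microsoft's public URL Rewrite mitigation guidance, which is an assumption on my part rather than something the roundup states; the six log lines are constructed.

```python
"""Sweep log lines for this week's indicators and the ProxyNotShell request
shape.

Added example for this roundup; not code from any cited source.  Indicator
values come from the roundup's IOC table.  The ProxyNotShell regex is taken
from the request pattern in Microsoft's public URL Rewrite mitigation
(an assumption, not something the roundup states).  Log lines are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

IOC_DOMAINS = {"git-tanstack.com", "api.masscan.cloud"}
IOC_IPS = {"159.198.41.140"}
IOC_SHA256 = {"8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79"}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# ProxyNotShell requests hit /autodiscover/autodiscover.json with an "@host"
# component and "PowerShell" in the URI; match case-insensitively.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.I)


def _domain_hit(fqdn: str) -> Optional[str]:
    """Return the listed domain that fqdn equals or is a subdomain of."""
    for ioc in IOC_DOMAINS:
        if fqdn == ioc or fqdn.endswith("." + ioc):
            return ioc
    return None


def sweep(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, matched_indicator) for every hit."""
    hits: List[Tuple[int, str, str]] = []
    for n, raw in enumerate(lines, 1):
        line = raw.lower()  # indicators are stored lower-case
        for fqdn in set(DOMAIN_RE.findall(line)):
            ioc = _domain_hit(fqdn)
            if ioc:
                hits.append((n, "ioc_domain", ioc))
        for ip in set(IP_RE.findall(line)) & IOC_IPS:
            hits.append((n, "ioc_ip", ip))
        for digest in set(SHA256_RE.findall(line)) & IOC_SHA256:
            hits.append((n, "ioc_sha256", digest))
        if PROXYNOTSHELL_RE.search(line):
            hits.append((n, "proxynotshell_request", "autodiscover.json ... @ ... powershell"))
    return hits


# Constructed sample: DNS, proxy and EDR events plus two IIS W3C lines.
SAMPLE_LOG = [
    "2026-05-12T10:14:03Z dns client=10.0.4.21 query=api.masscan.cloud type=A",
    "2026-05-12T10:14:09Z proxy src=10.0.4.21 dst=159.198.41.140:443 host=cdn.git-tanstack.com method=POST",
    r"2026-05-12T10:15:00Z edr host=build-07 event=file_create "
    r"sha256=8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79 path=C:\Users\dev\Downloads\invoice.lnk",
    "2026-05-12 10:16:44 10.0.0.5 POST /autodiscover/autodiscover.json "
    "?@attacker.example/PowerShell&Email=autodiscover/autodiscover.json%3F@attacker.example - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15",
    "2026-05-12T10:17:00Z dns client=10.0.4.22 query=registry.npmjs.org type=A",
    "2026-05-12T10:17:30Z proxy src=10.0.4.23 dst=93.184.216.34:443 host=example.com method=GET",
]


def run_example() -> List[Tuple[int, str, str]]:
    return sweep(SAMPLE_LOG)


if __name__ == "__main__":
    for n, rule, indicator in run_example():
        print(f"line {n}: {rule:22} {indicator}")
```

Feed it `zcat`-style line streams rather than whole files; the per-line design means it works equally on DNS resolver logs, proxy logs and IIS W3C logs without a parser per format, at the cost of matching on any domain-shaped token (so a filename such as `invoice.lnk` is extracted but, not being listed, never produces a hit).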