⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Ravie LakshmananMay 18, 2026Cybersecurity / Hacking

Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.

The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.

Patch the quiet risks first. Let’s get into it.

⚡ Threat of the Week

On-Prem Microsoft Exchange Server Exploited in the Wild—Microsoft disclosed a security vulnerability impacting on-premises versions of Exchange Server, which has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. Microsoft is providing a temporary mitigation through its Exchange Emergency Mitigation Service while it readies a permanent fix for the security defect. There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts. It’s also unclear who the targets are and if any of those attacks were successful.

🔔 Top News

  • Cisco Catalyst SD-WAN Controller Flaw Under Attack—The exploitation of CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller, has been attributed to a sophisticated threat actor tracked as UAT-8616. “8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.” UAT-8616 is the same threat actor that was behind the weaponization of CVE-2026-20127 earlier this year to gain unauthorized access to SD-WAN systems. Cisco isn’t the only security vendor facing a barrage of attacks on its customers, but it is among the most heavily targeted, along with Fortinet and Ivanti. “For nation-state operators, a bug like this (as seen with the actively exploited CVE-2026-20127) is ideal for pre-positioning,” Rapid7 said. “They are usually not looking for a smash and grab. They want persistence. They want access that blends in. They want to sit in the right place long enough to observe, influence, and pivot when the time is right. An SD-WAN controller is a great place to do that, because it lives in the middle of trust relationships most organizations rarely question.”
  • Blast Radius of TeamPCP Attacks Expands—A new wave of the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages as part of a broader supply chain attack worming through developer ecosystems, including packages tied to UiPath, Mistral AI, OpenSearch and PyPI. The activity has been attributed to TeamPCP, which has orchestrated a series of high-profile supply chain attacks targeting popular open-source projects in recent months. The goal is the same across all attack campaigns — use poisoned, open-source software to deploy stealer malware and harvest user credentials, API keys, SSH keys, and other secrets. TeamPCP is said to be weaponizing credentials and secrets obtained in the supply chain attacks to access organizations’ cloud infrastructure, and to be acting as an initial access broker for follow-on attacks like ransomware by teaming up with other cybercrime groups. In some waves, the attackers used the Trufflehog scanner to validate those credentials. The escalating attacks show that TeamPCP prioritizes speed rather than subtlety and stealth. Supply chain attacks have become an increasingly serious concern because of the sheer scale at which trusted dependencies are reused. A single poisoned package can rapidly propagate into thousands of downstream applications, enterprise environments, and production systems. The development coincided with the compromise of the node-ipc package to distribute stealer malware. It’s currently not known who is behind the attack. Since the library is a dependency for hundreds of other packages, which in turn could be dependencies for even more packages, the attack could have cascading consequences.
  • Apple and Google Roll Out Cross-Platform E2EE for RCS Messages—End-to-end encrypted (E2EE) Rich Communication Services (RCS) messaging is being rolled out in beta between iPhone and Android devices, closing one of the biggest interoperability gaps in mainstream mobile messaging. The feature is available to iPhone users on iOS 26.5 with supported carriers and to Android users on the latest version of Google Messages. Encrypted conversations are marked with a padlock icon in the chat interface. The wider rollout to iPadOS, macOS, and watchOS will follow in future software updates, Apple said. 
  • Instructure Reaches Ransom Agreement with ShinyHunters—Instructure, the developer of school information portal Canvas, said it struck a deal with the ShinyHunters group, which breached its systems, stole a massive amount of data, and disrupted thousands of schools that rely on the company’s software. The company did not say what it had given the threat actors in exchange for the destruction of the data, but it’s fair to say it likely made the controversial decision to make a ransom payment. The company said it also received “digital confirmation” that the hackers destroyed any remaining copies in the form of “shred logs.” In addition, the agreement included the return of the stolen data, assurances that affected customers would not be extorted, and a commitment that individual institutions would not need to engage with the threat actor. While it remains to be seen if the threat actors will keep their side of the bargain, it’s worth highlighting a key problem with paying a ransom: once attackers have a victim’s data, there is no guarantee it was not copied or shared with others. As of May 12, the listing for Instructure has been removed from the ShinyHunters’ data leak site. The group said: “The data is deleted, gone. The company and it’s [sic] customers will not further be targeted or contacted for payment by us.”
  • Fake Hugging Face Repository Delivers Stealer Malware—A malicious Hugging Face repository managed to take a spot in the platform’s trending list by impersonating OpenAI’s Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart, released by OpenAI late last month (openai/privacy-filter), including copying the entire description verbatim to trick unsuspecting users into downloading it. The description accompanying the fake model diverged from the legitimate project in one aspect: instructing users to run start.bat on Windows or execute python loader.py on Linux and macOS to deploy the stealer. Access to the malicious model has since been disabled by Hugging Face. The incident highlights how public AI model registries are emerging as a new software supply chain risk for enterprises, emphasizing why AI model supply chain security needs the same level of rigor as software supply chain security. It’s essential to verify publisher identity, check model card provenance, and scan for unexpected binary downloads.
  • OpenAI Announces Daybreak—OpenAI announced Daybreak, a new initiative based on its frontier large language models (LLMs) and its artificial intelligence (AI)-powered coding assistant, Codex, to help developers secure their software from the ground up. Like Anthropic’s Mythos and Project Glasswing, the initiative makes it possible to scan a codebase to identify flaws and fix them, triage vulnerability backlog and prioritize fixes by severity, impact, or exploitability, and automate vulnerability detection, validation and response. In a related development, Microsoft detailed its own AI-assisted vulnerability discovery system called MDASH, which orchestrates more than 100 specialized AI agents across multiple frontiers and distilled AI models to find vulnerabilities in the tech giant’s own codebases. MDASH is designed to run a structured pipeline that goes through distinct stages: preparation, scanning, validation, deduplication, and proof construction. The emergence of Daybreak and MDASH comes amid a spike in vulnerability discovery, mainly fueled by the use of AI tools. Five months into 2026, Microsoft has already patched more than 500 vulnerabilities in its software, a rate that could see the company break its own annual record for the highest number of security fixes in a year. The U.K. National Cyber Security Centre (NCSC) has also warned organizations that they should prepare for a surge of software updates driven by AI-assisted vulnerability discovery. At this stage, access to these advanced tools is tightly controlled. OpenAI has framed the access controls as a response to the dual-use nature of the underlying technology. The same AI capabilities that allow defenders to identify vulnerabilities and accelerate remediation could be misused by bad actors. Per Google, hacking groups are already using AI models to boost the speed, scale, and sophistication of their attacks, as well as perform reconnaissance and build better malware.
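The three checks named in the fake Hugging Face repository item above (publisher identity, model card provenance, unexpected binaries) can be run before anything is downloaded. The sketch below is an added example, not code from the recap or from Hugging Face; the allowlist, the file listings other than start.bat and loader.py, and the model card wording are constructed for illustration.

```python
import re

# Assumption: an internal allowlist of publisher namespaces the organisation trusts.
TRUSTED_PUBLISHERS = {"openai"}
# Model names with a known legitimate publisher (openai/privacy-filter, per the recap).
KNOWN_MODELS = {"privacy-filter": "openai"}
# File types with no place in a weights-only model repository.
EXECUTABLE_SUFFIXES = (".bat", ".cmd", ".ps1", ".exe", ".dll", ".scr", ".vbs", ".sh")
# Model-card wording that asks the reader to execute a file shipped in the repo.
RUN_INSTRUCTION = re.compile(
    r"\b(?:run|execute|launch)\s+(?:python\s+)?([\w./-]+\.(?:bat|cmd|ps1|exe|sh|py))\b",
    re.IGNORECASE,
)

def audit_model_repo(repo_id, files, model_card):
    """Return a list of findings for one model repository; empty means no flags."""
    findings = []
    publisher, _, name = repo_id.partition("/")
    expected = KNOWN_MODELS.get(name.lower())
    if expected and publisher.lower() != expected:
        # Same model name under a different namespace: the impersonation case.
        findings.append(f"impersonation: '{name}' belongs to '{expected}', not '{publisher}'")
    elif publisher.lower() not in TRUSTED_PUBLISHERS:
        findings.append(f"untrusted-publisher: '{publisher}' is not on the allowlist")
    for path in files:
        if path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"executable-file: {path}")
    for match in RUN_INSTRUCTION.finditer(model_card):
        findings.append(f"run-instruction: model card says to run {match.group(1)}")
    return findings

# Constructed sample inputs modelled on the incident described in the recap.
FAKE = dict(
    repo_id="Open-OSS/privacy-filter",
    files=["README.md", "config.json", "model.safetensors", "start.bat", "loader.py"],
    model_card="On Windows, run start.bat. On Linux and macOS, execute python loader.py.",
)
LEGIT = dict(
    repo_id="openai/privacy-filter",
    files=["README.md", "config.json", "model.safetensors", "tokenizer.json"],
    model_card="Load the weights with your usual inference library.",
)

if __name__ == "__main__":
    for repo in (FAKE, LEGIT):
        print(repo["repo_id"], audit_model_repo(**repo) or "no findings")
```

Python files are common in model repositories, so loader.py is flagged only because the model card instructs the reader to execute it, not by extension alone.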

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-42945 (NGINX Plus and NGINX Open), CVE-2026-44112 (OpenClaw), CVE-2026-42897 (Microsoft Exchange Server), CVE-2026-41096 (Microsoft Windows DNS), CVE-2026-42826 (Microsoft Azure DevOps), CVE-2026-20182 (Cisco Catalyst SD-WAN Controller), CVE-2026-44338 (PraisonAI), CVE-2026-46300, CVE-2026-46333 (Linux Kernel), CVE-2026-45185 (Exim), CVE-2026-8043 (Ivanti Xtraction), CVE-2026-44277 (Fortinet FortiAuthenticator), CVE-2026-26083 (Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS), CVE-2026-34260, CVE-2026-34263 (SAP), CVE-2026-42231, CVE-2026-42232, CVE-2026-44791, CVE-2026-44789, CVE-2026-44790, CVE-2026-42236, CVE-2026-42230 (n8n), CVE-2026-6815 (Casdoor), CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, CVE-2026-5172 (dnsmasq), CVE-2026-6787, CVE-2026-6788 (WatchGuard Agent on Windows), CVE-2026-23479, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589 (Redis), CVE-2026-41002, CVE-2026-40982, CVE-2026-40981, CVE-2026-41713, CVE-2026-41712, CVE-2026-41705 (Spring), CVE-2026-6722 (PHP ext-soap), CVE-2026-43824 (Argo CD), CVE-2026-27174 (MajorDoMo), CVE-2026-25254, CVE-2026-25293 (Qualcomm), CVE-2026-28819, CVE-2026-43668, CVE-2026-28972 (Apple macOS), CVE-2026-44413 (JetBrains TeamCity), CVE-2026-42010, CVE-2026-33845, CVE-2026-42009, CVE-2026-33846, CVE-2026-1584 (GnuTLS), CVE-2026-30905, CVE-2026-30906 (Zoom), CVE-2026-4782, CVE-2026-4798 (Avada Builder plugin), CVE-2026-43898 (SandboxJS), CVE-2026-8509, CVE-2026-8510 (Google Chrome), CVE-2026-44578 (Next.js), CVE-2025-14177 (PHP), CVE-2026-33439 (OpenAM), CVE-2025-66335 (Apache Doris MCP), an authentication validation bypass in Apache Pinot MCP, and an information disclosure flaw in Alibaba RDS MCP.

🎥 Cybersecurity Webinars

  • AppSec Tools Blind to Lethal Chains: Code → Pipeline → Cloud Attacks: Your AppSec tools are drowning in alerts but completely blind to how real attackers breach you. Modern threats don’t exploit single bugs — they chain tiny weaknesses across code, pipelines, and cloud into lethal attack paths. Join the webinar to discover the 3 deadliest cross-lifecycle patterns from Wiz experts (ex-Okta/GitLab) and learn how to map & stop them.
  • AI is making DDoS attacks dangerously intelligent. Are you ready? AI is turning DDoS attacks into smart, adaptive weapons that scan weaknesses in real-time, mimic legit traffic, and dodge traditional defenses. With a 358% surge in incidents, it’s time to upgrade your strategy. Join the webinar to learn the latest tactics and how to defend effectively.

📰 Around the Cyber World

  • Flaw in Apple’s Memory Integrity Enforcement —Calif said it discovered a new way of circumventing Apple’s Memory Integrity Enforcement (MIE), a new hardware-assisted memory safety system, and achieved privilege escalation. The discovery was made possible while testing an early version of Anthropic’s Mythos Preview in April. “It’s the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE,” Calif said. “The exploit is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (25E253). It starts from an unprivileged local user, uses only normal system calls, and ends with a root shell. The implementation path involves two vulnerabilities and several techniques, targeting bare-metal M5 hardware with kernel MIE enabled.” Additional details are currently withheld to give Apple time to address the issues.
  • Mustang Panda Delivers Updated FDMTP Tool —A new campaign consistent with tradecraft associated with Mustang Panda has been observed targeting the Asia-Pacific and Japan (APJ) region to deliver an updated version of FDMTP using DLL side-loading. The malware is designed to connect to an external server and receive commands from the remote server, profile compromised hosts, and load additional plugins to handle scheduled tasks, manage Windows Registry persistence, or retrieve files or commands. The activity has been spotted since September 2025.
  • New Flaw in Burst Statistics Plugin Exploited —Threat actors are exploiting a critical flaw in the Burst Statistics WordPress plugin (CVE-2026-8181, CVSS score: 9.8), which “allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header,” per Wordfence. An attacker could exploit this flaw to create a new administrator-level account with no prior authentication and seize control of the site. The plugin has over 200,000 installations. Wordfence said it has blocked thousands of attacks targeting this vulnerability.
  • CISA and Others Release Guidance to Strengthen AI Supply Chain —Multiple government cyber agencies issued a joint guidance to help public and private sector stakeholders improve transparency in their AI systems and supply chains. “A software bill of materials (SBOM) acts as an ‘ingredients list’ for software that better positions organizations to understand their supply chains and make risk-informed decisions about how to protect their critical systems,” the agencies said. “Because AI systems are software systems, these recommendations should be considered in addition to the general minimum elements for an SBOM.”
  • Stealer Malware Continues to Evolve —Cybersecurity researchers disclosed details of various new and emerging information stealers like Salat, Gremlin, and Reaper, the last of which is a new SHub macOS stealer variant that spoofs Apple, Google, and Microsoft across a multi-stage attack chain to steal credentials, exfiltrate business files, and establish persistent backdoor access. According to a report published by Flare.io last week, one in four infostealer victims has active access to corporate infrastructure: VPN credentials, SaaS sessions, cloud platforms. “One in six gaming-related infections involves a user with corporate infrastructure access,” it said. “16% of victims infected through gaming lures also held active credentials for VPNs, SaaS platforms, or cloud environments, creating a direct pipeline from personal device use to enterprise compromise.”
  • Flaws in myAudi Platform —Multiple security flaws have been discovered in the myAudi connected car platform, allowing anyone with knowledge of a vehicle’s VIN to add it to their account as a guest and access sensitive data. The leaked information included the embedded SIM’s IMEI and ICCID identifiers, the GPS location of the primary owner when they triggered a “honk & flash” command, and vehicle lock status. One of the identified issues has been fixed by Audi and CARIAD. 

🔧 Cybersecurity Tools

  • Rustinel → It is an open-source endpoint detection tool for Windows and Linux. It collects system activity using ETW on Windows and eBPF on Linux, checks events against Sigma rules, YARA rules, and IOCs, and writes alerts in ECS NDJSON format for use in SIEM or log pipelines. It is built for blue teams, detection engineers, researchers, and testing environments, not as a full replacement for commercial EDR.
  • Giskard → It is an open-source Python tool for testing and evaluating LLM agents and AI systems. It helps developers check whether an AI app behaves correctly, stays grounded in context, follows safety rules, and handles multi-turn conversations reliably. Its current version focuses on lightweight evaluation workflows, while related scanning and RAG evaluation features are still being developed or are available in older versions.
  • VanGuard → It is a cross-platform incident response toolkit for Windows and Linux that lets security teams collect evidence, run triage, perform threat hunting, capture memory, gather disk artifacts, manage Velociraptor workflows, and generate reports from a single portable binary without installation. It includes 28 pre-built investigation workflows, supports offline use, and tracks evidence with hashing, chain of custody, and audit logging.

Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion

The message is simple: trust less, check more. Bad packages, fake pages, weak plugins, leaked keys, and old bugs all lead to the same place.

Patch first. Rotate keys. Review what you run in prod. That’s the work. That’s the recap.
