Six days ago I wrote that three critical exploits dropping inside the same 72 hour window felt like the start of something rather than a fluke. The week that followed has taken that warning and walked it into the wall. Since the previous post went live, my read-it-later pile has filled with more than a dozen named incidents, two new Windows 0-days, an Apple Tuesday that addressed roughly 130 CVEs across phone and Mac, the highest-publicity supply chain wave yet from the TeamPCP crew, and a federal indictment of a sitting California mayor as an alleged agent of the People’s Republic of China.
At a glance
| Item | Severity | Date | Action |
|---|---|---|---|
| YellowKey | critical | May 12 | Mitigations only, no patch |
| GreenPlasma | critical | May 12 | App-control + EDR tuning |
| Dirty Frag | critical | May 7 | Reboot onto patched kernel |
| Mini Shai-Hulud wave | critical | May 11 | Audit lockfiles, rotate tokens |
| Canvas LMS | high | May 7 | Rotate creds for school clients |
| PAN-OS CVE-2026-0300 | high | May 6 | Patch within 24 hours |
| Apple 26.5 | high | May 11 | Patch this week |
| Next.js, 13 advisories | high | May 6 | Upgrade to 15.x or 16.x |
| CVE-2026-32202 | medium | Apr 29 | Patch + monitor for APT28 |
| Google AI 2FA bypass | awareness | May 11 | No action, monitor space |
| Arcadia mayor + Forza leak | awareness | May 11 | Context for client conversations |
One observation worth front-loading: the bulk of these items landed in roughly 48 hours on May 11 and 12, and that density is the actual story. Apple’s mega-Tuesday, the TeamPCP supply chain wave, the Shai-Hulud toolkit going public, Google’s AI-built-zero-day confirmation, the Arcadia indictment, the Forza leak, and the Nightmare-Eclipse 0-day drop all happened inside that window. The cadence change is the headline, not any single item.
YellowKey
criticalDisclosed: May 12, 2026 by the Nightmare-Eclipse researcher persona, dropped to public GitHub without coordinated disclosure
Asset class: BitLocker at-rest disk encryption on Windows 11 and Server 2022/2025; Windows 10 reportedly unaffected
Action: Boot order lockdown, USB port controls, pre-boot authentication with TPM+PIN, tamper-evident seals on regulated-data devices
Full BitLocker bypass via a USB stick and a specific key combination at reboot. The researcher described the bug as “almost feeling like a deliberate backdoor”, which is the kind of language that lands hard when the asset class is the at-rest encryption you sell to clients with regulated data. No patch and no Microsoft advisory at time of writing; the mitigations available are physical. The previous warning from this researcher did pan out, so I would not dismiss the framing as theatre.
GreenPlasma
criticalDisclosed: May 12, 2026, same drop as YellowKey
Asset class: Local privilege escalation to SYSTEM on Windows via CTFMON service abuse
Action: Tighten what local users can execute; audit normal-user desktops with admin tooling; EDR rules on SYSTEM creating section objects in unusual directories
A low-privileged process can manipulate an arbitrary memory section object created by CTFMON inside a SYSTEM-writable directory to escalate. No patch, no CVE, public PoC. The companion piece to YellowKey from the same researcher: where YellowKey breaks the encryption boundary, GreenPlasma breaks the privilege boundary inside the OS.
Dirty Frag
criticalDisclosed: May 7, 2026 by Microsoft, Wiz, and Elastic Security Labs in coordinated research
CVEs: CVE-2026-43284 (esp4/esp6 IPsec) and CVE-2026-43500 (rxrpc subsystem)
Action: Reboot Linux hosts onto post-May-7 stable kernels; assume any unrebooted host is locally rootable
A pair of Linux kernel logic bugs that yield local root from any unprivileged user through page-cache and memory-fragment corruption primitives. Microsoft’s writeup explicitly notes active post-compromise exploitation. The community is calling it Copy Fail 2 because the patch lineage rhymes with the original Copy Fail, but the canonical name is Dirty Frag, and the two unrelated kernel subsystems landing the same “no race, no payload, deterministic write” shape eight days apart says something uncomfortable about how much latent debt is still sitting in the long tail of clever-but-undertested kernel optimisations.
Mini Shai-Hulud wave
criticalDisclosed: May 11, 2026, between 19:20 and 19:26 UTC
Scope: ~172 unique packages and 400+ malicious versions across npm and PyPI, with cumulative weekly downloads of around 518 million
Headliners: @tanstack/* (84 versions across 42 packages, including @tanstack/react-router at 12.7M weekly downloads), @mistralai/mistralai on npm, mistralai 2.4.6 on PyPI
Action: Audit npm and PyPI lockfiles for anything resolved during the window; rotate npm tokens, GitHub PATs, OIDC-scoped cloud credentials; reimage rather than clean
The same TeamPCP threat actor we wrote about for the LiteLLM compromise in March pushed the largest publicly catalogued supply chain wave on record into a six-minute publish window. What is genuinely new is the entry technique: a chained GitHub Actions pull_request_target “Pwn Request” with actions/cache poisoning and OIDC token theft from runner memory. The TanStack packages even shipped with valid SLSA provenance, because the legitimate release pipeline was hijacked mid-workflow. The TanStack compromise carries CVE-2026-45321, scored 9.6.
Bundled with the same wave, the operators pushed a public GitHub repository titled “Shai-Hulud: Here We Go Again. Let the Carnage Continue. A Gift From TeamPCP”, containing what JFrog and others have analysed as the full worm-and-stealer source code with instructions to swap keys and command-and-control. The toolkit just went from being one crew’s signature to being something any motivated low-skill operator can deploy with a few edits. That is a meaningful change to the ambient supply chain risk profile, and not in our favour.
Canvas LMS
highDisclosed: Initial intrusion April 30, defacement May 7, Instructure paid ransom and announced data destruction on May 11
Scope: ~8,800 institutions globally; largest education-sector breach on record per Inside Higher Ed
Action: For MSPs serving schools, treat any client whose users authenticated through Canvas in the window as a credential-exposure event
ShinyHunters exploited Instructure’s Free-For-Teacher account program (no institutional verification required) to land inside the Canvas environment. Initial data theft happened May 1 to 2, and on May 7 the attackers replaced school login pages with a ransom note. Instructure has confirmed it paid the ransom; the announcement on May 11 said the stolen data was destroyed, a claim that historically has a poor track record but is the only one on offer. The US Department of Education has issued its own advisory through Federal Student Aid Partners.
PAN-OS CVE-2026-0300
highDisclosed: ~May 6, 2026; patches rolled from May 13; on CISA KEV
Severity: 9.3 unauthenticated buffer overflow in the User-ID Authentication Portal (captive portal) on PA-Series and VM-Series
Action: 24-hour patch window if captive portal is internet-facing
Successful exploitation gives remote code execution as root. Limited in-the-wild exploitation has been reported. If your client’s edge firewalls have captive portal exposed to the internet (which they should not, but they do), this is a same-day patch window.
Apple 26.5
highDisclosed: May 11, 2026
Scope: macOS Tahoe 26.5 (79 CVEs with backports), iOS 26.5 (~50 CVEs); ~130 CVEs across the trains
Action: Patch this week; budget for client communications about iPhone and Mac restarts
Notable items include kernel arbitrary code via Wi-Fi, remote kernel memory corruption in mDNSResponder, a sandbox escape on iOS, and a kernel use-after-free that leaks memory. The headline is the count more than any individual bug: a single Tuesday’s release from one vendor is now larger than what some platform vendors used to ship in a year.
Next.js, 13 advisories
highDisclosed: ~May 6, 2026, coordinated batch from Vercel
Scope: DoS, middleware and proxy bypass, SSRF, cache poisoning, XSS, plus upstream RSC DoS (CVE-2026-23870)
Action: Upgrade to Next.js 15.x or 16.x; no backport patches for 13.x or 14.x; inherit CDN-side mitigations if on Cloudflare or Netlify
If you forked or vendored Next.js, walk the diff. Cloudflare Pages with OpenNext should already have inherited the platform-side mitigations.
CVE-2026-32202
mediumDisclosed: April 29, 2026; CISA KEV with May 12 federal remediation deadline
Lineage: Incomplete patch for CVE-2026-21510, the Windows Shell SmartScreen bypass APT28 was chaining with the MSHTML bypass CVE-2026-21513 earlier in the year
Action: Patch on the priority schedule the original APT28 chain warranted, not the schedule a mid-7 info-disclosure normally earns
Microsoft and CISA have not formally re-attributed CVE-2026-32202 to APT28, but Akamai and others have publicly drawn the lineage. The honest framing for clients is: this is the same bug class APT28 was abusing in February, which Microsoft thought it had fixed, and which is back in active exploitation roughly eleven weeks later.
Google AI 2FA bypass
awarenessDisclosed: May 11, 2026 by Google Threat Intelligence Group
Note: First publicly confirmed real-world case of LLM-built zero-day exploitation in routine criminal operations
Action: None on the patch side (the affected tool is undisclosed and GTIG coordinated disclosure pre-exploitation); awareness for client conversations and threat-model updates
GTIG reported with high confidence that a financially motivated criminal actor had used an unnamed AI model to discover and weaponise a 2FA bypass in a “popular open-source, web-based system administration tool”. The Python exploit had clear LLM tells, including a hallucinated CVSS score and the textbook-perfect Python structure no human attacker bothers to write. Google was careful to note the model used was not Gemini. The exploitation campaign would have been mass-scale; GTIG caught it before it ran.
Policy-layer items
awarenessForza Horizon 6 leak (May 11). A ~155 GB build of the unreleased game escaped via a Steam preload mishap a week before launch. Playground Games has announced franchise-wide and hardware bans for anyone caught with it. The cyber angle is indirect, but it is a clean asset-protection failure on a major Microsoft title and a useful talking point for clients in any business with pre-release IP.
Arcadia mayor charged (May 11). The US Department of Justice charged the Mayor of Arcadia, California, Eileen Wang, with acting as an illegal agent of the People’s Republic of China; reporting indicates she has agreed to plead guilty. For MSPs serving municipal clients it is a useful reminder that the trust boundary you are protecting can be compromised at the policy and physical access layer entirely outside your stack.
What this means for MSPs
I am going to keep this short because I said most of it less than a week ago, and the days since have only made it more obvious.
- The cadence of “critical, internet-exposed, patch-this-week” disclosures has gone from a couple a quarter to several a week. Patch fatigue is itself a security risk, and the answer is not “work harder”, it is “build a backlog model that prioritises by blast radius and accept that some lower-impact items will slip a cycle”.
- Operating system mega-updates are now routine. A combined 130 CVEs from one Apple Tuesday should sit inside your patch SLA and your client communications playbook as a recurring event, not as a surprise.
- With the Shai-Hulud toolkit publicly available and the entry technique demonstrated to clear SLSA provenance checks, supply chain compromise has moved from “well-resourced actor with novel tradecraft” to “anyone with a GitHub account and a copy of the source”. CI runners and developer workstations are the front line. Pin to commit SHAs, audit Actions usage, hash-check installs, scope OIDC tokens, separate publish credentials from build credentials.
- AI on the offensive side now has at least one publicly confirmed example of finding and weaponising a real-world zero-day. Defenders do not yet have an equivalent in routine use. Expect that gap to widen before it narrows.
- Physical and policy layer security still matter. YellowKey is a hands-on-keyboard physical exploit. The Arcadia indictment is a policy-layer counter-intelligence story. Neither will be caught by an EDR rule.
- For Windows estates, the YellowKey-and-GreenPlasma pair has no patches yet, and the Dirty Frag pair has patches but requires a kernel reboot. Plan reboot windows accordingly and accept that some clients will need to make uncomfortable trade-offs in the short term.
Closing thought
Six days ago I said I feared three exploits in 72 hours was the start, not the end. The week since has produced eleven distinct named incidents worth telling clients about, anchored by a 48 hour window in the middle of it that I am still not sure how to mentally file. The bar for “what counts as a notable week in security” has moved, and the MSPs who come through 2026 in one piece will be the ones that adjust their operating rhythms to match: rotate by default, segment by default, pin and hash-check by default, treat every disclosure as the start of an incident response timer rather than the end of one, and ration the team’s attention by blast radius rather than chronology.
If past form is anything to go by, the next batch of receipts is already on its way.
Related reading
3 exploits in 72 hours. I fear this is just the beginning.
Three critical incidents in under 72 hours: cPanel auth bypass exploited as 0-day, Linux Copy Fail kernel root, and Mini Shai-Hulud's npm and PyPI return.
LiteLLM Supply Chain Attack: What MSPs Need to Know
Analysis of the TeamPCP supply chain attack on LiteLLM via compromised Trivy GitHub Actions, covering the 3-layer payload, IOCs, and defensive actions for MSPs.
Axios npm Supply Chain Attack: What You Need to Know
Analysis of the axios npm supply chain attack that dropped a cross-platform RAT via maintainer account compromise, with IOCs and defensive steps.
Nightmare-Eclipse: Public PoC Meets Real Intrusion
Huntress caught the Nightmare-Eclipse toolkit (BlueHammer, RedSun, UnDefend, BeigeBurrow) in a live intrusion. Here are the IOCs and what we learned.