The Lyceum: Cyber Intelligence Daily — May 12, 2026
Tuesday, May 12, 2026
The Big Picture
Two stories landed Monday (May 11, 2026) that, taken together, tell you where the floor just moved. Google's Threat Intelligence Group confirmed the first criminal use of an AI-developed zero-day — an exploit caught before its mass-exploitation debut, and recognizable as machine-written partly because the script invented its own CVSS score. Hours later, the npm worm "Mini Shai-Hulud" reappeared, this time poisoning 170+ packages including TanStack and Mistral AI's Python SDK, and — for the first time on record — shipping malicious versions with valid SLSA Build Level 3 provenance attestations. The trust infrastructure defenders spent years building is now being signed and delivered with the malware inside it.
What Just Dropped
- CVE-2026-41940 — cPanel: actively exploited, no NVD score published at press time. A threat actor tracked as Mr_Rot13 is chaining the authentication bypass to drop Filemanager backdoors and webshells on unpatched hosts.
- CVE-2026-33634 — Checkmarx Jenkins AST plugin v2026.5.09: malicious build published to the Jenkins Marketplace, CVSS 9.4 per Techzine; designed to exfiltrate environment variables and secrets from CI runners.
- CVE-2026-0300 — Palo Alto Networks PAN-OS: KEV-listed, maturity 2 (operational), no ransomware tag yet. CL-STA-1132 observed targeting government networks; patch lands this week.
- CVE-2026-6973 — Ivanti EPMM: KEV-listed, maturity 2, exploited using credentials stolen in January attacks against orgs that never rotated.
- CVE-2026-42208 — BerriAI LiteLLM: KEV-listed, maturity 2; the AI gateway joins CISA's actively exploited list.
- Mini Shai-Hulud npm worm (wave four): TeamPCP-attributed self-spreading payload now affecting 170+ npm packages plus mistralai==2.4.6 and guardrails-ai==0.10.1 on PyPI; first documented worm producing validly-attested malicious packages.
- ThingsBoard 4.2.0 SSRF PoC: working exploit code published on Exploit-DB for the IoT management platform — a practical pivot from IT into OT segments that rely on ThingsBoard to reach isolated devices.
Today's Stories
The First AI-Built Zero-Day Got Caught — And It Almost Worked
The thing security researchers have been warning about for years happened, and it was almost invisible.
Google's Threat Intelligence Group (GTIG) disclosed Monday (May 11, 2026) that it has identified, for the first time, a criminal threat actor using a zero-day exploit it believes was developed with AI — one the group planned to use in a mass exploitation event, and which GTIG's proactive counter-discovery appears to have disrupted. The exploit was a Python script that bypassed two-factor authentication on a popular open-source, web-based system administration tool. Google has not named the tool or the actor; the vendor has been notified and the bug patched.
What's genuinely new isn't that AI was used — it's what kind of flaw AI found. GTIG notes that the vulnerability stemmed not from common implementation errors like memory corruption, but from a high-level semantic logic flaw where the developer had hardcoded a trust assumption. Fuzzers don't find those. Frontier LLMs apparently do — they read the developer's intent and notice when the 2FA enforcement logic contradicts its own hardcoded exceptions.
The script gave itself away by being too polished. According to GTIG, the Python code contained an abundance of educational docstrings, a hallucinated CVSS score the AI invented for itself, and the kind of textbook Pythonic structure characteristic of LLM training data. The AI exploit writer, in other words, footnoted its own work.
The broader report is the part most coverage is burying. According to The Hacker News's readout of the GTIG findings, North Korean cluster APT45 sent "thousands of repetitive prompts" to recursively analyze CVEs and validate proof-of-concept exploits, while Chinese state-linked APT27 leveraged Gemini to speed development of a fleet-management application likely intended to manage an operational relay box network. A Russia-nexus cluster targeting Ukrainian organizations is delivering AI-enabled malware dubbed CANFAIL and LONGSTREAM, both using LLM-generated decoy code to conceal malicious functionality.
GTIG's chief analyst John Hultquist, quoted by The Register, put it bluntly: "There's a misconception that the AI vulnerability race is imminent. The reality is that it's already begun. For every zero-day we can trace back to AI, there are probably many more out there."
Watch for when the affected admin tool is named (the vendor disclosure will eventually surface); unpatched instances will become priority targets within hours. The observable signal that defenders are losing this race will be the second incident — the first AI-developed exploit not caught before deployment.
TeamPCP's npm Worm Affected 170+ Packages Monday Night — Including TanStack and Mistral AI
If your team ran npm install Monday evening, this is the one to handle before lunch.
Between 19:20 and 19:26 UTC on May 11 — a six-minute window — an attacker published 84 malicious versions across 42 @tanstack/* npm packages. According to TanStack's own postmortem, the attack chained a pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork/base trust boundary, and runtime memory extraction of an OIDC token directly from the GitHub Actions runner process. OIDC tokens are the short-lived credentials GitHub Actions uses to publish packages without storing long-lived secrets — the mechanism that was supposed to make supply chains safer.
The malicious packages weren't published by an attacker who stole credentials. They were published by TanStack's legitimate release pipeline, using its trusted OIDC identity, after attacker-controlled code hijacked the runner mid-workflow. By the time the dust settled, per SafeDep's tally, the campaign had compromised 170+ npm packages and two PyPI packages — mistralai==2.4.6 (the official Mistral AI Python SDK) and guardrails-ai==0.10.1 — for a total of 404 malicious versions. PyPI has quarantined both Python projects entirely.
The payload, per Wiz's analysis, targets CI/CD tokens (GitHub Actions OIDC, GitLab, CircleCI), cloud credentials (AWS IMDSv2, GCP, Azure), Kubernetes service accounts, HashiCorp Vault, and registry tokens. On developer machines, it installs a persistent daemon that polls GitHub every 60 seconds and — on receiving a 4xx error indicating token revocation — attempts to run rm -rf ~/. The daemon exits cleanly after 24 hours without triggering, but in the meantime, rotate your tokens in the wrong order and you may lose your home directory. Remove the malware first. Then rotate.
The detail that should stop you cold, per Snyk and StepSecurity: the compromised packages carry valid SLSA Build Level 3 provenance attestations. SLSA — Supply-chain Levels for Software Artifacts — is the framework the industry has been building toward as the answer to exactly this class of attack. The Sigstore attestations on the malicious versions are not forged. They correctly attest that the packages were built and published by release.yml running on refs/heads/main in the TanStack/router repository. The standard simply doesn't attest that the workflow was authorized to run from a protected branch, or that the commit triggering it was legitimate. The cryptographic guarantee everyone thought they had didn't cover this attack class.
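A consumer-side policy check that makes that gap concrete, written as an added example (not code from TanStack, npm, Sigstore or any report cited here): it evaluates a constructed SLSA v1 provenance statement against the fields such provenance does attest (builder, repository, workflow path, branch ref), then checks the attested source commit against the consumer's own list of known release commits, which is the control provenance alone does not give you. The digests, commit ids, builder id and helper names are assumptions.

```python
import json

# Constructed sample shaped like a SLSA v1 in-toto provenance statement;
# the digests and commit ids are placeholders, not values from any real package.
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": [{"name": "pkg:npm/%40example/pkg@0.0.0", "digest": {"sha512": "00"}}],
    "predicate": {
        "buildDefinition": {
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": "https://github.com/TanStack/router",
                "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [{
                "uri": "git+https://github.com/TanStack/router@refs/heads/main",
                "digest": {"gitCommit": "CONSTRUCTED_COMMIT_B"}}]},
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}}}})

# What the consumer expects the attested build identity to look like (assumed values).
POLICY = {"builder": "https://github.com/actions/runner/github-hosted",
          "repository": "https://github.com/TanStack/router",
          "path": ".github/workflows/release.yml",
          "ref": "refs/heads/main"}

def identity_failures(statement: dict, policy: dict) -> list:
    """Fields Sigstore/SLSA provenance does attest: builder, repo, workflow path, ref."""
    pred = statement["predicate"]
    observed = dict(pred["buildDefinition"]["externalParameters"]["workflow"])
    observed["builder"] = pred["runDetails"]["builder"]["id"]
    return [k for k, want in policy.items() if observed.get(k) != want]

def attested_commit(statement: dict) -> str:
    """The source commit the build claims it used (empty string if absent)."""
    for dep in statement["predicate"]["buildDefinition"].get("resolvedDependencies", []):
        if "gitCommit" in dep.get("digest", {}):
            return dep["digest"]["gitCommit"]
    return ""

def evaluate(provenance_json: str, policy: dict, released_commits: set) -> dict:
    """Accept only if the identity matches AND the commit is one the maintainers cut.

    The second condition is the consumer's own control: provenance proves which
    workflow and branch ran, not that the run or its commit was authorized.
    """
    statement = json.loads(provenance_json)
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return {"accept": False, "commit": "", "reason": "unexpected predicateType"}
    failures = identity_failures(statement, policy)
    commit = attested_commit(statement)
    known = commit in released_commits
    reason = "ok" if not failures and known else (
        "identity mismatch: " + ",".join(failures) if failures else "commit not in release list")
    return {"accept": not failures and known, "commit": commit, "reason": reason}
```

The sample passes every identity check, exactly as the page describes for the malicious versions, and is rejected only by the release-commit list the consumer maintains.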
StepSecurity attributes the campaign to TeamPCP (also tracked as UNC6780), the same group behind the March compromise of Aqua Security's Trivy scanner and April's Bitwarden CLI poisoning. Per Wiz, the malware checks if the system is configured for the Russian language and terminates without exfiltrating data if so — the same evasion technique seen in Russian-linked ransomware strains for years.
What changes if this attack class scales: the working assumption that "signed package from a legitimate maintainer" equals "safe" stops being defensible. The observable signal that it's spreading: other major maintainers publishing releases attested by their own pipelines that nonetheless contain post-install network beacons.
If you installed any @tanstack/ package on May 11, rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials reachable from the install host — after removing the malware. Block git-tanstack.com and .getsession.org at your DNS layer now.
Checkmarx Got Hit by TeamPCP Again — For the Third Time in Two Months
There is a particular kind of uncomfortable when the company selling you a security scanner keeps getting its own scanner picked.
Over the weekend, Checkmarx confirmed that a rogue version of its Jenkins Application Security Testing plugin had been published to the Jenkins Marketplace. This is the third supply-chain attack the application security firm has endured since late March, all attributed to TeamPCP. Jenkins is the CI/CD automation platform that runs builds, deployments, and security scans at thousands of companies. The Checkmarx plugin sits directly in that pipeline — which means it has access to almost everything that matters.
The compromise has been assigned CVE-2026-33634 with a CVSS of 9.4, per Techzine. TeamPCP renamed the plugin's marketplace page to "Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now" and altered the description to claim Checkmarx had failed to rotate its secrets — a taunt that, per SOCRadar's analysis quoted in The Hacker News, appears largely correct: "The fact that TeamPCP is back inside Checkmarx systems just weeks later points to one of two possibilities: either the initial remediation was incomplete and credentials were not fully rotated, or the group retained a foothold that wasn't identified during the March response."
Checkmarx's own incident guidance, posted to its blog, names checkmarx[.]zone as a confirmed indicator of compromise and advises customers to inspect runners for unexpected scripts (a setup.sh is called out specifically) and any Open VSX-sourced Checkmarx plugin installed during the affected period. The payload was designed to exfiltrate environment variables and secrets from affected GitHub repositories and execution environments.
If your Jenkins environment installed Checkmarx AST plugin version 2026.5.09, treat that environment as compromised. Rotate every secret visible to the Jenkins runner: GitHub tokens, AWS/GCP/Azure credentials, Kubernetes configs, Docker credentials, SSH keys. Roll back to version 2.0.13-829.vc72453fa_1c16, published December 17, 2025, or an older release until Checkmarx ships clean code.
The pattern worth naming: TeamPCP is treating each victim's credentials as the next attack's entry point. Trivy in March, Checkmarx KICS in late March, Bitwarden CLI in April, TanStack and Checkmarx Jenkins this week. The group is industrializing the supply-chain pivot.
Canvas Is Back Online, and Instructure Has Finally Named the Access Path
The worst kind of breach is the one that crashes into real life at exactly the wrong moment, and Canvas managed to do that during finals week.
Instructure now says Canvas is fully restored, and in its updated incident FAQ has identified the access path the attackers used: an issue tied to Free-For-Teacher accounts. Per the company's notice, Instructure temporarily shut those accounts down to close the path, revoked privileged credentials and access tokens, rotated internal keys, restricted token creation paths, and added monitoring. For the May 7 defacement activity that followed the initial intrusion, Instructure says it has not found evidence that data was taken during that later phase — though the investigation into earlier access continues.
For schools and admins, the practical takeaway is narrow: Instructure is not recommending broad customer-side remediation unless contacted directly. Watch for targeted notifications, review your integrations and admin activity, and treat anything unusual against your tenant as worth escalating.
What changes if the earlier-access investigation produces a worse finding: the ShinyHunters claim of 275 million records becomes credible rather than aspirational, and Instructure's "no evidence of data theft during the May 7 activity" caveat starts to read less like a clarification and more like a hedge. The observable signal that this is the calm before the next wave: any indication that paid Canvas tenants — not just Free-For-Teacher accounts — were reachable through the same path.
⚡ What Most People Missed
- MCP tool poisoning is emerging as the top attack vector against AI agents: ITECS reports researchers observing attacks that slip malicious instructions into the descriptions and metadata fields agents read but humans ignore. Allowlist tool endpoints, bind agent identities to specific tool instances, and require human approval for high-risk actions — treat agent tool calls like admin operations until you've audited the integration.
- Apple shipped 50+ patches across the entire platform stack Monday: iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, tvOS 26.5, watchOS 26.5, and visionOS 26.5 all dropped together, alongside backports to iOS 18.7.9, 16.7.16, and 15.8.8. No actively exploited bugs, but patch notes are now public — which means researchers and adversaries are reading them at the same time.
From the Foreign Press
Trivy Compromise Postmortem: How an Attack on a Vulnerability Scanner Triggered a Domino Effect
Russian security publication Xakep published an extensive reconstruction of the TeamPCP campaign — the same group behind this week's TanStack and Checkmarx Jenkins compromises — tracing it back to the March compromise of Aqua Security's open-source Trivy vulnerability scanner. The piece argues, persuasively, that each subsequent victim was reached using credentials harvested from the previous one: Trivy's secrets opened Checkmarx KICS, which opened Bitwarden CLI, which is now opening TanStack. The framing matters because it reframes "supply-chain attack" from a single event into a sustained campaign that compounds its own access. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
The Death of Obfuscation: How AI Breaks Code Protection in Hours
A separate Xakep technical walkthrough demonstrates that large language models paired with dynamic instrumentation tools like Frida can dismantle commercial code obfuscation in hours rather than weeks. The author's argument is that the economics of obfuscation — which assume reverse engineering is expensive enough to deter casual attackers — break down once an LLM can read obfuscated control flow and reconstruct intent at scale. This pairs uncomfortably with Google's GTIG findings: if LLMs can both find semantic logic flaws and unwrap the protections meant to slow exploit development, the defender's time advantage is shrinking on both ends. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If the open-source admin tool behind Google's AI zero-day disclosure gets named publicly, unpatched instances become priority targets within hours — and the second AI-developed exploit found in the wild will tell us whether GTIG caught a fluke or a trend.
- If any downstream package maintainer pushed a release between 19:20 UTC May 11 and now, audit those releases — the TanStack worm's self-spreading mechanism means any package published by a compromised pipeline during that window may itself be a vector.
- If Apple's iOS 26.5 patch notes produce public PoCs within the week, the backports to iOS 18.7.9, 16.7.16, and 15.8.8 become the long tail — older phones that won't get updated will remain exploitable for years.
- If Palo Alto's CVE-2026-0300 patch ships this week as scheduled, re-enable the disabled User-ID Authentication Portal feature only after confirming the patch is applied — CL-STA-1132 is already targeting government networks.
- If a second major npm ecosystem package surfaces with valid SLSA Level 3 provenance and a hostile payload, the entire industry conversation about supply-chain trust attestations resets to zero.
The Closer
A Python exploit script that wrote its own CVSS score before bypassing 2FA, a worm that asked GitHub politely every sixty seconds whether it should delete your home directory, and a security vendor whose Jenkins plugin briefly renamed itself to advise customers to cancel their contracts. The supply-chain standard everyone agreed to trust just shipped malware with a valid signature, which is either the most expensive lesson in cryptographic semantics the industry has ever paid for or merely the down payment.
Stay paranoid. Rotate in the right order.
Forward this to the colleague who still thinks "signed package" means "safe package" — they need it more than they know.