The Lyceum: Cyber Intelligence Daily — May 19, 2026

The week opens with a Windows zero-day that survived its own patch, a supply-chain worm that learned to forge cryptographic signatures, and — most embarrassingly — CISA's own contractor leaving the keys to GovCloud sitting in a public GitHub repo since November. The people setting the rules and the people writing the patches are both having a rough morning. Keep your coffee close.

• MiniPlasma Windows zero-day — Windows 11 (fully patched, May 2026 updates): no fix available, PoC public, confirmed working on latest builds. Grants SYSTEM privileges via cldflt.sys — the same flaw Microsoft thought it patched in 2020.
• Mini Shai-Hulud supply-chain worm — npm ecosystem (TanStack, AntV, UiPath, Mistral AI, guardrails-ai packages): actively spreading May 11–12, attributed to TeamPCP. Self-propagates by stealing CI/CD credentials and republishing as the maintainer.
• CVE-2026-20182 — Cisco Catalyst SD-WAN Controller & Manager: in CISA KEV, federal deadline was Sunday (May 17), unauthenticated authentication bypass yielding admin access.
• CVE-2026-42897 — Microsoft Exchange Server (on-prem, OWA): in CISA KEV, federal deadline May 29, actively exploited spoofing flaw in Outlook Web Access.
• Apple M5 macOS kernel exploit — macOS 26.4.1 on bare-metal M5 hardware: no patch yet for the underlying bugs, working data-only LPE to root, AI-assisted development in five days.

You patched Windows last Tuesday. You're still vulnerable.

A researcher operating as Chaotic Eclipse (also Nightmare Eclipse) has published proof-of-concept code for a Windows privilege escalation zero-day they call MiniPlasma, which delivers SYSTEM privileges — full operating-system control — on fully patched Windows 11. The flaw lives in cldflt.sys, the Cloud Filter driver that backs OneDrive synchronization, in a routine called HsmOsBlockPlaceholderAccess. Google Project Zero's James Forshaw reported this same code path in September 2020 as CVE-2020-17103. Microsoft shipped a fix that December. According to Chaotic Eclipse, "the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched."

BleepingComputer confirmed the exploit works on a Windows 11 Pro system running the May 2026 Patch Tuesday updates, and Will Dormann, principal vulnerability analyst at Tharros, replicated the result independently. The flaw does not work on the latest Windows 11 Insider Preview Canary build — which strongly suggests Microsoft has a fix in internal testing but hasn't shipped it.

The weaponization scenario is straightforward: every ransomware affiliate who already has a low-privileged foothold — phishing payload, browser exploit, stolen RDP creds — gains a reliable path to SYSTEM. The Cloud Filter driver ships on essentially every modern Windows installation. Watch for an out-of-band patch this week. The prior three Chaotic Eclipse disclosures — BlueHammer, RedSun, and UnDefend — were all exploited in real attacks within days of publication. There is no reason to expect a different trajectory here.

Defenders should monitor \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps and \Registry\User\.DEFAULT\Volatile Environment for modifications via EDR.

If your build pipeline pulled from npm between May 11 and May 12, stop reading and check what it pulled.

StepSecurity, working with security researcher Varun Sharma, has documented a fresh wave of the Mini Shai-Hulud supply-chain worm, attributed to a threat actor StepSecurity tracks as TeamPCP. The worm compromised maintainer accounts across the @antv and @tanstack npm ecosystems, plus packages from UiPath, Mistral AI, and guardrails-ai. It harvests CI/CD credentials, cloud API keys, and developer tokens — then uses those credentials to republish itself as the legitimate maintainer of other packages those credentials had access to. Hence "self-spreading."

Here's the detail that should make every security architect put down their coffee: per StepSecurity, the attacker used stolen OIDC tokens with the legitimate Sigstore stack to produce cryptographically valid Build Level 3 provenance attestations for the malicious packages. In plain language — the malware was correctly signed by the real maintainer's CI infrastructure, because the attacker briefly was the real maintainer's CI infrastructure. Running npm audit signatures will tell you the package is properly attested. It will not tell you the package is safe.

Signed-but-malicious is now a documented category. The core premise of modern supply-chain defense — that cryptographic provenance equals trust — needs a second layer. Watch whether Sigstore, GitHub, and npm publish guidance on detecting attestations produced under credential compromise, or whether the industry quietly pretends this didn't happen.

If your pipelines ran any affected package after May 11, rotate every secret those workflows touched. Cloud keys, deployment tokens, SSH keys — all of it.

Brian Krebs broke the story Sunday, and it gets worse the longer you sit with it.

Until last weekend, a contractor working for the Cybersecurity and Infrastructure Security Agency — the federal agency that tells everyone else how to do security — maintained a public GitHub repository called "Private-CISA." The repo contained administrative credentials to three AWS GovCloud accounts in a file titled "importantAWSTokens," plaintext usernames and passwords in a CSV called "AWS-Workspace-Firefox-Passwords.csv," and references to internal systems including one labeled "LZ-DSO" — apparently Landing Zone DevSecOps, CISA's secure code development environment. Security researcher Philippe Caturegli of Seralys validated that the exposed credentials authenticated successfully against high-privilege GovCloud accounts.

The contractor had actively disabled GitHub's default secret-scanning protections. Backups were committed directly to git. Krebs reports the archive had been public since at least November 2025.

CISA told Krebs there is "no indication" sensitive data was compromised. That phrasing is doing heroic work. Valid GovCloud admin credentials sat in a public repo for roughly six months; anyone with a GitHub search query and patience could have found them. "No indication" means "we don't have logs proving someone used them" — not "nobody used them." If forensic review surfaces unauthorized access, CISA's credibility as the federal cyber standard-setter takes a hit it won't quietly recover from, and every state and local government that follows CISA's playbook gets a harder conversation with its auditors. Watch whether any subsequent advisory mentions the contractor by name, or whether the agency lets the story age out without one.

Security firm Calif — researchers Bruce Dang, Dion Blazakis, and Josh Maine — has published what they describe as the first public kernel local privilege escalation exploit against macOS 26.4.1 on bare-metal Apple M5 hardware. Starting from an unprivileged local account and using only standard system calls, they deliver a full root shell while Apple's Memory Integrity Enforcement (MIE) is active. MIE was Apple's flagship hardware mitigation for the M5 and A19, specifically designed to break the memory-corruption exploit chains used against modern iOS — including the leaked Coruna and Darksword kits.

Two details deserve attention. First, the attack is "data-only": it doesn't inject code but manipulates existing trusted memory structures and execution paths, largely sidestepping anti-malware approaches that hunt for injected payloads. Second, the timeline — bugs found April 25, second researcher pulled in April 27, working chain May 1. Five days, with substantial assistance from Claude Mythos Preview, Anthropic's restricted frontier model for vulnerability research.

The window between "AI found a bug in flagship hardware" and "working root shell" is now measured in days. Vendor patch cycles, which still run in weeks, become the bottleneck. Watch whether the next public M-series chain follows the same compressed timeline, or whether this turns out to be a one-off enabled by access to a model most researchers don't have. Calif has held the 55-page writeup pending Apple's patches; macOS Tahoe 26.5 already credits Calif and Anthropic Research for related fixes, suggesting at least part of the chain is closed.

CERT-UA published advisory CERT-UA#19092 describing a targeted campaign by the cluster it tracks as UAC-0190, internally codenamed "Ненадійний фонд" — "Unreliable Foundation." The targets are Ukrainian defense-sector organizations, and the weapon is a previously undocumented backdoor named PLUGGYAPE delivered via spearphishing lures tailored to defense operations. What makes this notable beyond the immediate Ukrainian context: PLUGGYAPE has no prior public documentation, which means existing antivirus signatures and Western threat-intel feeds won't catch it yet. Organizations supporting Ukrainian defense efforts — contractors, NGOs, Western government liaisons — are plausible secondary targets. CERT-UA has not formally attributed UAC-0190 to a named Russian service.

Source: CERT-UA Advisory #19092 — Ukrainian. No English-language coverage confirmed at time of publication.

CERT-UA's advisory CERT-UA#18329 documents a targeted attack on an educational institution in eastern Ukraine using a previously undocumented malware family called GAMYBEAR. An education-sector target this far east is operationally interesting — it suggests either intelligence collection on students and faculty (think: families with military connections) or use of the institution as a pivot into adjacent networks. GAMYBEAR, like PLUGGYAPE, has no prior public documentation. The advisory is available only in Ukrainian.

Source: CERT-UA Advisory #18329 — Ukrainian. No English-language coverage confirmed at time of publication.

Russian-language outlet Xakep, citing Kaspersky research, reports that the Leek Likho cluster — also tracked as SkyCloak and Vortex Werewolf — is increasingly using large language models to generate phishing scripts, payload filenames, and other artifacts customized for specific Russian government, industrial, and construction targets. This isn't "AI malware" in the sci-fi sense; it's LLMs as workflow glue inside a real intrusion set, eroding the templated quality that defenders normally rely on as a tell. Kaspersky's visibility into Russia-focused activity is unusually deep, which makes the operational takeaway worth taking seriously: the baseline quality of social engineering against Russian targets is rising.

Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.

A government contractor uploading GovCloud admin keys to a repo called "Private-CISA," a worm forging valid cryptographic signatures while the industry insists signatures are the answer, and a Windows driver still vulnerable to a bug Google reported when most of us were learning to bake bread. The agency that writes the patching guidance is overdue on its own KEV deadline; the kernel maintainer who built the most-deployed OS on Earth says his security mailing list has been DDoSed by helpful robots. Sleep well.

Forward this to the friend who still thinks "signed package" means "safe package" — they're about to have a week.