Hello, stay ahead with CISO Brief 🚀

🔧 Google today introduced Agent Executor, an open-source runtime standard for durable, resumable, and distributed agent execution. It offers event logging and snapshotting to enable durable execution, secure sandbox isolation to limit harm, and a single-writer architecture to maintain session consistency. Agent Executor also supports connection recovery so clients can reconnect to long-running workflows. The project is available in preview and pairs with Agent Substrate to improve Kubernetes-scale agent scheduling.

🚀 Google Cloud announced general availability of GKE Agent Sandbox and introduced the open-source Agent Substrate. Agent Sandbox is a cloud-native execution environment designed for AI agents, offering pod snapshots to suspend idle workloads, an integrated warm pool for sub-second provisioning, gVisor and pluggable kernel isolation, and standby suspended VMs to reduce warm-pool cost. Agent Substrate aims to provide a minimal control plane and scheduler optimizations to support ultra-dense, low-latency agent workloads at scale.

🚀 Google AI Edge Portal now enables developers to benchmark and debug on-device LLMs across a physical lab of over 120 representative Android devices. It profiles initialization time, prefill and decode speeds, and peak memory usage across CPU, GPU, and NPU backends to surface real user-impacting metrics. The integrated Model Explorer visualizes model graphs, tensor shapes, and traces to speed root-cause analysis and collaboration.

🚀Urban Outfitters, Inc. (URBN) recently migrated its IBM Sterling OMS from an 11TB Oracle backend to Google Cloud’s AlloyDB for PostgreSQL to reduce TCO and improve scalability and performance. The migration was executed through close collaboration among URBN, IBM, and Google Cloud, with embedded engineering teams driving planning, testing, and tuning. Outcomes included optimized storage and compute, two read replicas for higher availability, significant performance improvements, and a shift toward open standards to future-proof operations.

⚠ GitHub confirmed attackers exfiltrated code from roughly 3,800 internal repositories after a compromised employee device and a poisoned VS Code extension were used to gain access. The company detected and contained the compromise on May 19, removed the malicious extension, isolated the endpoint, and began incident response. A threat actor calling itself TeamPCP posted lists of stolen repos and claimed responsibility, threatening to leak the data if not sold. GitHub is rotating secrets, analyzing logs, and said it will publish a full incident report when investigations conclude.

🔐 Grafana confirmed its recent data breach stemmed from a single missed GitHub workflow token that was exfiltrated after malicious TanStack npm packages executed in its CI/CD environment. The company detected the intrusion on May 1, rotated most tokens, and launched its incident response, but one token was overlooked and allowed attackers repository access. Grafana says source code wasn't altered and no customer production systems were impacted.

📱 Zimperium's zLabs uncovered a 10-month Android malware campaign that used nearly 250 fake apps to enroll victims in premium carrier billing services across Malaysia, Thailand, Romania and Croatia. The operation, running from March 2025 to January 2026, included three variants that ranged from cookie- and SMS-harvesting to a fully automated subscription flow against DiGi. The most advanced variant abused Google's SMS Retriever API, forced traffic onto cellular, loaded hidden carrier billing pages and intercepted one‑time passwords. Users are advised to avoid sideloading apps, verify installed apps and review mobile bills for unexplained charges.

🔒 Microsoft has open-sourced two engineering tools—RAMPART and Clarity—to make agent safety a continuous part of development. RAMPART provides a pytest-style framework that brings red-team and adversarial tests into CI, evaluating tools invoked and side effects. Clarity is a structured design companion that captures problem statements, failure analyses, and decisions in a .clarity-protocol directory. Both aim to create living safety artifacts integrated into normal workflows.

🚨 The Mini Shai-Hulud worm resurfaced in a coordinated supply-chain wave that published 639 malicious versions across 323 npm packages tied to the AntV visualization ecosystem on 19 May, lasting roughly an hour. Analysis by Socket and updates from Microsoft show the payload added preinstall hooks executing an obfuscated Bun bundle to harvest cloud and CI secrets. Many affected packages are high-download dependencies and the compromised maintainer account held rights to over 500 packages. Responders should pin pre-19 May versions, rotate exposed credentials and audit GitHub for forged repository activity.

🔒 Microsoft says it disrupted a malware-signing-as-a-service operation, codenamed OpFauxSign, that abused Artifact Signing to produce short-lived fraudulent code-signing certificates and deliver signed malware. The company seized the SignSpace site signspace[.]cloud, took hundreds of virtual machines offline, and blocked hosting for the underlying code. Operators tied to the group, called Fox Tempest, sold signing services for $5,000–$9,000 and facilitated distribution of Rhysida ransomware and loaders like Oyster. Microsoft added the actor likely used stolen U.S. and Canadian identities to pass verification and repeatedly adapted its tradecraft as defenders revoked certificates.

🔒 AI security cannot be reduced to a single benchmark. Over the past 30 years software security evolved from black‑box penetration testing to white‑box analysis and process-driven standards such as BSIMM, and the report argues that AI requires a similar assurance-first approach. Benchmarks fail to capture emergent, systemic properties, so organizations should clean up their WHAT piles, adopt risk-based processes, and accept that there is no simple security meter for AI.

🚀 AWS announces general availability of a new AWS Local Zone in Istanbul, Türkiye, bringing compute, storage, networking, and select services closer to end users. The Local Zone supports Amazon EC2 (C7i, M7i, R7i), Amazon S3 One Zone-Infrequent Access, Amazon EBS (local snapshots and gp3/gp2/io1/sc1/st1), Amazon ECS, Amazon EKS, VPC, AWS Direct Connect, and Application Load Balancer. To enable, turn on the zone (eu-central-1-ist-1a) in the EC2 console or use the ModifyAvailabilityZoneGroup API to reduce latency and meet data residency needs.

🛡️ Drupal has issued a core security release scheduled for May 20 between 17:00 and 21:00 UTC, warning that exploits could appear within hours of disclosure. Administrators are urged to reserve time for the update and to upgrade sites running Drupal 8 or 9 to at least 10.6. Patches will be released for several 10.x and 11.x branches, and although some older branches are EOL, hotfixes will be provided for affected 9.5 and 8.9 releases. Sites using Drupal Steward have mitigations but should still apply updates promptly.

🔍 ESET researchers observed that China-aligned Webworm expanded its toolkit in 2025 with two new backdoors—EchoCreep and GraphWorm—that use Discord and the Microsoft Graph API for C2 communications. The actor increasingly favors proxy-based utilities and staging techniques such as SoftEther VPN and GitHub repositories to blend malicious traffic. Targets include government and enterprise entities across Asia and Europe, while older RATs appear to be abandoned.

⚠️Orchid Security's Identity Gap: Snapshot 2026 reveals that unseen, unmanaged identity elements now exceed visible ones, with 'identity dark matter' at 57% versus 43%. The report warns that rapid adoption of Agent AI amplifies risk because autonomous agents look for the most efficient access paths, often exploiting hard-coded or orphaned credentials and excessive privileges. Orchid urges strengthening identity and access management controls and using its readiness checklist to mitigate exposures.

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.

🔒 ESET researchers report that the China-aligned APT group Webworm expanded operations in 2025 to target European government organizations in Belgium, Italy, Poland, Serbia and Spain, and also compromised a university in South Africa. Analysis presented at ESET World on 19 May by Robert Lipovsky described the campaign as largely semi-opportunistic, with some cases linked to legacy vulnerabilities such as a discontinued SquirrelMail flaw. The group introduced two new backdoors — Discord-based EchoCreep and Microsoft Graph-based GraphWorm — and continues to use a complex set of proxy tools and cloud-based data exfiltration techniques.

🔒 A public proof-of-concept (PoC) exploit has been released for the recently patched local privilege escalation flaw dubbed PinTheft, which targets an RDS zerocopy double-free in the Linux kernel. The issue can lead to a page-cache overwrite via io_uring fixed buffers and allow a local attacker to obtain a root shell. Exploitation requires the RDS kernel module, io_uring enabled, a readable SUID-root binary and x86_64 support, so the impact is limited in practice and Arch Linux defaults make it the most exposed. Administrators are advised to apply kernel updates or unload and blacklist the RDS modules as an interim mitigation.