
Supply Chain Worm, Critical Patches, And AI Agents For Defense
Coverage: 12 May 2026 (UTC)
A high-impact supply chain campaign against popular JavaScript and Python ecosystems dominated the day, while critical patches landed across industrial control systems, SAP platforms, and Microsoft products. At the same time, major vendors advanced AI-driven security tooling and rolled out stronger default protections for mobile users and cross-platform messaging. The result is a divided focus for defenders: rapid containment and forensics for compromised developer environments, plus disciplined patching and measured adoption of new agentic security capabilities.
Worm-Like Supply Chain Campaign Hits npm and PyPI
Researchers detailed Mini Shai-Hulud, a broad supply chain operation attributed to TeamPCP that pushed trojanized releases of npm and PyPI packages maintained by projects and organizations including TanStack, Mistral AI, OpenSearch, UiPath, and Guardrails AI. The npm variant deploys an obfuscated JavaScript loader (router_init.js) that profiles the host and runs a multi-capability credential stealer targeting cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems. PyPI variants fetch and execute remote artifacts with distinct operational and geofencing logic. Exfiltration is routed through redundant channels, among them a Session Protocol domain (filev2.getsession[.]org), a typosquat domain (git-tanstack[.]com), and commits pushed through the GitHub GraphQL API under the author string "claude@users.noreply.github.com", so that blocking any single channel does not stop the leak.
Persistence and propagation target developer and CI/CD identities. The malware installs IDE persistence for Claude Code and VS Code, runs a gh-token-monitor service, and injects malicious GitHub Actions workflows that serialize repository secrets and export them externally. TanStack traced its compromise to a chained GitHub Actions attack that leveraged an orphaned commit, the pull_request_target trigger (which runs with the base repository's secrets), cache poisoning, and runtime extraction of an OIDC token from the runner. The malicious releases carried valid SLSA Build Level 3 provenance, a reminder that provenance attests to which builder produced an artifact, not that the build's inputs were benign. The issue was assigned CVE-2026-45321 (CVSS 9.6) and affects 42 TanStack packages and 84 versions.
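The TanStack chain hinges on a workflow shape that is easy to grep for: a pull_request_target job (which carries the base repository's secrets and GITHUB_TOKEN) that checks out and builds the untrusted PR head, with id-token: write and a cache step as amplifiers. The following is an added example, not TanStack's or the researchers' code, that audits workflow text for that shape with line-oriented regexes rather than a full YAML parser (it assumes the common 2-space YAML style). The three workflows it is run on are constructed for the demonstration: the weak pattern, a hardened equivalent, and a legitimate pull_request_target use that never touches PR-controlled files.

```python
"""Added example (not TanStack's or the researchers' code): a heuristic audit of
GitHub Actions workflow text for the pull_request_target chain described above.
Line-oriented regexes, not a full YAML parser (assumption: 2-space YAML style)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "info"
    rule: str
    detail: str


_PRT = re.compile(r"\bpull_request_target\b")  # job runs with base-repo secrets
_HEAD_REF = re.compile(  # checkout of the untrusted PR head
    r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}")
_BUILD_STEP = re.compile(
    r"^\s*-?\s*run:.*\b(?:npm (?:ci|install|run)|pnpm|yarn|pip install|make|node )", re.M)
_ID_TOKEN = re.compile(r"id-token:\s*write")  # job may mint an OIDC token
_CACHE = re.compile(r"actions/cache@|^\s*cache:\s*\S+", re.M)
_TOP_PERMS = re.compile(r"^permissions:", re.M)


def audit_workflow(text: str) -> list[Finding]:
    """Findings for one workflow file; an empty list means nothing matched."""
    out: list[Finding] = []
    prt, head = bool(_PRT.search(text)), bool(_HEAD_REF.search(text))
    if prt and head:
        out.append(Finding("high", "pwn-request",
                           "pull_request_target checks out the PR head: PR files run with base-repo secrets"))
        if _BUILD_STEP.search(text):
            out.append(Finding("high", "untrusted-build",
                               "a run step executes package-manager/build tooling on the PR checkout"))
    elif prt:
        out.append(Finding("medium", "pull_request_target",
                           "trigger exposes base-repo secrets; verify no step reads PR-controlled files"))
    if _ID_TOKEN.search(text):
        out.append(Finding("high" if prt else "info", "oidc-exposed",
                           "id-token: write lets job code request an OIDC token; pin the registry/cloud "
                           "trust policy to this repo, workflow and ref"))
    if prt and _CACHE.search(text):
        out.append(Finding("medium", "cache-poison",
                           "a cache saved by a pull_request_target job sits in the base branch scope "
                           "and is restorable by trusted jobs there"))
    if not _TOP_PERMS.search(text):
        out.append(Finding("medium", "no-permissions-block",
                           "no top-level permissions:, so GITHUB_TOKEN gets the repository default"))
    return out


# Constructed workflows: the weak pattern, a hardened equivalent, and a legitimate
# pull_request_target use (labeling) that never checks out or runs PR files.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions:
  contents: write
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci && npm run build
"""
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci --ignore-scripts && npm run build
"""
LABELER_WORKFLOW = """\
name: label
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""
```

The hardened form switches to pull_request (no base-repo secrets for fork PRs), drops to read-only permissions, and installs with --ignore-scripts so a dependency's lifecycle hook cannot run during the build. The labeler case shows why the trigger alone is only a medium finding: pull_request_target is safe as long as nothing in the job reads files or inputs the PR author controls.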
The campaign automates lateral movement by locating publishable npm tokens (including tokens flagged bypass_2fa), enumerating the packages each maintainer can publish, and exchanging the runner's OIDC token for per-package publish tokens, sidestepping the interactive authentication flows that normally gate a release. A dead-man's switch polls for token revocation and can trigger destructive "rm -rf" routines, so revoking credentials before a host is contained can turn a theft into data loss. Telemetry points to more than 170 affected packages across both registries, with over 518 million cumulative downloads and roughly 400 attacker-controlled repositories labeled "Shai-Hulud: Here We Go Again." Recommended mitigations: isolate and image impacted hosts before revoking anything, both to preserve evidence and because the switch watches for revocation; audit and scope OIDC trust policies; tighten workflow permissions; monitor install and build behavior; and rotate pipeline credentials only after containment and forensics are complete.
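"Monitor install and build behavior" starts with the package itself: npm runs the preinstall, install, postinstall and prepare scripts declared in package.json during npm install, which is where a loader like router_init.js gets its first execution. The following is an added example, not the researchers' code, that audits an npm tarball offline: it lists lifecycle hooks, resolves the script files they reference, and applies a few obfuscation and credential-access heuristics to those files. Both tarballs are constructed in memory; the "trojanized" loader is inert filler that only carries the textual tells, not malware.

```python
"""Added example (not the researchers' code): offline audit of an npm tarball's
lifecycle scripts and the files they run.  Constructed inputs only."""
from __future__ import annotations
import io
import json
import re
import tarfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
SCRIPT_FILE = re.compile(r"[\w./-]+\.(?:js|cjs|mjs|sh)")
SUSPICIOUS = (  # cheap textual tells, not a verdict
    (re.compile(r"\\x[0-9a-fA-F]{2}"), "hex-escaped string literals"),
    (re.compile(r"\beval\s*\(|new\s+Function\s*\("), "dynamic code evaluation"),
    (re.compile(r"child_process|execSync|spawn\s*\("), "process spawning"),
    (re.compile(r"https?://"), "embedded URL"),
    (re.compile(r"\.npmrc|NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET|\.aws/credentials"),
     "credential path or variable"),
)


def read_tarball(data: bytes) -> dict[str, bytes]:
    """Map path -> bytes for regular files, with npm's 'package/' prefix stripped."""
    files: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile():
                fh = tf.extractfile(member)
                if fh is not None:
                    files[member.name.removeprefix("package/")] = fh.read()
    return files


def audit_package(files: dict[str, bytes]) -> list[str]:
    """Human-readable findings; an empty list means no lifecycle hooks at all."""
    findings: list[str] = []
    manifest = json.loads(files.get("package.json", b"{}"))
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{hook}: {cmd}")
        for ref in SCRIPT_FILE.findall(cmd):  # files the hook command names
            path = ref.lstrip("./")
            body = files.get(path)
            if body is None:
                findings.append(f"{hook} references {ref}, which is not in the tarball")
                continue
            text = body.decode("utf-8", "replace")
            for pattern, label in SUSPICIOUS:
                if pattern.search(text):
                    findings.append(f"{path}: {label}")
            longest = max((len(line) for line in text.splitlines()), default=0)
            if longest > 500:
                findings.append(f"{path}: {longest}-char line (minified or obfuscated)")
    return findings


def make_tarball(files: dict[str, str]) -> bytes:
    """Build an npm-style .tgz (entries under package/) in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a clean release and one whose postinstall hook runs a loader.
# The loader text is inert filler carrying only the tells (hex escapes, execSync, .npmrc).
CLEAN_TARBALL = make_tarball({
    "package.json": json.dumps({"name": "example-lib", "version": "1.0.0",
                                "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = () => 42;\n",
})
TROJANIZED_TARBALL = make_tarball({
    "package.json": json.dumps({"name": "example-lib", "version": "1.0.1",
                                "scripts": {"postinstall": "node router_init.js"}}),
    "index.js": "module.exports = () => 42;\n",
    "router_init.js": 'var _0x=["\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73"];'
                      "var cp=require(_0x[0]); // filler: execSync(...) on ~/.npmrc would go here\n",
})
```

Run this over every tarball a CI job is about to unpack (npm pack --dry-run or the registry's tgz) and treat any lifecycle hook on a package that never had one as a release to hold; the heuristics are deliberately noisy, and the point is the diff against the previous version, not the absolute score.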
Patching Priorities in ICS and Enterprise Software
ABB AC500 programmable logic controllers face a critical stack-based buffer overflow (CWE-787 out-of-bounds write, CVSS 9.8) when parsing CMS (Auth)EnvelopedData or EnvelopedData that uses an AEAD cipher such as AES-GCM. An oversized IV carried in the ASN.1 algorithm parameters is copied into a fixed-size stack buffer without a length check, producing a pre-authentication out-of-bounds write that needs no valid key material. Impact ranges from crashes and denial of service to possible remote code execution, depending on platform and toolchain mitigations. ABB released corrective firmware (AC500 V3 firmware 3.9.0 HF1) for all AC500 V3 PLC types, with no vendor workarounds. CISA republished the advisory and reinforced standard ICS practices: isolate control networks, minimize exposed services, place devices behind firewalls, and use secure remote access where necessary. Operators should prioritize patching and segregation from business networks while monitoring for suspicious activity.
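The fix for this class of bug is a bound on the declared length before anything is copied. RFC 5084 defines the AES-GCM parameters inside CMS EnvelopedData as GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen INTEGER DEFAULT 12 }, so the attacker controls the OCTET STRING length field directly. The following is an added example, not ABB's firmware code, showing a DER parser that rejects an oversized nonce at parse time; it assumes a 16-byte nonce buffer, since the page does not state ABB's actual limit. The encoder is included only to construct a well-formed input with a 300-byte nonce.

```python
"""Added example (not ABB's code): bounding the AES-GCM nonce length while parsing
RFC 5084 GCMParameters, the check that must precede any copy into a fixed buffer.
Assumption: a 16-byte nonce buffer (ABB's real limit is not stated on the page)."""
from __future__ import annotations

MAX_NONCE_LEN = 16  # assumed buffer size; RFC 5084 recommends a 12-byte nonce


def _read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at data[pos:]; return (tag, value, next_pos).
    Every length is checked against the remaining input before slicing."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:  # long form: low 7 bits give the number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length encoding")
        if pos + nbytes > len(data):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError(f"length {length} exceeds remaining {len(data) - pos} bytes")
    return tag, data[pos:pos + length], pos + length


def parse_gcm_parameters(der: bytes, max_nonce_len: int = MAX_NONCE_LEN) -> tuple[bytes, int]:
    """Return (nonce, icv_len) or raise ValueError.  The bound is applied to the
    declared length, so an attacker-chosen length never drives a copy."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GCMParameters must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    tag, nonce, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("aes-nonce must be an OCTET STRING")
    if not 1 <= len(nonce) <= max_nonce_len:
        raise ValueError(f"aes-nonce length {len(nonce)} outside 1..{max_nonce_len}")
    icv_len = 12  # DEFAULT when the INTEGER is absent
    if pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x02 or not raw:
            raise ValueError("aes-ICVlen must be an INTEGER")
        icv_len = int.from_bytes(raw, "big")
        if icv_len not in (12, 13, 14, 15, 16):
            raise ValueError(f"aes-ICVlen {icv_len} not allowed by RFC 5084")
        if pos != len(body):
            raise ValueError("unexpected element after aes-ICVlen")
    return nonce, icv_len


def validate_gcm_parameters(der: bytes) -> str | None:
    """None if the parameters are acceptable, else the rejection reason."""
    try:
        parse_gcm_parameters(der)
        return None
    except ValueError as exc:
        return str(exc)


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV with a short or long-form length (for building inputs)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_gcm_parameters(nonce: bytes, icv_len: int = 12) -> bytes:
    """Encode GCMParameters, omitting aes-ICVlen at its DEFAULT as DER requires."""
    body = _tlv(0x04, nonce)
    if icv_len != 12:
        body += _tlv(0x02, bytes([icv_len]))
    return _tlv(0x30, body)


# Constructed inputs: a normal 12-byte nonce, and a 300-byte nonce whose long-form
# length (82 01 2C) would overrun a 16-byte stack buffer if copied unchecked.
GOOD_PARAMS = encode_gcm_parameters(bytes(range(12)))
OVERSIZED_PARAMS = encode_gcm_parameters(b"A" * 300)
```

In native code the same discipline applies: read the length, compare it to sizeof(buffer), and only then memcpy. The order matters because the parameters arrive before any key material is used, so nothing upstream of the parser can filter a hostile length.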
Microsoft's monthly release addresses 137 vulnerabilities, 31 of them rated Critical, according to Cisco Talos' Patch Tuesday coverage. Notable CVEs include CVE-2026-32161 (a race-driven use-after-free in the Windows Native WiFi Miniport Driver enabling code execution from an adjacent network), CVE-2026-41089 (a stack-based buffer overflow in Windows Netlogon enabling unauthenticated RCE against domain controllers), and CVE-2026-41096 (a heap overflow in the Windows DNS Client triggered by malicious DNS responses). Additional significant issues affect Microsoft Office and Word, Windows GDI (CVE-2026-35421), SharePoint (authenticated RCE), Azure Managed Instance for Apache Cassandra, Office for Android, and Dynamics 365 (on-premises code injection). Microsoft reported no in-the-wild exploitation at publication, but several bugs are marked "Exploitation More Likely." Talos released Snort rules to detect exploitation attempts; defenders should prioritize domain controllers (for the Netlogon bug) and other internet-facing or privileged systems, and update intrusion detection signatures.
SAP shipped May updates for 15 vulnerabilities across its portfolio, including two critical flaws in Commerce Cloud and S/4HANA, per SAP's Security Patch Day notes. CVE-2026-34263 (Commerce Cloud) is a missing authentication check caused by an improper Spring Security configuration that can allow unauthenticated code execution via malicious configuration uploads. CVE-2026-34260 (S/4HANA) is a low-complexity SQL injection that lets an attacker with basic privileges retrieve sensitive data or crash the application, with high confidentiality and availability impact. One high-severity and eleven medium-severity issues also received fixes, spanning command injection, missing authorization checks, XSS, CSRF, and denial of service. SAP reported no evidence of exploitation of these specific bugs; given their realistic exploitability, organizations should prioritize testing and deploying the updates, especially on public-facing instances, enforce least privilege, harden Spring Security configurations, consider WAF rules for injection attempts, rotate credentials where appropriate, and monitor logs for anomalies.
AI Systems Step Into Vulnerability Discovery and Enterprise Operations
Microsoft's Autonomous Code Security team introduced MDASH, a production multi-model agentic vulnerability discovery system that coordinates more than 100 specialized AI agents to find candidate bugs, debate and validate them, and prove exploitability. Microsoft credits MDASH with 16 new CVEs across Windows networking and authentication components, including four Critical remote code execution issues, several of them reachable remotely without credentials and affecting kernel-mode or elevated contexts. In testing, the system identified all 21 seeded bugs in a private driver sample with zero false positives, reached 96% recall on five years of confirmed MSRC cases in clfs.sys and 100% in tcpip.sys, and scored 88.45% on the public CyberGym benchmark. The design treats models as interchangeable inputs to a modular pipeline for targeting, validation, deduplication, and proof, so the system carries over across model generations. In parallel, AWS expanded code-level analysis with full-repository reviews in AWS Security Agent, delivering context-aware scanning across entire codebases, precise remediation suggestions, and exploit-based proofs of concept, at no additional charge during preview in all Regions where the agent is available.
OpenAI announced OpenAI Daybreak, a cybersecurity service that couples generative models with Codex Security to generate threat models, test vulnerabilities in isolated environments, and prioritize remediation with patch validation. The offering spans three model variants: GPT-5.5, GPT-5.5 with Trusted Access for Cyber for verified defensive work, and GPT-5.5-Cyber for permissive red-teaming and controlled validation, with access primarily through partners or by request. OpenAI cites integrations with Akamai, Cisco, Cloudflare, CrowdStrike, Fortinet, Oracle, Palo Alto Networks, and Zscaler under the Trusted Access for Cyber initiative, framing Daybreak as a response to AI-accelerated vulnerability discovery and the remediation bottleneck it creates.
In the enterprise data and SAP landscape, Google and SAP introduced a unified, agentic data fabric at SAP SAPPHIRE, as outlined in Google Cloud's SAP announcement: general availability of BDC Connect for BigQuery for bidirectional, zero-copy access to SAP data, new X5 memory-optimized instances up to 48TB for large HANA and RISE deployments, a SecNumCloud-qualified Sovereign Cloud option with S3NS in France, and a preview of Google SecOps for SAP for agentic security workflows and SAP-aware detections.
Stronger Defaults for Users: Mobile and Messaging
Google's next Android release expands protections against banking scam calls, device theft, and app abuse, according to Google's Android 17 announcement. Android will work with banking apps to verify call authenticity through app-level queries and bank-supplied number lists, with the ability to terminate flagged calls automatically. Live Threat Detection broadens to catch additional abuse techniques such as SMS-forwarding misuse, concealed accessibility overlays, apps that alter their icons, and malicious background launches. Advanced Protection adds stricter controls around accessibility services, disables device-to-device unlocking, turns off Chrome WebGPU, and introduces scam detection for chat notifications. Anti-theft improvements include an enhanced "Mark as lost" mode that enforces biometric unlock, hides Quick Settings, disables Wi-Fi and Bluetooth, and prevents tracking from being turned off, even when a thief knows the passcode. Some protections will be backported to Android 10+ or 11+ devices; rollout and OEM/carrier adoption will vary by market.
Apple's iOS 26.5 adds beta support for default end-to-end encryption in Rich Communication Services between iPhone and Android, bringing modern, internet-based messaging security to cross-platform chats. The feature is enabled by default for supported carriers and for Android users on the latest Google Messages, and encrypted threads show a lock icon. Built on the RCS Universal Profile (MLS-based E2EE in Universal Profile 3.0) and backed by GSMA's endorsement, the rollout reduces the risk of interception on carrier networks, but during the beta it still depends on carrier support and client compatibility, so a thread without the lock icon should be assumed unencrypted. The same update fixes more than 50 security flaws across components such as AppleJPEG, ImageIO, Kernel, mDNSResponder, and WebKit, closing issues that could lead to information disclosure, denial of service, or unexpected termination.