Issue #005 · May 13, 2026

Cyber Threat Brief — Issue #005

What's active. What matters. What to do about it.

Active Campaigns

[ ESCALATING ] Mini Shai-Hulud Wave Four — TeamPCP Hits TanStack, Mistral AI, UiPath in Largest Supply Chain Strike Yet
ACTOR: TeamPCP (UNC6780) — financially motivated, ransomware handoff confirmed
TARGETS: Software development teams, automated build and release pipelines, React developers, enterprise automation users, AI tooling consumers

On May 11, 2026, TeamPCP launched the fourth and most technically sophisticated wave of its Mini Shai-Hulud supply chain campaign, compromising over 170 packages across npm and PyPI — the two largest open-source software package registries, where developers publish and download code — in a five-hour window. The campaign hit @tanstack/react-router, a React routing library with over 12 million weekly downloads, alongside 65 UiPath packages, Mistral AI's Python SDK, the OpenSearch JavaScript client, and Guardrails AI. What makes this wave historically significant is what it achieved. The attacker published malicious packages carrying valid provenance certificates — verifiable records stating exactly where, when, and how a software package was built, and by which trusted system. These certificates exist specifically to prove a package is what it claims to be. TeamPCP didn't steal login credentials. They hijacked TanStack's legitimate automated GitHub release pipeline using a chained three-vulnerability attack, then used the pipeline's own trusted identity to publish malware that carries the same cryptographic proof of legitimacy as a real release — making it indistinguishable from the real thing by any standard security check. Stolen credentials are being exfiltrated via three redundant channels — a lookalike domain designed to appear legitimate, the Session decentralized messenger network, and GitHub itself — where stolen data is quietly deposited into repositories and retrieved later, traffic that blends in with normal developer activity and is rarely blocked. The worm self-propagates by stealing the automated identity credentials of any pipeline that installed a compromised version and using them to infect additional packages.

[ ESCALATING ] First Confirmed AI-Generated Zero-Day Exploit Intercepted Before Mass Exploitation
ACTOR: Unnamed prominent cybercrime group — financially motivated, AI-assisted
TARGETS: Any organization running the targeted open-source web administration tool — target withheld by Google pending full remediation

Google's Threat Intelligence Group confirmed on May 11, 2026 that it identified the first real-world zero-day exploit developed with the assistance of artificial intelligence. A prominent cybercrime group with a documented history of mass exploitation campaigns used an AI model to discover a logic flaw in a widely deployed open-source web administration tool — a hardcoded exception in the authentication flow that allowed attackers to bypass two-factor authentication (2FA) using valid user credentials. Google identified the AI involvement through telltale signs in the exploit code: explanatory comments written in a teaching style, an incorrect severity rating that appeared to be hallucinated, and an unusually clean and structured codebase inconsistent with how human attackers typically write exploits. Google's Threat Intelligence Group worked with the vendor to patch the vulnerability before the planned mass exploitation campaign launched, likely disrupting the operation. Google confirmed neither Gemini nor Anthropic's Mythos was the AI model used. The same report documented North Korean group APT45 sending thousands of repetitive prompts to AI models to systematically analyze known vulnerabilities and validate working exploits at scale — a research workload that would be impractical to sustain without AI assistance.

[ ACTIVE ] Exim Dead.Letter — Critical Mail Server Vulnerability Disclosed
ACTOR: Multiple threat actors — exploitation anticipated imminently
TARGETS: Any organization running Exim mail transfer agent on internet-facing servers

A memory corruption flaw in Exim — the open-source mail transfer agent running on an estimated 56% of internet-facing mail servers worldwide — was disclosed on May 12, 2026. Tracked as CVE-2026-45185 and nicknamed Dead.Letter, the flaw is triggered by a specific sequence of connection events during email transfer that causes the server's memory to become corrupted in a way an attacker can control. The result is remote code execution — the ability for an attacker to run any command on the mail server with no prior access required. Exim has a documented and severe history of rapid exploitation after disclosure — a prior critical Exim flaw was actively exploited within days and remains in CISA's catalog of actively exploited vulnerabilities years later. Dead.Letter was disclosed with a patch available, but given Exim's slow patch adoption rate across the millions of servers running it globally, the exploitation window is expected to be significant.

CVE Watch

CVE-2026-45321 · CVSS 9.6 · [ ESCALATING ]

PRODUCT: TanStack npm packages (@tanstack/react-router and 41 others)

WHAT IT MEANS:

This CVE covers 84 malicious package versions published across 42 packages in the @tanstack namespace on May 11, 2026. Any developer or automated build system that installed an affected @tanstack package between 19:20 and 19:26 UTC on May 11 should be treated as fully compromised. The malware steals cloud credentials, GitHub tokens, API keys, cryptocurrency wallets, and secrets from password managers including 1Password and Bitwarden, sending them out through three redundant channels. A self-propagating worm component uses stolen pipeline identity credentials to attempt publishing malicious versions of any additional packages the compromised system has access to. On systems with Israeli or Iranian locale settings, a destructive payload that deletes files across the system may trigger. The valid provenance certificates on these packages mean standard supply chain security checks will not flag them as suspicious — monitoring for unexpected behavior during software installation and build is the only reliable way to detect this.

ACTION: Immediately audit all automated build system activity after 2026-05-11T19:20Z for unexpected package publishing events or outbound connections to filev2.getsession.org or api.masscan.cloud, rotate all cloud credentials and GitHub tokens from any environment that installed affected packages, and verify package signatures while understanding that valid provenance certificates do not guarantee safety in this specific incident.
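The audit step above is mechanical enough to script. The following triage helper is an added example (not tooling from the brief, from TanStack, or from any of the listed vendors): it scans pipeline and egress log lines and flags the three things the brief calls out, namely installs of @tanstack packages inside the 19:20 to 19:26 UTC window on May 11, any package publish event after the 19:20Z cutoff, and outbound connections to the two exfiltration hosts named above. The one-line log format, the runner names and the sample lines are all constructed for the example; the two hostnames and the time window come from the brief.

```python
"""Build-pipeline triage for the Mini Shai-Hulud wave-four indicators.

Added example. Assumed log line shape (one event per line):
    <ISO-8601 UTC timestamp> <runner-id> <install|publish|connect> <detail>
Real CI and proxy logs will need their own parser; only the indicators
(time window, exfiltration hosts) are taken from the brief.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Window in which the malicious @tanstack versions were live (from the brief).
WINDOW_START = datetime(2026, 5, 11, 19, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 11, 19, 26, tzinfo=timezone.utc)

# Exfiltration hosts named in the brief's ACTION item.
EXFIL_HOSTS = {"filev2.getsession.org", "api.masscan.cloud"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(install|publish|connect)\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    runner: str
    reason: str
    detail: str


def parse_ts(raw: str) -> datetime:
    """Parse a Z-suffixed ISO-8601 timestamp as UTC."""
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def host_of(target: str) -> str:
    """Reduce 'scheme://host:port/path' or 'host:port' to the bare host."""
    target = target.split("://", 1)[-1]
    return target.split("/", 1)[0].split(":", 1)[0].lower()


def triage(lines: list[str]) -> list[Finding]:
    """Return one Finding per log line that matches an indicator from the brief."""
    findings: list[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrecognised line: skip rather than guess
        ts, runner, event, detail = parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        if event == "install" and detail.startswith("@tanstack/") and WINDOW_START <= ts <= WINDOW_END:
            findings.append(Finding(ts, runner, "tanstack-install-in-window", detail))
        elif event == "publish" and ts >= WINDOW_START:
            findings.append(Finding(ts, runner, "publish-after-cutoff", detail))
        elif event == "connect" and host_of(detail) in EXFIL_HOSTS:
            findings.append(Finding(ts, runner, "exfil-host-contact", detail))
    return findings


def compromised_runners(findings: list[Finding]) -> list[str]:
    """Runners whose credentials should be rotated (any hit means rotate)."""
    return sorted({f.runner for f in findings})


# Constructed sample log: runner names, package names other than @tanstack,
# and the publish target are placeholders, not observed data.
SAMPLE_LOG = [
    "2026-05-11T18:55:02Z build-runner-01 install @tanstack/react-router",   # before window: clean
    "2026-05-11T19:22:10Z build-runner-03 install @tanstack/react-router",   # inside window: hit
    "2026-05-11T19:23:41Z build-runner-03 connect https://filev2.getsession.org/upload",
    "2026-05-11T19:24:05Z build-runner-03 publish @example-org/internal-ui",  # worm-style publish
    "2026-05-11T19:30:00Z build-runner-02 connect https://registry.npmjs.org/",
    "2026-05-11T19:40:00Z build-runner-05 connect api.masscan.cloud:443",
    "2026-05-11T20:01:12Z build-runner-02 install lodash",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp.isoformat()} {f.runner:16} {f.reason:28} {f.detail}")
    print("rotate credentials on:", ", ".join(compromised_runners(hits)))
```

A runner that shows any one of the three indicators is treated as compromised; the worm component means a single in-window install is enough to justify rotating that runner's cloud credentials and GitHub tokens even if no publish or exfiltration connection was logged.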

CVE-2026-45185 · CVSS 9.8 · [ ACTIVE ]

PRODUCT: Exim Mail Transfer Agent (Dead.Letter)

WHAT IT MEANS:

Dead.Letter is a memory corruption flaw in Exim triggered through a specific sequence of connection events during email transfer. Successful exploitation gives an attacker full remote control over the mail server — including every email flowing through it, the credentials stored on it, and a foothold into the broader network. Exim runs on an estimated 56% of internet-facing mail servers globally, making the potential scale of active exploitation enormous. The vulnerability requires no authentication and no prior relationship with the target server — any attacker on the internet can attempt it. Exim's history with critical vulnerabilities is poor: prior critical flaws have taken months to years to be patched across the installed base, giving attackers extended exploitation windows on unpatched servers.

ACTION: Patch Exim immediately to the version addressing CVE-2026-45185, restrict inbound email connections to known sender ranges where possible, and monitor for unusual outbound connections from mail server processes.

CVE-2026-42208 · CVSS 9.1 · [ ACTIVE ]

PRODUCT: BerriAI LiteLLM

WHAT IT MEANS:

LiteLLM is a widely used open-source library that acts as a unified gateway connecting applications to multiple AI providers including OpenAI, Anthropic, and Google. This CVE is a SQL injection vulnerability — an attack technique where malicious commands are inserted into database queries, tricking the system into revealing or modifying data it shouldn't. In LiteLLM's case, a successful attack allows an attacker to read and potentially modify its database, gaining access to the API keys and credentials it manages for every AI provider configured. LiteLLM is deployed across thousands of enterprise environments as the central management layer for AI operations. A successful exploit doesn't just expose one API key — it exposes every AI credential the organization has routed through LiteLLM. CISA added this to its catalog of actively exploited vulnerabilities on May 8, 2026 with a federal remediation deadline of May 11 — already past for federal agencies. LiteLLM was previously compromised in a TeamPCP supply chain attack in March 2026, making it a repeated high-value target.

ACTION: Apply the LiteLLM patch per vendor instructions immediately, rotate all AI provider API keys managed through affected LiteLLM instances, and audit database access logs for evidence of unauthorized reads or modifications.
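The entry above explains SQL injection in general terms. The following added example (not LiteLLM's code, and not the flaw behind CVE-2026-42208, whose details the brief does not give) shows the defect class against a hypothetical table of per-team provider keys: one lookup splices the caller-supplied team name into the SQL text, the other binds it as a parameter. The table name, columns and placeholder key values are constructed for the example.

```python
"""SQL injection: string-built query beside its parameterized replacement.

Added example using Python's bundled sqlite3 module. The schema is a
hypothetical stand-in for a gateway's credential store, not LiteLLM's.
"""
import sqlite3


def setup_demo_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows; keys are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE provider_keys (team TEXT, provider TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO provider_keys VALUES (?, ?, ?)",
        [
            ("team-a", "openai", "PLACEHOLDER-KEY-A"),
            ("team-b", "anthropic", "PLACEHOLDER-KEY-B"),
        ],
    )
    conn.commit()
    return conn


def lookup_keys_vulnerable(conn: sqlite3.Connection, team: str) -> list[tuple]:
    """Defective: the untrusted value becomes part of the SQL program itself."""
    query = f"SELECT team, provider, api_key FROM provider_keys WHERE team = '{team}'"
    return conn.execute(query).fetchall()


def lookup_keys_safe(conn: sqlite3.Connection, team: str) -> list[tuple]:
    """Hardened: the value is bound by the driver and can only ever be data."""
    query = "SELECT team, provider, api_key FROM provider_keys WHERE team = ?"
    return conn.execute(query, (team,)).fetchall()


def compare(team: str) -> tuple[int, int]:
    """Row counts returned by the two lookups for the same input."""
    conn = setup_demo_db()
    return len(lookup_keys_vulnerable(conn, team)), len(lookup_keys_safe(conn, team))


if __name__ == "__main__":
    # A benign team name behaves identically in both versions.
    print("team-a       ->", compare("team-a"))
    # A name containing a quote changes the WHERE clause in the vulnerable
    # version; the parameterized version just looks for that literal string.
    print("quoted input ->", compare("x' OR '1'='1"))
```

The second line of output is the whole point: the string-built query returns every team's key for one unprivileged request, which is exactly the "every AI credential routed through the gateway" exposure the brief describes, while the parameterized query returns nothing. Audit queries for the same tautology pattern in database logs are a reasonable starting point for the log review the ACTION item calls for.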

Threat Actor Activity

TeamPCP (UNC6780) [ ESCALATING ]

Launched the fourth and largest Mini Shai-Hulud campaign, compromising 170+ packages across npm and PyPI including TanStack, Mistral AI, UiPath, and Guardrails AI. For the first time in any documented supply chain attack, published malicious packages carrying valid provenance certificates — verifiable records that are supposed to prove a package is legitimate — making them indistinguishable from real releases by standard security tooling. The worm is actively self-propagating through stolen pipeline identity credentials.

APT45 (North Korea — Lazarus-adjacent) [ ACTIVE ]

Google's Threat Intelligence Group documented APT45 sending thousands of repetitive prompts to AI models to systematically analyze known vulnerabilities and validate working exploits at scale — building an AI-assisted research capability that would be impractical to maintain manually. The group is also testing AI-powered attack tools in intentionally vulnerable environments to refine AI-generated payloads before deployment.

Unnamed cybercrime group (AI zero-day) [ ACTIVE ]

Google intercepted the first confirmed AI-generated zero-day exploit in the wild — a two-factor authentication bypass targeting a widely deployed open-source web administration tool. The group has a documented history of high-profile mass exploitation campaigns. Google's proactive disclosure to the vendor likely disrupted the planned operation before it launched.

Salt Typhoon [ ACTIVE ]

No new confirmed incidents. Congressional oversight of carrier remediation claims continues. Full eviction from US telecommunications infrastructure remains unconfirmed by independent sources.

Volt Typhoon [ MONITORING ]

No new confirmed activity. Pre-positioning in US critical infrastructure from prior periods remains unresolved. Continued operational silence consistent with established long-dwell pattern.

Key Takeaway

Two developments this week mark meaningful escalations in the threat landscape: not incremental steps, but threshold crossings. TeamPCP's Mini Shai-Hulud campaign achieved something no supply chain attack has demonstrated before: publishing malicious software packages that carry valid provenance certificates, the cryptographic records the security industry built specifically to prove a package is legitimate. TeamPCP has shown that this safeguard can be weaponized by anyone who compromises the pipeline that generates the certificates. Separately, Google confirmed the first real-world case of an AI-generated zero-day exploit. A cybercrime group used artificial intelligence to discover a logic flaw in widely deployed software and build a working two-factor authentication bypass, which Google intercepted before mass exploitation began. Both events share a common implication: the defenses the security industry has relied on to establish trust (provenance certificates, two-factor authentication) are being systematically studied and circumvented by actors who now have AI assistance in that process. The question for defenders is no longer whether AI-assisted attacks are coming. The answer to that question arrived this week.

Sources

  • Google Threat Intelligence Group
  • Wiz Security Research
  • StepSecurity
  • Snyk Security
  • Socket Security
  • The Hacker News
  • CyberScoop
  • SecurityWeek
  • CISA Known Exploited Vulnerabilities Catalog
  • Infosecurity Magazine