This Week in Cybersecurity
Issue 19 is anchored by a milestone that the security industry has been dreading: Google confirmed the first AI-generated zero-day exploit observed being used in the wild against real targets. The flaw targets two-factor authentication — one of the most trusted controls in the enterprise arsenal — and forensic evidence points to a prominent cybercrime organization that used AI tooling to compress a vulnerability research cycle that would normally require rare human expertise. This isn't a theoretical concern anymore. The gap between sophisticated and unsophisticated attackers just shrank measurably.
The week's second dominant thread is supply chain. TeamPCP launched a fresh wave of its Mini Shai-Hulud campaign, this time embedding credential-stealing payloads in npm and PyPI packages from TanStack, Mistral AI, Guardrails AI, UiPath, and OpenSearch. Given that TanStack packages sit in hundreds of thousands of JavaScript projects and Guardrails AI is embedded in enterprise LLM safety pipelines, the blast radius here is substantial. Any organization that installed or updated these packages during the compromise window should assume CI/CD secrets are exposed and rotate accordingly.
The education sector absorbed another hard blow. Instructure — the company behind Canvas LMS, used by over 6,000 institutions — reached an undisclosed "agreement" with ShinyHunters after the group threatened to release 3.65 TB of stolen student and institutional data. Universities had already been forced to reschedule final exams during the height of the extortion campaign. That the term "agreement" was used rather than a denial of payment tells you most of what you need to know about how this resolved.
On the ransomware front, West Pharmaceutical Services — a critical pharmaceutical supply chain manufacturer — filed an SEC disclosure confirming attackers breached its network on May 4, exfiltrated data, and deployed file-encrypting ransomware, forcing a global operational shutdown. A $3 billion manufacturer going dark in the middle of drug packaging production is exactly the kind of leverage double-extortion operators are designed to create.
Rounding out the week: Fortinet issued emergency patches for FortiSandbox and FortiAuthenticator, SAP's May Patch Day addressed two critical flaws including a CVSS 9.6 SQL injection in S/4HANA, the UK fined a water utility £1.3M for allowing hackers to lurk undetected for nearly two years, and GM agreed to a $127.5M California settlement over the unauthorized sale of driver data.
Top Stories
Google Confirms First AI-Generated Zero-Day Exploit in the Wild
Google's threat intelligence team has confirmed what researchers have feared: the first AI-generated zero-day exploit observed being actively used against real targets. The exploit was engineered to bypass two-factor authentication at scale, and the forensic evidence — unusual efficiency in exploit construction, payload optimization patterns inconsistent with known human-authored code, architectural choices characteristic of LLM output — led Google's analysts to conclude with high confidence that AI played a central role in both discovering and weaponizing the underlying vulnerability.
The threat group behind the campaign is described as a prominent cybercrime organization with the resources to access advanced AI tooling. The key implication is not that AI replaced human expertise, but that it dramatically accelerated the research cycle — bringing zero-day-level capability to actors who would previously have lacked the rare technical skill required. A working 2FA bypass is tactically significant precisely because 2FA is so universally recommended and so psychologically trusted: defenders feel protected even as the exploit manipulates the authentication session beneath them.
The immediate priorities: watch vendors of widely used authentication libraries for incoming patches, complement 2FA implementations with device trust and behavioral analytics, and treat AI-assisted exploitation as a permanent fixture of the threat landscape rather than a future concern.
Mini Shai-Hulud Worm Hits TanStack, Mistral AI, Guardrails AI, and More
TeamPCP has launched the latest wave of its Mini Shai-Hulud supply chain attack campaign, compromising npm and PyPI packages from TanStack, Mistral AI, Guardrails AI, UiPath, and OpenSearch. The modified packages deliver credential-stealing payloads that execute silently during installation, enumerate environment variables for CI/CD secrets, and attempt to spread to adjacent packages by abusing stolen maintainer tokens.
TanStack packages — including TanStack Query, Table, and Router — are used across hundreds of thousands of JavaScript projects. Mistral AI's Python SDK is embedded in AI application stacks globally. Guardrails AI sits inside enterprise LLM validation pipelines. This campaign is a direct escalation of TeamPCP's earlier attacks on Checkmarx's Jenkins AST plugin and SAP packages — and it confirms the group has specifically pivoted to target AI tooling and developer infrastructure at scale.
Any organization that installed or updated packages from these projects during the compromise window should: rotate all CI/CD secrets immediately, verify installed package hashes against known-good checksums, review pipeline logs for unexpected outbound connections, and implement dependency pinning with checksums going forward.
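The hash-verification step above, as an added example (not code from this newsletter or from any affected project): it compares the `integrity` pins in an npm `package-lock.json` (v2/v3 `packages` layout) with the bytes actually fetched, and flags entries that are unpinned or pinned only with a weak hash. The package names, tarball bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

STRONG = ("sha512", "sha384", "sha256")  # strongest first; sha1-only pins are rejected

def sri(data: bytes, algo: str) -> str:
    """Build an npm-style integrity string: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def check_integrity(pinned: str, data: bytes) -> str:
    """Verify data against the strongest algorithm present in the pin."""
    entries = pinned.split()  # a pin may list several space-separated hashes
    for algo in STRONG:
        same_algo = [e for e in entries if e.startswith(algo + "-")]
        if same_algo:
            ok = any(hmac.compare_digest(sri(data, algo), e) for e in same_algo)
            return "ok" if ok else "mismatch"
    return "weak-or-unknown-hash"

def audit_lockfile(lock: dict, fetched: dict) -> dict:
    """Return {lockfile path: finding} for every entry that is not a clean match."""
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):  # root project / workspace symlink
            continue
        pinned = meta.get("integrity")
        if not pinned:
            findings[path] = "unpinned"
        elif path not in fetched:
            findings[path] = "not-fetched"
        else:
            result = check_integrity(pinned, fetched[path])
            if result != "ok":
                findings[path] = result
    return findings

# Constructed sample data: hypothetical package names and stand-in tarball bytes.
GOOD = b"constructed tarball bytes v1.0.0"
TAMPERED = GOOD + b"\n// injected install hook"
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/example-query": {"version": "1.0.0", "integrity": sri(GOOD, "sha512")},
    "node_modules/example-router": {"version": "1.0.0", "integrity": sri(GOOD, "sha512")},
    "node_modules/example-legacy": {"version": "0.1.0", "integrity": sri(GOOD, "sha1")},
    "node_modules/example-git-dep": {"version": "2.0.0"},
}}
SAMPLE_FETCHED = {
    "node_modules/example-query": GOOD,
    "node_modules/example-router": TAMPERED,
    "node_modules/example-legacy": GOOD,
}

if __name__ == "__main__":
    for path, finding in audit_lockfile(SAMPLE_LOCK, SAMPLE_FETCHED).items():
        print(f"{finding:22} {path}")
```

A clean result only shows that the fetched bytes match the lockfile; the lockfile itself must come from a commit that predates the compromise window.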
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65 TB Canvas Leak
Instructure, parent company of Canvas LMS, confirmed it reached an "agreement" with the ShinyHunters extortion group after the threat actors stole 3.65 TB of student and institutional data and threatened to release it publicly. The stolen dataset reportedly includes student and faculty PII, authentication credentials, course records, and institutional data from thousands of the 6,000+ educational organizations that use Canvas worldwide.
The "agreement" language is a careful construction — Instructure did not confirm a ransom payment, did not disclose terms, and did not deny payment either. The security community's reading of this phrasing is essentially uniform. The incident follows a chaotic week in which Canvas login portals were disrupted and multiple universities were forced to reschedule final exams during peak exam season.
Affected institutions should communicate proactively with students even though the immediate dump threat is resolved — there is no enforceable guarantee that stolen data is actually deleted after payment, and ShinyHunters has a documented history of re-leveraging datasets. Prioritize credential rotation for any accounts that authenticated through Canvas, and review how third-party LMS providers are addressed in institutional incident response plans.
West Pharmaceutical Services Hit by Disruptive Ransomware Attack
West Pharmaceutical Services (NYSE: WST) filed an SEC Form 8-K disclosing that a ransomware attack has disrupted global business operations. Attackers first breached the network on May 4, conducted lateral movement and data exfiltration, then deployed file-encrypting ransomware — forcing the company to proactively take systems offline globally to contain the spread.
West Pharmaceutical is a critical link in the pharmaceutical supply chain: the company manufactures injectable drug packaging components — rubber closures, seals, and delivery systems for vials and prefilled syringes — used by major pharmaceutical and biotech manufacturers worldwide, with over $3 billion in annual revenue. The combination of production downtime pressure, IP value, and regulatory exposure makes it exactly the kind of target that ransomware groups prioritize. Attribution — which group posts West Pharmaceutical to a dark web leak site — is expected within days.
Pharmaceutical and manufacturing organizations should treat this as an elevated-threat signal for the sector: review third-party supply chain redundancy for affected component types, verify offline backup integrity, and patch externally exposed infrastructure (VPN, RDP) as the most common initial access vectors.
Fortinet Warns of Critical RCE Flaws in FortiSandbox and FortiAuthenticator
Fortinet issued emergency security patches for two critical-severity vulnerabilities affecting FortiSandbox and FortiAuthenticator — both widely deployed across enterprise and government networks. Successful exploitation of either flaw could allow remote attackers to execute arbitrary commands on the affected appliance.
The FortiAuthenticator flaw is particularly dangerous: FortiAuthenticator is the authentication gateway for enterprise environments, and a compromised instance can be used to bypass MFA across connected Fortinet products (FortiGate VPN, FortiClient, FortiMail) and abuse certificate infrastructure for man-in-the-middle attacks. Fortinet vulnerabilities follow a consistent and well-documented exploitation pattern — threat actors begin scanning within 24-72 hours of public disclosure. CVE-2022-40684 and CVE-2024-21762 both saw mass exploitation before patches were widely applied.
Organizations should patch immediately, restrict management interfaces to trusted source IPs if patching cannot be completed at once, review admin login logs for signs of prior exploitation, and — if FortiAuthenticator is compromised — evaluate temporarily disabling it as an MFA provider and falling back to alternative mechanisms until remediation is complete.
Security Corner
10 CVEs are newly published to the Security Advisories section this week. Key advisories to prioritize:
CVE-2026-34260 — SAP S/4HANA SQL Injection via Enterprise Search for ABAP (CVSS 9.6): A critical SQL injection in the SAP Enterprise Search for ABAP component allows any authenticated SAP user to inject malicious SQL directly into the database layer of S/4HANA — one of the most widely deployed ERP systems in the world. The direct user-input concatenation flaw exposes financial records, HR data, customer PII, and supply chain data to extraction, modification, or destruction. Apply SAP's May 2026 Security Patch Day update immediately, restrict Enterprise Search access to essential users, and audit usage logs for anomalous query patterns prior to patching.
CVE-2026-34263 — SAP Commerce Cloud Unauthenticated RCE: A critical remote code execution vulnerability in SAP Commerce Cloud requires no authentication to exploit. An attacker with network access to an exposed Commerce Cloud instance can execute arbitrary code on the underlying server. Apply SAP's May 2026 patch immediately and restrict the application's management interface from untrusted networks pending remediation.
CVE-2026-6433 — WordPress Plugin SQL Injection Enables Unauthenticated PHP Code Execution (CVSS 7.3): The Custom css-js-php plugin through version 2.0.7 fails to sanitize user input before incorporating it into a SQL query, then passes the result to dynamic PHP code execution — allowing unauthenticated attackers to run arbitrary PHP on the server. No valid account is required. WordPress site owners running this plugin should deactivate and delete it immediately, audit for webshell installations and unauthorized admin accounts, and rotate WordPress secret keys.
Also published this week:
- CVE-2026-28872
- CVE-2025-61311
- CVE-2026-40636
- CVE-2021-47923
- CVE-2021-47932
- CVE-2021-47933
- CVE-2021-47936
Quick Takes
- UK Water Supplier Fined £1.3M for Exposing 664K Customers' Data: South Staffordshire Water was fined £1.3 million by the ICO after regulators found hackers lurked undetected inside its network for nearly two years before the breach was discovered. The fine reflects both the scale of data exposure (664,000 customers) and the fundamental failure of network monitoring to detect the intrusion over an extended period.
- GM Agrees to $127.5M California Settlement Over Driver Data Sale: General Motors settled a California class action for $127.5 million stemming from allegations it sold precise location data and driving behavior records to insurance companies without adequate customer consent. The settlement is one of the largest automotive data privacy judgments to date and signals that regulators and courts are increasingly treating connected-vehicle data as a first-class privacy concern.
- Ivanti EPMM CVE-2026-6973 Under Active Exploitation — Admin-Level RCE: A critical remote code execution vulnerability in Ivanti Endpoint Manager Mobile is being actively exploited in the wild, granting attackers admin-level access to affected devices. Ivanti vulnerabilities have been among the most reliably exploited enterprise targets in 2025-2026; organizations should patch immediately and check for indicators of compromise before assuming their environment is clean.
- TeamPCP Compromises Checkmarx Jenkins AST Plugin: In a separate Mini Shai-Hulud-linked incident, TeamPCP compromised the Checkmarx Jenkins AST plugin — a security scanning tool trusted with broad CI/CD access. Ironically, the tool designed to protect build pipelines became the vector for credential theft. Organizations using this plugin should audit their Jenkins environments and rotate any credentials the plugin had access to.
- Why Changing Passwords Doesn't End an Active Directory Breach: A timely analysis argues that password rotation is insufficient to terminate an Active Directory compromise — attackers commonly maintain persistence through Kerberoastable service accounts, shadow credentials, Golden Ticket attacks, and AdminSDHolder abuse that survive user password changes. Security teams responding to AD incidents should prioritize hunting these persistence mechanisms, not just enforcing resets.
- Skoda Data Breach Hits Online Shop Customers: Skoda disclosed a data breach affecting customers of its online store, with attackers gaining access to names, email addresses, and order history. The incident is a reminder that automotive brands' direct-to-consumer e-commerce properties carry the same breach risk as any other retailer — and that brand trust doesn't automatically translate to security investment.
- ExaForce Raises $125M for Agentic SOC Platform: Security operations startup ExaForce closed a $125 million funding round to accelerate its AI-driven security operations center platform. The investment reflects continued enterprise appetite for AI-native SOC tooling that can handle alert volumes and triage speeds that human analysts alone cannot sustain — particularly relevant given this week's AI zero-day news.
Upcoming
- AI Zero-Day Implications for Patch Timelines: The confirmation of an AI-generated zero-day exploit should trigger a reassessment of patch cycle assumptions across your organization. If AI tooling can compress vulnerability research and weaponization into a fraction of the traditional timeline, remediation windows that felt reasonable last year may now be too slow. Watch for CISA KEV additions related to the disclosed 2FA vulnerability and treat the next CVSS 9.x advisory as a zero-hour item.
- West Pharmaceutical Attribution: Ransomware group attribution for the West Pharmaceutical Services attack is expected within days as operators post victims to dark web leak sites. Watch for the disclosure: it will reveal the ransom demand, the scope of exfiltrated data, and whether any pharmaceutical supply chain customers received formal notification of potential component delivery disruption.
- Canvas Post-Ransom Fallout: The Instructure "agreement" with ShinyHunters halted the immediate leak threat, but stolen data does not disappear on payment. Affected educational institutions should prepare for potential secondary exposure of the 3.65 TB dataset and begin proactive student communications now, rather than waiting for evidence of publication. Also watch for FERPA and state data breach notification filings, which will formalize the disclosure timeline.
- SAP May Patch Day — CVE-2026-34260 Critical Priority: SAP S/4HANA is the financial, HR, and supply chain backbone for thousands of enterprises globally. CVE-2026-34260 at CVSS 9.6 should be treated as a top-priority patching item regardless of current schedule. If the SAP Basis team cannot apply the patch immediately, temporarily restrict Enterprise Search access to essential users and begin reviewing ABAP audit logs for signs of prior exploitation.
- Fortinet Exploitation Window: History consistently shows Fortinet vulnerabilities are weaponized within 24-72 hours of disclosure. Every day an unpatched FortiSandbox or FortiAuthenticator management interface is exposed to untrusted networks is a day within the exploitation window. Organizations that cannot patch immediately should restrict management access to trusted source IPs and accelerate the maintenance window — the cost of unplanned downtime for patching is lower than the cost of incident response.
By the Numbers
| Metric | Value |
|---|---|
| Canvas breach — data volume threatened for release | 3.65 TB |
| Canvas LMS — institutions potentially affected | 6,000+ |
| West Pharmaceutical — annual revenue at risk of disruption | $3B+ |
| West Pharmaceutical — days between breach and ransomware deployment | ~7 days |
| CVE-2026-34260 (SAP S/4HANA SQLi) CVSS score | 9.6 Critical |
| CVE-2026-6433 (WordPress Plugin) authentication required | None |
| UK water supplier ICO fine | £1.3 million |
| UK water supplier — attacker dwell time before detection | ~2 years |
| GM California data privacy settlement | $127.5 million |
| New CVEs published this week | 10 |
CosmicBytez Labs — IT & Cybersecurity Intelligence Hub