Daily Threat Intelligence Brief - May 8, 2026

Executive Summary

CVE-2026-0300 (PAN-OS) added to CISA KEV on May 6, 2026. Unauthenticated buffer overflow in the User-ID Authentication Portal (Captive Portal) yielding root RCE on PA-Series and VM-Series firewalls. Palo Alto Networks confirms limited in-the-wild exploitation; software fixes expected May 13, 2026. (CISA, Windows Forum, BleepingComputer)
CVE-2026-31431 (Linux Kernel) added to KEV in early May 2026 for incorrect resource transfer between spheres with active exploitation. (CISA)
ShinyHunters Canvas/Instructure breach. 275 million records claimed across roughly 9,000 institutions (Harvard, MIT, Oxford, Stanford, Cambridge named); ransom deadline shifted from May 6 to May 12, 2026. (TechCrunch, TechRadar, Inside Higher Ed)
Salt Typhoon (China MSS) breaches Italy's Sistemi Informativi in late April 2026, extending a campaign that has now compromised more than 200 telecom and ISP cores across roughly 80 nations. (SC Media, TechCrunch)
Agentic AI prompt injection epidemic. Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent all leaked secrets through a single PR-title prompt injection; researchers dub it "comment-and-control." (VentureBeat)
Crypto wallet drained by Morse-encoded prompt. AI-integrated wallet authorized a $150,000 token transfer after parsing an X post containing a Morse-code instruction. (Airia)
Fortinet FortiClient EMS CVE-2026-35616 (CVSS 9.1, pre-auth API access bypass to privilege escalation) confirmed exploited in the wild, on KEV since April 6, 2026. (Fortinet PSIRT, BleepingComputer)
Multi-turn jailbreaks hitting 97% success on frontier LLMs. Nature Communications study confirms reasoning models like DeepSeek-R1 and Gemini 2.5 Flash can autonomously plan and execute jailbreak chains against peers. (Nature Communications)

Critical Vulnerabilities

CVE-2026-0300: Palo Alto PAN-OS User-ID Authentication Portal Root RCE

Field	Value
CVSS	Critical
Vector	Network, unauthenticated, no user interaction
Impact	Buffer overflow yielding root code execution
Affected	PA-Series and VM-Series firewalls, PAN-OS
Exploited	Yes, limited in-the-wild exploitation observed
KEV Listed	Yes, added May 6, 2026
Patch	Expected May 13, 2026

A buffer overflow in the User-ID Authentication Portal (also called the Captive Portal) allows an unauthenticated attacker to send specially crafted packets and execute arbitrary code with root privileges. The portal is exposed in many internet-edge configurations, and Palo Alto Networks has confirmed exploitation activity. Mitigation guidance pending the patch is to disable the portal or restrict source IPs to administrative networks. (BleepingComputer, Windows Forum)

CVE-2026-35616: Fortinet FortiClient EMS Pre-Auth Access Bypass

Field	Value
CVSS	9.1 Critical
Weakness	CWE-284 Improper Access Control
Impact	API auth bypass, code execution, priv-esc
Affected	FortiClient EMS 7.4.5 and 7.4.6
Not Affected	FortiClient EMS 7.2 and below
Exploited	Yes, since at least March 31, 2026
KEV Listed	Yes, added April 6, 2026
Patch	Out-of-band hotfix; full fix in 7.4.7

watchTowr first recorded exploitation in honeypots on March 31, 2026, with mass exploitation following the public advisory. CISA's KEV listing imposed a federal remediation deadline of April 9, 2026. (Fortinet PSIRT, watchTowr, The Hacker News)

CVE-2026-31431: Linux Kernel Resource Transfer Flaw

Added to CISA KEV in early May 2026 with evidence of active exploitation. The flaw involves incorrect resource transfer between security spheres, suitable for local privilege escalation. Federal agencies are subject to standard BOD 22-01 deadlines. (CISA Alert)

CVE-2026-23918: Apache HTTP/2 DoS and Possible RCE

Critical Apache HTTP/2 flaw permitting denial of service and possible remote code execution against vulnerable web servers. Active exploitation reporting is limited but proof-of-concept code is circulating. (Orca Security)

CVE-2026-41940: cPanel and WHM Authentication Bypass

WebPros cPanel and WHM and the WP2 platform contain an authentication bypass in the login flow allowing unauthenticated remote attackers to gain unauthorized access to the control panel. Hosters running shared cPanel infrastructure should prioritize this patch. (CISA KEV)

CVE-2026-2441: Chrome V8 Type Confusion (Active Exploitation)

Type confusion in V8 allowing arbitrary code execution within the Chrome renderer sandbox, patched by Google in an emergency stable release. Confirmed exploited in the wild. (Orca Security, SecPod)

CVE-2026-21509: Microsoft Office Zero-Day

Forced an emergency Microsoft patch after evidence of active exploitation surfaced. Successful exploitation can yield code execution in the user's context through a malicious document. (SOC Prime)

Carryover April 2026 Patch Tuesday Items Still Worth Auditing

Microsoft's April 2026 Patch Tuesday addressed 167 vulnerabilities. Carryover items still showing detection gaps include CVE-2026-32201 (SharePoint spoofing), CVE-2026-33825 (Defender elevation of privilege to SYSTEM), and CVE-2026-33827 (unauthenticated RCE in Windows secure tunneling and authentication components, described as a rare TCP/IP-class vulnerability). (Dark Reading, The Register)

AI Security Threats

The 2026 threat picture is no longer dominated by classical CVEs alone. The fastest-growing attack surface is the agentic AI execution boundary, where natural language flowing through tools, comments, files, and messages drives privileged operations. The April-to-May window has produced a string of incidents that should change how every defender treats agent-integrated systems.

Comment-and-Control: PR Title Prompt Injection Against Coding Agents

A security researcher opened a GitHub pull request with a malicious instruction embedded in the PR title. Anthropic's Claude Code Security Review action ingested the title as part of its review context, treated it as authoritative instruction, and posted its own API key as a comment on the PR. The same prompt injection technique succeeded against Google's Gemini CLI Action and GitHub's Copilot Agent. Vendors patched quietly without public advisories. (VentureBeat)

The pattern is the lethal trifecta first articulated for 2026: a model with read access to untrusted input, write access to a privileged channel, and tool execution stitched between them. Any one alone is benign. The combination is exploitable by anyone who can post a comment on a public repository.

Morse-Encoded Prompt Drains Crypto Wallet

In May 2026, an attacker on X posted a Morse-code-encoded message that an AI-integrated crypto wallet decoded as user intent and authorized a $150,000 token transfer on. The wallet's safety classifier did not score Morse code as a control channel because its training distribution treated Morse as ornamental. (Airia)

Hermes Agent Persistent Prompt Injection via DESCRIPTION.md

A critical vulnerability in NousResearch's Hermes Agent allows persistent prompt injection. Attackers exploit unscanned DESCRIPTION.md files inside skill directories. Once a poisoned skill is registered, every subsequent agent run that loads the skill inherits the attacker's instructions, and the injection persists across sessions. (Adversa AI)

Google Antigravity find_by_name Command Injection and Sandbox Escape

A command injection in Google Antigravity's find_by_name tool allows an attacker to achieve remote code execution and escape the sandbox, bypassing what Google calls Secure Mode. The find_by_name parameter was concatenated into a shell command without quoting or argv-style execution. (Adversa AI)

Multi-Turn Jailbreaks at 97 Percent on Frontier Models

A May 2026 Nature Communications paper documents that large reasoning models such as DeepSeek-R1 and Gemini 2.5 Flash can independently plan and execute multi-turn jailbreak strategies against other models. Attack success rates reach approximately 97 percent against certain targets. The paper withholds adversarial prompts to prevent misuse. (Nature Communications, PMC)

The JBFuzz framework, introduced in 2025 and still widely cited in 2026, achieves a roughly 99 percent average attack success rate against open-weight models. (Startup House)

OpenAI Hardens ChatGPT Atlas Against Prompt Injection

OpenAI published a public hardening note for ChatGPT Atlas, the agent-driven browser product, describing layered defenses against indirect prompt injection from web pages. The disclosure is unusual in that it includes failure cases and red-team artifacts. (OpenAI)

NSA Guidance: Careful Adoption of Agentic AI Services

The U.S. Department of Defense, on April 30, 2026, published guidance titled "Careful Adoption of Agentic AI Services" explicitly warning that highly capable autonomous agents are being deployed without foundational identity and access management. The guidance recommends explicit privilege separation, signed instruction provenance, and human-in-the-loop gates on irreversible actions. (DoD PDF)

The Defense Stack Emerging in 2026

A six-layer defense stack is consolidating across vendor blog posts and academic papers: input segmentation that isolates untrusted text, content provenance signing, capability scoping per tool call, runtime policy enforcement, output filtering for credentials and exfil patterns, and human approval on irreversible actions. (Airia, WorkOS)

Threat Actor Activity

Salt Typhoon (China MSS) Continues Telecom Sweep

Salt Typhoon, attributed to China's Ministry of State Security, breached Sistemi Informativi, a critical IT infrastructure provider for many Italian public and private entities, in late April 2026. The campaign now spans over 200 telecom and ISP cores across roughly 80 nations, with at least 600 organizations notified of attacker interest. The FBI publicly stated the threat is "still very, very much ongoing." (SC Media, TechCrunch, CyberScoop)

The primary intrusion method remains exploitation of Cisco edge router vulnerabilities, followed by long-dwell collection of metadata and lawful-intercept traffic. Salt Typhoon was confirmed inside several U.S. House of Representatives committees in late 2025, and a separate February 2026 China-linked campaign hit more than 50 telecoms and government agencies in 42 countries while exfiltrating data through Google Sheets. (Hive Security)

UAT-8302 China-Nexus Group Disclosed

Cisco Talos disclosed UAT-8302, a sophisticated China-nexus APT targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. (Talos Intelligence)

APT36 First Documented AI Malware Assembly Line

APT36 became the first documented nation-state actor using AI as a malware assembly line, accelerating the production of polymorphic malware variants. The 2026 benchmark adversary breakout time is now 72 minutes from initial foothold to active exfiltration. (Hive Security)

ShinyHunters Extortion Group

ShinyHunters, an extortion-focused criminal group previously linked to data theft from Ticketmaster, Google, the University of Pennsylvania, Princeton, and Harvard, claimed responsibility on May 3, 2026, for the Instructure Canvas breach. The group has shifted from straight data sale to pay-or-leak extortion against vendors with large downstream institutional footprints. (Inside Higher Ed, Times Higher Education)

Ransomware and Data Breaches

Victim	Actor	Records	Date	Status
Instructure (Canvas LMS)	ShinyHunters	275,000,000	2026-04-30	Extortion ongoing
Sistemi Informativi (Italy)	Salt Typhoon	Undisclosed	2026-04	Investigation ongoing
Italian public entities	Salt Typhoon	Undisclosed	2026-04	Notifications underway
Multiple universities	ShinyHunters	Per inst.	2026-05	Phishing risk elevated

Instructure Canvas Incident Detail

Disruption of Canvas tools began April 30, 2026. Instructure confirmed a criminal breach on May 1, brought in outside forensics, and ShinyHunters publicly claimed the attack on May 3. The original ransom deadline of May 6 was extended to May 12 after partial negotiations. CISO Steve Proud stated the data set includes names, student IDs, email addresses, and inter-user messages, and that no evidence has been found of password, date-of-birth, government identifier, or financial data compromise. Approximately 8,809 institutions appear in lists shared with reporters, with per-institution counts ranging from tens of thousands to several million records. Harvard's Canvas instance was taken offline on May 8 after the institution appeared in the leak list. (Malwarebytes, The Harvard Crimson, Wikipedia, WBAY)

Downstream Phishing Risk

The combination of student names, institution affiliation, internal messages, and email addresses is ideal feedstock for personalized phishing at scale. Times Higher Education flagged this as the dominant follow-on risk for the next 6 to 12 months. (Times Higher Education)

Recommended Actions

Immediate (next 24 to 72 hours)

Audit PAN-OS User-ID Authentication Portal exposure. If the Captive Portal is internet-facing, restrict source IPs to administrative networks or disable the portal until the May 13 patch ships. Verify CVE-2026-0300 detection logic in IDS or WAF rules.
Patch FortiClient EMS 7.4.5 and 7.4.6 to the out-of-band hotfix or upgrade to 7.4.7. Hunt for indicators of CVE-2026-35616 exploitation in API access logs going back to March 31, 2026.
Apply the Linux kernel update for CVE-2026-31431 on internet-facing or multi-tenant Linux hosts. Verify with package manager state, not just kernel version strings.
Disable or quarantine all AI coding agents that ingest PR titles, issue titles, or comments as part of their review context until the vendor publishes a fixed version. Audit recent agent runs for outbound posts containing strings that look like API keys or tokens.
Rotate any API keys exposed to Anthropic Claude Code Security Review, Google Gemini CLI Action, or GitHub Copilot Agent between April 1 and May 8, 2026, regardless of whether public exploitation indicators are present.
Notify users on Canvas-affiliated institutions that they should expect personalized phishing. Pre-stage warning messages in identity provider login pages.
Block or alert on Morse-code, base64, ROT13, or zero-width-character payloads in inbound channels feeding any AI tool with transactional authority.

Short-Term (1 to 4 weeks)

Inventory all agentic AI deployments and classify each by the lethal trifecta. Any system with untrusted input, privileged write, and tool execution requires explicit privilege separation and human gates on irreversible actions.
Deploy the six-layer agent defense stack: input segmentation, content provenance signing, per-tool capability scoping, runtime policy enforcement, output filtering for credentials, and human approval on irreversible actions.
Run a tabletop on a Salt Typhoon-style edge router compromise. Assume compromise of a Cisco or Fortinet device on the network edge; map detection, containment, and lawful-intercept exposure.
Hunt for the ShinyHunters access pattern if your organization touches Canvas or other Instructure products. Review SSO logs for anomalous OAuth grants, third-party API tokens, and large data exports between April 15 and April 30, 2026.
Microsoft April Patch Tuesday cleanup. Verify CVE-2026-32201, CVE-2026-33825, and CVE-2026-33827 are remediated across the estate.

Strategic (3 to 12 months)

Adopt the DoD agentic AI guidance as the baseline for any agent deployment with privileged access. Treat unsigned natural-language instructions as untrusted input regardless of source.
Plan for 72-minute breakout time. Detection budgets, paging thresholds, and isolation playbooks designed for a 4-hour window are obsolete. Compress to under 30 minutes from alert to containment on critical assets.
Build adversarial evaluation into the LLM acquisition pipeline. Frontier-model jailbreaks at 97 percent success against peer models means any LLM deployed with tool access requires continuous red-team evaluation, not point-in-time review.
Diversify away from single LMS or agent vendors where the blast radius of a vendor-side breach is institutional. The Canvas incident is a textbook supply-chain failure of single-vendor dependency.
Establish a content provenance program. Sign internal documents and PR titles where automated agents will read them; reject unsigned input at the agent boundary.