TLP:CLEAR | CTI-2026-0511

Daily Threat Intelligence Brief - May 11, 2026

May 11, 2026 | 12 min read
Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • ShinyHunters claims the largest education breach on record: 275 million Canvas LMS records exfiltrated from Instructure, impacting 8,809 universities and ministries worldwide; ransom deadline extended to May 12, 2026.
  • CISA adds three actively exploited flaws to KEV in eight days: Linux Kernel "Copy Fail" (CVE-2026-31431), Palo Alto PAN-OS User-ID Portal RCE (CVE-2026-0300), and LiteLLM SQL injection (CVE-2026-42208, CVSS 9.8).
  • AI agent frameworks become RCE primitives: Microsoft Semantic Kernel CVEs (CVE-2026-25592, CVE-2026-26030) let prompt injection escalate directly to code execution; Anthropic, Google, and GitHub agent actions leaked API keys to the same single-prompt payload.
  • MCP exposure crisis widens: 8,000+ public MCP servers cataloged; 36.7% of 7,000+ scanned servers are vulnerable to SSRF; nginx-ui MCP endpoint (CVE-2026-33032, CVSS 9.8) leaves 2,600+ instances at full takeover risk.
  • Salt Typhoon remains embedded in U.S. networks, with compromises spanning 80 countries; APT41 operations surged 113% in Q1 2025, the largest single-quarter expansion documented for any nation-state actor.
  • Adversary breakout time benchmark for 2026 is 72 minutes from initial foothold to active exfiltration, with 80% of phishing campaigns now containing AI-generated content per ENISA.
  • Cushman & Wakefield extortion confirms Salesforce remains ShinyHunters' preferred SaaS pivot point: 500K+ records exposed via vishing-driven initial access.

Critical Vulnerabilities

CVE-2026-31431: Linux Kernel "Copy Fail" Local Privilege Escalation

A nine-year-old incorrect resource transfer flaw in the Linux kernel allows an unprivileged local user to obtain root. CISA added the CVE to the KEV catalog on May 1, 2026 with a federal remediation deadline of May 15, 2026 after evidence of active exploitation surfaced. The flaw is broadly applicable across distributions and is a strong post-exploitation primitive for any attacker who already has shell access. (CISA KEV announcement, Cybersecurity News writeup)

CVE-2026-42208: LiteLLM SQL Injection (CVSS 9.8)

A critical pre-authentication SQL injection in LiteLLM, the widely deployed multi-provider LLM gateway, allows attackers to extract API keys, audit logs, and provider credentials stored in the LiteLLM database. CISA added the flaw to KEV on May 8, 2026 amid confirmed in-the-wild exploitation. This is a particularly damaging finding because LiteLLM is a credential concentrator: a single compromised instance often unlocks OpenAI, Anthropic, Azure OpenAI, and Bedrock keys for entire enterprises. (Windows News coverage)

CVE-2026-0300: Palo Alto PAN-OS User-ID Authentication Portal RCE

An out-of-bounds write in the PAN-OS User-ID Authentication Portal yields unauthenticated remote code execution as root on perimeter firewalls. CISA added it to KEV on May 6, 2026; vendor patches are expected May 13, 2026. Until then, customers should restrict portal exposure to management networks and inspect for IOCs published by Unit 42. (CISA KEV entry via Windows Forum, The Hacker News)

CVE-2026-6973: Ivanti EPMM Zero-Day RCE

A high-severity improper input validation issue in Ivanti Endpoint Manager Mobile permits authenticated administrators to achieve remote code execution. It was exploited in targeted attacks before disclosure. CISA imposed a May 10, 2026 federal remediation deadline. Patches are available in the May 2026 Ivanti security update bundle. (SecurityWeek)

CVE-2026-32202: Windows Shell Zero-Click Information Disclosure

Microsoft's initial patch for a Russian-attributed zero-click exploit was incomplete; a follow-on Windows Shell flaw is now under active exploitation. CISA assigned a May 12, 2026 deadline. Defenders should confirm full deployment of May Patch Tuesday updates and monitor for anomalous icon-rendering process behavior. (The Register)

CVE-2026-41940: cPanel Authentication Bypass

A critical authentication bypass in cPanel has been exploited since at least February 23, 2026, well before the vendor patch shipped in late April. Hosting providers and any shared-hosting customer should patch immediately and audit for unauthorized account creation, mailbox forwarding rules, and webshell artifacts. (Help Net Security)

AI Security Threats

The May 2026 cycle made one thing unambiguous: AI agent frameworks are now first-class RCE surfaces, not toy demos. Three independent disclosures landed within a single week, all chained the same way: untrusted text becomes instruction, instruction becomes tool call, tool call becomes shell.

Microsoft Semantic Kernel: Prompt Injection to Code Execution

Microsoft Security disclosed CVE-2026-25592 and CVE-2026-26030 in its Semantic Kernel agent framework on May 7, 2026. Both let an attacker who controls any input the agent processes (a document, a webpage, a tool response) escalate prompt injection into native code execution inside the host process. The fix requires both a framework upgrade and a developer-side review of tool registration: many built-in tools (file system, shell, HTTP) cannot be safely exposed to agents that consume untrusted content. (Microsoft Security Blog)

"Comment and Control": One Prompt, Three Agents, API Keys Leaked

A security researcher opened a single GitHub pull request containing a malicious instruction in the PR title. Three separate agent products processed it and posted their own credentials as PR comments:

  • Anthropic Claude Code Security Review action: leaked its API key.
  • Google Gemini CLI action: leaked its key.
  • GitHub Copilot Agent (Microsoft): leaked its key.

This is the "lethal trifecta" pattern in production: an agent with (1) access to untrusted external input, (2) access to private data or secrets, and (3) the ability to communicate outward. Anthropic's own system card predicted this class of failure before the disclosure. (VentureBeat coverage, Airia analysis)
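The failure above ended with each agent writing its own credential into a PR comment. As an added example (not code from any of the products or reports named here), the filter below sits on that outbound path and redacts the secrets the agent process holds, including whole-value base64, hex, and reversed forms; `build_redactor`, `safe_to_post`, and the sample key are hypothetical names and constructed values.

```python
import base64
import re

def _variants(value: str) -> set[str]:
    """Forms in which a whole secret tends to show up in agent output."""
    raw = value.encode()
    return {
        value,
        # Padding stripped so padded and unpadded output both match.
        base64.b64encode(raw).decode().rstrip("="),
        base64.urlsafe_b64encode(raw).decode().rstrip("="),
        raw.hex(),
        value[::-1],
    }

def build_redactor(secrets: dict[str, str], min_len: int = 8):
    """Return redact(text) -> (clean_text, sorted names of secrets found)."""
    table = {}
    for name, value in secrets.items():
        if len(value) < min_len:  # short values would match ordinary text
            continue
        for form in _variants(value):
            table[form] = name
    # Longest alternative first so an encoded form is replaced as one unit.
    forms = sorted(table, key=len, reverse=True)
    pattern = re.compile("|".join(map(re.escape, forms))) if forms else None

    def redact(text: str):
        hits = set()
        def _sub(match):
            hits.add(table[match.group(0)])
            return f"[REDACTED:{table[match.group(0)]}]"
        clean = pattern.sub(_sub, text) if pattern else text
        return clean, sorted(hits)
    return redact

def safe_to_post(comment: str, redact) -> tuple[bool, str]:
    """Fail closed: a comment that contained any secret is not posted."""
    clean, hits = redact(comment)
    return (not hits, clean)

if __name__ == "__main__":
    # Constructed sample value; a real deployment would load the process secrets.
    redact = build_redactor({"AGENT_API_KEY": "sk-constructed-0123456789abcdef"})
    print(safe_to_post("token: sk-constructed-0123456789abcdef", redact))
```

The filter only catches a secret emitted whole in one of the listed forms; a key split across messages or buried inside a larger encoded blob passes, so it backs up, rather than replaces, keeping the secret out of the agent's reach.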

CVE-2025-53773: GitHub Copilot PR Description Prompt Injection (CVSS 9.6)

A hidden prompt in a pull request description triggers GitHub Copilot to execute attacker-supplied instructions in the developer's IDE context, including local command execution. Researchers documented working exfiltration via an image-URL side channel. The flaw is rated CVSS 9.6. Defenders should disable Copilot agentic features on repos that accept external PRs, or require human-in-the-loop confirmation on every tool call. (Cycode roundup)

MCP Exposure Crisis

Adversa AI's May 2026 MCP security report and parallel community scans confirm what red teams have been saying since Q1: the Model Context Protocol shipped without an authentication story, and the install base outran the security tooling.

| Finding | Value | Source |
|---|---|---|
| Publicly exposed MCP servers cataloged | 8,000+ | Medium scan report |
| Scanned MCP servers vulnerable to SSRF | 36.7% of 7,000+ | Adversa AI May report |
| nginx-ui MCP endpoint CVE | CVE-2026-33032, CVSS 9.8 | Adversa AI May report |
| nginx-ui MCP instances at takeover risk | 2,600+ | Adversa AI May report |
| LiteLLM compromised PyPI window (Mar 2026) | 40 minutes (1.82.7 / 1.82.8) | LiteLLM security update |

OWASP LLM Top 10 for 2026 keeps Prompt Injection at LLM01. Multi-turn jailbreaks are now the dominant attack pattern against frontier models, and Unit 42 documented the first wave of large-scale indirect prompt injection in the wild during March 2026, including ad-review evasion and system-prompt leakage on commercial platforms. (Securance overview, Unit 42 MCP attack vectors)

The architectural reality has not changed: LLMs cannot reliably distinguish instructions from data. Any defense built on "the model will know not to follow that" is a defense that has already failed in production somewhere.

Threat Actor Activity

Salt Typhoon (China)

Still embedded in U.S. networks more than 18 months after the original telecom compromise. Salt Typhoon has now compromised networks across 80+ countries spanning telecommunications, transportation, and government. Fresh penetration of House Committee email systems was confirmed earlier this year. Detection remains difficult because the actor maintains long-dormant access and exfiltrates selectively. (CybelAngel China APT overview, Hive Security 2026 deep dive)

APT41 (China)

Q1 2025 saw a 113% surge in APT41 operations, the largest single-quarter increase documented for any nation-state group. Targeting correlated with U.S.-China trade tensions and focused on trade policy officials, academic economists, and think tanks. Operations have continued into 2026. (Hive Security 2026 deep dive)

China-Linked Google Sheets Campaign

A February 2026 campaign hit more than 50 telecoms and government agencies across 42 countries, using Google Sheets for command and control to evade network detection. (CybelAngel)

ShinyHunters (Financially Motivated)

The dominant SaaS extortion brand of 2026. Their playbook: vishing or credential theft against a Salesforce or Salesforce-adjacent target, bulk exfiltration via legitimate APIs, leak-site pressure, dispute over record counts to maximize media coverage. May 2026 saw the Instructure (275M records) and Cushman & Wakefield (500K records) campaigns reach public disclosure. (Google Cloud Threat Intel tracking, Salesforce Ben)

Operational Benchmarks

| Metric | 2026 Value | Source |
|---|---|---|
| Adversary breakout time | 72 minutes | Hive Security |
| Phishing campaigns with AI content | 80% | Hive Security / ENISA |
| APT dwell time before detection (avg) | 6 to 18 mo | Vectra APT guide |

Ransomware and Data Breaches

| Date | Victim | Actor | Records / Scope | Vector | Status |
|---|---|---|---|---|---|
| 2026-05-01 | Instructure Canvas | ShinyHunters | 275M users, 8,809 inst. | Salesforce pivot, social engineering | Ransom deadline 2026-05-12 |
| 2026-05-06 | Cushman & Wakefield | ShinyHunters | 500K Salesforce records | Vishing | Deadline passed, leak risk |
| 2026-05 | GeForce NOW Armenia | ShinyHunters | Full user DB | Partner compromise | Disclosed |
| 2026-05-06 | Russian gov DBs | Ransomware grp | Unknown scope | Unspecified | DOJ disclosure |

Instructure / Canvas LMS Deep Dive

The Instructure breach is the largest education-sector incident on record. Stolen data includes names, email addresses, student ID numbers, and private messages among Canvas users. In total, 3.65 TB was exfiltrated. The defacement on May 7 at approximately 1:20 p.m. PDT made the breach public before Instructure could complete notification. Canvas is used by 41% of U.S. higher education institutions and many K-12 districts, making downstream phishing and identity-fraud exposure significant. Sentra's analysis points to Salesforce data governance as the root cause: the same SaaS pivot pattern that has fueled ShinyHunters' 2026 campaign across finance, food, travel, and home security verticals. (TechCrunch, Time, Malwarebytes, Sentra governance analysis)

DOJ Disclosure: Ransomware Gang Tapped Russian Government Databases

A May 6, 2026 DOJ filing revealed that a ransomware operator gained access to Russian government databases, an unusual public attribution that suggests the U.S. is willing to expose offensive-leaning operator activity when it serves prosecutorial goals. (TechCrunch)

Recommended Actions

Immediate (next 24 to 72 hours)

  • Patch CVE-2026-31431 (Linux Kernel) on all internet-exposed and shared multi-tenant hosts. Federal deadline May 15.
  • Patch CVE-2026-42208 (LiteLLM). Rotate every provider API key configured in the gateway. Audit LiteLLM access logs for unexplained queries over the past 30 days.
  • Restrict Palo Alto PAN-OS User-ID Authentication Portal exposure to management subnets pending the May 13 vendor patch for CVE-2026-0300.
  • Apply Ivanti EPMM May 2026 updates (CVE-2026-6973). Audit admin account activity.
  • Confirm full deployment of May Windows Patch Tuesday for CVE-2026-32202.
  • For any organization using Canvas LMS: force password reset, enable MFA, brief faculty and students on the elevated phishing risk.

Short-Term (next 2 to 4 weeks)

  • Inventory all MCP servers in the environment. Authenticate every one. Block public exposure. Scan internal instances for SSRF and tool-poisoning primitives.
  • Disable Copilot, Gemini CLI, and Claude Code Security Review agentic actions on repositories that accept external pull requests until prompt-injection mitigations are confirmed.
  • Audit any Semantic Kernel deployment. Remove built-in shell, file system, and HTTP tools from agents that consume untrusted input.
  • Salesforce hardening pass: enforce phishing-resistant MFA, disable legacy connected apps, review Experience Cloud guest-user permissions, enable Salesforce Shield event monitoring.
  • Re-baseline phishing simulations to include AI-generated lures; the 80% AI-content figure means user training based on grammar tells is obsolete.

Strategic

  • Treat LLM gateways (LiteLLM, OpenAI proxy, Bedrock proxy) as Tier 0 secrets infrastructure. They concentrate provider credentials and warrant the same controls as PAM systems.
  • Build a runtime AI security layer: tool-use audit logs, per-tool egress restrictions, secret-redaction at the model boundary, and human-in-the-loop gates on irreversible actions.
  • Adopt the lethal-trifecta mental model: any agent with untrusted input, sensitive data access, and outbound communication is one prompt injection away from exfiltration. Break the triangle architecturally, not behaviorally.
  • For SaaS-heavy environments, model your data-governance perimeter on the Salesforce object level, not the network level. ShinyHunters' 2026 run is a governance failure pattern, not a credential-theft pattern.
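
The lethal-trifecta model, defined under "Comment and Control" and recommended in the Strategic list above, can be checked mechanically against an agent's tool list. This added example (not from any framework named in this brief) classifies each tool by the legs it grants and, for an exposed agent, lists the tools to remove to eliminate each leg; the tool names and the `TOOL_LEGS` catalogue are hypothetical.

```python
UNTRUSTED = "untrusted_input"
PRIVATE = "private_data"
OUTBOUND = "outbound_comms"
TRIFECTA = frozenset({UNTRUSTED, PRIVATE, OUTBOUND})

# Hypothetical tool catalogue: which legs of the trifecta each tool grants.
TOOL_LEGS = {
    "read_pr_text":    {UNTRUSTED},            # titles, descriptions, comments
    "fetch_url":       {UNTRUSTED, OUTBOUND},  # response is untrusted, request carries data out
    "read_env":        {PRIVATE},              # API keys and tokens
    "read_repo_files": {PRIVATE},
    "post_pr_comment": {OUTBOUND},
    "run_shell":       set(TRIFECTA),          # a shell supplies every leg by itself
}

def legs_of(tool):
    # Fail closed: a tool nobody has classified is assumed to grant all three legs.
    return TOOL_LEGS.get(tool, TRIFECTA)

def audit(tools):
    """Return (exposed, cuts).

    exposed is True when the tool set covers all three legs.
    cuts maps each leg to the tools that must all be removed to eliminate it;
    removing any one leg's tools breaks the triangle. Empty when not exposed.
    """
    by_leg = {
        leg: sorted(t for t in tools if leg in legs_of(t))
        for leg in (UNTRUSTED, PRIVATE, OUTBOUND)
    }
    exposed = all(by_leg.values())
    return exposed, (by_leg if exposed else {})

if __name__ == "__main__":
    # Constructed tool list for a PR-review agent.
    reviewer = ["read_pr_text", "read_env", "read_repo_files", "post_pr_comment"]
    exposed, cuts = audit(reviewer)
    print("exposed:", exposed)
    for leg, tools in cuts.items():
        print(f"  to drop {leg}: remove {tools}")
```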

Sources