Weekly Threat Intel Report — 2026-W19
TL;DR
The week of 4–10 May 2026 was dominated by a high-impact data-extortion campaign and a pair of severe Linux kernel vulnerabilities. ShinyHunters claimed responsibility for compromising Instructure's Canvas learning management system, defacing login portals at roughly 9,000 US schools and universities and threatening to leak data on 275 million students and faculty. Microsoft disclosed Dirty Frag, a Linux local privilege escalation flaw already being abused post-compromise, while Unit 42 detailed Copy Fail (CVE-2026-31431) — another critical kernel LPE affecting millions of systems. CISA added a PAN-OS Captive Portal zero-day (CVE-2026-0300) and an Ivanti EPMM vulnerability to its Known Exploited Vulnerabilities catalog. ESET disclosed an active ScarCruft (APT37) supply-chain attack against a Yanbian-region gaming platform. Cisco Talos publicly named UAT-8302, a China-nexus APT targeting governments in South America and southeastern Europe. And Google Threat Intelligence Group reported the first publicly documented case of an AI-developed zero-day exploit used in the wild.
Notable Activity by Actor
ShinyHunters — Canvas / Instructure extortion
ShinyHunters claimed two waves of attack against education technology company Instructure during the week, exploiting a flaw in the Canvas learning platform to modify login portals and post extortion messages (BleepingComputer, 11 May; KrebsOnSecurity, 8 May). Brian Krebs reported that the defacement disrupted classes and coursework at school districts and universities nationwide, with attackers threatening to publish records on 275 million students and faculty across nearly 9,000 institutions. DarkReading characterised the breach as a stark illustration of how dependent the US education sector has become on a small set of edtech vendors, noting that PII for hundreds of millions of people is at stake (DarkReading, 6 and 8 May). Instructure confirmed the intrusion on 11 May.
ScarCruft (APT37) — gaming-platform supply chain
ESET researchers disclosed an ongoing campaign by the North Korea-linked ScarCruft group, which compromised a gaming platform serving the Yanbian region and distributed backdoor-laced Windows and Android games through it (ESET, 5 May). The dual-platform delivery — a relatively unusual move for ScarCruft — illustrates the group's continued interest in regional espionage targets and its willingness to invest in supply-chain footholds.
UAT-8302 — newly named China-nexus APT
Cisco Talos publicly disclosed UAT-8302, a China-nexus APT cluster that has targeted government entities in South America since at least late 2024 and expanded to government agencies in southeastern Europe in 2025 (Talos, 5 May). Talos describes a varied toolkit of malware families used for espionage; further hardening of attribution and overlap mapping with existing China clusters will likely come from follow-up reporting.
PCPJack operators — cloud credential theft worm
SentinelLabs detailed PCPJack, a cloud-targeted worm framework that uniquely evicts a rival actor cluster (TeamPCP) from compromised cloud assets, then forgoes cryptomining in favour of bulk credential theft — financial, messaging, and enterprise accounts — for fraud, spam, and potential extortion (SentinelLabs, 7 May). The behaviour underscores an ongoing shift in commodity cloud abuse from mining toward higher-margin identity-driven monetisation.
CallPhantom operators — Google Play / Android subscription fraud
ESET also exposed CallPhantom, a family of fraudulent Android apps on Google Play that claimed to provide call history "for any number." The apps had been downloaded more than 7 million times before takedown and tricked users into recurring subscription fraud (ESET, 7 May).
Emerging Threats
Two severe Linux kernel privilege-escalation flaws
In the space of a week, defenders learned of two distinct, broadly applicable Linux LPE vulnerabilities:
- Copy Fail (CVE-2026-31431) — analysed by Unit 42 on 5 May — is described as the most severe Linux threat in years, enabling stealthy root access on millions of systems.
- Dirty Frag — disclosed by Microsoft on 8 May — is a kernel networking and memory-fragment handling flaw (esp4, esp6, rxrpc) that Microsoft reports is already being exploited post-compromise via SSH, web shells, containers, or low-privileged accounts. DarkReading and Ars Technica both ran follow-up coverage warning of likely enterprise impact (DarkReading, 11 May).
Organisations running Linux endpoints, containers, or hypervisors should plan accelerated patching cycles and audit for low-privileged-to-root paths.
KEV additions — actively exploited zero-days
CISA added two notable items to its KEV catalog this week:
- CVE-2026-0300 — a PAN-OS User-ID Captive Portal out-of-bounds write enabling unauthenticated RCE on exposed firewalls (CISA, 6 May; Unit 42 threat brief, 7 May).
- CVE-2026-6973 — Ivanti Endpoint Manager Mobile (EPMM) improper input validation (CISA, 7 May).
Both are under active exploitation. Edge devices remain the most reliably exploited attack surface in 2026.
AI-developed exploits move from theory to wild
Google Threat Intelligence Group (GTIG) reported that attackers used large language models to develop a zero-day exploit targeting a popular open-source web administration tool — the first publicly documented instance of an AI-generated exploit observed in the wild (BleepingComputer / GTIG, 11 May). DarkReading's parallel reporting noted that adversaries are also using LLMs to automate post-exploitation orchestration. Mexico saw what DarkReading called the first known AI-integrated attack on a real critical-infrastructure target, where the SCADA login screen ultimately stopped the campaign — a reminder that AI-augmented attackers still depend on classical access prerequisites.
Supply-chain incidents continue
- Checkmarx Jenkins AST plugin — Checkmarx warned over the weekend of 10–11 May that a rogue version of its official plugin had been published to the Jenkins Marketplace and was delivering an infostealer (BleepingComputer, 11 May).
- TanStack npm compromise — a postmortem published 11 May detailed an npm supply-chain incident affecting the TanStack project.
- Trellix source-code breach — claimed by RansomHouse during the week, with a small image set published as proof (BleepingComputer, 8 May; DarkReading, 5 May).
Ransomware ecosystem at scale
Check Point Research's Q1 2026 ransomware report counted 2,122 new victims posted to leak sites in the quarter — the second-highest Q1 on record, down only 12.2% from the all-time record set in Q4 2025 (Check Point, 11 May). The UK ICO simultaneously fined South Staffordshire Water £963,900 over the 2022 Cl0p ransomware intrusion in which attackers reportedly went undetected for nearly two years before exfiltrating data on 633,887 customers and staff (The Record, 11 May).
Defender Takeaways
- Patch Linux LPEs aggressively. Copy Fail and Dirty Frag together make 2026 a difficult year for Linux kernel maintenance. Inventory kernel versions across servers, containers, and appliances; prioritise systems where unprivileged code execution is reachable (multi-tenant hosts, web apps, CI runners).
- Treat exposed edge devices as the front line. The PAN-OS and Ivanti KEV additions follow a consistent 2025–2026 pattern: pre-auth flaws on perimeter appliances are exploited within days. Maintain a hardened, monitored, fast-patch path for these devices, and assume compromise where patching lags.
- Hunt for post-compromise privilege escalation. Microsoft's note that Dirty Frag is being chained after SSH, web-shell, or container access reinforces the importance of EDR telemetry on Linux and the monitoring of suspicious kernel-module and namespace-related activity.
- Re-examine SaaS vendor concentration. The Canvas/Instructure incident shows the blast radius when a single platform underpins thousands of organisations. Identify your equivalent single-points-of-failure SaaS and demand visibility into authentication-portal integrity and breach-notification commitments.
- Prepare for AI-augmented adversaries. GTIG's finding does not change the underlying defensive playbook, but it does shorten exploit development cycles. Expect faster weaponisation of newly disclosed CVEs and a higher volume of lower-quality but novel exploit code.
- Verify build-tool and plugin provenance. Checkmarx Jenkins and TanStack npm are this week's reminders that developer tooling marketplaces remain a soft underbelly. Pin versions, monitor for plugin-version anomalies, and scan CI workers for stealer activity.
- Reset more than passwords. BleepingComputer's Specops-sponsored note this week reiterates an old truth: Kerberos tickets and cached credentials survive password resets. Incident-response playbooks for AD compromise must include ticket invalidation and golden-ticket detection.
Sources
- KrebsOnSecurity — Canvas Breach Disrupts Schools & Colleges Nationwide (8 May 2026): https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/
- DarkReading — Instructure Breach Exposes Schools' Vendor Dependence (6 May 2026): https://www.darkreading.com/cyberattacks-data-breaches/instructure-breach-exposes-schools-vendor-dependence
- DarkReading — ShinyHunters Claims Second Attack Against Instructure (8 May 2026): https://www.darkreading.com/cyberattacks-data-breaches/shinyhunters-second-attack-instructure
- BleepingComputer — Instructure confirms hackers used Canvas flaw to deface portals (11 May 2026): https://www.bleepingcomputer.com/news/security/instructure-confirms-hackers-used-canvas-flaw-to-deface-portals/
- ESET WeLiveSecurity — A rigged game: ScarCruft compromises gaming platform in a supply-chain attack (5 May 2026): https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
- ESET WeLiveSecurity — Fake call logs, real payments: How CallPhantom tricks Android users (7 May 2026): https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/
- Cisco Talos — UAT-8302 and its box full of malware (5 May 2026): https://blog.talosintelligence.com/uat-8302/
- Microsoft Threat Intel — Active attack: Dirty Frag Linux vulnerability expands post-compromise risk (8 May 2026): https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/
- Unit 42 — Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years (5 May 2026): https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/
- Unit 42 — Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day (7 May 2026): https://unit42.paloaltonetworks.com/captive-portal-zero-day/
- CISA — KEV Catalog addition: CVE-2026-0300 (PAN-OS) (6 May 2026): https://www.cisa.gov/news-events/alerts/2026/05/06/cisa-adds-one-known-exploited-vulnerability-catalog
- CISA — KEV Catalog addition: CVE-2026-6973 (Ivanti EPMM) (7 May 2026): https://www.cisa.gov/news-events/alerts/2026/05/07/cisa-adds-one-known-exploited-vulnerability-catalog
- SentinelLabs — PCPJack: Cloud Worm Evicts TeamPCP and Steals Credentials at Scale (7 May 2026): https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/
- BleepingComputer / GTIG — Hackers used AI to develop zero-day exploit for web admin tool (11 May 2026): https://www.bleepingcomputer.com/news/security/google-hackers-used-ai-to-develop-zero-day-exploit-for-web-admin-tool/
- BleepingComputer — Official Checkmarx Jenkins package compromised with infostealer (11 May 2026): https://www.bleepingcomputer.com/news/security/official-checkmarx-jenkins-package-compromised-with-infostealer/
- BleepingComputer — Trellix source code breach claimed by RansomHouse hackers (8 May 2026): https://www.bleepingcomputer.com/news/security/trellix-source-code-breach-claimed-by-ransomhouse-hackers/
- Check Point Research — The State of Ransomware – Q1 2026 (11 May 2026): https://research.checkpoint.com/2026/the-state-of-ransomware-q1-2026/
- The Record — UK water company allowed hackers to lurk undetected for nearly two years (11 May 2026): https://therecord.media/uk-water-company-had-hackers-lurking-for-years
- DarkReading — Dirty Frag Exploit Poised to Blow Up on Enterprise Linux Distros (11 May 2026): https://www.darkreading.com/vulnerabilities-threats/dirty-frag-exploit-blow-up-enterprise-linux-distros