AI exploits KEV vulns in 21 minutes now

Mini Shai-Hulud Hits PyPI and Packagist: Lightning, Intercom, 1,800 Developers Compromised

  • Lightning 2.6.2 and 2.6.3 are malicious — safe version is 2.6.1: on import, start.py downloads the Bun runtime and executes an 11 MB obfuscated router_runtime.js; validated GitHub tokens are used to inject worm payloads into up to 50 branches and to modify local npm packages via postinstall hooks, per THN and Aikido's write-up. Malicious commits are authored under Anthropic's Claude Code identity to blend into commit histories.
  • intercom-client@7.0.4 (npm) and intercom/intercom-php@5.0.2 (Packagist) carry the same Bun-based payload; Socket traced the Intercom compromise to a local install of pyannote-audio, which pulled poisoned Lightning as a transitive dependency — one compromised PyPI package bridged three ecosystems. Combined monthly downloads for Lightning and Intercom exceed 10 million.
  • SecurityWeek confirms 1,800+ victim exfil repos created on GitHub with description "A Mini Shai-Hulud has Appeared"; C2 is zero.masscan.cloud:443/v1/telemetry with a GitHub commit fallback keyed on strings "beautifulcastle" and "EveryBoiWeBuildIsAWormyBoi". Shared RSA-4096 key links both compromises to TeamPCP. (Previously: Mini Shai-Hulud hit SAP CAP npm packages and elementary-data — Lightning and Intercom are the fifth and sixth package families confirmed in this campaign.)
  • Targeted secrets include Kubernetes, HashiCorp Vault, AWS/GitHub/npm tokens, database connection strings, Stripe/Slack/Twilio API keys, VPN credentials, and crypto wallets. PyPI quarantine has been lifted and malicious versions deleted — remove 2.6.2/2.6.3 from lockfiles, rotate all credentials from affected environments, and audit .claude/settings.json and .vscode/tasks.json for unexpected entries.
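An added lockfile check, not code from any of the cited reports, for the "remove 2.6.2/2.6.3 from lockfiles" action above: it matches pinned versions in requirements-style files, package-lock.json (lockfileVersion 2/3, transitive entries included, which is how the pyannote-audio path would surface) and composer.lock against the malicious releases named in this item. The sample lockfile fragments are constructed; the version table is taken from the text.

```python
import json
import re

# Malicious package versions named in the reports above, keyed by (ecosystem, package).
MALICIOUS = {
    ("pypi", "lightning"): {"2.6.2", "2.6.3"},
    ("npm", "intercom-client"): {"7.0.4"},
    ("packagist", "intercom/intercom-php"): {"5.0.2"},
}

def pinned_python(text):
    """Yield (name, version) for '==' pins in requirements/constraints files."""
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)", line)
        if m:
            # PEP 503 normalisation so Lightning / lightning / Lightning_x compare equal
            yield re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)

def pinned_npm(text):
    """Yield (name, version) from package-lock.json (lockfileVersion 2/3), transitives included."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" in path:
            yield path.rsplit("node_modules/", 1)[1], meta.get("version", "")

def pinned_composer(text):
    """Yield (name, version) from composer.lock, stripping a leading 'v'."""
    data = json.loads(text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        yield pkg["name"].lower(), pkg.get("version", "").lstrip("v")

def scan(ecosystem, pins):
    """Return sorted 'name==version' strings that match a known-malicious release."""
    return sorted(f"{name}=={ver}" for name, ver in pins
                  if ver in MALICIOUS.get((ecosystem, name), ()))

# Constructed sample lockfile fragments (not real project files).
SAMPLE_REQS = "pyannote-audio==3.1.1\nLightning==2.6.2\nrequests==2.31.0\n"
SAMPLE_NPM = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/sdk/node_modules/intercom-client": {"version": "7.0.4"}}})
SAMPLE_COMPOSER = json.dumps({"packages": [
    {"name": "intercom/intercom-php", "version": "v5.0.2"}], "packages-dev": []})

def scan_samples():
    return {"pypi": scan("pypi", pinned_python(SAMPLE_REQS)),
            "npm": scan("npm", pinned_npm(SAMPLE_NPM)),
            "packagist": scan("packagist", pinned_composer(SAMPLE_COMPOSER))}

if __name__ == "__main__":
    for eco, hits in scan_samples().items():
        print(eco, hits or "clean")
```

A hit means the pinned release must be replaced and every credential reachable from that environment rotated; poetry.lock and uv.lock are not parsed here.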

BufferZoneCorp: Ruby and Go Ecosystems Hit with PATH-Hijacking Sleeper Packages

  • Socket researcher Kirill Boychenko documented a campaign by GitHub account "BufferZoneCorp": 7 Ruby gems and 9 Go modules masquerading as activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, and config-loader, all still being pulled from the registries as of today; two Ruby and two Go packages are confirmed sleeper packages that are installed but not yet activated.
  • Ruby gems execute credential theft at install time targeting env vars, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials, exfiltrating to Webhook.site. Go modules are more capable: init() detects GITHUB_ENV/GITHUB_PATH, writes a fake go binary into a cache directory, and prepends it to the workflow PATH, intercepting subsequent go executions while silently passing control to the real binary.
  • SSH persistence is achieved via a hardcoded attacker key written to ~/.ssh/authorized_keys — backdoor access that survives package removal. Audit authorized_keys on all CI runners, rotate credentials from affected environments, and inspect outbound HTTPS to Webhook.site in network logs.

MOAK Closes Exploit Window to 21 Minutes; Six AI Agent Credential Exploits Documented

  • MOAK (Mother of All KEVs) is an agentic AI workflow that autonomously exploits ~98% of open-source CVEs on CISA's KEV catalog using publicly available models — no restricted Mythos access required. Mean time to working exploit: 21 minutes, vs. Rapid7's 28.5-day mean TTX for 2025. KEV is no longer a 30-day remediation cadence; it is a same-day threat feed.
  • VentureBeat's nine-month retrospective across six AI coding agent breaches — Claude Code, Copilot, Codex, Vertex AI — finds every exploit targeted runtime credentials, not model output. BeyondTrust's branch-name injection into Codex exfiltrated GitHub OAuth tokens via 94 Unicode Ideographic Space characters (U+3000) that made a malicious branch visually identical to main; Orca's RoguePilot hijacked Copilot inside GitHub Codespaces via a crafted issue, stealing GITHUB_TOKEN via symlink with zero user interaction; Vertex AI's default P4SA scope reached every Cloud Storage bucket in the project and Google-internal Artifact Registry.
  • Claude Code's 50-subcommand deny-rule bypass is now fully documented: enforcement was silently dropped after the 50th subcommand for performance reasons — patched in 2.1.90. Verify Claude Code ≥ 2.1.90; audit .claude/settings.json for permissions.defaultMode: bypassPermissions entries, and monitor for subcommand chains exceeding 50 in CI logs.
  • Practitioner action list from the retrospective: inventory every AI coding agent with its OAuth scopes in CIEM; treat branch names, PR descriptions, and GitHub issues as untrusted input; govern agent credentials through PAM/IGA with rotation and least-privilege scoping; if a vendor cannot answer "show me your agent identity lifecycle controls," that is the audit finding.
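An added defender-side check, not code from VentureBeat, BeyondTrust or Anthropic, for two of the patterns above: ref names padded with invisible or compatibility Unicode so they visually collide with a protected branch (the U+3000 trick), and CI command lines whose subcommand chain exceeds the 50-entry limit. The PROTECTED set and the choice of Unicode categories treated as invisible are assumptions; the sample inputs are constructed.

```python
import shlex
import unicodedata

# Assumed protected targets that a look-alike ref name would impersonate.
PROTECTED = {"main", "master"}
# Unicode general categories that render as nothing or as blank space:
# Zs/Zl/Zp (spaces, separators incl. U+3000), Cf (format: zero-width joiners,
# RTL override), Cc (controls). Git forbids ASCII space in refs, so any hit is odd.
INVISIBLE = {"Zs", "Zl", "Zp", "Cf", "Cc"}
# Shell operators that start a new subcommand.
SEPARATORS = {";", "&&", "||", "|", "&"}

def check_branch(name):
    """Flag ref names hiding invisible code points or collapsing onto a protected branch."""
    invisible = [f"U+{ord(c):04X}@{i}" for i, c in enumerate(name)
                 if unicodedata.category(c) in INVISIBLE]
    visible = "".join(c for c in name if unicodedata.category(c) not in INVISIBLE)
    # NFKC folds compatibility forms (fullwidth letters etc.) onto their ASCII base.
    folded = unicodedata.normalize("NFKC", visible).casefold()
    impersonates = folded if folded in PROTECTED and name != folded else None
    return {"name": name, "invisible": invisible, "impersonates": impersonates,
            "suspicious": bool(invisible or impersonates)}

def count_subcommands(command):
    """Count subcommands in a shell line; quoted 'a; b' stays one token, not two."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for tok in lexer if tok in SEPARATORS)

def over_chain_limit(command, limit=50):
    """True when a command line chains more subcommands than the deny-rule evaluator covered."""
    return count_subcommands(command) > limit

# Constructed samples.
SPOOFED = "main" + "\u3000" * 94          # 94 ideographic spaces after the visible name
LONG_CHAIN = " && ".join(["echo ok"] * 51)  # 51 subcommands, one past the limit

if __name__ == "__main__":
    print(check_branch(SPOOFED))
    print(count_subcommands(LONG_CHAIN), over_chain_limit(LONG_CHAIN))
```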

Defensive Tooling: Claude Security Beta, Model Provenance Kit, slopcheck, OWASP DockSec

  • Anthropic opened Claude Security to public beta for Enterprise customers (Team and Max coming soon): runs on Opus 4.7 with parallel agents tracing data flows across codebases and a validation pipeline that challenges its own findings before surfacing them; each result includes confidence rating, reproduction steps, and a ready-to-apply patch. CrowdStrike, Microsoft Security, Palo Alto, SentinelOne, and Wiz are integrating Opus 4.7 into existing platforms.
  • OpenAI restricted GPT-5.5 Cyber to "critical cyber defenders" via an application/vetting process — despite Sam Altman publicly criticizing Anthropic's identical Mythos approach weeks earlier. XBOW benchmarks show GPT-5.5 Cyber delivers a Mythos-level step change in vulnerability detection across pen testing, exploitation, and malware reverse engineering.
  • ~20% of AI-generated code samples reference non-existent package names; 43% of hallucinated names repeat deterministically on identical prompts, making them predictable pre-registration targets for attackers without any human typo required, per ToxSec's slopsquatting research. slopcheck is a new open-source CLI that validates dependency names against live registries before pip/npm runs — flags [SLOP], [SUS], or [OK]; supports PyPI, npm, crates.io, Go, RubyGems, Maven, and Packagist with a GitHub Actions gate.
  • Cisco released the Model Provenance Kit: a Python CLI fingerprinting AI models from metadata, tokenizer similarity, and weight-level signals (Compare mode: shared origin detection; Scan mode: comparison against Cisco's HuggingFace database). Addresses the trust-reputation gap that attackers exploited in HuggingFace-hosted Marimo payloads. Repo: cisco-ai-defense/model-provenance-kit.
  • OWASP accepted DockSec as an Incubator Project (13,000+ downloads, 40+ countries): correlates Trivy, Hadolint, and Docker Scout findings, weights by deployment context, and outputs plain-language remediation with CI/CD and VS Code integration.

CISA KEV: cPanel Zero-Day Confirmed Since February; ConnectWise and APT28 Windows Flaw Added

  • CVE-2026-41940 (cPanel/WHM, CVSS 9.8) is now on CISA KEV with confirmed exploitation since at least February 2026 — a 65-day zero-day window across ~1.5M internet-exposed instances. (Previously: Issue #18 covered the full CRLF-to-root technical chain and patch commands — the KEV addition is new today.) Run /scripts/upcp --force; if unpatched, block ports 2083, 2087, 2095, and 2096 at the firewall immediately.
  • CISA added two CVEs on April 28 with a May 12 FCEB deadline: CVE-2024-1708 (ConnectWise ScreenConnect path traversal, CVSS 8.4 — chainable with auth bypass CVE-2024-1709 for full RCE; patch to ScreenConnect 23.9.8) and CVE-2026-32202 (stems from an incomplete APT28 zero-day patch for CVE-2026-21510; the residual flaw triggers an automatic SMB connection during LNK folder rendering, leaking Net-NTLMv2 hashes for relay attacks with no user interaction; patched April 14 Patch Tuesday).

Get AppSec Briefing in your inbox
