Your AI tools are now the attack surface

Cursor CVE-2026-26268: Git Hook RCE; Cursor Security Review and Claude Security Ship the Same Day

  • CVE-2026-26268 in Cursor chains Git hooks and bare repositories to execute attacker scripts when the AI agent interacts with a maliciously crafted repo — Check Point Research confirmed May 4 that no user interaction beyond cloning and opening is required; exposed assets include source code, API tokens, and internal tool credentials. No patch status publicly confirmed at disclosure. Audit .git/hooks/ in every externally-sourced repo opened in Cursor. (Distinct from the NomShub prompt-injection chain in Issue #11 — this exploits Git's native hook execution mechanism, not model input.)
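A small auditor for the ".git/hooks" check recommended above, added here as an example and not code from Cursor, Check Point Research or this newsletter. It lists the hooks Git would actually run (executable, not ".sample"), handles both normal and bare layouts, and flags a "core.hooksPath" relocation; the config parse is a simplified assumption that ignores include directives, and the demo repository is a constructed fixture.

```python
import re, stat, tempfile
from pathlib import Path

# Simplified parse of .git/config; [include] directives are not followed (assumption)
HOOKS_PATH_RE = re.compile(r"^\s*hooksPath\s*=\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE)

def locate_hooks(repo: Path) -> tuple[Path, str]:
    """Return (hooks_dir, layout) for a normal checkout or a bare repository."""
    dot_git = repo / ".git"
    if dot_git.is_dir():
        cfg = dot_git / "config"
        if cfg.is_file():
            m = HOOKS_PATH_RE.search(cfg.read_text(errors="replace"))
            if m:  # core.hooksPath relocates the hooks dir, possibly into the working tree
                p = Path(m.group(1))
                return (p if p.is_absolute() else repo / p), "core.hooksPath"
        return dot_git / "hooks", "normal"
    return repo / "hooks", "bare"  # bare repos keep hooks/ at the top level

def audit_hooks(repo: Path) -> list[dict]:
    """List hooks Git would actually run: executable files without the .sample suffix."""
    hooks_dir, layout = locate_hooks(repo)
    findings = []
    if layout == "core.hooksPath":  # a relocated hooks dir is itself worth a look
        findings.append({"hook": "core.hooksPath", "path": str(hooks_dir)})
    if not hooks_dir.is_dir():
        return findings
    for entry in sorted(hooks_dir.iterdir()):
        if not entry.is_file() or entry.suffix == ".sample":
            continue
        if entry.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append({"hook": entry.name, "path": str(entry)})
    return findings

def demo_repo() -> Path:
    """Constructed fixture: a checkout carrying one live post-checkout hook."""
    root = Path(tempfile.mkdtemp())
    hooks = root / ".git" / "hooks"
    hooks.mkdir(parents=True)
    (root / ".git" / "config").write_text("[core]\n\trepositoryformatversion = 0\n")
    (hooks / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
    live = hooks / "post-checkout"
    live.write_text("#!/bin/sh\necho constructed-hook\n")
    live.chmod(0o755)
    return root

if __name__ == "__main__":
    for f in audit_hooks(demo_repo()):
        print(f"{f['hook']}: {f['path']}")
```

Point `audit_hooks` at each externally sourced repository before opening it in an agent-enabled editor; any finding deserves a read of the script before the repo is trusted.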

  • On April 30, Cursor shipped Cursor Security Review and Anthropic moved Claude Security to public beta on the same day, per this comparative analysis: both package the same surface — codebase scanning, multi-stage validation, and fix-in-context patches. Claude Security runs parallel Opus 4.7 agents with a self-validation pipeline before surfacing findings; Cursor deploys two always-on agents for PR review and scheduled sweeps. Teams running internal /security-review agent stacks now face packaged vendor alternatives with faster model update cycles.


LiteLLM SSRF: Three New Sinks — One Requires Only Authenticated Access; OpenSSH SplitSSHell, CPython, MOVEit

  • Escape AI Pentesting documented three confirmed SSRF vulnerabilities in LiteLLM — all distinct from CVE-2026-42208 (SQL injection, Issue #19): Sink 1 (/v1/rag/ingest) has no destination validation and requires only authenticated access, enabling IMDS queries for AWS/GCP/Azure credential exfiltration; Sinks 2–3 require admin but bypass is_request_body_safe by nesting api_base inside litellm_params — a flat-check defense blind to LiteLLM's nested request schema. LiteLLM internally confirmed all findings. Restrict /v1/rag/ingest to trusted users; enforce IMDSv2; network-segment admin endpoints.

  • Sink 3 (/health/test_connection) is full-read SSRF — the internal HTTP service response is returned verbatim to the attacker, enabling infrastructure fingerprinting and content extraction from backend services.
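To show why a flat request-body check misses the nested "api_base" bypass described above, here is an added example (not LiteLLM's code) contrasting an illustrative top-level-only check with a recursive walk that finds destination fields at any depth and rejects loopback, private, link-local (IMDS) and metadata-hostname targets. The deny-list hosts and the request body are constructed for the demonstration.

```python
import ipaddress
from typing import Any, Iterator
from urllib.parse import urlsplit

SENSITIVE_KEYS = {"api_base"}              # field named in the report
BLOCKED_HOSTS = {"metadata.google.internal", "localhost"}  # assumed deny-list, extend per environment

def flat_check(body: dict) -> list[str]:
    """Illustrative flat check: inspects top-level keys only (not LiteLLM's code)."""
    return [k for k in body if k in SENSITIVE_KEYS]

def walk(obj: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, leaf) for every leaf, descending through dicts and lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj

def destination_is_internal(url: str) -> bool:
    """True for loopback, private, link-local (IMDS) or known metadata hostnames."""
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # plain hostnames still need a resolve-time check (DNS rebinding)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved

def deep_check(body: dict) -> list[str]:
    """Find destination fields at any depth and report those pointing at internal targets."""
    findings = []
    for path, value in walk(body):
        key = path.rsplit(".", 1)[-1].split("[")[0]
        if key in SENSITIVE_KEYS and isinstance(value, str) and destination_is_internal(value):
            findings.append(f"{path} -> {value}")
    return findings

# Constructed request body using the nesting the report describes (not a captured request)
NESTED_BODY = {"model_name": "gpt-4o", "litellm_params": {
    "model": "openai/gpt-4o", "api_base": "http://169.254.169.254/latest/meta-data/"}}

if __name__ == "__main__":
    print("flat:", flat_check(NESTED_BODY))  # [] (the flat check is blind to the nesting)
    print("deep:", deep_check(NESTED_BODY))  # the nested api_base is reported
```

The recursive validator is only half the control: because hostnames are resolved later, the outbound HTTP client must apply the same address policy at connect time.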

  • CVE-2026-35414 "SplitSSHell" in OpenSSH: a single comma in a certificate field breaks SSH certificate authentication, enabling root privilege escalation via improper certificate parsing. Patch immediately in any environment using SSH certificate-based auth.

  • CVE-2026-6100 in CPython is a zero-day in the core interpreter discovered and patched in hours via AI-assisted research; update Python runtimes and rebuild container base images embedding CPython. Progress Software separately disclosed two critical authentication bypass vulnerabilities in MOVEit Automation; patch immediately given MOVEit's history as a high-priority ransomware target.


cPanel CVE-2026-41940: Three Concurrent Campaigns, 8,859 Encrypted Hosts, APT Targeting Government and MSP Networks

  • Three exploitation tracks are confirmed running simultaneously: (1) Sorry ransomware wiping backups before encrypting — Censys confirmed 8,859 exposed hosts with open directories of .sorry-encrypted files; (2) Mirai nuclear.x86 creating rogue admin accounts and disabling security logging; (3) an unnamed APT targeting SE Asian military and MSP networks in the Philippines, Laos, Canada, South Africa, and the US via AdaptixC2 and Ligolo for persistence, per THN's full breakdown. (Previously: Issue #20 covered KEV addition and initial three-actor identification — the Censys 8,859 host count and APT network targeting scope are new today.)

  • Re-run cPanel's compromise detection script if executed before May 3 — the initial version had significant false positives, per Help Net Security. Confirmed IOCs in /var/cpanel/sessions/raw/: session files containing user=root, hasroot=1, tfa_verified=1, or multiple pass= lines. Apply /scripts/upcp --force; block ports 2083/2087/2095/2096 if unpatched.
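A triage script for the session-file IOCs listed above, added here as an example rather than cPanel's own detection script. It assumes the files are line-oriented key=value text, reports exactly the four listed indicators per file, and ships with constructed sample contents; matches on user=root still need correlating against legitimate root logins before being treated as compromise.

```python
import re
from pathlib import Path

SESSIONS_DIR = Path("/var/cpanel/sessions/raw")   # directory named in the IOC guidance
KV_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")

def suspicious_indicators(text: str) -> list[str]:
    """Return the listed indicators found in one session file.
    Assumes line-oriented key=value content; adjust KV_RE if your files differ."""
    values: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            values.setdefault(m.group(1), []).append(m.group(2))
    hits = []
    if "root" in values.get("user", []):
        hits.append("user=root")
    if "1" in values.get("hasroot", []):
        hits.append("hasroot=1")
    if "1" in values.get("tfa_verified", []):
        hits.append("tfa_verified=1")
    if len(values.get("pass", [])) > 1:
        hits.append(f"multiple pass= lines ({len(values['pass'])})")
    return hits

def scan_sessions(directory: Path = SESSIONS_DIR) -> dict[str, list[str]]:
    """Map each flagged session file to its indicators; unreadable files are skipped."""
    results: dict[str, list[str]] = {}
    if not directory.is_dir():
        return results
    for f in sorted(directory.iterdir()):
        if not f.is_file():
            continue
        try:
            hits = suspicious_indicators(f.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            results[f.name] = hits
    return results

# Constructed samples for offline testing, not real cPanel session contents
BENIGN_SESSION = "user=alice\nhasroot=0\ntfa_verified=0\npass=REDACTED\n"
SUSPECT_SESSION = "user=root\nhasroot=1\ntfa_verified=1\npass=one\npass=two\n"

if __name__ == "__main__":
    for name, hits in scan_sessions().items():
        print(f"{name}: {', '.join(hits)}")
```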


Noma: 76% of MCP Servers Are High-Risk; Trellix Source Code Breached; GitGuardian's 33,185-Credential Reckoning

  • Noma Security's Spring 2026 research finds 76% of deployed MCP servers carry high-risk capabilities; 25% expose arbitrary code execution; 60% expose state-change capability; Meta's "Agents Rule of Two" has already failed in two confirmed production incidents — an Amazon Q VS Code agent wiped a filesystem with only two of three risk conditions met; a Replit agent destroyed a 1,200-record production database via hallucination with no attacker involved. Agent Skills leave no forensic trail: observable only at load time, not traceable when a harmful action follows.

  • Noma's No Excessive CAP framework defines three controllable levers: Capabilities (whitelist required tools, pin MCP server versions, never use @latest), Autonomy (gate high-blast-radius actions behind human approval, calibrate inversely to capability breadth), Permissions (delegated, user-scoped, expiring credentials — no shared service accounts).

  • Trellix confirmed unauthorized access to a portion of its internal source code repository; forensic experts and law enforcement are engaged, with no product tampering or customer environment compromise confirmed so far. Source code access at a security vendor exposes detection rule logic, product architecture, and potentially embedded secrets — monitor Trellix advisories for follow-on binary or signature integrity disclosures.

  • GitGuardian's Shai-Hulud forensics quantify the developer workstation attack surface: 33,185 unique credentials across 6,943 compromised machines, with 3,760 valid at discovery; developers co-authoring commits with AI tools leak twice as many secrets per commit vs. traditional workflows. Recommended layered controls: ggshield pre-commit and pre-push hooks; IDE extensions scanning on file save; and AI guardrails at prompt submission, pre-tool-use, and post-tool-use stages within Claude Code and Cursor.


NCSC Formalizes Patch Tsunami Warning; Xygeni Compromise Linked to TP-Link Botnet C2; Deep#Door; 389% Ransomware Surge

  • UK NCSC CTO Ollie Whitehouse formally warned that AI-equipped researchers are exposing decades of technical debt faster than teams can remediate: "Prepare to patch quickly, more often, and at scale." The NCSC blog post urges minimizing internet-facing attack surfaces now, prioritizing perimeter technologies first, and treating unsupported EOL systems as hardware replacement candidates rather than patch targets.

  • Ctrl-Alt-Intel identified direct infrastructure links between the Xygeni vulnerability scanner's GitHub Action compromise and a residential proxy botnet of hacked ASUS and TP-Link routers running Microsocks: the ShadowLink C2 beacon embedded in compromised routers uses an identical authentication secret to the backdoor in the Xygeni Action. A security scanning tool's supply chain attack is serving double duty as botnet C2 infrastructure.

  • Deep#Door — a new Python-based backdoor — uses bore[.]pub tunneling to evade C2 domain blocking, patches AMSI and ETW at runtime, unhooks ntdll to blind EDR instrumentation, and exfiltrates browser credentials, cloud tokens, SSH keys, and Wi-Fi credentials. Monitor for unexpected outbound HTTPS to bore[.]pub and Python processes with anomalous tunnel connections.

  • Fortinet's 2026 Global Threat Landscape Report documents 7,831 confirmed ransomware victims in 2025 vs. ~1,600 in 2024 — a 389% increase attributed to AI crime kits (WormGPT, FraudGPT, BruteForceAI) automating deployment at scale; the US accounted for 3,381 of 7,831 victims; manufacturing, business services, and retail are the top-targeted sectors.
