Three actively exploited zero-days hit defenders today: a CVSS 10 authentication bypass in Cisco SD-WAN controllers, an XSS-to-code-execution chain in on-premises Exchange Server, and an npm supply chain worm that already breached OpenAI. Add an 18-year-old NGINX RCE, two critical PAN-OS flaws, and a threat group open-sourcing their worm framework with bounties — and this is one of the highest-density vulnerability days of 2026.

In the News

Cisco SD-WAN Zero-Day CVE-2026-20182 Actively Exploited — Sixth in 2026

The threat actor tracked as UAT-8616 is actively exploiting CVE-2026-20182, a critical authentication bypass (CVSS 10) in Cisco Catalyst SD-WAN Controllers and Managers. The flaw allows unauthenticated remote attackers to gain full administrative access to the SD-WAN control plane — no credentials required, no user interaction needed.

This is the sixth exploited Cisco SD-WAN zero-day in 2026, a pattern that reflects sustained threat actor interest in WAN infrastructure as an initial access vector. CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog, establishing a federal patching deadline. Cisco Talos published the advisory with detection signatures for Secure Firewall (Snort) on the same day.

The operational risk is not limited to the controller itself. SD-WAN controllers manage routing policy, tunnel configuration, and device provisioning across the entire WAN fabric. An attacker with admin access to the controller can redirect traffic, deploy configuration changes to branch routers, or pivot into connected network segments. The blast radius of a compromised SD-WAN controller extends to every device it manages.

What defenders should do: Apply Cisco’s patches immediately. As a compensating control while patching, restrict management-plane access to SD-WAN controllers via ACLs — these interfaces should never be reachable from untrusted networks. Verify that SD-WAN controllers appear in your vulnerability management platform’s asset inventory; infrastructure control-plane devices are frequently missing from scan scope.

Source: Cisco Talos

Microsoft Exchange Zero-Day CVE-2026-42897 Exploited via Crafted Email

Microsoft confirmed active exploitation of CVE-2026-42897, an XSS-based spoofing flaw (CVSS 8.1) in on-premises Exchange Server. The attack mechanism is straightforward and effective: an attacker sends a crafted email that, when rendered in Outlook on the Web (OWA), triggers cross-site scripting that chains into arbitrary code execution on the server.

No user interaction is required beyond the target reading the email in their browser. The victim does not need to click a link or open an attachment — the malicious payload executes during HTML rendering. Microsoft has published mitigations but has not yet released a full patch.

This flaw reinforces a persistent operational reality for organizations still running on-premises Exchange: the attack surface of a self-hosted mail server includes every email it receives. Unlike cloud-hosted Exchange Online, where Microsoft controls the rendering pipeline, on-prem deployments expose organizations to server-side rendering vulnerabilities that they must detect and mitigate themselves.

What defenders should do: Apply Microsoft’s published mitigations immediately. Deploy email security controls that inspect HTML body content — not just attachments and URLs. For OWA access specifically, browser isolation can contain XSS-triggered execution. Organizations that have been deferring Exchange migration to cloud-hosted email now have another concrete risk data point for that business case.

Source: BleepingComputer

TanStack Supply Chain Attack Hits OpenAI — Shai-Hulud Worm Now Open-Sourced

OpenAI confirmed that the supply chain worm known as Mini Shai-Hulud compromised two corporate macOS devices through poisoned TanStack npm packages. The worm exfiltrated credential material from internal code repositories. OpenAI responded by rotating certificates and pushing emergency macOS updates to affected users.

The attack exploited a common software supply chain weakness: developer workstations pulling dependencies from public package registries without integrity validation. The TanStack packages — widely used JavaScript/TypeScript libraries for data fetching and table rendering — were the distribution vector. Once installed, the worm established persistence and targeted credential stores.

The situation escalated significantly when the threat group TeamPCP open-sourced the Shai-Hulud worm framework on GitHub and offered monetary bounties to anyone who successfully reuses it. This converts a single incident into a reusable attack kit. The barrier to executing npm and PyPI supply chain attacks has dropped from “develop your own tooling” to “fork a repo and follow the README.” Expect a measurable increase in supply chain poisoning campaigns using this framework in the coming weeks.

What defenders should do: Audit CI/CD pipelines for package integrity validation — lockfiles, signature verification, and pinned versions. Ensure developer workstations have the same endpoint detection coverage as the rest of the fleet; they are frequently exempted from security controls for “productivity” reasons, and this incident demonstrates the cost of that exemption. Implement software composition analysis (SCA) to flag newly-published or recently-modified packages entering your dependency tree.

Sources: The Record, SecurityWeek

18-Year-Old NGINX Flaw CVE-2026-42945 Enables Remote Code Execution

CVE-2026-42945 is a heap buffer overflow in NGINX’s ngx_http_rewrite_module that has existed in the codebase for 18 years. It affects both NGINX Open Source and NGINX Plus, scores CVSS 9.2, and enables unauthenticated remote code execution. Patches are available for both product lines.

The rewrite module is one of the most commonly used NGINX modules — it handles URL rewriting, conditional logic, and variable manipulation in virtually every non-trivial NGINX configuration. The vulnerability was discovered through autonomous scanning, not through observed exploitation, and no in-the-wild attacks have been reported. That said, NGINX’s installation base is enormous: it proxies a significant percentage of global web traffic and is embedded in container images, load balancer configurations, API gateways, and reverse proxy stacks across nearly every organization.

The challenge with patching is inventory. NGINX instances are not always visible to traditional vulnerability scanners. They exist inside container images that may have been built months or years ago, in appliance firmware, and in configurations managed by teams that do not interact with the security organization.

What defenders should do: Patch all known NGINX instances. Conduct an asset discovery sweep specifically targeting NGINX — including container registries, Kubernetes clusters, and load balancer tiers that may run NGINX without it appearing in a centralized CMDB. WAF rules can provide interim protection against exploitation attempts targeting the rewrite module.

Source: The Hacker News

Additional CVEs Worth Tracking

CVE-2026-0300 — Palo Alto PAN-OS User-ID Authentication Portal (CVSS 10). Unauthenticated buffer overflow enables remote code execution on the User-ID portal. No in-the-wild exploitation reported. Patches available. Restrict User-ID portal access to trusted management networks. Palo Alto Networks advisory

CVE-2026-0264 — Palo Alto PAN-OS DNS Proxy/Server (CVSS 8.8). Heap-based buffer overflow in the DNS proxy and DNS server components allows unauthenticated RCE. Patches available. Disable DNS proxy functionality if not operationally required. Palo Alto Networks advisory

CVE-2026-46300 — Linux kernel XFRM page cache (CVSS 7.8). Dubbed “Fragnesia,” this is the third Linux kernel local privilege escalation in two weeks. XFRM page cache corruption enables a local attacker to gain root. Patches rolling out across RHEL, Ubuntu, and SUSE. SecurityWeek

CVE-2026-44338 — PraisonAI authentication bypass (CVSS 7.3). Exploited in the wild less than four hours after public disclosure. The authentication bypass exposes sensitive endpoints in the multi-agent AI orchestration framework. If you run PraisonAI, update immediately and audit exposed API endpoints. The Hacker News

Threat Pulse

TeamPCP open-sources Shai-Hulud worm. The supply chain attack framework that compromised OpenAI is now available on GitHub with monetary bounties encouraging reuse. This lowers the barrier for npm/PyPI poisoning campaigns to near zero. SecurityWeek

Gremlin Stealer evolves. Unit 42 tracks a new Gremlin variant that hides in resource files and adds crypto wallet clipping and session hijacking capabilities. Stealer campaigns remain a persistent threat to corporate identity infrastructure — credential theft feeds initial access brokers. Unit 42

Ghostwriter (FrostyNeighbor/TA445) targets Ukrainian government. Belarus-aligned APT uses geofenced PDF phishing to fingerprint victims before delivering Cobalt Strike payloads. Espionage-focused campaign against Ukrainian government targets. The Hacker News

KongTuke pivots to Microsoft Teams. The initial access broker now uses Teams messages for social engineering, achieving persistent network access in under five minutes from first contact. Collaboration application controls and external tenant restrictions are the primary countermeasures. MITRE ATT&CK: T1566.003 (Phishing: Spearphishing via Service). BleepingComputer

Microsoft analyzes Kazuar botnet. Secret Blizzard (Russia-aligned APT) evolved the Kazuar backdoor into a modular peer-to-peer espionage botnet targeting government and diplomatic networks in Europe, Central Asia, and Ukraine. The P2P architecture makes takedown significantly harder than traditional C2-based botnets. Microsoft Security Blog

Vendor Moves

Akamai acquires LayerX for $205M. Adds browser security and AI application protection to its Zero Trust portfolio. Expect Akamai to pitch inline AI app controls and credential theft prevention alongside its existing SSE offerings starting Q3. SecurityWeek

SecurityScorecard acquires Driftnet. Deepens third-party ecosystem visibility and supply chain risk intelligence for its TPRM platform. If you compete on vendor risk management, expect SecurityScorecard to differentiate on partner ecosystem mapping. Dark Reading

Breach Note

American Lending Center disclosed a breach affecting 123,000 individuals. Ransomware was discovered in May 2025; investigation completed a full year later in May 2026. A 365-day timeline from discovery to notification completion. SecurityWeek

Today’s Deep Dive — Supply Chain Worms and the Economics of Open-Sourced Attack Tooling

The Shai-Hulud incident is worth deeper examination because it marks a shift in the supply chain threat model. The problem is no longer “a sophisticated group poisoned a package to target a specific organization.” The problem is now “the tooling to poison packages is free, documented, and incentivized.”

Mechanism

Shai-Hulud operates by injecting malicious code into legitimate npm packages during the build or publish process. The worm targets packages with high downstream dependency counts — libraries like TanStack that are pulled into thousands of projects automatically. Once a developer’s machine installs the compromised package, the worm:

  1. Establishes persistence via macOS launch agents or Linux cron jobs
  2. Enumerates credential stores — SSH keys, browser session tokens, cloud provider credentials, code repository access tokens
  3. Exfiltrates credential material to attacker-controlled infrastructure
  4. Attempts to propagate by using stolen credentials to publish poisoned versions of other packages the victim maintains

Step 4 is what makes it a worm rather than a trojan. The propagation is automated: one compromised maintainer account can cascade into dozens of poisoned packages.

The Open-Source Escalation

TeamPCP publishing the source code with bounties transforms the economics. Previously, executing a supply chain attack at this scale required developing custom tooling, maintaining C2 infrastructure, and understanding npm’s publishing pipeline. Now, the attack framework is a GitHub repository with documentation. The threat actor pool expands from “groups with supply chain development capability” to “anyone who can fork a repo.”

MITRE ATT&CK mapping: T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1059.007 (Command and Scripting Interpreter: JavaScript), T1555 (Credentials from Password Stores).

Detection

The primary detection surface is at the package level: unexpected version bumps, new post-install scripts, or dependency tree changes in previously stable packages. On the endpoint:

  • macOS: monitor for new LaunchAgent or LaunchDaemon plist files created by non-standard processes
  • Linux: monitor cron modifications and systemd service creation
  • All platforms: alert on credential store access (SSH key reads, browser cookie database access) by processes that are not the expected consumer

Defense

  1. Pin dependencies and use lockfilespackage-lock.json, yarn.lock, pnpm-lock.yaml. Never run npm install without a lockfile in CI/CD.
  2. Enforce package integrity verification — npm’s --ignore-scripts flag prevents post-install script execution during CI builds. Review any package that requires post-install scripts.
  3. Monitor for dependency tree changes — SCA tools should alert on new transitive dependencies or version changes that were not initiated by a developer commit.
  4. Treat developer workstations as high-value endpoints — endpoint detection, disk encryption, and credential store protection are not optional for machines that have publish access to package registries.
  5. Rotate credentials proactively — if any developer machine in your organization installed TanStack packages in the affected version range, assume credential compromise and rotate.

Detection Spotlight

Monitor for suspicious npm post-install script execution on developer workstations and CI/CD build agents. This Sigma-style detection logic catches processes spawned by npm’s lifecycle script execution that attempt to access credential stores:

 1title: NPM Post-Install Script Accessing Credential Stores
 2id: 7a3e2d1f-b8c4-4f9e-a1d6-3c5e8f2b7a90
 3status: experimental
 4description: Detects processes spawned by npm lifecycle scripts that access SSH keys, browser credential databases, or cloud provider credential files
 5logsource:
 6  category: process_creation
 7  product: macos
 8detection:
 9  selection_parent:
10    ParentCommandLine|contains:
11      - 'npm run'
12      - 'node_modules/.hooks'
13      - 'preinstall'
14      - 'postinstall'
15      - 'install'
16  selection_access:
17    CommandLine|contains:
18      - '.ssh/id_'
19      - '.ssh/known_hosts'
20      - 'Login Data'
21      - 'Cookies'
22      - '.aws/credentials'
23      - '.config/gcloud'
24      - 'security find-generic-password'
25      - 'keychain'
26  condition: selection_parent and selection_access
27  falsepositives:
28    - Legitimate SSH-based package installations (git+ssh dependencies)
29    - Developer tools that intentionally read cloud credentials during setup
30  level: high

Adapt ParentCommandLine patterns for your environment. On Linux CI/CD agents, extend selection_access to include /etc/shadow reads and Docker credential helper invocations. False positive rate is low in production CI environments because build processes should not be reading SSH keys or browser databases.

References

Subscribe to the it-learn Brief

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.