Security News

Cybersecurity news aggregator

Severity: CRITICAL | Topic: Attacks | Source: SC Media

Cisco, Canvas, Microsoft, Exchange 0-Days, NPM Backdoors, GPT-5.5 and more... - SWN #581

The article details a critical, actively exploited authentication bypass (CVE-2026-20182, CVSS 10.0) in Cisco Catalyst SD-WAN Manager that lets an unauthenticated attacker obtain administrative access. Affected releases are those below 20.9.9.1, 20.10 through 20.12.5.3, 20.12.6 through 20.12.6.1, 20.13 through 20.15.4.3, and 20.15.5 through 20.15.5.1; the fix is an upgrade to a fixed release, which the article lists as including 20.9.9.1, 20.12.5.4 and 20.15.5.2. It also covers a high-severity cross-site scripting flaw in on-premises Microsoft Exchange (CVE-2026-42897, CVSS 8.1) that is being mass-exploited by sending a crafted email, though the available text does not give the affected or fixed builds. Finally, it reports the return of the node-ipc backdoor in three malicious npm package versions that exfiltrate a wide range of developer secrets; the recommended mitigation is to pin dependency versions and audit lockfiles.
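The affected ranges quoted above (and the "patch now" item for the same CVE in the show notes below) are easy to misread when a deployment has several version trains. As an added example, not code from the SC Media summary or from Cisco, the following Node.js snippet encodes exactly those ranges and classifies a release string against them. The version strings are the ones in the summary; where the summary names no fixed release for a range, the result says so rather than guessing, and a release outside every listed range is reported as "not listed", which is not the same as confirmed safe.

```javascript
// Added example (not from the SWN #581 notes or a Cisco advisory): classify a
// Cisco Catalyst SD-WAN Manager release string against the affected ranges and
// fixed releases quoted in the summary. Every version literal below comes from
// that summary; the releases used in the usage call at the bottom are
// constructed test inputs.

// "20.12.5.3" -> [20, 12, 5, 3]. Missing trailing fields compare as 0, so
// "20.10" sorts before "20.10.0.1", as a range written "20.10 through ..." intends.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map(Number);
  if (parts.length === 0 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a dotted release string: ${v}`);
  }
  return parts;
}

// Field-by-field numeric compare, zero-padding the shorter string.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges as stated in the summary. `lo` is inclusive (null = no lower
// bound); `hi` is inclusive for a "through" bound and exclusive for "below".
// `fixed` is the fixed release the summary names for that train, or null where
// the summary names none (we do not guess one).
const AFFECTED_RANGES = [
  { label: 'below 20.9.9.1',              lo: null,      hi: '20.9.9.1',  hiInclusive: false, fixed: '20.9.9.1' },
  { label: '20.10 through 20.12.5.3',     lo: '20.10',   hi: '20.12.5.3', hiInclusive: true,  fixed: '20.12.5.4' },
  { label: '20.12.6 through 20.12.6.1',   lo: '20.12.6', hi: '20.12.6.1', hiInclusive: true,  fixed: null },
  { label: '20.13 through 20.15.4.3',     lo: '20.13',   hi: '20.15.4.3', hiInclusive: true,  fixed: null },
  { label: '20.15.5 through 20.15.5.1',   lo: '20.15.5', hi: '20.15.5.1', hiInclusive: true,  fixed: '20.15.5.2' },
];

// Returns { release, affected, range, fixedRelease }. `affected: false` only
// means "not in a range the summary lists"; confirm against the vendor advisory.
function checkRelease(release) {
  for (const r of AFFECTED_RANGES) {
    const aboveLo = r.lo === null || compareVersions(release, r.lo) >= 0;
    const c = compareVersions(release, r.hi);
    const belowHi = r.hiInclusive ? c <= 0 : c < 0;
    if (aboveLo && belowHi) {
      return { release, affected: true, range: r.label, fixedRelease: r.fixed };
    }
  }
  return { release, affected: false, range: null, fixedRelease: null };
}

// Constructed inputs for a quick run: node check-sdwan.js
for (const v of ['20.9.8', '20.9.9.1', '20.12.5.3', '20.12.6.1', '20.14.1', '20.15.5.2']) {
  console.log(JSON.stringify(checkRelease(v)));
}
```

The null `fixedRelease` for the 20.12.6 and 20.13 trains is deliberate: the summary says fixed versions "like" the three it lists, so the script reports that the summary names no fix for those ranges instead of inventing one.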

Full episode and show notes (Security Weekly News, SC Media)
Topics: Vulnerability Management, Supply chain, AI/ML
Episode: Cisco Catalyst, Canvas, Exchange 0-Days, BitLocker Bypass, Mini Shai Hulud, Node IPC, Patch Tuesday, GPT-5.5, Supply Chain Attacks, and More on the Security Weekly News
Date: May 15, 2026
Host: Joshua Marpet (https://www.cyturus.com)

Full Segment Notes: List of Articles

Cisco Catalyst SD-WAN Controller — CVSS 10.0 Auth Bypass Under Active Exploitation
A max-severity authentication bypass (CVE-2026-20182) lets unauthenticated attackers gain admin on Cisco Catalyst SD-WAN Controllers. CISA added it to the KEV catalog this week. Patch now — exploitation is in the wild.

Canvas/Instructure Breach — 275M Students and Faculty Exposed
ShinyHunters defaced the Canvas LMS login page with a ransom demand, claiming 275M records across roughly 9,000 schools and universities. Instructure took the platform offline mid-semester, disrupting finals nationwide.

Microsoft Exchange On-Prem CVE-2026-42897 — Mass-Exploited XSS via Email
An XSS flaw in on-prem Exchange is being weaponized by simply sending crafted email; arbitrary JavaScript executes inside Outlook Web Access for any recipient who opens the message. On-prem Exchange admins should patch immediately and audit OWA sessions.

Windows Zero-Days “YellowKey” and “GreenPlasma” — BitLocker Bypass + LPE
An anonymous researcher dropped two unpatched Windows zero-days: YellowKey bypasses BitLocker via the Recovery Environment (effectively a backdoor on encrypted drives), and GreenPlasma escalates privileges through CTFMON. No fix in this month's Patch Tuesday.

TanStack Supply-Chain Compromise Hits OpenAI Devices (“Mini Shai-Hulud”)
Two OpenAI employee laptops were compromised through a malicious TanStack package update — the latest in the Shai-Hulud-family npm attacks. Limited internal credentials were exposed; no production systems or user data were touched. Reinforces that dev workstations are now front-line targets.

node-ipc Backdoor Returns — 3 Malicious Versions Stealing 90 Categories of Secrets
Three poisoned versions of the popular npm package node-ipc contain obfuscated stealer/backdoor code that fingerprints hosts, walks the filesystem, and exfiltrates developer tokens, cloud keys, and browser data across 90 secret categories. Pin versions and audit lockfiles.

Microsoft Patch Tuesday May 2026 — 118 CVEs, 16 Critical, Zero Emergency 0-Days
Microsoft shipped fixes for 118 vulnerabilities including 16 critical, and for the first time in nearly two years issued no out-of-band emergency zero-day patches. Krebs notes AI-assisted vulnerability discovery is now flagging issues across vendors at scale.

PraisonAI CVE-2026-44338 — Auth Bypass Weaponized in 4 Hours
A missing-authentication flaw in the PraisonAI agent framework drew exploitation attempts within four hours of public disclosure, giving attackers unauthenticated access to protected API endpoints. Time-to-exploit on AI infrastructure is now effectively zero.

Shai-Hulud Offensive Framework Source Code Leaked on GitHub
TeamPCP's full offensive framework — the same code family behind a wave of npm supply-chain compromises — was briefly published on GitHub before takedown, and a code-teardown is now circulating. Defenders gain rare visibility into TTPs, but proliferation risk to copycats is high.

GPT-5.5 Matches Anthropic’s “Mythos” at Finding Vulnerabilities — UK AISI
The UK AI Security Institute concluded that publicly available GPT-5.5, and even smaller open models, match a frontier closed model on vulnerability discovery benchmarks. Schneier's takeaway: the offense-defense gap is no longer gated by access to a single lab's top model — the implications run from code into tax law and any rule-bound system.
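The "pin versions and audit lockfiles" advice in the node-ipc item above, and in the summary at the top of this page, is the kind of check that is worth scripting once and running in CI. The following Node.js script is an added example, not code from the segment, from npm or from the node-ipc project: it flags dependency specs in package.json that are not pinned to an exact version, then walks a lockfileVersion 2 or 3 package-lock.json (including transitive copies nested under another package's node_modules) for versions on a deny list, entries with no integrity hash, and tarballs resolved from somewhere other than the public registry. The deny list, both manifests and every version number in them are constructed for this example; this page does not name the three malicious node-ipc versions, so DENY_LIST is a placeholder to be filled from the actual advisory.

```javascript
// Added example (not from the SWN #581 notes, npm, or node-ipc): an offline
// package.json / package-lock.json audit. All package data below is constructed.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Hypothetical deny list keyed by package name. "9.9.9" is a stand-in, not a
// real malicious node-ipc release; populate this from the advisory you trust.
const DENY_LIST = { 'node-ipc': new Set(['9.9.9']) };

// A spec that is not an exact version ("^", "~", ">=", "*", "latest", a dist-tag,
// a git or URL spec) lets npm pull a newer, possibly poisoned, release later.
function findUnpinnedDeps(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Lockfile v2/v3 lists every installed copy under `packages`, keyed by its
// on-disk path, so a nested "node_modules/a/node_modules/node-ipc" is visible too.
function auditLockfile(lock, denyList = DENY_LIST) {
  if (!(lock.lockfileVersion >= 2) || !lock.packages) {
    throw new Error('expected a lockfileVersion 2 or 3 package-lock.json');
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || entry.link) continue; // root project or workspace symlink
    const name = path.split('node_modules/').pop(); // keeps "@scope/name" intact
    const { version, resolved, integrity } = entry;
    const base = { path, name, version };
    if (denyList[name]?.has(version)) {
      findings.push({ ...base, issue: 'denied version' });
    }
    if (!integrity) {
      findings.push({ ...base, issue: 'missing integrity hash' });
    }
    if (resolved && !resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ ...base, issue: `non-registry source: ${resolved}` });
    }
  }
  return findings;
}

// Constructed sample manifests (not a real project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'node-ipc': '^9.0.0', express: '4.18.2' },
  devDependencies: { 'some-tool': 'latest' },
};

const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    'node_modules/express': {
      version: '4.18.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz',
      integrity: 'sha512-constructed',
    },
    'node_modules/node-ipc': {
      version: '9.9.9', // on the hypothetical deny list
      resolved: 'https://registry.npmjs.org/node-ipc/-/node-ipc-9.9.9.tgz',
      integrity: 'sha512-constructed',
    },
    // A transitive copy pulled from outside the registry, with no integrity hash.
    'node_modules/some-tool/node_modules/node-ipc': {
      version: '9.1.0',
      resolved: 'git+ssh://git@example.invalid/mirror/node-ipc.git#abc123',
    },
  },
};

function runAudit(pkg = SAMPLE_PACKAGE_JSON, lock = SAMPLE_LOCKFILE) {
  return { unpinned: findUnpinnedDeps(pkg), lockfile: auditLockfile(lock) };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

To run it against a real project, replace the two sample objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`, and fail the CI job when either array is non-empty. A lockfileVersion 1 file keeps its tree under `dependencies` rather than `packages` and needs a recursive walker instead; the script refuses it rather than silently auditing nothing.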
