⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Ravie Lakshmanan | May 18, 2026 | Cybersecurity / Hacking

Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.

The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off. Patch the quiet risks first. Let’s get into it.

⚡ Threat of the Week

On-Prem Microsoft Exchange Server Exploited in the Wild — Microsoft disclosed a security vulnerability impacting on-premise versions of Exchange Server, which has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. Microsoft is providing a temporary mitigation through its Exchange Emergency Mitigation Service, while it's readying a permanent fix for the security defect. There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts. It's also unclear who the targets are and if any of those attacks were successful.
🔔 Top News

Cisco Catalyst SD-WAN Controller Flaw Under Attack — The exploitation of CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller, has been attributed to a sophisticated threat actor tracked as UAT-8616. "8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor," Cisco Talos said. "UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges." UAT-8616 is the same threat actor that was behind the weaponization of CVE-2026-20127 earlier this year to gain unauthorized access to SD-WAN systems. Cisco isn't the only security vendor facing a barrage of attacks on its customers, but it is among the most heavily targeted, along with Fortinet and Ivanti.

"For nation-state operators, a bug like this (as seen with the actively exploited CVE-2026-20127) is ideal for pre-positioning," Rapid7 said. "They are usually not looking for a smash and grab. They want persistence. They want access that blends in. They want to sit in the right place long enough to observe, influence, and pivot when the time is right. An SD-WAN controller is a great place to do that, because it lives in the middle of trust relationships most organizations rarely question."

Blast Radius of TeamPCP Attacks Expands — A new wave of the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages as part of a broader supply chain attack worming through developer ecosystems, including packages tied to UiPath, Mistral AI, OpenSearch and PyPI. The activity has been attributed to TeamPCP, which has orchestrated a series of high-profile supply chain attacks targeting popular open-source projects in recent months. The goal is the same across all attack campaigns — use poisoned, open-source software to deploy stealer malware and harvest user credentials, API keys, SSH keys, and other secrets.
TeamPCP is said to be weaponizing credentials and secrets obtained in the supply chain attacks to access organizations' cloud infrastructure, and to be acting as an initial access broker for follow-on attacks like ransomware by teaming up with other cybercrime groups. In some waves, the attackers used the Trufflehog scanner to validate those credentials. The escalating attacks show that TeamPCP prioritizes speed rather than subtlety and stealth.

Supply chain attacks have become an increasingly serious concern because of the sheer scale at which trusted dependencies are reused. A single poisoned package can rapidly propagate into thousands of downstream applications, enterprise environments, and production systems. The development coincided with the compromise of the node-ipc package to distribute stealer malware. It's currently not known who is behind the attack. Since the library is a dependency for hundreds of other packages, which in turn could be dependencies for even more packages, the attack could have cascading consequences.

Apple and Google Roll Out Cross-Platform E2EE for RCS Messages — End-to-end encrypted (E2EE) Rich Communication Services (RCS) messaging is being rolled out in beta between iPhone and Android devices, closing one of the biggest interoperability gaps in mainstream mobile messaging. The feature is available to iPhone users on iOS 26.5 with supported carriers and to Android users on the latest version of Google Messages. Encrypted conversations are marked with a padlock icon in the chat interface. The wider rollout to iPadOS, macOS, and watchOS will follow in future software updates, Apple said.

Instructure Reaches Ransom Agreement with ShinyHunters — Instructure, the developer of school information portal Canvas, said it struck a deal with the ShinyHunters group, which breached its systems, stole a massive amount of data, and disrupted thousands of schools that rely on the company's software.
The company did not say what it had given the threat actors in exchange for the destruction of the data, but it's fair to say it likely made the controversial decision to make a ransom payment. The company said it also received "digital confirmation" that the hackers destroyed any remaining copies in the form of "shred logs." In addition, the agreement included the return of the stolen data, assurances that affected customers would not be extorted, and a commitment that individual institutions would not need to engage with the threat actor.

While it remains to be seen if the threat actors will keep their side of the bargain, it's worth highlighting a key problem with paying a ransom: once attackers have a victim's data, there is no guarantee it was not copied or shared with others. As of May 12, the listing for Instructure has been removed from the ShinyHunters' data leak site. The group said: "The data is deleted, gone. The company and it's [sic] customers will not further be targeted or contacted for payment by us."

Fake Hugging Face Repository Delivers Stealer Malware — A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart, released by OpenAI late last month (openai/privacy-filter), including copying the entire description verbatim to trick unsuspecting users into downloading it. The description accompanying the fake model diverged from the legitimate project in one aspect: instructing users to run start.bat on Windows or execute python loader.py on Linux and macOS to deploy the stealer. Access to the malicious model has since been disabled by Hugging Face.
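A pre-download check for the pattern described above (a look-alike publisher namespace plus a description that tells users to run a bundled launcher), as an added example that is not part of the original article. The trusted-publisher allowlist, file listing and README text are constructed for illustration; only the repository names and the two script names come from the article.

```python
import re
from pathlib import PurePosixPath

# Assumption: an organization-maintained allowlist of publisher namespaces.
TRUSTED_PUBLISHERS = {"openai"}
# Known-good repos, used to spot the same model name under another namespace.
KNOWN_REPOS = {"openai/privacy-filter"}
# File types that have no place in a weights-only model repository.
LAUNCHER_EXTS = {".bat", ".cmd", ".ps1", ".exe", ".dll", ".msi", ".scr", ".sh"}
# README phrases that tell the reader to execute a file.
RUN_HINT = re.compile(
    r"\b(?:run|execute|launch)\s+(?:python3?\s+)?([\w./-]+\.(?:bat|cmd|ps1|exe|sh|py))\b",
    re.IGNORECASE,
)

def audit_model_repo(repo_id, files, readme):
    """Return a list of (severity, message) findings for a model repository."""
    findings = []
    publisher, _, name = repo_id.partition("/")
    if publisher.lower() not in TRUSTED_PUBLISHERS:
        findings.append(("warn", f"publisher '{publisher}' is not on the allowlist"))
        clones = [r for r in KNOWN_REPOS if r.split("/")[1].lower() == name.lower()]
        if clones:
            findings.append(("high", f"name collides with trusted repo {clones[0]}"))
    for f in files:
        if PurePosixPath(f).suffix.lower() in LAUNCHER_EXTS:
            findings.append(("high", f"unexpected executable or script: {f}"))
    # Flag run instructions only when they point at a file shipped in the repo.
    bundled = {PurePosixPath(f).name.lower() for f in files}
    for m in RUN_HINT.finditer(readme):
        target = PurePosixPath(m.group(1)).name.lower()
        if target in bundled:
            findings.append(("high", f"README tells users to execute bundled file: {target}"))
    return findings

# Constructed sample modelled on the repository described in the article.
SAMPLE_FILES = ["README.md", "config.json", "model.safetensors", "start.bat", "loader.py"]
SAMPLE_README = ("On Windows, run start.bat. "
                 "On Linux and macOS, execute python loader.py.")

if __name__ == "__main__":
    for severity, message in audit_model_repo("Open-OSS/privacy-filter", SAMPLE_FILES, SAMPLE_README):
        print(f"[{severity}] {message}")
```
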
The incident highlights how public AI model registries are emerging as a new software supply chain risk for enterprises, emphasizing why AI model supply chain security needs the same level of rigor as software supply chain security. It's essential to verify publisher identity, check model card provenance, and scan for unexpected binary downloads.

OpenAI Announces Daybreak — OpenAI announced Daybreak, a new initiative based on its frontier large language models (LLMs) and its artificial intelligence (AI)-powered coding assistant, Codex, to help developers secure their software from the ground up. Like Anthropic's Mythos and Project Glasswing, the initiative makes it possible to scan a codebase to identify flaws and fix them, triage the vulnerability backlog and prioritize fixes by severity, impact, or exploitability, and automate vulnerability detection, validation and response.

In a related development, Microsoft detailed its own AI-assisted vulnerability discovery system called MDASH, which orchestrates more than 100 specialized AI agents across multiple frontiers and distilled AI models to find vulnerabilities in the tech giant's own codebases. MDASH is designed to run a structured pipeline that goes through distinct stages: preparation, scanning, validation, deduplication, and proof construction.

The emergence of Daybreak and MDASH comes amid a spike in vulnerability discovery, mainly fueled by the use of AI tools. Five months into 2026, Microsoft has already patched more than 500 vulnerabilities in its software, a rate that could see the company break its own annual record for the highest number of security fixes in a year. The U.K. National Cyber Security Centre (NCSC) has also warned organizations that they should prepare for a surge of software updates driven by AI-assisted vulnerability discovery. At this stage, access to these advanced tools is tightly controlled.
OpenAI has framed the access controls as a response to the dual-use nature of the underlying technology. The same AI capabilities that allow defenders to identify vulnerabilities and accelerate remediation could be misused by bad actors. Per Google, hacking groups are already using AI models to boost the speed, scale, and sophistication of their attacks, as well as perform reconnaissance and build better mal