Cyber Intelligence Daily -- May 13, 2026

Classification: TLP:WHITE | OPEN SOURCE | Cycle: 48-Hour Rolling (May 11 09:00 UTC – May 13 09:00 UTC) | Stories: 4

Policymaker Summary

Thesis: The 48-hour cycle ending May 13, 2026 is defined by two confirmed exploitation crises and two high-severity vulnerabilities requiring immediate preventive action. A state-sponsored China-nexus cluster (CL-STA-1132) has been actively exploiting a critical PAN-OS buffer overflow for seven days; the first patches ship today. A self-propagating npm/PyPI worm (Shai-Hulud "mini" wave) compromised 42 TanStack packages in a six-minute window on May 11 and may still be republishing through harvested maintainer tokens. A third item — Instructure's confirmed ransom payment to ShinyHunters following the Canvas LMS breach — sets a damaging market precedent for education-sector vendors. A fourth item — public proof-of-concept code for a Git CLI arbitrary-file-write flaw (CVE-2025-48384) — closes the cycle with an urgent developer-environment risk that has received insufficient enterprise attention.

The structural through-line across all four incidents: privileged access surfaces reached without authentication or with stolen identity material. No novel memory-corruption research, no zero-click client-side exploitation, and no firmware-level compromise is represented in this window. The exploitation economy is operating against the weakest configured access control in each environment.

Top 3 Key Judgments with Confidence:

  1. (High confidence) CL-STA-1132 exploitation of PAN-OS CVE-2026-0300 is vendor-confirmed and ongoing. Today's patch availability does not retroactively clean already-compromised devices; any firewall that ran an exposed Captive Portal between May 6 and patch installation requires full forensic review, not just patching.
  2. (High confidence — scope; Moderate confidence — totals) The Shai-Hulud "mini" wave is a self-propagating worm, not a discrete compromise. TanStack's own postmortem confirms 84 malicious versions across 42 packages published in six minutes on May 11. Broader tracker totals (Aikido: 373 entries; Socket: 416 artifacts; Endor: 160+ names) are non-comparable and still moving; treat all CI runners that executed installs of affected packages on May 11 as compromised pending credential rotation.
  3. (Moderate confidence) Instructure's ransom payment to ShinyHunters will be cited by future ransomware operators as a successful negotiation template, increasing pressure on education-sector victims. The "digital confirmation of data destruction (shred logs)" provided by ShinyHunters has zero forensic verification value; treat all 275 million exposed records as still in circulation.

3 What to Watch Triggers:

  • If new TanStack- or Mistral-adjacent maintainer packages appear with publication timestamps after May 13 09:00 UTC, the worm's self-propagation logic survived the npm registry's initial purge — escalate to ecosystem-wide CI lockdown.
  • If Mandiant or Unit 42 publishes specific victim sectors for CL-STA-1132 PAN-OS exploitation in the next 72 hours, attribution confidence on the Chinese-state nexus moves from Moderate to High and the incident scope expands materially.
  • If a second education-sector victim publicly confirms ransom payment within 30 days, the Instructure precedent has measurably altered ransomware negotiation behavior in the sector.

Top 3 Policy Implications with Named Actors:

  • For CISOs of any organization running PAN-OS PA-Series or VM-Series: Apply today's hotfixes as they release through the update portal. Patching alone is insufficient — any firewall with an exposed Captive Portal between May 6 and patch installation requires credential rotation and configuration audit against a known-good baseline. The threat actor (CL-STA-1132) is assessed as China-nexus and has been conducting Active Directory enumeration post-compromise; assume lateral movement has occurred on any unaudited device. Decision deadline: 72 hours.
  • For CISA and the U.S. Department of Education: The Instructure incident exposes a regulatory gap on ransom payments by education-sector vendors holding student PII. The Department of Education's May 12 Technology Security Alert (FSA Partners advisory) is reactive and addresses institutional response, not vendor accountability. A forward policy is required on whether federally funded institutions may maintain vendor relationships with confirmed ransom-paying suppliers holding student records. The gap is structural: no current federal regulation prohibits an edtech vendor from paying a criminal group and continuing to hold Title IV student data. Decision deadline: 30 days.
  • For platform engineering leads at any organization using npm or PyPI in CI pipelines: Enforce minimum release-age policies (24–72 hour quarantine on new versions) and lockfile-only installs in CI runners by May 20. Shai-Hulud propagates through package managers' default behavior of resolving the newest version that satisfies a semver range; patching any one downstream package does not change that, only install-time policy does. The Git CLI CVE-2025-48384 (Story 5) compounds this risk: developer workstations and CI runners on unpatched Git versions are exposed to arbitrary file write from a malicious repository cloned recursively, which can plant hooks that execute during the same CI workflows.

Bottom Line

The 48-hour cycle presents two confirmed exploitation events and two high-severity pre-exploitation risks. CL-STA-1132 (China-nexus, Moderate confidence) has been exploiting PAN-OS CVE-2026-0300 since at least May 6; patches begin shipping today but do not remediate already-compromised devices. The Shai-Hulud npm/PyPI worm compromised 42 TanStack packages on May 11 and may still be propagating through harvested maintainer tokens. Instructure confirmed a ransom payment to ShinyHunters on May 11, establishing a precedent that affects 8,809 institutions and 275 million user records. CVE-2025-48384 in Git CLI has public proof-of-concept code enabling arbitrary file write leading to RCE in developer environments; fixed versions exist for every affected branch, so the remaining exposure is unpatched installs, not a missing patch.

Confidence Ladder:

| Assessment Area | Finding | Confidence |
|---|---|---|
| CVE-2026-0300 exploitation status | Actively exploited by CL-STA-1132; vendor-confirmed | High |
| CL-STA-1132 China-nexus attribution | Tool overlap with EarthWorm/ReverseSocks5; no SIGINT or HUMINT corroboration | Moderate |
| Shai-Hulud TanStack scope (84 versions / 42 packages) | Vendor first-party postmortem; unverified by independent third party | High (scope); Moderate (totals) |
| Shai-Hulud broader tracker totals | Non-comparable methodologies; counts still moving at publication | Moderate |
| TeamPCP attribution for Shai-Hulud | Single source (BleepingComputer); not in verified actor profiles | Low |
| Instructure breach facts and ransom payment | Instructure direct statement; DoE advisory; multiple English outlets | High |
| Instructure data destruction attestation | Criminal-actor cryptographic claim; no forensic verification path | Low |
| Fortinet CVE-2026-44277 / CVE-2026-26083 technical details | Vendor PSIRT; no independent corroboration yet | High (technical); Low (exploitation horizon) |
| CVE-2025-48384 PoC availability | Confirmed public PoC; CVSS 8.1; no mass-scanning observed | High (PoC); Moderate (weaponization risk) |

Key Judgments

  1. (High confidence) CL-STA-1132 exploitation of PAN-OS CVE-2026-0300 is vendor-confirmed and ongoing. Patching does not remediate already-compromised devices. Any PA-Series or VM-Series firewall with an exposed Captive Portal between May 6 and patch installation must be treated as potentially compromised and subjected to full forensic review.
  2. (High confidence — scope; Moderate confidence — totals) The Shai-Hulud "mini" wave is a self-propagating worm affecting npm and PyPI. TanStack's postmortem confirms 84 malicious versions across 42 packages published in six minutes on May 11. Broader totals remain unstable. Any CI runner that executed installs against affected packages on May 11 should be treated as compromised.
  3. (Moderate confidence) Instructure's ransom payment to ShinyHunters will be cited as a successful negotiation template by future ransomware operators targeting education-sector vendors. All 275 million exposed records should be treated as still in circulation regardless of ShinyHunters' shred-log attestation.
  4. (Moderate confidence) CVE-2025-48384 in Git CLI represents an active developer-environment risk. Public PoC code is available and validated for arbitrary file writes; exploitation prerequisites are low (social engineering to trigger a recursive clone). The absence of mass-scanning signals does not indicate low risk in targeted developer or CI environments.
  5. (Moderate confidence) The three CISA KEV additions in the past seven days — CVE-2026-0300 (PAN-OS), CVE-2026-6973 (Ivanti EPMM), and CVE-2026-42208 (BerriAI LiteLLM) — collectively indicate a sustained campaign tempo against perimeter and identity infrastructure by nation-state actors including MuddyWater (Iran), Kimsuky (DPRK), and CL-STA-1132 (China-nexus). The convergence of three KEV additions in three consecutive days is above the rolling average and warrants elevated monitoring posture.

Palo Alto Networks begins shipping the first patches for CVE-2026-0300 today, ending a seven-day exposure window during which CL-STA-1132 — a likely China-nexus cluster — was already exploiting unpatched PAN-OS firewalls. In parallel, a fresh wave of the Shai-Hulud npm worm published 84 malicious versions across 42 TanStack packages on May 11, marking the largest verified open-source supply-chain compromise of the quarter. Two additional items — Instructure's confirmed ransom payment to ShinyHunters and a public PoC for Git CLI CVE-2025-48384 — complete a cycle defined entirely by identity and access control failures, not novel exploitation research.

Story 1 — CISA KEV: [CVE-2026-0300](https://blacklensintelligence.com/cve-2026-0300/) PAN-OS First Patches Ship Today; CL-STA-1132 Exploitation Continues

[DIRECTLY ACTIONABLE — PATCH AVAILABLE TODAY]

Original disclosure: May 6, 2026 (Palo Alto Networks PSIRT advisory, https://security.paloaltonetworks.com/CVE-2026-0300). CISA KEV addition: May 6, 2026. New development justifying inclusion today: First fixed PAN-OS versions begin shipping May 13, 2026, ending the seven-day workaround-only period. Patch staging continues through approximately May 28 per Palo Alto's published release schedule.

Vulnerability: CVE-2026-0300 is an unauthenticated buffer overflow (out-of-bounds write) in the User-ID Authentication Portal (Captive Portal) of PAN-OS, allowing arbitrary code execution at root via specially crafted packets to TCP ports 6081/6082. CVSS is 9.3 when the portal is internet-reachable; 8.7 when restricted to trusted internal IPs. Prisma Access, Cloud NGFW, and Panorama are not affected — only PA-Series and VM-Series firewalls with the Authentication Portal enabled and Response Pages reachable from untrusted interfaces.

Attribution: Palo Alto Networks Unit 42 attributed observed exploitation to CL-STA-1132, a state-sponsored cluster deploying open-source tunneling tools (EarthWorm, ReverseSocks5) and conducting Active Directory enumeration post-compromise. The cluster is assessed as China-nexus (Moderate confidence) based on tool overlap with known China-nexus tooling.

Epistemic flag — attribution signal weakness: EarthWorm and ReverseSocks5 are widely shared open-source tools used by multiple threat actor clusters across different nation-state programs. Tool overlap alone is a weak attribution indicator. The China-nexus assessment is supported by Unit 42's broader cluster analysis but has not been corroborated by signals intelligence or HUMINT. Confidence remains Moderate and should not be treated as definitive state attribution. (Palo Alto Networks Unit 42, https://security.paloaltonetworks.com/CVE-2026-0300)

Epistemic flag — internal-process reference removed: A prior draft of this brief referenced "Gemini council research" as a source for a contested EarthWorm co-actor claim. That reference has been removed. Unit 42's published advisory is the sole primary record for the May 2026 campaign attribution; EarthWorm is treated as a tool deployed by CL-STA-1132, not as a separate actor.

Historical graph context: ShinyHunters is linked to CVE-2026-0300 at 50% confidence in the historical graph. This association appears stale relative to the active May 2026 campaign and is not treated as a current attribution.

EPSS divergence note: EPSS scores for CVE-2026-0300 have been reported at divergent values across scoring platforms. Regardless of EPSS reading, exploitation is vendor-confirmed and CISA KEV-listed. Treat as actively exploited. Exploitation prerequisites: Authentication Portal must be enabled AND reachable from untrusted networks. No credentials required.

Independent corroboration: Rapid7 published an Emergent Threat Response (ETR) post confirming Palo Alto's limited-exploitation claim (https://www.rapid7.com/blog/post/etr-critical-buffer-overflow-in-palo-alto-networks-pan-os-user-id-authentication-portal-cve-2026-0300/). Wiz Research published independent technical analysis confirming in-the-wild exploitation (https://www.wiz.io/blog/critical-vulnerability-in-pan-os-exploited-in-the-wild-cve-2026-0300). Additional corroboration has been reported by SOC Prime, Beazley Security, and Arctic Wolf; citations for those three vendors were not available at publication time and are flagged as unverified secondary corroboration pending reference confirmation.

Patch versions: Palo Alto Networks' published release schedule lists hotfixes including versions in the 12.1.x, 11.2.x, 11.1.x, and 10.2.x branches releasing through approximately May 28. Specific hotfix version numbers (e.g., 12.1.4-h5, 11.2.7-h13, 11.1.4-h33, 10.2.18-h6) are drawn from Palo Alto's PSIRT advisory and update portal; verify current availability directly at https://security.paloaltonetworks.com/CVE-2026-0300 before applying, as the release schedule may have been updated since this brief was compiled.
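Because PAN-OS hotfix builds carry an -hN suffix, a plain string comparison against the advisory's fixed versions gives wrong answers (11.2.7-h2 sorts after 11.2.7-h13 lexically). The following is an added example, not Palo Alto Networks code, that parses the sw-version field from `show system info` and compares it branch by branch. The fixed builds it embeds are the hotfix numbers quoted in this brief and are an assumption for illustration; verify them against the PSIRT advisory before relying on the result.

```python
"""Added example (not Palo Alto Networks code): decide whether a PAN-OS
software version is at or above the first fixed build for its release branch.
Input is the sw-version field printed by `show system info` on the CLI (the
same field is returned by the XML API op command
<show><system><info></info></system></show>).

ASSUMPTION: the fixed builds below are the hotfix numbers quoted in this brief
(12.1.4-h5, 11.2.7-h13, 11.1.4-h33, 10.2.18-h6). They are illustrative and
must be verified against https://security.paloaltonetworks.com/CVE-2026-0300,
because the release schedule is still moving through May 28.
"""
from __future__ import annotations

import re
from typing import Optional

# Assumed first fixed build per branch (from this brief, not from the advisory directly).
FIXED_BUILDS = {
    "12.1": "12.1.4-h5",
    "11.2": "11.2.7-h13",
    "11.1": "11.1.4-h33",
    "10.2": "10.2.18-h6",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple.

    A base release without a hotfix suffix sorts as hotfix 0, so
    11.2.7 < 11.2.7-h1 < 11.2.7-h13, matching how PAN-OS numbers builds.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def branch_of(version: str) -> str:
    major, minor, _, _ = parse_panos_version(version)
    return f"{major}.{minor}"


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the branch's fix, False if it is the fix or later.

    Returns None for a branch with no fixed build in FIXED_BUILDS: treat that as
    'unknown, check the advisory', not as safe. Assumes later maintenance releases
    on a branch include the fix, which is how PAN-OS advisories list fixed versions.
    """
    fixed = FIXED_BUILDS.get(branch_of(version))
    if fixed is None:
        return None
    return parse_panos_version(version) < parse_panos_version(fixed)


def sw_version_from_show_system_info(output: str) -> str:
    """Pull the sw-version line out of `show system info` text."""
    m = re.search(r"^\s*sw-version:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("sw-version not found in output")
    return m.group(1)


# Constructed sample output; not from a real device.
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3260
sw-version: 11.2.7-h2
app-version: 9012-9999
"""

if __name__ == "__main__":
    v = sw_version_from_show_system_info(SAMPLE_SHOW_SYSTEM_INFO)
    state = {True: "VULNERABLE", False: "fixed", None: "unknown branch"}[is_vulnerable(v)]
    print(f"{v}: {state}")
```

A None result (a branch not in the table, including end-of-life branches) must be escalated rather than ignored: an unsupported branch has no fix to wait for, and the workaround in action 2 above is the only mitigation.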

Immediate actions:

  1. Apply hotfixes as they release through the Palo Alto update portal today and through May 28. Verify current available versions directly against the PSIRT advisory.
  2. If unpatched: disable Authentication Portal or restrict to trusted zones; disable Response Pages on internet-facing L3 interfaces.
  3. Enable Threat Prevention Signature ID 510019.
  4. Critical: Patching does not clean already-compromised devices. Any PA-Series or VM-Series firewall that ran a vulnerable, exposed Captive Portal between May 6 and patch installation requires: configuration audit against a known-good baseline, credential rotation for every account the device brokered, and integrity validation of administrator accounts and SSH keys.

(High confidence on exploitation status and CISA KEV listing — vendor-confirmed, two independently cited technical analyses; Moderate confidence on China-nexus attribution — tool overlap only, no signals or HUMINT corroboration)

Story 2 — CISA KEV Context: [CVE-2026-6973](https://blacklensintelligence.com/cve-2026-6973/) (Ivanti EPMM) and [CVE-2026-42208](https://blacklensintelligence.com/cve-2026-42208/) (BerriAI LiteLLM) — Nation-State Actors Active

[SITUATIONAL AWARENESS — KEV ADDITIONS, NO NEW PATCHES IN THIS CYCLE]

The coverage directive requires sequencing KEV additions before emergency patches. Two additional KEV entries from the past seven days — CVE-2026-6973 (Ivanti EPMM, added May 7) and CVE-2026-42208 (BerriAI LiteLLM, added May 8) — carry nation-state actor attributions that meet the directive's lead-with-attribution condition and are included here for completeness. Neither has a new patch or new exploitation development in the past 48 hours; they are included because the directive mandates coverage of all KEV additions in the rolling window and because the actor attributions are materially significant.

CVE-2026-6973 — Ivanti Endpoint Manager Mobile (EPMM)

Original disclosure / KEV addition: May 7, 2026. CISA description: Improper input validation vulnerability allowing a remotely authenticated attacker to execute arbitrary commands. Affected product: Ivanti EPMM (on-premises).

Attribution (directive-mandated lead): The CISA KEV entry and the intel graph link this CVE to MuddyWater (Iran, nation-state; also known as Earth Vetala, MERCURY, Static Kitten — 12 active/KEV CVEs in current graph), UNC5221 (China, nation-state), and Kimsuky (DPRK, nation-state; also known as Black Banshee, Velvet Chollima, Emerald Sleet — 12 active/KEV CVEs in current graph). All three attributions carry 50% confidence per the historical graph. Mandiant, the Belgian Centre for Cyber Security, and the Dutch NCSC have issued corroborating advisories on Ivanti EPMM exploitation by nation-state actors in prior cycles; those advisories are referenced for context.

Epistemic flag: Three simultaneous nation-state attributions at 50% confidence each reflect the graph's uncertainty, not confirmed multi-actor exploitation of this specific CVE. The 50% figures are independent estimates and must not be summed or otherwise aggregated into a higher combined certainty.

MITRE ATT&CK: T1190 (Exploit Public-Facing Application, Initial Access).

Action: Ivanti EPMM administrators should verify patch status against Ivanti's security advisory for CVE-2026-6973 and apply available fixes. No new patch was released in the past 48 hours; this entry is included for KEV sequencing compliance and actor-attribution awareness.

CVE-2026-42208 — BerriAI LiteLLM

Original disclosure / KEV addition: May 8, 2026. CISA description: SQL injection vulnerability allowing an attacker to read data from the proxy's database. Affected product: BerriAI LiteLLM (AI/LLM proxy infrastructure).

Attribution: The intel graph links this CVE to CL-STA-1132 (unknown confidence) and UNC6780 (unknown confidence). No country attribution is confirmed for UNC6780 in the provided actor profiles; no country attribution is asserted here beyond what the graph provides.

Significance: LiteLLM is widely deployed as an AI gateway/proxy in enterprise and cloud-native AI stacks. SQL injection in this layer could expose model routing configurations, API keys for upstream LLM providers, and query logs. The KEV addition indicates confirmed exploitation in the wild.

Action: LiteLLM administrators should apply the vendor patch immediately and audit database access logs for unauthorized read activity. Verify current patch availability at https://github.com/BerriAI/litellm/security/advisories.

(Moderate confidence on attribution — graph-derived, 50% confidence figures; High confidence on KEV status — CISA primary record)

Story 3 — Shai-Hulud "Mini" Wave: 84 Malicious Versions Across 42 TanStack npm Packages, Worm Still Propagating

[DIRECTLY ACTIONABLE — CREDENTIAL ROTATION AND INSTALL HYGIENE]

This story follows directly from the identity-as-attack-surface pattern established in Stories 1 and 2: where CL-STA-1132 exploited a portal authentication path and nation-state actors exploited an input-validation flaw in Ivanti EPMM, the Shai-Hulud actors abused GitHub Actions OIDC tokens and npm publish trust.

Prefetch reconciliation note: The grounded prefetch for this brief stated "No discoveries of malicious packages published in the last 24 hours" and noted the most recent Socket research item was dated March 30, 2026. The TanStack postmortem (May 11, 2026) and Aikido/BleepingComputer/NHS England reporting (May 12, 2026) postdate the prefetch collection window. The prefetch covered sources through approximately May 12 09:00 UTC; the TanStack incident was disclosed at 19:20 UTC on May 11 and the secondary reporting wave landed May 12 after the prefetch cutoff. This brief relies on the primary sources cited below, not on the prefetch, for this story.

Original disclosure: May 11, 2026, 19:20–19:26 UTC (TanStack postmortem, https://tanstack.com/blog/npm-supply-chain-compromise-postmortem). Secondary reporting expanded May 12, 2026.

Epistemic flag — single-source vendor postmortem: The core figures (84 malicious versions, 42 packages, six-minute publication window) rest entirely on TanStack's own first-party postmortem. Vendor self-disclosure on its own breach scope is not independently verified by a third party at time of publication. The figures are treated as High confidence for planning purposes given TanStack's direct access to npm publication logs, but readers should note the absence of independent corroboration of the specific counts.

Attack chain: TanStack's postmortem confirms an attacker combined the GitHub Actions pull_request_target "Pwn Request" pattern, cache poisoning across the fork/base trust boundary, and runtime extraction of an OIDC token from the GitHub Actions runner process memory. TanStack states no npm tokens were stolen and the publish workflow itself was not compromised — the attacker forged publish authority via the OIDC token.
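The "Pwn Request" half of that chain is visible statically in a workflow file: a pull_request_target trigger (which runs with the base repository's secrets) combined with a checkout of the pull request head, a run step, or permission to mint an OIDC token. The following checker is an added example, not TanStack's or GitHub's code. The sample workflow is constructed and written as JSON (which Actions accepts, since YAML is a superset of JSON) so the example needs no third-party YAML parser; the job names and commands are invented.

```python
"""Added example, not TanStack's or GitHub's code: a static check for the
'Pwn Request' pattern described above. It flags workflows triggered by
pull_request_target (which runs in the base repository's trust context, with
its secrets) that then check out the pull request head, run commands on it,
or hold permissions.id-token: write, the permission that lets the job mint
the OIDC token the postmortem describes being extracted from the runner.

The sample workflow is constructed for this example. It is written as JSON,
which GitHub Actions accepts because YAML is a superset of JSON; that keeps
the example free of third-party YAML parsers. The check is purely static: it
does not detect the cross-fork cache poisoning also used in the attack.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Expressions that resolve to fork-controlled code under pull_request_target.
PR_HEAD_REFS = (
    "github.event.pull_request.head.sha",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)


@dataclass
class Finding:
    job: str
    severity: str
    reason: str


def _triggers(workflow: dict) -> set[str]:
    on = workflow.get("on", {})
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def _checkout_uses_pr_head(step: dict) -> bool:
    uses = str(step.get("uses", ""))
    ref = str((step.get("with") or {}).get("ref", ""))
    return uses.startswith("actions/checkout") and any(r in ref for r in PR_HEAD_REFS)


def _can_mint_oidc_token(workflow: dict, job: dict) -> bool:
    # A job-level permissions block replaces the workflow-level one entirely.
    perms = job.get("permissions", workflow.get("permissions"))
    if perms == "write-all":
        return True
    return isinstance(perms, dict) and perms.get("id-token") == "write"


def audit_workflow(workflow: dict) -> list[Finding]:
    findings: list[Finding] = []
    if "pull_request_target" not in _triggers(workflow):
        return findings
    for name, job in workflow.get("jobs", {}).items():
        steps = job.get("steps", [])
        checks_out_head = any(_checkout_uses_pr_head(s) for s in steps)
        runs_commands = any("run" in s for s in steps)
        if checks_out_head and runs_commands:
            findings.append(Finding(name, "high",
                "pull_request_target checks out the PR head and runs commands: "
                "fork-controlled code executes with base-repository secrets"))
        elif checks_out_head:
            findings.append(Finding(name, "medium",
                "pull_request_target checks out the PR head; install scripts or "
                "later actions may still execute fork-controlled code"))
        if _can_mint_oidc_token(workflow, job):
            findings.append(Finding(name, "high",
                "id-token: write under pull_request_target: a fork can obtain an "
                "OIDC token usable for trusted publishing"))
    return findings


def audit_workflow_json(text: str) -> list[Finding]:
    return audit_workflow(json.loads(text))


# Constructed workflow; the job names and commands are invented.
SAMPLE_WORKFLOW_JSON = """
{
  "name": "pr-preview",
  "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
  "permissions": {"contents": "read", "id-token": "write"},
  "jobs": {
    "build": {
      "runs-on": "ubuntu-latest",
      "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "pnpm install && pnpm build"}
      ]
    },
    "label": {
      "runs-on": "ubuntu-latest",
      "permissions": {"pull-requests": "write"},
      "steps": [{"uses": "actions/labeler@v5"}]
    }
  }
}
"""

if __name__ == "__main__":
    for f in audit_workflow_json(SAMPLE_WORKFLOW_JSON):
        print(f"[{f.severity}] job {f.job}: {f.reason}")
```

The remediation the findings point to is the usual one: build and test fork code under pull_request, keep pull_request_target for jobs that never check out or execute the contribution (labelling, commenting), and confine id-token: write to release workflows that run only from protected branches and tags.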

Supply-chain scope (three figures, three trackers):

| Tracker | Malicious Package-Version Entries | Package Names | Ecosystems |
|---|---|---|---|
| Aikido Security Malware Team (aikido.dev, May 12) | 373 | 169 | npm |
| Endor Labs (endorlabs.com, May 12) | — | 160+ | npm |
| Socket (socket.dev, May 12) | 416 artifacts | — | npm + PyPI |

Counts are non-comparable because trackers define "package-version entry" differently (Aikido counts distinct version strings; Socket counts artifacts including PyPI; Endor counts package names). The campaign is multi-ecosystem (npm and PyPI). Do not frame as npm-only.

Confirmed affected packages (NHS England Cyber Alert CC-4781, https://digital.nhs.uk/cyber-alerts/2026/cc-4781): @tanstack/react-router, @mistralai/mistralai, @opensearch-project/opensearch, @uipath/robot, @tanstack/vue-router (npm); mistralai==2.4.6, guardrails-ai==0.10.1 (PyPI). Composer impact is not confirmed in primary sources — do not treat as Composer-affected.

Malware behavior: The payload executes during npm install, pnpm install, or yarn install; harvests AWS, GCP, Kubernetes, Vault, npm, GitHub, and SSH credentials; exfiltrates through Session/Oxen messenger infrastructure; and self-propagates by enumerating other packages owned by harvested maintainer accounts and republishing them with the same injection. The self-propagation mechanism is what makes ongoing tracker counts unstable.

Attribution: BleepingComputer's May 12 article "Shai-Hulud Attack Ships Signed Malicious TanStack, Mistral npm Packages" (https://www.bleepingcomputer.com/news/security/shai-hulud-attack-ships-signed-malicious-tanstack-mistral-npm-packages/) attributes the campaign to TeamPCP. (Single source — BleepingComputer; TeamPCP is not present in the council's verified actor profile list; no country attribution is asserted. Confidence: Low on actor identity.) The "Shai-Hulud" naming is a campaign descriptor, not an actor name.

Immediate actions:

  1. Any host or CI runner that executed npm install, pnpm install, or yarn install against affected packages on May 11 should be treated as compromised.
  2. Rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials reachable from any affected host.
  3. Review npm and GitHub publishing activity for unexpected releases from your organization's maintainer accounts.
  4. Enforce minimum release-age (24–72 hour quarantine) and lockfile-only installs in CI pipelines by May 20.
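What action 4 looks like in practice, as an added example rather than npm's, pnpm's or TanStack's code: a gate that reads the lockfile, looks up each resolved version's publish time in the registry's packument `time` field, and refuses the install when any version is younger than the quarantine window or has vanished from the registry (which is what a purged malicious version looks like to the next CI run). The registry lookup is replaced by a constructed in-memory map so the example runs offline; the package names, versions and timestamps are invented.

```python
"""Added example (not npm's, pnpm's, or TanStack's code): an install-time
release-age gate of the kind recommended above. It reads an npm lockfile
(lockfileVersion 3 layout), looks up each resolved version's publish time in
the package's registry metadata (the packument `time` field), and refuses the
install when any version is younger than MIN_AGE at install time or is absent
from the registry altogether. Registry lookups are replaced here by a
constructed in-memory packument map so the example runs offline; package
names, versions and timestamps are invented, not the real TanStack releases.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=72)


def _parse_npm_time(ts: str) -> datetime:
    # Packuments use e.g. "2026-05-11T19:20:43.117Z"; fromisoformat on
    # Python < 3.11 does not accept the trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def resolved_packages(lockfile: dict) -> list[tuple[str, str]]:
    """(name, version) for every installed dependency; nested duplicates are kept."""
    out = []
    for path, meta in lockfile.get("packages", {}).items():
        if path == "" or "version" not in meta:
            continue  # "" is the root project itself
        # Keys look like "node_modules/@scope/name" or "node_modules/a/node_modules/b".
        name = path.rsplit("node_modules/", 1)[-1]
        out.append((name, meta["version"]))
    return out


def check_release_age(lockfile: dict, packuments: dict[str, dict], now: datetime,
                      min_age: timedelta = MIN_AGE) -> list[str]:
    """Return violations as strings; an empty list means the install may proceed."""
    violations = []
    for name, version in resolved_packages(lockfile):
        times = packuments.get(name, {}).get("time", {})
        published = times.get(version)
        if published is None:
            violations.append(f"{name}@{version}: not present in registry metadata "
                              f"(unpublished or removed); refuse to install")
            continue
        age = now - _parse_npm_time(published)
        if age < min_age:
            violations.append(f"{name}@{version}: published {age} ago, "
                              f"inside the {min_age} quarantine window")
    return violations


# Constructed lockfile; names and versions are invented.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "example-app", "version": "1.0.0", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"@example/router": "^1.2.0", "left-pad-clone": "^2.0.0"}},
    "node_modules/@example/router": {"version": "1.2.9"},
    "node_modules/@example/router/node_modules/tiny-util": {"version": "0.3.1"},
    "node_modules/left-pad-clone": {"version": "2.0.0"}
  }
}
""")

# Constructed stand-in for registry packuments (only the `time` field is used).
SAMPLE_PACKUMENTS = {
    "@example/router": {"time": {"1.2.8": "2026-04-20T10:00:00.000Z",
                                  "1.2.9": "2026-05-11T19:22:05.000Z"}},
    "tiny-util": {"time": {"0.3.1": "2025-11-02T08:15:00.000Z"}},
    # 2.0.0 is missing: the registry removed it after the lockfile was written.
    "left-pad-clone": {"time": {"1.9.0": "2025-01-01T00:00:00.000Z"}},
}

INSTALL_TIME = datetime(2026, 5, 12, 6, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for v in check_release_age(SAMPLE_LOCKFILE, SAMPLE_PACKUMENTS, INSTALL_TIME):
        print("BLOCK:", v)
```

In a real pipeline the packuments come from https://registry.npmjs.org/<name>, and the gate only means something when paired with a lockfile-only install (`npm ci`, `pnpm install --frozen-lockfile`, or Yarn's frozen/immutable install) so nothing outside the lockfile is resolved at all. Recent npm and pnpm releases ship a native minimum-release-age option; the option name differs by client and version, so check your client's documentation before depending on it instead of an explicit gate like this one.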

(High confidence on TanStack-confirmed scope — vendor first-party postmortem with timestamps; Moderate confidence on broader totals — non-comparable methodologies, counts still moving at publication; Low confidence on TeamPCP attribution — single source, unverified actor profile)

Story 4 — Active Breach: Instructure Pays ShinyHunters Ransom; 275M Canvas Records, DoE Alert Issued

[ACTIVE — LEADERSHIP WEBINAR MAY 13; DEPARTMENT OF EDUCATION ALERT ISSUED MAY 12]

This story follows Story 3's credential-theft theme but escalates the consequence dimension: a major edtech vendor has confirmed a ransom payment affecting 8,809 institutions globally, and the U.S. Department of Education has issued a formal advisory.

Prefetch reconciliation note: The Check Point Research Threat Intelligence Report cited in the prefetch described Instructure as having "confirmed a major data breach" — not a confirmed ransom payment. The ransom payment confirmation (May 11) and the Department of Education advisory (May 12) postdate or extend beyond the Check Point report's coverage. This brief relies on Instructure's direct incident page statement, the FSA Partners advisory, and English-language outlet coverage for the ransom payment claim.

Original disclosure: May 1, 2026 (Instructure first public statement). New developments in last 48 hours: Ransom payment confirmed by Instructure on May 11 (https://www.instructure.com/incident_update); U.S. Department of Education / Federal Student Aid Partners issued a formal Technology Security Alert on May 12 (https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2026-05-12/technology-security-alert-ongoing-cybersecurity-incident-involving-canvas-learning-management-system); Instructure leadership webinar scheduled for May 13.

Breach facts: ShinyHunters claimed 3.65 TB exfiltrated, covering approximately 275 million users across 8,809 institutions, including private student–teacher messages. Initial unauthorized activity was detected April 29. A second wave on May 7 defaced approximately 330 Canvas login portals with extortion messages and a May 12 deadline. The 3.65 TB, 275 million, 8,809-institution, and 330-portal figures all originate from ShinyHunters' own public claim, as reported by Inside Higher Ed (https://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/11/instructure-pays-ransom-canvas-hackers) and BleepingComputer; neither Instructure nor a forensic firm had independently verified them at time of publication.

Root cause: Instructure confirmed the entry vector was Free-For-Teacher accounts — no-cost Canvas accounts created outside enterprise-managed environments and lacking enforced MFA. This is not a CVE exploitation; it is identity hygiene failure at scale.

Ransom outcome: Instructure stated via its incident page that ShinyHunters returned stolen data and provided "digital confirmation of data destruction (shred logs)" covering all impacted customers. The forensic value of this attestation is zero — cryptographic shred logs from a criminal actor cannot be independently verified. Treat all exposed data as still in circulation.

Regulatory gap (analytical assessment): The Department of Education's May 12 Technology Security Alert addresses institutional response guidance but does not establish vendor accountability requirements or address whether federally funded institutions may maintain vendor relationships with confirmed ransom-paying suppliers holding student PII. This gap is an analytical assessment based on the text of the FSA Partners advisory and the absence of any current federal regulation prohibiting such vendor relationships; it is not sourced to a specific regulatory analysis document.

English coverage verification: BleepingComputer, SecurityWeek, and The Hacker News (https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html) have all covered the ransom confirmation. Not [First in English].

Immediate actions for affected institutions:

  1. Rotate Canvas LTI integrations, SSO connectors, and API keys.
  2. Review authentication and integration logs for unusual access between April 25 and May 8, 2026.
  3. Enforce MFA on all Canvas accounts including Free-For-Teacher and external integrations.
  4. Brief staff on incoming spear-phishing using authentic course names, advisor names, and student circumstances — the highest-probability post-breach threat vector given the specificity of the exposed data.

(High confidence on breach facts and ransom payment — Instructure direct statement, DoE advisory, multiple English outlets; Low confidence on data destruction — criminal-actor attestation with no forensic verification path; Moderate confidence on breach scope figures — ShinyHunters' own claim, reported by multiple outlets but not independently verified)

Story 5 — [CVE-2025-48384](https://blacklensintelligence.com/cve-2025-48384/): Git CLI Arbitrary File Write / RCE, Public PoC Active, Developer Environments at Risk

[DIRECTLY ACTIONABLE — PUBLIC PoC AVAILABLE; PATCH REQUIRED]

This story covers the only weaponized-code signal in the past 24 hours identified by the grounded prefetch. The coverage directive requires inclusion of new CVEs with CVSS 9.0+ or a public PoC. CVE-2025-48384 carries CVSS 8.1, below the 9.0 threshold, but the prefetch flags it as the sole public PoC release in the past 24 hours, and the directive's category (4) covers public PoC regardless of CVSS when no higher-scoring item is available. Inclusion is warranted.

Original disclosure: Recent (exact first-public-disclosure date not confirmed in available sources; PoC validated and publicly available as of May 12–13, 2026 per cybersecuritynews.com reporting and researcher Matt Muir). New development justifying inclusion: Public proof-of-concept exploits validated for arbitrary file writes were released or prominently aggregated within the past 24 hours per the grounded prefetch.

Vulnerability: CVE-2025-48384 affects Git CLI on Linux and macOS (versions prior to v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, v2.50.1) and GitHub Desktop on macOS. Git strips a trailing carriage return when it reads a config value but does not quote the value when it writes it back, so a submodule path in a malicious .gitmodules that ends in CR is recorded differently from how it is later read. Combined with a symlink committed in the same repository, the submodule's contents can be written to an attacker-chosen location such as .git/hooks during git clone --recursive, and a planted hook then executes on the victim's machine. The outcome is arbitrary file write leading to remote code execution. CVSS: 8.1.
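The ingredients of that chain (a control character in a .gitmodules value, a path that escapes the worktree or targets .git, a path routed through a committed symlink) can be screened for before `git submodule update` runs on an untrusted clone. The scanner below is an added example, not Git project code, and its sample .gitmodules and symlink list are constructed for illustration rather than taken from the public PoC. It is defence in depth for hosts that cannot be patched immediately; the fix is the patched Git.

```python
"""Added example, not Git project code: a pre-checkout scanner for .gitmodules
that flags the ingredients of the CVE-2025-48384 chain: a value carrying a
carriage return (Git strips a trailing CR when reading config but does not
quote it when writing, so the recorded and re-read submodule paths differ),
a path that escapes the worktree or targets a .git directory, and a path whose
leading component is a symlink committed in the same repository. The sample
.gitmodules text and symlink list are constructed for this example and are
not the public PoC. Scanning is defence in depth; the fix is the patched Git.
"""
from __future__ import annotations

import re

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KV_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(text: str) -> dict[str, dict[str, str]]:
    """Minimal git-config parser for .gitmodules.

    Splits on '\\n' only and strips only spaces and tabs: a '\\r' before the
    newline must survive into the value because it is exactly the indicator
    we are looking for. str.splitlines() or a bare strip() would erase it.
    """
    modules: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.split("\n"):
        line = raw.strip(" \t")
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group("key").lower()] = m.group("value")
    return modules


def scan_gitmodules(text: str, repo_symlinks: frozenset[str] = frozenset()) -> list[str]:
    """Return findings; an empty list means no CVE-2025-48384 ingredients were seen.

    repo_symlinks: worktree-relative paths of symlinks in the same commit
    (for example from `git ls-files -s` entries with mode 120000).
    """
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        for key, value in cfg.items():
            ctrl = [hex(ord(c)) for c in value if ord(c) < 0x20]
            if ctrl:
                findings.append(f"{name}: {key} contains control character(s) {ctrl}")
        path = cfg.get("path", "").rstrip("\r")
        if not path:
            continue
        parts = path.replace("\\", "/").split("/")
        if path.startswith("/") or ".." in parts:
            findings.append(f"{name}: path {path!r} escapes the worktree")
        if ".git" in parts:
            findings.append(f"{name}: path {path!r} targets a .git directory")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in repo_symlinks:
                findings.append(f"{name}: path {path!r} passes through symlink {prefix!r}")
                break
    return findings


# Constructed sample: one benign submodule and one shaped like the attack pattern.
SAMPLE_GITMODULES = (
    '[submodule "docs"]\n'
    '\tpath = docs\n'
    '\turl = https://example.invalid/docs.git\n'
    '[submodule "payload"]\n'
    '\tpath = x/hooks\r\n'
    '\turl = https://example.invalid/payload.git\n'
)
# Constructed: the same commit contains a symlink named x.
SAMPLE_SYMLINKS = frozenset({"x"})

if __name__ == "__main__":
    for f in scan_gitmodules(SAMPLE_GITMODULES, SAMPLE_SYMLINKS):
        print("FINDING:", f)
```

The parser detail matters more than it looks: most config readers, and Python's own splitlines(), treat a bare CR as a line terminator and would hide the very byte the exploit depends on, which is why the scanner splits on LF alone and strips only spaces and tabs.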

CVSS-EPSS treatment (CVSS 8.1, EPSS not confirmed): Per directive requirements for CVEs with CVSS ≥ 9.0 and EPSS < 0.10, explicit exploitation prerequisites are required. CVE-2025-48384 is below the 9.0 threshold but the same transparency standard is applied: Exploitation prerequisites are non-trivial. The attacker must control or influence a Git repository that the victim clones with the --recursive flag. In practice, this requires social engineering (e.g., a README or CI configuration prompting a recursive clone of a malicious or attacker-controlled repository). There is no unauthenticated network-reachable attack path; the victim must actively clone the malicious repository. This distinguishes CVE-2025-48384 from the unauthenticated network-reachable flaws in Stories 1 and 2. One important exception: CI systems that automatically clone untrusted repositories with submodules enabled (for example, pull-request builds that run git submodule update --init --recursive on fork code) supply the trigger themselves, so for them the prerequisite is an attacker who can open a pull request, not social engineering of a human.

PoC status: Working proof-of-concept exploits are publicly available and validated for /tmp writes per cybersecuritynews.com reporting and researcher Matt Muir. The PoC has been aggregated in public GitHub repositories (trickest/cve, nomi-sec/PoC-in-GitHub). No Metasploit module, GreyNoise mass-scanning detection, or Shodan mass-exposure event has been observed as of publication. The absence of mass-scanning signals reflects the social-engineering prerequisite, not low risk in targeted developer or CI environments.

Affected versions and patches:

| Branch | Vulnerable | Fixed |
|---|---|---|
| 2.43.x | < 2.43.7 | 2.43.7 |
| 2.44.x | < 2.44.4 | 2.44.4 |
| 2.45.x | < 2.45.4 | 2.45.4 |
| 2.46.x | < 2.46.4 | 2.46.4 |
| 2.47.x | < 2.47.3 | 2.47.3 |
| 2.48.x | < 2.48.2 | 2.48.2 |
| 2.49.x | < 2.49.1 | 2.49.1 |
| 2.50.x | < 2.50.1 | 2.50.1 |
| GitHub Desktop (macOS) | Affected | Patch per GitHub Desktop release notes |

Immediate actions:

  1. Update Git CLI to the fixed version for your branch on all developer workstations, CI runners, and build servers; confirm with git --version, and treat 2.42.x and older (no patched release) as requiring an upgrade to a supported branch.
  2. Update GitHub Desktop on macOS.
  3. Audit CI pipeline configurations for anything that initialises submodules from external or untrusted repositories: git clone --recursive (alias --recurse-submodules), git submodule update --init, and checkout actions with submodule fetching enabled (for example the submodules: recursive input of actions/checkout).
  4. Until patched, clone untrusted repositories without --recursive, inspect .gitmodules for submodule paths ending in a carriage return, and only then run git submodule update --init.
  5. Treat any host that executed a recursive clone or submodule init against an untrusted repository since the PoC became public as potentially compromised: check for unexpected files in /tmp, and look for executable hooks other than Git's own .sample stubs in .git/hooks and .git/modules/*/hooks of every recent clone.
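A pre-flight script that implements the version check, the CI audit and the .gitmodules inspection from the list above, added here as an example rather than code from the Git project, the brief's sources, or the cited researchers. It compares a git --version string against the patch table, parses a .gitmodules file looking for the carriage-return primitive (and for path traversal, equally unwelcome in a submodule path), and scans a CI config for the directives that would initialise submodules. The .gitmodules and workflow texts are constructed samples; the actions/checkout submodules: pattern, and the treatment of 2.42.x and older as unpatched and of 2.51 and later as fixed, are assumptions made here rather than statements from the brief.

```python
"""Pre-flight checks for CVE-2025-48384 before initialising submodules.

Added example (not Git project code). Three checks from the actions above:
  is_git_vulnerable()        -- `git --version` output vs the patch table
  suspicious_submodules()    -- .gitmodules paths with CR/control bytes
                                or path traversal
  recursive_checkout_lines() -- CI config lines that would recurse
All sample inputs below are constructed; nothing touches the network.
"""
import re

# Fixed release per maintenance branch, from the patch table in this story.
FIXED = {
    (2, 43): (2, 43, 7), (2, 44): (2, 44, 4), (2, 45): (2, 45, 4),
    (2, 46): (2, 46, 4), (2, 47): (2, 47, 3), (2, 48): (2, 48, 2),
    (2, 49): (2, 49, 1), (2, 50): (2, 50, 1),
}
OLDEST_PATCHED_BRANCH = (2, 43)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Git only strips a trailing CR/LF, but no C0 control byte belongs in a path.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
SECTION_RE = re.compile(r'\[submodule "([^"]+)"\]')
# Assumption: plain git invocations plus the `submodules:` input of
# actions/checkout cover how the pipelines in scope initialise submodules.
RECURSIVE_RE = re.compile(
    r"--recursive\b|--recurse-submodules|submodule update\b.*--init"
    r"|^\s*submodules:\s*(true|recursive)\b")


def parse_git_version(text):
    """'git version 2.47.2 (Apple Git-154)' -> (2, 47, 2)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_git_vulnerable(version_text):
    """True when the Git named in version_text predates its branch's fix."""
    version = parse_git_version(version_text)
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    if branch < OLDEST_PATCHED_BRANCH:
        return True   # assumption: no patched release on 2.42.x and older
    return False      # assumption: 2.51 and later were cut after the fix


def parse_gitmodules(text):
    """{name: {key: raw_value}}, keeping any trailing CR inside values.
    Split on LF only: str.splitlines() also breaks on a bare CR and would
    silently discard exactly the byte this check is looking for."""
    modules, current = {}, None
    for line in text.split("\n"):
        line = line.strip(" \t")
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            modules[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        modules[current][key.strip()] = value.lstrip(" \t")  # keep the tail
    return modules


def suspicious_submodules(text):
    """[(name, reasons)] for entries that should block submodule init."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        path = cfg.get("path", "")
        reasons = []
        if CONTROL_RE.search(name) or CONTROL_RE.search(path):
            reasons.append("control character in name or path")
        if ".." in path.replace("\\", "/").split("/"):
            reasons.append("path traversal")
        if reasons:
            findings.append((name, reasons))
    return findings


def recursive_checkout_lines(ci_text):
    """1-based line numbers in a CI config that clone or init submodules."""
    return [n for n, line in enumerate(ci_text.split("\n"), 1)
            if RECURSIVE_RE.search(line)]


# Constructed sample: one benign entry, one carrying the trailing CR.
SAMPLE_GITMODULES = (
    '[submodule "vendor/lib"]\n'
    '\tpath = vendor/lib\n'
    '\turl = https://example.invalid/lib.git\n'
    '[submodule "evil"]\n'
    '\tpath = evil\r\n'   # CR before LF: the CVE-2025-48384 primitive
    '\turl = https://example.invalid/evil.git\n'
)

# Constructed sample workflow fragment in GitHub Actions syntax.
SAMPLE_CI = (
    "steps:\n"
    "  - uses: actions/checkout@v4\n"
    "    with:\n"
    "      submodules: recursive\n"
    "  - run: git submodule update --init --recursive\n"
)
```

On a real host, feed the output of subprocess.run(["git", "--version"], capture_output=True, text=True).stdout to is_git_vulnerable(), and run suspicious_submodules() on the .gitmodules of a non-recursive clone before calling git submodule update --init. A clean .gitmodules does not prove the tree is safe, since the symlink half of the technique lives in the tree rather than in the config, so the version check remains the primary control and the parser is a secondary gate for hosts that cannot be patched yet.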

(High confidence on PoC availability: grounded prefetch, cybersecuritynews.com reporting, and researcher attribution. Moderate confidence on weaponization risk in targeted environments: the social-engineering prerequisite limits mass exploitation but not targeted attacks on developers and CI. The exact first-public-disclosure date is unconfirmed. The [Unverified - possible English-language exclusive] flag is not applied, since cybersecuritynews.com is an English-language outlet.)

Cross-Story Patterns

The four stories in this cycle, together with the Fortinet flaws referenced in Intelligence Gaps below, share a common failure mode: privileged access surfaces reached without authentication or with stolen identity material. CVE-2026-0300 is unauthenticated portal RCE. The Shai-Hulud worm forges npm publish identity via OIDC tokens. Instructure was breached through MFA-free Free-For-Teacher accounts. The Fortinet flaws permit unauthenticated command execution on identity and sandbox appliances. CVE-2025-48384 abuses Git's inconsistent handling of carriage returns in repository-supplied submodule configuration to steer a checkout into the hooks directory, running attacker-supplied code that Git would otherwise never execute from a cloned repository. No novel memory-corruption research, no zero-click client-side exploitation, and no firmware-level compromise is represented in this 48-hour window. The exploitation economy is operating against the weakest configured access control in each environment.

Intelligence Gaps and Collection Requirements

Gap 1 — CL-STA-1132 persistence survivability: Whether CL-STA-1132 has established persistence on PAN-OS devices that survives patching is unknown. Discovery would convert the patch story into a forensic-recovery story for potentially hundreds of affected organizations. Collection requirement: Unit 42 and Mandiant incident response telemetry on post-compromise PAN-OS device state; CISA emergency directive follow-up reporting.

Gap 2 — Shai-Hulud propagation boundary: Whether the worm's self-propagation has reached maintainer accounts not yet visible to public trackers is unknown. Discovery would expand the multi-ecosystem scope materially and potentially implicate Composer or other ecosystems not currently confirmed. Collection requirement: npm registry audit logs; GitHub security team disclosure; Socket and Aikido tracker updates after May 13 09:00 UTC.

Gap 3 — Instructure forensic scope: No independent forensic firm has publicly confirmed or denied ShinyHunters' claimed exfiltration figures (3.65 TB, 275 million users, 8,809 institutions). The actual scope of data in circulation is unknown. Collection requirement: Instructure's contracted forensic firm (not yet publicly named) disclosure; state AG notifications under applicable breach notification laws.

Gap 4 — CVE-2026-6973 Ivanti EPMM active exploitation scope: The KEV addition confirms exploitation in the wild, but the specific sectors, victim count, and actor-specific TTPs for the MuddyWater/UNC5221/Kimsuky attributions are not confirmed in available open-source reporting for this specific CVE. Collection requirement: Mandiant, CrowdStrike, and CISA incident response reporting; Ivanti PSIRT updates.

Gap 5 — CVE-2026-42208 LiteLLM exploitation context: The KEV addition confirms exploitation, but no public technical analysis of the exploitation method, victim profile, or actor TTPs for CL-STA-1132/UNC6780 in the LiteLLM context is available. Collection requirement: BerriAI security advisory; CISA technical analysis; Tier 2 vendor reporting.

Gap 6 — CVE-2025-48384 first-public-disclosure date: The exact original disclosure date for CVE-2025-48384 is not confirmed in available sources. This affects the 7-day staleness assessment. Collection requirement: NVD entry; Git project security advisory; researcher Matt Muir's original disclosure post.

Gap 7 — Fortinet CVE-2026-44277 and CVE-2026-26083 exploitation status: Both Fortinet CVEs (CVSS 9.1 each, disclosed May 12) are assessed as not yet exploited per vendor advisories, but no independent third-party corroboration exists. Given Fortinet's historical exploitation pattern — multiple FortiOS and FortiManager flaws weaponized within days of disclosure in 2024 and 2025 (see, e.g., CVE-2024-21762, CVE-2023-27997 as documented by CISA and Mandiant) — the 14-day weaponization horizon is a pattern-based extrapolation, not a confirmed assessment. Collection requirement: Horizon3.ai, Defused Cyber, and GreyNoise scanning telemetry; CISA KEV monitoring for these CVEs.

What to Watch

  • Shai-Hulud propagation survival: If new TanStack- or Mistral-adjacent maintainer packages appear with publication timestamps after May 13 09:00 UTC, the worm's self-propagation logic survived the npm registry's initial purge — escalate to ecosystem-wide CI lockdown.
  • CL-STA-1132 victim sector disclosure: If Mandiant or Unit 42 publishes specific victim sectors for CL-STA-1132 PAN-OS exploitation in the next 72 hours, attribution confidence on the Chinese-state nexus moves from Moderate to High and the incident scope expands materially.
  • Education-sector ransom precedent: If a second education-sector victim publicly confirms ransom payment within 30 days, the Instructure precedent has measurably altered ransomware negotiation behavior in the sector.
  • Fortinet KEV escalation: If CVE-2026-44277 or CVE-2026-26083 appears in the CISA KEV catalog, the no-exploitation window has closed — apply patches immediately and treat any internet-reachable FortiAuthenticator or FortiSandbox instance as potentially compromised.
  • CVE-2025-48384 emergence at scale: because the flaw is triggered on the cloning client, network scanners such as GreyNoise and Shodan will not see it. The indicator to watch is malicious .gitmodules entries with carriage-return submodule paths appearing in public repositories, dependency install scripts, or shared CI templates, as reported by supply-chain trackers (Socket, Aikido) or GitHub. If that appears, the social-engineering prerequisite has been operationalized at scale; escalate to emergency patch posture for all developer workstations and CI runners.
  • Ivanti EPMM CVE-2026-6973 actor confirmation: If Mandiant, CrowdStrike, or CISA publishes actor-specific TTPs confirming MuddyWater, UNC5221, or Kimsuky exploitation of CVE-2026-6973 in the current cycle, the multi-actor attribution at 50% confidence each requires reassessment.

Confidence Note

High confidence:

  • CVE-2026-0300 vendor-confirmed exploitation and CISA KEV listing (Palo Alto Unit 42 PSIRT, Rapid7 ETR, Wiz Research independent analysis).
  • Shai-Hulud TanStack scope of 84 versions across 42 packages (TanStack first-party postmortem with timestamps — note: unverified by independent third party; see epistemic flag in Story 3).
  • Instructure ransom payment and Department of Education May 12 advisory (Instructure direct statement, FSA Partners advisory, BleepingComputer, SecurityWeek, The Hacker News).
  • Fortinet CVE-2026-44277 and CVE-2026-26083 technical details (vendor PSIRT, CWE assignments, CVSS scoring — single source, Fortinet PSIRT only).
  • CVE-2025-48384 public PoC availability (grounded prefetch, cybersecuritynews.com, researcher Matt Muir).

Moderate confidence:

  • CL-STA-1132 China-nexus assessment — tool overlap (EarthWorm, ReverseSocks5) only; both are widely shared open-source tools; no signals or HUMINT corroboration.
  • Shai-Hulud broader totals (Aikido 373 / Endor 160+ / Socket 416) — non-comparable methodologies, counts still moving at publication.
  • CVE-2026-6973 and CVE-2026-42208 actor attributions — graph-derived at 50% confidence each; not confirmed by primary incident response reporting for these specific CVEs.
  • Instructure breach scope figures (3.65 TB, 275M users, 8,809 institutions, 330 portals) — ShinyHunters' own claim, reported by multiple outlets but not independently verified by forensic firm.

Low confidence / unverified:

  • TeamPCP attribution for Shai-Hulud — single source (BleepingComputer), not in verified actor profiles, no country attribution.
  • Instructure "data destruction shred logs" attestation — criminal-actor cryptographic claim with no forensic verification path.
  • Fortinet 14-day weaponization horizon — pattern-based extrapolation from historical Fortinet exploitation cadence, not from current observed activity.
  • CVE-2025-48384 first-public-disclosure date — not confirmed in available sources.

Sourcing gaps flagged:

  • SOC Prime, Beazley Security, and Arctic Wolf corroboration of CVE-2026-0300 exploitation — referenced in secondary reporting but not independently cited in this brief's reference list.
  • EPSS figures for CVE-2026-0300 — divergent values reported across platforms; specific platform citations not available at publication.

Red Team

Challenge 1 — Is the Shai-Hulud "mini" wave actually a new incident or a continuation of a prior campaign? The "mini" descriptor and the Shai-Hulud campaign name suggest this is a recurrence. If the May 11 TanStack wave is a continuation of a campaign first disclosed more than 7 days ago, the brief's framing as a new 48-hour event may be misleading. The TanStack postmortem treats May 11 as a discrete new attack; however, if the broader Shai-Hulud campaign predates the 48-hour window, the "new development" justification should be the May 11 TanStack-specific wave, not the campaign itself. The brief's framing is defensible but should be read with this caveat.

Challenge 2 — CL-STA-1132 China-nexus attribution may be analytically convenient. EarthWorm and ReverseSocks5 are open-source tools with documented use by multiple actor clusters. The Unit 42 attribution to a China-nexus cluster based on tool overlap, without signals or HUMINT, is the kind of attribution that has historically been revised when additional evidence emerges. Analysts should maintain the Moderate confidence ceiling and not treat this as confirmed Chinese state activity for policy purposes.

Challenge 3 — The Instructure ransom payment precedent claim may be overstated. ShinyHunters has received ransoms before; the education-sector precedent argument assumes this payment is uniquely visible or influential to other ransomware operators. If ShinyHunters routinely receives payments that are not publicly disclosed, the Instructure case may not be as precedent-setting as framed — it may simply be the first publicly confirmed payment in this sector, not the first payment.

Challenge 4 — CVE-2025-48384 inclusion may inflate the brief's actionability signal. The flaw requires social engineering to trigger a recursive clone of a malicious repository. In most enterprise environments, CI pipelines clone from controlled internal mirrors, not arbitrary external repositories. The risk is real for open-source developers and researchers but may be overstated for enterprises with controlled source mirrors. Two caveats temper the challenge: a mirror reduces exposure only if what it mirrors is vetted, since a mirror that syncs upstream automatically forwards a malicious .gitmodules unchanged, and developer workstations routinely clone third-party code outside any pipeline. The brief's inclusion is justified by the directive's PoC coverage requirement, but CISOs of enterprises with controlled, reviewed source mirrors should weight this lower than the unauthenticated network-reachable flaws in Stories 1 and 2.

Challenge 5 — The "no novel exploitation research" cross-story pattern may create false comfort. The observation that all four incidents involve access control failures rather than novel memory corruption is analytically accurate but could be read as minimizing. Access control failures at scale — unauthenticated RCE on perimeter firewalls, self-propagating supply-chain worms, MFA-free accounts at 8,809 institutions — are not less dangerous because they are structurally simple. The pattern observation is useful for prioritization but should not be read as a severity downgrade.

Named Actors

Threat Actors:

  • CL-STA-1132 — state-sponsored cluster (China-nexus, Moderate confidence; tool overlap only, no signals or HUMINT) — primary attribution for CVE-2026-0300 PAN-OS exploitation per Palo Alto Unit 42. Also linked to CVE-2026-42208 (LiteLLM) in the intel graph.
  • ShinyHunters — criminal extortion group — claimed responsibility for Instructure Canvas breach; received ransom payment. Linked to CVE-2026-0300 at 50% confidence in historical graph (assessed as stale relative to current campaign).
  • TeamPCP — campaign attribution for Shai-Hulud npm/PyPI worm (single source — BleepingComputer; not in verified actor profiles; no country attribution).
  • MuddyWater (Iran, nation-state; also known as Earth Vetala, MERCURY, Static Kitten) — linked to CVE-2026-6973 (Ivanti EPMM) at 50% confidence per intel graph.
  • Kimsuky (DPRK, nation-state; also known as Black Banshee, Velvet Chollima, Emerald Sleet) — linked to CVE-2026-6973 (Ivanti EPMM) at 50% confidence per intel graph.
  • UNC5221 (China, nation-state) — linked to CVE-2026-6973 (Ivanti EPMM) at 50% confidence per intel graph.
  • UNC6780 (unknown; no country attribution confirmed) — linked to CVE-2026-42208 (BerriAI LiteLLM) in intel graph.

Organizations:

  • Palo Alto Networks Unit 42 — published CL-STA-1132 attribution and post-exploit toolset analysis for CVE-2026-0300.
  • Fortinet PSIRT — published advisories FG-IR-26-128 (CVE-2026-44277) and FG-IR-26-136 (CVE-2026-26083) on May 12.
  • Aikido Security Malware Team — tracked 373 malicious package-version entries across 169 npm names in Shai-Hulud campaign.
  • Endor Labs — reported 160+ compromised npm package names in Shai-Hulud campaign.
  • Socket — tracked 416 compromised artifacts across npm and PyPI in Shai-Hulud campaign.
  • NHS England Digital — issued Cyber Alert CC-4781 with specific confirmed package IOCs for Shai-Hulud.
  • TanStack — published first-party postmortem confirming 84 malicious versions across 42 packages.
  • Instructure — Canvas LMS vendor; confirmed breach and ransom payment to ShinyHunters.
  • U.S. Department of Education / Federal Student Aid Partners — issued May 12 Technology Security Alert on Canvas incident.
  • Rapid7 — published independent ETR corroborating CVE-2026-0300 exploitation.
  • Wiz Research — published independent technical analysis confirming CVE-2026-0300 in-the-wild exploitation.
  • Mandiant / Belgian Centre for Cyber Security / Dutch NCSC — corroborating advisories on Ivanti EPMM nation-state exploitation (prior cycles; referenced for context).

References

  1. Palo Alto Networks PSIRT. (2026, May 6; updated May 7). CVE-2026-0300 PAN-OS: Unauthenticated user initiated buffer overflow vulnerability in User-ID Authentication Portal. Retrieved from https://security.paloaltonetworks.com/CVE-2026-0300
  2. Cybersecurity and Infrastructure Security Agency. (2026, May 6–8). Known exploited vulnerabilities catalog: CVE-2026-0300, CVE-2026-6973, and CVE-2026-42208. Retrieved from https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  3. Rapid7. (2026, May). ETR: Critical buffer overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal CVE-2026-0300. Retrieved from https://www.rapid7.com/blog/post/etr-critical-buffer-overflow-in-palo-alto-networks-pan-os-user-id-authentication-portal-cve-2026-0300/
  4. Wiz Research. (2026, May 6). Critical buffer overflow vulnerability in PAN-OS exploited in-the-wild (CVE-2026-0300). Retrieved from https://www.wiz.io/blog/critical-vulnerability-in-pan-os-exploited-in-the-wild-cve-2026-0300
  5. TanStack. (2026, May 11). npm supply chain compromise postmortem. Retrieved from https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
  6. Aikido Security. (2026, May 12). Mini Shai-Hulud is back: TanStack compromised. Retrieved from https://www.aikido.dev/blog/mini-shai-hulud-is-back-tanstack-compromised
  7. BleepingComputer. (2026, May 12). Shai-Hulud attack ships signed malicious TanStack, Mistral npm packages. Retrieved from https://www.bleepingcomputer.com/news/security/shai-hulud-attack-ships-signed-malicious-tanstack-mistral-npm-packages/
  8. NHS England Cyber Alert CC-4781. (2026, May 12). Shai-Hulud npm/PyPI compromise. Retrieved from https://digital.nhs.uk/cyber-alerts/2026/cc-4781
  9. Instructure. (2026, May 11–12). Incident update. Retrieved from https://www.instructure.com/incident_update
  10. U.S. Department of Education / FSA Partners. (2026, May 12). Technology security alert: Ongoing cybersecurity incident involving Canvas learning management system. Retrieved from https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2026-05-12/technology-security-alert-ongoing-cybersecurity-incident-involving-canvas-learning-management-system
  11. The Hacker News. (2026, May 12). Instructure reaches ransom agreement. Retrieved from https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html
  12. Inside Higher Ed. (2026, May 11). Instructure pays ransom to Canvas hackers. Retrieved from https://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/11/instructure-pays-ransom-canvas-hackers
  13. Fortinet PSIRT FG-IR-26-128. (2026, May 12). FortiAuthenticator — improper access control (CVE-2026-44277). Retrieved from https://fortiguard.fortinet.com/psirt/FG-IR-26-128
  14. Fortinet PSIRT FG-IR-26-136. (2026, May 12). FortiSandbox — missing authorization (CVE-2026-26083). Retrieved from https://fortiguard.com/psirt/FG-IR-26-136
  15. BleepingComputer. (2026, May 12). Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator. Retrieved from https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/
  16. BerriAI LiteLLM Security Advisory. (n.d.). CVE-2026-42208. Retrieved from https://github.com/BerriAI/litellm/security/advisories
  17. Cybersecurity and Infrastructure Security Agency. (n.d.). CVE-2024-21762 (FortiOS SSL VPN) KEV entry. Retrieved from https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  18. Cybersecurity and Infrastructure Security Agency. (n.d.). CVE-2023-27997 (FortiOS/FortiProxy SSL-VPN) KEV entry. Retrieved from https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Black Lens Intelligence • May 13, 2026