ShinyHunters Cripples Canvas in Massive Education Breach; Linux Kernel Hit by 'Dirty Frag' Zero-Day

The Anthropic Mythos AI model, previously a source of market concern, has now demonstrated its capability by discovering 271 new vulnerabilities in Firefox 150 and the decade-old 'CopyFail' Linux LPE (CVE-2026-31431). This influx of AI-discovered flaws is compelling organizations like NIST to re-evaluate vulnerability management, shifting towards a risk-based approach. The May 2026 Patch Tuesday forecast highlights these trends, alongside fixes for 'Bluehammer' related exploits (CVE-2026-33825) and an ASP.NET Core RCE (CVE-2026-40372), underscoring the growing challenge of managing AI-driven vulnerability disclosures.

The SilverFox APT campaign, active since December 2025, has expanded its targeting beyond India and Russia to include organizations in Indonesia and South Africa. New analysis reveals the Python-based ABCDoor backdoor possesses extensive capabilities, including remote command execution, file manipulation, screen streaming, and clipboard data theft. This advanced functionality allows for deeper espionage and data exfiltration, indicating a more potent threat than initially understood. The malware also features self-update mechanisms for persistence and evasion. This update highlights the evolving nature and broader reach of the campaign.

OpenAI has unveiled GPT-5.5-Cyber, an updated specialized AI model for cybersecurity professionals, building on the previous 5.4 version. This iteration is being rolled out in a limited preview to vetted experts focused on critical infrastructure defense and has been previewed with U.S. government stakeholders, including the White House. The model aims to augment human analysts in detecting, analyzing, and patching vulnerabilities and malware. Its strategic importance and potential dual-use nature are highlighted, signaling an intensified AI arms race in cybersecurity and ongoing policy discussions.

Kaspersky researchers have provided new details on the DAEMON Tools supply chain attack, confirming it ran for 27 days, from April 8 to May 5, 2026. The vendor has since released a clean version 12.6, ending the compromise window. The attack, which used digitally signed, trojanized installers, led to global infections, with new victim locations identified in Germany, France, and Spain. Notably, 10% of the identified infections occurred on corporate devices, highlighting a significant enterprise risk. The multi-stage payload included an info stealer, persistent backdoor, and an advanced QUIC-based RAT for high-value targets.

Further analysis of the 'Dirty Frag' Linux kernel zero-day reveals it's an exploit chain involving two vulnerabilities: CVE-2026-43284 (xfrm-ESP/IPsec) and the newly identified CVE-2026-43500 (RxRPC subsystem). A public Proof-of-Concept (PoC) exploit is now available, significantly increasing the immediate threat. Patches are reportedly being rolled out by distributions. Updated mitigation guidance involves blacklisting specific kernel modules: esp4, esp6, and rxrpc, which may impact IPsec VPNs and AFS file systems. The vulnerability affects major distributions including Ubuntu, RHEL, and Fedora.

New reports highlight a critical four-day gap between CISA's May 9 deadline for federal agencies to apply mitigations for CVE-2026-0300 and Palo Alto Networks' expected patch release on May 13. This creates a high-pressure situation for defenders, forcing organizations to rely solely on configuration-based workarounds during this period. Experts anticipate increased exploitation activity during this critical window, emphasizing the urgency for immediate workaround implementation to protect internet-facing PA-Series and VM-Series firewalls.

Further analysis indicates that CVE-2026-32202 is a patch-differential vulnerability, arising from an incomplete Microsoft fix for an earlier zero-day, CVE-2026-21510. APT28 initially exploited CVE-2026-21510 from December 2025. Despite a Microsoft patch in February 2026, APT28 quickly identified its incompleteness, enabling them to continue credential harvesting operations for an additional ten weeks before CVE-2026-32202 was added to CISA's KEV catalog on April 28, 2026. This highlights the threat actor's advanced capabilities in vulnerability analysis and persistence, extending the period of risk for targeted entities.