EvilBit Threat Digest - Network Edge Pummeled, Supply-Chain Worms Get Better, AI Starts Finding the Bugs

Four things landed on top of each other this cycle and they keep rhyming. The network edge is back to eating critical bugs. The supply-chain worms got measurably better at faking provenance. NIST quietly admitted it can only enrich roughly the top 20% of new CVEs. And on the Microsoft and Palo Alto Networks patch cycles, the bugs being fixed are increasingly the ones AI agents found first.

Cisco SD-WAN and Microsoft Patch Tuesday

Cisco's Catalyst SD-WAN stack got hammered with a CVSS 10.0 authentication bypass that Cisco PSIRT confirms is already seeing limited exploitation in the wild. The flaw (CVE-2026-20182) lets unauthenticated remote attackers spoof peering requests over UDP/12346 against the vdaemon DTLS service, climb straight to high-privileged vmanage-admin access, and start reconfiguring the fabric via NETCONF. The Hacker News tracks the bypass as actively exploited to gain admin access, and defend.network's daily briefing corroborates exploitation in the wild since the start of May. Patches are out; the advisory ships the exact log lines and show control connections checks to hunt for unauthorized logins and challenge-ack:0 peers. If you run on-prem SD-WAN, treat this like the house is on fire. Collect admin-tech bundles before upgrading, and restrict the SD-WAN management plane to trusted segments if you can't patch immediately.

Microsoft's May 2026 Patch Tuesday followed the familiar drumbeat, with a side helping of disagreement on the count. The Hacker News tallies 138 vulnerabilities (30 critical, 104 important); Infosecurity Magazine puts it at 120 CVEs with 17 critical; TechRepublic also lands at 120 / 17 critical / 31 RCEs. The gap usually comes down to whether you include Edge Chromium and republished advisories. The headliners agree across all three: an unauthenticated heap-based buffer overflow RCE in the Windows DNS Client (CVE-2026-41096, CVSS 9.8) and a stack buffer overflow RCE in Netlogon (CVE-2026-41089, CVSS 9.8). The DNS one is particularly tasty for lateral movement once an attacker can spoof responses on your network. Apply the cumulative updates, restrict outbound DNS to trusted resolvers where possible, and watch for child processes spawned from network services. The usual suspects (SharePoint, Office, Hyper-V) round out the list, and nothing in the May tranche was being exploited as a zero-day at release.

AI Is Now Finding the Bugs

SecurityWeek's joint coverage of Microsoft and Palo Alto Networks confirms that AI agents found a measurable slice of this month's Patch Tuesday fixes on both sides. Microsoft's MDASH multi-model agentic security system reports finding 16 of the 137 Patch Tuesday vulnerabilities, including four critical RCEs in Windows networking and authentication. Palo Alto Networks Unit 42's May 2026 update reports that AI-driven scans found 75 vulnerabilities across 130+ of its own products, leading to 26 CVE advisories on the same patch cycle. Unit 42 calls out a probable 3-5 month defender-advantage window before AI-enabled exploit development catches up. CyberScoop's reporting on the AISI and PANW cyber benchmarks lines up: frontier models are solving 32-step attack simulations and discovering real bugs at a rate that breaks every existing benchmark. Bruce Schneier's analysis of Anthropic's withheld Mythos AI is the right calibration: short-term attacker edge, long-term defender advantage if you wire it into your own pipeline.

Synthesia's writeup of their agentic AppSec stack (Semgrep for entry-point mapping plus Haiku, Sonnet, and Opus for vulnerability hunting, deduplication, and validation) is one of the cleaner end-to-end examples of how you actually wire that pipeline together. Sysdig's argument that runtime security is where you actually catch the AI-era zero-days belongs in the same conversation, as does Tenable's piece on agentic AI for cleaning up zombie cloud assets (orphaned IPs, unattached volumes, stale snapshots are the kind of accidental attack surface AI-assisted attackers will find first). For the regulatory side, the UK ICO's five-step plan to counter AI-powered attacks is the first official guidance to read like it was written by someone who has actually faced one.

Supply-Chain Worms Keep Spreading

TeamPCP's Mini Shai-Hulud worm and its Tor-backed cousin are still chewing through npm and PyPI. The latest wave hit 160+ packages including OpenSearch and Mistral AI SDKs, with @tanstack also caught in the blast radius. Beazley's Q1 2026 quarterly threat report puts that wave in context: TeamPCP is industrializing supply-chain compromise with AI-assisted bots, and Trivy is in the confirmed-compromise list alongside the npm and PyPI hits. The payloads steal OIDC tokens, AWS creds, and Vault secrets, then republish trojanized versions with valid Sigstore provenance to keep spreading. The blast radius is no longer hypothetical: OpenAI has now confirmed two employee devices were compromised via the TanStack wave, with limited internal credentials stolen.

Behavioral hunting is your friend here: look for preinstall hooks, .claude/settings.json drops, portable WinPython in %APPDATA%, and unusual environment variable strings across Mac, Linux, and Windows. The detection tiers from Deriv (credential harvest to in-memory eval to LOLBAS to persistence) give you a solid framework, and the top tiers are where the tightest detection cadence pays off.

On the Linux side, Intezer dropped a deep track on OrBit, an evolved fork of the open-source Medusa LD_PRELOAD rootkit. Two distinct lineages have been active since 2022, used by both UNC3886 and the eCrime crew BLOCKADE SPIDER. The usual LD_PRELOAD magic, PAM/SSH credential harvesting, hidden directories, and XOR-obfuscated strings are all present, plus fresh IoCs and YARA ideas. If you run vCenter, Juniper gear, or IoT/VPS fleets, add /etc/ld.so.preload and /lib/libseconf/ to your monitoring list. Red Canary's Linux DFIR primer on cgroups pairs well if your Linux IR muscle is rusty.

Fraud That Hides in Plain Sight

SANS ISC published a solid guest diary tearing apart SEO-poisoned compromised WordPress sites that redirect victims to fake marketplaces harvesting payment cards. The attack chain is depressingly reliable: compromise, SEO, flashy storefront, payment skimmer. The post ships concrete IOC domains, redirectors, and a methodology that defenders can actually use: VirusTotal domain scans, registration-age checks, reverse image searches on the product photos, and healthy skepticism toward deals that look too good. Blue teams can turn those checks into lightweight hunting queries; for analyst awareness training, this is also one of the cleaner case studies in a while.

On the meaner end of the fraud spectrum, Bitdefender catalogs ransomware crews escalating to physical violence threats (the FBI's PSA on "The Com" network: shootings, kidnappings, violence-as-a-service; Semperis says 40-46% of ransomware attacks now include some flavor of physical threat). If your IR playbook still ends at "restore from backup," it's incomplete. Two pieces worth bookmarking for that conversation: Group-IB on what an incident response retainer actually buys you, and the UHSP CISO's first-24-hours framework from a real LockBit response.

NIST NVD Narrows the Enrichment Pipeline

NIST updated its NVD enrichment policy to focus only on CISA KEV entries, federal software, and EO 14028 critical software. That covers roughly 15-20% of new CVEs, which means the old CVSS-and-CPE firehose is drying up. Vulnerability management teams that still lean exclusively on NVD will start seeing gaps. Time to lean harder on EPSS, exploit-in-wild signals, threat actor activity, and commercial enrichment. Audit where your scanners and workflows get their data; the shift was predictable once CVE volume passed the 40k-per-year mark. If you build dashboards or risk scoring on top of NVD's CVSS/CPE data, plan a tabletop on what breaks when those fields stop arriving for the bottom 80% of CVEs.

Federal and Policy Beat

• The Record reports that ODNI has tapped officials to coordinate the response to foreign 2026 election threats, with FMIC restructuring and explicit AI-disinformation framing. If you support election infrastructure or vendors who do, that's the new coordination layer to map.
• Federal agencies (CISA, DoD, DOE, DOS, FBI) released OT-specific Zero Trust guidance in April covering legacy systems, IT/OT convergence, and kinetic-impact threats. If your environment includes ICS or critical infrastructure, that's now the baseline reference.
• Qualys TotalCloud earned FedRAMP High Authorization, sponsored by DEA and aligned to CISA BOD 22-01 (KEV remediation) and BOD 23-01 (asset and vulnerability visibility). Federal teams chasing an ATO get another option; commercial teams get one more compliance benchmark to read against.
• AWS shipped a PQC readiness scanner built on AWS Config that assesses ALB, NLB, and API Gateway TLS policies against a three-tier framework, deployable via SAM and StackSets. If you have a long-tail PQC migration plan, this is what turns it into a dashboard.
• An EU research paper has stirred concerns that the bloc will move toward age verification for VPNs. If you support EU users, get this on your privacy and legal team's radar early.

Quick Hits

• MongoDB patched an out-of-bounds write in time-series collections (CVE-2026-8053) that lets authenticated writers achieve RCE, with a straightforward upgrade path and a corroborating advisory from the Canadian Centre for Cyber Security.
• PraisonAI's auth bypass (CVE-2026-44338, CVSS 7.3) was probed within four hours of disclosure from a single source IP (146.190.133.49); the usual public Flask endpoint and agents.yaml exposure story, patched in v4.6.34. If you run AI agent frameworks reachable from the internet, this is your reminder to put them behind auth before someone reads your config files for you.
• F5 dropped its quarterly batch fixing 51 issues across BIG-IP, BIG-IQ, and NGINX, including a critical NGINX rewrite-module RCE (CVE-2026-42945) and an iControl REST privilege escalation (CVE-2026-41225), so plan a sweep of the appliance fleet before someone weaponizes the rewrite bug against a production proxy.
• GitLab shipped a critical patch for self-managed instances (18.11.3 / 18.10.6 / 18.9.7) covering high-severity XSS (CVSS 8.7) and an unauthenticated DoS, 25 vulns in total per cyberpress, and anyone running self-managed CE or EE should treat this as the urgent upgrade window for May.
• Canon MailSuite stack-based buffer overflow RCE (CVE-2026-32661 / JVN#35567473) is unauthenticated via crafted web requests to the pop3wallpasswd command, with vendor patches already published.
• PAN-OS RCE (CVE-2026-0300, CVSS 9.8) is being actively exploited per The Hacker News' ThreatsDay roundup, the Cyfirma weekly intel report, and Red Piranha's weekly threat intel. Cyfirma also flags BeyondTrust CVE-2026-1731; Red Piranha adds Ivanti CVE-2026-6973 and LiteLLM CVE-2026-42208 (both 9.8).
• Routine appliance and browser updates landed for Apple Safari 26.5, Google Chrome, and HPE on both ArubaOS AOS-8/AOS-10 and Telco Intelligent Assurance 4.2.14, so push them through the normal patch cycle and audit anywhere the bulletins list versions you actually have deployed.

Also Tracking

Items on the radar that didn't earn a full writeup this week:

• Nation-state and APT activity: Microsoft's Kazuar nation-state botnet analysis (Secret Blizzard / FSB Centr 16, modular Kernel/Bridge/Worker architecture with IOCs and ATT&CK mappings), Check Point's Thus Spoke...The Gentlemen (RaaS internals exposed via leak: nine operators, 332+ victims, YARA rule), Dark Reading on Belarus-aligned FrostyNeighbor / Ghostwriter / UNC1151 targeting Polish and Ukrainian government orgs with PicassoLoader and Cobalt Strike, Iranian Seedworm / MuddyWater abusing legitimate Fortemedia and SentinelOne binaries to deploy ChromElevator, Mustang Panda's updated FDMTP v3.2.5.1 .NET RAT in Asia-Pacific, and China-linked Twill Typhoon spoofing Apple and Yahoo login pages with the same modular FDMTP RAT and icloud-cdn.net C2.
• Stealers, loaders, and RATs: Unit 42's Gremlin Stealer evolution with .NET resource obfuscation and WebSocket session hijacking, ReliaQuest on help-desk lures dropping the evolved ModeloRAT via external Microsoft Teams chats (KongTuke, initial access in ~5 minutes), and Luke Acha on Zapdf, a YAPA-family PDF converter that drops a C++ backdoor beaconing to livilev[.]com.
• Breaches and incidents: West Pharmaceutical confirmed data theft and encryption (intrusion detected May 4, global shutdown), Foxconn confirmed a Nitrogen ransomware hit on North American factories with 8TB stolen including Apple/Intel/Google/Dell/Nvidia IP, and the Instructure / ShinyHunters resolution (the prior week's Canvas breach ended with ShinyHunters returning and destroying 275M records under agreement, also covered by Infosecurity Magazine).
• AI-side attacks and tooling: Langflow being actively exploited (CVE-2026-33017, CISA KEV) with NATS-as-C2 to deploy KeyHunter for AWS and AI credential theft, Android's new opt-in Intrusion Logging for sophisticated spyware forensics, and ThreatLocker's how-to for restricting Syncro RMM access via Entra ID Conditional Access (Named Locations, break-glass accounts, MFA enforcement; useful for any MSP relationship).
• Worth bookmarking: JPCERT/CC's TSUBAME Q4 2025 scanning report (stale Japanese DVR/NVR firmware driving Telnet scans), ASEC's April 2026 phishing email trends report (Trojans at 47% of attachments with 30 MD5 IoCs), Sophos's 2026 identity breach costs report via Help Net Security (71% of orgs hit, 67% of ransomware traced to prior identity compromise, $1.64M average recovery cost), and SecurityWeek's argument for DPU-based data-center security as a hedge against the ESXi-style host-agent failure mode.

Closing note: The edge is still the easy way in. The supply chain is no longer something you can trust just because Sigstore says yes. NVD is going to cover less and less of what hits your scanners next year. And AI now sits on both sides of the bug-finding desk, which is going to keep changing the shape of patch cycles for a while. If you are still treating every CVE as equally urgent, the math is not on your side anymore. Stay patched, hunt the behavioral signals, and maybe stop clicking on suspiciously cheap electronics marketplaces.

Hold the lines. The web waits for slack.

~ UncleSp1d3r