This Month in Security: May 2026 — PAN-OS Firewall Zero-Day, "Copy Fail" Linux LPE, the TanStack npm Worm, and a Zero-Day-Free Patch Tuesday

This image by IStockPhoto is licensed under IStockPhoto.

‍

May 2026 brought a striking contrast: Microsoft delivered its first zero-day-free Patch Tuesday since June 2024, yet the broader threat landscape was anything but quiet. A state-sponsored zero-day in Palo Alto Networks' PAN-OS firewalls gave unauthenticated attackers root-level code execution on internet-facing perimeter devices before patches were available. A nine-year-old Linux kernel flaw dubbed "Copy Fail" emerged with a deterministic, 732-byte proof-of-concept that works across virtually every major distribution since 2017. And the developer ecosystem absorbed its most sophisticated npm supply chain attack on record, when the "Mini Shai-Hulud" worm, which is attributed to threat group TeamPCP, compromised 42 TanStack packages, spread to Mistral AI, UiPath, and over 160 other repositories, and ultimately reached two OpenAI employee devices. CISA continued its aggressive Known Exploited Vulnerabilities (KEV) catalog expansion, adding the Linux kernel flaw, two Microsoft Defender vulnerabilities, Langflow, Trend Micro Apex One, Daemon Tools, and TanStack entries across multiple updates throughout the month. Rounding out May, a Secure Boot certificate expiration deadline looms on June 26.

‍

‍

Critical Zero-Day Exploits

‍

Threat actors zeroed in on perimeter networking gear and developer infrastructure this month, with exploitation in several cases confirmed before patches were available.

• Palo Alto Networks PAN-OS Captive Portal RCE (CVE-2026-0300): Disclosed on May 6, this CVSS 9.3 buffer overflow in the User-ID Authentication Portal (also known as the Captive Portal) of PAN-OS allows unauthenticated remote attackers to execute arbitrary code with root privileges on internet-facing PA-Series and VM-Series firewalls. No credentials or user interaction are required. Palo Alto confirmed limited exploitation in the wild at disclosure — attributed by Unit 42 to a likely state-sponsored cluster (CL-STA-1132) that had been active for nearly a month before public disclosure. Post-exploitation activity included deployment of publicly available tunneling tools, Active Directory enumeration, and lateral movement. Patches arrived May 13; CISA added CVE-2026-0300 to the KEV catalog the day after disclosure. Prisma Access, Cloud NGFW, and Panorama are unaffected (BleepingComputer, Unit 42, CyberScoop).
• Linux Kernel "Copy Fail" Local Privilege Escalation (CVE-2026-31431): Publicly disclosed April 29, this high-severity (CVSS 7.8) flaw in the Linux kernel's algif_aead cryptographic module had been hiding in production kernels since 2017. By chaining the AF_ALG socket interface with the splice() system call, an unprivileged local attacker can write four controlled bytes into the page cache of any readable file, including setuid binaries like /usr/bin/su, without modifying the on-disk file, yielding deterministic root access. Unlike Dirty Cow or Dirty Pipe, exploitation does not require winning a race condition, and a single 732-byte Python script works reliably across Debian, Ubuntu, RHEL, Fedora, and SUSE. In container environments, the flaw also enables cross-container impacts and Kubernetes node escape. CISA added it to the KEV catalog on May 4 with a federal remediation deadline of May 15. Disable algif_aead as an interim mitigation on unpatched hosts (Help Net Security, Wiz, Microsoft Security Blog, CISA).
• Microsoft Defender Elevation of Privilege (CVE-2026-41091 / CVE-2026-45498): Two An elevation of privilege and a denial of service vulnerability in Defender were added to CISA's KEV catalog on May 20, confirming active exploitation in the wild. Both flaws were patched as part of May's Patch Tuesday release (CISA).

‍

‍

Notable Threats and Incidents

‍

Developer tooling, AI infrastructure, and healthcare again bore the brunt of May's attack activity, while a sophisticated supply chain worm demonstrated how far a single compromised CI pipeline can spread.

• Mini Shai-Hulud / TanStack npm Supply Chain Attack: On May 11, the TeamPCP threat group executed the most technically sophisticated npm supply chain attack on record. By chaining a GitHub Actions "Pwn Request" (unsafe pull_request_target workflow), shared Actions cache poisoning, and runtime OIDC token extraction from runner process memory, attackers published 84 malicious versions across 42 @tanstack/* packages in a six-minute window without ever stealing npm credentials. The malware, CVE-2026-45321, stole AWS, GCP, Kubernetes, Vault, GitHub, SSH, and CI/CD secrets, then self-propagated by republishing the payload to every package the victim maintainer owned. The worm spread to @mistralai/*, @uipath/*, and over 160 additional npm and PyPI packages within hours. Malicious versions were detected and deprecated within 20–26 minutes by researcher ashishkurmi at StepSecurity. On May 22, a related follow-on attack rewrote git tags across multiple laravel-lang/* Composer packages, exfiltrating CI secrets to an attacker-controlled domain. TeamPCP is also linked to the earlier compromise of Aqua Security's Trivy scanner (March 2026) and the Bitwarden CLI npm package (April 2026) (TanStack Blog, Wiz, Snyk, StepSecurity, Orca Security).
• OpenAI Caught in TanStack Worm Fallout: OpenAI disclosed that two employee devices were compromised during the Mini Shai-Hulud campaign, resulting in limited credential exfiltration from internal source code repositories. No customer data, production systems, or deployed software were compromised. The incident occurred during a phased rollout of new supply chain security controls, and the two affected devices had not yet received updated package management protections. OpenAI is rotating signing certificates for several desktop products (OpenAI, The Register).
• Daemon Tools Embedded Malicious Code (CVE-2026-8398): CISA added Daemon Tools Lite to its KEV catalog on May 27 after confirming active exploitation of an embedded malicious code vulnerability with high impact on confidentiality, integrity, and availability. The nature of the inclusion suggests opportunistic credential harvesting from endpoints rather than targeted infrastructure attacks. The federal remediation deadline is May 30 (CISA).
• Grafana Coinbase Cartel Ransomware Attack: Grafana, a widely used open-source observability platform, fell victim to a ransomware attack claimed by the Coinbase Cartel group in May. Given Grafana's ubiquity in enterprise monitoring stacks, the incident underscores the ongoing targeting of developer infrastructure and operational tooling by ransomware operators (SharkStriker).
• NVIDIA GeForce NOW Alliance Partner Breach: ShinyHunters claimed a breach of NVIDIA's GeForce NOW Alliance partner in Armenia, exposing a user database including email addresses, nicknames, usernames, dates of birth, membership details, and 2FA status. The quantity of records affected remains under investigation (SharkStriker).
• ChipSoft Healthcare Platform Attack: Dutch healthcare software provider ChipSoft, whose systems support between 70–80% of Dutch hospitals, suffered a ransomware attack that forced the company to take patient portals and mobile applications offline. Multiple hospital institutions disconnected systems as a precaution, and some experienced service disruptions. The Embargo ransomware group was involved; ChipSoft later stated that stolen data had been destroyed without clarifying whether a ransom was paid (BlackFog).
• Laravel-Lang Composer Supply Chain Compromise: On May 22, an attacker with push access to the Laravel-Lang GitHub organization rewrote every git tag across multiple popular Composer packages within a 15-minute window. Any composer update or fresh install against laravel-lang/http-statuses, laravel-lang/actions, or laravel-lang/attributes pulled a payload that exfiltrated CI secrets to a typosquatted attacker domain. The incident is attributed to the same TeamPCP toolchain behind the TanStack worm (StepSecurity).

‍

‍

Policy and Framework Updates

‍

Federal and industry guidance this month centered on supply chain security controls, AI security readiness gaps, and the looming Secure Boot deadline.

• Secure Boot Certificate Expiration is June 26, 2026: Microsoft's May Patch Tuesday guidance flagged a critical operational deadline: organizations have until June 26, 2026, to validate and renew Secure Boot certificates before the critical certificate expiration. Failure to act before the deadline will cause new downloads and launches of apps signed with previous certificates to be blocked by macOS and Windows security protections on affected systems. Microsoft urged organizations to use the zero-day-free patch window to accelerate this word (Zecurit, Redmond Magazine).
• CISA KEV Catalog Expansion: CISA added vulnerabilities to the KEV catalog multiple times in May including Linux kernel Copy Fail on May 1; Palo Alto CVE-2026-0300 on May 7; Microsoft Defender CVEs (41091, 45498) and several legacy Microsoft CVEs on May 20; Langflow (CVE-2025-34291) and Trend Micro Apex One (CVE-2026-34926) on May 21; and Daemon Tools (CVE-2026-8398) and TanStack (CVE-2026-45321) on May 27. The breadth of affected vendors, which spans network security, AI frameworks, observability tooling, and consumer software, reflects the increasingly heterogeneous attack surface facing enterprise environments (CISA KEV Catalog).
• AI Security Readiness Gaps (Proofpoint): Proofpoint data published in May found that half of organizations with security controls in place experienced incidents anyway, with three concrete gaps emerging: 47% of respondents lack adequate AI security training, 42% report visibility gaps into AI and agent activity, and 41% report governance misalignment across teams. As agentic AI deployments scale from piloting toward production, these organizational gaps are becoming primary attack surface rather than edge cases (Hornetsecurity Monthly Threat Report).

‍

‍

May Patches and Vulnerabilities

‍

• Microsoft Patch Tuesday — First Zero-Day-Free Release Since June 2024: Microsoft addressed approximately 118–138 CVEs (counts vary by methodology across sources) on May 12, marking the first Patch Tuesday since June 2024 without any actively exploited or publicly disclosed zero-days. This breaks a 22-month streak that averaged 3.5 zero-days per month. Sixteen critical-severity vulnerabilities still demand urgent attention. Elevation of privilege flaws again dominated at roughly 48% of the total, with RCE accounting for about 25%. Five months into 2026, Microsoft has already patched over 500 CVEs, putting it on pace to approach the annual record (Tenable, BleepingComputer, SC Media).
• Windows Netlogon Stack Overflow (CVE-2026-41089, CVSS 9.8): A stack-based buffer overflow in Windows Netlogon allows an unauthenticated remote attacker to execute code on domain controllers via a specially crafted network request, with no user interaction required. The flaw is wormable; a compromised domain controller is a compromised domain. Zero Day Initiative's Dustin Childs flagged it as the highest-impact bug requiring immediate patching (The Register, Zero Day Initiative).
• Windows DNS Client Heap Overflow (CVE-2026-41096, CVSS 9.8): A heap-based buffer overflow in the Windows DNS Client enables unauthenticated RCE on any Windows machine reachable by a malicious DNS response. Because the DNS client runs on virtually every Windows endpoint, the attack surface is enormous. An attacker in a man-in-the-middle position or controlling a rogue DNS server could achieve unauthenticated RCE across an enterprise. Also wormable (The Register, Zero Day Initiative).
• Microsoft Dynamics 365 On-Premises RCE (CVE-2026-42898, CVSS 9.9): A code injection vulnerability in Dynamics 365 on-premises that allows any authenticated user to execute code with scope change meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are rare in CVE scoring and indicate elevated blast radius. Prioritize immediately for on-premises Dynamics 365 environments (Zero Day Initiative).
• Microsoft SSO Plugin for Jira & Confluence EoP (CVE-2026-41103, CVSS 9.1): A critical elevation of privilege flaw in the Microsoft Single Sign-On Plugin for Jira and Confluence affecting enterprise collaboration environments broadly integrated with Azure AD (Tenable).
• Microsoft Word Preview Pane RCE (CVE-2026-40361 / 40364 / 40366 / 40367): Four RCE bugs that can be triggered through the Word Preview Pane without opening the document. Users who rely on Outlook or Explorer preview for document triage are exposed without any explicit file launch action (Redmond Magazine).
• SAP S/4HANA SQL Injection (CVE-2026-34260) and SAP Commerce Missing Auth (CVE-2026-34263): SAP's May 2026 Patch Day included two critical CVEs: an SQL injection in SAP Enterprise Search for ABAP and a missing authentication check in SAP Commerce Cloud alongside 13 other vulnerabilities (SC Media).
• Adobe Patch Tuesday: Adobe addressed 52 CVEs across 10 products including Commerce, After Effects, Adobe Connect, Illustrator, Media Encoder, Premiere Pro, Substance 3D Painter and Sampler, Content Authenticity SDK, and Substance 3D Designer. The Adobe Commerce patch (15 bugs) is the priority, followed by Connect (two CVSS 9+ flaws) (Zero Day Initiative).
• Apple Security Updates: Apple shipped unusually large security updates on May 11, resolving 52 CVEs in its most recent iOS update and backporting changes to iOS 15 and iPhone 6s (Computer Weekly).

‍

‍

Key Takeaways for Staying Secure

‍

• Patch PAN-OS and Disable Captive Portal Exposure Immediately: CVE-2026-0300 was exploited by suspected nation-state actors for nearly a month before public disclosure. If your PA-Series or VM-Series firewalls have the User-ID Authentication Portal reachable from untrusted networks, treat those devices as potentially compromised. Apply the May 13 patches, restrict portal access to trusted internal IPs, and audit firewall configurations and credential stores for post-exploitation indicators.
• Patch the Linux Kernel "Copy Fail" on All Affected Hosts: CVE-2026-31431 is deterministic, publicly exploited, and affects virtually every Linux distribution running a kernel from 2017 onward. Prioritize Kubernetes nodes, CI/CD runners, and multi-tenant cloud environments where container escape amplifies the impact. As an interim step, disable the algif_aead kernel module immediately on unpatched hosts, but does not affect dm-crypt/LUKS, kTLS, IPsec, or SSH.
• Treat Developer Environments as a First-Class Attack Surface: The TanStack Mini Shai-Hulud worm compromised 42 npm packages, spread to over 160 repositories, reached OpenAI, and exfiltrated cloud and CI/CD credentials — all without stealing a single npm password. Audit GitHub Actions workflows for unsafe pull_request_target patterns, implement minimum release age policies in package managers, rotate all credentials from any machine that installed @tanstack/* on May 11, and add git-tanstack[.]com, *.getsession.org, and 83.142.209[.]194 to DNS/proxy blocklists.
• Deploy May's Microsoft Patches with Urgency Despite No Zero-Days: The absence of zero-days should not translate to deployment delays. CVE-2026-41089 (Netlogon) and CVE-2026-41096 (DNS Client) are both CVSS 9.8 and wormable — one gives an unauthenticated attacker a compromised domain controller, the other can cascade RCE across every Windows endpoint in range of a malicious DNS response. Patch these in your next emergency maintenance window.
• Act on the June 26 Secure Boot Deadline Now: The Secure Boot certificate expiration on June 26, 2026 is a hard operational deadline, not a patch advisory. Organizations that miss it will find app launches blocked by OS security protections. Use the relative calm of a zero-day-free Patch Tuesday to complete certificate validation and renewal before the window closes.
• Audit AI Frameworks and LLM Tooling in Your Stack: Langflow (CVE-2025-34291) joined the KEV catalog in May, and Proofpoint data confirms that nearly half of organizations lack adequate AI security training and visibility into agent activity. As LLM tooling and agentic workflows proliferate in production, treat AI framework components with the same patching urgency as web-facing infrastructure.
• Harden Healthcare Ransomware Defenses Again: ChipSoft's attack disrupted the majority of Dutch hospital infrastructure and echoes April's healthcare cluster. Validate immutable backups, segment EHR and patient-portal networks from operational infrastructure, and rehearse clinical downtime procedures before the next incident forces an unplanned drill.
• Review Your Security Posture: When needed, reach out to a trusted provider to review your security posture, like Cloud Security Partners. 

‍

‍

About the Author

‍

Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.

‍

Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group and maintains a blog where she breaks down concepts and tools for new security professionals.

‍