CISO Daily Briefing – May 10, 2026

Cloud Security Alliance Intelligence Report

Report Date: May 10, 2026
Intelligence Window: 48 Hours
Topics Identified: 5 Priority Items
Papers Commissioned: 5 Overnight

Executive Summary

This cycle is dominated by Linux and cloud infrastructure threats that demand immediate DevSecOps attention. Dirty Frag (CVE-2026-43284/43500) is an unpatched zero-day delivering deterministic root access on all major Linux distributions — no race condition required, no patch available. Separately, the Quasar Linux RAT is harvesting the full credential set developers use to access package registries and cloud environments, positioning attackers directly upstream of software supply chains.

AI/ML infrastructure has entered the rapid-exploitation era: LiteLLM and LMDeploy vulnerabilities were weaponized within 12–36 hours of disclosure, and a fake OpenAI repository on Hugging Face delivered infostealer malware to developers. On the strategic side, ShinyHunters’ extortion campaign against Instructure/Canvas — disrupting 275 million users across 9,000 institutions during final exams — is the clearest recent demonstration of SaaS concentration risk as a systemic enterprise threat.

Overnight Research Output

1. Dirty Frag: Unpatched Linux Kernel Zero-Day LPE

CRITICAL

Summary: Dirty Frag (CVE-2026-43284, CVE-2026-43500) chains two page-cache write vulnerabilities — one in the xfrm-ESP subsystem and one in RxRPC — to achieve deterministic root escalation across virtually all major Linux distributions. Unlike its predecessors Dirty Pipe and Copy Fail, Dirty Frag requires no race condition, making exploitation reliable and difficult to interrupt via runtime defenses. As of May 9, 2026, no patch is available. Cloud workloads, AI inference servers, and container hosts are immediately at risk; enterprises relying on Linux-based EDR tools may be effectively blind to successful exploitation at the kernel level.

Recommended Actions: Apply available workarounds immediately for internet-exposed Linux hosts. Audit Linux kernel versions across cloud and container environments. Enable Sysdig/eBPF-based runtime detection rules for ESP and RxRPC exploitation patterns. Prioritize patching as soon as kernel updates are released.

Coverage Gap: CSA has general cloud workload hardening guidance but no current research on unpatched Linux kernel privilege escalation at this severity level affecting AI and cloud infrastructure. This research note delivers immediate, actionable mitigation guidance and runtime detection signatures for containerized environments while patches remain unavailable.

2. Quasar Linux RAT: Developer Credential Harvesting

HIGH URGENCY

Summary: The newly disclosed Quasar Linux RAT (QLNX) establishes persistent footholds on developer machines and harvests the credentials that enable downstream software supply chain attacks. The malware extracts npm tokens, PyPI credentials, git credentials, AWS access keys, Kubernetes configs, Docker tokens, HashiCorp Vault tokens, Terraform credentials, GitHub CLI tokens, and .env files — effectively the complete set of secrets a developer needs to poison a package registry or pivot to production cloud infrastructure. Trend Micro attributes the campaign to a threat group systematically targeting DevOps pipelines at scale.

Recommended Actions: Audit developer workstations for QLNX indicators of compromise. Rotate all developer secrets stored in dot-files (.npmrc, .pypirc, .kube/config, .aws/credentials) as a precaution. Enforce hardware security keys for package registry authentication. Review CI/CD pipeline credentials for signs of unauthorized access.
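
An added example (not from the briefing or the cited research) of the dot-file inventory that the rotation step above implies: it checks the four files named in the actions for a plaintext secret and for group/world-accessible permissions, without ever recording a secret value. The marker patterns are assumptions based on each tool's usual file format.

```python
import re
import stat
from pathlib import Path

# Dot-files named in the briefing, each paired with a marker that indicates a
# plaintext secret is stored in it. Marker patterns are assumptions.
TARGETS = {
    # An npm token given as ${ENV_VAR} is a reference, not a stored secret.
    ".npmrc": re.compile(r"_authToken\s*=\s*(?!\$\{)\S+"),
    ".pypirc": re.compile(r"^\s*password\s*[=:]\s*\S+", re.M),
    ".kube/config": re.compile(r"^\s*(token|client-key-data)\s*:\s*\S+", re.M),
    ".aws/credentials": re.compile(r"aws_secret_access_key\s*=\s*\S+", re.I),
}

def inventory(home):
    """Return one finding per credential file present under `home`."""
    findings = []
    for rel, marker in TARGETS.items():
        path = Path(home) / rel
        if not path.is_file():
            continue
        st = path.stat()
        text = path.read_text(errors="replace")
        findings.append({
            "file": rel,
            "has_secret": bool(marker.search(text)),  # flag only, never the value
            "open_perms": bool(st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)),
            "mtime": int(st.st_mtime),  # last write time, to judge the secret's age
        })
    return findings

def rotation_list(findings):
    """Files whose stored secrets should be rotated."""
    return sorted(f["file"] for f in findings if f["has_secret"])

if __name__ == "__main__":
    for finding in inventory(Path.home()):
        print(finding)
```
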

• The Hacker News — “Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise” (May 8, 2026)
• Trend Micro Research — Aliakbar Zahravi & Ahmed Mohamed Ibrahim (primary technical analysis, referenced in THN article)

Coverage Gap: CSA’s existing supply chain security research addresses SBOM, vendor risk, and dependency hygiene but lacks specific guidance on protecting developer endpoint secrets that serve as upstream attack vectors. This research note fills the developer-side gap in supply chain security.

3. AI/ML Infrastructure Under Rapid Attack

HIGH URGENCY

Summary: Three distinct incidents establish that AI/ML-specific infrastructure is now exploited on the same compressed timelines that API and container platforms experienced five years ago. CVE-2026-42208 (SQL injection in LiteLLM’s authentication path) was actively exploited 36 hours after disclosure. CVE-2026-33626 (remote code execution in LMDeploy) was weaponized within 12 hours. On May 9, a fake “OpenAI Privacy Filter” repository on Hugging Face reached the trending list while delivering infostealer malware to developers — confirming that model repositories have entered the phishing supply chain.

Recommended Actions: Implement a vulnerability management program specifically for AI/ML runtime software (LiteLLM, LMDeploy, vLLM, Ollama). Apply patches for CVE-2026-42208 and CVE-2026-33626 immediately. Establish a policy for vetting third-party model repositories before use; treat Hugging Face repos with the same scrutiny as external package dependencies.

Coverage Gap: CSA has no published research on securing AI inference infrastructure or on the security hygiene of AI model repositories. This research note addresses a rapidly growing gap as organizations deploy self-hosted AI infrastructure without corresponding security controls.

4. EU AI Act Compliance: prEN 18286 & ISO 42001 in Practice

GOVERNANCE

Summary: The EU AI Act’s requirements for high-risk AI systems become enforceable in August 2026 — approximately 90 days from now. Most enterprise security teams are only now realizing that compliance requires implementing a full AI management system, not just documentation. The emerging audit standard prEN 18286 (the conformity assessment standard aligned with the EU AI Act) combined with ISO 42001 defines the practical certification path, yet few security programs have mapped their existing controls to these requirements. A practitioner-focused guide to what these standards require operationally — and how they interact with SOC 2, ISO 27001, and NIST AI RMF — does not yet exist in the CSA library. According to a CSA blog post published April 27, 2026, the CSA STAR for AI program and AICM framework provide natural alignment points for organizations beginning this work.

Recommended Actions: Map your current AI system inventory to EU AI Act high-risk categories by June 2026. Conduct a gap assessment against ISO 42001 requirements using CSA’s AICM framework as a starting point. Engage your external auditor now to understand how they will assess prEN 18286 conformity.

• CSA Blog — “Building EU AI Act Compliance with prEN 18286 and ISO 42001” (April 27, 2026)
• NIST — “AI Agent Standards Initiative for Interoperable and Secure Innovation” (February 17, 2026)

Coverage Gap: CSA has published on AI governance broadly and ISO 42001 briefly, but has no implementation-focused whitepaper mapping EU AI Act high-risk system requirements to specific security controls and audit evidence. With the August 2026 deadline approaching, this is a time-sensitive gap.

5. SaaS Concentration Risk: The Canvas Extortion Case

STRATEGIC RISK

Summary: The ShinyHunters extortion campaign against Instructure/Canvas illustrates a structural vulnerability that enterprise risk models routinely underweight: the ability to weaponize SaaS platform concentration against an entire sector simultaneously. A single sustained breach (running for at least eight months, measured from the September 2025 University of Pennsylvania incident to the May 7, 2026 re-compromise documented by Krebs on Security) disrupted coursework for 275 million students and faculty at approximately 9,000 institutions during final exam season. According to BleepingComputer’s coverage, Instructure’s declared “containment” on May 2 was refuted five days later when the attacker re-defaced Canvas login pages. The incident exposes a core structural problem: a single vendor’s security posture becomes the effective security ceiling for thousands of dependent organizations that have no practical alternative and limited vendor visibility.

Recommended Actions: Assess your organization’s SaaS concentration risk — identify any single vendor whose breach would disrupt core operations for more than 48 hours. Demand SOC 2 Type II reports and penetration test summaries from tier-1 SaaS vendors. Develop contingency playbooks for scenarios where a mission-critical SaaS platform becomes unavailable for 7+ days.

Coverage Gap: CSA has substantial research on third-party risk management and cloud shared responsibility, but lacks strategic risk analysis of SaaS concentration as a systemic enterprise vulnerability. The Canvas incident provides a concrete, sector-disrupting case study to anchor guidance on SaaS vendor risk due diligence and contingency planning.

Notable News & Signals

PamDOORa: PAM-Based Linux Backdoor on Criminal Forums

A post-exploitation tool exploiting Linux PAM (Pluggable Authentication Modules) is being sold on Russian criminal forums. Lower priority than Dirty Frag — PamDOORa requires existing system access — but signals continued attacker investment in Linux persistence mechanisms for cloud environments.

Source: Security intelligence feeds — lower priority given Dirty Frag remains unpatched

Ivanti EPMM CVE-2026-6973 Actively Exploited

Another actively exploited Ivanti RCE vulnerability (CVE-2026-6973 in Endpoint Manager Mobile). A recurring category well-covered by CISA KEV guidance. Patch immediately if EPMM is in your environment; limited new CSA research value beyond patch-now messaging.

ClickFix VidarStealer Campaign (ACSC Warning)

Australia’s ACSC issued a warning about ClickFix social engineering campaigns delivering VidarStealer malware. Well-understood technique; no novel AI-security angle. Reinforce user awareness training for ClickFix/CAPTCHA-style lure pages.

Source: Australian Cyber Security Centre (ACSC) advisory

Topics Already Covered — No New Action Required

  • PAN-OS CVE-2026-0300 RCE: Covered by CSA Research Note published May 8, 2026.
  • TCLBanker Banking Trojan / AI Tool Trojanization: Covered by CSA Research Note published May 8, 2026.
  • GPU Rowhammer AI Infrastructure Attacks: Covered by CSA White Paper published May 8, 2026.
  • DPRK IT Worker AI Insider Threat / North Korean Laptop Farms: Covered by CSA White Paper published May 8, 2026.
  • Governing Dual-Use AI Offensive Models (Post-Mythos AI Regulation): Covered by CSA White Paper published May 8, 2026.
