CISO Daily Briefing
Cloud Security Alliance — AI Safety Initiative Intelligence Report
Executive Summary
The May 20 scan finds the AI supply chain crisis producing second-order effects: while Shai-Hulud worm campaigns continue (600+ new malicious npm packages published May 19), three distinct threat categories are simultaneously reaching critical mass. A max-severity pre-auth RCE in ChromaDB exemplifies a pattern of vulnerable AI infrastructure components that expose enterprise knowledge bases to takeover. The EvilTokens phishing-as-a-service platform compromised 340+ organizations without needing a password by exploiting OAuth device-code flows that bypass enterprise MFA entirely. Researchers have formally named a new attack class — “Living Off the Agent” (LOTA) — in which adversaries weaponize legitimate enterprise AI agents for C2 and exfiltration, evading detection because malicious activity is indistinguishable from normal agent behavior. On governance, the EU AI Act received its first formal amendments, creating immediate compliance divergence with the US regulatory path for multinationals.
Overnight Research Output
Pre-Auth RCE in ChromaDB & the AI Infrastructure Attack Surface
CRITICAL
Summary: A max-severity, pre-authentication remote code execution vulnerability in ChromaDB — the most widely deployed open-source vector database for AI RAG pipelines — was disclosed on May 19, 2026, with no vendor patch available. Exploitation grants an attacker complete access to the enterprise vector store: the proprietary knowledge base of documents, code repositories, email contents, and other data used to ground LLM responses — often more sensitive than the credentials that guard it. This is not isolated: a pattern of critical vulnerabilities across AI infrastructure components has accelerated over the past 30 days, including CVSS 9.8 RCE in SGLang AI Server (CVE-2026-5760, April 22), LMDeploy SSRF exploited within 13 hours of CVE publication (April 28), and an RCE in the Marimo notebook server exploited within 10 hours of disclosure (April 13). These components form the “AI plumbing layer” built largely without the security-by-design culture of traditional enterprise software.
Action Required: Audit all deployed vector databases, embedding servers, AI inference APIs, and ML tooling for network exposure. Isolate ChromaDB deployments behind network controls immediately; do not expose AI infrastructure to untrusted networks until the vendor releases a patch. Apply time-to-exploit metrics from adjacent CVEs (hours, not days) as the response SLA for this component class.
Key Sources:
› BleepingComputer — Max-Severity Flaw in ChromaDB Allows Server Hijacking (May 19, 2026)
› no.security daily digest — “Critical Pre-Auth RCE in ChromaDB — Vendor Unresolved” (May 19, 2026)
› no.security daily digest — “CVE-2026-5760: Critical 9.8 RCE in SGLang AI Server” (April 22, 2026)
› no.security daily digest — “LMDeploy SSRF Exploited Within 13 Hours of CVE Publication” (April 28, 2026)
› no.security daily digest — “Marimo RCE Exploited Within 10 Hours of Disclosure” (April 13, 2026)
Identity Attacks in the AI Era — Device-Code Phishing & OAuth Consent Abuse
CRITICAL
Summary: The EvilTokens Phishing-as-a-Service platform compromised more than 340 Microsoft 365 organizations across five countries in its first five weeks of operation without requiring a single password. Victims complete their normal MFA challenge on a legitimate Microsoft login page and unknowingly issue the attacker a valid OAuth refresh token scoped to their mailbox, OneDrive, calendar — and critically, to Azure AI and Microsoft Copilot access. These tokens persist for the lifetime of the tenant policy, surviving password resets and user sign-outs, giving attackers durable enterprise AI platform access. The ConsentFix v3 criminal toolkit (April 2026) automated this technique and lowered the skill barrier for OAuth grant abuse, while Microsoft separately disclosed on May 19 that a threat actor is abusing Self-Service Password Reset to steal data from Azure production environments. The security gap is structural: enterprise MFA controls verify identity at the credential layer, but OAuth device-code flows operate at the authorization layer — below existing defenses.
Action Required: Audit Conditional Access policies to block or restrict device-code flow authentication. Review OAuth grant permissions for AI platform scopes (Azure OpenAI, Copilot, M365 Copilot) across all identities. Implement token lifetime controls and revocation procedures that account for refresh token persistence beyond password reset cycles.
Key Sources:
› The Hacker News — The New Phishing Click: How OAuth Consent Bypasses MFA (May 19, 2026)
› BleepingComputer — Microsoft SSPR Abused in Azure Data Theft Attacks (May 19, 2026)
› no.security daily digest — “Device Code Phishing Campaign Hits 340+ Microsoft 365 Organizations” (March 30, 2026)
› no.security daily digest — “ConsentFix v3: Automated OAuth Abuse Toolkit Targets Enterprise AI Platforms” (May 3, 2026)
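To support the Conditional Access audit in the action item above, the following script (an added example, not code from the briefing or from Microsoft) checks a set of policy objects for an enforced, tenant-wide block on the device code flow. The policies are constructed samples shaped like Microsoft Graph conditionalAccessPolicy resources; the field names are assumptions based on that schema and should be checked against the Graph reference before use.

```python
"""Audit Entra Conditional Access policies for tenant-wide device-code-flow blocking.

Added example, not code from the briefing or from Microsoft. Policies are constructed
samples shaped like Microsoft Graph conditionalAccessPolicy resources (as returned by
GET /identity/conditionalAccess/policies); check field names against the Graph reference.
"""

DEVICE_CODE = "deviceCodeFlow"  # Graph transferMethods value for the device code flow

def blocks_device_code(policy: dict) -> bool:
    """True only for an *enforced* policy that blocks device code for all users and apps.
    Report-only state, narrowed scope, or a non-block grant control does not count."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    # transferMethods is a comma-separated string, e.g. "deviceCodeFlow,authenticationTransfer"
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    if DEVICE_CODE not in {m.strip() for m in flows.split(",")}:
        return False
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    if "All" not in (users.get("includeUsers") or []):
        return False
    if "All" not in (apps.get("includeApplications") or []):
        return False
    return "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])

def audit_device_code_coverage(policies: list) -> dict:
    """Name the policies that enforce a tenant-wide device-code block, if any."""
    covering = [p["displayName"] for p in policies if blocks_device_code(p)]
    return {"covered": bool(covering), "enforcing_policies": covering}

# Constructed tenant: a report-only device-code policy (does not count), an ordinary
# MFA policy (wrong control), and an enforced block with a break-glass exclusion.
SAMPLE_POLICIES = [
    {"displayName": "Device code - report only", "state": "enabledForReportingButNotEnforced",
     "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow"},
                    "users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {"authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
                    "users": {"includeUsers": ["All"], "excludeUsers": ["BREAK-GLASS-OBJECT-ID-PLACEHOLDER"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]
```

Break-glass exclusions are normal and do not reduce coverage here; review `excludeUsers` separately so the exclusion list stays limited to emergency accounts.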
“Living Off the Agent” (LOTA) — Weaponizing Enterprise AI Capabilities
HIGH URGENCY
Summary: On May 13, 2026, security researchers formally named and characterized “Living Off the Agent” (LOTA) — an attack class in which adversaries exploit legitimate enterprise AI agent capabilities rather than deploying traditional malware. LOTA is the AI-era parallel to Living Off the Land (LOTL) attacks: just as LOTL used native Windows tools (PowerShell, WMI) to evade detection, LOTA uses enterprise-deployed AI agents, their tool-calling interfaces, and their trusted execution contexts to achieve command-and-control, data exfiltration, and persistence. Multiple independently confirmed instances have been documented: Embrace the Red’s “Agent Commander” demonstrated promptware-powered C2 that hijacks legitimate AI coding agents; researchers showed agentic C2 infrastructure constructed using Claude’s computer-use capabilities; “Comment and Control” attacks subverted AI agents on GitHub via repository comment poisoning; and “Sleeper Channels” research showed persistent prompt injection surviving context resets in deployed agent memory systems (May 14, 2026). Detection is inherently difficult because LOTA activity is indistinguishable from normal agent behavior — the same tool calls, API requests, and execution patterns.
Action Required: Treat enterprise AI agents as privileged execution environments requiring the same behavioral monitoring as privileged accounts. Establish baselines for normal agent tool-call patterns. Implement guardrails and human-in-the-loop controls for agents with outbound network access, file system writes, or access to sensitive data repositories.
Key Sources:
› no.security daily digest — “‘Living Off the Agent’ (LOTA) — New Attack Class” (May 13, 2026)
› no.security daily digest — “Sleeper Channels: Persistent Prompt Injection in Agent Memory Systems” (May 14, 2026)
› Embrace the Red — Agent Commander: Promptware-Powered C2 (March 16, 2026)
› Embrace the Red — Given Enough Agents, All Bugs Become Shallow (April 7, 2026)
› no.security daily digest — “‘Comment and Control’: AI Agents on GitHub Subverted for C2 via Comment Poisoning” (April 8, 2026)
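The action item above calls for baselining normal agent tool-call patterns. The script below (an added example, not code from the briefing or from the cited researchers) learns, per agent, the tool/destination pairs and transfer sizes seen in a quiet window and then flags calls that fall outside that pattern. The log records are constructed samples in a hypothetical schema; a real deployment would feed the agent gateway's audit log.

```python
"""Baseline an AI agent's tool-call pattern and flag deviations (LOTA-style detection).

Added example, not code from the briefing or the cited research. Records are constructed
samples in a hypothetical schema {"ts","agent","tool","target","bytes"}. LOTA reuses
legitimate tools, so the signal is a change in pattern rather than a malicious artefact.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

def _pair(rec):
    """Normalise a call to (tool, host-or-path) so URLs on one host collapse together."""
    host = urlsplit(rec["target"]).hostname or rec["target"]
    return (rec["tool"], host)

def build_baseline(lines):
    """Per agent: the observed (tool, host) pairs and the largest transfer size per call."""
    base = defaultdict(lambda: {"pairs": set(), "max_bytes": 0})
    for line in lines:
        rec = json.loads(line)
        b = base[rec["agent"]]
        b["pairs"].add(_pair(rec))
        b["max_bytes"] = max(b["max_bytes"], rec.get("bytes", 0))
    return dict(base)

def detect_deviations(baseline, lines, volume_factor=5):
    """Return (ts, agent, reason) for calls outside the learned pattern."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        b = baseline.get(rec["agent"])
        if b is None:
            alerts.append((rec["ts"], rec["agent"], "unknown_agent"))
        elif _pair(rec) not in b["pairs"]:  # known tool, never-seen destination
            alerts.append((rec["ts"], rec["agent"], "new_tool_target_pair"))
        elif rec.get("bytes", 0) > volume_factor * max(b["max_bytes"], 1):
            alerts.append((rec["ts"], rec["agent"], "transfer_volume_above_baseline"))
    return alerts

# Constructed learning window: a coding agent that clones from GitHub, calls an
# internal API, and writes into its repository checkout.
BASELINE_LOG = [
    '{"ts":"2026-05-18T09:00:01Z","agent":"code-assist-01","tool":"git_clone","target":"https://github.com/example/app","bytes":4096}',
    '{"ts":"2026-05-18T09:01:10Z","agent":"code-assist-01","tool":"http_get","target":"https://api.internal.example/v1/tickets","bytes":512}',
    '{"ts":"2026-05-18T09:02:30Z","agent":"code-assist-01","tool":"file_write","target":"/srv/repo/app/main.py","bytes":2048}',
]
# Constructed detection window: one normal call followed by three deviations.
NEW_LOG = [
    '{"ts":"2026-05-19T09:00:05Z","agent":"code-assist-01","tool":"http_get","target":"https://api.internal.example/v1/tickets","bytes":600}',
    '{"ts":"2026-05-19T09:00:40Z","agent":"code-assist-01","tool":"http_post","target":"https://paste.example/upload","bytes":900}',
    '{"ts":"2026-05-19T09:01:15Z","agent":"code-assist-01","tool":"git_clone","target":"https://github.com/example/app","bytes":500000}',
    '{"ts":"2026-05-19T09:02:00Z","agent":"unregistered-agent","tool":"http_get","target":"https://api.internal.example/v1/tickets","bytes":100}',
]
```

Alerts from the pair and volume checks are the candidates for the human-in-the-loop review the action item recommends; the baseline window must itself be reviewed, since a baseline learned while an agent was already compromised would whitelist the attacker's pattern.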
EU AI Act First Amendments — Digital Omnibus Compliance Impact
HIGH URGENCY
Summary: The EU AI Act received its first formal legislative amendments on May 19, 2026, via the European Commission’s Digital Omnibus simplification package — the most significant modification to the Act since its original adoption. The amendments alter compliance deadlines, risk-tier reclassifications, and conformity assessment requirements in ways that directly affect enterprise AI governance programs. Unlike the US-focused regulatory convergence story (NIST AI supplements, CISA guidance, CoSAI standards) covered in the previous cycle, the EU AI Act is binding law with financial penalties — not voluntary guidance — and these amendments specifically affect how enterprises must classify, document, audit, and govern AI systems operating in or serving European markets. The practical compliance window is now: organizations still architecting AI governance programs should build against the amended framework, while those with roadmaps based on the original Act must assess the rework required. The US trajectory (NIST AI Agent Standards Initiative) is diverging, creating materially different compliance obligations on both sides of the Atlantic.
Action Required: Legal and compliance teams should review the Digital Omnibus amendment text against existing EU AI Act compliance roadmaps. AI governance programs serving European markets or processing EU data subjects must assess which risk-tier reclassifications apply and what conformity assessment changes are required. Prioritize alignment on the amended framework over the original Act for any systems not yet in production.
Key Sources:
› no.security daily digest — “EU AI Act Gets First Amendments — Digital Omnibus Package Published” (May 19, 2026)
› European Commission — Digital Strategy: Artificial Intelligence (official EU policy hub)
› NIST — AI Agent Standards Initiative (US counterpart context) (February 17, 2026)
› no.security daily digest — “The AI Regulation Pendulum — From ‘Build Baby Build’ to Binding Compliance” (May 10, 2026)
The AI Security Governance Gap — Shadow AI & the Breach Blindspot
HIGH URGENCY
Summary: A cross-source synthesis of the HiddenLayer 2026 AI Threat Landscape Report, CSA’s enterprise AI agent security survey, and multiple industry signals reveals a systemic organizational failure mode underlying every AI security risk: enterprises are deploying AI at a pace that has fundamentally outrun their ability to govern it. Shadow AI is now cited as a definite or probable problem by 76% of organizations — up 15 percentage points year-over-year. Nearly three-quarters (73%) of organizations report internal conflict over ownership of AI security controls, with AI systems falling between IT security, data governance, and business unit responsibility without clear accountability. Most alarming: 31% of organizations cannot determine whether they experienced an AI security breach in the past 12 months, and 53% admit to withholding breach disclosures despite publicly supporting mandatory reporting. CSA’s own survey found 65% of enterprises report being hit by an AI agent security incident, while only 22% treat AI agents as real attack surfaces and only 34% partner externally for AI threat detection. This governance gap is structural and cumulative: each ungoverned AI deployment creates a compounding blind spot that enables every other attack class — supply chain compromises, LOTA, infrastructure RCEs — to persist and escalate before detection.
Action Required: Conduct an immediate AI asset inventory to identify all deployed AI systems, agents, and integrations. Assign explicit ownership for AI security controls — document who is accountable. Establish monitoring and incident response procedures specific to AI systems. Review shadow AI management strategies to reduce ungoverned proliferation without blocking productivity.
Key Sources:
› HiddenLayer — 2026 AI Threat Landscape Report (March 18, 2026)
› BleepingComputer — 5 Steps to Managing Shadow AI Without Slowing Down Employees (May 18, 2026)
› no.security daily digest — “CSA Survey: 65% of Enterprises Hit by AI Agent Security Incident in Past 12 Months” (April 22, 2026)
› no.security daily digest — “Only 22% of Organizations Treat AI Agents as Real Attack Surfaces” (April 6, 2026)
› no.security daily digest — “Unmanaged AI Agents Classified as #1 Enterprise Risk in Gartner Emerging Risks Monitor” (April 20, 2026)
Notable News & Signals
Shai-Hulud Supply Chain Escalation: 600+ New Malicious npm Packages (May 19)
The TeamPCP-linked Shai-Hulud worm campaign published over 600 additional malicious npm packages on May 19 alone, extending to the @antv data visualization ecosystem and the Nx Console VSCode extension. The campaign continues its pattern of targeting AI/ML tooling dependencies. Covered by existing CSA research note published May 19.
DirtyDecrypt / CVE-2026-31635 Linux LPE PoC Released Publicly
A public proof-of-concept for the DirtyDecrypt Linux kernel local privilege escalation vulnerability was released, lowering the exploitation barrier for attackers with initial access to Linux systems. General infrastructure risk; outside AI Safety Initiative scope but relevant to teams running AI workloads on Linux infrastructure.
INTERPOL Operation Ramz: Cybercrime Enforcement Action
INTERPOL’s Operation Ramz resulted in arrests and infrastructure takedowns targeting cybercriminal organizations. Notable for threat actors in common sectors, but outside the AI security scope of this initiative.
Drupal Core Security Update (May 20 Release)
A security update for Drupal core was released on May 20, 2026. General web CMS vulnerability; outside the AI Safety Initiative scope. Web teams should apply standard patch response procedures.
Topics Already Covered (No New Action Required)
- Shai-Hulud / Mini Shai-Hulud Supply Chain Campaigns: Covered by CSA Research Note published May 19. New waves represent escalation of the same campaign.
- MCP Infrastructure Vulnerabilities & Agentic Attack Surface: Covered by CSA Whitepaper (May 19). LOTA is proposed as a distinct methodology paper, not a duplicate.
- AI Autonomous Vulnerability Discovery & Enterprise Patch Response: Covered by CSA Whitepaper (May 19). New data points extend existing coverage.
- Sovereign AI / Hyperscaler Concentration Risk: Covered by CSA Whitepaper (May 19). New EU exclusion enforcement signals addressed in Topic 5 from a distinct governance angle.
- AI Security Standards Regulatory Convergence (NIST, CISA, CoSAI, AARM): Proposed in the May 19 daily report (pending publication). Topic 4 above covers the EU AI Act amendments as a distinct binding-law development.
- Linux Kernel LPE (DirtyDecrypt/CVE-2026-31635, Fragnesia): General infrastructure vulnerabilities without AI-specific angle; outside scope.
- INTERPOL Operation Ramz: Cybercrime enforcement; outside AI Safety Initiative scope.
- Drupal Core Security Update: General web CMS; outside scope.