CISO Daily Briefing – May 20, 2026

Cloud Security Alliance — AI Safety Initiative Intelligence Report

Report Date: May 20, 2026
Intelligence Window: 48 Hours
Topics Identified: 5 Priority Items
Papers Published: 3 Overnight

Executive Summary

The 48-hour window ending May 20 is dominated by accelerating developer supply chain attacks. The TeamPCP Mini Shai-Hulud npm worm has contaminated AI-specific packages — Mistral AI SDK, Guardrails AI, durabletask — and breached GitHub’s internal codebase via a poisoned VS Code extension, exfiltrating ~3,800 internal repositories. Simultaneously, CVE-2026-45829 (CVSS 10.0) in ChromaDB allows unauthenticated remote code execution against AI vector database backends. The EvilTokens OAuth phishing-as-a-service platform has bypassed MFA in 340+ Microsoft 365 tenants, with refresh tokens that survive password resets — directly threatening AI agent deployments. All three incidents trace to the same root cause: non-human machine identities (AI agent tokens, CI/CD credentials, service accounts) are ungoverned at a 45:1 ratio to human identities in enterprise environments.

Overnight Research Output

1. AI-Targeted Supply Chain Worm: TeamPCP Escalates to GitHub (CRITICAL)

Summary: TeamPCP’s “Mini Shai-Hulud” worm has moved beyond generic npm poisoning. As of May 20, it has contaminated AI-specific packages — the Mistral AI Python SDK, Guardrails AI, and the durabletask orchestration library used in agentic workflows — and escalated to breach GitHub’s own internal infrastructure via a trojanized VS Code extension. Approximately 3,800 GitHub internal repositories were exfiltrated. The worm forges SLSA Build Level 3 provenance attestations, rendering artifact signing checks ineffective. Organizations running AI pipelines that consume open-source model SDKs or agentic orchestration libraries face active, unresolved exposure.

Action Required: Audit all npm and PyPI AI dependencies against TeamPCP indicators of compromise. Treat any package in the Mistral AI, Guardrails AI, or durabletask dependency trees as suspect until patched versions are confirmed. Do not rely on provenance attestations as a control at this time. Review developer machines for the malicious VS Code extension IOCs.

Why This Matters: This is the first documented case of a self-propagating npm worm directly contaminating AI model libraries at scale. CSA’s earlier Mini Shai-Hulud note predates the AI-specific escalation — this research note addresses the risks unique to enterprise AI pipelines: poisoned model SDKs, contaminated agentic orchestration packages, and forged provenance attestations.

2. ChromaDB CVE-2026-45829: RCE in the AI Vector Database Layer (HIGH URGENCY)

Summary: CVE-2026-45829 is a CVSS 10.0 unauthenticated remote code execution vulnerability in ChromaDB, the open-source vector database used in the majority of retrieval-augmented generation (RAG) systems and agentic AI applications, with nearly 14 million monthly PyPI downloads. Any unauthenticated attacker with network access to an exposed ChromaDB Python server can execute arbitrary code — effectively gaining full control of the AI application’s retrieval backend. Because ChromaDB is typically deployed as an internal backend component rather than a public-facing service, organizations frequently omit network-layer controls, making accidental public exposure common.

Action Required: Immediately audit all ChromaDB deployments for public or unintended network exposure. Apply the patched release as an emergency change. Restrict ChromaDB to private network segments with explicit allowlist firewall rules. Treat any exposed instance as potentially compromised pending investigation.

Why This Matters: This is the first max-severity CVE against the AI middleware layer — the vector databases, embedding services, and inference endpoints that enterprises are actively deploying in 2026. CSA has no published guidance on securing this infrastructure class; this research note addresses that gap with a concrete current threat as the hook.
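The exposure audit called for above can be driven from an asset inventory before anyone touches a host. The script below is an added example, not CSA's or the Chroma project's code: it classifies each recorded ChromaDB server as loopback-only, private, or internet-exposed from its bind address, the host's public IP, and the ingress allowlist on its port, and includes an optional live heartbeat probe for confirmation. The inventory records are constructed, the port 8000 default and the heartbeat paths are assumptions about the Chroma server to be checked against the installed version, and the classification treats a missing allowlist as unrestricted.

```python
"""Exposure triage for ChromaDB servers from an asset inventory.

Constructed example: the inventory below is made up, and the heartbeat paths
are assumptions about the Chroma HTTP API (verify against your installed version).
"""
import ipaddress
import urllib.error
import urllib.request

CHROMA_DEFAULT_PORT = 8000  # Chroma's usual server default (assumption if overridden)

# Constructed inventory records: where the server binds, the host's public IP
# (if any), and the source CIDRs its firewall / security group admits on that port.
INVENTORY = [
    {"name": "rag-prod-1", "bind": "127.0.0.1", "port": 8000, "public_ip": None,
     "ingress": []},
    {"name": "rag-prod-2", "bind": "0.0.0.0", "port": 8000, "public_ip": "198.51.100.10",
     "ingress": ["0.0.0.0/0"]},
    {"name": "rag-staging", "bind": "0.0.0.0", "port": 8000, "public_ip": None,
     "ingress": ["10.42.0.0/16"]},
    {"name": "agent-memory", "bind": "10.42.7.5", "port": 8001, "public_ip": "203.0.113.8",
     "ingress": ["10.42.0.0/16", "0.0.0.0/0"]},
    {"name": "rag-dev", "bind": "0.0.0.0", "port": 8000, "public_ip": "192.0.2.44",
     "ingress": []},
]


def classify(instance):
    """Return (level, reasons); level is 'loopback-only', 'private' or 'internet-exposed'."""
    bind = ipaddress.ip_address(instance["bind"])
    if bind.is_loopback:
        return "loopback-only", []

    reasons = []
    # A /0 rule admits every source address.
    open_rules = [r for r in instance["ingress"]
                  if ipaddress.ip_network(r, strict=False).prefixlen == 0]
    if open_rules:
        reasons.append("ingress rule admits any source: " + ", ".join(open_rules))
    if not instance["ingress"]:
        reasons.append("no ingress allowlist recorded (treated as unrestricted)")

    public_ip = instance["public_ip"]
    # Reachable from the internet only if the listener sits on the interface that
    # carries the public address (0.0.0.0 or that address itself) AND the firewall
    # does not restrict sources. A private-interface bind with an over-broad rule
    # is flagged but stays 'private'.
    listens_publicly = bool(public_ip) and (
        bind.is_unspecified or bind == ipaddress.ip_address(public_ip))
    if listens_publicly:
        reasons.append("listens on an interface with public IP %s" % public_ip)
        if open_rules or not instance["ingress"]:
            return "internet-exposed", reasons
    return "private", reasons


def audit(inventory):
    """Map each instance name to its exposure level."""
    return {i["name"]: classify(i)[0] for i in inventory}


def probe_heartbeat(host, port=CHROMA_DEFAULT_PORT, timeout=3.0):
    """Live confirmation that something answering Chroma's heartbeat is listening.
    Tries the v2 then the v1 path; both paths are assumptions about the API."""
    for path in ("/api/v2/heartbeat", "/api/v1/heartbeat"):
        try:
            with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=timeout) as resp:
                if resp.status == 200:
                    return True
        except (urllib.error.URLError, OSError):
            continue
    return False


if __name__ == "__main__":
    for inst in INVENTORY:
        level, reasons = classify(inst)
        print(f"{inst['name']:<13} {level:<17} {'; '.join(reasons)}")
```

Run against a real inventory, every instance that comes back internet-exposed is a candidate for the "treat as potentially compromised" handling in the action item; the private instances with an over-broad rule (agent-memory in the constructed data) are the cleanup queue for the allowlist firewall rules.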

3. EvilTokens PhaaS: OAuth Device-Code Phishing Bypasses MFA (HIGH URGENCY)

Summary: The EvilTokens phishing-as-a-service platform has compromised over 340 Microsoft 365 tenants across five countries since February 2026 by exploiting the OAuth 2.0 device authorization flow — a mechanism that MFA does not protect. The attack yields refresh tokens that persist for weeks or months and survive password resets, producing no sign-in alert recognizable as an intrusion. The threat is structurally distinct from credential phishing and demands different detection and revocation controls. For organizations deploying AI agents with delegated M365 access, a single successful EvilTokens attack can grant the attacker persistent, durable access to every enterprise resource the agent is authorized to reach.

Action Required: Immediately audit all active OAuth device-code authorizations and revoke any that cannot be attributed to known, managed devices. Restrict device-code flow via Conditional Access policies where possible. Implement detection rules for unusual OAuth device-code grant activity. Review AI agent OAuth token scopes for least-privilege.

Why This Matters: MFA bypass via OAuth device-code flow is not widely understood, and the intersection with AI agent credential management is a critical unaddressed gap. An EvilTokens compromise of an AI agent’s OAuth token is not merely a mailbox breach — it is persistent access into every system the agent can reach, with no expiry on password rotation.
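The detection rule asked for in the action item can start as a scoring pass over sign-in records. The script below is an added example, not CSA's code or anything from the EvilTokens reporting: it isolates device-code grants, compares each against the user's non-device-code sign-in baseline, the organisation's egress ranges, and device registration state, and assigns a severity. The records are constructed; the field names follow the Microsoft Graph signIn resource as I know it (authenticationProtocol, deviceDetail, ipAddress, appDisplayName) and should be treated as assumptions to map onto whatever your export actually contains, as should the corporate address range.

```python
"""Score OAuth device-code grants found in Entra ID sign-in records.

Constructed example: the records are made up and the field names are assumptions
modelled on the Microsoft Graph signIn resource; adapt them to your export.
"""
import ipaddress
from collections import defaultdict

# Assumption: the organisation's known egress ranges.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-19T08:02:11Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "10.20.4.17",
     "appDisplayName": "Outlook", "deviceDetail": {"deviceId": "dev-0001", "isManaged": True}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-19T21:47:03Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.55",
     "appDisplayName": "Microsoft Office", "deviceDetail": {"deviceId": "", "isManaged": False}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-19T09:15:40Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "10.20.4.90",
     "appDisplayName": "Azure CLI", "deviceDetail": {"deviceId": "dev-0042", "isManaged": True}},
    {"userPrincipalName": "svc-agent@example.com", "createdDateTime": "2026-05-20T02:10:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23",
     "appDisplayName": "Microsoft Office", "deviceDetail": {"deviceId": "", "isManaged": False}},
    {"userPrincipalName": "svc-agent@example.com", "createdDateTime": "2026-05-20T02:12:30Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Office", "deviceDetail": {"deviceId": "", "isManaged": False}},
]


def _is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def score_device_code_grants(signins):
    """Return one finding per device-code sign-in, with reasons and a severity."""
    # Baseline: source IPs each user has used for ordinary (non-device-code) sign-ins.
    baseline_ips = defaultdict(set)
    # Distinct source IPs per user across device-code grants in the window.
    dc_ips = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode":
            dc_ips[s["userPrincipalName"]].add(s["ipAddress"])
        else:
            baseline_ips[s["userPrincipalName"]].add(s["ipAddress"])

    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        dev = s.get("deviceDetail") or {}
        reasons = []
        if not dev.get("deviceId") or not dev.get("isManaged"):
            reasons.append("unmanaged or unregistered device")
        if not _is_corporate(s["ipAddress"]):
            reasons.append("source IP outside corporate ranges")
        if s["ipAddress"] not in baseline_ips[user]:
            reasons.append("source IP never seen in this user's non-device-code sign-ins")
        if len(dc_ips[user]) > 1:
            reasons.append("multiple device-code grants from distinct source IPs")
        severity = "high" if len(reasons) >= 3 else "medium" if reasons else "info"
        findings.append({"user": user, "time": s["createdDateTime"], "ip": s["ipAddress"],
                         "app": s["appDisplayName"], "severity": severity, "reasons": reasons})
    return findings


def by_severity(findings):
    """Count findings per severity level."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in score_device_code_grants(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["user"], f["ip"], f["app"], "|", "; ".join(f["reasons"]))
```

Every device-code grant produces a finding, because the page's point is that the flow itself is the anomaly to review; the severity only orders the queue. A high finding on an AI agent's service identity is the case to act on first, with refresh-token revocation for that principal rather than a password reset, since the page notes the tokens survive resets.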

4. CISA “Careful Adoption of Agentic AI Services” — Practitioner Guide (GOVERNANCE)

Summary: On May 1, 2026, CISA together with the Australian Signals Directorate, UK NCSC, and additional international partners released “Careful Adoption of Agentic AI Services” — the most current and authoritative joint government guidance on agentic AI security. The guide identifies five core risks for enterprise operators: expanded attack surface, privilege creep, behavioral misalignment, obscure event records, and over-reliance on vendor safety claims. It provides tiered recommendations for developers, vendors, and operators. This CSA research note translates the government guidance into an AICM/MAESTRO-aligned framework that enterprise security teams can operationalize immediately, with the week’s incidents serving as concrete illustrations of each identified risk.

Action Required: Share the CISA guidance with your agentic AI program team. Use the CSA research note to map existing AICM controls to the five identified risk areas. Assess your current agentic AI deployments against the operator-level checklist in the CISA guide, paying particular attention to privilege scoping and audit trail completeness.

Why This Matters: CISOs are actively requesting guidance on agentic AI security and asking how government guidance maps to frameworks they already use. This research note provides the AICM bridge that turns a 40-page government document into an actionable control checklist for enterprise practitioners.

5. Non-Human Identity Governance: AI Agents Are the Fastest-Growing Attack Surface (STRATEGIC)

Summary: Enterprise environments now carry 45 non-human identities for every human identity — 144:1 in cloud-native environments — and the ratio is accelerating as agentic AI deployments expand. Unlike static service accounts, AI agents dynamically acquire permissions at runtime, spawn sub-agents, and take autonomous action, creating a governance challenge that existing IAM frameworks were not designed to address. This week’s incidents trace directly to this failure: TeamPCP extracted OIDC tokens from GitHub Actions runner memory; EvilTokens issued OAuth refresh tokens that survived password resets; a CISA contractor published AWS GovCloud admin credentials to a public GitHub repository. With HiddenLayer’s 2026 AI Threat Landscape Report finding that 73% of organizations report internal conflict over AI security ownership, this is a governance and accountability gap, not a technology one.

Action Required: Initiate a non-human identity inventory project scoped to include all AI agent credentials, CI/CD pipeline tokens, OAuth refresh tokens, and ephemeral cloud credentials. Apply the same lifecycle management discipline to machine identities as human identities: provisioning, rotation, least-privilege scoping, and revocation on decommission.

Why This Matters: A full CSA whitepaper on NHI governance for agentic AI addresses the single structural failure that explains three of this week’s five major incidents. This is the strategic document that turns reactive incident response into a proactive governance program.
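The lifecycle discipline the action item describes (provisioning, rotation, least-privilege scoping, revocation) is checkable once an inventory exists. The script below is an added example, not CSA's code or part of the whitepaper it mentions: it runs four checks over a machine-identity inventory covering the credential kinds the briefing names (AI agent credentials, CI/CD tokens, OAuth refresh tokens, cloud keys) and reports rotation overdue, no accountable owner, privileged scopes, and dormancy. The records, the rotation and dormancy thresholds, the scope markers and the fixed "as of" date are all constructed assumptions; the point is the shape of the audit, not the numbers.

```python
"""Lifecycle audit over a non-human identity (NHI) inventory.

Constructed example: records, policy thresholds, scope markers and the AS_OF date
are made up so the run is reproducible; replace them with your own policy.
"""
from datetime import date

# Assumed policy: maximum credential age before rotation, per kind.
ROTATION_MAX_DAYS = {
    "agent_credential": 30,
    "oauth_refresh_token": 30,
    "ci_token": 90,
    "cloud_key": 90,
}
DORMANT_AFTER_DAYS = 60  # unused this long: candidate for revocation
# Substrings that mark a scope as privileged (assumption; tune to your IdP's naming).
PRIVILEGED_MARKERS = ("admin", "*", "owner", "write:all")
AS_OF = date(2026, 5, 20)  # constructed "today" for the sample run

INVENTORY = [
    {"id": "nhi-001", "kind": "ci_token", "owner": "platform-team",
     "last_rotated": "2026-04-28", "last_used": "2026-05-19", "scopes": ["repo:read"]},
    {"id": "nhi-002", "kind": "cloud_key", "owner": "",
     "last_rotated": "2025-11-02", "last_used": "2026-05-18", "scopes": ["iam:admin", "s3:*"]},
    {"id": "nhi-003", "kind": "agent_credential", "owner": "ai-ops",
     "last_rotated": "2026-05-01", "last_used": "2026-05-20",
     "scopes": ["mail:read", "files:read"]},
    {"id": "nhi-004", "kind": "oauth_refresh_token", "owner": "ai-ops",
     "last_rotated": "2026-02-14", "last_used": "2026-02-20", "scopes": ["mail:readwrite"]},
]


def _days_since(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def audit_identity(ident, today):
    """Return the list of policy findings for one identity (empty list means clean)."""
    reasons = []
    age = _days_since(ident["last_rotated"], today)
    limit = ROTATION_MAX_DAYS.get(ident["kind"])
    if limit is None:
        reasons.append(f"unknown credential kind {ident['kind']!r}: no rotation policy")
    elif age > limit:
        reasons.append(f"rotation overdue: {age} days old, policy is {limit}")
    if not ident["owner"]:
        reasons.append("no accountable owner")
    privileged = [s for s in ident["scopes"] if any(m in s for m in PRIVILEGED_MARKERS)]
    if privileged:
        reasons.append("privileged scopes: " + ", ".join(privileged))
    idle = _days_since(ident["last_used"], today)
    if idle > DORMANT_AFTER_DAYS:
        reasons.append(f"dormant for {idle} days: revoke unless justified")
    return reasons


def audit(inventory, today=AS_OF):
    """Map each identity id to its findings."""
    return {i["id"]: audit_identity(i, today) for i in inventory}


if __name__ == "__main__":
    for ident_id, reasons in audit(INVENTORY).items():
        print(ident_id, "OK" if not reasons else "; ".join(reasons))
```

The two identities owned by ai-ops in the constructed data show the pattern the briefing warns about: an agent credential that is in policy, and a refresh token for the same team that has outlived its rotation window and sat unused for months, which is exactly the kind of token that would survive a password reset unnoticed.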

Notable News & Signals

Post-Quantum Cryptography: Wiz Blind Spots Research

Wiz published “From Cryptographic Blind Spots to Post-Quantum Agility” (May 18), identifying common enterprise misconfigurations that will create PQC migration failures. Well-covered in CSA’s existing corpus; no new note required, but useful practitioner reading for teams beginning PQC inventories.

Source: Wiz Research

Windows YellowKey BitLocker Bypass (CVE-2026-45585)

Active zero-day exploit targeting BitLocker full-disk encryption. Limited direct AI Security Initiative scope but notable for enterprises with hybrid cloud/on-premise AI compute. General Windows endpoint hardening topic; defer to appropriate working group.

DirtyDecrypt/DirtyFrag Linux LPE (CVE-2026-31635)

PoC released for a Linux kernel local privilege escalation. Relevant to cloud AI infrastructure broadly — a compromised container escaping to host via this CVE would be high impact for GPU clusters. Recommend tracking via general cloud security working group.

Trapdoor Android Ad Fraud Campaign

Large-scale Android adware campaign affecting consumer devices. Limited enterprise AI security relevance; noted for completeness. No action required for CSA AI Safety Initiative scope.

Topics Already Covered (No New Action Required)

  • Mini Shai-Hulud Initial npm Campaign: CSA Labs research note covers the early-phase attack. Today’s Topic 1 addresses the AI-specific escalation and GitHub breach not covered in that note.
  • Post-Quantum Cryptography Readiness: PQC is well-represented in CSA’s existing corpus. Wiz’s May 18 practitioner guide is a useful reference; no new CSA note needed at this time.
  • Windows YellowKey BitLocker Bypass: Active zero-day but outside AI Security Initiative scope. General Windows hardening topic for another working group.
  • DirtyDecrypt/DirtyFrag Linux LPE: Linux kernel privilege escalation; cloud infrastructure relevance but not AI-security-specific. Recommend general cloud security working group tracking.
  • Trapdoor Android Ad Fraud: Consumer-focused campaign with no material enterprise AI security implications.