CISO Daily Briefing — May 24, 2026

Cloud Security Alliance — AI Safety Initiative Intelligence Report

Report Date: May 24, 2026
Intelligence Window: 48 Hours
Priority Topics: 5 Identified
Research Notes Queued: 5 Overnight

Executive Summary

This cycle’s threat landscape is defined by nation-state exploitation of AI infrastructure: CISA confirmed Iranian actor MuddyWater is actively exploiting Langflow CVE-2025-34291, the first CISA KEV entry targeting an AI agent orchestration platform, providing a direct pathway into enterprise LLM workflows. Concurrently, the Megalodon campaign injected malicious GitHub Actions into 5,561 repositories within six hours, exfiltrating 449 GB of CI/CD secrets and OIDC tokens. Anthropic’s Project Glasswing disclosed 10,000+ high-severity vulnerabilities found in open-source projects in 30 days — faster than maintainers can patch, exposing a structural remediation crisis. The CISA Five Eyes agentic AI framework now sets the de facto compliance baseline for enterprise LLM agent deployments.

Overnight Research Output

1. Langflow CVE-2025-34291: AI Agent Platform Under Active State-Sponsored Exploitation

Severity: CRITICAL

Summary: CISA added CVE-2025-34291 to its Known Exploited Vulnerabilities catalog on May 22, confirming active exploitation by MuddyWater — an Iranian state-sponsored APT (APT34-adjacent). The vulnerability combines an overly permissive CORS configuration with SameSite=None refresh token cookies, enabling unauthenticated cross-origin remote code execution against Langflow instances. A compromised Langflow deployment creates a direct pathway to LLM prompt injection, training data exfiltration, and lateral movement into connected AI infrastructure. This is the first CISA KEV-listed vulnerability specifically targeting an AI agent orchestration platform — a threshold moment in AI infrastructure security.

Why This Matters: Any enterprise running Langflow for LLM workflow automation must patch immediately. Existing CVE response protocols do not address the distinct downstream risks of AI infrastructure compromise — including LLM output manipulation and training data exfiltration. Traditional web CVE guidance is insufficient for AI agent platforms that sit between enterprise models and production data with implicit elevated trust.
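
The vulnerability class described above is a header-level misconfiguration, so it can be checked from the response headers alone. The following is an added example (not Langflow's code and not part of CISA's advisory): it parses the CORS headers and Set-Cookie attributes of a response to a request that carried an Origin header, and reports the combination of origin reflection with credentials plus a SameSite=None cookie as one finding set. PROBE_ORIGIN, the cookie name refresh_token, and both sample responses are constructed.

```python
"""Audit an HTTP response for the CORS + SameSite=None cookie combination.

Added example (not Langflow's code or CISA's guidance). Assumes the auditor
already has the response headers from a request that carried
`Origin: PROBE_ORIGIN`; the origin, cookie names and responses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical origin the auditor owns nothing on; if the server echoes it back
# in Access-Control-Allow-Origin, it reflects arbitrary origins.
PROBE_ORIGIN = "https://cors-probe.invalid"


@dataclass
class Finding:
    severity: str   # HIGH / MEDIUM / LOW
    detail: str


@dataclass
class CookieInfo:
    name: str
    samesite: Optional[str]   # lower-cased: "none", "lax", "strict" or None
    secure: bool
    httponly: bool


def parse_set_cookie(value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into the attributes the audit needs."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    samesite, secure, httponly = None, False, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().lower() or None
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return CookieInfo(name, samesite, secure, httponly)


def audit_response(headers: List[Tuple[str, str]], request_origin: str = PROBE_ORIGIN) -> List[Finding]:
    """Return findings for a response to a request that sent `Origin: request_origin`."""
    acao: Optional[str] = None
    allow_credentials = False
    cookies: List[CookieInfo] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "access-control-allow-origin":
            acao = value.strip()
        elif lname == "access-control-allow-credentials":
            allow_credentials = value.strip().lower() == "true"
        elif lname == "set-cookie":
            cookies.append(parse_set_cookie(value))

    findings: List[Finding] = []
    reflects = acao == request_origin            # server echoed an arbitrary origin
    credentialed_cross_origin = reflects and allow_credentials
    if credentialed_cross_origin:
        findings.append(Finding("HIGH", f"Access-Control-Allow-Origin reflects {request_origin} with Allow-Credentials: true"))
    elif reflects:
        findings.append(Finding("MEDIUM", f"Access-Control-Allow-Origin reflects {request_origin} (responses readable cross-origin, cookies not attached)"))
    elif acao == "*" and allow_credentials:
        # Browsers refuse the wildcard together with credentials, but the intent
        # is wrong and one config change away from the reflecting case above.
        findings.append(Finding("MEDIUM", "Access-Control-Allow-Origin: * combined with Allow-Credentials: true"))

    for c in cookies:
        if c.samesite == "none":
            sev = "HIGH" if credentialed_cross_origin else "MEDIUM"
            findings.append(Finding(sev, f"cookie {c.name!r} is SameSite=None, so browsers attach it to cross-site requests"))
            if not c.secure:
                findings.append(Finding("LOW", f"cookie {c.name!r} is SameSite=None without Secure (modern browsers drop it)"))
        if not c.httponly:
            findings.append(Finding("LOW", f"cookie {c.name!r} lacks HttpOnly"))
    return findings


# Constructed responses: the weak shape the advisory describes, and a hardened one.
WEAK_RESPONSE = [
    ("Access-Control-Allow-Origin", PROBE_ORIGIN),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "refresh_token=REDACTED; Path=/; Secure; SameSite=None"),
]
HARDENED_RESPONSE = [
    ("Access-Control-Allow-Origin", "https://app.example.internal"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "refresh_token=REDACTED; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, [(f.severity, f.detail) for f in audit_response(resp)] or "no findings")
```

The hardened response keeps a credentialed CORS policy but binds it to one explicit internal origin and sets the refresh cookie to SameSite=Strict with HttpOnly, which is the shape a Langflow-style deployment should show after patching; running the audit in a post-patch verification step confirms the change actually reached the running instance.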

2. Project Glasswing and the AI Vulnerability Disclosure Velocity Crisis

Severity: HIGH

Summary: Anthropic disclosed on May 23 that Project Glasswing — using Claude Mythos Preview across ~50 partner organizations — identified over 10,000 high and critical-severity vulnerabilities across 1,000+ open-source projects in under 30 days. Of 1,726 validated true positives, 1,094 are rated high or critical. Mozilla found and fixed 271 vulnerabilities in Firefox 150, versus 25 in a prior AI-assisted run. Open-source maintainers are now explicitly requesting slower disclosure pacing — a direct inversion of traditional responsible disclosure norms. WolfSSL CVE-2026-5194 (CVSS 9.1, certificate forgery) is one confirmed output.

Why This Matters: Organizations relying on widely-deployed open-source components must assume their attack surface is expanding at a rate no traditional patch management program can match. AI-accelerated discovery requires SLA recalibration, triage automation, and coordinated disclosure framework adaptation at industry-wide scale — a policy and operational challenge CSA research has not yet addressed.

3. Megalodon: Automated Mass Poisoning of CI/CD Pipelines via GitHub Actions

Severity: HIGH

Summary: On May 18, 2026, the Megalodon campaign simultaneously pushed 5,718 malicious commits to 5,561 GitHub repositories in under six hours, injecting GitHub Actions workflows designed to exfiltrate CI/CD secrets, cloud credentials (AWS, GCP, Azure via IMDS), OIDC tokens, SSH keys, and Kubernetes configurations to an attacker-controlled server. As of May 21, 449 GB across 575,352 files had been exfiltrated, with activity still ongoing. The attack requires only write access via a merged pull request from a fork — no repository owner credentials are needed. OIDC token theft is particularly severe: short-lived tokens that bypass standard credential rotation controls were among the targeted artifacts.

Why This Matters: Any organization with public or contributor-accessible GitHub repositories must audit merged pull requests for injected workflow modifications. Implement scoped token permissions, pin third-party actions to full commit SHAs, and restrict OIDC token scope immediately — particularly for repositories that contain or access cloud infrastructure credentials.
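
The audit the paragraph calls for can be automated over every workflow file touched by a merged pull request. The following is an added example, not GitHub's code or anything from the affected repositories: a line-oriented checker for the controls named above (actions pinned to full commit SHAs, a top-level permissions block, OIDC minting enabled only where needed) plus one detection rule for the secrets-dump expression an injected workflow needs. It goes slightly beyond the text by also flagging the pull_request_target trigger, since that is the trigger under which a fork's pull request runs with the base repository's token. Both workflows at the bottom are constructed, and the 40-zero ref is a placeholder, not a real actions/checkout commit.

```python
"""Static checks for GitHub Actions workflow files against the Megalodon-style
injection described above.

Added example, not GitHub's or any affected project's code. Regex checks over the
workflow text (no YAML library) so it runs anywhere; the two workflows at the
bottom are constructed, and the 40-zero ref is a placeholder commit SHA.
"""
import re
from dataclasses import dataclass
from typing import List

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:")
ID_TOKEN_WRITE_RE = re.compile(r"^\s*id-token:\s*write\b")
SECRETS_DUMP_RE = re.compile(r"tojson\s*\(\s*secrets\s*\)", re.IGNORECASE)
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")


@dataclass
class Finding:
    rule: str
    line: int      # 1-based line in the workflow file; 0 for file-level findings
    detail: str


def audit_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file's text."""
    findings: List[Finding] = []
    has_top_level_permissions = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()   # ignore trailing comments
        if not line.strip():
            continue
        if TOP_LEVEL_PERMISSIONS_RE.match(line):
            has_top_level_permissions = True
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not (ref.startswith("./") or ref.startswith("docker://")):
                _, _, version = ref.partition("@")
                if not SHA_RE.match(version):
                    findings.append(Finding("unpinned-action", lineno,
                                            f"{ref} uses a mutable ref, not a full commit SHA"))
        if PR_TARGET_RE.search(line):
            findings.append(Finding("pull-request-target", lineno,
                                    "runs with the base repo token for fork PRs; review what it checks out and executes"))
        if ID_TOKEN_WRITE_RE.match(line):
            findings.append(Finding("oidc-enabled", lineno,
                                    "id-token: write lets this job mint OIDC tokens; confirm the job needs cloud access"))
        if SECRETS_DUMP_RE.search(line):
            findings.append(Finding("secrets-dump", lineno,
                                    "toJSON(secrets) serializes every repository secret into the step"))
    if not has_top_level_permissions:
        findings.append(Finding("missing-permissions", 0,
                                "no top-level permissions: block; GITHUB_TOKEN gets the repository default scope"))
    return findings


# Constructed: the shape of an injected workflow (secret dump, broad token, mutable action ref).
INJECTED_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: build
        run: echo "${{ toJSON(secrets) }}"
"""

# Constructed: the hardened shape (read-only token, SHA-pinned action, no fork-privileged trigger).
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - run: make test
"""

if __name__ == "__main__":
    for label, wf in (("injected", INJECTED_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, [(f.rule, f.line) for f in audit_workflow(wf)] or "no findings")
```

Run it over the files under .github/workflows/ in each merged pull request's diff (for example via git show on the merge commit) and fail the review if any rule fires; the rule names map directly onto the three controls the paragraph lists, so the output doubles as an evidence record for the audit.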

4. CISA Agentic AI Guidance: Operationalizing the Five-Risk Framework

Severity: HIGH

Summary: On May 1, 2026, CISA and Five Eyes partner agencies (NSA, NCSC-UK, ASD ACSC, NCSC-NZ, CCCS) released Careful Adoption of Agentic AI Services — the first authoritative international guidance specifically addressing agentic AI security. The framework defines five risk categories: privilege escalation, design and configuration failures, behavioral misalignment, structural brittleness, and accountability gaps. Enterprises are expected to begin with low-risk, non-sensitive use cases before expanding agentic AI access. This guidance represents the closest thing to a regulatory expectation for LLM agent production deployments, and most organizations currently lack the required access controls and audit logging to demonstrate compliance.

Why This Matters: Enterprises deploying AI agents in production now have a documented government standard against which they will be measured. The five-risk framework requires concrete access-control architectures, behavioral monitoring instrumentation, and audit logging that most organizations have not yet implemented. A CSA research note mapping the framework to MAESTRO layers and AICM controls would bridge government guidance to cloud-native implementation.

5. TeamPCP (UNC6780): The AI Developer Ecosystem's Most Active Supply Chain Adversary

Severity: HIGH

Summary: Google Threat Intelligence Group formally tracks TeamPCP as UNC6780, a financially motivated threat actor executing the most sustained and diverse software supply chain campaign of 2026. In Wave 4 alone (May 19), the group simultaneously compromised Microsoft’s durabletask Python SDK on PyPI, poisoned a VSCode extension with 2.2 million installs, and compromised @antv namespace npm packages — leading GitHub to confirm exfiltration of approximately 3,800 internal repositories. Prior waves targeted LiteLLM, Docker Hub security utilities, Trivy, and LangChain-adjacent packages. This actor has industrialized supply chain compromise and is deliberately concentrating attacks on the open-source AI development stack.

Why This Matters: TeamPCP represents a persistent, formally attributed threat actor specifically targeting the open-source AI developer stack. No single patch addresses this risk. Enterprises must treat npm, PyPI, and Docker Hub packages as untrusted infrastructure and implement dependency integrity verification, provenance attestation, and behavioral monitoring across all CI/CD pipelines touching AI middleware.
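
Dependency integrity verification, the first of the controls named above, is concrete enough to show for the PyPI case. The following is an added example, not CSA's or any affected project's code: it parses a pip-style lock file, refuses any requirement that carries no --hash entry (the same policy pip install --require-hashes enforces), and checks a downloaded artifact's digest against the pinned hashes so a package swapped after the lock was written fails the gate. The package names, versions, index URL and artifact bytes are constructed fixtures; the expected hash is computed from the constructed bytes at import time.

```python
"""Verify that every dependency in a pip requirements/lock file is pinned with a
hash and that downloaded artifacts match before they are installed.

Added example, not CSA's or any project's code. Mirrors the policy that
`pip install --require-hashes` enforces, so it can run as an offline CI gate;
package names, versions, the index URL and artifact bytes are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\]+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


@dataclass
class PinnedRequirement:
    name: str
    version: str
    hashes: Dict[str, Set[str]] = field(default_factory=dict)  # algorithm -> hex digests


def _logical_lines(text: str) -> List[str]:
    """Join pip-style backslash continuations and drop comments and blank lines."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        stripped = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_hashed_requirements(text: str) -> Tuple[Dict[str, PinnedRequirement], List[str]]:
    """Return (requirements by normalized name, names that carry no hash at all)."""
    reqs: Dict[str, PinnedRequirement] = {}
    unhashed: List[str] = []
    for line in _logical_lines(text):
        m = REQ_RE.match(line)
        if not m:
            continue   # options such as --index-url are not requirements
        name = m.group(1).lower().replace("_", "-")
        req = PinnedRequirement(name, m.group(2))
        for algo, digest in HASH_RE.findall(line):
            req.hashes.setdefault(algo, set()).add(digest.lower())
        if not req.hashes:
            unhashed.append(name)
        reqs[name] = req
    return reqs, unhashed


def verify_artifact(data: bytes, req: PinnedRequirement) -> bool:
    """True if the artifact's digest matches one of the hashes pinned for req."""
    for algo, digests in req.hashes.items():
        if hashlib.new(algo, data).hexdigest() in digests:
            return True
    return False


def gate(lock_text: str, artifacts: Dict[str, bytes]) -> List[str]:
    """CI-style gate: every requirement hashed, every supplied artifact matches."""
    reqs, unhashed = parse_hashed_requirements(lock_text)
    problems = [f"{n}: no --hash pinned" for n in unhashed]
    for name, data in artifacts.items():
        req = reqs.get(name)
        if req is None:
            problems.append(f"{name}: artifact not in lock file")
        elif req.hashes and not verify_artifact(data, req):
            problems.append(f"{name}: digest mismatch against pinned hashes")
    return problems


# Constructed artifact bytes standing in for a downloaded wheel and a tampered copy.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel payload for examplelib 1.0.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected"
GOOD_SHA256 = hashlib.sha256(GOOD_WHEEL).hexdigest()

LOCKFILE = f"""\
# constructed lock file
--index-url https://pypi.example.invalid/simple
examplelib==1.0.0 \\
    --hash=sha256:{GOOD_SHA256}
Other_Lib==2.3.1
"""

if __name__ == "__main__":
    print("good artifact:", gate(LOCKFILE, {"examplelib": GOOD_WHEEL}))
    print("tampered artifact:", gate(LOCKFILE, {"examplelib": TAMPERED_WHEEL}))
```

The gate reports the unhashed Other_Lib entry even when the artifacts are fine, which is the point: a lock file with one unhashed line lets pip fall back to whatever the index serves for that package, and a compromised upstream like the ones in the TeamPCP waves is exactly what the hash pin is there to catch. Provenance attestation (verifying who published the artifact) is a separate check layered on top of this one.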

Notable News & Signals

CISA Contractor Leaked AWS GovCloud Keys in Public GitHub Repo for 6 Months

A Nightwing contractor’s “Private-CISA” GitHub repository — publicly accessible from November 2025 until mid-May 2026 — exposed administrative credentials for three CISA AWS GovCloud environments, plaintext passwords for internal systems, and detailed CI/CD pipeline configurations. The contractor had disabled GitHub’s default secret-blocking setting. Lawmakers have requested a classified briefing.

LiteSpeed cPanel Plugin CVE-2026-48172 (CVSS 10.0) Exploited for Root Access

A maximum-severity privilege escalation flaw in the LiteSpeed cPanel plugin (versions 2.3–2.4.4) allows any logged-in cPanel user to execute arbitrary scripts as root via a logic flaw in the lsws.redisAble JSON-API endpoint. Actively exploited; patch to v2.4.7+ immediately.

Drupal Core CVE-2026-9082 SQL Injection Added to CISA KEV

CISA added this unauthenticated SQL injection vulnerability in Drupal Core’s PostgreSQL EntityQuery handler to the KEV catalog on May 22. Imperva reports 15,000+ attack attempts against 6,000 sites across 65 countries. Affects only PostgreSQL-backed Drupal instances; patched in versions 10.4.10, 10.5.10, 11.2.12, and 11.3.10.

npm Staged Publishing + 2FA-Gated Controls Now Generally Available

GitHub’s new staged publishing workflow for npm requires a human maintainer to pass a 2FA challenge before a package version goes live. Paired with trusted OIDC publishing, this means CI-automated publishes stage in a queue for human approval — directly addressing the TeamPCP-class threat of automated package poisoning. Three new install-source flags also restrict which package origins can be consumed during builds.

Topics Already Covered — No New Action Required

  • npm Staged Publishing / 2FA-Gated Controls: Valuable supply chain hardening news, but primarily a vendor feature announcement. Adjacent to workload identity coverage in CSA_research_note_workload-identity-federation-vs-api-keys_20260522.
  • Drupal Core CVE-2026-9082 SQL Injection: Active CISA KEV exploitation confirmed, but this is a traditional web application vulnerability without AI-specific dimensions. Outside the AI Safety Initiative portfolio scope.
  • LiteSpeed cPanel Plugin CVE-2026-48172 (CVSS 10.0): Maximum severity, actively exploited — but in the infrastructure/web server category without AI-specific relevance to this initiative.
  • CISA Private-CISA Contractor GitHub Credential Leak: Compelling insider/contractor risk story. The CI/CD credentials-in-public-repo angle is better addressed by the Megalodon topic (Topic 3), which covers the broader attack class more instructively.
  • Packagist/Laravel-Lang Supply Chain Attack: Covered thematically by the TeamPCP strategic risk topic (Topic 5). A second PHP supply chain note would create redundancy without adding AI-specific value to this portfolio.