CISO Daily Briefing
Cloud Security Alliance Intelligence Report
Executive Summary
The 48-hour intelligence window reveals a concentrated assault on developer toolchains: a malicious VSCode extension compromised 3,800 GitHub repositories, while a CVSS 10.0 privilege escalation flaw in LiteSpeed cPanel is already being actively exploited. Most consequentially, threat actors have deployed the first known AI-developed zero-day 2FA bypass at mass scale — a categorical shift that challenges every MFA trust model currently in production.
On the governance front, Anthropic’s Project Glasswing/Claude Mythos disclosures — 10,000+ high-severity vulnerabilities discovered autonomously — are triggering active regulatory debate across multiple governments on licensing frameworks for offensive AI capabilities. CISOs deploying or evaluating AI security tools should begin tracking this compliance trajectory now.
Overnight Research Output
GitHub VSCode Extension Supply Chain Breach
CRITICAL
Summary: GitHub has confirmed that a malicious VSCode extension compromised 3,800 repositories in a single campaign. Unlike prior GitHub Actions and package registry attacks, this vector targets developer workstations directly — capturing local signing credentials and providing persistent access that survives CI/CD remediation. The breadth of the campaign signals deliberate targeting of high-value codebases, not opportunistic scanning.
Key Actions: Audit all installed VSCode extensions organization-wide. Review extension installation policies and enforce extension allowlisting where possible. Rotate any signing credentials stored on developer workstations.
▸ BleepingComputer — “GitHub confirms breach of 3,800 repos via malicious VSCode extension” (May 24, 2026)
▸ Risky Business #838 — Episode discussion: GitHub investigates possible breach
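One way to carry out the extension audit and allowlisting from the Key Actions above, as an added example that is not part of the original briefing. It assumes each workstation's output of `code --list-extensions --show-versions` has been collected centrally; the host names, extension IDs and allowlist entries are hypothetical, and the version pinning is an assumption of this example.

```python
# Allowlist: extension id (publisher.name, lower-case) -> approved versions,
# or None when any version is accepted. All entries are hypothetical.
ALLOWLIST = {
    "examplecorp.linter": {"2.4.1", "2.4.2"},
    "examplecorp.theme": None,
}

# Constructed sample: per-host output of `code --list-extensions --show-versions`.
SAMPLE_INVENTORIES = {
    "dev-laptop-01": "ExampleCorp.Linter@2.4.1\nexamplecorp.theme@9.0.0\n",
    "dev-laptop-02": "examplecorp.linter@2.5.0\nunknownpub.helper@0.0.3\n",
}

def parse_inventory(text):
    """Parse 'publisher.name@version' lines into {extension_id: version}."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ext_id, _, version = line.partition("@")
        # Extension ids are compared case-insensitively.
        found[ext_id.lower()] = version or None
    return found

def audit(inventories, allowlist=ALLOWLIST):
    """Return findings as (host, extension, version, reason), sorted by host."""
    findings = []
    for host, text in inventories.items():
        for ext_id, version in parse_inventory(text).items():
            approved = allowlist.get(ext_id, "missing")
            if approved == "missing":
                findings.append((host, ext_id, version, "not allowlisted"))
            elif approved is not None and version not in approved:
                findings.append((host, ext_id, version, "unapproved version"))
    return sorted(findings, key=lambda f: f[:2])

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORIES):
        print(*finding, sep="\t")
```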
LiteSpeed cPanel CVE-2026-48172 — Privilege Escalation
CRITICAL
Summary: CVE-2026-48172 (CVSS 10.0) allows any cPanel user — including one operating with a compromised low-privilege account — to execute arbitrary scripts as root via the lsws.redisAble function. Active exploitation was confirmed in the wild less than 24 hours after disclosure. LiteSpeed serves a significant share of the global shared web hosting market, giving this vulnerability a disproportionately large blast radius.
Key Actions: Patch the LiteSpeed cPanel plugin immediately. Block requests matching the interim IoC cpanel_jsonapi_func=redisAble in WAF rules. Check CISA KEV for addition status and treat as an emergency patch if listed.
▸ The Hacker News — “LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root” (May 23, 2026)
▸ CISA KEV Catalog — Check for active addition status
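A retrospective check for the interim IoC named in the Key Actions above, as an added example that is not part of the original briefing. It assumes combined-format web access logs; the log lines, IP addresses and the `/example-endpoint` path are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Indicator from the briefing: cpanel_jsonapi_func=redisAble
IOC_PARAM = "cpanel_jsonapi_func"
IOC_VALUE = "redisable"  # compared lower-case; over-matching is acceptable here

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the path is a placeholder, not the real endpoint.
SAMPLE_LOG = '''
192.0.2.10 - - [23/May/2026:10:00:01 +0000] "GET /example-endpoint?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
192.0.2.11 - - [23/May/2026:10:00:02 +0000] "GET /example-endpoint?cpanel_jsonapi_func=listfiles HTTP/1.1" 200 812
198.51.100.7 - - [23/May/2026:10:00:03 +0000] "POST /example-endpoint?cpanel%5Fjsonapi%5Ffunc=redis%2541ble HTTP/1.1" 200 64
192.0.2.12 - - [23/May/2026:10:00:04 +0000] "GET /index.html?q=redisAble HTTP/1.1" 200 1024
'''.strip()

def matches_ioc(target):
    """True if the request target carries the indicator, tolerating
    percent-encoding (including one level of double encoding) and case changes."""
    query = urlsplit(target).query
    for _ in range(2):  # second pass parses the once-decoded query string
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() == IOC_PARAM and value.lower() == IOC_VALUE:
                return True
        query = unquote_plus(query)
    return False

def scan(lines):
    """Return (client_ip, method, target) for each log line that matches.
    Parameters sent in a POST body are not logged, so only query strings are covered."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and matches_ioc(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("method"), m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, method, target in scan(SAMPLE_LOG.splitlines()):
        print(ip, method, target)
```

A WAF rule built on the same indicator should inspect request bodies as well, since this log scan cannot see them.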
AI-Developed Zero-Day 2FA Bypass — Mass Exploitation
CRITICAL
Summary: Threat intelligence has confirmed the first known case of attackers using AI to develop a zero-day two-factor authentication bypass and deploying it at mass scale. This represents a categorical shift: AI is no longer solely a defender’s tool but a credible offensive weapon capable of defeating the MFA controls that organizations have treated as a security baseline. This development arrives precisely as Microsoft announces the end of SMS-based MFA for personal accounts, compounding the authentication risk landscape.
Key Actions: Review MFA implementation across all critical systems. Migrate from SMS/TOTP MFA to phishing-resistant options (FIDO2/passkeys) where feasible. Accelerate identity risk model review — treat MFA as one layer, not the final one.
▸ The Hacker News — “Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation”
▸ Risky Bulletin — “Microsoft ends SMS MFA for personal accounts” (contextual backdrop)
Post-Mythos AI Model Regulation — Policy Landscape
GOVERNANCE
Summary: Anthropic’s disclosure that Project Glasswing/Claude Mythos autonomously identified over 10,000 high-severity vulnerabilities across 1,000+ open-source projects — with 1,094 confirmed true positives — has triggered active regulatory debate across multiple governments. Policymakers are weighing whether frontier AI models with autonomous offensive cyber capabilities require licensing or public disclosure frameworks. This is not abstract: enterprises deploying AI security tools need to track this compliance trajectory now.
Key Actions: Begin mapping your AI security tool inventory against emerging regulatory frameworks. Engage legal/compliance teams on licensing implications for AI-generated security research. Monitor CISA and NIST for formal guidance as the regulatory landscape crystallizes.
▸ Risky Business Newsletter — “Srsly Risky Biz: After Mythos, US Government Weighs AI Model Regulation”
▸ Risky Business Newsletter — “Srsly Risky Biz: The AI Regulation Knife Fight”
▸ The Hacker News — “Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software” (May 23, 2026)
Developer Toolchain as Primary Enterprise Attack Surface
WHITEPAPER
Summary: May 2026 has produced a definitive pattern: attackers are no longer attempting to breach enterprise perimeters — they are compromising the tools developers use to write, build, and ship code. Within a two-week window, credible incidents targeted VSCode extensions (3,800 repos), PyPI packages (TeamPCP/durabletask), npm packages (Mini Shai-Hulud, TanStack), GitHub Actions workflows (Megalodon, 5,561 repos), and Packagist/Composer packages (Laravel-Lang). This convergence reveals a structural vulnerability: enterprise security programs treat developer tooling as a trusted insider, while attackers treat it as an unguarded gate.
Key Actions: Commission a developer toolchain audit encompassing IDE extensions, package registries, and CI/CD pipeline trust models. Establish organizational controls for supply chain security that go beyond patch management — including allowlisting, artifact signing, and behavioral monitoring of build environments.
▸ Wiz Blog — “The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave” (May 19, 2026)
▸ Wiz Blog — “durabletask: TeamPCP’s Latest PyPi Compromise” (May 19, 2026)
▸ Wiz Blog — “Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised” (May 12, 2026)
▸ The Hacker News — “npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks” (May 23, 2026)
▸ The Hacker News — “Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware” (May 23, 2026)
Notable News & Signals
Microsoft Ending SMS MFA for Consumer Accounts
Microsoft is phasing out SMS-based multi-factor authentication for personal accounts. The change arrives simultaneously with the first AI-developed MFA bypass, which adds urgency to FIDO2 migration timelines.
npm Adds 2FA-Gated Staged Publishing
GitHub’s emergency deployment of mandatory 2FA for npm package publishing is a direct regulatory response to the Mini Shai-Hulud and TeamPCP campaigns — the most significant npm trust control change in years.
Operation Saffron: First VPN Service Dismantled
Law enforcement successfully dismantled the first VPN service used for criminal infrastructure — an important precedent for cyber law enforcement but not an immediate enterprise defensive action item.
Fragnesia Linux Kernel LPE Under Monitoring
A newly disclosed Linux kernel local privilege escalation via page cache corruption (Fragnesia) is technically significant but still at the initial disclosure stage; watch for enterprise patch availability before treating it as an emergency.
Packagist Supply Chain Attack — 8 Packages via Linux Malware
Eight Packagist/Composer packages were infected using GitHub-hosted Linux malware — extending the developer toolchain attack pattern to the PHP ecosystem and Laravel’s dependency supply chain.
Topics Already Covered (No New Action Required)
- Langflow CVE-2025-34291 active exploitation: Covered by CSA Research Note: Langflow CVE-2025-34291 Agentic AI Exploitation (May 24, 2026)
- Megalodon GitHub Actions campaign: Covered by CSA Research Note: Megalodon GitHub Actions CI/CD Supply Chain (May 24, 2026)
- TeamPCP / UNC6780 supply chain threat actor: Covered by CSA Research Note: TeamPCP UNC6780 AI Developer Supply Chain Risk (May 24, 2026)
- CISA Agentic AI five-risk framework: Covered by CSA Research Note: CISA Agentic AI Five-Risk Framework Implementation (May 24, 2026)
- AI vulnerability discovery velocity and disclosure crisis: Covered by CSA Research Note: AI Vuln Discovery Velocity and Disclosure Crisis (May 24, 2026)
- Drupal Core CVE-2026-9082 SQL injection: Active exploitation confirmed; below publication threshold given existing CVE coverage and standard SQL injection pattern.
- Ghostwriter/UAC-0057 Ukraine phishing campaign: Nation-state threat; geographically scoped to Ukrainian government sector — not immediately actionable for enterprise CISOs.