CISO Daily Briefing
Cloud Security Alliance Intelligence Report
Executive Summary
Today’s cycle surfaces a coordinated escalation across three attack vectors: a critical new TrapDoor supply chain campaign weaponizing AI coding assistants as payload delivery mechanisms across npm, PyPI, and Crates.io; active mass exploitation of Ghost CMS’s AI-discovered CVE-2026-26980 across 700+ sites; and Iran’s Nimbus Manticore deploying AI-generated backdoors against Western aerospace targets. India’s CERT-In issued the world’s first national 12-hour patch mandate explicitly justified by AI-accelerated exploitation windows — a regulatory precedent that will force enterprise patch SLA redesigns globally. Simultaneously, a CISA contractor’s GovCloud credential exposure and the agency’s 30%+ workforce reduction signal a critically degraded US critical infrastructure defense posture.
TrapDoor: AI Assistants Weaponized in Supply Chain Attack
CRITICAL
34 malicious packages across npm/PyPI/Crates.io implant hidden instructions in CLAUDE and .cursorrules to co-opt AI coding tools as payload delivery vectors.
- 384+ malicious package versions since May 22
- Targets AI & crypto developer environments
- Steals AWS tokens, SSH keys, GitHub PATs, crypto wallets
Overnight Research Output
TrapDoor Cross-Ecosystem Supply Chain Attack — AI-Native Persistence via CLAUDE & .cursorrules Implants
CRITICAL
Summary: TrapDoor is the first documented supply chain campaign to weaponize AI coding assistants as a persistence and payload delivery vector. Attackers implanted hidden instructions in CLAUDE and .cursorrules project configuration files — the files that tools like Claude Code and Cursor read at startup — causing them to silently execute attacker payloads when developers request routine operations like “run a security scan.” The campaign spans 34 malicious packages across 384+ versions in npm, PyPI, and Crates.io simultaneously, with activity traced back to May 22. Credential theft targets AWS tokens, SSH keys, GitHub PATs, and crypto wallets, combined with SSH-based lateral movement and systemd/cron persistence mechanisms.
Action Required: Audit all CLAUDE and .cursorrules files in developer repositories for unauthorized instructions. Restrict AI assistant tool execution permissions. Verify package integrity before dependency updates, especially in AI and crypto development pipelines.
● The Hacker News — TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO (May 25, 2026)
● Socket Security — TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages (May 2026)
Ghost CMS CVE-2026-26980 — AI-Discovered Flaw Weaponized in Mass ClickFix Campaign
HIGH URGENCY
Summary: CVE-2026-26980 is a CVSS 9.4 SQL injection vulnerability in Ghost CMS’s Content API, originally discovered by Anthropic using Claude — making it among the first high-impact public CVEs attributed to an AI model. Now fully weaponized: at least 700+ domains compromised including university portals (Harvard, Oxford), AI/SaaS companies, and security-focused sites, with injected JavaScript serving ClickFix social engineering lures to site visitors. The unauthenticated attack chain — API key theft, admin API abuse, content poisoning, victim-side command execution — illustrates how AI-discovered vulnerabilities enter the exploitation pipeline faster than manually discovered predecessors. The patch was available since February 2026; mass exploitation arrived within three months.
Action Required: Organizations running Ghost CMS must patch immediately. Security teams should scan for injected JavaScript in CMS-served content. Treat ClickFix lure delivery from compromised sites as an active threat to end users.
● The Hacker News — Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks (May 25, 2026)
● BleepingComputer — Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign (May 24, 2026)
Nimbus Manticore — Iran Deploys AI-Assisted Backdoors Against Western Aerospace Targets
HIGH URGENCY
Summary: Iran’s IRGC-affiliated Nimbus Manticore group (UNC1549) introduced two new backdoors — MiniFast and MiniJunk V2 — in the post-US/Israel military campaign period beginning March 2026. Check Point Research found strong evidence of AI-assisted code generation: excessive defensive error handling, atypical coding patterns, and rapid capability iteration consistent with LLM-augmented development. Targets span US, European, and Middle Eastern aerospace, aviation, and software sectors, using a new SEO poisoning delivery vector alongside phishing lures. This represents the clearest documented case of a state-sponsored group leveraging AI coding assistance to accelerate offensive malware development — a qualitative shift in the nation-state threat landscape.
Action Required: Aerospace, aviation, and defense contractors should elevate threat hunting for SEO poisoning lures and MiniFast/MiniJunk V2 indicators. Update threat models to account for AI-accelerated malware development cycles reducing detection window.
● The Hacker News — Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning (May 26, 2026)
● Check Point Research — Fast and Furious: Nimbus Manticore Operations During the Iranian Conflict (May 2026)
CERT-In’s 12-Hour Patch Mandate — First National AI-Paced Compliance Standard
GOVERNANCE
Summary: India’s CERT-In published a 38-page national cybersecurity blueprint on May 26, 2026 establishing a 12-hour patching requirement for internet-facing critical vulnerabilities — the most aggressive patch timeline mandate issued by any national authority to date, and the first explicitly justified by AI-accelerated exploitation windows. The blueprint states that AI tools reduce adversarial weaponization timelines to windows that outpace traditional 30/60/90-day patch cycles. While the mandate applies to Indian organizations, it establishes a global regulatory precedent: if major markets adopt comparable AI-paced compliance standards, multinationals face a fundamentally different patch governance model requiring automation-first architectures.
Action Required: Evaluate current patch SLAs against a 12-hour benchmark for internet-facing systems. Assess automation tooling gaps. Begin architectural planning for AI-assisted patch deployment pipelines if not already underway.
● The Hacker News — CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks (May 26, 2026)
CISA’s Institutional Fragility — GovCloud Credential Leak and the Hollowing of America’s Cyber Defense Backstop
STRATEGIC RISK
Summary: A CISA contractor exposed plaintext AWS GovCloud credentials, CI/CD infrastructure details, Kubernetes manifests, ArgoCD configuration, and Terraform code on a public GitHub repository for months. More critically: security researcher Dylan Ayrey confirmed that an RSA private key granting full read access to every private repository in the CISA-IT GitHub organization — plus the ability to register rogue CI/CD runners and modify branch protection rules — remained active a full week after GitGuardian first notified the agency. This incident is less notable as a one-off breach than as a diagnostic of systemic institutional failure: CISA has lost more than one-third of its workforce and all senior leadership through forced attrition, leaving the agency’s security culture in collapse at the moment of peak adversarial pressure.
Action Required: CISOs at critical infrastructure organizations should reassess reliance on CISA threat intelligence, incident response coordination, and vulnerability advisories given degraded agency capacity. Activate peer-network and ISACs as compensating advisory channels. Review internal programs that depend on CISA coordination.
● Krebs on Security — CISA Admin Leaked AWS GovCloud Keys on Github (May 18, 2026)
● Krebs on Security — Lawmakers Demand Answers as CISA Tries to Contain Data Leak (May 22, 2026)
Notable News & Signals
Lazarus Group Deploys RemotePE Memory-Only RAT Against Crypto and DeFi Firms
North Korea’s Lazarus Group introduced RemotePE, a fileless remote access trojan operating entirely in-memory to evade endpoint detection. Targets span crypto exchanges, DeFi protocols, and financial services firms. Assessed lower CSA differentiation than supply chain and nation-state AI topics this cycle given existing crypto-threat coverage in the portfolio.
npm Introduces Staged Publishing and 2FA-Gated Package Controls
npm added two new supply chain defenses: staged publishing (requiring explicit promotion before a package version becomes publicly available) and 2FA-gated publish controls preventing unauthorized package releases even if maintainer credentials are compromised. Low CSA-additive value this cycle given existing supply chain research; adequately covered by vendor documentation.
CISA Adds Drupal Core SQL Injection Flaw to Known Exploited Vulnerabilities Catalog
CISA added a Drupal Core SQL injection vulnerability to the KEV catalog following confirmed active exploitation. This is a routine catalog update without novel research implications; affected organizations should follow standard KEV remediation timelines. No CSA research note warranted.
Topics Already Covered — No New Action Required
- TeamPCP / Nx Console VSCode Extension GitHub Breach: Covered by CSA Research Note: VSCode Extension Supply Chain Breach (May 25, 2026)
- Megalodon GitHub Actions CI/CD Supply Chain Attack: Covered by CSA Research Note: Megalodon GitHub Actions CICD Supply Chain (May 24, 2026)
- AI Model Regulation Landscape Post-Mythos: Covered by CSA Research Note: Post-Mythos AI Model Regulation Policy Landscape (May 25, 2026)
- AI Vulnerability Discovery Velocity / Disclosure Crisis: Covered by CSA Research Note: AI Vuln Discovery Velocity Disclosure Crisis (May 24, 2026)
- Agentic AI Risk Framework — CISA Five-Risk Model: Covered by CSA Research Note: CISA Agentic AI Five-Risk Framework Implementation (May 24, 2026)