Executive Summary
The May 12–13 coverage window is dominated by two high-impact supply chain events: the “Mini Shai-Hulud” npm/PyPI worm compromising 172 packages including @tanstack and @mistralai, and a mass malicious package upload against the RubyGems registry that forced a suspension of new user registrations. Microsoft’s May 2026 Patch Tuesday delivered 120 fixes, including a CVSS 9.8 Windows Netlogon RCE, with no actively exploited zero-days; it coincided with CISA releasing six new ICS advisories covering energy, manufacturing, and utilities vendors. Google Threat Intelligence Group published the first confirmed instance of a criminal threat actor using AI to develop a zero-day exploit for mass 2FA-bypass deployment, a significant inflection point for offensive AI adoption. Updated intelligence confirms active in-the-wild exploitation of the Dirty Frag Linux kernel privilege escalation chain and escalating political fallout from the Instructure/Canvas breach.
- Mini Shai-Hulud (TeamPCP npm/PyPI worm) is actively self-propagating across developer toolchains; organisations using @tanstack, @mistralai, @uipath, or guardrails-ai must audit and rebuild any pipelines that ran these packages between 2026-05-11 19:20 UTC and 2026-05-12.
- Microsoft Patch Tuesday (CVE-2026-41089 — Netlogon CVSS 9.8) represents an unauthenticated RCE against domain controllers; DC patching must be treated as emergency-priority with a 24-hour SLA.
- RubyGems mass package attack is targeting CI/CD credentials and SSH keys; any Ruby-based build pipeline must be audited for secrets exfiltration.
- Dirty Frag (CVE-2026-43284 / CVE-2026-43500) is confirmed actively exploited in-the-wild; all Linux hosts must be patched or mitigated immediately; CVE-2026-43500 patches remain incomplete on some distributions.
- AI-generated zero-day (GTIG disclosure) signals criminal actors have crossed the threshold to AI-assisted vulnerability development; 2FA implementations on administrative panels warrant immediate review.
Threat Landscape Overview
| # | Threat Cluster | Severity | Target Sectors | Attribution | Status | Timestamp |
|---|---|---|---|---|---|---|
| 1 | Mini Shai-Hulud — npm/PyPI Supply Chain Worm | CRITICAL | Software Development, Technology, Financial Services | TeamPCP (unattributed nation-state affiliation) | NEW | 2026-05-12 00:00 UTC |
| 2 | Microsoft May 2026 Patch Tuesday — 120 CVEs incl. CVSS 9.8 Netlogon RCE | HIGH | All sectors (Windows enterprise) | N/A (vendor advisory) | NEW | 2026-05-12 17:00 UTC |
| 3 | CISA ICS Advisories ICSA-26-132 — ABB, Fuji Electric, Subnet Solutions | MEDIUM | Energy, Manufacturing, Utilities | N/A (vendor advisory) | NEW | 2026-05-12 00:00 UTC |
| 4 | RubyGems Mass Malicious Package Upload | HIGH | Software Development, DevOps | BufferZoneCorp (unattributed) | NEW | 2026-05-12 09:00 UTC |
| 5 | Google GTIG: First AI-Generated Zero-Day — 2FA Bypass | HIGH | All sectors (open-source admin tools) | Criminal threat actor (unattributed) | NEW | 2026-05-12 00:00 UTC |
| 6 | Dirty Frag — CVE-2026-43284 / CVE-2026-43500 In-Wild Exploitation | CRITICAL | All sectors (Linux infrastructure) | Multiple threat actors | UPDATED | 2026-05-12 00:00 UTC |
| 7 | DAEMON Tools Supply Chain Attack — QUIC RAT Backdoor | HIGH | Government, Manufacturing, Retail, Science | China-linked actor (assessed with moderate confidence) | UPDATED | 2026-05-12 00:00 UTC |
| 8 | MuddyWater — Microsoft Teams False Flag Ransomware / Credential Theft | HIGH | Government, Technology, MENA and Western organisations | MuddyWater / Mango Sandstorm (Iran-affiliated) | UPDATED | 2026-05-12 00:00 UTC |
| 9 | Instructure/Canvas — ShinyHunters Breach Escalation | HIGH | Education | ShinyHunters (financially motivated) | UPDATED | 2026-05-12 00:00 UTC |
Campaign Deep-Dives
New Intelligence
1. Mini Shai-Hulud — TeamPCP npm/PyPI Supply Chain Worm
Actor: TeamPCP; no confirmed nation-state affiliation; assessed as financially motivated or state-sponsored supply chain sabotage based on target selection.
Malware Family: Mini Shai-Hulud worm; credential stealer; destructive home-directory daemon.
First Observed: 2026-05-11 19:20 UTC (first malicious publish); broader disclosure 2026-05-12.
Source Timestamp: 2026-05-12 00:00 UTC (Aikido Security, The Hacker News, Socket.dev).
Between 2026-05-11 19:20 UTC and 19:26 UTC, 84 malicious npm artifacts were published across 42 packages in the @tanstack namespace. Within 48 hours, the attack expanded to 172 unique packages spanning 403 malicious versions across npm and PyPI, covering namespaces including @uipath (66 entries), @squawk (87 entries), @mistralai (mistralai, mistralai-azure, mistralai-gcp), @tallyui, @beproduct, and individual packages including intercom-client and opensearch-project/opensearch. On PyPI, guardrails-ai 0.10.1 and mistralai 2.4.6 were confirmed malicious. The packages collectively represent over 518 million cumulative downloads.
What makes this attack technically distinctive is that the adversary did not steal npm credentials. Instead, they exploited a chain of GitHub Actions vulnerabilities against TanStack’s CI/CD pipeline: the attacker forked the TanStack/router repository, opened a pull request triggering a pull_request_target workflow, poisoned the GitHub Actions cache with a malicious pnpm store, and extracted OIDC tokens directly from the runner’s process memory. This allowed publishing under TanStack’s own trusted OIDC identity — the resulting packages carried valid, legitimate provenance signatures, defeating package signature verification as a control.
The malicious payload implements a “triple-channel” C2 architecture: the typosquat domain git-tanstack[.]com, decentralized communication through Session messenger network seed nodes (*.getsession.org), and GitHub API dead drops where stolen tokens create repositories with Dune universe-themed branch names (atreides, sandworm, fremen, harkonnen) as a covert exfiltration channel.
The worm component is self-propagating: once installed in a developer’s environment, it attempts to compromise that developer’s own npm credentials and re-publish malicious versions of other packages they maintain. A destructive daemon is also included that can wipe developer home directories.
Vulnerabilities Exploited: No single CVE; exploitation of pull_request_target GitHub Actions workflow misconfiguration allowing cache poisoning and OIDC token extraction.
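The misconfiguration chain above (a `pull_request_target` workflow that checks out and installs attacker-controlled code while holding the base repository's OIDC identity) can be caught before a pull request ever runs. The following is an added example, not TanStack's workflow or any project's tooling: a standard-library scan that flags workflows combining the privileged trigger with a head-ref checkout, Actions cache use, a dependency install, or an `id-token: write` permission. It is a line-based heuristic rather than a YAML parser, and the two workflows embedded at the bottom are constructed samples.

```python
"""Heuristic check for the GitHub Actions misconfiguration described above.

Added example; not the TanStack project's code or workflow. Flags a workflow
that runs on `pull_request_target` (base-repository secrets and OIDC identity
are available to the job) while checking out the pull request head, using the
Actions cache or installing dependencies, or requesting an OIDC token.
Line-based scan, not a YAML parser; the sample workflows are constructed.
"""
import re
from pathlib import Path

TRIGGER_BLOCK = re.compile(r"^\s*(-\s*)?pull_request_target\s*:?\s*$")          # block-style `on:`
TRIGGER_INLINE = re.compile(r"^\s*on\s*:\s*\[[^\]]*\bpull_request_target\b")      # `on: [push, pull_request_target]`
PR_HEAD_CHECKOUT = re.compile(
    r"ref\s*:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}"
)
CACHE_OR_INSTALL = re.compile(r"actions/cache@|\bpnpm install\b|\bnpm (ci|install)\b|\byarn install\b")
OIDC_TOKEN = re.compile(r"^\s*id-token\s*:\s*write\s*$")


def uses_privileged_trigger(text: str) -> bool:
    return any(TRIGGER_BLOCK.match(l) or TRIGGER_INLINE.match(l) for l in text.splitlines())


def scan_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file; empty list means nothing flagged."""
    if not uses_privileged_trigger(text):
        return []
    findings = ["pull_request_target trigger: job runs with base-repo secrets and OIDC identity"]
    for n, line in enumerate(text.splitlines(), 1):
        if PR_HEAD_CHECKOUT.search(line):
            findings.append(f"line {n}: checks out the pull request head (untrusted code) in a privileged job")
        if CACHE_OR_INSTALL.search(line):
            findings.append(f"line {n}: cache use or dependency install on untrusted code can poison the Actions cache")
        if OIDC_TOKEN.match(line):
            findings.append(f"line {n}: id-token: write makes an OIDC token available to the job")
    return findings


def scan_repository(root: str) -> dict[str, list[str]]:
    """Scan every workflow under .github/workflows of a checked-out repository."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings = scan_workflow(path.read_text())
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample: the risky pattern (privileged trigger + head checkout + cache + install).
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install --frozen-lockfile
      - run: pnpm test
"""

# Constructed sample: the plain `pull_request` trigger runs without base-repo secrets.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install --frozen-lockfile
      - run: pnpm test
"""

if __name__ == "__main__":
    for finding in scan_workflow(VULNERABLE_WORKFLOW):
        print(finding)
```

Run `scan_repository(".")` inside a checkout to triage all workflows at once; a finding list that contains both the head-ref checkout and a cache or install line is the combination the report describes and should be treated as a publish-pipeline exposure, not a style issue.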
TTPs (MITRE ATT&CK):
- T1195.001 — Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1552.001 — Unsecured Credentials: Credentials In Files
- T1567.001 — Exfiltration Over Web Service: Exfiltration to Code Repository
- T1496 — Resource Hijacking
- T1485 — Data Destruction
- T1053 — Scheduled Task/Job (persistent daemon)
Malware Toolkit:
- Credential Harvester: Extracts npm tokens, GitHub CLI tokens, AWS credentials, SSH keys, and .npmrc contents.
- Propagation Engine: Publishes malicious versions to packages the victim developer maintains.
- Destructive Daemon: Persistent background process capable of wiping $HOME.
- C2 Client: Multi-channel; custom HTTPS to git-tanstack[.]com, Session messenger protocol, and GitHub API.
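The audit the summary calls for (identify pipelines that installed affected packages inside the malicious publish window) is mostly a lockfile question. The following is an added example, not code from the report or from any affected project: it checks `pip freeze` output against the PyPI versions the report names as malicious, and walks a `package-lock.json` flagging packages in the affected npm scopes whose installed version was published inside the window, using the npm registry's per-version `time` metadata. The lockfile, freeze output, version numbers and registry timestamps below are constructed sample data, and the window end (end of 2026-05-12 UTC) is an assumption.

```python
"""Audit installed dependencies against the Mini Shai-Hulud indicators above.

Added example, not code from the original report or from any affected project.
  * PyPI: exact match against the versions the report names as malicious.
  * npm: packages in the affected scopes are classified by the installed
    version's publish timestamp (registry `time` field) relative to the
    malicious publish window; versions not covered by the supplied registry
    data are reported as UNKNOWN for manual review.
Sample lockfile, freeze output and registry timestamps are constructed.
"""
import json
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 5, 11, 19, 20, tzinfo=timezone.utc)  # first malicious publish (report)
WINDOW_END = datetime(2026, 5, 13, 0, 0, tzinfo=timezone.utc)      # assumption: end of 2026-05-12 UTC

KNOWN_BAD_PYPI = {("guardrails-ai", "0.10.1"), ("mistralai", "2.4.6")}   # named in the report
AFFECTED_NPM_SCOPES = ("@tanstack/", "@uipath/", "@squawk/", "@mistralai/", "@tallyui/", "@beproduct/")
AFFECTED_NPM_PACKAGES = {"intercom-client"}


def _parse_iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_npm_lockfile(lockfile: dict, registry_time: dict) -> list[dict]:
    """Classify in-scope entries of a package-lock.json (lockfileVersion 2/3 'packages' map)."""
    findings = []
    for path, meta in lockfile.get("packages", {}).items():
        if "node_modules/" not in path:            # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules paths
        version = meta.get("version")
        if not version:
            continue
        if not (name.startswith(AFFECTED_NPM_SCOPES) or name in AFFECTED_NPM_PACKAGES):
            continue
        published = registry_time.get(name, {}).get(version)
        if published is None:
            verdict = "UNKNOWN"
        elif WINDOW_START <= _parse_iso(published) <= WINDOW_END:
            verdict = "MALICIOUS_WINDOW"
        else:
            verdict = "OUTSIDE_WINDOW"
        findings.append({"name": name, "version": version, "published": published, "verdict": verdict})
    return findings


def audit_pip_freeze(freeze_output: str) -> list[dict]:
    """Flag pinned PyPI packages that match a known-malicious (name, version) pair."""
    findings = []
    for line in freeze_output.splitlines():
        if "==" not in line:
            continue
        name, version = line.strip().split("==", 1)
        name = name.lower().replace("_", "-")      # PEP 503 style name normalisation
        if (name, version) in KNOWN_BAD_PYPI:
            findings.append({"name": name, "version": version, "verdict": "KNOWN_MALICIOUS"})
    return findings


# Constructed sample lockfile; the version numbers are placeholders, not real releases.
SAMPLE_LOCKFILE = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/@tanstack/router": {"version": "1.120.0"},
    "node_modules/@tanstack/query-core": {"version": "5.60.0"},
    "node_modules/intercom-client": {"version": "6.0.0"},
    "node_modules/lodash": {"version": "4.17.21"}
  }
}""")

# Constructed stand-in for the registry `time` metadata (GET https://registry.npmjs.org/<name>, key "time").
SAMPLE_REGISTRY_TIME = {
    "@tanstack/router": {"1.120.0": "2026-05-11T19:21:03.000Z"},
    "@tanstack/query-core": {"5.60.0": "2026-04-02T10:15:00.000Z"},
}

SAMPLE_PIP_FREEZE = "guardrails-ai==0.10.1\nmistralai==2.4.7\nrequests==2.32.3\n"

if __name__ == "__main__":
    for f in audit_npm_lockfile(SAMPLE_LOCKFILE, SAMPLE_REGISTRY_TIME) + audit_pip_freeze(SAMPLE_PIP_FREEZE):
        print(f)
```

In practice the `registry_time` map is populated from the registry document for each in-scope package; an OUTSIDE_WINDOW verdict only clears the installed version, so a CI runner that resolved a different version during the window still needs its build logs checked.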
2. Microsoft May 2026 Patch Tuesday — 120 CVEs Including CVSS 9.8 Netlogon RCE
Actor: N/A (vendor advisory).
First Observed: 2026-05-12 (advisory release).
Source Timestamp: 2026-05-12 17:00 UTC (BleepingComputer, Tenable, Qualys).
Microsoft’s May 2026 Patch Tuesday addressed 120 vulnerabilities with no actively exploited zero-days — notable given the elevated exploitation tempo of recent months. Of the 17 Critical-rated vulnerabilities, 14 are RCE flaws. Elevation of Privilege (EoP) vulnerabilities constitute 48.3% of the total patch volume this cycle, reflecting threat actors’ continued reliance on post-exploitation privilege escalation chains.
The most critical finding is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon allowing unauthenticated RCE against domain controllers via a crafted network request. Domain controllers are primary targets for ransomware operators and APT actors seeking credential dumping and lateral movement; this vulnerability represents a direct path to domain compromise. Four Microsoft Word RCEs are included, with CVE-2026-40361 and CVE-2026-40364 assessed by Microsoft as “more likely to be exploited,” making them high-priority phishing-vector concerns. SharePoint CVE-2026-40365 allows authenticated network-based RCE and will be attractive to actors with prior credential access.
Key CVEs:
- CVE-2026-41089 — Windows Netlogon; CVSS 9.8; unauthenticated RCE via crafted network packet to domain controllers
- CVE-2026-41096 — Windows DNS Client; attacker-controlled DNS server can corrupt memory via malformed DNS response
- CVE-2026-35421 — Windows GDI; RCE via malicious Enhanced Metafile (EMF) opened in Microsoft Paint
- CVE-2026-40361 — Microsoft Word RCE; rated “more likely to be exploited”
- CVE-2026-40364 — Microsoft Word RCE; rated “more likely to be exploited”
- CVE-2026-40365 — Microsoft SharePoint; authenticated network RCE
- CVE-2026-40397 — Windows CLFS Privilege Escalation
- CVE-2026-41610 — VS Code Security Bypass
TTPs (MITRE ATT&CK):
- T1190 — Exploit Public-Facing Application (SharePoint, DNS)
- T1203 — Exploitation for Client Execution (Word, GDI)
- T1068 — Exploitation for Privilege Escalation (CLFS)
- T1210 — Exploitation of Remote Services (Netlogon)
Technical Mechanism (CVE-2026-41089 — Netlogon):
- Attacker identifies a domain controller exposed to the network (port 445/TCP or RPC dynamic ports).
- Attacker sends a crafted Netlogon RPC request without authenticating.
- The malformed packet triggers a stack-based buffer overflow in the Netlogon service.
- Overflowed buffer overwrites the return address, redirecting execution to attacker-controlled shellcode.
- Code executes as SYSTEM on the domain controller, providing full domain compromise capability.
3. CISA ICS Advisories ICSA-26-132 — ABB, Fuji Electric, Subnet Solutions
Actor: N/A (vendor advisories).
Source Timestamp: 2026-05-12 00:00 UTC (cisa.gov).
CISA released six ICS advisories on May 12–13, 2026 under the ICSA-26-132 series. These vulnerabilities affect operational technology (OT) products deployed in energy generation, smart grid management, manufacturing, and utilities. Given the ongoing Iranian-affiliated targeting of PLCs and SCADA/HMI interfaces documented in earlier advisories, these vulnerabilities merit immediate assessment by asset owners.
ABB AC500 V3 (ICSA-26-132-03) contains three vulnerabilities: an unauthenticated forced-browsing vulnerability (CVE-2025-2595) allowing user management bypass and visualisation file read; a certificate/key read-write vulnerability (CVE-2025-41659); and a DoS vulnerability (CVE-2025-41691). The AC500 V3 is a widely deployed industrial PLC family used in energy, water treatment, and building automation.
Fuji Electric Tellus (ICSA-26-132-01) contains a privilege escalation from user to SYSTEM, affecting SCADA visualisation software used in manufacturing and process industries. Subnet Solutions PowerSYSTEM Center (ICSA-26-132-02) contains sensitive information exposure and CRLF injection vulnerabilities in a power system management platform used by electric utilities.
TTPs (MITRE ATT&CK):
- T0866 — Exploitation of Remote Services (OT)
- T0862 — Supply Chain Compromise (OT)
- T0829 — Loss of View (HMI/SCADA manipulation)
4. RubyGems Mass Malicious Package Upload — BufferZoneCorp Campaign
Actor: “BufferZoneCorp” GitHub account; assessed as financially motivated CI/CD credential theft; no confirmed nation-state attribution.
Malware Family: Sleeper packages with post-install credential harvesters; CI/CD pipeline poisoning payloads.
Source Timestamp: 2026-05-12 00:00 UTC (The Hacker News, Risky Business).
RubyGems temporarily suspended new account registrations on May 12, 2026 following a coordinated attack in which hundreds of malicious packages were uploaded over two consecutive days. This is connected to the earlier “BufferZoneCorp” campaign in which the attacker published sleeper packages — initially clean, professional-looking releases — that silently harvested SSH keys, AWS credentials, GitHub CLI tokens, npm configuration files, and RubyGems credentials from developer environments and CI/CD runners, exfiltrating all data to an attacker-controlled endpoint.
The RubyGems attack is particularly significant because it demonstrates attacker awareness of the registry’s trust model: developers and CI pipelines consume gems without strong verification, meaning a malicious gem that passes initial review can reach production build environments at scale. The credential theft focus suggests the actor is building an initial-access broker capability, accumulating cloud and source-code credentials for subsequent sale or use.
Vulnerabilities Exploited: No CVEs; exploitation of developer trust in package registries and lack of runtime behavioural controls on gem install hooks.
TTPs (MITRE ATT&CK):
- T1195.001 — Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1552.001 — Unsecured Credentials: Credentials In Files
- T1567 — Exfiltration Over Web Service
- T1059.006 — Command and Scripting Interpreter: Python/Ruby
Malware Toolkit:
- Sleeper Package: Clean initial release with embedded post-install hooks that activate on subsequent version updates.
- Credential Harvester: Extracts SSH keys (~/.ssh/*), AWS credentials (~/.aws/credentials), GitHub CLI tokens, npm/RubyGems tokens from config files.
- CI Pipeline Backdoor: Modifies GitHub Actions workflow files to persist access and exfiltrate future secrets.
5. Google GTIG: First AI-Generated Zero-Day Exploit — 2FA Bypass
Actor: Criminal threat actor group (unattributed; Google declined to name the group pending investigation); assessed as financially motivated.
Malware Family: AI-generated Python exploit script.
Source Timestamp: 2026-05-12 00:00 UTC (Google Cloud Blog, The Register, Axios).
Google’s Threat Intelligence Group (GTIG) disclosed on May 12, 2026 the first confirmed instance of a criminal threat actor using an AI model to develop a zero-day exploit intended for a mass exploitation event. The exploit targeted a popular open-source web-based system administration tool, exploiting a hard-coded trust exception in the authentication flow that allowed attackers to bypass two-factor authentication entirely after obtaining valid user credentials (obtainable through phishing or credential stuffing). Google proactively detected the planned campaign and disclosed the vulnerability to the vendor before the attack was launched, likely preventing exploitation at scale.
GTIG researchers identified multiple AI-generation markers throughout the exploit code: clean ANSI colour output classes, educational docstrings with textbook explanations, a fabricated CVSS score embedded in comments, organised help menus, and a consistent code style characteristic of LLM output. The attack required multiple criminal actors collaborating — one responsible for initial access/credential collection, another operating the AI-assisted vulnerability research and exploit development.
This event is significant because it confirms that the barrier to zero-day exploit development has materially lowered. John Hultquist, chief analyst at GTIG, stated: “For every zero-day we can trace back to AI, there are probably many more out there.”
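The flaw class GTIG describes, a hard-coded trust exception in the authentication flow that lets a request carrying valid credentials skip the second factor, is worth seeing next to its fix when reviewing administrative panels. The following is an added, constructed illustration, not the affected tool's code: a login routine with a request-supplied client identifier that is exempt from 2FA, beside a hardened routine that verifies the second factor unconditionally and rejects code replay. The user store, the trusted-client list and the request shape are assumptions; the TOTP implementation follows RFC 6238 with its reference secret so the codes are checkable.

```python
"""Second-factor check: the flawed pattern beside a hardened one.

Added example constructed to illustrate the flaw class GTIG describes (a
hard-coded trust exception that lets valid credentials skip 2FA). Not the
affected tool's code; users, trusted-client list and request shape are
assumptions. TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
"""
import hashlib
import hmac
import struct

_SALT = b"constructed-salt"
# Constructed user store; the TOTP secret is the RFC 6238 reference secret.
USERS = {
    "admin": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,      # replay guard: highest TOTP counter already accepted
    }
}

# The defect: a hard-coded set of client identifiers exempt from 2FA. The
# identifier arrives in the request, so anyone holding a password can assert it.
TRUSTED_CLIENTS = {"legacy-sync-agent"}


def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)


def verify_totp(user: dict, code: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the current step or one step either side; never accept a counter twice."""
    if not (code.isdigit() and len(code) == 6):
        return False
    base = unix_time // 30
    for counter in range(base - drift, base + drift + 1):
        matches = hmac.compare_digest(hotp(user["totp_secret"], counter), code)
        if matches and counter > user["last_counter"]:
            user["last_counter"] = counter
            return True
    return False


def login_vulnerable(request: dict, unix_time: int) -> bool:
    user = USERS.get(request.get("username", ""))
    if user is None or not check_password(user, request.get("password", "")):
        return False
    if request.get("client") in TRUSTED_CLIENTS:     # trust exception: second factor skipped
        return True
    return verify_totp(user, request.get("otp", ""), unix_time)


def login_hardened(request: dict, unix_time: int) -> bool:
    user = USERS.get(request.get("username", ""))
    if user is None or not check_password(user, request.get("password", "")):
        return False
    # No client-asserted exemptions: the second factor is always verified and a
    # missing code fails closed. Device trust, if wanted, must come from a
    # server-issued, signed, expiring token bound to this user, never a request field.
    return verify_totp(user, request.get("otp", ""), unix_time)
```

When reviewing a real authentication flow, the pattern to search for is any branch between the password check and the second-factor check whose condition is satisfiable from request data alone (a client name, header, IP string or feature flag); the hardened routine has exactly one such path, and it always runs the OTP check.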
TTPs (MITRE ATT&CK):
- T1078 — Valid Accounts
- T1556.006 — Modify Authentication Process: Multi-Factor Authentication
- T1190 — Exploit Public-Facing Application
- T1588.005 — Obtain Capabilities: Exploits
Updated Intelligence
6. Dirty Frag — CVE-2026-43284 / CVE-2026-43500 Linux Kernel Privilege Escalation
[UPDATED — first reported 2026-05-07, updated 2026-05-12 00:00 UTC]
Actor: Multiple threat actors; initially opportunistic exploitation; Microsoft Defender for Endpoint observed exploitation in targeted attacks.
Malware Family: Exploit tooling (Bash script + compiled C exploit); observed in post-compromise privilege escalation chains.
What Changed: SecurityWeek confirmed within the coverage window that Dirty Frag is now “possibly exploited in attacks” with limited in-wild evidence. Daily Security Review published that “Microsoft Defender confirmed limited in-the-wild exploitation.” The ZDI May 2026 Security Update Review highlighted the ongoing exploitation risk. Patch status for CVE-2026-43500 (RxRPC component) remains incomplete across some distributions as of 2026-05-13. Go and Rust reimplementations of the original Python PoC have been detected in public repositories.
Dirty Frag chains two Linux kernel vulnerabilities: CVE-2026-43284, an xfrm-ESP page-cache write affecting esp4/esp6 modules, and CVE-2026-43500, an RxRPC page-cache write. Unlike many kernel exploits, Dirty Frag is a deterministic logic bug, not a race condition, making it highly reliable. Exploitation typically requires CAP_NET_ADMIN capability, which reduces risk in hardened Kubernetes environments but leaves VMs, bare-metal Linux servers, and containers with elevated privileges fully exposed.
TTPs (MITRE ATT&CK):
- T1068 — Exploitation for Privilege Escalation
- T1543.002 — Create or Modify System Process: Systemd Service (post-escalation persistence)
- T1059.004 — Command and Scripting Interpreter: Unix Shell
Technical Mechanism:
- Attacker gains initial low-privilege foothold on Linux system.
- Attacker confirms presence of esp4/esp6 or rxrpc kernel modules.
- Exploit script compiles and executes — deterministic write to xfrm-ESP page cache corrupts memory structures without triggering kernel panic.
- Page cache corruption is leveraged to overwrite protected kernel memory, gaining CAP_NET_ADMIN and then root.
- Root shell obtained; subsequent persistence mechanisms deployed (systemd service, cron, SSH key injection).
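The two preconditions the mechanism above depends on, presence of the esp4/esp6/rxrpc modules and a process holding CAP_NET_ADMIN, can be checked on a fleet without running any exploit code. The following is an added example, not from the report, a vendor or any exploit tooling: it takes `/proc/modules`, `/proc/self/status` and modprobe.d content as strings so it is testable offline, and reports whether a host is exposed. The modprobe.d check assumes the common hardening of `install <module> /bin/false` lines to prevent autoloading; whether that is sufficient for a given distribution is not something the report states, and patching remains the fix. The /proc and modprobe samples below are constructed.

```python
"""Host exposure check for the Dirty Frag preconditions described above.

Added example, not from the report or any exploit or vendor tooling. Reads
/proc text supplied as strings: whether esp4/esp6/rxrpc are loaded (or still
loadable) and whether the process holds CAP_NET_ADMIN. The modprobe.d check
assumes `install <module> /bin/false` style blocking; constructed samples.
"""
import re
from pathlib import Path

CAP_NET_ADMIN = 12                       # capability bit index from linux/capability.h
RISKY_MODULES = {"esp4", "esp6", "rxrpc"}


def loaded_modules(proc_modules: str) -> set[str]:
    """First field of each /proc/modules line is the module name."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def effective_caps(proc_status: str) -> int:
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("CapEff line not found in status text")


def has_capability(cap_mask: int, bit: int) -> bool:
    return bool((cap_mask >> bit) & 1)


def blocked_modules(modprobe_conf: str) -> set[str]:
    """Modules whose autoload is denied via `install <mod> /bin/false` (or /bin/true)."""
    blocked = set()
    for line in modprobe_conf.splitlines():
        m = re.match(r"^\s*install\s+(\S+)\s+(/bin/false|/bin/true)\s*$", line)
        if m:
            blocked.add(m.group(1))
    return blocked


def assess(proc_modules: str, proc_status: str, modprobe_conf: str = "") -> dict:
    loaded = loaded_modules(proc_modules) & RISKY_MODULES
    loadable = RISKY_MODULES - loaded - blocked_modules(modprobe_conf)
    cap = has_capability(effective_caps(proc_status), CAP_NET_ADMIN)
    exposed = cap and bool(loaded or loadable)
    if not cap:
        reason = "CAP_NET_ADMIN not held by this process; exploitation precondition absent"
    elif loaded:
        reason = f"vulnerable module(s) loaded: {sorted(loaded)}"
    elif loadable:
        reason = f"module(s) not loaded but not blocked from loading: {sorted(loadable)}"
    else:
        reason = "all vulnerable modules blocked from loading"
    return {"cap_net_admin": cap, "loaded": sorted(loaded), "loadable": sorted(loadable),
            "exposed": exposed, "reason": reason}


def assess_live_host() -> dict:
    """Read the real files; modprobe.d fragments are concatenated."""
    conf = "".join(p.read_text() for p in Path("/etc/modprobe.d").glob("*.conf")) \
        if Path("/etc/modprobe.d").is_dir() else ""
    return assess(Path("/proc/modules").read_text(), Path("/proc/self/status").read_text(), conf)


# Constructed samples in the real /proc formats.
PROC_MODULES_WITH_ESP = """esp4 20480 0 - Live 0xffffffffc0a1c000
xfrm_algo 16384 1 esp4, Live 0xffffffffc0a0f000
ext4 1048576 1 - Live 0xffffffffc0100000
"""
PROC_MODULES_CLEAN = "ext4 1048576 1 - Live 0xffffffffc0100000\n"
STATUS_ROOT = "Name:\tbash\nCapEff:\t000001ffffffffff\n"
STATUS_UNPRIV = "Name:\tbash\nCapEff:\t0000000000000000\n"
STATUS_NET_ADMIN_ONLY = "Name:\tbash\nCapEff:\t0000000000001000\n"   # exactly 1 << 12
MODPROBE_BLOCK = "install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n"

if __name__ == "__main__":
    print(assess(PROC_MODULES_WITH_ESP, STATUS_ROOT))
```

Note that `CapEff` describes the calling process, so `assess_live_host()` run as root reports the worst case; the useful fleet question is whether unprivileged workloads (the "low-privilege foothold" in the mechanism above) can obtain CAP_NET_ADMIN, which is a matter of container and user-namespace policy rather than this check alone.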
7. DAEMON Tools Supply Chain Attack — QUIC RAT Backdoor
[UPDATED — first reported 2026-05-05, updated 2026-05-12 00:00 UTC]
Actor: China-linked threat actor (assessed with moderate confidence based on Chinese-language strings in information collector); no named APT attribution confirmed.
What Changed: New secondary analyses published within the window (PolySwarm, State of Surveillance) confirmed that the QUIC RAT payload was observed in an additional targeted deployment against an educational institution. Updated IOC lists published by Kaspersky and third-party researchers added new network indicators. The DAEMON Tools v12.6 clean release has been confirmed and pushed by the vendor; remediation guidance updated to include cleanup steps for the QUIC RAT persistence mechanism.
Since April 8, 2026, the official DAEMON Tools download portal served signed, trojanised Windows installers for versions 12.5.0.2421 through 12.5.0.2434. The campaign affected thousands of users across more than 100 countries, but advanced payloads (QUIC RAT) were deployed selectively to approximately a dozen high-value targets in government, scientific, manufacturing, and retail sectors across Russia, Belarus, and Thailand. QUIC RAT is a sophisticated C++ implant obfuscated with control flow flattening and statically linked with WolfSSL, supporting HTTP, UDP, TCP, WebSocket Secure, QUIC, DNS, and HTTP/3 for C2 communications.
TTPs (MITRE ATT&CK):
- T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
- T1036.001 — Masquerading: Invalid Code Signature (legitimate certificate used)
- T1071.001 — Application Layer Protocol: Web Protocols (QUIC, HTTP/3 C2)
- T1055 — Process Injection (code injection into notepad.exe)
- T1041 — Exfiltration Over C2 Channel
8. MuddyWater — Microsoft Teams False Flag Ransomware / Credential Theft
[UPDATED — first reported 2026-05-06, updated 2026-05-12 00:00 UTC]
Actor: MuddyWater (aliases: Mango Sandstorm, Seedworm, Static Kitten); Iran-affiliated; assessed to be working under MOIS (Ministry of Intelligence and Security) direction.
What Changed: Rewterz published an active IOC advisory within the coverage window with updated network indicators. Xcitium Threat Labs published a detailed technical breakdown including the code-signing certificate thumbprint as a detection anchor. Additional reporting confirmed that the campaign’s geographic targeting extended to European government organisations.
A code-signing certificate issued to “Donald Gay” by Microsoft ID Verified CS AOC CA 02 (thumbprint: B674578D4BDB24CD58BF2DC884EAA658B7AA250C) serves as a direct forensic link to MuddyWater’s toolkit and was observed in use in this campaign, directly tied to “Operation Olalampo.” Organisations should treat any process signed with this certificate as an immediate indicator of MuddyWater presence.
TTPs (MITRE ATT&CK):
- T1566.004 — Phishing: Spearphishing via Service (Teams)
- T1078 — Valid Accounts
- T1056.002 — Input Capture: GUI Input Capture (screen sharing credential capture)
- T1003 — OS Credential Dumping
- T1486 — Data Encrypted for Impact (Chaos ransomware false flag)
- T1036 — Masquerading (IT support impersonation)
- T1071 — Application Layer Protocol (C2 via legitimate services)
9. Instructure/Canvas — ShinyHunters Breach Escalation and Ransom Payment
[UPDATED — first reported 2026-05-01, updated 2026-05-12 00:00 UTC]
Actor: ShinyHunters (financially motivated cybercriminal group).
What Changed: The Register published two new articles confirming: (1) a second intrusion wave with a reset leak deadline, and (2) Congressional investigation after Instructure paid the ransom and received shred logs. The US House Homeland Security Committee requested an emergency briefing. Higher education institutions should treat this as a confirmed data exposure of approximately 275 million records from ~8,800 institutions.
Following the initial May 1 breach, ShinyHunters re-compromised Instructure on May 7, defacing Canvas login portals with extortion messages at approximately 330 institutions and threatening to release 3.65 TB of data (~275 million records including Harvard, Columbia, Stanford, Rutgers, Georgetown, and Penn). Instructure confirmed payment of the ransom, receiving digital confirmation of data destruction (shred logs). Congressional investigation is now underway. The impact spanned the end-of-semester period, disrupting final exams at institutions worldwide.
IOC Pack
New IOCs (first observed in this coverage window)
| Type | Value | Campaign | Notes |
|---|---|---|---|
| Domain | git-tanstack[.]com | Mini Shai-Hulud | Primary C2 and exfiltration endpoint; typosquatting TanStack project |
| IP | 83.142.209[.]194 | Mini Shai-Hulud | C2 IP associated with git-tanstack[.]com |
| Domain Pattern | *.getsession[.]org | Mini Shai-Hulud | Decentralised Session messenger nodes used for C2 |
Malicious Package IOCs
| Package Manager | Package | Malicious Version(s) | Safe Version | Notes |
|---|---|---|---|---|
| npm | @tanstack/router | Multiple versions published 2026-05-11 19:20–19:26 UTC | Latest post-incident clean version | 83 entries across @tanstack scope affected |
| npm | @uipath/* | 66 malicious versions | Latest post-incident clean version | Full list via OX Security advisory |
| npm | @squawk/* | 87 malicious versions | Latest post-incident clean version | Full list via Orca Security advisory |
| npm | @mistralai/mistralai | Malicious version | Latest post-incident clean version | — |
| npm | @mistralai/mistralai-azure | Malicious version | Latest post-incident clean version | — |
| npm | @mistralai/mistralai-gcp | Malicious version | Latest post-incident clean version | — |
| PyPI | guardrails-ai | 0.10.1 | 0.10.2+ | Confirmed malicious |
| PyPI | mistralai | 2.4.6 | 2.4.7+ | Confirmed malicious |
Updated IOCs
| Type | Value | Campaign | First Seen | Update Note |
|---|---|---|---|---|
| Domain | env-check.daemontools[.]cc | DAEMON Tools / QUIC RAT | 2026-04-08 | Confirmed still active; additional second-stage payload delivery confirmed within window |
| IP | 38.180.107[.]76 | DAEMON Tools / QUIC RAT | 2026-04-08 | Confirmed still active in coverage window |
| Cert Thumbprint | B674578D4BDB24CD58BF2DC884EAA658B7AA250C | MuddyWater | 2026-05-06 | Rewterz IOC advisory published; confirmed active detection anchor for “Donald Gay” / Operation Olalampo |
Behavioural IOCs
| Type | Value | Campaign | Notes |
|---|---|---|---|
| DNS query | git-tanstack[.]com | Mini Shai-Hulud | Any DNS query to this domain indicates compromise |
| DNS query | *.getsession[.]org | Mini Shai-Hulud | Session messenger C2 beaconing |
| File path | $HOME/.npm/_npmrc_backup_* | Mini Shai-Hulud / RubyGems | Credential harvester staging artefact |
| Process | npm spawning curl/wget to non-registry URLs | Mini Shai-Hulud | Post-install hook exfiltration |
| Registry key | HKLM\SYSTEM\CurrentControlSet\Services\DTHelper | DAEMON Tools / QUIC RAT | Modified service associated with trojanised installer |
| Process | notepad.exe with injected network activity | DAEMON Tools / QUIC RAT | QUIC RAT injects into notepad.exe for C2 |
| Outbound port | UDP/443 (QUIC) from notepad.exe | DAEMON Tools / QUIC RAT | QUIC RAT uses HTTP/3 over QUIC |
| DNS query | env-check.daemontools[.]cc | DAEMON Tools / QUIC RAT | First-stage C2 beacon domain |
KQL Hunting Queries
// HUNT-01: Mini Shai-Hulud C2 Beaconing | Covers: TeamPCP npm worm | MITRE: T1195.001, T1071.001
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any ("git-tanstack.com", "getsession.org")
or RemoteIP == "83.142.209.194"
| extend SuspiciousReason = "Mini Shai-Hulud C2 domain or IP contact"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
RemoteUrl, RemoteIP, RemotePort, SuspiciousReason
| order by Timestamp desc
// HUNT-02: Mini Shai-Hulud Credential Exfiltration via npm Post-Install Hooks | Covers: TeamPCP npm worm | MITRE: T1552.001
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd", "npm")
| where ProcessCommandLine has_any ("curl", "wget", "Invoke-WebRequest", "fetch")
and ProcessCommandLine !has "registry.npmjs.org"
and ProcessCommandLine !has "npmjs.com"
| extend SuspiciousReason = "npm spawning network request to non-registry URL — potential post-install hook exfiltration"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
ProcessCommandLine, SuspiciousReason
| order by Timestamp desc
// HUNT-03: DAEMON Tools QUIC RAT — notepad.exe Network Activity | Covers: DAEMON Tools supply chain / QUIC RAT | MITRE: T1055, T1071.001
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "notepad.exe"
| where RemotePort in (443, 80, 853) or Protocol == "Quic"
| extend SuspiciousReason = "notepad.exe initiating network connection — possible QUIC RAT code injection"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
RemoteUrl, RemoteIP, RemotePort, Protocol, SuspiciousReason
| order by Timestamp desc
// HUNT-04: DAEMON Tools C2 Domain Contact | Covers: DAEMON Tools supply chain | MITRE: T1071.001
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has "daemontools.cc"
or RemoteIP == "38.180.107.76"
| extend SuspiciousReason = "Contact with known DAEMON Tools QUIC RAT C2 infrastructure"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
RemoteUrl, RemoteIP, RemotePort, SuspiciousReason
| order by Timestamp desc
// HUNT-05: MuddyWater Teams Social Engineering — External Chat Followed by Discovery | Covers: MuddyWater | MITRE: T1566.004, T1056.002
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "Teams.exe"
| where ProcessCommandLine has_any ("whoami", "ipconfig", "net user", "net group", "systeminfo", "query user")
| extend SuspiciousReason = "System discovery command executed from Microsoft Teams process — potential MuddyWater social engineering"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
ProcessCommandLine, SuspiciousReason
| order by Timestamp desc
// HUNT-06: Dirty Frag Exploitation Attempt — Kernel Module Load of esp4/esp6/rxrpc | Covers: CVE-2026-43284 | MITRE: T1068
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("modprobe esp4", "modprobe esp6", "modprobe rxrpc", "insmod esp4", "insmod esp6")
or ProcessCommandLine has "xfrm"
| extend SuspiciousReason = "Potential Dirty Frag exploit preparation — kernel module manipulation of esp4/esp6/rxrpc"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, SuspiciousReason
| order by Timestamp desc
// HUNT-07: Windows Netlogon RCE Reconnaissance — CVE-2026-41089 | Covers: May Patch Tuesday | MITRE: T1210
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (135, 445, 49152, 49153, 49154)
and LocalPort == 0
and InitiatingProcessFileName !in~ ("lsass.exe", "svchost.exe", "wininit.exe")
| where DeviceName has_any ("DC", "DOMCON", "PDC", "BDC")
| extend SuspiciousReason = "Unexpected process contacting Netlogon/RPC ports on domain controller — potential CVE-2026-41089 exploitation"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, SuspiciousReason
| order by Timestamp desc
// HUNT-08: RubyGems CI Pipeline Credential Theft | Covers: BufferZoneCorp / RubyGems attack | MITRE: T1552.001
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("ruby.exe", "gem.cmd", "bundler")
| where ProcessCommandLine has_any ("cat ~/.ssh", "cat ~/.aws", "env | grep", "printenv", "curl", "wget")
| extend SuspiciousReason = "Ruby/gem process accessing credentials or exfiltrating — potential malicious gem post-install hook"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
ProcessCommandLine, SuspiciousReason
| order by Timestamp desc
KQL Detection Rules (High Fidelity)
// DET-01: DAEMON Tools QUIC RAT — notepad.exe Network C2 | MITRE: T1055 | Severity: HIGH
// notepad.exe has no legitimate reason to initiate outbound network connections.
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "notepad.exe"
| where isnotempty(RemoteIP)
| extend AlertTitle = "QUIC RAT: notepad.exe initiating network connection — process injection suspected"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1055 - Process Injection"
| extend RecommendedAction = "Isolate host immediately. Collect memory dump of notepad.exe process. Check for DAEMON Tools versions 12.5.0.2421–12.5.0.2434 via 'wmic product get name,version'. Remove affected DAEMON Tools installation and upgrade to v12.6. Submit notepad.exe memory dump to IR team."
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
RemoteIP, RemotePort, RemoteUrl, AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc
// DET-02: Mini Shai-Hulud C2 Domain Contact | MITRE: T1195.001 | Severity: CRITICAL
// git-tanstack[.]com is a purpose-registered attacker-controlled typosquat domain with no legitimate use.
// Any DNS resolution or connection is definitive evidence of compromise. No allowlist exceptions apply.
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has "git-tanstack.com"
or RemoteIP == "83.142.209.194"
| extend AlertTitle = "Mini Shai-Hulud: Contact with known supply chain worm C2 infrastructure"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1195.001 - Supply Chain Compromise; T1071.001 - Application Layer Protocol"
| extend RecommendedAction = "Isolate affected developer workstation immediately. Revoke all npm tokens, GitHub tokens, AWS credentials, and SSH keys accessible from the affected host. Rotate all secrets in CI/CD pipelines that ran on this host. Audit all npm packages published by accounts accessible from this workstation in the past 72 hours. Engage IR."
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
RemoteUrl, RemoteIP, RemotePort, AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc
// DET-03: MuddyWater Teams Social Engineering — Discovery from Teams | MITRE: T1566.004 | Severity: HIGH
// Legitimate IT support interactions via Teams do not require the Teams process to spawn discovery commands.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "Teams.exe"
| where ProcessCommandLine has_any ("whoami", "ipconfig /all", "net user", "net group", "systeminfo",
"query user", "tasklist", "netstat", "wmic", "powershell", "cmd.exe /c")
| extend AlertTitle = "MuddyWater: System discovery command spawned from Microsoft Teams — social engineering suspected"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1566.004 - Phishing: Spearphishing via Service; T1082 - System Information Discovery"
| extend RecommendedAction = "Contact the user immediately to determine if they received an unsolicited IT support request via Teams. If confirmed, disable the user account pending investigation, revoke active sessions, and engage IR. Check for credentials.txt file creation in user profile directories. Preserve Teams chat logs."
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
ProcessCommandLine, AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc
// DET-04: Mini Shai-Hulud / RubyGems — Credential File Access from Package Manager | MITRE: T1552.001 | Severity: HIGH
// Package managers have no legitimate reason to read SSH private keys, AWS credentials, or shell
// environment variables and pipe them to network tools.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd", "ruby.exe", "gem.cmd", "bundler", "python.exe", "pip.exe")
| where ProcessCommandLine has_any ("id_rsa", "id_ed25519", ".aws/credentials", ".npmrc", ".gem/credentials",
"GITHUB_TOKEN", "AWS_ACCESS_KEY", "GH_TOKEN")
| extend AlertTitle = "Supply Chain: Package manager process accessing credential files — malicious install hook suspected"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1552.001 - Unsecured Credentials: Credentials In Files"
| extend RecommendedAction = "Immediately rotate all secrets accessible on this host: SSH keys, AWS credentials, GitHub tokens, npm tokens. Identify which package was being installed when this alert fired (check process tree). Report the package to the registry abuse team. Engage IR for full host forensics."
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
ProcessCommandLine, AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc
// DET-05: Dirty Frag — Privilege Escalation via Kernel Module Manipulation | MITRE: T1068 | Severity: CRITICAL
// Unprivileged users have no legitimate reason to load or manipulate the esp4, esp6, or rxrpc kernel modules.
// Allowlist exception: kernel engineering/testing environments may load these modules legitimately.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("modprobe esp4", "modprobe esp6", "modprobe rxrpc",
"insmod esp4.ko", "insmod esp6.ko", "insmod rxrpc.ko")
| where AccountName !in~ ("root", "kernel_test") // Adjust allowlist for your environment
| extend AlertTitle = "Dirty Frag: Unprivileged kernel module load attempt — CVE-2026-43284 exploitation suspected"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1068 - Exploitation for Privilege Escalation"
| extend RecommendedAction = "Isolate the host. Verify kernel version and patch status for CVE-2026-43284 (kernel 6.18.22+, 6.19.12+, or 7.0+). If unpatched, apply emergency update immediately. Review processes running as the user who initiated this command. Engage IR."
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
AlertTitle, Severity, MITRETechnique, RecommendedAction
| order by Timestamp desc
Mitigation Priorities
Patch (emergency priority)
- CVE-2026-41089 (Netlogon CVSS 9.8) — Apply May 2026 Patch Tuesday KB updates to all Windows domain controllers immediately. Unauthenticated RCE with domain compromise capability warrants a 24-hour SLA, not the standard 30-day window. Validate via `systeminfo` that the relevant KB is installed on all DCs.
- CVE-2026-43284 (Dirty Frag — xfrm-ESP) — Update Linux kernel to 6.18.22+, 6.19.12+, or 7.0+ on all Linux hosts. Verify with `uname -r`. Where immediate patching is not possible, unload the esp4 and esp6 modules with `modprobe -r esp4 esp6` if they are not required operationally.
- CVE-2026-43500 (Dirty Frag — RxRPC) — Patches not yet universally available as of 2026-05-13. Monitor Red Hat RHSB-2026-003 and Ubuntu security notices for RxRPC patch availability. Mitigate with `modprobe -r rxrpc` if not operationally required.
- CVE-2026-40361, CVE-2026-40364, CVE-2026-40365 (Word / SharePoint RCE) — Apply May 2026 Patch Tuesday updates for Microsoft Office and SharePoint. Prioritise internet-facing SharePoint servers.
- DAEMON Tools (trojanised installers) — Uninstall all DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 immediately. Install clean v12.6 from the official site. Run EDR scan for env-check.daemontools[.]cc network connections and notepad.exe injection artefacts.
Network Hardening
- Block immediately at DNS and network proxy: git-tanstack[.]com, 83.142.209[.]194, *.getsession[.]org, env-check.daemontools[.]cc, 38.180.107[.]76.
- Restrict outbound QUIC (UDP/443) from workstations to allowlisted destinations only; QUIC RAT relies on HTTP/3 over QUIC for resilient C2.
- Disable Microsoft Teams external access (federation) for organisations that do not require it. For those that do, enforce a policy requiring IT support interactions to be initiated internally, not via external chat requests.
- Restrict Netlogon RPC (port 445/TCP and dynamic RPC ports) to DC-to-DC traffic only; block external access at the perimeter.
Linux and Container Hardening
- Apply a seccomp profile blocking the `init_module` and `finit_module` syscalls on containers and non-kernel-development workloads — this prevents esp4/esp6/rxrpc module loading, removing the primary Dirty Frag attack vector.
- Enable `CONFIG_SECURITY_LOCKDOWN` in kernel lockdown mode (integrity level) to block unprivileged kernel module loading on bare-metal hosts where immediate patching is not possible.
- Audit `/proc/modules` for unexpected presence of esp4, esp6, or rxrpc on hosts that do not require IPsec or kernel-level RPC.
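A host triage script for the Dirty Frag items above (the patch priorities and the Linux hardening audit), added here as an example and not part of the original brief. It assumes the fix versions stated in the brief (6.18.22+, 6.19.12+, 7.0+ for CVE-2026-43284); since distributions backport fixes, a lower `uname -r` may still be patched, so treat the version check as triage and confirm against the vendor advisory.

```shell
#!/bin/sh
# Added example, not from the original brief: triage a Linux host against the Dirty Frag
# fix versions the brief lists (6.18.22+, 6.19.12+, 7.0+ for CVE-2026-43284) and report
# whether the esp4/esp6/rxrpc modules are loaded. Caveat (assumption): distributions
# backport fixes, so an older-looking uname -r may still be patched; confirm with the
# vendor advisory. CVE-2026-43500 has no stated fix version, so only module state is checked.

# Returns 0 when the version string (e.g. "6.18.22-1-amd64") is at or above a fix version.
kernel_patched_cve_2026_43284() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        ok = (maj >= 7) || (maj == 6 && min == 18 && pat >= 22) || (maj == 6 && min == 19 && pat >= 12)
        exit ok ? 0 : 1
    }'
}

# Reads /proc/modules-format lines on stdin and prints the names of the modules of concern.
dirty_frag_modules_loaded() {
    awk '$1 == "esp4" || $1 == "esp6" || $1 == "rxrpc" { print $1 }'
}

# Interim mitigation from the brief, for hosts that do not need IPsec or kernel-level RPC.
unload_dirty_frag_modules() {
    for m in esp4 esp6 rxrpc; do modprobe -r "$m" 2>/dev/null || true; done
}

check_host() {
    running=$(uname -r 2>/dev/null || echo unknown)
    if kernel_patched_cve_2026_43284 "$running"; then
        echo "kernel $running: at or above the CVE-2026-43284 fix versions"
    else
        echo "kernel $running: below fix versions - patch now, or run unload_dirty_frag_modules"
    fi
    if [ -r /proc/modules ]; then
        loaded=$(dirty_frag_modules_loaded < /proc/modules | tr '\n' ' ')
        [ -n "$loaded" ] && echo "modules of concern loaded: $loaded" || echo "esp4/esp6/rxrpc not loaded"
    fi
    return 0
}

check_host
```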
Developer and Supply Chain
- Audit all CI/CD pipeline logs for the period 2026-05-11 19:00 UTC to 2026-05-12 23:59 UTC for any `npm install` or `pip install` operations involving @tanstack, @mistralai, @uipath, @squawk, guardrails-ai, or mistralai packages. Treat any pipeline that installed these as potentially compromised.
- Rotate immediately: npm tokens, GitHub OIDC credentials, AWS credentials, SSH keys, and any secrets accessible to affected CI/CD runners.
- Review GitHub Actions workflows for `pull_request_target` triggers combined with cache operations — this is the exact attack vector used by Mini Shai-Hulud. Replace with `pull_request` where possible; never check out PR code in a `pull_request_target` workflow without explicit safety controls.
- Block new RubyGems package versions from entering production builds until RubyGems confirms incident containment. Restrict gem sources to an internal mirror with manual review.
- Enable the npm `--ignore-scripts` flag in CI/CD environments where post-install hooks are not required — this prevents malicious post-install hooks from executing during `npm install`.
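A grep-based audit for the workflow review described above, added here as an example and not part of the original brief or any project's tooling. It assumes the common YAML spellings of the trigger, the PR-head checkout and the cache step; the two sample workflows it scans are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original brief: grep-based audit of GitHub Actions workflows
# that pair a pull_request_target trigger with a PR-head checkout or cache step, the pattern
# the brief attributes to Mini Shai-Hulud. Heuristic (assumption): it matches common YAML
# spellings only, so hits are review candidates, not verdicts.

# audit_workflow FILE: prints a finding and returns 1 when the risky combination is present.
audit_workflow() {
    f=$1
    body=$(grep -Ev '^[[:space:]]*#' "$f" || true)   # ignore comment lines
    printf '%s\n' "$body" | grep -q 'pull_request_target' || return 0
    risky=""
    printf '%s\n' "$body" | grep -q 'github\.event\.pull_request\.head' && risky="$risky pr-head-checkout"
    printf '%s\n' "$body" | grep -Eq 'actions/cache|^[[:space:]]*cache:' && risky="$risky cache-step"
    [ -n "$risky" ] || return 0
    echo "$f: pull_request_target with$risky"
    return 1
}

# Constructed sample workflows (not real project files) so the audit can run offline.
write_samples() {
    cat > "$1/risky.yml" <<'EOF'
on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
      - run: npm install
EOF
    cat > "$1/safe.yml" <<'EOF'
on: [pull_request]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
EOF
}

# Run over the samples; for a real repository, point the loop at .github/workflows instead.
demo=$(mktemp -d) && write_samples "$demo"
for f in "$demo"/*.yml; do audit_workflow "$f" || true; done
rm -rf "$demo"
```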
ICS and OT
- ABB AC500 V3 operators: Apply vendor patches for CVE-2025-2595, CVE-2025-41659, CVE-2025-41691 (CISA advisory ICSA-26-132-03). Until patched, restrict network access to AC500 V3 engineering workstations via VLAN isolation and firewall ACLs.
- Fuji Electric Tellus operators: Apply vendor update (ICSA-26-132-01). Ensure Tellus SCADA server accounts follow least privilege.
- Subnet Solutions PowerSYSTEM Center operators: Apply vendor patch (ICSA-26-132-02); rotate authenticated user credentials as a precaution given the information disclosure vulnerability.
Awareness and Process
- Issue an organisation-wide alert: Microsoft Teams external chat requests claiming to be IT support are an active MuddyWater attack vector. Legitimate IT support will never request screen sharing access via unsolicited Teams messages or ask users to type commands or create files named credentials.txt.
- Education sector security teams should treat the Instructure Canvas breach as confirmed data exposure for all institutions using Canvas. Notify affected individuals per applicable breach notification regulations (FERPA, GDPR, state laws). Independently verify ShinyHunters’ claimed data destruction rather than relying on shred logs at face value.
- 2FA administrators: Audit administrative panel authentication implementations for hard-coded trust exceptions or authentication bypass conditions, following the AI-generated zero-day disclosure by GTIG.
Sources
- Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages — The Hacker News (2026-05-12)
- Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages — Aikido Security (2026-05-12)
- TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud — Socket.dev (2026-05-12)
- Shai Hulud attack ships signed malicious TanStack, Mistral npm packages — BleepingComputer (2026-05-12)
- Mini Shai-Hulud Is Back: 172 npm and PyPI Packages Compromised — Mend.io (2026-05-12)
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days — BleepingComputer (2026-05-12)
- The May 2026 Security Update Review — Zero Day Initiative (2026-05-12)
- May 2026 Microsoft Patch Tuesday — Tenable (2026-05-12)
- ABB AC500 V3 Multiple Vulnerabilities — CISA ICSA-26-132-03 (2026-05-12)
- Fuji Electric Tellus — CISA ICSA-26-132-01 (2026-05-12)
- Subnet Solutions PowerSYSTEM Center — CISA ICSA-26-132-02 (2026-05-12)
- RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded — The Hacker News (2026-05-12)
- Adversaries Leverage AI for Vulnerability Exploitation — Google Cloud Blog / GTIG (2026-05-12)
- Google says criminals used AI-built zero-day in planned mass hack spree — The Register (2026-05-11)
- New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks — SecurityWeek (2026-05-12)
- Popular DAEMON Tools software compromised — Kaspersky Securelist (updated 2026-05-12)
- Microsoft Teams Used for Credential Theft and MFA Bypass — Active IOCs — Rewterz (2026-05-12)
- Double Canvas breach acknowledged as ShinyHunters resets leak deadline — The Register (2026-05-12)
- Congress investigates Canvas breach after Instructure cuts deal with ShinyHunters — The Register (2026-05-12)
- Known Exploited Vulnerabilities Catalog — CISA (continuously updated)