cyber exposure alerts

Mini Shai-Hulud: Frequently asked questions about the TeamPCP supply chain campaign
Between September 2025 and May 2026, a threat group tracked as TeamPCP has conducted a series of coordinated supply chain attacks across the npm and PyPI package ecosystems. The campaign, which the group calls Shai-Hulud, uses a self-propagating worm that steals developer and cloud credentials, then leverages those credentials to publish poisoned versions of additional packages. Each compromised continuous integration and continuous deployment (CI/CD) pipeline becomes a new distribution vector, enabling exponential spread. The current iteration is known as Mini Shai-Hulud. Tenable’s Research Special Operations Team (RSO) has compiled an FAQ blog that discusses what Mini Shai-Hulud is, how the campaign operates, who has been affected and what organizations should do to protect their software supply chains. For more information about the campaign, including the availability of patches and Tenable product coverage, please visit our blog.

CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
Drupal has released patches for a highly critical SQL injection vulnerability (CVE-2026-9082) in its database abstraction API. The flaw allows unauthenticated remote attackers to exploit PostgreSQL-backed Drupal sites, potentially leading to data theft, modification, and in some configurations, privilege escalation or remote code execution. No exploitation has been observed yet, but a public detection PoC and reproduction lab were published on the same day as the advisory.

CVE             Description                                CVSSv3
CVE-2026-9082   Drupal Core SQL Injection Vulnerability    6.5

Patches are available for Drupal 11.3.x, 11.2.x, 11.1.x, 10.6.x, 10.5.x, and 10.4.x. Sites running MySQL or SQLite are not affected. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation
Verizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats since its first release in 2008. For the 2026 edition, Tenable Research once again contributed enriched data on vulnerability exploitation and vulnerability remediation trends. This year’s findings paint a stark picture: Compared with last year, organizations are facing a significant increase in the volume of “must-patch” vulnerabilities from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. The 2026 Verizon DBIR found that vulnerability exploitation is the top initial access vector, accounting for 31% of data breaches during the study period. Even more concerning is that the median time-to-patch has increased from 32 days to 43 days, a 34% increase. In short, the number of vulnerabilities continues to snowball while organizations’ patching rates fall further behind. While vulnerability exploitation dominates headlines as the number one initial access vector, it represents only a slice of the exposure problem. The DBIR notably highlights credential abuse as another significant threat vector, underscoring that vulnerabilities don’t exist in isolation. Stolen credentials can transform a moderate-severity vulnerability into a critical breach pathway, while exposed configurations can provide attackers with the access needed to exploit unpatched systems. This interconnected nature of exposures highlights why more and more organizations are adopting comprehensive exposure management. Understanding and addressing the full attack surface, including identity risks, misconfigurations, excessive permissions, and vulnerable assets, is essential to reducing breach risk in today’s threat landscape. The 2026 DBIR, enriched with Tenable Research’s data, provides valuable insights into today’s threat landscape.
Tenable encourages security professionals to read the full Verizon DBIR to understand current attack trends and use these findings to inform their exposure management strategies. In addition, please visit our blog for our analysis and insights into the Tenable data used in the DBIR report.

Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)
On May 12, Microsoft released its May 2026 Patch Tuesday update, which patched 118 CVEs: 16 rated critical and 102 rated important. This month's updates include CVE-2026-41103, an elevation of privilege (EoP) vulnerability affecting the Microsoft Single-Sign-On (SSO) Plugin for Jira & Confluence. It was assigned a CVSSv3 score of 9.1 and is rated critical. It was assessed as "Exploitation More Likely" according to Microsoft's Exploitability Index. An unauthorized attacker could exploit this vulnerability during the login process by sending a specially crafted response message. Successful exploitation would allow the attacker to sign in using a forged identity without Microsoft Entra ID authentication, enabling the attacker to access or modify data in Jira and Confluence. However, the accessible information is not unfettered: it is limited to the access the targeted servers define for the authorized user. In addition, several Microsoft Office applications were patched, including updates to address three remote code execution (RCE) vulnerabilities in Microsoft Word. CVE-2026-33841, CVE-2026-35420 and CVE-2026-40369 are EoP vulnerabilities affecting the Windows Kernel. Each of the flaws has been assigned a CVSSv3 score of 7.8 and is rated important. Both CVE-2026-33841 and CVE-2026-40369 were assessed as "Exploitation More Likely"; a local attacker could abuse them to elevate to SYSTEM, or to Medium/High integrity level in the case of CVE-2026-33841.
This month’s update includes patches for:

- .NET
- ASP.NET Core
- Azure AI Foundry M365 published agents
- Azure Cloud Shell
- Azure Connected Machine Agent
- Azure DevOps
- Azure Entra ID
- Azure Logic Apps
- Azure Machine Learning
- Azure Managed Instance for Apache Cassandra
- Azure Monitor Agent
- Azure Notification Service
- Azure SDK
- Copilot Chat (Microsoft Edge)
- Data Deduplication
- Dynamics Business Central
- GitHub Copilot and Visual Studio
- M365 Copilot
- M365 Copilot for Desktop
- Microsoft Data Formulator
- Microsoft Dynamics 365 (on-premises)
- Microsoft Dynamics 365 Customer Insights
- Microsoft Edge (Chromium-based)
- Microsoft Edge for Android
- Microsoft Office
- Microsoft Office Click-To-Run
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Partner Center
- Microsoft SSO Plugin for Jira & Confluence
- Microsoft Teams
- Microsoft Windows DNS
- Power Automate
- SQL Server
- Telnet Client
- Visual Studio Code
- Windows Admin Center
- Windows Ancillary Function Driver for WinSock
- Windows Application Identity (AppID) Subsystem
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows DWM Core Library
- Windows Event Logging Service
- Windows Filtering Platform (WFP)
- Windows GDI
- Windows Hyper-V
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Kernel-Mode Drivers
- Windows LDAP - Lightweight Directory Access Protocol
- Windows Link-Layer Discovery Protocol (LLDP)
- Windows Message Queuing
- Windows Native WiFi Miniport Driver
- Windows Netlogon
- Windows Print Spooler Components
- Windows Projected File System
- Windows Remote Desktop
- Windows Rich Text Edit
- Windows Rich Text Edit Control
- Windows SMB Client
- Windows Secure Boot
- Windows Storage Spaces Controller
- Windows Storport Miniport Driver
- Windows TCP/IP
- Windows Telephony Service
- Windows Volume Manager Extension Driver
- Windows Win32K - GRFX
- Windows Win32K - ICOMP

For more information, please visit our blog.

Dirty Frag (CVE-2026-43284, CVE-2026-43500): FAQs about this Linux kernel LPE vulnerability chain
Dirty Frag is a local privilege escalation (LPE) vulnerability chain that allows a local user to escalate their privileges to root. It was publicly disclosed on May 7 after the vulnerability’s embargo was broken by an unrelated third party. On May 8, a proof-of-concept was released alongside technical details and a timeline of the disclosure events. While no CVEs were available at the time of public disclosure, as of May 8, two CVE identifiers have been released to address the two vulnerabilities that make up Dirty Frag.

CVE              Description                                                                          CVSSv3
CVE-2026-43284   Linux Kernel Local Privilege Escalation Vulnerability (xfrm-ESP Page-Cache Write)    7.8
CVE-2026-43500   Linux Kernel Local Privilege Escalation Vulnerability (RxRPC Page-Cache Write)       N/A

According to the exploit details that have been released, the two vulnerabilities are chained to craft the exploit: the xfrm-ESP Page-Cache Write provides a 4-byte STORE primitive and the RxRPC Page-Cache Write provides the privilege to create the namespace. By chaining these two vulnerabilities, root privileges can be obtained on nearly all major Linux distributions. Several Linux distributions are beginning to publish security advisories and patches, while others are expected to release updates soon. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

FAQ on Copy Fail Linux Kernel Privilege Escalation (CVE-2026-31431)
On April 29, researchers at Theori publicly disclosed CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem dubbed "Copy Fail." The flaw has been present in every major Linux distribution since 2017. A public proof-of-concept exploit is available and reported to work reliably, drawing comparisons to Dirty Cow and Dirty Pipe.

CVE              Description                                              CVSSv3
CVE-2026-31431   Linux Kernel Local Privilege Escalation Vulnerability    7.8

Patched kernel versions are available, though some major distributions have not yet shipped updates. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

Oracle April 2026 Critical Patch Update Addresses 241 CVEs
On April 21, Oracle released its Critical Patch Update (CPU) for April 2026, the second quarterly update of 2026. This CPU contains fixes for 241 unique CVEs in 481 security updates across 28 Oracle product families. Out of the 481 security updates published this quarter, 7.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.9%, followed by medium severity patches at 44.1%. For more information about the April 2026 CPU release, including the availability of patches and Tenable product coverage, please visit our blog.

Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)
On April 14, Microsoft released its April 2026 Patch Tuesday update, which addressed 163 CVEs: eight rated critical, 154 rated important and one rated moderate. This month’s update included one actively exploited zero-day vulnerability. CVE-2026-32201 is a spoofing vulnerability affecting Microsoft SharePoint Server. It received a CVSSv3 score of 6.5 and was rated important. Microsoft has released updates for SharePoint 2016, 2019 and SharePoint Server Subscription Edition to address this flaw. Microsoft also addressed another zero-day; this vulnerability was not exploited in the wild, but it was publicly disclosed before a patch was made available. CVE-2026-33825 is an elevation of privilege vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and was rated important.

This month’s update includes patches for:

- .NET
- .NET and Visual Studio
- .NET Framework
- .NET, .NET Framework, Visual Studio
- Applocker Filter Driver (applockerfltr.sys)
- Azure Logic Apps
- Azure Monitor Agent
- Desktop Window Manager
- Function Discovery Service (fdwsd.dll)
- GitHub Copilot and Visual Studio Code
- Microsoft Brokering File System
- Microsoft Defender
- Microsoft Dynamics 365 (on-premises)
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft High Performance Compute Pack (HPC)
- Microsoft Management Console
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Power Apps
- Microsoft PowerShell
- Microsoft Windows
- Microsoft Windows Search Component
- Microsoft Windows Speech
- Remote Desktop Client
- Role: Windows Hyper-V
- SQL Server
- Universal Plug and Play (upnp.dll)
- Windows Active Directory
- Windows Admin Center
- Windows Advanced Rasterization Platform
- Windows Ancillary Function Driver for WinSock
- Windows Biometric Service
- Windows BitLocker
- Windows Boot Loader
- Windows Boot Manager
- Windows Client Side Caching driver (csc.sys)
- Windows Cloud Files Mini Filter Driver
- Windows COM
- Windows Common Log File System Driver
- Windows Container Isolation FS Filter Driver
- Windows Cryptographic Services
- Windows Encrypting File System (EFS)
- Windows File Explorer
- Windows GDI
- Windows Hello
- Windows HTTP.sys
- Windows IKE Extension
- Windows Installer
- Windows Kerberos
- Windows Kernel
- Windows Kernel Memory
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows LUAFV
- Windows Management Services
- Windows OLE
- Windows Print Spooler Components
- Windows Projected File System
- Windows Push Notifications
- Windows Recovery Environment Agent
- Windows Redirected Drive Buffering
- Windows Remote Desktop
- Windows Remote Desktop Licensing Service
- Windows Remote Procedure Call
- Windows RPC API
- Windows Sensor Data Service
- Windows Server Update Service
- Windows Shell
- Windows Snipping Tool
- Windows Speech Brokered Api
- Windows SSDP Service
- Windows Storage Spaces Controller
- Windows TCP/IP
- Windows TDI Translation Driver (tdx.sys)
- Windows Universal Plug and Play (UPnP) Device Host
- Windows USB Print Driver
- Windows User Interface Core
- Windows Virtualization-Based Security (VBS) Enclave
- Windows WalletService
- Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys)
- Windows Win32K - GRFX
- Windows Win32K - ICOMP

For more information, please visit our blog.

CVE-2026-35616: Fortinet FortiClientEMS zero-day vulnerability exploited in the wild
On April 4, Fortinet published a security advisory (FG-IR-26-099) for CVE-2026-35616, a critical improper access control vulnerability affecting Fortinet FortiClientEMS.

CVE              Description                                                      CVSSv3
CVE-2026-35616   Fortinet FortiClientEMS Improper Access Control Vulnerability    9.1

A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests that bypass API authentication. While no attribution had been provided at the time this blog was published, the advisory from Fortinet confirms that exploitation has been observed. The advisory credits Simo Kohonen from Defused and Nguyen Duc Anh, who reported the vulnerability to Fortinet. On April 4, Defused released a LinkedIn post confirming their observations of zero-day exploitation of this flaw. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

FAQ on the Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069
On March 31, a North Korea-nexus threat actor (UNC1069) compromised the axios npm package, one of the most widely used JavaScript libraries with over 100 million weekly downloads. The attacker published two malicious versions (1.14.1 and 0.30.4) containing a cross-platform remote access trojan tracked as WAVESHAPER.V2, targeting macOS, Windows and Linux developer environments. The malicious versions were live on the npm registry for approximately three hours before being removed. Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on malware lineage and infrastructure overlaps. Systems that installed the affected versions are considered fully compromised. Developers are advised to downgrade to axios@1.14.0 or 0.30.3, remove the phantom dependency (plain-crypto-js), rotate all secrets and rebuild affected systems. For more information about this supply chain attack, including IoCs, remediation guidance and Tenable product coverage, please visit our blog.