TLDR Information Security 2026-05-06

RCE in the MCP: The Core Vulnerability No One Would Patch

AI infrastructure is scaling without a safety net.

OX Security researchers discovered a systemic RCE-by-design vulnerability at the core ofAnthropic's MCPSTDIO implementation, propagating silently through all downstream frameworks, IDEs, and registries.

This isn't a bug. It's how it was built to work.

Read the full research: The Mother of All AI Supply Chains →

Microsoft describes a multi-stage credential theft campaign using code-of-conduct themed emails sent via a legitimate mail service to over 35,000 users in 26 countries. Messages use enterprise-style templates, urgent accusations, and PDFs linking to CAPTCHA‑gated flows that lead to AiTM phishing pages harvesting Microsoft credentials and tokens, bypassing MFA.

WhatsApp fixed two medium-severity bugs reported via Meta's bug bounty. One let attackers spoof Windows attachments using NUL bytes, so an apparent document executed instead. The other mishandled AI-rich responses for Instagram Reels in iOS and Android, allowing arbitrary URLs and OS URL schemes to be processed on a victim device. Meta reports no in-the-wild exploitation.

Researchers at threat intel company Vega report that threat actors are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Weaver E-colony enterprise automation software. The vulnerability is caused by an exposed debug API endpoint that improperly allows user-supplied parameters to reach backend RPC functionality without requiring authentication. Users are recommended to upgrade to the latest version as no other workaround exists.

As models have become more advanced, they've evolved from a simple “informational GPS” to a powerful “self-driving Waymo.” The additional power also brings additional risk of leaking sensitive data via the context window or other mechanisms. Sondera implements an agent harness using coding agent hooks in Claude Code to enforce Cedar policy-as-code fine-grained policies to protect against data exfiltration.

Huntress detailed a six-command persistence technique against fully patched Windows Server 2025 in which a low-privilege user with CreateChild on any OU and WriteProperty on a target account creates a delegated Managed Service Account (dMSA), takes ownership to grant itself GenericAll, plants a Shadow Credential on msDS-KeyCredentialLink for PKINIT authentication, and writes the dMSA's own SID into msDS-GroupMSAMembership, so it authorizes itself to extract the superseded account's NT hash. The chain survives password rotation (PKINIT bypasses the managed password and the KDC repopulates the hash on every S4U2Self request), survives deletion of the original attacker account, and can lock Domain Admins out of remediation by writing a restrictive membership descriptor. Defenders should hunt for any dMSA whose own SID appears in its GroupMSAMembership, audit msDS-KeyCredentialLink writes on dMSA objects, monitor Event IDs 5136, 4662, and 4768 for PKINIT against dMSAs, and treat full deletion of the rogue dMSA as the only effective fix since Microsoft closed the report as a persistence technique that does not meet the servicing bar.

A scan of about 6,000 Stripe-style webhook endpoints sent a fake checkout.session.completed event with no Stripe-Signature header and logged which servers still returned 2xx. Around 1,542 endpoints did so, meaning they handle unsigned payment events that appear real. Many SaaS flows upgrade users or confirm bookings directly from webhook payload fields, allowing attackers to script free-plan upgrades or unpaid reservations with crafted JSON. The fix is to enforce official webhook signature verification using raw request bodies and stack-specific SDK helpers, then rerun targeted scans to confirm the behavior.

Research unambiguously shows most orgs have process & control gaps in AI identity management, but most leaders think their security systems are ready. This Delinea survey of 2,000+ IT decision-makers lays out the most common blind spots. Get concrete steps you can take to address them. >> Read the report

Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies. OSV-Scanner provides an officially supported frontend to the OSV database and CLI interface to OSV-Scalibr that connects a project's list of dependencies with the vulnerabilities that affect them.

reconFTW is a Bash-based automated reconnaissance framework that orchestrates 100+ tools for subdomain enumeration, OSINT, port scanning, web analysis, and vulnerability checks through an 8-module architecture. The v4.1 release adds adaptive rate limiting, incremental/monitor modes, parallel execution, structured JSON logging, a circuit breaker, and checkpoint-based scan resumption, as well as distributed scanning via the Ax Framework and optional AI-generated reports via reconftw_ai. Configuration is centralized in reconftw.cfg with secrets managed via environment variables or a gitignored secrets.cfg, and deployment supports local installs, Docker (with built-in HEALTHCHECK), and Terraform/Ansible on AWS.

Sn1per is an offensive-security platform that consolidates reconnaissance, vulnerability scanning, exploitation, and reporting into a single workspace. The Community Edition orchestrates 90+ third-party tools with 600+ exploits and 10,000+ detections across scan modes, including normal, stealth, flyover, airstrike, nuke, discover, and mass variants for multi-target operations. The Sn1per Professional 2026 release adds Docker-first deployment, a Bootstrap 5/Tabler UI with a Workspace Navigator, JSON API v1.0 for CI/SOAR/SIEM pipelines, CSV/Excel/PDF report export, and expanded modules for ReverseAPK, MassPwn, Threat Intel, Nessus, and Burp Suite, alongside new -v, -db, and -rr CLI flags.

This piece explores the privacy-versus-capability trade-off across six methods: private local models, trusted execution environments, differential privacy, secure multi-party computation, federated learning, and homomorphic encryption. It draws on Nick Lothian's four years of hands-on experience. Private models and Trusted Execution Environments (TEEs) are shown as the most practical defaults, while homomorphic encryption is still too slow for full pipelines and should be used mainly for specific cryptographic tasks. AI system architects should view privacy as a composition problem: combining federated training with local inference, layering differential privacy with trusted execution environments, and applying heavy cryptographic primitives only where their benefits justify the costs.

OSS maintainer Jeremy Stanley highlights the risks that vulnerabilities discovered using LLM tooling may be fed back into the training data and be trivially discoverable by other users. This changes the calculus of coordinated disclosure and embargos as Stanley argues that maintainers should assume that the vulnerability is discoverable. Stanley believes that OSS maintainers shouldn't use LLMs to develop patches or documentation for vulnerabilities that are still under embargo.

KnownHost CEO Daniel Pearson confirmed exploitation attempts against CVE-2026-41940 (CVSS 9.8) starting February 23, roughly 64 days before cPanel's April 28 advisory, indicating attackers found the CRLF injection authentication bypass in cPanel/WHM session handling well before the researcher who responsibly disclosed it. Censys identified over 1 million exposed cPanel/WHM hosts (Rapid7 put the figure near 1.5 million across versions 11.86.0 through 11.136.0 and WP Squared v136.1.7 and earlier), and on May 1 alone, 15,448 cPanel hosts (79.99% of GreyNoise's malicious-host tracking that day) participated in attack activity, with 7,135 hosts already showing Sorry Ransomware ".sorry" extensions on WordPress core files and a separate Mirai variant ("nuclear.x86") deployed via Telnet post-compromise. CISA added the CVE to the KEV catalog on April 30, with a May 3 federal deadline. NocInit recommends migrating any server that was internet-accessible on ports 2082-2096 during the February-April window to a clean install from pre-breach backups rather than cleanup.

This report from the Harvard Business Review takes an in-depth look at today's fragmented GRC silos and makes the case for a new, AI-powered approach. Get the eBook from Optro

The Trump administration is now considering pre-release vetting for high-risk AI models following Anthropic's Mythos Preview.

NHS England ordered maintainers to flip hundreds of GitHub repos from public to private by May 11.

ShinyHunters stole personal information of 119,000 Vimeo users in April by breaching Anodot, a third-party analytics vendor.