A reflection on a single week of cyber security disclosures — and what they tell us about the shape of the threat landscape, the maturity of attackers, and the choices defenders now need to make.
The week of 5 to 11 May 2026 will be a useful reference point for anyone trying to understand the state of cyber security in this decade. Not because any single event was unprecedented in scale, but because the pattern across the week — five active exploitation campaigns, two security-vendor breaches, the largest education-sector data theft on record, an AI agent compromise, and a critical information disclosure flaw in 300,000 self-hosted LLM servers — all landed inside seven days.
If you are responsible for the security of an organisation, large or small, this is what your threat model now looks like. Here is what happened, and what it actually means.
The headlines
Palo Alto Networks PAN-OS — CVE-2026-0300. A critical buffer overflow in the User-ID Authentication Portal of PAN-OS firewalls. CVSS score 9.3. Unauthenticated remote code execution as root. Palo Alto's Unit 42 attributes the campaign to a suspected state-sponsored cluster tracked as CL-STA-1132, with initial exploitation attempts dating from 9 April 2026 and successful RCE the week after. Post-exploitation included Active Directory enumeration and the deployment of open-source tooling — EarthWorm, ReverseSocks5 — consistent with China-nexus tradecraft. Vendor patches expected from 13 May.
Ivanti Endpoint Manager Mobile — CVE-2026-6973. Authenticated remote code execution affecting on-premise EPMM. CISA added it to its Known Exploited Vulnerabilities catalogue on 7 May with a Federal Civilian Executive Branch remediation deadline of 10 May, a three-day window that signals genuine alarm. Because the flaw requires valid credentials, Ivanti's advisory notes that organisations which rotated credentials after the January 2026 zero-days face significantly reduced risk; those that did not now have a second exposure window, since credentials taken in January are enough to reach this bug.
ClaudeBleed. LayerX researchers disclosed a vulnerability in the Claude in Chrome extension that allows any other Chrome extension, including extensions with zero declared permissions, to issue arbitrary prompts to the Claude AI agent and bypass user confirmation flows through DOM manipulation. The attack chain weaponises the Claude agent against the user who installed it, with demonstrated impact including exfiltration of data from Gmail, Google Drive, and GitHub. Anthropic's first patch addressed only the 'standard' execution mode; switching the extension to 'privileged' mode restores exploitability. A full fix is in progress. Until it ships, the practical control is to keep the extension out of privileged mode, or off managed devices altogether.
Bleeding Llama — CVE-2026-7482. A heap out-of-bounds read in Ollama's GGUF model loader. CVSS 9.1. An unauthenticated attacker submits a crafted GGUF file to the /api/create endpoint, leaks process memory (environment variables, API keys, system prompts, and other users' conversation data among it) and exfiltrates the leaked memory via the /api/push endpoint. Approximately 300,000 publicly exposed Ollama instances are vulnerable. Patched in version 0.17.1. Ollama has no authentication of its own, so any instance reachable from the internet is reachable by this attack; the two things to check are whether your instances listen on anything other than loopback (the default is 127.0.0.1:11434 unless OLLAMA_HOST says otherwise) and whether `ollama --version` reports 0.17.1 or later.
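The create-then-push sequence described above is visible to anyone fronting Ollama with a reverse proxy. The following is an added example, not code from Ollama or from the researchers, that flags that sequence in proxy access logs. It assumes a Combined Log Format proxy log and a small allowlist of hosts that legitimately push models; the log lines, addresses and allowlist are constructed.

```python
"""Flag the /api/create -> /api/push sequence from Bleeding Llama in proxy logs.

Assumptions (not from the advisory): Ollama sits behind a reverse proxy that
writes Combined Log Format lines, and legitimate model pushes only come from a
short allowlist of build hosts. The sample log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=10)
ALLOWED_PUSHERS = {"10.0.5.20"}   # constructed: the one build host allowed to push

SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2026:03:14:05 +0000] "POST /api/create HTTP/1.1" 200 512
203.0.113.7 - - [08/May/2026:03:14:09 +0000] "POST /api/push HTTP/1.1" 200 8388608
10.0.5.20 - - [08/May/2026:09:00:00 +0000] "POST /api/create HTTP/1.1" 200 512
10.0.5.20 - - [08/May/2026:09:05:00 +0000] "POST /api/push HTTP/1.1" 200 4194304
198.51.100.9 - - [08/May/2026:11:22:01 +0000] "GET /api/tags HTTP/1.1" 200 1024
"""

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_leak_chains(log_text, window=WINDOW, allowed=ALLOWED_PUSHERS):
    """Return (ip, create_time, push_time, bytes_pushed) for each client that
    POSTed /api/create and then /api/push within `window`, ignoring allowlisted
    build hosts. The push is the exfiltration step, so that is the row to page on."""
    pending_create = defaultdict(list)
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] == "/api/create":
            pending_create[rec["ip"]].append(rec["ts"])
        elif rec["path"] == "/api/push" and rec["ip"] not in allowed:
            for t in pending_create[rec["ip"]]:
                if timedelta(0) <= rec["ts"] - t <= window:
                    hits.append((rec["ip"], t, rec["ts"], rec["size"]))
                    break
    return hits

def api_clients(log_text):
    """Every source address that reached /api/ at all: exposure evidence even
    when no exploit sequence is visible in the window."""
    recs = (parse(line) for line in log_text.splitlines())
    return sorted({r["ip"] for r in recs if r and r["path"].startswith("/api/")})

if __name__ == "__main__":
    for ip, t0, t1, n in find_leak_chains(SAMPLE_LOG):
        print(f"ALERT {ip}: create at {t0:%H:%M:%S}, push of {n} bytes at {t1:%H:%M:%S}")
    print("clients reaching the API:", api_clients(SAMPLE_LOG))
```

Against the constructed log the chain from 203.0.113.7 is reported and the allowlisted build host is not; the client list shows that two non-allowlisted addresses reached the API at all, which is the exposure finding regardless of whether the exploit sequence is present.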
Trellix source code breach. The cyber security firm formed from the McAfee Enterprise and FireEye merger confirmed on 2 May that attackers had accessed a portion of its source code repository. By 7 May, the RansomHouse ransomware group had claimed responsibility on its leak site. The incident sits within a multi-month campaign that has also compromised Checkmarx, Aqua Security, Cisco's internal development environment, and HackerOne's benefits administrator.
Canvas LMS data breach. ShinyHunters defaced Canvas LMS — operated by Instructure — on 7 May, replacing the global login page with a ransom note and claiming theft of 3.65 terabytes covering 275 million records from 8,809 institutions. Instructure has confirmed unauthorised access initially detected on 29 April and identified the entry point as a flaw in the Free-For-Teacher account flow. The incident landed in the middle of final-exam season for thousands of universities and is now considered the largest education-sector data breach on record.
TCLBANKER. Elastic Security Labs disclosed a Brazilian banking trojan that targets 59 banking, fintech and cryptocurrency platforms via a trojanised Logitech installer using DLL sideloading. The notable evolution: it hijacks authenticated WhatsApp Web sessions and Outlook COM automation to redistribute itself to victim contacts at scale — up to 3,000 per infected device.
PCPJack. SentinelLabs documented a credential-theft framework that targets exposed Docker, Kubernetes, Redis, MongoDB and RayML instances, plus web applications vulnerable to five separate CVEs. Distinguishing behaviour: it removes artefacts of competing TeamPCP infections from compromised systems. Operator appears to be a former TeamPCP affiliate.
Malvertising via Claude.ai. BleepingComputer reported an active campaign using Google Ads pointing to genuine claude.ai shared chat URLs that contain attacker-authored installation instructions disguised as Apple Support guidance. Pasting the suggested Terminal command silently installs Mac malware. A textbook trust-laundering attack: the destination domain and Google Ad both pass technical legitimacy checks; the malicious payload sits inside user-generated content on a trusted platform.
That is one week.
What the week actually means
Three observations are worth dwelling on.
First, attackers have operationalised trust as an attack vector. Not the abstract trust of digital certificates and TLS, but the more practical trust users place in things: the genuine claude.ai domain, a vendor installer that looks like Logitech's, the security vendor whose product is meant to protect everything else, the WhatsApp account of a known colleague, the AI assistant the user installed themselves. The Canvas, Trellix, ClaudeBleed, TCLBANKER, and malvertising stories are all variations on the same theme: the entity the user trusts has been compromised, or its trust signal has been laundered, and the attack chain rides on that trust.
Defensive strategies built on detecting impersonation are intrinsically limited. The human brain is not built to spot a phishing email from a real CFO's real account, or a malicious command pasted into Terminal from a sponsored search result that resolves to a genuine vendor domain. What works is structural — limiting blast radius, enforcing phishing-resistant authentication, segmenting privileged access, and assuming compromise of any individual trust boundary. The shift from boundary defence to assume-breach is a decade overdue, and the events of this week are simply more evidence.
Second, AI agents are now a first-order attack surface. The ClaudeBleed disclosure is significant not because it is the first AI vulnerability — there have been many — but because it demonstrates a generalisable pattern: an AI agent that has been granted broad OAuth scopes by its user is, in security terms, a deputy with the user's authority. If the agent can be compelled to act, every system it has been authorised to access is in scope. The same pattern will apply to Microsoft Copilot, Google Gemini, ChatGPT enterprise integrations, and the rapidly expanding ecosystem of agentic AI tooling in 2026 and 2027.
This is not an argument against AI assistants. It is an argument that the security model around them needs to mature very quickly. Enterprises with AI assistants integrated to corporate SaaS should be inventorying browser extensions, auditing OAuth grants, restricting autonomous browsing modes, and where possible routing AI assistant usage through a managed gateway rather than user-installed extensions.
Third, the edge is the new perimeter — and the perimeter is the new crown jewels. The Palo Alto incident is the eighth major edge-device exploitation campaign attributed to suspected China-nexus actors in the past eighteen months. The pattern is operationally consistent: target appliances with privileged access and limited endpoint detection coverage, deploy open-source tooling, operate intermittently to stay below behavioural alerting thresholds, clear logs aggressively. Defenders who continue to treat edge devices as boundary controls — rather than as Tier 0 assets with the same telemetry and patch SLAs as their most sensitive internal systems — will continue to lose this class of engagement.
What to do about it
There is no single answer that addresses all of the above. There are, however, a handful of practical actions that materially shift the picture for most organisations.
For the edge, this week's incidents are a useful forcing function to audit patch SLAs for internet-facing appliances. Most organisations can list their internet-facing appliances faster than they can patch them, and the gap between the two is where attackers live. The PAN-OS timeline also shows the limit of a patch SLA on its own: exploitation attempts began on 9 April and vendor patches are expected from 13 May, so for five weeks the only controls available were reducing exposure of the affected portal and hunting for the post-exploitation activity Unit 42 describes.
For AI integrations, inventory matters. Most organisations cannot accurately answer the question "which browser extensions are installed across our managed devices, and what OAuth scopes have those extensions been granted on our corporate identity providers?" Until that question can be answered, the AI threat model is fundamentally unknown.
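The browser-extension half of that inventory can be answered from disk, since Chrome keeps each installed extension's manifest under the profile directory. The following added example, not code from Anthropic, LayerX or Google, walks that layout and reports every extension's declared permissions, keeping zero-permission extensions in the list because the ClaudeBleed finding is that they are still in scope. It assumes the standard `<user data>/<profile>/Extensions/<id>/<version>/manifest.json` layout; the sample profile it builds is constructed, with made-up extension ids. The OAuth-grant half lives in the identity provider's admin API and is not covered here.

```python
"""Inventory Chrome extensions on a managed device with their declared permissions.

Added example, not code from Anthropic, LayerX or Google. It reads the on-disk
layout Chrome uses, <user data>/<profile>/Extensions/<id>/<version>/manifest.json,
so it needs no browser API. The sample profile is constructed in a temp dir and
its extension ids and names are made up.
"""
import json
import os
import tempfile
from pathlib import Path

BROAD_HOST_SCOPES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def chrome_user_data_candidates():
    """Default Chrome user-data locations (the usual paths; not exhaustive)."""
    home = Path.home()
    return [
        home / "Library/Application Support/Google/Chrome",                   # macOS
        home / ".config/google-chrome",                                       # Linux
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data", # Windows
    ]

def inventory_extensions(user_data_dir):
    """One row per (profile, extension id, version). Extensions that declare no
    permissions are kept on purpose: a zero-permission extension can still drive
    an AI agent extension, which is the ClaudeBleed finding."""
    rows = []
    for manifest in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        try:
            m = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                        # unreadable or half-written manifest
        version_dir = manifest.parent       # .../<profile>/Extensions/<id>/<version>
        perms = list(m.get("permissions", []))
        hosts = list(m.get("host_permissions", []))
        rows.append({
            "profile": version_dir.parents[2].name,
            "id": version_dir.parent.name,
            "version": version_dir.name,
            "name": m.get("name", "?"),     # may be a __MSG_*__ locale key
            "manifest_version": m.get("manifest_version"),
            "permissions": sorted(perms),
            "host_permissions": sorted(hosts),
            "zero_declared": not perms and not hosts,
        })
    return rows

def needs_review(rows):
    """Ids to look at first: broad host scope, or nothing declared at all."""
    out = []
    for r in rows:
        broad = BROAD_HOST_SCOPES & (set(r["permissions"]) | set(r["host_permissions"]))
        if broad or r["zero_declared"]:
            out.append(r["id"])
    return out

def build_sample_profile(root):
    """Constructed fixture: two profiles, three extensions, one with no declared
    permissions. Ids are placeholders, not real Web Store ids."""
    fixtures = {
        ("Default", "a" * 32, "1.2.0"): {
            "name": "Example Agent Sidebar", "manifest_version": 3,
            "permissions": ["tabs", "scripting", "storage"],
            "host_permissions": ["https://mail.google.com/*", "https://github.com/*"],
        },
        ("Default", "b" * 32, "0.9.1"): {"name": "Example Theme", "manifest_version": 3},
        ("Profile 1", "c" * 32, "4.0.0"): {
            "name": "Example Coupon Finder", "manifest_version": 2,
            "permissions": ["<all_urls>", "webRequest"],
        },
    }
    for (profile, ext_id, ver), manifest in fixtures.items():
        d = Path(root) / profile / "Extensions" / ext_id / ver
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

def demo():
    """Run the inventory against the constructed profile."""
    with tempfile.TemporaryDirectory() as tmp:
        rows = inventory_extensions(build_sample_profile(tmp))
    return rows

if __name__ == "__main__":
    real = [p for p in chrome_user_data_candidates() if p.is_dir()]
    rows = inventory_extensions(real[0]) if real else demo()
    flagged = set(needs_review(rows))
    for r in rows:
        mark = "REVIEW" if r["id"] in flagged else "      "
        print(f"{mark} {r['profile']:<10} {r['id'][:8]}... {r['name']:<24} v{r['version']} "
              f"perms={r['permissions']} hosts={r['host_permissions']}")
```

Run under an endpoint-management agent, the per-row output is what feeds the inventory; the review list is deliberately generous, because the question the text poses is not "which extensions are dangerous" but "which extensions exist", and the zero-declared ones are the easiest to miss.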
For SaaS platforms, the Canvas incident is a useful template for incident-response runbook testing. The scenario is straightforward: a major SaaS platform you depend on suffers a data breach, attackers steal customer data including identity information, and your organisation has to manage the downstream consequences — phishing exposure, customer notification, internal communication, regulatory reporting. Walk the runbook with the team. Find what is missing.
For credentials, the shift to phishing-resistant MFA is no longer optional. The Microsoft data from Q1 2026 shows credential harvesting is now the goal of approximately eighty percent of phishing campaigns. SMS, push notifications (number matching included, since in an adversary-in-the-middle attack the victim really is logging in), and authenticator-app one-time codes are all vulnerable to adversary-in-the-middle attacks, because each is a bare secret that a proxy can forward to the real site. FIDO2 security keys and platform passkeys are not, because the assertion the authenticator signs includes the origin the browser actually talked to, so a proxy on a look-alike domain receives a signature the real site will reject. Migrate privileged accounts first; expand outward from there.
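The difference between the two kinds of factor is easiest to see in code. The following added illustration, not vendor code, models an adversary-in-the-middle proxy against both a TOTP code and a WebAuthn-style assertion. It is simplified: the authenticator signs with HMAC instead of a private key, and the relying party, proxy domain and seeds are constructed. What it keeps faithful is what gets signed: authenticatorData, which begins with the hash of the RP ID, plus the hash of clientDataJSON, whose origin field is written by the browser rather than by the page.

```python
"""Why a relayed one-time code works for an adversary-in-the-middle proxy and a
relayed WebAuthn assertion does not.

Added illustration, not vendor code. Simplified model: the 'authenticator'
signs with HMAC instead of a private key, and names and domains are constructed.
"""
import hashlib, hmac, json, os, struct

RP_ID = "login.example"                       # constructed relying party
REAL_ORIGIN = "https://login.example"
PROXY_ORIGIN = "https://login-example.evil"   # constructed AitM phishing domain


# ---- one-time codes: the proof is a bare secret, so a proxy can just forward it
def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for time t."""
    mac = hmac.new(secret, struct.pack(">Q", int(t // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def scenario_otp_relay() -> bool:
    """Victim types the code into the proxy's page; the proxy forwards it to the
    real site inside the same 30-second step. The real site cannot tell."""
    secret, now = b"constructed-shared-seed", 1_778_000_000
    code_typed_into_phish = totp(secret, now)
    return hmac.compare_digest(totp(secret, now), code_typed_into_phish)


# ---- WebAuthn-style assertion: the signature covers the origin the browser saw
def authenticator_sign(cred_key: bytes, rp_id: str, client_data: dict) -> dict:
    """Signs authenticatorData || SHA-256(clientDataJSON); authenticatorData
    starts with SHA-256(rpId), then flags (UP) and a 4-byte counter."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    cdj = json.dumps(client_data, sort_keys=True).encode()
    to_sign = auth_data + hashlib.sha256(cdj).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": cdj, "signature": sig}

def browser_get_assertion(cred_key, rp_id, challenge: bytes, page_origin: str) -> dict:
    """navigator.credentials.get(): the browser fills in the origin of the page
    that made the call and refuses an rpId that is not a suffix of that host."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId is not a registrable suffix of origin")
    cd = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    return authenticator_sign(cred_key, rp_id, cd)

def rp_verify(cred_key: bytes, challenge: bytes, assertion: dict) -> tuple:
    """Relying-party checks, abridged, in the order the spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin {cd.get('origin')} not allowed"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def scenario_webauthn(page_origin: str, skip_browser_check: bool = False) -> tuple:
    """The proxy relays the RP's real challenge and rpId to the victim's browser,
    which is rendering page_origin. skip_browser_check models a client that did
    not enforce the rpId/origin rule, to show that the RP still rejects."""
    cred_key, challenge = os.urandom(32), os.urandom(32)
    try:
        if skip_browser_check:
            cd = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
            assertion = authenticator_sign(cred_key, RP_ID, cd)
        else:
            assertion = browser_get_assertion(cred_key, RP_ID, challenge, page_origin)
    except ValueError as e:
        return False, str(e)
    return rp_verify(cred_key, challenge, assertion)

if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", scenario_otp_relay())
    print("WebAuthn at real origin:", scenario_webauthn(REAL_ORIGIN))
    print("WebAuthn via proxy origin:", scenario_webauthn(PROXY_ORIGIN))
    print("WebAuthn via proxy, browser check skipped:", scenario_webauthn(PROXY_ORIGIN, True))
```

The relayed TOTP is accepted; the relayed assertion fails twice over, first in the browser (the RP ID the proxy forwards is not a suffix of the proxy's host) and, if that check were somehow absent, at the relying party (the signed origin is the proxy's, not the real site's). A proxy that rewrites the RP ID to its own domain gets no further, because the user's authenticator holds no credential for that RP ID.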
The wider picture
Cybersecurity Ventures' 2026 CISO Report, published this week in partnership with Sophos, observed something that aligns with everything else above: there are approximately 35,000 CISOs serving an estimated 359 million businesses globally — a ratio of roughly 10,000 to one. Gartner separately projects that fifty percent of CISOs will be asked to own disaster recovery alongside incident response by 2028. The personal legal liability now attached to the role, combined with expanding scope and constrained budgets, has been driving experienced practitioners out of senior security roles for years.
What this means in practice is that most organisations do not have, and will not have, a dedicated CISO. They will rely on managed service providers, fractional CISOs, and external advisory firms. They will outsource the security function, deliberately or by default, to vendors. They will, in some cases, be served extremely well by that arrangement; in others, they will discover — usually around the time of an incident — that the arrangement was always more cosmetic than substantive.
The implication is straightforward. The set of decisions that organisations make about their security partnerships matters enormously, and matters more in 2026 than it did even two or three years ago. The threat landscape now moves faster than any in-house team without specialist support can plausibly keep up with. The right partnership is a force multiplier; the wrong one is a single point of failure with a known compromise pattern.
The threat landscape is what it is. What you do about it is what matters. We will be back next week.