Cyber Roundup — Week of May 4
Here are the main stories you missed last week.
1. Anthropic: The “ClaudeBleed” vulnerability shows how AI browser agents become privilege escalation engines.
The headline: LayerX security researchers disclosed a vulnerability on May 8, 2026, dubbed “ClaudeBleed,” in Anthropic’s Claude in Chrome extension that allows any other Chrome extension — even one with zero permissions — to hijack the AI agent through remote prompt injection. In proof-of-concept demonstrations, researchers used the flaw to extract files from Google Drive, send emails from a victim’s Gmail, exfiltrate code from private GitHub repositories, and then delete the evidence. Anthropic shipped a partial fix in version 1.0.70 on May 6, but LayerX confirmed the underlying trust model issue remains exploitable through Claude’s “privileged” or “Act without asking” modes.
What we’re actually watching: Browser-based AI agents are becoming a brand new class of high-value target, and the security models around them are dramatically less mature than the capabilities they ship. ClaudeBleed isn’t a Claude problem — it’s a preview of every AI browser agent on the market.
Three things our team tracks as AI agents become embedded in enterprise workflows:
The CISO question: Do you have visibility into which browser extensions and AI agents your employees have installed, and have you mapped which of those agents inherit access to your SaaS platforms — Gmail, Drive, GitHub, your code repositories — through the user’s existing sessions?
2. Instructure: The Canvas breach exposes how a single SaaS platform can become a continental single point of failure
What we’re actually watching: This is the largest education-sector breach on record by a wide margin, and the attack pattern — exploiting a low-friction account type to pivot into a flagship platform — is the same pattern attackers will use against every multi-tenant SaaS with a free or trial tier.
Two patterns we track when major SaaS platforms suffer mass compromise:
- Free-tier accounts as the attack surface no one inventories. The Canvas attack vector reportedly traced back to “Free-for-Teacher” accounts — a low-friction account class with reduced verification. Most enterprise customers have no visibility into whether free-tier accounts on their SaaS vendors interact with paid-tier data. We scan dark web forums for credential dumps and seller posts tied to “trial,” “free,” and “demo” accounts on enterprise SaaS, since those credentials are increasingly the entry point for attacks against the paid customer base.
- Ransomware deadlines as forced disclosure events. ShinyHunters set a May 12 deadline for affected institutions to negotiate or face data release. That deadline forces nearly 9,000 institutions to simultaneously decide whether to engage with the threat actor — and creates a window where copy-cat impostors flood the same target list with phishing emails impersonating breach notifications. We monitor underground forums for the negotiation chatter that accompanies these deadlines, and we scan for the impersonation domains that always follow.
The CISO question: For every SaaS platform that holds your sensitive data, do you know whether the vendor offers free, trial, or unpaid account tiers — and have you confirmed that those tiers cannot reach the same data tables, message queues, or backend systems that your paid tenant uses?
3. Palo Alto Networks: The PAN-OS CVE-2026-0300 zero-day proves perimeter appliances are still the weakest perimeter
The headline: Palo Alto Networks disclosed CVE-2026-0300 on May 6, 2026, an unauthenticated buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS that allows attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending crafted packets. The flaw carries a CVSS score of 9.3 and is under active exploitation. Unit 42 attributed observed attacks to CL-STA-1132, a likely state-sponsored cluster that followed initial compromise with open-source tunneling tools and Active Directory enumeration. CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day with a May 9 federal remediation deadline. The first official patches will not ship until May 13. Shadowserver tracks more than 5,800 internet-exposed PAN-OS VM-Series instances.
What we’re actually watching: Firewall and VPN appliances continue to be the highest-value, lowest-attention attack surface in most enterprise networks. Defenders apply rigorous patching to endpoints and servers but treat perimeter appliances as set-and-forget.
Three things we monitor when a major edge appliance gets a critical zero-day:
- The patch gap as a strategic window. Palo Alto disclosed CVE-2026-0300 on May 6 with no patch available; CISA’s federal deadline was May 9; the first vendor patches don’t ship until May 13. That’s a seven-day window where configuration hardening is the only line of defense, and state-sponsored actors are already inside victim networks. We monitor underground forums and intelligence-sharing channels for indicators of compromise during these patch gaps so customers can hunt proactively rather than wait.
- Captive portals as forgotten internet exposures. The User-ID Authentication Portal is a non-default feature, typically used for guest networks or unmanaged-device identification. Many organizations enabled it years ago and left it exposed to the public internet. We scan customers’ external attack surfaces specifically for non-default appliance services — captive portals, management interfaces, legacy VPN endpoints — that administrators have forgotten are exposed.
- State-sponsored attribution as a force multiplier for urgency. When Unit 42 publicly attributes exploitation to a state-sponsored cluster, the cost-benefit calculation changes for every defender: this isn’t opportunistic scanning, it’s targeted reconnaissance against high-value organizations. We correlate state-sponsored campaign indicators with customers’ specific industry sectors to flag which of our customers are likely already in scope.
The CISO question: Do you have an authoritative inventory of every internet-exposed appliance interface — not just the ones you actively use, but the ones that were enabled at some point and never disabled — and a tested process for emergency hardening when a vendor zero-day lands without a patch?
4. Anthropic + Mitiga: The Claude Code MCP token theft reveals where the real SaaS blast radius lives now
The headline: Mitiga Labs disclosed on May 7, 2026 a man-in-the-middle attack chain against Anthropic’s Claude Code that allows an attacker to silently redirect MCP (Model Context Protocol) traffic, intercept OAuth tokens for connected SaaS platforms like Jira, Confluence, Atlassian, and GitHub, and maintain persistent access even after the victim rotates credentials. The attack starts with a single malicious npm install that runs a post-install hook to modify ~/.claude.json, pointing MCP traffic through attacker-controlled infrastructure. The hook re-seeds the configuration on every load, so token rotation feeds the attacker rather than breaking the chain. Anthropic classified the report as “out of scope” on April 12, 2026, on the grounds that the user has already consented to package installation.
What we’re actually watching: OAuth tokens issued to AI agents are becoming the most valuable credentials in the enterprise, and the standard defensive playbook — rotate credentials, force re-auth — is structurally insufficient against persistent attackers who control the rotation pipeline itself.
Two patterns we track when AI tooling intersects with SaaS authentication:
- Configuration files as the new attack surface. The attack chain pivots on ~/.claude.json, a user-writable file that contains both MCP server URLs and OAuth tokens in plaintext. The same pattern exists across nearly every AI coding assistant: dotfiles in home directories that hold credentials for connected services. We monitor dark web marketplaces for offers tied to developer config files (.claude.json, .cursor, .aider) and to npm packages designed to harvest them.
- Provider-side logs as false reassurance. Mitiga’s research showed that the attack produces audit logs in Atlassian, Jira, and similar platforms that look completely legitimate — real user, real session, valid token, expected egress range from Anthropic’s infrastructure. SOC teams looking for anomalous SaaS access won’t see anything. We track which SaaS providers are updating their detection logic to flag MCP-mediated access patterns, and which are leaving customers with no signal to work from.
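Because provider-side logs give no signal, the endpoint's own configuration file is where a redirected MCP server can be noticed. The audit below is an added example, not code from Mitiga, Anthropic or this roundup: it flags MCP server URLs that are off an allowlist or not HTTPS, and lists credential-like values stored in plaintext. The `mcpServers` / `projects` layout, the allowlist host and the sample config are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

SECRET_KEY = re.compile(r"token|secret|authorization", re.I)  # heuristic key match
APPROVED_HOSTS = {"mcp.approved.example"}  # hypothetical allowlist

def mcp_servers(config):
    """Yield (scope, name, entry); assumes "mcpServers" at top level and per project."""
    for name, entry in config.get("mcpServers", {}).items():
        yield "user", name, entry
    for path, project in config.get("projects", {}).items():
        for name, entry in project.get("mcpServers", {}).items():
            yield path, name, entry

def plaintext_secrets(node, trail=""):
    """Return JSON paths of non-empty strings stored under credential-like keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{trail}.{key}" if trail else key
            if isinstance(value, str) and value and SECRET_KEY.search(key):
                hits.append(here)
            else:
                hits += plaintext_secrets(value, here)
    elif isinstance(node, list):
        hits += [h for i, v in enumerate(node)
                 for h in plaintext_secrets(v, f"{trail}[{i}]")]
    return hits

def audit(config, approved_hosts=APPROVED_HOSTS):
    """Flag MCP URLs that are off the allowlist or not HTTPS, plus plaintext secrets."""
    findings = []
    for scope, name, entry in mcp_servers(config):
        url = entry.get("url")
        if not url:
            continue  # stdio server (command/args): no remote endpoint to check
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((scope, name, "non-https", url))
        if (parsed.hostname or "") not in approved_hosts:
            findings.append((scope, name, "unapproved-host", url))
    return findings + [("file", p, "plaintext-secret", "") for p in plaintext_secrets(config)]

# Constructed sample config, not a real capture.
SAMPLE = {
    "mcpServers": {"jira": {"url": "https://mcp.approved.example/v1",
                            "headers": {"Authorization": "Bearer CONSTRUCTED"}}},
    "projects": {"/home/dev/app": {"mcpServers": {
        "github": {"url": "http://relay.unapproved.example/mcp"},
        "local": {"command": "node", "args": ["server.js"]}}}}}
```

Since the hook described above re-seeds the file on every load, a check like this is more useful run on a schedule or from file-integrity monitoring than once after cleanup.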
The CISO question: For every developer in your organization using an AI coding assistant, do you know which SaaS platforms they have connected via OAuth — and have you accepted that any one of those tokens, if compromised, gives an attacker the same access as the developer until you can identify, revoke, and reissue every token in scope?
5. Ivanti: The EPMM CVE-2026-6973 exploitation continues a pattern Ivanti customers know too well
The headline: Ivanti disclosed CVE-2026-6973 on May 7, 2026, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM) actively exploited in the wild against a limited number of customers. The flaw requires administrative authentication, but Ivanti pointed customers back to its January 2026 guidance on CVE-2026-1281 and CVE-2026-1340 — meaning organizations that didn’t rotate credentials four months ago are now exposed through their own un-rotated admin sessions. CISA added the CVE to the KEV catalog with a three-day federal remediation deadline of May 10, 2026. Shadowserver tracks more than 800 internet-exposed Ivanti EPMM instances, concentrated in Europe and North America.
What we’re actually watching: This is the fifth major Ivanti-product exploitation event in eighteen months, and the chained pattern — earlier vulnerability leaks credentials, later vulnerability exploits those un-rotated credentials — has now become predictable enough to plan around.
Two things we track when a vendor accumulates a consistent exploitation pattern:
- Un-rotated credentials as a permanent attack surface. Ivanti’s advisory explicitly notes that customers who rotated credentials in January 2026 are at significantly reduced risk from CVE-2026-6973. That means the active exploitation we’re seeing is against the subset of customers who didn’t act on the January guidance. We track which customer environments still show indicators consistent with un-remediated past Ivanti incidents, since those environments are now demonstrably the targets.
- Vendor exploitation patterns as procurement signals. When a vendor’s exploitation history develops a predictable cadence — credential leak followed by credential abuse — that’s a risk factor for procurement teams, not just security teams. We surface vendor-specific exploitation histories in third-party risk assessments so customers can factor that pattern into renewal and consolidation decisions.
The CISO question: For every appliance and management platform in your environment, can you produce evidence of when you last rotated administrative credentials — and do you have a list of vendors whose past CVEs your team has consciously decided not to take remediation action on?
The pattern across all five stories
Every story this week illustrates the same fundamental shift: AI agents and SaaS platforms have collapsed the traditional security perimeter, and the credentials that flow through them now carry more privilege than any single user account ever did.
ClaudeBleed showed how an AI browser agent inherits the user’s permissions across Gmail, Drive, and GitHub — and how a zero-permission extension can inherit those inherited permissions. The Canvas breach showed how a single SaaS platform’s free-tier account class can become the pivot point for compromising 9,000 institutions. Palo Alto’s PAN-OS zero-day showed how a perimeter appliance, exposed for years and forgotten, becomes a state-sponsored entry point in a seven-day patch gap. Mitiga’s Claude Code research showed how a single npm install can grant an attacker persistent, audit-log-invisible access to every SaaS platform a developer has connected. Ivanti’s EPMM exploitation showed how credentials that weren’t rotated four months ago become the active attack vector today.
The common thread is identity. In each case, the attacker doesn’t need to break the encryption, bypass the authentication, or even establish persistence on the endpoint. They need to inherit, intercept, or impersonate an identity that already has the access they want. That’s the work CybelAngel does: we monitor the external attack surface, threat actor communications, and credential exposure patterns that reveal where your identities are leaking and which of them an attacker is already preparing to use.
