
Daily Security Briefing #255
- DjediTech
- Security, Newsletter
- May 15, 2026
GRIDTIDE disrupted, Claude Code vulnerabilities exposed, and AI training data poisoning…
Executive Summary
Cybersecurity threats continue to evolve with malicious actors adapting to disruptions. The recent GRIDTIDE campaign disruption highlights collaborative efforts between industry partners. Meanwhile, critical vulnerabilities in Claude Code have been exposed. Additionally, AI training data poisoning has become a growing concern.
The day’s top stories include the exploitation of high-severity vulnerabilities in PraisonAI and OpenClaw, as well as the emergence of Shai-Hulud, a self-propagating npm worm designed to steal sensitive developer credentials. Furthermore, Microsoft Exchange and Windows 11 were hacked during the second day of Pwn2Own Berlin 2026.
Top Articles
Welcome to BlackFile: Inside a Vishing Extortion Operation
Google Threat Intelligence Group has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the “BlackFile” brand. The group targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise.
Source: Google Cloud Blog

The Boring Stuff is Dangerous Now
AI agents capable of discovering and exploiting obscure vulnerabilities are emerging alongside developers producing vast amounts of potentially flawed AI-generated code. This forces defenders to adapt accordingly, highlighting the need for stricter security measures in AI development and deployment.
Source: DarkReading

PraisonAI Vulnerability Actively Exploited Within Hours of Being Made Public
A high-severity vulnerability in PraisonAI is drawing urgent attention after security researchers observed exploitation attempts within hours of public disclosure. The flaw exposes a critical authentication bypass in the platform’s legacy API server, potentially allowing attackers to execute AI workflows without credentials.
Source: GBHackers

Shai-Hulud Worm Steals Dev Secrets Across npm, GitHub, AWS & Kubernetes
Security researchers are raising alarms over “Shai-Hulud,” a self-propagating npm worm designed to steal sensitive developer credentials from GitHub, AWS, Kubernetes, and local environments. The campaign is already being described as one of the largest npm threats.
Source: GBHackers

Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access
The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that’s engineered for stealth and persistent access to compromised hosts.
Source: The Hacker News

Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own
During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.
Source: BleepingComputer

PraisonAI Vulnerability Exploited Hours After Public Disclosure
A high-severity authentication bypass in PraisonAI is drawing urgent attention after security researchers observed active exploitation attempts within hours of public disclosure. The flaw exposes a critical weakness in PraisonAI’s legacy API server.
Source: CyberPress

Android 16 VPN Bypass Lets Apps Reveal Users’ Real IP Address
A critical security flaw discovered in Android 16 allows malicious apps to leak a user’s real IP address even when “Always-On VPN” and “Block connections without VPN” are fully enabled. The vulnerability exploits the way Android handles VPN connections.
Source: CyberPress

Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors.
Source: The Hacker News

Metasploit Wrap-Up 05/15/2026
Gather round, dear readers, because today, we (by we, we mean @h00die) dropped the ultimate persistence mechanism: Vim plugin persistence. And honestly, calling it “persistence” feels redundant — Vim is already the most persistent thing ever.
Source: Rapid7

The Case for a Vulnerability Operations Center
Vulnerability remediation has become an execution problem. Security teams are generating more findings than ever, but too often those findings do not translate into timely risk reduction. The gap between newly introduced exposure and effective remediation continues to widen.
Source: Check Point

AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.