Bulletin — May 2026
The Digital Omnibus reaches a provisional deal on 7 May: Annex III moves to December 2027. Spain approves its AI governance bill on 26 May. Pwn2Own Berlin pays out $1.3M for 47 zero-days, with Codex and Claude Code on the menu. Patch Tuesday ships with no zero-days for the first time since June 2024. OpenAI launches Daybreak and Anthropic moves Mythos toward GA. Verizon DBIR 2026 crowns vulnerability exploitation as the number-one vector. GitHub loses 3,800 internal repos to a poisoned VS Code extension.
Manuel López Pérez · news

May closes the threads April left hanging. The Digital Omnibus reaches a provisional agreement on 7 May and moves Annex III to December 2027 — ahead of the third trilogue everyone expected on the 13th. Spain approves its AI governance bill on 26 May, with fines up to €35M. Pwn2Own Berlin finally runs ($1,298,250, 47 zero-days, DEVCORE crowned Master of Pwn) with Codex and Claude Code falling in the AI category. Patch Tuesday ships with no zero-days for the first time since June 2024. OpenAI publishes Daybreak and Anthropic starts pulling Mythos out from behind the Glasswing wall. Verizon DBIR 2026 confirms what M-Trends previewed: vulnerability exploitation is the number-one initial vector. And GitHub loses 3,800 internal repos to a poisoned VS Code extension.
EU AI Act Omnibus — provisional deal on 7 May
7 May: Council and Parliament reach a provisional political agreement on the Digital Omnibus on AI, six days before the third trilogue last month’s bulletin placed on 13 May. April’s blocker — the conformity-assessment architecture for Annex I systems — is resolved, and the package ships with three pieces that matter to anyone with a high-risk system on the roadmap:
- Annex III (biometrics, critical infrastructure, employment, education, law enforcement, border management): high-risk obligations move to 2 December 2027. That’s the date last month’s technical post asked you to prepare for as the likely scenario.
- Annex I (systems covered by sectoral law — Machinery, MDR, IVDR, motor vehicles): moves to 2 August 2028, with the conformity-assessment dispute resolved by interlocking with existing product legislation.
- New Article 5 prohibition: AI systems designed to generate child sexual abuse material (CSAM) or non-consensual intimate imagery (NCII). It’s the first expansion of the prohibited-practices catalogue since entry into force.
The argument the co-legislators put ahead of the postponement is operational: the harmonised technical standards and the guidance companies need to implement aren’t ready, and penalising failure to meet a standard that doesn’t yet exist doesn’t hold up. The agreement is provisional — formal adoption by Council and Parliament is still pending before it becomes law.
For a provider, the operational picture doesn’t change from the dual plan we covered in the Annex III technical post: complete technical file, QMS extended toward ISO/IEC 42001, early contact with notified bodies. What changes is the calendar: there are eighteen more months than March suggested, and the risk now flips to using the postponement as an excuse not to start.
Sources: https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/ · https://www.twobirds.com/en/insights/2026/digital-omnibus-on-ai-provisional-agreement-reached-at-the-may-trilogue · https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/ · https://iapp.org/news/a/ai-act-omnibus-what-just-happened-and-what-comes-next
Spain — the cabinet approves the AI governance bill
26 May: Spain’s Council of Ministers approves the Organic Law bill for the proper use and governance of artificial intelligence, the instrument that maps the AI Act’s enforcement framework onto Spanish law and assigns powers to AESIA. The text now enters parliamentary procedure.
The sanctions regime has three tiers:
- Very serious: up to €35M or 7% of annual turnover.
- Serious: up to €15M or 3%.
- Minor: up to €500,000 or 0.5%.
AESIA becomes the single point of contact for supervising systems not tied to sectoral law — employment, biometrics, education — coordinating with the DPA (AEPD) and sectoral regulators for the rest. The bill also incorporates the national regulatory sandbox the AI Act mandates, operated by AESIA, with priority access for SMEs and startups, plus mechanisms that favour correction over penalty (early-payment reductions, company-size considerations). Failure to meet synthetic-content labelling obligations is among the codified infractions.
The capacity context: AESIA reaches May with 16 technical guides published and, per this month’s reporting, 23 preliminary investigations open. It’s the most advanced national AI regulator in the EU on operational guidance, and the law finally gives it the enforcement teeth it lacked.
Sources: https://digital.gob.es/comunicacion/notas-prensa/mtdfp/2026/05/el-gobierno-aprueba-el-proyecto-de-ley-que-garantizara-una-super · https://aesia.digital.gob.es/en/guides · https://www.bermejoialegret.com/gobernanza-de-la-ia-en-la-ue-y-espana-hitos-y-retos-para-2026/
Pwn2Own Berlin 2026 — $1.3M and the AI category stops being set dressing
14-16 May: Pwn2Own Berlin 2026 runs, the event April’s bulletin logged early because of submission oversubscription. Final figure: $1,298,250 across 47 unique zero-days. Master of Pwn standings:
- DEVCORE — 50.5 points, $505,000.
- STARLabs SG — 25 points, $242,500.
- Out of Bounds — 12.75 points, $95,750.
Day 1 closed at $523,000 with the first public fall of AI products; day 2 added $385,750 with Microsoft Exchange falling and the running total crossing $900,000.
The relevant bit for us is the AI category, which in its second edition stopped being an announcement. Satoki Tsuji (Ikotas Labs) abused an external control flaw in OpenAI Codex to run arbitrary code on the host. Claude Code was targeted several times — Compass Security and Byung Young Yi (Out of Bounds) demonstrated working exploits — though both ended in bug collision: the underlying vulnerabilities had already been reported before the event. The collisions are the confirmation of what April anticipated: there are more bugs circulating in these agents than the contest can process.
The read holds: coding agents are code execution with broad permissions, and local inference servers (Ollama had its own heap 0-day this month, below) are privileged processes consuming arbitrary files. It’s the attack surface that walked into enterprise production without threat modeling, and Pwn2Own is putting a number on it for the first time. The technical analysis of this agentic surface gets its own post.
Sources: https://www.bleepingcomputer.com/news/security/hackers-earn-1-298-250-for-47-zero-days-at-pwn2own-berlin-2026/ · https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html · https://securityaffairs.com/192183/hacking/pwn2own-berlin-2026-day-one-523000-paid-out-ai-products-fall.html · https://www.securityweek.com/hackers-earn-1-3-million-at-pwn2own-berlin-2026/
Patch Tuesday — the first with no zero-days since June 2024
12 May: Microsoft closes ~120 CVEs (the count drifts between 118 and 138 by methodology — Tenable counts 118, BleepingComputer 120, ZDI/Qualys up to 138 including peripheral products), 16 critical and, the month’s headline, zero zero-days. It’s the first Patch Tuesday with no actively exploited or publicly disclosed vulnerability since June 2024.
No zero-days isn’t no work. The priorities:
- CVE-2026-41103 and the RCE block in Windows Netlogon and DNS Client — high CVSS, remote-exploitation-without-interaction profile. Any exposed DC or resolver goes in the queue.
- Four RCEs in Microsoft Word, all exploitable via the Preview Pane. Phishing-to-RCE through a previewed attachment is still a live category, exactly as in April.
Last month was 165 CVEs with two zero-days and a CVSS 9.8 IKE bug; this one, a statistical breather. The operational read doesn’t change: the patch-to-exploitation window for perimeter components is still measured in hours, and a quiet month on Microsoft’s calendar isn’t a quiet month across the rest of the stack (see MOVEit, Palo Alto and Cisco below).
Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday-fixes-120-flaws-no-zero-days/ · https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103 · https://www.scworld.com/news/patch-tuesday-no-zero-days-among-137-microsoft-cves-4-word-rces
OpenAI Daybreak + Mythos toward GA — the Glasswing wall starts to come down
The pattern April left open — the most capable model stops being the most accessible — moves this month on two fronts, both toward more access, not less.
11 May: OpenAI publishes Daybreak, its cybersecurity initiative and direct answer to Project Glasswing. Daybreak builds an editable per-repository threat model, prioritises realistic attack paths over high-impact code, tests vulnerabilities in an isolated environment, proposes fixes and emits audit-ready evidence. It rests on three models: GPT-5.5 (standard safeguards, general purpose), GPT-5.5 with Trusted Access for Cyber (verified defensive work in authorised environments) and GPT-5.5-Cyber (a permissive model for red teaming and controlled pentesting). Access stays restricted — scan request or sales channel — but Akamai, Cisco, Cloudflare, CrowdStrike, Fortinet, Oracle, Palo Alto Networks and Zscaler are already integrating capabilities under Trusted Access for Cyber. The operational difference from Glasswing: OpenAI structures access by trust tier and product, not by a closed list of fifty partners.
Anthropic moves in parallel. What in April was “a frontier model behind a defensive wall” starts to loosen: Mythos 1 (claude-mythos-1-preview) appears, prepping for Claude Code and Claude Security (the scanning and patch-suggestion product, in beta for Enterprise). The data point that justifies the shift: Anthropic and its Glasswing partners say they’ve found more than ten thousand high- or critical-severity vulnerabilities in essential software since launch. And Anthropic’s calendar is explicit: Mythos-class models “widely available in the next 6-12 months,” with general availability “in the coming weeks” once the stronger safeguards they need are in place.
The asymmetry April flagged — defenders outside the wall vs. an attacker one open-weights release away — narrows from the top, not the bottom: instead of waiting for the open-weights equivalent, the labs are opening the closed model faster than expected. For the median defender, the “only fifty organisations have this” window is now measured in weeks.
Sources: https://openai.com/daybreak/ · https://thehackernews.com/2026/05/openai-launches-daybreak-for-ai-powered.html · https://www.helpnetsecurity.com/2026/05/12/openai-daybreak-openai-daybreak-vulnerability-validation-initiative/ · https://www.bleepingcomputer.com/news/artificial-intelligence/anthropic-confirms-claude-mythos-class-models-will-roll-out-to-the-public/ · https://red.anthropic.com/2026/mythos-preview/
Verizon DBIR 2026 — vulnerability exploitation dethrones credentials
In mid-May Verizon publishes the DBIR 2026, covering more than 31,000 incidents and 22,000 confirmed breaches across 145 countries. The structural headline, confirming what M-Trends 2026 previewed last month:
- Vulnerability exploitation (31%) overtakes stolen credentials as the number-one initial vector — for the first time in the report’s 19-year history. It’s the year’s underlying shift.
- Third-party supply chain breaches rise 60% and now account for 48% of all breaches. That more than doubles the 30% April’s own preview projected.
- Ransomware present in 48% of breaches (was 44%). 69% of victims don’t pay, and the median ransom drops to $139,875.
- Human element in 62% of breaches. Shadow AI — employee use of unsanctioned AI tools — triples to 45%, with data leakage as the direct consequence. Mobile social engineering success rate is up 40%.
Cross-read with M-Trends, it’s the same message from two different houses: the unpatched perimeter is the door, the supply chain is the multiplier, and AI is still an amplifier more than a primary cause. The supply chain number is the one that should move budget this quarter.
Sources: https://www.verizon.com/business/resources/reports/dbir/ · https://www.helpnetsecurity.com/2026/05/20/verizon-2026-dbir-findings/ · https://blog.qualys.com/vulnerabilities-threat-research/2026/05/19/inside-the-2026-verizon-dbir-what-one-billion-records-revealed-about-vulnerability-remediation
GitHub loses 3,800 internal repos to a VS Code extension
20 May: GitHub confirms attackers accessed its internal repositories after an employee installed a poisoned VS Code extension. The extension was Nx Console (nrwl.angular-console, version 18.95.0), published two days earlier on 18 May. The group TeamPCP (aka UNC6780) claims access to roughly 3,800 repos and lists them for sale at no less than $50,000.
The leaked contents, per the descriptions: GitHub Actions, agentic workflows, internal Copilot projects, CodeQL tooling, internal infrastructure, security tools, Codespaces and Dependabot. GitHub says it has no evidence of impact to customer data stored outside its internal repos.
TeamPCP isn’t a new actor: it’s the same group behind the npm Shai-Hulud campaigns, the Trivy scanner breach, the Checkmarx Jenkins incident (12-13 May) and the compromise of four SAP npm packages earlier in the month. The pattern is consistent and it’s exactly what Verizon just crowned: the developer trust surface (IDE extensions, packages, AI middleware) as the dominant supply chain vector. An extension published 48 hours ago with a legit-sounding name was all it took.
Sources: https://thehackernews.com/2026/05/github-internal-repositories-breached.html · https://www.bleepingcomputer.com/news/security/github-investigates-internal-repositories-breach-claimed-by-teampcp/ · https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/
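One way to inventory and allowlist IDE extensions in light of this incident, as an added example (not GitHub's tooling or code from the sources): a Python audit of `code --list-extensions --show-versions` output against a pinned allowlist plus a denylist holding the release named above. The allowlist entries, every version other than 18.95.0 and the sample listing are constructed for illustration.

```python
"""Audit VS Code extensions against a pinned allowlist and a denylist."""
import subprocess

# Release named in this bulletin: (extension id, version).
DENYLIST = {("nrwl.angular-console", "18.95.0")}

# Constructed allowlist: extension id -> approved versions.
# An empty set means "any version"; that is the gap a denylist must cover.
ALLOWLIST = {
    "ms-python.python": {"2026.4.0"},
    "dbaeumer.vscode-eslint": set(),
    "nrwl.angular-console": set(),
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE = """\
ms-python.python@2026.6.0
Nrwl.Angular-Console@18.95.0
dbaeumer.vscode-eslint@3.0.10
example-publisher.handy-theme@1.2.3
"""


def parse_listing(text):
    """Return (id, version) pairs from 'publisher.name@version' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if "@" not in line:
            continue  # skip blanks and anything that is not id@version
        ext_id, _, version = line.rpartition("@")
        # Compare ids case-insensitively (this example lowercases them).
        entries.append((ext_id.lower(), version))
    return entries


def audit(text, allowlist=ALLOWLIST, denylist=DENYLIST):
    """Return (id, version, reason) for every entry that needs review."""
    findings = []
    for ext_id, version in parse_listing(text):
        if (ext_id, version) in denylist:
            # Checked first: an allowlisted id without a pin would pass.
            findings.append((ext_id, version, "denylisted"))
        elif ext_id not in allowlist:
            findings.append((ext_id, version, "not-allowlisted"))
        elif allowlist[ext_id] and version not in allowlist[ext_id]:
            findings.append((ext_id, version, "version-not-pinned"))
    return findings


def installed_listing():
    """Read the real listing from the local VS Code CLI."""
    cmd = ["code", "--list-extensions", "--show-versions"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for ext_id, version, reason in audit(SAMPLE):
        print(f"{reason:20} {ext_id}@{version}")
```

On a workstation, pass `installed_listing()` to `audit()` instead of `SAMPLE`.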
Canvas/Instructure — ShinyHunters, 275M users and ransom paid
1-11 May: ShinyHunters hits Instructure Canvas, the LMS, in what’s already considered the largest education breach on record. On 1 May Instructure acknowledges the incident; on 7 May, after announcing it was resolved, the Canvas login page turns up defaced with a ransom note. The group claims 3.65 TB of data on around 275 million users across 8,809 institutions in the US, UK, Canada, Australia, New Zealand, Sweden, the Netherlands, Hong Kong and Singapore — including private messages between students and teachers.
Instructure paid the ransom on 11 May, a day before the deadline. ShinyHunters keeps the exfiltration-extortion pattern (no encryption) we already saw in the Snowflake/UNC5537 campaign: compromise a SaaS holding massive data, exfiltrate, and negotiate against the publication clock. The FBI issued a warning to students and staff over possible direct secondary-extortion attempts.
Sources: https://en.wikipedia.org/wiki/2026_Canvas_security_incident · https://www.darkreading.com/cyberattacks-data-breaches/shinyhunters-second-attack-instructure · https://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/11/instructure-pays-ransom-canvas-hackers
Rest of the month
- MOVEit Automation — CVE-2026-4670, critical auth bypass (5 May) in versions before 2025.1.5 / 2025.0.9 / 2024.1.8. The MFT that already starred in the 2023 Clop disaster is back on the KEV. Any exposed unpatched instance is a priority target.
- Palo Alto PAN-OS — 0-day RCE (7 May): buffer overflow in the User-ID Authentication Portal, unpatched at advisory time. Same appliance, same story as GlobalProtect in 2024.
- Cisco Catalyst SD-WAN Manager — CVSS 10.0 (Rapid7, 20 May): auth bypass allowing full control. Cisco also closes another CVSS 10 on 26 May. The CVSS-10 line in network management planes stays a perennial category, continuing from ArcaneDoor.
- OpenClaw — 4-bug chain (18 May): a TOCTOU write escape enabling host changes, env-var secret leakage, a loopback bug and escalation. It’s a coding-agent sandbox escape, exactly the surface Pwn2Own validated the same week. Required reading for anyone running agents with filesystem access (MCP context).
- Ollama — heap leak 0-day (12 May): the local inference server leaks memory. Confirms the Pwn2Own AI category point: local inference = a poorly modelled privileged process.
- Apple M5 — MIE defeated (25 May): a bypass of the Memory Integrity Enforcement Apple presented as a hardware mitigation. The defence announced as closed is replicable again.
- Megalodon (22 May): an automated campaign pushing 5,718 malicious commits to 5,561 GitHub repos in a six-hour window, injecting GitHub Actions workflows. Supply chain at machine speed.
- LiteSpeed cPanel — CVE-2026-48172, CVSS 10.0 (25 May): a logic flaw in the User-End plugin’s JSON-API endpoint. Ghost CMS (exploited SQLi) and Ubiquiti UniFi OS (three critical) round out the month’s appliance/CMS block.
- Data breaches: NYC Health + Hospitals (1.8M patients, via third-party vendor, Nov 2025-Feb 2026), Foxconn (ransomware at North American plants), Zara (197K), Lithuania’s national registers (600K).
- Five Eyes — agentic AI guidance (5 May): a joint publication on the security risks of autonomous agents. A signal that the problem Pwn2Own and OpenClaw materialise is already on the intelligence regulators’ radar.
- Seedworm (MuddyWater) and ScarCruft (APT37): state-nexus espionage campaigns active in May: Seedworm against nine organisations in nine countries via DLL sideloading; ScarCruft with a supply chain attack on sqgame.net. Classic espionage doesn’t pause while the industry watches AI.
Cross-cutting pattern — the defensive wall lasts weeks, not years
May leaves a correction to April’s thesis. “The most capable model stops being the most accessible” held up as a starting point, but the missing data point was the wall’s duration: it’s measured in weeks. Anthropic opens Mythos toward Claude Code and Claude Security; OpenAI structures Daybreak by trust tier with eight security vendors already inside. The institutional frontier that looked set to separate from the rest of the market for months is diffusing toward GA before the open-weights equivalent even arrives.
The rest of the month all points the same way, and the direction is signed by the DBIR: vulnerability exploitation is now the number-one initial vector, and the supply chain — from MFT to npm package to VS Code extension — is the multiplier up 60%. Pwn2Own puts a number on the new surface (coding agents, local inference) and GitHub proves the old recipe — one developer endpoint, one poisoned extension — still suffices to walk off with 3,800 repos.
What’s operationalisable:
- AI-assisted vulnerability discovery on your own stack, no longer waiting for Glasswing: with Daybreak in restricted preview and Mythos heading for GA, the “scan your code with the best model you can access, before someone else does” pattern stops being exclusive to fifty organisations.
- Patch hygiene on legacy perimeter: MOVEit, PAN-OS, Cisco SD-WAN. May’s list is the same as always, and the DBIR explains why it matters more than ever.
- Developer trust surface as perimeter: inventory and allowlist IDE extensions, pin dependencies, review AI middleware. The GitHub/TeamPCP vector isn’t exotic, it’s the new baseline.
- Threat modeling for production agents: if you run Claude Code, Codex, Cursor or Ollama with broad permissions, OpenClaw and Pwn2Own tell you you’re already on the attack surface. Sandbox, permission scoping, isolation.
- AI Act plan with the real date: Annex III on 2 December 2027, pending formal adoption. Eighteen more months is no excuse not to start the technical file and the QMS.
June will bring the technical post on the agentic surface (coding agents + local inference, with material from Pwn2Own and OpenClaw) and the follow-up on the Omnibus’s formal adoption, the passage of Spain’s AI law, and the Mythos GA rollout if it lands in the “coming weeks” Anthropic promised.


