Security Digest — 2026-05-08
A worm-like cloud credential stealer (PCPJack) and active zero-days in Ivanti EPMM and Palo Alto PAN-OS dominate the operational picture, while AI security research this week zeroes in on jailbreak hardness, MoE routing attacks, and post-fine-tuning safety collapse.
AI Security Research
- SoK: Robustness in Large Language Models against Jailbreak Attacks — ArXiv cs.AI — A systematization of knowledge paper surveying how adversarial prompts coerce LLMs into policy-violating outputs and benchmarking the current state of defenses across attack categories.
- On the Hardness of Junking LLMs — ArXiv cs.LG — Argues that effective jailbreaks need not rely on explicit semantic structure, reframing what “robustness” should mean and challenging the standard adversarial-prompt formulation.
- Sparse Tokens Suffice: Jailbreaking Audio Language Models via Token-Aware Gradient Optimization — ArXiv cs.AI — Shows that sparse, token-aware perturbations of audio inputs are enough to elicit unsafe generations from audio LMs, undermining the common assumption that dense waveform perturbations are required.
- Misrouter: Exploiting Routing Mechanisms for Input-Only Attacks on Mixture-of-Experts LLMs — ArXiv cs.CR — Demonstrates a novel attack surface specific to MoE architectures: by manipulating which experts a routing layer selects, adversaries can degrade or steer model behavior using input-only perturbations.
- Beyond Content Safety: Real-Time Monitoring for Reasoning Vulnerabilities in Large Language Models — ArXiv cs.AI — Argues that filtering final outputs misses unsafe chain-of-thought intermediates and proposes runtime monitoring of the reasoning trace itself.
- From Parameter Dynamics to Risk Scoring: Quantifying Sample-Level Safety Degradation in LLM Fine-tuning — ArXiv cs.AI — Investigates why fine-tuning on small benign datasets can erase safety alignment built up from millions of preference examples, scoring per-sample risk during fine-tuning.
- You Snooze, You Lose: Automatic Safety Alignment Restoration through Neural Weight Translation — ArXiv cs.CR — Proposes a method for restoring safety properties after third-party LoRA adapters cause alignment drift, addressing the open-source LLM-with-third-party-adapters threat model.
- Membership Inference Attacks for Retrieval Based In-Context Learning for Document Question Answering — ArXiv cs.LG — Shows that retrieval-augmented in-context learning systems are vulnerable to membership-inference attacks even when the service provider and users are separated.
- Syntax- and Compilation-Preserving Evasion of LLM Vulnerability Detectors — ArXiv cs.AI — Evaluates how easily LLM-based vulnerability detectors used in CI/CD security gating can be evaded by edits that preserve syntax and compilation, raising concerns about deploying these tools as security checkpoints.
- Gray-Box Poisoning of Continuous Malware Ingestion Pipelines — ArXiv cs.LG — Models a realistic gray-box poisoning threat to ML-based malware classifiers operating on continuous data streams, where the attacker has partial knowledge of the pipeline.
- Pen-Strategist: A Reasoning Framework for Penetration Testing Strategy Formation and Analysis — ArXiv cs.AI — Frames penetration testing as a reasoning problem for LLM agents, building strategy formation and analysis capabilities aimed at the cybersecurity skills shortage.
- Do Agents Dream of Root Shells? Partial-Credit Evaluation of LLM Agents in Capture the Flag Challenges — ArXiv cs.AI — Introduces DeepRed, an open-source CTF benchmark with partial-credit scoring for evaluating offensive capabilities of LLM agents in realistic settings.
- Agentic Vulnerability Reasoning on Windows COM Binaries — ArXiv cs.LG — Presents SLYP, an agentic system for finding race conditions in Windows COM services that run with elevated privileges, targeting local privilege escalation as the attack surface.
- The Adversarial Discount — AI, Signal Correlation, and the Cybersecurity Arms Race — ArXiv cs.CR — A contest-theoretic model of how AI changes attacker/defender investment dynamics across multiple attack surfaces.
Vulnerabilities & Exploits
- Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access — The Hacker News — Ivanti is warning of in-the-wild exploitation of CVE-2026-6973 (CVSS 7.2), an improper-input-validation flaw in Endpoint Manager Mobile that grants admin access; patched in 12.6.1.1, 12.7.0.1, and 12.8.0.
- Ivanti warns of new EPMM flaw exploited in zero-day attacks — BleepingComputer — Companion coverage: Ivanti urges customers to patch the high-severity EPMM RCE immediately following confirmed zero-day exploitation.
- PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage — The Hacker News — Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow (CVSS 9.3/8.7) in PAN-OS User-ID authentication, with exploitation attempts dating back to April 9, 2026.
- Palo Alto Networks firewall zero-day exploited for nearly a month — BleepingComputer — Suspected state-sponsored activity has been quietly exploiting the PAN-OS firewall zero-day for almost a month before public disclosure.
- After Replacing TeamPCP Malware, ‘PCPJack’ Steals Cloud Secrets — Dark Reading — A new credential-stealing framework, PCPJack, makes innovative use of parquet files for stealthy, pre-validated target discovery while canvassing multiple cloud environments.
- New PCPJack worm steals credentials, cleans TeamPCP infections — BleepingComputer — PCPJack actively evicts the older TeamPCP malware from systems it compromises, a turf-war pattern increasingly common among cloud-targeting credential stealers.
- PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems — The Hacker News — PCPJack chains five CVEs to harvest credentials across cloud, container, developer, productivity, and financial environments — a multi-surface worming behavior that’s unusual for credential theft toolkits.
- vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution — The Hacker News — A dozen critical bugs disclosed in the vm2 sandboxing library, widely used to run untrusted JavaScript, allow attackers to escape and execute arbitrary code on the host.
- ‘TrustFall’ Convention Exposes Claude Code Execution Risk — Dark Reading — Researchers show malicious repositories can trigger code execution in Claude Code, Cursor CLI, Gemini CLI, and Copilot CLI with minimal or no user interaction because the tools' warning dialogs are weak.
- Fake Claude AI website delivers new ‘Beagle’ Windows malware — BleepingComputer — A look-alike Claude AI site distributes a malicious “Claude-Pro Relay” download that installs Beagle, a previously undocumented Windows backdoor.
- PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux — The Hacker News — Three PyPI wheels covertly deliver a previously unknown malware family, ZiChatBot, that uses Zulip APIs for command-and-control on both Windows and Linux.
- Australia warns of ClickFix attacks pushing Vidar Stealer malware — BleepingComputer — The Australian Cyber Security Centre is warning of an ongoing campaign that uses the ClickFix social-engineering technique to install the Vidar info-stealer at scale.
- World’s First AI-Driven Cyberattack Couldn’t Breach OT Systems — Dark Reading — The most sophisticated AI-integrated campaign observed to date reached a SCADA login screen and stalled there — a useful counterpoint to the hype around AI-driven attacks on OT environments.
- Mozilla says 271 vulnerabilities found by Mythos have “almost no false positives” — Ars Technica — Mozilla says it has “completely bought in” on AI-assisted bug discovery after Anthropic’s Mythos surfaced 271 high-severity Firefox vulnerabilities with extremely few false positives.
Policy & Compliance
- Smart Glasses for the Authorities — Schneier on Security — ICE is developing its own smart-glasses platform with facial recognition tied to multiple government databases — a notable expansion of in-the-wild law-enforcement biometrics.
- Has CISA Finally Found Its New Leader in Tom Parker? — Dark Reading — Reporting on rumors that boardroom operator and longtime cyber executive Tom Parker is the leading candidate to take over CISA, with implications for federal cybersecurity priorities.
- Americans sentenced for running ‘laptop farms’ for North Korea — BleepingComputer — Two U.S. nationals received 18-month sentences for operating laptop farms that helped North Korean IT workers fraudulently gain remote employment at nearly 70 American companies — continuing enforcement against the DPRK IT-worker scheme.
- Can the GPC standard eliminate consent banners in the EU? — ArXiv cs.CR — Examines whether the Global Privacy Control standard can satisfy GDPR/ePrivacy consent requirements and replace the ubiquitous EU cookie banner ecosystem.