Security Digest — 2026-05-13

A relatively calm Patch Tuesday (no zero-days, but 120+ Microsoft fixes) is overshadowed by an ongoing Shai-Hulud-style supply-chain spree across npm and PyPI, fresh critical Linux kernel bugs, and a wave of research probing how LLM agents fail when adversaries get inside the toolchain.

AI Security Research

SecureForge: Finding and Preventing Vulnerabilities in LLM-Generated Code via Prompt Optimization — ArXiv cs.CR. Even frontier coding agents reliably emit exploitable code at scale; the authors use automated prompt optimization to drive down vulnerability rates without retraining the model.
LITMUS: Benchmarking Behavioral Jailbreaks of LLM Agents in Real OS Environments — ArXiv cs.CR. Introduces a benchmark for “behavior jailbreaks” — adversarial prompts that cause agents to take dangerous actions in real operating systems, distinct from content-safety jailbreaks.
Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills — ArXiv cs.CR. Shows that LLM coding agents can be nudged into recommending and installing attacker-controlled packages through poisoned skills, extending supply-chain risk into the model’s planning layer.
BadDLM: Backdooring Diffusion Language Models with Diverse Targets — ArXiv cs.CR. First systematic backdoor attack against diffusion language models, demonstrating that the parallel/bidirectional generation paradigm inherits — and in some cases amplifies — the trojan risks known from autoregressive LLMs.
Removing the Watermark Is Not Enough: Forensic Stealth in Generative-AI Watermark Removal — ArXiv cs.CR. Argues current watermark-removal evaluations miss the point: a stripped image can still betray that tampering occurred, and truly forensic-stealthy removal is much harder than benchmarks suggest.
Usability as a Weapon: Attacking the Safety of LLM-Based Code Generation via Usability Requirements — ArXiv cs.CR. Innocuous “make it easier to use” prompts measurably degrade the security posture of model-generated code, turning UX requests into a stealth jailbreak vector.
From Storage to Steering: Memory Control Flow Attacks on LLM Agents — ArXiv cs.CR. Demonstrates that an attacker who can write to an agent’s persistent memory can hijack its future tool-selection control flow, not just its outputs.

Vulnerabilities & Exploits

Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days — BleepingComputer. First Patch Tuesday in two years with no exploited zero-days, but 120 fixes (nine critical) still demand prompt rollout across Windows, Office, and Azure components.
Copy.Fail Linux Vulnerability — Schneier on Security. A local-privilege-escalation bug in the Linux kernel crypto API (AF_ALG sockets + splice) lets attackers write arbitrary kernel memory four bytes at a time; Schneier calls it the worst Linux flaw in years and a working PoC is public.
Linux bitten by second severe vulnerability in as many weeks — Ars Technica. On the heels of copy.fail, distros are racing out production patches for a second high-severity kernel issue — admins should treat this as back-to-back emergency patching.
Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator — BleepingComputer. Two critical bugs allow arbitrary command/code execution on appliances that typically sit on management networks; Fortinet has shipped patches.
SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA — BleepingComputer. SAP’s May bundle addresses 15 issues, including two criticals in the Commerce Cloud and S/4HANA ERP stacks that enterprises run as crown-jewel systems.
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages — BleepingComputer. Hundreds of npm and PyPI packages — including from TanStack, Mistral AI, UiPath, and Guardrails AI — were trojanized with credential-stealing payloads in a fresh wave of the self-propagating Shai-Hulud worm.
RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded — The Hacker News. RubyGems paused account creation while it cleans up what maintainers described as a “major malicious attack” that flooded the registry with hostile packages.
Hugging Face Packages Weaponized With a Single File Tweak — Dark Reading. Researchers showed a tokenizer-library file inside Hugging Face models can be silently modified to hijack model outputs and exfiltrate data — extending supply-chain risk into the model-weights distribution path.
Google says it stopped a mass cyberattack after AI was used to discover a zero-day exploit — The Decoder. Google’s Threat Intelligence Group reports the first documented case of an attacker using AI to find and weaponize a zero-day, and notes Chinese, North Korean, and Russian state actors are now doing the same.
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak — The Hacker News. The Canvas LMS parent confirms it paid an extortion group after attackers threatened to leak 3.65 TB of data spanning thousands of schools and universities — a rare public admission of payment.

Policy & Compliance

UK fines water supplier $1.3M for exposing data of 664k customers — BleepingComputer. The ICO penalized South Staffordshire Water £963,900 for the cyberattack that exposed 663,887 customer and employee records, signaling continued regulator appetite for fining critical-infrastructure operators after breaches.
GM agrees to $12.75M California settlement over sale of drivers’ data — BleepingComputer. California AG Rob Bonta extracted a $12.75M settlement from GM over alleged CCPA violations tied to telematics data sold to third parties — a notable CCPA enforcement benchmark for connected-vehicle data.
OpenAI Launches Daybreak for AI-Powered Vulnerability Detection and Patch Validation — The Hacker News. OpenAI’s new Daybreak initiative pairs frontier models with its Codex Security agent to build per-organization threat models and validate patches, positioning AI vendors as defensive-tooling suppliers as offensive AI use rises.
iOS 26.5 Brings Default End-to-End Encrypted RCS Messaging Between iPhone and Android — The Hacker News. Apple is rolling out E2EE for RCS in iOS 26.5 beta as part of a cross-industry push to replace SMS, closing one of the largest plaintext messaging gaps between iPhone and Android.
Why Agentic AI Is Security’s Next Blind Spot — The Hacker News. Argues that agentic AI is already executing tasks and consuming data in enterprise environments without meaningful security-team oversight, and pushes governance beyond policy into operational controls.
Signal adds security warnings for social engineering, phishing attacks — BleepingComputer. Signal is shipping in-app confirmations and contextual warnings to push back against the social-engineering campaigns increasingly aimed at high-value targets on the platform.