This Week in Brief
Week 21, covering the window from 12 May through 19 May. The news pipeline has been down across this period, this issue is researched directly through the local SearXNG instance against open-source reporting. The defining stories are an actively exploited Exchange OWA flaw arriving inside the same Patch Tuesday cycle that supposedly had no zero-days, Anthropic’s quiet but consequential change to the Mythos disclosure policy that lets Project Glasswing partners share AI-found vulnerabilities more broadly, and the Coinbase Cartel’s listing of Grafana with Grafana publicly refusing the ransom on day two. The Mini Shai-Hulud worm strikes npm and PyPI again, MuddyWater’s Q1 espionage campaign turns out to be broader than first reported, and Stortinget’s Epstein commission of enquiry held its first session on 5 May with the work now underway. EU AI Act enforcement starts 2 August 2026, seventy-five days out at the close of this issue.
Security
Exchange OWA XSS Actively Exploited (CVE-2026-42897)
On 14 May, Microsoft disclosed CVE-2026-42897, a cross-site scripting flaw in on-premise Exchange Server affecting Outlook Web Access. CVSS 8.1, described by Microsoft as a spoofing bug stemming from XSS, exploit vector is a specially crafted email sent to an OWA user. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on 15 May, the same week Microsoft’s May Patch Tuesday cycle was billed as containing no zero-days. Microsoft now urges all organisations running on-premise Exchange to enable emergency mitigation immediately.
The compounding detail is that the Patch Tuesday wrap-up on 13 May said no zero-days were disclosed in that cycle, and the Exchange OWA flaw landed publicly on 14 May, a one-day gap that left defenders briefly believing they had a quiet month. CVE-2026-32201, a SharePoint RCE confirmed exploited before the patch release, was the other late-arriving exception. Microsoft Patch Tuesday telemetry for May 2026 includes 120 flaws across the planned cycle, 17 marked Critical.
Operational read: any externally reachable on-premise Exchange OWA endpoint should be treated as actively targeted until proven otherwise. Apply the May Exchange security update immediately, enable the Microsoft emergency mitigation, audit OWA logs for the period 8 to 15 May for crafted-email patterns. Out-of-band, this is the third critical Exchange flaw in eighteen months that has reached active exploitation before broad patching, the structural answer continues to be Exchange Online migration or a hardened reverse proxy that scrubs HTML in OWA-bound mail before delivery.
Anthropic Loosens Mythos Disclosure on Project Glasswing
On 19 May, Anthropic announced a change to the disclosure policy governing Project Glasswing and its underlying Mythos model. Glasswing is Anthropic’s programme for using AI to find zero-day vulnerabilities in critical software infrastructure, the model has been credited with finding flaws in FFmpeg, OpenBSD, and the Linux kernel. Forty plus organisations that build or maintain critical software now have Glasswing access for scanning first-party and open-source systems. Anthropic has committed up to $100 million in usage credits to the programme.
The change this week is that Mythos partners are now permitted to share findings more broadly under coordinated disclosure norms. The earlier posture required tighter Anthropic-mediated handling of every finding, the new posture moves Glasswing closer to the open-research model that maintains downstream patch velocity. Norway’s NSM published an assessment of Mythos on 12 May noting that the model is not yet publicly available but is known to the security community through press coverage and the FFmpeg, OpenBSD, and Linux disclosures.
The frame for FTRCRP readers: the question of who gets to see AI-found zero-days before the patch ships is one of the live policy questions of the regulated-AI period. Anthropic’s policy shift is a small step toward the open-disclosure end of that spectrum, the Mythos infrastructure is now closer to a force-multiplier for the OSS security community than to a private vulnerability stockpile.
Coinbase Cartel Lists Grafana, Grafana Refuses
On 15 May, the data-extortion group Coinbase Cartel listed Grafana Labs on its leak site. Grafana confirmed the breach on 16 May, the attackers stole a portion of Grafana’s source code repository and demanded a ransom. Grafana publicly refused the ransom on the same day and committed to no payment. The Cartel’s response was a public threat, “we can cause you more damage than you would ever imagine”, but as of writing no data has been leaked.
FortiGuard’s assessment of Coinbase Cartel attributes the group to affiliates from ShinyHunters, Scattered Spider, and Lapsus$, three of the most active data-extortion brands of the past three years. The group is also developing ESXi-targeted ransomware, suggesting a coming shift to double-extortion. No relationship to the Coinbase exchange beyond the borrowed brand name.
The Grafana posture, public refusal on day two, is the right posture and the one too few breached vendors take. Refusing the ransom denies the criminal cycle its operational reward, accepts the reputational hit in the short term, and forces the threat actor to either prove damage or fold. The vendor calculus is also rational, paying does not guarantee suppression of the stolen data and creates a documented willingness to pay against the next attempt. Watch the next two weeks for whether Coinbase Cartel publishes, that signal feeds back into the broader market discipline on ransom payment.
Mini Shai-Hulud Strikes Again, 170+ npm Packages Compromised
On 11 May, a coordinated supply chain attack hit npm and PyPI. 170 plus npm packages and 2 PyPI packages were compromised, totalling 404 malicious versions. Affected namespaces include TanStack, Mistral AI, and Guardrails AI. Mistral AI published two advisories confirming impact on its npm and PyPI packages. Attribution to a group called TeamPCP, branding the attack as a follow-on to the original Shai-Hulud worm.
The pattern follows the Shai-Hulud playbook from 2025, compromise the maintainer credential, publish a malicious version, the worm payload exfiltrates secrets from the build environment and uses them to attack the next maintainer’s account. The mini prefix marks a smaller blast radius than the original Shai-Hulud event but a larger one than any of the intervening copycats.
Operational read: anyone running automated builds against npm or PyPI in the window 11 to 14 May should audit for the affected version pins, rotate any secrets that touched the build environment, and verify the SHA-256 checksums of installed package versions against the registries’ current canonical hashes. The structural answer remains the same as it was after the original Shai-Hulud, version pinning by hash not name, secrets isolation in the build environment, package-mirror review before promotion to production.
MuddyWater Q1 Espionage Wider Than First Reported
QuoIntelligence and BleepingComputer reporting on 13 May names MuddyWater (Seedworm, Static Kitten) as the actor behind a Q1 2026 espionage campaign that breached at least nine high-profile organisations across nine countries, including a major South Korean electronics manufacturer. The footprint is broader than the Teams plus Chaos ransomware false-flag campaign the group was running through March, and broader than the CISA AA26-097A advisory captured at the time.
This is the follow-up to the MuddyWater developments brief published 13 May. The pattern that’s holding through 2026 is MuddyWater operating across both genuine cyber-espionage and decoy ransomware operations, with the false-flag deployments serving to obscure the espionage intent. For Norwegian institutional readers, the operational concern remains that any organisation positioned at the intersection of energy, telecoms, defence-adjacent manufacturing, and Middle East policy commentary should treat MuddyWater as a baseline-active threat for the rest of 2026.
Continuing, ChipSoft, SharePoint, Trellix, Linux KEV, PAN-OS
Carry-forward items from issue 016, status updates this week.
- ChipSoft (Netherlands) — operations still degraded at affected Dutch hospitals, no claimed responsibility. The silence pattern continues.
- CVE-2026-32201 (SharePoint) — KEV deadline expired 28 April. Now compounded by CVE-2026-42897 above, any organisation with both unpatched Exchange and unpatched SharePoint is in active double-vulnerability territory.
- Trellix source-code breach — no published downstream advisories yet, vendor still working with forensic experts.
- CVE-2026-31431 (Linux kernel LPE) — federal remediation deadline ongoing, no public exploit kits seen yet but exploitation continues per CISA.
- CVE-2026-0300 (PAN-OS Captive Portal RCE) — Palo Alto continues to push customers to apply the mitigation, exploitation continues in the wild.
Regulatory and Policy
EU AI Act, Seventy-Five Days to Enforcement
The 2 August 2026 enforcement date for the EU AI Act’s high-risk obligations is now seventy-five days out at the close of this issue. Latham & Watkins published an enforcement update on 14 May noting that the European Commission has resolved to change selected rules and extend selected deadlines, the structural framework holds, the operational compliance dates for high-risk systems and for Article 50 transparency apply from 2 August. Reddit’s r/artificial discussion frames the impact correctly, any team building AI agents for European clients in credit scoring, recruitment filtering, healthcare triage, or education assessment has the next seventy-five days to land their conformity assessment, fundamental rights impact assessment, and Article 26 deployer documentation.
For FTRCRP work that touches institutional deployment, the Article 50(4) transparency obligation on AI-generated text published to inform the public is the live one. Editorial responsibility carve-out applies where a natural or legal person holds editorial responsibility, but the safer move for any organisation publishing AI-assisted content is explicit disclosure regardless. The framework is permissive of mature deployer practice, hostile to opacity.
Datatilsynet, Webinar on Public-Sector AI Chatbots
On 13 May, Norway’s Datatilsynet announced a webinar titled Trygg chat med offentlig bot, safe chat with a public bot. The session targets public-sector deployers of customer-facing AI chatbots and frames the operational compliance posture under personopplysningsloven and the incoming AI Act. The webinar landing page sits at datatilsynet.no/aktuelt/aktuelle-nyheter-2026/. For Norwegian institutional deployers, this is the closest thing to operational guidance Datatilsynet has published on AI-mediated public services, worth catching the recording when published.
Dutch DPA Fines Yango €100 Million on Russia Transfers
On 8 May, the Dutch Autoriteit Persoonsgegevens fined MLU B.V., the operator of the Yango ride-hailing app, €100 million for unlawful transfers of personal data to Russia. Schrems II reasoning, GDPR Article 44 and 46, no adequacy decision in place for Russia and no adequate safeguards demonstrated. The size of the fine and the geopolitical context combine to make this the most significant European data-protection enforcement action of 2026 so far. Norwegian Datatilsynet’s adequacy-equivalent analysis is reportedly referenced in the Dutch decision.
DOJ Epstein Archive
The DOJ Epstein archive is now displayed at scale in a New York exhibition opened this week, 3.5 million pages presented as the full released set per the Department of Justice’s consolidated disclosure page. The Guardian profiled Tommy Carstensen on 19 May as the operator of the most sophisticated public archive of the DOJ-released materials, alongside Tristan Lee’s face-recognition database for cross-referencing identifiable individuals across the archive.
The Stortinget commission of enquiry on the Norwegian-Epstein thread held its first meeting on 5 May with President Masud Gharahkhani and the named delegates. The work is underway and the next public update is expected in the next two to three weeks per Stortinget’s standard committee cadence. The Nordic OCR scanner remains down across this digest period, the data-collection slack is being filled by Carstensen’s archive and Lee’s face database upstream.
Conflicts
Hormuz, No New Escalation Step
The “shoot and kill” order against mining-equipped Iranian small craft remains in force. Commercial traffic through the Strait remains effectively paused. Insurance pricing holds at war-risk premium levels. Islamabad talks have not restarted across the period. Iranian maximalist demands stand unchanged.
Israel-Lebanon, Ceasefire Tactically Strained
The three-week ceasefire extension has held into week 21 on paper. Limited tactical exchanges continue with no major escalation step. Hezbollah targeting remains the most likely flashpoint into the next reporting period.
Climate Cost Tracking
The Climate and Community Institute’s carbon-cost quantification continues to surface in European environment-ministry briefings. Arms-export licensing debates in three EU member states have cited the analysis directly across the period.
By the Numbers
| Category | This-week scope |
|---|---|
| CVE-2026-42897 CVSS score | 8.1 |
| Days between Microsoft disclosure of OWA XSS and CISA KEV addition | 1 |
| Microsoft May Patch Tuesday flaws fixed | 120 |
| Of which marked Critical | 17 |
| Mini Shai-Hulud compromised npm packages | 170+ |
| Mini Shai-Hulud malicious versions published | 404 |
| Anthropic Glasswing partner organisations | 40+ |
| Anthropic usage-credit commitment to Glasswing | $100M |
| Coinbase Cartel ransom demand against Grafana | refused day 2 |
| MuddyWater Q1 victim organisations (confirmed) | 9 |
| MuddyWater Q1 victim countries | 9 |
| Days to EU AI Act high-risk enforcement (from 2026-05-19) | 75 |
| Dutch DPA fine on Yango for unlawful Russia transfers | €100M |
| DOJ Epstein archive (NY exhibition release set, pages) | 3,500,000 |
| Stortinget Epstein commission first meeting | 2026-05-05 |
What to Do This Week
- Patch on-premise Exchange. CVE-2026-42897 is actively exploited via crafted email against OWA. Apply the May Exchange security update, enable Microsoft’s emergency mitigation, audit OWA mail processing logs for 8 to 15 May for anomalies. Any externally reachable on-premise OWA should be treated as actively targeted.
- Audit npm and PyPI dependencies installed 11 to 14 May. The Mini Shai-Hulud event hit TanStack, Mistral AI, and Guardrails AI namespaces among others. Rotate any secrets that touched the build environment in that window, verify installed package hashes against the current canonical registry hashes, move to hash-pinning for any production-critical dependencies.
- Read Anthropic’s updated Mythos disclosure policy. For any organisation maintaining open-source software the Mythos partners may now legitimately approach, the engagement pattern is changing. Coordinate disclosure protocols should reflect the new looser sharing posture.
- Apply Grafana’s posture lesson. If your organisation faces a future data-extortion claim, the day-two refusal is the right posture. Bake the decision into the incident-response plan now, not during the incident.
- EU AI Act conformity work, last seventy-five days. Any high-risk deployer not yet through Article 26 documentation, fundamental rights impact assessment, and Article 50(4) disclosure framing should treat this as the final operational window before 2 August enforcement.
- Datatilsynet webinar. Norwegian institutional deployers should plan to catch the Trygg chat med offentlig bot recording when published.
- MuddyWater baseline-active posture. Any Norwegian organisation at the intersection of energy, telecoms, defence-adjacent manufacturing, or Middle East policy commentary should treat MuddyWater as a year-long active threat. Detection focus on the Teams plus Chaos ransomware false-flag pattern, the espionage payload sits behind the visible noise.
FTRCRP Security Digest. The news pipeline has been down across this period, this issue was researched directly against the local SearXNG instance over the week of 12 to 19 May. Sources, open-source reporting including BleepingComputer, The Hacker News, Help Net Security, SecurityWeek, CISA KEV, Microsoft Security Response Center, Anthropic, QZ, FortiGuard, QuoIntelligence, The Guardian, Stortinget, NSM, Datatilsynet, Latham & Watkins, Help Net Security. Pipeline rebuild expected for issue 018. Issue 017, week 21, 2026-05-19