pgcrypto's Twenty-Year Debt, Storm-2949's Invisible Breach, and the @antv Worm

33:4910 scenes7 speakersBriefing

01 Cold Open: Twenty-Year-Old Code, An Invisible Breach, and a Self-Replicating Worm

Chapters

01Cold Open: Twenty-Year-Old Code, An Invisible Breach, and a Self-Replicating Worm

02Sponsor — Blue Cortex AI

03CVE-2026-2005: Twenty Years of Technical Debt, Now Weaponized

04CVE-2026-2005: The Cloud Exposure and the Financial Stakes

05Storm-2949: Breaching Azure Without Touching an Endpoint

06Storm-2949: Hardening SSPR and Building Detection You Don't Have Yet

07Mini Shai-Hulud @antv Escalation: One Account, Hundreds of Packages, a Self-Replicating Worm

08Mini Shai-Hulud: The Financial Picture and What to Do Right Now

09Triage: Foxconn/Nitrogen, THORChain, Vodafone/Lapsus$, and the M5 AI Exploit

10Synthesis: What Today's Threats Have in Common and What You Do Tomorrow Morning

Speakers

HalilAlexLenaJamesPierreTomasRafael

▶01Cold Open: Twenty-Year-Old Code, An Invisible Breach, and a Self-Replicating Worm00:00

HalilA twenty-year-old heap overflow in PostgreSQL now has a public exploit. An attacker just breached an entire Azure environment without touching a single endpoint. And a supply chain worm is republishing its own poison across npm, PyPI, and Composer — autonomously.

HalilWelcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.

HalilThree threads today. First: CVE 2026-2005 — a heap buffer overflow in PostgreSQL's pgcrypto extension, code that's been sitting in production databases for nearly two decades. There's a public proof-of-concept. The exploit path runs from any authenticated database user straight to OS command execution. We'll assess how bad this actually is and exactly who is exposed.

HalilSecond: Storm-2949. According to Microsoft's May 18 report, this threat cluster is doing something most detection stacks simply cannot see — abusing Self-Service Password Reset to pivot across SaaS, PaaS, and IaaS without deploying a single piece of malware. Your EDR is blind to this. We'll explain why and what to do about it.

HalilThird: the Mini Shai-Hulud campaign — we covered the early waves last week. Today's delta is significant. The @antv ecosystem. Hundreds of packages. A worm that validates stolen credentials and autonomously republishes poisoned packages. And roughly 1,800 GitHub staging repositories with Dune-themed names. We covered the TanStack and SAP waves. This is a material escalation.

HalilPlus triage on Foxconn, THORChain, and what looks like a potential Lapsus$ resurrection. Full agenda. Let's move.

▶02Sponsor — Blue Cortex AI02:12

HalilThis episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.

▶03CVE-2026-2005: Twenty Years of Technical Debt, Now Weaponized03:19

HalilAlex, walk us through the CVE 2026-2005 kill chain. pgcrypto — that's PostgreSQL's cryptographic extension, a contrib module that's been in the codebase for nearly two decades. The PoC is public. How bad is the actual exploit path?

AlexSo, the core flaw is a heap buffer overflow in pgp_parse_pubenc_sesskey — a function in the pgcrypto extension. Code that predates modern memory hardening by a long shot.

AlexThe chain: you feed malicious ciphertext into a pgcrypto function. That triggers the overflow, corrupts heap metadata, and you get a pointer leak — your ASLR bypass. From there, CurrentUserId manipulation gets you superuser context within PostgreSQL. Then COPY FROM PROGRAM, which is a standard PostgreSQL primitive that executes OS commands, gives you code execution as the database OS user.

HalilAnd the privilege requirement? Walk me through who can actually trigger this.

AlexThat's where I had to recalibrate. I initially flagged a concern about a specific vulnerable commit. But the official advisory is clear — CVSS 8.8, AV:N, AC:L, PR:L. Low privilege. Any authenticated database user with pgcrypto function access can trigger this.

LenaRight, and that PR:L designation is doing a lot of work here. In cloud-hosted PostgreSQL environments, application service accounts are authenticated by definition. You don't need a superuser to start this chain.

AlexExactly. And pgcrypto is enabled by default across RDS, Cloud SQL, and Azure Database for PostgreSQL — because customers demanded it for PCI-DSS field-level encryption workloads. So you're not hunting for an exotic extension. It's the baseline.

HalilJames, you pulled the official advisory. Affected versions?

JamesYeah, it's wide. Everything before 18.2, 17.8, 16.12, 15.16, and 14.21 is in scope. That covers four active major release trains. Ubuntu already issued USN-8072-1. RHEL and Debian are tracking it.

AlexPoC is public. Exploitation path is straightforward — craft malicious ciphertext, call a pgcrypto function, heap corruption follows. I'd expect mass scanning for exposed PostgreSQL ports within 48 hours. Exploit-as-a-service tooling within a week.

JamesPatch this hour. Not this week. This hour.

HalilAnd if you can't patch immediately?

JamesTwo things you can do right now. One — audit which database roles have pg_execute_server_program and revoke it from every non-essential account. That cuts off the COPY FROM PROGRAM escalation path. Two — if you're not actively using pgcrypto functions in your application, DROP EXTENSION pgcrypto. It's a contrib module, no restart required.

LenaHmm. And search your codebase for pgp_pub_encrypt, crypt, digest, hmac, gen_random_bytes before you drop it. If your app uses those, disabling breaks functionality.

JamesRight. Test in staging first. But don't let that slow you down on the privilege revocation — that's safe and immediate.

▶04CVE-2026-2005: The Cloud Exposure and the Financial Stakes07:47

HalilPierre — Alex updated his threat model. Cloud-hosted PostgreSQL, pgcrypto enabled by default, any authenticated user as the entry point. Give me the exposure numbers.

PierreLook, the cloud angle is what makes this a board-level conversation. We're talking AWS RDS PostgreSQL, Cloud SQL, Azure Database — all default-enable pgcrypto for compliance workloads. And the CVE covers versions 14 through 18, which is essentially every deployed cloud instance not on legacy 12 or 13.

PierreBest case: cloud providers push patches in 24 to 48 hours, enterprises with good dependency hygiene catch it fast. Maybe forty million dollars in incident response and credential rotation. Worst case — weaponization at scale, two-week patch lag — we're looking at four hundred to six hundred million in aggregate losses across financial services, SaaS, and healthcare.

HalilWow.

AlexAnd Pierre, the SQL injection angle is worth flagging explicitly. If an attacker has SQL injection on a cloud-hosted app connecting to a PostgreSQL instance with pgcrypto enabled, that authenticated restriction is meaningless. They're already in.

PierreExactly. SQL injection becomes instant host compromise. That's not a theoretical escalation path — that's a standard attack chain against web applications. For a Fortune 500 with fifty-plus PostgreSQL instances handling transaction data, you're looking at full environment rebuild, regulatory notification, and potential data exfiltration exposure.

JamesAnd the detection gap here is significant. Standard PostgreSQL logging won't catch the heap overflow exploitation itself. You need behavioral detection on COPY FROM PROGRAM execution and connection anomalies — that's a separate instrumentation layer most teams haven't deployed.

HalilWhat about longer-term governance? This can't be the last time pgcrypto bites someone.

JamesMedium-term — establish a PostgreSQL pgcrypto extension governance policy. If cryptographic functions aren't operationally required in a given environment, disable the extension. For environments where it is required, restrict function-level permissions to dedicated service accounts only. Don't let general application accounts touch pgcrypto directly.

LenaThat's the systemic fix. The immediate fix is still patch and revoke.

▶05Storm-2949: Breaching Azure Without Touching an Endpoint10:33

HalilLet's shift to Storm-2949. Lena, according to Microsoft's May 18 report, this threat cluster is achieving full cloud infrastructure compromise without deploying malware. Walk us through the chain.

LenaSo the chain starts with SSPR — Self-Service Password Reset — that's the Microsoft Entra ID feature that lets users reset their own credentials without calling IT. Storm-2949 social-engineers the victim through the SSPR flow, gets a credential reset, then registers a new MFA device.

LenaFrom that beachhead: Graph API directory enumeration — mapping the entire tenant's users, groups, roles. Then RBAC privilege escalation — Role-Based Access Control — to gain administrative roles. Then lateral movement into App Services, Key Vault, Storage accounts, SQL databases. ScreenConnect — a legitimate remote access tool — gets deployed for persistence.

HalilAnd the EDR blind spot?

LenaYour endpoint agent sees Microsoft Graph API calls as legitimate browser traffic. There's no malware to detect. SSPR abuse looks like legitimate user activity in standard Azure AD logs. Graph API enumeration looks like normal application usage. RBAC role assignments are standard administrative actions.

JamesThat's the core problem. This attack lives entirely in the identity layer. Your SOC needs to be watching Entra ID Protection alerts — not waiting for EDR to fire. EDR is simply not the right tool here.

HalilLena, motivation — financial or espionage?

LenaI assess financial with moderate confidence. The targeting pattern is IT personnel and senior leadership rather than strategic sector focus. No custom malware, shorter dwell times compared to espionage clusters. Post-compromise monetization via RMM deployment fits financial motivation.

LenaI'd contrast this with Octo Tempest — also known as G1015 — which uses SIM swapping and AADInternals for domain federation attacks. Storm-2949 doesn't appear to have the telecom vector. And Storm-2755, which is AiTM-heavy and targets payroll systems, diverges on the technical approach. So this looks like a distinct cluster, though I hold low confidence on whether it's a retool of an established group.

HalilThree egress IPs showing up consistently across victims — what does that tell you about the infrastructure?

LenaStructured rather than opportunistic. Consistency across multiple victims suggests this isn't improvised tooling. Someone is managing that infrastructure deliberately.

JamesHmm. And ScreenConnect is your persistence indicator. Legitimate deployments install in standard paths under Program Files. Adversary instances show up in AppData or Temp directories, randomized service names, egress to newly registered domains or direct IPs. That's your detection hook on the endpoint side.

▶06Storm-2949: Hardening SSPR and Building Detection You Don't Have Yet13:56

HalilJames, concrete hardening path for Storm-2949. Start with SSPR — what's the right configuration?

JamesFirst move: disable SSPR entirely for privileged accounts. In Entra ID — Password Reset, then Properties — use the Select Groups option to exclude your Privileged Role Administrators group. Global admins, User Access Administrators, Privileged Role Administrators should never be able to self-serve a credential reset.

JamesFor accounts where SSPR stays on: require minimum two authentication methods — phone plus email, not just one. Enable Combined Registration with notification to security team alternate contacts. And layer location-based Conditional Access — block SSPR from non-compliant devices or unfamiliar IP ranges.

LenaRight. And the PIM piece — Privileged Identity Management — that's where RBAC escalation fails. If target roles require time-bound activation, the attacker can't silently escalate. That's the structural fix for the privilege escalation step.

HalilDetection. You said standard Azure AD logs miss this. What does an SOC actually need to build?

JamesYou need Sentinel or Defender for Cloud Apps with custom KQL. The logic: correlate an SSPR event against a spike in Graph API calls — Get, List, Export actions — from the same account within a two-hour window. If you see more than one hundred Graph calls in that window post-SSPR, that's your trigger.

JamesTune the threshold per environment — the query runs about a twelve percent false positive rate from legitimate admin tools like PowerShell modules. Manageable for SOC triage.

HalilAnd the ScreenConnect detection rule?

JamesProcess command line events — filter for ScreenConnect where the path does not contain Program Files. Adversary installations appear in user AppData or Temp directories. Randomized service names are another signal. Build that rule with a 24-hour SOC response SLA — it's your persistence indicator.

LenaWorth verifying the ScreenConnect indicators directly against Microsoft's published IOC list from the May 18 report before operationalizing. Don't rely on secondary summaries for path-based execution blocks.

JamesAgreed. Primary source for IOCs, always. The detection logic holds — the specific indicator values need verification.

HalilPriority sequence for an organization that hasn't touched any of this yet?

JamesToday: disable SSPR for privileged accounts, deploy the ScreenConnect execution rule. This week: implement the Graph API enumeration query, roll out location-based Conditional Access for all SSPR flows. Scheduled: full PIM rollout for admin roles, quarterly RBAC access reviews. In that order.

▶07Mini Shai-Hulud @antv Escalation: One Account, Hundreds of Packages, a Self-Replicating Worm17:10

HalilMini Shai-Hulud. We covered the TanStack and SAP waves earlier this week. Today's delta is significant. Tomas, Rafael — the @antv escalation. What actually changed?

TomasSo the structural story is a single compromised maintainer account — the 'atool' maintainer account in the @antv ecosystem — and from that single trust failure, hundreds of interdependent packages fall. According to Socket.dev's analysis, we're looking at 323 packages and 639 compromised versions. That's not a collection of targeted attacks. That's a trust graph collapse.

RafaelAnd it's not just @antv scoped packages. The pivot chain extends to cross-namespace targets — timeago.js, size-sensor, canvas-nest.js. Plus echarts-for-react, which is the distribution mechanism everyone's citing, running around 1.1 million weekly downloads according to Socket.dev.

HalilWalk me through the worm behavior. How does it propagate autonomously?

TomasThe malware drops, harvests npm tokens from the environment, validates them against the registry API, enumerates every package owned by the victim's organization, then republishes those packages with the payload attached. Straight PUT requests to registry.npmjs.org — bypasses npm CLI tooling to avoid detection.

AlexRight. And the sophistication is in the operationalization, not the mechanics. Token validation plus republishing is straightforward Node.js scripting. What's clever is the triple-redundant C2 — typosquat domains, Session messenger P2P, GitHub dead drops — with certificate pinning. Same obfuscation patterns across TanStack, SAP, and now @antv waves. This is a consistent actor.

TomasSame scanner architecture, same credential regex set. And the credential harvest isn't just npm tokens. The payload goes after AWS keys, GCP credentials, Azure tokens, GitHub tokens, Kubernetes configs, Vault tokens, SSH keys, Docker auth. Everything a CI/CD pipeline touches.

HalilRafael, the GitHub staging infrastructure — roughly 1,800 repositories. What's the current status?

RafaelYeah, so — SANS ISC confirms the TeamPCP actor created approximately 1,800 malicious GitHub repositories using stolen credentials. Exfiltration pattern is consistent: AES-256-GCM encrypted data committed as JSON files under results directories, repositories using randomized Dune-themed names, hardcoded description reading 'A Mini Shai-Hulud has Appeared.'

RafaelHonestly, I cannot verify from open sources whether those repositories are still active. GitHub has likely burned them at scale. But here's the thing — the architecture is adaptive. The worm harvests GitHub tokens and can create new repos on demand. The surface is dynamic, not static.

TomasWhich is why hunting for the repository creation pattern matters more than hunting for specific known repos. Look for Dune-themed naming conventions and the reversed marker string in your GitHub organization's token usage logs.

HalilTomas, Composer expansion — that's new this wave.

TomasThe Packagist vector: intercom/intercom-php version 5.0.2 was compromised — that's a package with 20.7 million lifetime installs. Packagist uses mutable Git tags, which means a tag can be silently repointed to a malicious commit. PHP developers who locked to a tag, not a commit hash, pulled the payload without any version number change. That's the cross-ecosystem demonstration — this campaign shows fluency across npm, PyPI, and Composer.

AlexAnd the blast radius math isn't just download counts. A package with 1.1 million weekly downloads hitting developers who each maintain three to five other packages — that's geometric growth through credential cross-pollination between personal and organizational npm accounts.

▶08Mini Shai-Hulud: The Financial Picture and What to Do Right Now21:45

HalilPierre, put a number on the @antv escalation. What's the exposure look like?

PierreFlat-out catastrophic, honestly. echarts-for-react at roughly 1.1 million weekly downloads — that's a data visualization package, which means heavy enterprise React usage. Financial dashboards. Internal tooling. The kind of thing that's pulling external dependencies into production builds automatically.

PierreBest case: organizations with lockfile pinning caught this before dependency updates ran. Maybe five to eight thousand enterprises exposed, mostly caught at build-phase detection. One hundred fifty to two hundred fifty million dollars in credential rotation and pipeline sanitization.

PierreWorst case: fifteen to twenty-five thousand enterprises globally pulled malicious versions into builds. That's eight hundred million to one point five billion in aggregate exposure — credential theft cascading into cloud environment compromise, customer data breaches, supply chain second-order effects.

TomasAnd the timing matters. Socket.dev detected this within six to twelve minutes of the packages going live on the registry. That's fast. But CI/CD pipelines auto-pulling dependencies may have already ingested the payload before that detection window closed.

HalilJames, immediate response actions — what does an affected organization do right now?

JamesAudit CI/CD pipelines for @antv, echarts-for-react, timeago.js, size-sensor, and canvas-nest.js packages installed after May 19 of this year. Check against Socket.dev's published IOC list.

JamesIf you confirm any affected package in your environment — rotate everything. GitHub tokens, AWS keys, Kubernetes configs, Vault tokens, SSH keys, Docker auth. Don't triage which credentials might have been harvested. Assume all of them were and rotate all of them.

TomasAnd this is the moment to lock down your lockfiles. Pin to commit hashes, not version tags — especially in Composer environments after the Packagist mutable tag exploit. Tags can be repointed silently. Commit hashes cannot.

RafaelOne more thing — hunt for GitHub repository creation matching Dune-themed naming patterns in your environment. If any of those stolen tokens were from your organization's GitHub accounts, you may have staging repos you don't know about yet.

HalilYou're running four hundred transitive dependencies in production. How many of those maintainer accounts use MFA?

TomasThat's the question nobody wants to answer. One compromised maintainer account — the 'atool' account — collapsed hundreds of packages. You audited your twenty direct dependencies. You have twelve hundred transitive dependencies you've never looked at.

▶09Triage: Foxconn/Nitrogen, THORChain, Vodafone/Lapsus$, and the M5 AI Exploit24:58

HalilLena, you triaged the May 18 threat intelligence bundle while we were working through PostgreSQL. Walk the room through what's confirmed operational and what's still noise.

LenaSo, four items. Starting with Foxconn and the Nitrogen ransomware group — this one is confirmed operational. Nitrogen has claimed to have stolen 8 terabytes of data containing 11 million documents from Foxconn, including material from major tech clients.

HalilWait — Apple, Nvidia, Intel, Google client data?

LenaThose are the names appearing in threat actor claims. I want to be precise here — these are unverified assertions from the threat actor at this stage. High-priority for supply chain defenders in semiconductor and electronics manufacturing. Monitor Nitrogen's leak site for independently confirmed data publication before treating client names as verified.

PierreFoxconn manufactures components for essentially every major tech hardware company on the planet. If that data is genuine and gets published, the downstream exposure — intellectual property, component specifications, contract terms — is significant.

LenaAgreed. Flag and monitor. Second item: THORChain bridge exploit — that's a decentralized exchange bridge — confirmed operational, one of six vaults affected. Specific loss figures vary across sources. Lower priority for general enterprise unless you're holding RUNE or operating DeFi infrastructure.

HalilAnd Lapsus$? Because that's the one I don't want to gloss over.

LenaVodafone, claimed May 2026. Approximately 7.1 gigabytes — source code and repository structure information tied to multiple Vodafone applications. Law enforcement made significant arrests in 2023 — UK detentions and Brazilian arrests. This is a potential re-emergence of remaining members, not the full group.

LenaLapsus$ was exceptionally disruptive. They pioneered the cloud-native, identity-first extortion approach — social engineering, no custom malware, rapid pivoting across cloud infrastructure. Sound familiar? There's a thematic connection to Storm-2949's tradecraft worth watching.

HalilHmm. That parallel is worth flagging. What about the AI-assisted macOS M5 kernel exploit? Because I want to make sure we separate that from the GTIG story we covered on the sixteenth.

LenaCompletely separate. The Apple M5 Memory Invasion Error bypass — the MIE bypass — is independently sourced from researcher Calif's disclosure on May 15. Currently under embargo. GTIG's earlier story involved criminals using AI for a web admin tool exploit — different actor, different AI model, different platform entirely. The M5 research targets Apple's Memory Integrity Enforcement, combining hardware-level memory protections. High research significance. Not observed in the wild. Treat it as an emerging capability, not an active threat.

HalilGood. Clean separation on that one. Covered it on the sixteenth — today's answer is it's still under embargo and not ITW.

▶10Synthesis: What Today's Threats Have in Common and What You Do Tomorrow Morning28:29

HalilLet me pull this together. Because when you lay today's three primary threats side by side, there's a pattern worth naming.

HalilCVE 2026-2005 — twenty years of code sitting in databases globally, now weaponized because nobody inventoried a default-enabled extension. Storm-2949 — a complete organizational breach executed entirely through legitimate cloud features that your EDR cannot see. Mini Shai-Hulud @antv — hundreds of packages compromised through a single maintainer account that propagated autonomously across three package registries.

HalilThe common thread: trust assumptions that were reasonable years ago and are now exploitable conditions. Default-enabled extensions. Self-service identity features without guardrails. Package registries where maintainer account security is a first-order risk nobody is treating as one.

JamesAnd none of these are novel attack classes. What's changed is the operationalization — public PoC, refined social engineering chains, autonomous credential harvesting. The defenders who are behind are behind on hygiene, not on understanding new attack theory.

TomasYeah. The 'atool' maintainer account compromise is the third wave of this same campaign in two weeks. After TanStack, after SAP — if you haven't audited your transitive dependency graph, you've had three chances and missed them all.

LenaAnd the Lapsus$ re-emergence signal, combined with Storm-2949's very similar tradecraft, suggests the identity-first cloud breach model isn't going away. It's getting refined. Organizations still anchored to endpoint-centric detection are going to keep getting hit.

HalilAction items. Three things for tomorrow morning. One: PostgreSQL. Audit every deployment for pgcrypto. Revoke pg_execute_server_program from non-essential accounts today. Patch to the fixed versions per the official advisory at postgresql.org. If you can't patch immediately, drop the extension where it's not operationally required.

HalilTwo: Entra ID. Disable SSPR for privileged accounts. Require two authentication methods for self-service flows. Deploy PIM for administrative role activations. Build the Graph API enumeration detection in Sentinel. Verify ScreenConnect indicators against Microsoft's May 18 report before blocking.

HalilThree: Supply chain. Audit CI/CD pipelines for @antv packages installed after May 19. If confirmed — rotate all credentials, no triage, all of them. Pin lockfiles to commit hashes. Hunt for Dune-themed repository creation patterns in your GitHub org. Check Socket.dev's published IOC list.

HalilWhat we're watching tomorrow: whether cloud providers have released patched PostgreSQL versions across RDS, Cloud SQL, and Azure Database. Whether the Nitrogen ransomware group publishes Foxconn data that independently confirms the client names they've claimed. And whether the Vodafone/Lapsus$ source code leak triggers follow-on activity from remaining members.

HalilThat's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.

Episodes

Wed20May

Exploitation Overtakes Credentials: The DBIR Inflection Point

34:4711 sc

Tue19May

pgcrypto's Twenty-Year Debt, Storm-2949's Invisible Breach, and the @antv Worm

33:4910 sc

NOW PLAYING

Mon18May

47 Zero-Days, No Patches: Pwn2Own Berlin's Reckoning

30:2910 sc

Sun17May