May 12, 2026 by sig9
Hacker Wars - May 12, 2026
Your daily dose of infosec chaos
Supply chain attacks are having a banner week, SAP admins are losing sleep, and your car might be snitching on your driving habits. Grab your coffee and let’s dive in.
Shai-Hulud Worm Devours npm and PyPI Supply Chain
A self-propagating worm dubbed Shai-Hulud has torn through hundreds of packages on npm and PyPI, embedding signed credential-stealing malware into popular developer dependencies. The attack leveraged package signing to appear legitimate, making detection significantly harder than your typical typosquat. If your CI/CD pipeline pulled TanStack or Mistral-related packages recently, assume compromise.
What to do: Audit your dependency lockfiles immediately and rotate any credentials that were present in build environments.
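A lockfile audit for the npm side can be scripted. The sketch below is an added example, not code from the bulletin or from any advisory: it walks a package-lock.json (both the flat "packages" layout and the older nested "dependencies" tree) and reports every pinned copy, transitive ones included, that matches an advisory list. The ADVISORY entries and the sample lockfile are constructed placeholders; substitute the package and version pairs from the advisory you are working from.

```python
import json

# Constructed advisory data: replace with the package/version pairs from the
# advisory you are responding to. These names are placeholders, not real IoCs.
ADVISORY = {
    "@example-scope/router": {"1.4.2", "1.4.3"},
    "example-llm-client": {"0.9.1"},
}

def iter_locked(lock):
    """Yield (name, version, path) for every entry in a parsed package-lock.json."""
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path or "version" not in meta:
                continue  # "" is the root project; link entries carry no version
            # "node_modules/a/node_modules/@s/b" -> "@s/b"
            name = meta.get("name") or path.rpartition("node_modules/")[2]
            yield name, meta["version"], path
    else:  # lockfileVersion 1: nested "dependencies" tree
        stack = [("", lock.get("dependencies", {}))]
        while stack:
            prefix, deps = stack.pop()
            for name, meta in deps.items():
                path = f"{prefix}/{name}".lstrip("/")
                if "version" in meta:
                    yield name, meta["version"], path
                stack.append((path, meta.get("dependencies", {})))

def audit(lock_text, advisory=ADVISORY):
    """Return sorted (name, version, path) hits, including transitive copies."""
    lock = json.loads(lock_text)
    return sorted(
        (n, v, p) for n, v, p in iter_locked(lock) if v in advisory.get(n, ())
    )

# Constructed sample lockfile: one direct hit, one nested transitive hit, one clean pin.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@example-scope/router": {"version": "1.4.2"},
        "node_modules/example-llm-client": {"version": "0.9.0"},
        "node_modules/some-tool/node_modules/example-llm-client": {"version": "0.9.1"},
    },
})

if __name__ == "__main__":
    for name, version, path in audit(SAMPLE_LOCK):
        print(f"AFFECTED {name}@{version} at {path}")
```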
SAP Patches Critical Flaws in Commerce Cloud and S/4HANA
SAP’s May 2026 security patches drop 15 fixes, including two critical vulnerabilities in Commerce Cloud and S/4HANA that could lead to remote code execution. These are enterprise-grade platforms handling sensitive financial and customer data, so the blast radius of an unpatched exploit is measured in “board presentations.” SAP rated the worst of them CVSS 9.8, which is basically “please patch this before lunch.”
What to do: Review SAP Security Note 3594521 and prioritize patching internet-facing Commerce Cloud instances.
GM Settles for $12.75M Over Selling Driver Data
General Motors agreed to pay $12.75 million to settle California CCPA violations after allegedly selling driver telemetry data without proper consent. The data reportedly included detailed driving behavior that was shared with insurance companies, which is a polite way of saying your car was a narc. This settlement is another reminder that connected vehicles are rolling surveillance platforms with cup holders.
What to do: Review your organization’s connected vehicle policies and check what data your fleet management tools actually collect and share.
GhostLock PoC Weaponizes Windows File API for Ransomware-Style Locking
A researcher released GhostLock, a proof-of-concept that abuses a legitimate Windows file API to lock access to local and SMB network files without encrypting them. This is a nasty twist on the ransomware playbook - no encryption means no decryption keys to negotiate, and traditional anti-ransomware tools won’t flag it. The technique essentially holds your files hostage using the OS’s own locking mechanisms.
What to do: Monitor for unusual file handle patterns and consider implementing behavioral detection rules for bulk file-locking operations.
FCC Softens Its Ban on Foreign-Made Routers
The FCC eased some restrictions and pushed back deadlines on its ban of foreign-manufactured routers, giving vendors more breathing room but keeping the core prohibition intact. The ban, driven by national security concerns over supply chain integrity in networking equipment, still targets routers from specific manufacturers deemed high-risk. If you thought replacing your infrastructure was expensive before, imagine doing it on a government-mandated timeline.
What to do: Inventory your network equipment and identify any affected foreign-manufactured routers before enforcement deadlines hit.
Catch you tomorrow. In the meantime, go check your attack surface.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown