ZeroFox Daily Intelligence Brief - May 12, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Strategic Terrain and Infrastructure Data Stolen From Russian Targets
  • Rogue Checkmarx Jenkins Plugin Used to Steal Developer Credentials
  • Threat Actors Used AI to Identify a Zero-Day Vulnerability

Strategic Terrain and Infrastructure Data Stolen From Russian Targets

Source: https://www.darkreading.com/vulnerabilities-threats/cyber-espionage-group-aviation-firms-steal-map-data

What we know: A threat group tracked as “HeartlessSoul” is reportedly targeting aerospace firms and drone operators through phishing and malvertising campaigns that deliver malware disguised as legitimate aviation software. The group is assessed to be focused on stealing geospatial and infrastructure data from Russian government and enterprise systems.

Context: HeartlessSoul reportedly stole geospatial mapping and GPS-related data, including Geographic Information System (GIS) shapefiles, digital terrain and elevation data, and proprietary mapping files from systems used for geographic and infrastructure analysis.

Analyst note: Given the type of data stolen, HeartlessSoul is very likely building detailed operational awareness of Russian infrastructure, terrain, and aviation activity to improve future targeting and mission planning.

Rogue Checkmarx Jenkins Plugin Used to Steal Developer Credentials

Source: https://www.bleepingcomputer.com/news/security/official-checkmarx-jenkins-package-compromised-with-infostealer/

What we know: Application security vendor Checkmarx has warned that the TeamPCP threat actors uploaded a malicious version of its Jenkins AST plugin to the Jenkins Marketplace. The actors compromised the company’s GitHub repositories using credentials stolen during the earlier Trivy supply-chain attack.

Context: The rogue plugin contains credential-stealing code and is part of an ongoing series of supply-chain compromises targeting developer tools and CI/CD environments. Users who installed it are advised to rotate every secret the affected Jenkins instance could reach, including stored credentials and tokens exposed to build jobs, and to investigate for persistence or lateral movement.

Analyst note: Access to trusted developer infrastructure likely enables TeamPCP to push malicious updates in further supply-chain attacks, tamper with build artifacts, and reach connected enterprise environments. Compromising trusted software infrastructure also likely gives the group visibility into development workflows, internal architectures, and security tooling that can be leveraged in future operations.
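As an added example of the investigation step recommended above, and not Checkmarx's or Jenkins' own tooling: a script that audits the plugins installed in a JENKINS_HOME against a pinned allowlist of short name, version and SHA-256, so that a plugin nobody approved, a plugin that moved to an unreviewed version, or a plugin whose bytes changed under an unchanged version string stands out. It assumes the standard .hpi/.jpi layout (a zip archive whose META-INF/MANIFEST.MF carries Short-Name and Plugin-Version); the allowlist and the plugin archives it builds are constructed for the demonstration, and real pins would come from your own change records.

```python
"""Added example (not Checkmarx's or Jenkins' code): audit installed Jenkins
plugins against a pinned allowlist of (short name, version, sha256)."""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Tuple


def parse_manifest(text: str) -> Dict[str, str]:
    # MANIFEST.MF wraps long values onto continuation lines that start with a space.
    attrs: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_plugin(path: Path) -> Tuple[str, str, str]:
    """Return (short name, version, sha256 of the archive as installed on disk)."""
    data = path.read_bytes()
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        manifest = parse_manifest(archive.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return (manifest.get("Short-Name", path.stem),
            manifest.get("Plugin-Version", "unknown"),
            hashlib.sha256(data).hexdigest())


def audit_plugins(plugins_dir: Path, allowlist: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map each installed plugin to a verdict: ok, unexpected (never pinned),
    version-drift, or hash-mismatch (pinned version string, different bytes)."""
    verdicts: Dict[str, str] = {}
    for archive in sorted(plugins_dir.glob("*.[hj]pi")):
        name, version, digest = inspect_plugin(archive)
        pinned = allowlist.get(name)
        if pinned is None:
            verdicts[name] = "unexpected"
        elif pinned[0] != version:
            verdicts[name] = "version-drift"
        elif pinned[1] != digest:
            verdicts[name] = "hash-mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts


def build_hpi(short_name: str, version: str, payload: bytes) -> bytes:
    # Constructed stand-in for a plugin archive; only the manifest matters here.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nShort-Name: {short_name}\nPlugin-Version: {version}\n")
        archive.writestr("WEB-INF/lib/plugin.jar", payload)
    return buf.getvalue()


def demo() -> Dict[str, str]:
    # Constructed plugins directory: hypothetical plugin names, not real ones.
    plugins = Path(tempfile.mkdtemp()) / "plugins"
    plugins.mkdir()
    approved = build_hpi("example-scanner", "3.1.0", b"reviewed build")
    (plugins / "example-scanner.hpi").write_bytes(approved)
    # Same version string as the pin but different contents: what a rogue
    # re-upload of an existing version looks like on disk.
    (plugins / "other-tool.jpi").write_bytes(build_hpi("other-tool", "1.0", b"tampered build"))
    (plugins / "newer-tool.hpi").write_bytes(build_hpi("newer-tool", "2.1", b"newer build"))
    (plugins / "unapproved.hpi").write_bytes(build_hpi("unapproved", "0.1", b""))
    allowlist = {
        "example-scanner": ("3.1.0", hashlib.sha256(approved).hexdigest()),
        "other-tool": ("1.0", hashlib.sha256(build_hpi("other-tool", "1.0", b"reviewed build")).hexdigest()),
        "newer-tool": ("2.0", "0" * 64),  # pinned hash is moot once the version differs
    }
    return audit_plugins(plugins, allowlist)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Point `audit_plugins` at a real `$JENKINS_HOME/plugins` with pins recorded at the last reviewed install and anything other than `ok` is a candidate for the secret rotation and persistence review above; a `hash-mismatch` with an unchanged version is the signature of a package replaced underneath you, which a version check alone will not show.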

Threat Actors Used AI to Identify a Zero-Day Vulnerability

Source: https://www.theregister.com/ai-ml/2026/05/11/google-says-criminals-used-ai-built-zero-day-in-planned-mass-hack-spree/5237982

What we know: Threat actors reportedly used AI to find a zero-day vulnerability in what Google describes as the first such instance. Researchers identified and quietly patched the flaw before the exploit was used in the wild.

Context: The flaw was a two-factor authentication bypass in a popular open-source, web-based administration platform. The accompanying Python exploit script reportedly showed signs of LLM authorship, including tutorial-style docstrings, a fabricated CVSS score, and polished, textbook-style code.

Analyst note: Threat actors are very likely using AI to increase the technical complexity, speed, and scale of cyberattacks, making capabilities such as zero-day discovery and exploitation, once limited to advanced actors, more accessible to lower-tier threat actors.

DEEP AND DARK WEB INTELLIGENCE

Breachforums[.]rs / PwnForums user mosad: Threat actor "mosad" has advertised an alleged classified report from the U.S. military’s Defense Advanced Research Projects Agency (DARPA) on dark web forums breachforums[.]rs and PwnForums. The actor claims that the stolen 199-page document details systemic weaknesses across autonomous weapons, sensor platforms, and command systems used by the U.S. military.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-42208: This is a critical SQL injection vulnerability in BerriAI's LiteLLM. The flaw resides in the proxy's API key verification process, where the key presented by the caller is passed unsanitized into database queries, enabling an unauthenticated attacker to manipulate those queries with a crafted request to any AI API endpoint. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Operators of an exposed LiteLLM proxy should upgrade past the affected range and review proxy access logs for authentication attempts whose key contains SQL metacharacters.

Affected products: BerriAI's LiteLLM versions 1.81.16 to 1.83.6
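As an added illustration of the vulnerability class this entry describes, and not LiteLLM's own code: a hypothetical API key verifier that builds its SQL by string interpolation, beside the parameterized form, run against a constructed SQLite key store. The table, key values and crafted input are assumptions for the example, and the injection-marker check is a generic hygiene filter rather than anything specific to the real flaw.

```python
"""Added illustration (not LiteLLM's code): API key verification that
interpolates the presented key into SQL, beside the parameterized form."""
import sqlite3
from typing import Optional, Tuple


def make_key_store() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the proxy's key database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, team TEXT, max_budget REAL)")
    conn.executemany(
        "INSERT INTO api_keys VALUES (?, ?, ?)",
        [("sk-team-alpha-0001", "team-alpha", 100.0),
         ("sk-team-beta-0002", "team-beta", 25.0)],
    )
    return conn


def verify_key_vulnerable(conn: sqlite3.Connection, presented: str) -> Optional[Tuple[str, str]]:
    # Vulnerable pattern: the untrusted bearer token becomes part of the SQL text,
    # so a key such as  ' OR '1'='1  turns the lookup into "match any row" and
    # the caller is authenticated as whichever key the database returns first.
    sql = f"SELECT token, team FROM api_keys WHERE token = '{presented}'"
    return conn.execute(sql).fetchone()


def verify_key_hardened(conn: sqlite3.Connection, presented: str) -> Optional[Tuple[str, str]]:
    # Hardened form: a bound parameter, so the token is data and never parsed as SQL.
    return conn.execute(
        "SELECT token, team FROM api_keys WHERE token = ?", (presented,)
    ).fetchone()


# Substrings that never appear in a genuine opaque proxy key (hypothetical list).
INJECTION_MARKERS = ("'", '"', ";", "--", "/*", " or ", " union ")


def key_looks_injected(presented: str) -> bool:
    # Hygiene check usable over access logs or in a request filter; it is a
    # triage aid, not a substitute for parameterized queries.
    lowered = presented.lower()
    return any(marker in lowered for marker in INJECTION_MARKERS)


CRAFTED_KEY = "' OR '1'='1"  # constructed attacker input


def demo() -> dict:
    conn = make_key_store()
    return {
        "vulnerable_accepts_crafted": verify_key_vulnerable(conn, CRAFTED_KEY) is not None,
        "hardened_accepts_crafted": verify_key_hardened(conn, CRAFTED_KEY) is not None,
        "hardened_accepts_real": verify_key_hardened(conn, "sk-team-alpha-0001") is not None,
        "crafted_flagged": key_looks_injected(CRAFTED_KEY),
        "real_flagged": key_looks_injected("sk-team-alpha-0001"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as written, the vulnerable lookup returns a row for the crafted key, so an attacker who knows no valid key is treated as an authenticated team, while the hardened lookup returns nothing for it and still accepts the genuine key. The same parameterization applies whichever database driver or ORM the proxy uses.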

Tags: DIB, TLP:GREEN