ZeroFox Daily Intelligence Brief - May 13, 2026

ZeroFox Daily Intelligence Brief - May 13, 2026

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

• Foxconn Confirms Cyberattack on North American Operations
• Mini Shai-Hulud Attack Expands; TanStack and Mistral AI Compromised
• New TrickMo Banking Trojan Variant Uses TON Infrastructure to Evade Detection

Foxconn Confirms Cyberattack on North American Operations

Source: https://www.wired.com/story/foxconn-ransomware-attack-shows-nothing-is-safe-forever/

What we know: Taiwanese electronics manufacturer Foxconn has confirmed a cyberattack affecting its North American operations. The disclosure comes after the Nitrogen ransomware group claimed to have breached the company and stolen approximately 8 TB of data.

Context: The stolen data reportedly includes confidential instructions, internal project documentation, and technical drawings linked to major customers including Apple, NVIDIA, and Intel.

Analyst note: Given that Foxconn is a major electronics manufacturer for high-profile technology companies, this data, if sold or leaked, is likely to interest state sponsored actors, like those linked to North Korea or China. These actors are likely to leverage this sensitive information to accelerate hardware development and improve manufacturing capabilities.

Mini Shai-Hulud Attack Expands; TanStack and Mistral AI Compromised

Source: https://www.bleepingcomputer.com/news/security/shai-hulud-attack-ships-signed-malicious-tanstack-mistral-npm-packages/

What we know: TeamPCP’s self-spreading malware dubbed "Mini Shai-Hulud" has reportedly compromised TanStack, Mistral AI, and other widely used npm packages like Guardrails AI, UiPath, and OpenSearch, expanding its blast radius.

Context: Threat actors reportedly hijacked valid OpenID Connect (OIDC) tokens via the legitimate CI/CD pipeline to publish 84 malicious artifacts across 42 TanStack packages.Then they used stolen CI/CD credentials to spread to other projects reportedly affecting over 400 package artifacts across npm and PyPI. The campaign targets GitHub tokens, AWS keys, SSH credentials, and VS Code tasks, and Claude Code configurations, among others.

Analyst Note: TeamPCP’s stealer reportedly uses geofencing logic to skip Russian-language systems, while including a secondary wipe command targeting systems appearing to originate from Israel or Iran. Victims are likely to face credential theft and persistent compromise, as the malware embeds into Claude Code hooks and VS Code tasks.

New TrickMo Banking Trojan Variant Uses TON Infrastructure to Evade Detection

Source: https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html

What we know: A new version of the TrickMo banking trojan has been observed using The Open Network (TON) blockchain for command-and-control (C2) communications, targeting banking and cryptocurrency wallet users in France, Italy, and Austria. The activity was observed between January and February 2026.

Context: TON is a decentralized blockchain and networking platform supporting cryptocurrency transactions, decentralized applications, and peer-to-peer networking services. This malware strain reportedly adds secure shell tunnelling, SOCKS5 proxying, and network reconnaissance capabilities, enabling compromised Android devices to function as programmable network pivots and traffic-exit nodes for malicious activity.

Analyst Note: The use of TON-based infrastructure will likely make TrickMo’s C2 activity more resilient to disruption and more difficult for defenders to detect or block due to its reliance on decentralized networking services.

DEEP AND DARK WEB INTELLIGENCE

Exploit user shrouded_fang: Threat actor "shrouded_fang" has advertised an alleged internal dataset associated with the governments of Taiwan and the United States on dark web forum Exploit. The actor claims the dataset includes strategic and economic intelligence documents, including an anti-China sovereign drone supply chain assessment, and internal records related to the U.S.-Taiwan reciprocal tariff adjustments.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Microsoft's May 2026 patch Tuesday: Microsoft has released patches for 137 vulnerabilities, with no zero-days disclosed or exploited this month. The majority of the vulnerabilities involve elevation of privilege flaws, with notable critical remote code execution flaws also patched across Windows Netlogon, Microsoft Word, and the Windows DNS Client. Successful exploitation of these flaws is likely to enable threat actors to execute code remotely, and gain unauthorized access to compromised environments.

Affected products: Affected products are listed in this advisory.