ZeroFox Daily Intelligence Brief - May 19, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- U.S. Public Health Giant Breached
- Shai-Hulud Worm Cloned After Source Code Release
- Public PoC Released for a Windows Privilege Escalation Zero-Day Vulnerability
U.S. Public Health Giant Breached
Source: https://www.securityweek.com/millions-impacted-across-several-us-healthcare-data-breaches/
What we know: The U.S. Department of Health and Human Services (HHS) recently added multiple data breaches to its breach tracker, affecting major healthcare entities including New York City Health and Hospitals Corporation (NYCHHC).
Context: The NYCHHC is reportedly the largest public health system in the United States. The breach affects 1.8 million individuals, exposing their personal information, health insurance details, medical records, biometric data, and financial information. Threat actors reportedly maintained undetected access from November 2025 to February 2026 via a compromised third-party vendor.
Analyst note: This is likely part of a broader campaign by financially motivated threat actors targeting healthcare entities, which have a low tolerance for disruption. The prolonged undetected access suggests the actors prioritized stealth over sudden disruption, potentially yielding insights into operational weaknesses that can later be bundled with stolen datasets and sold on illicit marketplaces.
Shai-Hulud Worm Cloned After Source Code Release
What we know: After Shai-Hulud's source code was briefly exposed on GitHub, a threat actor reportedly began weaponizing it to upload new malicious npm packages. Four rogue packages have been published by the npm user “deadcode09284814,” including a non-obfuscated Shai-Hulud clone targeting developer credentials, cloud secrets, cryptocurrency wallets, and account data.
Context: The malware reportedly exfiltrates stolen data to a command-and-control (C2) server at 87e0bbc636999b[.]lhr[.]life. Stolen credentials are uploaded to auto-generated GitHub repositories, while one package enables HTTP-, TCP-, and UDP-based DDoS attacks. The typosquatted and malicious packages identified include “chalk-tempalte,” “axois-utils,” “@deadcode09284814/axios-util,” and “color-style-utils.”
Analyst note: In the near term, several other threat actors are likely to similarly adapt the worm using its source code to launch fresh attacks. Open-source dependencies used in fintech, cryptocurrency, and software-as-a-service (SaaS) environments are likely to be increasingly targeted.
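As an added defensive check (not ZeroFox's tooling), the script below scans an npm package-lock.json for the four rogue package names listed above, plus anything published under the actor's npm scope, walking nested node_modules paths so transitive dependencies are caught too. The lockfile content and version numbers are constructed sample input, not real indicators.

```javascript
// Added example: flag the rogue packages named in this brief inside a
// lockfile. Package names are from the brief; everything else is constructed.
const ROGUE_PACKAGES = new Set([
  "chalk-tempalte",
  "axois-utils",
  "@deadcode09284814/axios-util",
  "color-style-utils",
]);
// Whole npm scope the actor publishes under: treat anything in it as suspect.
const ROGUE_SCOPE = "@deadcode09284814/";

// lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per matching entry: { name, version, path }.
function scanLockfile(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockPath(lockPath);
    if (!name) continue; // "" is the root project entry, not a dependency
    if (ROGUE_PACKAGES.has(name) || name.startsWith(ROGUE_SCOPE)) {
      findings.push({ name, version: meta.version, path: lockPath });
    }
  }
  return findings;
}

// Constructed sample lockfile: the legitimate chalk-template, one transitive
// typosquat, and one package from the rogue scope (versions are made up).
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk-template": { version: "1.1.0" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/axois-utils": { version: "0.0.3" },
    "node_modules/@deadcode09284814/axios-util": { version: "1.0.1" },
  },
});

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`ROGUE ${f.name}@${f.version} at ${f.path}`);
}
```

Point it at a real lockfile by replacing SAMPLE_LOCK with fs.readFileSync("package-lock.json", "utf8"); a lockfile v1 "dependencies" tree would need a separate walker.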
Public PoC Released for a Windows Privilege Escalation Zero-Day Vulnerability
Source: https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html
What we know: A proof-of-concept (PoC) exploit for a Windows privilege escalation zero-day, dubbed “MiniPlasma,” has been released. The flaw reportedly abuses the Windows Cloud Files Mini Filter Driver (“cldflt.sys”) to obtain SYSTEM-level access on fully patched Windows systems.
Context: The flaw reportedly affects the “HsmOsBlockPlaceholderAccess” routine and appears related to a vulnerability originally reported in 2020. The issue allegedly remains exploitable despite Microsoft previously addressing it under CVE-2020-17103, with successful exploitation demonstrated on fully updated Windows 11 systems.
Analyst note: The public release of a working PoC is likely to accelerate exploitation attempts, particularly by financially motivated threat actors such as ransomware operators and initial access brokers.
DEEP AND DARK WEB INTELLIGENCE
Spear user 303: Untested threat actor 303 has advertised the sale of an alleged one-click remote code execution (RCE) exploit targeting Apple macOS on dark web forum Spear. The actor claims the exploit affects macOS versions 10.11 and later, and grants root-level permissions upon a single interaction by the target.
VULNERABILITY AND EXPLOIT INTELLIGENCE
OpenClaw “Claw Chain” vulnerabilities: Four vulnerabilities in OpenClaw, collectively called “Claw Chain,” have been discovered. The flaws enable attackers to move from initial access to credential theft, privilege escalation, and persistent backdoor deployment. Each step exploits the agent's own legitimate privileges, making detection difficult for conventional security monitoring tools. Successful exploitation is very likely to result in full administrative control over the agent environment and long-term access to connected systems, credentials, and sensitive data.
Affected products: OpenClaw versions prior to April 23, 2026 (2026.4.22)
Tags: DIB, tlp:green