Bharat Threat Feed
Global threats, decoded for Indian defenders
Weekly Brief · 15 May 2026

A rare quiet Patch Tuesday masked a louder week underneath it: SAP HotNews flaws reaching CVSS 9.6, a fourth-generation self-replicating npm worm hijacking a trusted CI/CD pipeline, and fresh data ranking India as APAC's most-attacked nation. The supply chain, not the perimeter, was where the damage landed.
1 · Critical · CVSS 10

Microsoft May Patch Tuesday — 118 CVEs, and the first zero-day-free month since June 2024.

Microsoft shipped fixes for 118 CVEs (16 critical) with no flaws exploited in the wild or publicly disclosed at release — ending a 22-month streak that had averaged 3.5 zero-days per month. Standouts to prioritise: CVE-2026-42826 (Azure DevOps info disclosure, CVSS 10), CVE-2026-42898 (Dynamics 365 on-prem RCE, CVSS 9.9) and CVE-2026-41089 (Windows Netlogon unauthenticated RCE, CVSS 9.8).

India exposure: Netlogon and on-prem Dynamics/Azure DevOps are common in Indian government and enterprise estates; a quiet month tempts teams to defer patching exactly when an unauthenticated Netlogon RCE leading to domain-controller takeover is the headline risk.
Action: Patch the three critical RCE/disclosure CVEs first; do not let "no zero-days" justify slipping the cycle.
Source: Tenable, "May 2026 Microsoft Patch Tuesday," 12 May 2026; BleepingComputer, 12 May 2026.
2 · Critical · CVSS 9.6

SAP Security Patch Day — three HotNews notes, including unauthenticated RCE (CVE-2026-34263, CVSS 9.6).

SAP's May patch day shipped three HotNews-rated notes: CVE-2026-34263 (missing authentication in Commerce Cloud enabling arbitrary server-side code execution, CVSS 9.6), CVE-2026-34260 (SQL injection in S/4HANA Enterprise Search for ABAP, CVSS 9.6) and a supply-chain note for the SAP Cloud Application Programming model affected by the Shai-Hulud npm compromise. A separate high-priority note, CVE-2026-34259 (OS command injection in Forecasting & Replenishment, CVSS 8.2), was also fixed. None were reported as actively exploited at disclosure.

India exposure: SAP S/4HANA and Commerce Cloud underpin manufacturing, retail and PSU finance operations across India; an unauthenticated RCE in an internet-reachable Commerce instance is a direct path to ERP compromise.
Action: Apply the HotNews notes immediately and inventory any externally exposed SAP NetWeaver/Commerce endpoints.
Source: Onapsis, "SAP Security Patch Day — May 2026," 12 May 2026.
3

"Mini Shai-Hulud" npm/PyPI worm hijacks TanStack CI/CD pipeline (CVE-2026-45321).

A fourth-generation self-replicating worm compromised 170+ npm and PyPI packages — including TanStack, Mistral AI and UiPath — by chaining weaknesses in TanStack's GitHub Actions configuration, so 84 malicious versions across 42 packages carried valid SLSA Build Level 3 provenance. The worm steals npm tokens, GitHub PATs, AWS credentials and SSH keys, self-propagates using harvested credentials, and plants persistence hooks targeting AI coding agents and IDEs.

India exposure: Indian product engineering, fintech and IT-services build pipelines pull these packages at scale; valid provenance attestations defeat the "trusted signature" assumption many CI/CD gates rely on.
Action: Audit dependency lockfiles for affected versions, rotate npm/cloud/CI secrets, and pin/verify package versions rather than trusting provenance alone.
Source: Tenable, "Mini Shai-Hulud FAQ," disclosed 12 May 2026; Orca Security, "TanStack npm supply chain worm," 12 May 2026.
4

node-ipc poisoned with credential-stealing payload.

Three malicious versions of the widely used node-ipc package were published to npm, each carrying an identical ~80 KB obfuscated credential-stealing payload — a second supply chain hit on the JavaScript ecosystem in the same week.

India exposure: node-ipc is a transitive dependency in countless Node.js services; a single npm install in a developer or CI environment can leak secrets from Indian SaaS and BFSI back ends.
Action: Block the malicious versions at the registry/proxy, scan for the payload's indicators, and enforce egress controls on build agents.
Source: The Hacker News (Socket / StepSecurity analysis), "Stealer Backdoor Found in 3 node-ipc Versions," 14 May 2026.
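
One way to carry out the lockfile audit called for in items 3 and 4, as an added example (not code from this brief or the cited advisories): it scans a parsed package-lock.json, in either the nested v1 layout or the flat v2/v3 layout, for denylisted versions, including transitive copies. The version strings are placeholders, since the brief does not list the affected versions.

```javascript
// Constructed denylist: the brief does not list the affected versions, so these
// version strings are placeholders to be filled in from the vendor advisories.
const DENYLIST = {
  "node-ipc": ["0.0.0-placeholder.1", "0.0.0-placeholder.2"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
const nameFromPath = (path) => path.split("node_modules/").pop();

// Returns [{ name, version, path }] for every locked entry on the denylist,
// direct or transitive. `lock` is the parsed package-lock.json object.
function auditLockfile(lock, denylist) {
  const findings = [];
  const check = (name, version, path) => {
    if (Object.hasOwn(denylist, name) && denylist[name].includes(version)) {
      findings.push({ name, version, path });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== "") check(entry.name || nameFromPath(path), entry.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(name, entry.version, trail.concat(name).join(" > "));
        walk(entry.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return findings;
}

// Constructed sample (v3 layout): a clean direct copy and a bad transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-service", version: "1.0.0" },
    "node_modules/build-tool": { version: "2.1.0" },
    "node_modules/build-tool/node_modules/node-ipc": { version: "0.0.0-placeholder.2" },
    "node_modules/node-ipc": { version: "1.2.3" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK, DENYLIST));
```

The reported path shows which parent package pulls in the bad copy, which is what decides whether an override or an upstream bump is needed.
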
5

India ranked APAC's most-targeted nation by ransomware in Q1 2026.

Cyble's Asia-Pacific threat landscape report found India the most-attacked APAC country, with ransomware dominant across 238 regional incidents in Q1. IT, manufacturing, healthcare, BFSI and automotive were hardest hit, with groups including CL0P, Sinobi, Tengu and others running large-scale "spray-and-pray" campaigns against Indian organisations.

India exposure: Opportunistic, volume-driven ransomware rewards exposed RDP, unpatched edge appliances and weak MFA — the gaps that this week's SAP and supply chain flaws widen.
Action: Treat external-facing services and BFSI/manufacturing OT-adjacent systems as primary targets; validate backups and MFA coverage now.
Source: Cyble Q1 2026 APAC Threat Landscape Report, via BW Businessworld, May 2026.
The takeaway: A zero-day-free Patch Tuesday is not a quiet week. This week's real pressure came from the software supply chain — signed, provenance-bearing npm/PyPI packages and unauthenticated SAP RCEs — against a backdrop of India sitting at the top of APAC's ransomware target list. Defenders should patch the named SAP and Microsoft criticals, harden CI/CD secret handling, and assume opportunistic ransomware will probe whatever stays exposed.