CheckMarx Jenkins Hit ⚙️, OpenAI Daybreak 🤖, Best Western Breached 🏨

Q: TeamPCP compromised CheckMarx's Jenkins AST plugin by injecting a rogue version (2026.5.09) using cr

TeamPCP compromised CheckMarx's Jenkins AST plugin by injecting a rogue version (2026.5.09) using credentials stolen in a prior Trivy breach that were never rotated — users should roll back to version 2.0.13-829.

Q: A Shai-Hulud npm worm hit 42 @tanstack/* packages via GitHub Actions cache poisoning and OIDC token

A Shai-Hulud npm worm hit 42 @tanstack/* packages via GitHub Actions cache poisoning and OIDC token theft, harvesting AWS, GCP, Kubernetes, and SSH credentials and using GitHub's commit search as a P2P C2 channel.

Q: BWH Hotels (Best Western parent) suffered a 6-month breach of its reservation system exposing guest

BWH Hotels (Best Western parent) suffered a 6-month breach of its reservation system exposing guest names, addresses, and stay dates — affected guests should treat all inbound booking-related communications as likely phishing.

TLDR·Wednesday, May 13, 2026·8 min read

Security AI/ML Engineering

Share𝕏 in

AI Summary

This cybersecurity newsletter covers a supply-chain attack on CheckMarx's Jenkins plugin by TeamPCP, a Shai-Hulud npm worm that compromised 42 @tanstack/* packages via GitHub Actions cache poisoning and OIDC token theft, and a months-long breach of BWH Hotels' reservation system. It also highlights Google's threat intelligence on AI-assisted adversarial operations, OpenAI's new Daybreak cybersecurity program, and new open-source defensive tooling.

Key Facts

✓TeamPCP compromised CheckMarx's Jenkins AST plugin by injecting a rogue version (2026.5.09) using credentials stolen in a prior Trivy breach that were never rotated — users should roll back to version 2.0.13-829.

✓A Shai-Hulud npm worm hit 42 @tanstack/* packages via GitHub Actions cache poisoning and OIDC token theft, harvesting AWS, GCP, Kubernetes, and SSH credentials and using GitHub's commit search as a P2P C2 channel.

✓BWH Hotels (Best Western parent) suffered a 6-month breach of its reservation system exposing guest names, addresses, and stay dates — affected guests should treat all inbound booking-related communications as likely phishing.

Author Takes

SkepticalTLDR InfoSec

AI code scanning tools

Mythos's lighter haul on curl reflects diminishing returns on a heavily fuzzed codebase, and AI tools still only surface known bug classes — not novel ones; practitioners should discount 'dangerously good' vendor framing until independent results land.

NeutralTLDR InfoSec

AI code analyzers as baseline security

AI code analyzers are now table-stakes — any project that hasn't run one likely has a backlog of findings waiting — but must be paired with traditional defenses.

More from TLDR

Opus 4.7 Fast ⚡, Qwen Image 2.0 🖼️, serverless GPUs ✨

TLDR AI covers the launch of fast mode for Claude Opus 4.7 in research preview, Meta's Muse Spark model powering voice and glasses features, and Googl

May 13

The Agent Mess Gets Real 🤖, Cyber Gets Autonomous ⚔️, Cloud’s New Pitch 🏗️

This TLDR IT edition covers OpenAI's new Daybreak cybersecurity initiative, a $125M Series B for AI security startup Exaforce, and GitLab's org restru

May 13

Enterprise AI race 🏃, AI P&L shifts 📉, becoming AI native 🤖

Enterprise AI adoption has shifted with Claude up 128% and Gemini up 48% while OpenAI's share dropped to 56%. AI-native SaaS economics are fundamental

May 13