News · May 27, 2026

IT News Roundup: PAN-OS Zero-Day, ShinyHunters Resurgence, and AI Agent Breakthroughs - May 27, 2026

This week saw critical firewall vulnerabilities under active exploitation, a major resurgence of the ShinyHunters extortion gang, groundbreaking AI agent announcements from Google and Alibaba, and record cloud infrastructure spending.

The technology landscape this week has been dominated by critical security vulnerabilities, a notable resurgence of ransomware extortion groups, and major announcements in the AI agent space. From a root-level RCE in Palo Alto firewalls to Google's always-on Gemini Spark assistant and Alibaba's 35-hour autonomous AI model, the intersection of security and artificial intelligence continues to define the industry.

Critical Buffer Overflow in Palo Alto Networks PAN-OS Under Active Exploitation

A critical vulnerability (CVE-2026-0300, CVSS 9.3) has been identified in the User-ID Authentication Portal (Captive Portal) component of Palo Alto Networks PAN-OS software, affecting both PA-Series and VM-Series firewall appliances. The flaw is an unauthenticated buffer overflow that allows remote attackers to execute arbitrary code with full root privileges.

Palo Alto Networks confirmed that the vulnerability is being actively exploited in the wild. Multiple security researchers, including Wiz, Rapid7, and Arctic Wolf, have published analyses confirming widespread exploitation attempts. Organizations are urged to implement immediate mitigations, including restricting internet access to the User-ID Authentication Portal and applying patches as they become available.

The vulnerability carries particular significance for enterprises relying on Palo Alto firewalls as their primary network perimeter defense. CERT-EU has issued an advisory recommending that administrators disable the Captive Portal service if it is not actively required.

Sources: Palo Alto Networks Security Advisory, Wiz Blog, CERT-EU

ShinyHunters Extortion Gang Resurges with 7-Eleven and Canvas LMS Breaches

The notorious ShinyHunters extortion gang has mounted a high-profile campaign targeting major organizations in May 2026. The group claimed responsibility for a breach of 7-Eleven convenience stores, exposing personal data belonging to approximately 185,000 individuals. The attack was confirmed by Have I Been Pwned and reported by multiple security outlets.

More significantly, ShinyHunters breached Instructure, the company behind the Canvas learning management system used by educational institutions across the United States. The gang stole an estimated 3.65 terabytes of data, including billions of private messages among students and teachers. After initial extortion deadlines were ignored, ShinyHunters escalated by defacing Canvas login pages at individual schools, attempting to pressure institutions directly.

Instructure ultimately paid a ransom to prevent public release of the stolen data. The FBI's Internet Crime Complaint Center (IC3) issued an advisory warning students and staff about potential follow-up phishing and extortion attempts. The attack highlights a broader pattern of ShinyHunters targeting education technology platforms through Salesforce environments and credential compromise, joining previous breaches of PowerSchool and Infinite Campus.

Sources: Help Net Security, Bitdefender, Malwarebytes

Google I/O 2026: Gemini Spark, an Always-On AI Agent for Workspace

At Google I/O 2026, the company announced Gemini Spark, a 24/7 agentic personal assistant built on the new Gemini 3.5 model series and powered by Google's Antigravity 2.0 agent platform. Unlike traditional chatbots, Gemini Spark is designed to run continuously in the background, proactively managing tasks across Google Workspace including Gmail, Docs, and Slides, with the ability to connect to third-party applications and eventually interact with local files.

CEO Sundar Pichai declared that Google is "firmly in our agentic Gemini era," signaling a strategic pivot from conversational AI to autonomous agents that can execute multi-step workflows. The event also featured the Gemini Omni model, capable of generating content from virtually any input format including video, and the WebMCP open standard for agent interoperability.

For IT professionals and homelab enthusiasts, the implications are significant: AI agents are moving from proof-of-concept to production-ready tools that can automate routine administrative tasks, manage infrastructure, and serve as always-available assistants without requiring constant user prompting.

Sources: TechCrunch, Google Blog, AP News

Alibaba Unveils Qwen 3.7-Max: AI Agent That Ran Autonomously for 35 Hours

Alibaba announced Qwen 3.7-Max, a new flagship AI model specifically designed for long-running autonomous agent tasks. In a demonstration at the company's inaugural Singapore conference, the model was given a task brief and placed on a Zhenwu M890 chip it had never encountered in training. Over 35 consecutive hours of uninterrupted operation, it executed over 1,158 tool calls and 432 kernel evaluations, autonomously performing code creation, compilation, performance measurement, bug fixing, and redesign — ultimately delivering a production-grade AI computing kernel that outperformed the chip's reference implementation.

The model features a 1 million token context window and scored 56.6 on the Artificial Analysis Intelligence Index, matching Claude Opus 4.6 on several benchmarks while outperforming Chinese competitors including DeepSeek V4 Pro and Kimi K2.6. Alibaba also revealed a custom silicon chip designed to run the model efficiently.

The 35-hour autonomous run represents a significant step toward truly self-sustaining AI systems capable of handling complex engineering workflows without human intervention — a capability with direct relevance to DevOps automation, infrastructure management, and software development pipelines.

Sources: TechNode, Computer Weekly, The Decoder

cPanel Authentication Bypass (CVE-2026-41940) Threatened 1.5 Million Servers

A critical pre-authentication bypass vulnerability (CVE-2026-41940, CVSS 9.8) in cPanel & WHM allowed unauthenticated attackers to gain root access to web hosting servers. The flaw affected all supported versions of cPanel and WHM released after version 11.40, as well as WP Squared, a WordPress management layer built on the same platform.

The vulnerability was exploited as a zero-day before patches were released, with proof-of-concept code circulating on dark web forums. An estimated 1.5 million internet-exposed servers were at risk globally. The Register reported that millions of websites could have been compromised during the window between exploitation and patching.

InMotion Hosting announced on May 26 that it successfully completed a fleet-wide resolution of the vulnerability, keeping customer sites online throughout the incident. Hosting providers worldwide undertook emergency patching operations to mitigate the threat. Administrators should verify that all cPanel installations are running the latest patched version.

Sources: The Register, Help Net Security, PR Newswire

Iranian APT Nimbus Manticore Deploys AI-Assisted MiniFast Backdoor

Check Point Research has documented a renewed campaign by Nimbus Manticore, an IRGC-affiliated threat group also tracked as UNC1549. The group has introduced a new backdoor called MiniFast (also known as MiniUpdate) that appears to incorporate AI-assisted development practices, enabling rapid adaptation of tooling under operational pressure.

The campaign targets defense, aviation, software, and telecommunications sectors across the United States, Europe, and the Middle East. Notably, the group has shifted from its traditional career-themed phishing lures to SEO poisoning techniques, distributing fake software download pages to deliver the MiniFast payload. This marks a significant evolution in the group's delivery tactics.

The use of AI to assist in malware development represents an emerging trend in state-sponsored cyber operations, lowering the barrier for threat actors to produce sophisticated tooling and adapt quickly to defensive measures. Organizations in the targeted sectors should review their endpoint detection capabilities and ensure web filtering blocks known SEO poisoning vectors.

Sources: The Hacker News, GridinSoft Blog, GBHackers

Global Cloud Infrastructure Spending Hits Record $129 Billion in Q1 2026

Enterprise cloud infrastructure spending reached $129 billion in the first quarter of 2026, according to Synergy Research Group — a 35 percent year-over-year increase marking the ninth consecutive quarter of growth. The surge is driven primarily by AI workloads, with hyperscalers investing heavily in data centers, GPUs, and networking equipment.

Amazon Web Services maintains the largest market share, but Microsoft Azure and Google Cloud are closing the gap with aggressive AI-driven expansion. Big Tech companies have committed to approximately $725 billion in combined capital expenditures for 2026, with roughly 75 percent dedicated to AI infrastructure. The global cloud market is on track to exceed $500 billion for the year.

For IT professionals and homelab operators, the trend underscores the growing importance of cloud literacy and hybrid infrastructure skills. As AI workloads continue to reshape data center design and cloud service offerings, understanding cloud architecture, containerization, and AI deployment patterns is becoming essential across all levels of the industry.

Sources: CRN, Data Center Dynamics, Statista
