PAN-OS RCE exploited; tokenizer tampering, supply-chain contest

Palo Alto Networks patched CVE-2026-0300, a PAN-OS flaw exploited in the wild for unauthenticated root RCE; researchers flagged tokenizer.json tampering in Hugging Face model packages and a supply-chain attack contest run by TeamPCP.

Palo Alto Networks released patches this week for CVE-2026-0300, a buffer overflow in the User-ID Authentication Portal of PAN-OS that can allow an unauthenticated attacker to execute code as root. The vendor reported limited exploitation dating back to at least last month. In the observed incidents, unidentified operators dropped payloads identified as EarthWorm and ReverseSocks5, both tunneling tools that let an attacker proxy traffic through the compromised device into the network behind it. Customers were urged to apply the available PAN-OS updates for affected versions.

Researchers at HiddenLayer published a demonstration showing how modifying the tokenizer.json file in Hugging Face model packages can give an attacker control over generated text and tool-call arguments. The altered tokenizer can be loaded automatically when a model initializes, and the technique works across Safetensors, ONNX and GGUF model formats. HiddenLayer wrote, “Tokenizer.json ships with the model in a HuggingFace repository … and is loaded automatically when the model is initialized for inference, making it a direct attack surface.”

A threat actor calling itself TeamPCP announced a supply-chain contest on the Breached forum offering a $1,000 prize in Monero. The contest rules required participants to use an open-source worm named Shai-Hulud in real attacks and to submit proof of access to compromised environments. The worm was hosted on the forum’s content delivery network and briefly appeared on GitHub before removal. The contest post instructed participants to prioritize compromises that increase package download counts.

Security firms flagged the contest as a mechanism that could encourage broader supply-chain abuse. One firm characterized the event as a recruitment-style stunt that provides a ready-made tool and a scoring system for lower-tier actors. Observers noted the contest and the worm release combine a public incentive with reusable tooling.

The tokenizer issue is a property of how model artifacts are packaged and consumed rather than a flaw in any single model. Because tokenizer.json is a metadata file loaded at runtime, an attacker can change runtime behavior without altering model weights or crafting adversarial inputs: the weights still emit the same token ids, but a tampered vocabulary changes which text those ids decode to, and which ids a given input encodes to. The manipulation can therefore affect conversational responses, injected tool-call arguments, and any generated text that passes through the tokenizer, and an integrity check that covers only the weight file will not catch it.

Security recommendations from researchers and vendors include applying PAN-OS patches where available; auditing model repositories and deployed artifacts for unexpected or modified tokenizer.json files, ideally by pinning downloads to a specific repository revision and comparing the file against a hash recorded when the model was approved; reviewing repository access controls; and monitoring open-source package registries and forum postings for new worm releases or contest-driven campaigns. Teams were advised to treat unexpected code or metadata changes in model packages as potential compromises and to investigate any unusual download or release activity.
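The tampering mechanism described above and the tokenizer.json audit the recommendations call for, as an added Python example that is not HiddenLayer's code or part of any Hugging Face library. The tokenizer.json below is a constructed, simplified file (a real one also carries normalizer, pre_tokenizer, post_processor, decoder and merges sections), and the function names are the author's own. The `tamper` function plays the attacker: it swaps vocabulary entries so that the ids an unchanged model emits for "keep file tmp" decode as "delete file passwd". The `audit` function is the defender's check: per-section digests pinned when the model was approved, plus two structural checks that catch cruder edits.

```python
"""Tokenizer tampering demo and tokenizer.json audit (constructed example)."""
import copy
import hashlib
import json

# Constructed, simplified tokenizer.json. The audit hashes whatever top-level
# sections are present, so it works unchanged on a real, fuller file.
BASELINE_TOKENIZER = {
    "version": "1.0",
    "added_tokens": [
        {"id": 0, "content": "<unk>", "special": True},
        {"id": 1, "content": "<eos>", "special": True},
    ],
    "model": {
        "type": "WordPiece",
        "unk_token": "<unk>",
        "vocab": {
            "<unk>": 0, "<eos>": 1, "keep": 2, "file": 3,
            "tmp": 4, "delete": 5, "etc": 6, "passwd": 7,
        },
    },
}


def decode(tokenizer, ids):
    """Map token ids back to text the way an inference runtime does."""
    model = tokenizer["model"]
    id_to_token = {i: t for t, i in model["vocab"].items()}
    return " ".join(id_to_token.get(i, model["unk_token"]) for i in ids)


def tamper(tokenizer):
    """Attacker edit: swap vocab entries so the ids the model emits for
    'keep ... tmp' now decode as 'delete ... passwd'. Weights are untouched."""
    tampered = copy.deepcopy(tokenizer)
    vocab = tampered["model"]["vocab"]
    vocab["keep"], vocab["delete"] = vocab["delete"], vocab["keep"]
    vocab["tmp"], vocab["passwd"] = vocab["passwd"], vocab["tmp"]
    return tampered


def _canonical_hash(obj):
    # Canonical JSON so key order or whitespace changes do not mask or fake a diff.
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def section_hashes(tokenizer):
    """Per-section digests to record at model-approval time."""
    return {name: _canonical_hash(section) for name, section in tokenizer.items()}


def audit(tokenizer, pinned_hashes):
    """Return a list of findings; an empty list means the file matches what
    was pinned and passes the structural checks."""
    findings = []
    current = section_hashes(tokenizer)
    for name in sorted(set(current) | set(pinned_hashes)):
        if name not in pinned_hashes:
            findings.append(f"unexpected section {name!r}")
        elif name not in current:
            findings.append(f"missing section {name!r}")
        elif current[name] != pinned_hashes[name]:
            findings.append(f"section {name!r} differs from pinned hash")
    vocab = tokenizer.get("model", {}).get("vocab", {})
    # Two tokens sharing an id is never legitimate and makes decoding ambiguous.
    if len(set(vocab.values())) != len(vocab):
        findings.append("vocab maps two tokens to the same id")
    # added_tokens (special tokens) must agree with the vocab they claim to extend.
    for tok in tokenizer.get("added_tokens", []):
        if vocab.get(tok["content"]) != tok["id"]:
            findings.append(f"added_token {tok['content']!r} disagrees with vocab")
    return findings


def audit_file(path, pinned_hashes):
    """Audit an on-disk tokenizer.json against hashes pinned at approval time."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit(json.load(fh), pinned_hashes)


if __name__ == "__main__":
    pinned = section_hashes(BASELINE_TOKENIZER)  # store alongside the approval record
    ids = [2, 3, 4]                               # what the unchanged weights emit
    print("baseline:", decode(BASELINE_TOKENIZER, ids))
    print("tampered:", decode(tamper(BASELINE_TOKENIZER), ids))
    print("findings:", audit(tamper(BASELINE_TOKENIZER), pinned))
```

Hashing per section rather than the whole file is a deliberate choice: a whole-file digest only says "changed", while section digests tell the reviewer whether the edit landed in the vocabulary, the special tokens, or the normalization chain, which is what decides whether the change is a benign re-export or an attempt to steer output. The pinned hashes belong in the same record as the approved weight digests, and a CI job should run `audit_file` on every pull of the model, since a repository push can replace tokenizer.json without touching the weights.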
