vanemmerik.ai / SUPPLY-CHAIN
Supply Chain · Watch · Sunday · 24 May 2026 · End-of-day synthesis · 1 watch · 21 items

From the watchtower — what crossed the wire today.

A four-times-a-day standing watch on the open-source supply chain. Each pass pulls newly disclosed CVEs, freshly catalogued KEV adds, and active attacks reported in the wild — then ranks them by severity for the day.

The story of the day — Four concurrent package-poisoning campaigns hit the registries at once.

TrapDoor opened today against 34 packages across npm, PyPI, and crates with hundreds of malicious versions designed to steal crypto wallets. Laravel-Lang turned out worse than first reported — Socket counts 700+ poisoned versions across four packages carrying an RCE backdoor, not just a credential stealer. Packagist disclosed eight Composer packages compromised through GitHub-Releases-hosted Linux malware, and Megalodon strafed 5,561 GitHub repos with malicious CI/CD workflows in a six-hour window.

The week-on-week pattern is the same: registry tokens stolen, version tags abused, GitHub Releases used as the dropper — which is why npm has now shipped 2FA-gated staged publishing in direct response to the Mini Shai-Hulud sweep that hit @antv last week. Underneath the narrative attacks, CISA catalogued three new actively-exploited CVEs (Drupal, Langflow, Trend Micro Apex One), and a fresh maximum-severity LiteSpeed cPanel plugin flaw (CVSS 10) is being weaponised in the wild. GitHub itself disclosed a separate internal-repo exfiltration by TeamPCP — adjacent to the package-hijack story but not part of it.

18:00 ET · First Watch

TrapDoor crypto stealer hits 34 packages and hundreds of versions across npm, PyPI, and crates

First Socket disclosure today: a coordinated campaign across three registries simultaneously, targeting developer wallets and CI-stored secrets. Hundreds of malicious versions published — the scale alone is the story. Block any new pinning to the named packages until your dependency-review tool catches up; rotate any wallet or key reachable from a build agent that ran an install since Friday.

Laravel-Lang compromised with RCE backdoor across 700+ versions (Socket: worse than initial reports)

Initial reports framed this as a credential stealer in 200+ versions. Socket's deeper analysis upgrades the count to 700+ versions and the payload to a remote-code-execution backdoor, not just a stealer. Attackers abused GitHub version tags to publish releases that Composer pulled without review (the package.json was clean — payload was in tag-only commits). Audit composer.lock for any laravel-lang/* pinned to a tag published in the last 72 hours; rotate every credential reachable from a developer or build machine that resolved the dependency, and assume RCE foothold until proven otherwise.
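
One way to run the composer.lock audit described above, as an added example that is not from Socket or the Laravel-Lang project. It assumes the lock file's `time` field reflects when the version was released; the package names, versions and references in the sample are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

def recent_lock_entries(lock_text, now, prefix="laravel-lang/", window_hours=72):
    """Return (name, version, source_ref, reason) for entries needing review."""
    # Assumption: the lock file's `time` value reflects the release time.
    cutoff = now - timedelta(hours=window_hours)
    lock = json.loads(lock_text)
    hits = []
    # composer.lock keeps runtime and dev dependencies in separate arrays.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "").lower()
            if not name.startswith(prefix):
                continue
            ref = pkg.get("source", {}).get("reference", "")
            raw = pkg.get("time")
            if not raw:
                # No timestamp to reason about: review by hand, do not clear it.
                hits.append((name, pkg.get("version"), ref, "no time field"))
                continue
            ts = datetime.fromisoformat(raw)
            if ts.tzinfo is None:
                ts = ts.replace(tzinfo=timezone.utc)
            if ts >= cutoff:
                hits.append((name, pkg.get("version"), ref, "released in window"))
    return hits

# Constructed lock file; package names, versions and refs are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/example-a", "version": "1.2.3",
         "source": {"type": "git", "reference": "aaaa1111"},
         "time": "2026-05-23T09:00:00+00:00"},
        {"name": "laravel-lang/example-b", "version": "4.0.0",
         "source": {"type": "git", "reference": "bbbb2222"},
         "time": "2025-11-02T12:00:00+00:00"},
        {"name": "vendor/unrelated", "version": "2.0.0",
         "time": "2026-05-24T01:00:00+00:00"},
    ],
    "packages-dev": [
        {"name": "laravel-lang/example-c", "version": "dev-main",
         "source": {"type": "git", "reference": "cccc3333"}},
    ],
})

if __name__ == "__main__":
    now = datetime(2026, 5, 24, 22, tzinfo=timezone.utc)
    for hit in recent_lock_entries(SAMPLE_LOCK, now):
        print(hit)
```

An entry that is not flagged is only outside the time window; it still needs its resolved reference compared against a known-good commit.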

Coordinated Packagist attack infects 8 packages with GitHub-hosted Linux malware

The poisoned payload was hidden in package.json — not composer.json — targeting Composer packages that also ship JavaScript. Each package pulls a Linux binary from a GitHub Releases URL at install time. The use of GitHub Releases as the dropper is the same TTP pattern as Laravel-Lang; treat these as the same campaign until shown otherwise. Block outbound traffic from build agents to unknown GitHub Releases URLs.

Malicious postinstall hook found across 700+ GitHub repositories

Different campaign from Laravel-Lang, same primitive: a postinstall script that fires on npm install across 700+ repos, including packagist-adjacent ones. The detection underscores why every npm install on an unfamiliar tree should be done with --ignore-scripts unless you've reviewed the postinstall surface. If you onboard contractors who clone-and-install, your laptops are this campaign's reach.

Megalodon: 5,718 malicious commits to 5,561 GitHub repos in six hours

Automated campaign using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot) to inject GitHub Actions workflows that base64-decode and execute bash payloads exfiltrating CI secrets. Six-hour blast radius implies pre-staged tooling — expect follow-on waves. If you accept dependabot or community PRs to .github/workflows, require a code-owner review and run a secret scan in CI.
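
A pre-merge check for the workflow pattern described above, as an added example rather than a published detection for this campaign. The regular expressions are assumed shapes of "base64-decode and execute", the author list is the one named in this item, and the sample workflow is constructed.

```python
import re

# Author names the campaign forged, as listed above.
FORGED_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# Heuristics (assumed shapes, not signatures published for this campaign):
# decoded base64 handed straight to a shell interpreter.
DECODE = r"base64\s+(?:-d|-D|--decode)\b"
SHELL = r"\b(?:ba|da|z)?sh\b"
PATTERNS = [
    ("base64 decode piped to shell",
     re.compile(DECODE + r"[^\n|]*\|\s*(?:sudo\s+)?" + SHELL)),
    ("shell -c on decoded substitution",
     re.compile(SHELL + r"\s+-c\s+[\"']?\$\([^)\n]*" + DECODE)),
]


def review_workflow_change(author, path, content):
    """Return a list of findings for one changed file in a commit."""
    findings = []
    # Only workflow definitions are in scope for this check.
    if not re.match(r"\.github/workflows/[^/]+\.ya?ml$", path):
        return findings
    if author.strip().lower() in FORGED_AUTHORS:
        findings.append(f"{path}: workflow changed by generic bot identity '{author}'")
    for lineno, line in enumerate(content.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append(f"{path}:{lineno}: {label}")
    return findings


# Constructed sample; the blob decodes to the word CONSTRUCTED.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Q09OU1RSVUNURUQ=" | base64 -d | bash
"""

if __name__ == "__main__":
    for finding in review_workflow_change("ci-bot", ".github/workflows/ci.yml", SAMPLE):
        print(finding)
```

A match is a reason to hold the change for code-owner review, not proof of compromise; a decode that writes to a file and stops there is not flagged.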

GitHub investigating: TeamPCP claims exfiltration of 3,800+ internal repos via employee-device compromise

GitHub says no evidence of impact to customer data so far, but the listing on a cybercrime forum names internal source code and internal organizations. Watch the official advisory channel for the inevitable scope-clarification post; assume any private GitHub tooling referenced in internal repos is now read by an attacker. This is the kind of breach where the second-order disclosures (which integrations, which webhooks, which keys) matter more than the headline.

LiteSpeed cPanel plugin CVE-2026-48172 (CVSS 10) under active exploitation — run scripts as root

Incorrect privilege assignment — any cPanel user (or a compromised account) can run arbitrary scripts as root. Maximum severity, in-the-wild exploitation already reported. If you manage any shared-hosting estate running LiteSpeed's cPanel plugin, patch immediately and audit /var/cpanel for scripts executed by non-root users in the last week.

Nezha Monitoring: cross-tenant RCE via cron handler (CVE-2026-46716)

POST /api/v1/cron is wired through the common (any authenticated user) handler instead of the admin handler, and the per-server permission check has a vacuous-true bypass. A low-privilege RoleMember user can schedule a cron with Cover=CronCoverAll and an arbitrary Command, then watch the scheduler run that command on every server in the fleet on the next tick. Update immediately if you run Nezha; until patched, restrict the dashboard to admins only at the proxy layer.

YesWiki: unauthenticated SQL injection in form-import path (CVE-2026-46670)

Bazar form-import endpoint concatenates user input straight into an INSERT statement with no quoting — any visitor of a default YesWiki install can read the full database including yeswiki_users.password hashes. Affects 4.6.1, 4.6.2, and current doryphore-dev branch. Patch or take the public form import path offline behind auth today.

FileBrowser Quantum: path traversal in public share PATCH endpoint

publicPatchHandler joins user-controlled fromPath and toPath with the trusted share path before the sanitizer runs, so filepath.Join collapses the .. before validation sees it. Lets an attacker move/copy/rename files outside the shared directory. Same root cause as last month's bulk-DELETE CVE — worth auditing every endpoint that joins-then-sanitizes.
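
The join-then-sanitize ordering beside a containment check, as an added example that is not FileBrowser Quantum's code. Python's `posixpath.normpath` stands in for the cleaning that Go's `filepath.Join` performs; the share path and function names are assumptions.

```python
import posixpath

SHARE_ROOT = "/srv/shares/team-a"  # constructed share directory


def _join_clean(root: str, user_path: str) -> str:
    # Stand-in for Go's filepath.Join: concatenate, then lexically clean.
    return posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))


def join_then_sanitize(user_path: str) -> str:
    """Ordering described above: the check sees the already-cleaned path."""
    joined = _join_clean(SHARE_ROOT, user_path)
    if ".." in joined.split("/"):  # never fires: cleaning removed every ".."
        raise ValueError("traversal rejected")
    return joined


def join_then_contain(user_path: str) -> str:
    """Corrected check: the cleaned result must still sit under the share."""
    joined = _join_clean(SHARE_ROOT, user_path)
    # commonpath compares whole components, so /srv/shares/team-a-old does
    # not pass as "inside" /srv/shares/team-a the way a startswith() would.
    if posixpath.commonpath([SHARE_ROOT, joined]) != SHARE_ROOT:
        raise ValueError("path escapes share root")
    return joined  # lexical only; symlinks inside the share need a realpath check


if __name__ == "__main__":
    print(join_then_sanitize("../team-b/payroll.csv"))  # passes the flawed check
    print(join_then_contain("docs/./q1.txt"))
```

When auditing other endpoints for the same shape, look for any validator that inspects a path after it has been joined and cleaned instead of testing containment on the final result.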

CISA KEV add: Drupal Core SQL injection (CVE-2026-9082) — actively exploited

CISA added Drupal Core to KEV on 2026-05-22 — SQLi in the database abstraction API allows privilege escalation and remote code execution via specially crafted requests. If you run Drupal anywhere on the perimeter, patch and grep access logs for the disclosed request signature; this is the kind of bug where exploitation traffic shows up in dumb scanners within 72 hours of CISA adding it.

CISA KEV add: Langflow origin-validation flaw enables refresh-token theft

Overly permissive CORS plus a SameSite=None refresh-token cookie lets a malicious page perform credentialed cross-origin requests to /refresh, harvest tokens, and ride them into authenticated endpoints — full system compromise. Langflow is widely deployed for LLM agent prototypes; check whether internal teams stood one up over the last year and never patched.

CISA KEV add: Trend Micro Apex One directory traversal (on-prem)

Pre-authenticated local attacker can modify a key table on the Apex One server, then inject malicious code that the server pushes to every agent on next sync. Endpoint protection product that ships malware to endpoints is the worst-case shape for a security-vendor CVE. Patch the management plane first.

Arcane: missing admin auth on global-variables endpoint (CVE-2026-47125)

PUT /api/environments/{id}/templates/variables writes the system-wide .env.global file used for variable substitution in every project's compose file — and the endpoint has no admin check. Any authenticated non-admin can overwrite REGISTRY, IMAGE, DATABASE_URL, SECRET_KEY for every project on the host. Patch fast if you run Arcane in a multi-tenant team setup.

Parse Server: pre-auth DoS via regex backtracking in client-version header (CVE-2026-47138)

An unauthenticated request whose client SDK version header triggers polynomial backtracking can pin a Node.js worker for seconds-to-minutes. Parsing happens before auth and before rate limiting — a small concurrent flood drops the service. Patch; in the meantime, strip or constrain the X-Parse-Client-Version header at the proxy layer.

Nezha Monitoring: low-privilege SSRF with full response reflection (CVE-2026-46717)

Companion bug to the cross-tenant RCE above. Notification routes accept a user-supplied URL, fetch it server-side, and reflect the entire response body back to the caller on non-2xx — perfect for raiding cloud metadata endpoints, internal admin services, and S3 buckets that trust the dashboard's IP. Patch in the same window as the RCE.

aiosend: webhook handler deserialises body before HMAC verification

Pydantic model_validate runs on the incoming JSON before the HMAC signature check, so anyone can spend your CPU and memory at will. Classic ordering bug — the fix is a one-liner (verify, then parse) but easy to miss in review. If you wrote a webhook handler this quarter, audit it for the same shape.
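
The verify-then-parse ordering as a handler, as an added example that is not aiosend's code. The secret, the hex HMAC-SHA256 signature format and the size cap are assumptions, and `json.loads` stands in for the model validation step.

```python
import hashlib
import hmac
import json

# Assumptions for this sketch: a shared secret and a hex HMAC-SHA256 signature
# sent alongside the raw body. Neither value comes from aiosend.
SECRET = b"constructed-demo-secret"
MAX_BODY = 64 * 1024  # cap body size before doing any work on it


class Rejected(Exception):
    """Raised when a webhook fails a check; carries the HTTP status to return."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def sign(body: bytes, secret: bytes = SECRET) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, signature_hex: str, parse=json.loads):
    # 1. Cheap bound first: an unauthenticated sender must not pick the cost.
    if len(raw_body) > MAX_BODY:
        raise Rejected(413, "body too large")
    # 2. Verify the MAC over the exact bytes received, in constant time.
    expected = sign(raw_body).encode()
    if not hmac.compare_digest(expected, (signature_hex or "").encode()):
        raise Rejected(401, "bad signature")
    # 3. Only authenticated bytes reach the parser or model validation.
    return parse(raw_body)


if __name__ == "__main__":
    body = b'{"update_id": 1, "payload": {"status": "paid"}}'  # constructed
    print(handle_webhook(body, sign(body)))
```

The signature is computed over the raw bytes, so the handler must read the body before any framework middleware re-serialises it.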

npm ships 2FA-gated staged publishing — the response to Mini Shai-Hulud

Maintainers must now pass a 2FA challenge to flip a staged release public. The trigger was the Mini Shai-Hulud sweep that hit the @antv ecosystem last week (639 compromised npm package versions) and npm's emergency invalidation of granular access tokens that followed. Turn 2FA-gated publishing on for every package your team publishes; the migration is a single click in npm settings, and it's the exact control that would have blunted half of today's package-hijack chain.

Mini Shai-Hulud variant hit @antv ecosystem last week — 639 compromised npm versions

Five days back but worth carrying forward: the @antv attack is what triggered npm's token invalidation and today's 2FA-gated publishing rollout. The original Shai-Hulud worm last September propagated via stolen npm publish tokens to inject self-replicating malicious package versions; this 'mini' variant is the same primitive at smaller scale. Expect more mini-variants as the attacker toolkit gets refactored.

Ghostwriter targets Ukrainian government with Prometheus learning-platform phishing

Not a supply-chain attack per se, but the lure (Prometheus learning platform) is a reminder that branded SaaS pages are first-class phishing infrastructure. Worth a note for awareness training — most users in our orgs trust learning-platform email implicitly.

Webworm backdoors use Discord + Microsoft Graph API for C2

C2 over Discord and Microsoft Graph blends into normal traffic on most networks. If you allow either at the perimeter (most do), at least log API-key usage patterns and flag mass-message bursts from accounts that never sent them before.