The morning was quiet on the active-attack side, but the disclosure pipeline opened wide after lunch. Socket caught a NuGet package impersonating a Brazilian banking cooperative that exfiltrates client IDs, PFX passwords, and signed banking certificates through Sentry telemetry. A vendor SDK as the lure with Sentry as the covert C2 channel is the same pattern we saw earlier this month in the npm tranche, now rotated to a financial target and a different registry.
Symfony's hardening pass crossed the twenty-advisory line; six more landed today, the worst of them three webhook parsers (Mailtrap, Mailjet, LOX24 SMS) that accept a signing secret but never read it, so any unauthenticated POST forges delivery events. compliance-trestle, which we flagged yesterday with an unpatched path-traversal-to-RCE, escalated overnight: a Server-Side Template Injection in `trestle author jinja` makes attacker-controlled data fields executable through recursive Jinja rendering, and three companion advisories (arbitrary file write, arbitrary file read, and SSRF) landed alongside it, with patches now available. Yesterday's no-patch is today's patch-tonight. FortiClient EMS remains under active exploitation per Arctic Wolf, dropping a credential stealer named EKZ to managed endpoints, the same endpoint-management-pushes-malware shape as yesterday's Nx Console KEV add. The bright spot is OpenBao publishing a coordinated batch: a cross-namespace lease revocation bypass alongside two information-leak mediums in one release. Coordinated disclosure across an entire feature area is the discipline we want to see more of, and a notable contrast with the months-long Pimcore drip.
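What "accepts a signing secret but never reads it" looks like next to the fix, as an added example in Python rather than the Symfony PHP code (this is an illustration written for this page, not Symfony's or any vendor's parser; the `X-Signature` header name, the hex HMAC-SHA256 scheme and the sample bodies are constructed assumptions):

```python
import hashlib
import hmac
import json

# Constructed sample data for the demo; not a real vendor secret or payload.
SECRET = b"whsec_constructed_example_secret"
GENUINE_BODY = json.dumps({"event": "delivered", "message_id": "msg-1"}).encode()
FORGED_BODY = json.dumps({"event": "bounced", "message_id": "msg-1"}).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Hypothetical provider scheme: hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def parse_unverified(secret: bytes, headers: dict, body: bytes) -> dict:
    """The bug shape: the parser is constructed with a secret but never consults it,
    so any POST that is well-formed JSON is accepted as a genuine delivery event."""
    del secret  # accepted by the constructor, never read
    return json.loads(body)


def parse_verified(secret: bytes, headers: dict, body: bytes) -> dict:
    """Fixed shape: require the signature header and compare it in constant time
    against an HMAC over the exact bytes received, before any JSON decoding."""
    provided = headers.get("X-Signature")
    if not provided:
        raise ValueError("missing signature header")
    expected = sign(secret, body)
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        raise ValueError("signature mismatch")
    return json.loads(body)


def accepted(parser, headers: dict, body: bytes) -> bool:
    """True if `parser` accepts the request as a valid event, False if it rejects it."""
    try:
        parser(SECRET, headers, body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = {"Content-Type": "application/json"}           # attacker: no signature at all
    genuine = {"X-Signature": sign(SECRET, GENUINE_BODY)}  # provider: correctly signed
    print("unverified parser accepts forged event:", accepted(parse_unverified, forged, FORGED_BODY))
    print("verified parser accepts forged event:  ", accepted(parse_verified, forged, FORGED_BODY))
    print("verified parser accepts genuine event: ", accepted(parse_verified, genuine, GENUINE_BODY))
```

The test for this class of bug is mechanical: send the parser a syntactically valid event with no signature header and see whether it dispatches. If it does, the secret in the constructor is decoration.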
Late escalation at 21:00 ET: GHSA published a paired Dulwich tranche. The first is a `%P` merge-driver command injection via `subprocess.run(..., shell=True)`; the second is an arbitrary file write via NTFS-hostile tree entries (`\`, `:`, and `git~N` short-name aliases are all accepted by the path-element validator, and core.protectNTFS is silently ignored because the code checks the wrong option name). Both reach RCE on Windows the moment a victim clones, fetches, or merges an untrusted repo. The NTFS variant is the same class as upstream Git's 2019 fix, CVE-2019-1353, and lands on every Python tool that wraps Dulwich (dulwich, jelly-fish, pip-tools alternatives). Arcane joined them with an authenticated arbitrary file read: the `include:` directive in a compose file reads any file the backend can, and the project SQLite database (`arcane.db`) contains every user's bcrypt hash and API key, so a first-hop authenticated user becomes platform admin and gets host RCE via the Docker control plane. The shape is the same ordering bug we keep seeing: `CreateProject` writes the compose content without validation while only `UpdateProject` runs the include-path validator. python-tuf rounds out the late batch with a medium that is interesting more than urgent: `fnmatch.fnmatch` calls `os.path.normcase` on both the name and the pattern, so on Windows the TUF spec's case-sensitive delegation path matching silently becomes case-insensitive (and `/` and `\` are folded together), which means the authorization decision for any python-tuf client, including PyPI's update tooling, depends on which OS the client runs on.
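Both the Dulwich NTFS issue and the python-tuf normcase issue come down to Windows name semantics that a validator written against POSIX never sees. An added example covering both passages (this is illustration written for this page, not Dulwich's, Git's or python-tuf's code): a tree-entry validator that rejects the NTFS-hostile names the advisory lists, modelled on the classes of check upstream Git applies under core.protectNTFS, and a delegation matcher that reproduces on any OS what `fnmatch.fnmatch` does on Windows by applying `ntpath.normcase` explicitly. Function names and sample paths are assumptions.

```python
import fnmatch
import ntpath
import re

# ---- Part 1: tree-entry names that are unsafe to write on NTFS ----
# 8.3 short-name aliases: on most NTFS volumes "GIT~1" resolves to ".git".
_GIT_SHORTNAME = re.compile(r"^git~[1-9][0-9]*$")


def is_safe_tree_entry(name: str) -> bool:
    """Return False for a single path element that must not be checked out on Windows."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\0" in name:
        return False
    if "\\" in name:
        return False  # backslash is a directory separator on Windows
    if ":" in name:
        return False  # drive-letter prefix, or an alternate data stream (".git:x" opens ".git")
    # NTFS strips trailing dots and spaces and compares case-insensitively,
    # so ".GIT", ".git." and ".git " all open ".git".
    folded = name.rstrip(". ").lower()
    if folded == ".git" or _GIT_SHORTNAME.match(folded):
        return False
    return True


def unsafe_entries(tree_path: str) -> list[str]:
    """Return the elements of a slash-separated tree path that fail the check.
    Any hit means the path can land inside the real .git directory on checkout."""
    return [p for p in tree_path.split("/") if not is_safe_tree_entry(p)]


# ---- Part 2: TUF delegation matching on Windows ----
# fnmatch.fnmatch() runs os.path.normcase() over both name and pattern before
# matching. On Windows that lowercases and turns "/" into "\", so a
# case-sensitive delegation silently becomes case-insensitive. windows=True
# reproduces that behaviour with ntpath so the effect is visible on any OS.
def matches_delegation(target: str, pattern: str, *, windows: bool = False) -> bool:
    if windows:
        return fnmatch.fnmatchcase(ntpath.normcase(target), ntpath.normcase(pattern))
    # fnmatchcase is what the TUF spec's case-sensitive rule requires on every OS.
    return fnmatch.fnmatchcase(target, pattern)


if __name__ == "__main__":
    for p in ("src/main.py", "GIT~1/hooks/post-checkout", ".git./config", "a\\.git\\hooks\\x"):
        print(f"{p!r:32} unsafe elements: {unsafe_entries(p)}")
    for target in ("packages/foo/a.txt", "packages/Foo/a.txt", "packages\\foo\\a.txt"):
        print(f"{target!r:28} posix={matches_delegation(target, 'packages/foo/*')} "
              f"windows={matches_delegation(target, 'packages/foo/*', windows=True)}")
```

The delegation half is the more subtle lesson: nothing in python-tuf's own logic changed, the standard library did the folding, so any code that uses `fnmatch.fnmatch` for an authorization decision has the same OS-dependent behaviour and should use `fnmatchcase` instead.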
→ Operational priority for the night: if any Windows endpoint, CI runner, or developer laptop runs a Python tool that bundles Dulwich (check `pip show dulwich` and your dependency-resolver caches), treat cloning an untrusted repo as a write-to-`.git\hooks` primitive and disallow it until you have upgraded; also scan NuGet manifests and lock files for any Sicoob-impersonating package, and apply the compliance-trestle update if any part of your compliance pipeline fetches third-party OSCAL profiles.
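Two checks for the night's priorities, as added example code written for this page (not from any of the projects named above): list which installed Python distributions declare a dependency on Dulwich, which catches tools that bundle it even when you never installed it directly, and scan a NuGet packages.lock.json for package IDs matching the cooperative's name. The lock-file excerpt, the package ID in it and the `sicoob` substring pattern are constructed assumptions; the real impersonating package ID is not on this page, so adjust the pattern once you have it.

```python
import json
import re
from importlib import metadata
from typing import Optional

# ---- Which installed Python distributions pull in Dulwich? ----
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def _canon(name: str) -> str:
    """PEP 503-style normalisation so 'Dulwich', 'dulwich' and 'dul_wich' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def dependents_of(dist_name: str = "dulwich") -> tuple[Optional[str], dict[str, list[str]]]:
    """Return (installed version of dist_name or None, {dependent: [requirement specs]})
    by walking every installed distribution's declared Requires-Dist entries."""
    try:
        installed = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        installed = None
    target = _canon(dist_name)
    found: dict[str, list[str]] = {}
    for dist in metadata.distributions():
        for req in dist.requires or []:
            m = _REQ_NAME.match(req)
            if m and _canon(m.group(1)) == target:
                found.setdefault(dist.metadata["Name"] or "?", []).append(req)
    return installed, found


# ---- Scan a NuGet packages.lock.json for package IDs matching a brand name ----
# Assumption: the impersonator carries the cooperative's name in its package ID.
SICOOB_PATTERN = re.compile(r"sicoob", re.IGNORECASE)


def suspicious_nuget_packages(lock_json: str,
                              pattern: "re.Pattern[str]" = SICOOB_PATTERN) -> list[tuple[str, str, str]]:
    """Return (target framework, package id, resolved version) for every entry whose id matches."""
    data = json.loads(lock_json)
    hits = []
    for tfm, packages in data.get("dependencies", {}).items():
        for pkg_id, info in packages.items():
            if pattern.search(pkg_id):
                hits.append((tfm, pkg_id, info.get("resolved", "?")))
    return hits


# Constructed lock-file excerpt for the demo; the package ID below is invented, not the real one.
SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
      "Sicoob.Sdk.Example": {"type": "Direct", "requested": "[1.0.2, )", "resolved": "1.0.2"}
    }
  }
}"""


if __name__ == "__main__":
    version, deps = dependents_of("dulwich")
    print("dulwich installed:", version or "no")
    for name, specs in sorted(deps.items()):
        print(f"  {name} requires {', '.join(specs)}")
    for tfm, pkg, ver in suspicious_nuget_packages(SAMPLE_LOCK):
        print(f"NuGet hit in {tfm}: {pkg} {ver}")
```

Run the first half inside every virtualenv and tool-specific environment (pipx, poetry caches, CI images), not just the interpreter on PATH; `pip show dulwich` only answers for the environment pip happens to be bound to.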