The day's center of gravity is the Arch User Repository: more than 400 AUR packages were hijacked to ship an infostealer paired with an eBPF rootkit that hides the payload at the kernel level. AUR packages are built from source on your own host, with no review gate between a maintainer's account and your `makepkg`, so this is the npm/PyPI poisoning pattern transplanted into a distro a lot of engineers trust by habit.
Underneath that, today was a coordinated-disclosure firehose. Budibase cut a single 3.39.0 release closing seven advisories, topped by a workspace-scoped builder escalating to global admin (CVE-2026-48150, CVSS 9.0); TYPO3 shipped an emergency set of roughly fifteen fixes spanning a Form Framework privilege escalation plus SQL injection, insecure deserialization and a stack of broken-access-control holes; File Browser patched seven access-control and path-traversal bugs at once; and esbuild, which sits under most of the JavaScript build world, fixed an RCE in which a hijacked `NPM_CONFIG_REGISTRY` environment variable defeats its Deno-module integrity check. CISA added Oracle PeopleSoft's unauthenticated-takeover bug to KEV with a ransomware flag, and a decade-long China-linked backdoor in Linux login software surfaced as the patient espionage counterpoint to the noisy registry attack.
The bright spot is that the framework fires are single-bump fixes: one Budibase release, one TYPO3 point release per branch, esbuild 0.28.1. Operational priority for the night: if you build from the AUR, treat anything updated in the last 48 hours as suspect. `pacman -Qm` lists the foreign (AUR-built) packages on a host; for each one touched in that window, read the PKGBUILD diff in the package's AUR git history and rebuild from a known-good revision, hunt for unexpected eBPF programs with `bpftool prog list` (remembering that a rootkit living in the kernel can lie to tools on the same host, so confirm from a clean boot or a second machine where it matters), and rotate any credential those build hosts could read. Then bump Budibase to 3.39.0 and esbuild to 0.28.1 before morning.
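One way to turn the `bpftool prog list` hunt into something repeatable, as an added example that is not from the incident write-up or from any Arch tooling: a script that takes the JSON form of that listing (`bpftool -j prog show`) and flags programs on syscall-tracing or LSM attach points that are held by a loader you do not recognise, or held by no process at all. The loader allowlist, the sample listing and the 48-hour window are constructed assumptions, and the JSON field names are what bpftool emits as I know it; check them against your bpftool version.

```python
"""Triage loaded eBPF programs from `bpftool -j prog show`.

Added example; not from the AUR incident write-up or any Arch tooling.
Field names follow bpftool's JSON output as I know it ("id", "type",
"name", "loaded_at", "pids" -> [{"pid", "comm"}], "pinned" -> [paths]);
verify against your bpftool version.
"""
import json
import subprocess
import time

WINDOW_SECONDS = 48 * 3600

# Attach types a rootkit uses to rewrite what userland sees (syscall
# tracing, LSM hooks). Legitimate observability tools use them too, so
# the loader is checked as well rather than flagging the type alone.
HIDING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Assumed allowlist of processes expected to hold eBPF programs on a
# build host; replace with what your fleet actually runs.
KNOWN_LOADERS = {"systemd", "systemd-journal", "bpftrace", "falco"}


def parse_bpftool_json(text):
    """Parse the JSON array printed by `bpftool -j prog show`."""
    progs = json.loads(text)
    if not isinstance(progs, list):
        raise ValueError("expected a JSON array of programs")
    return progs


def triage(progs, now, window=WINDOW_SECONDS, known_loaders=KNOWN_LOADERS):
    """Return [{id, name, type, reasons}] for programs worth a look.

    Recency alone is not a reason (a reboot reloads everything); it is
    only recorded alongside a structural reason.
    """
    cutoff = now - window
    flagged = []
    for p in progs:
        loaders = {entry.get("comm", "") for entry in p.get("pids", [])}
        reasons = []
        if p.get("type") in HIDING_TYPES and not (loaders & known_loaders):
            reasons.append("syscall/LSM hook held by unknown loader")
        if not loaders and not p.get("pinned"):
            # No process holds an fd and nothing is pinned under
            # /sys/fs/bpf: the program survives only through its
            # attachment, which is how a payload stays resident after
            # its loader exits. Legitimate XDP/tc programs look like
            # this too, so it is a reason, not a verdict.
            reasons.append("no owning process and not pinned")
        if reasons and p.get("loaded_at", 0) >= cutoff:
            reasons.append("loaded within window")
        if reasons:
            flagged.append({"id": p.get("id"), "name": p.get("name", ""),
                            "type": p.get("type"), "reasons": reasons})
    return flagged


def live_programs():
    """Ask the running kernel (needs root/CAP_BPF and bpftool installed)."""
    out = subprocess.run(["bpftool", "-j", "prog", "show"],
                         check=True, capture_output=True, text=True).stdout
    return parse_bpftool_json(out)


def live_triage(window=WINDOW_SECONDS):
    """Triage the programs loaded on this host right now."""
    return triage(live_programs(), now=time.time(), window=window)


# Constructed sample listing: a systemd cgroup filter, two hooks dropped
# by a hypothetical post-install payload, and a bpftrace session.
SAMPLE_NOW = 1_700_200_000
SAMPLE_LISTING = json.dumps([
    {"id": 7, "type": "cgroup_skb", "name": "sd_fw_egress",
     "loaded_at": 1_700_000_000, "uid": 0, "map_ids": [],
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 31, "type": "kprobe", "name": "sys_enter_hook",
     "loaded_at": 1_700_150_000, "uid": 0, "map_ids": [12], "pids": []},
    {"id": 32, "type": "tracepoint", "name": "getdents_filter",
     "loaded_at": 1_700_150_100, "uid": 0, "map_ids": [12, 13],
     "pids": [{"pid": 4242, "comm": "pacman-helper"}]},
    {"id": 40, "type": "kprobe", "name": "trace_open",
     "loaded_at": 1_700_100_000, "uid": 0, "map_ids": [20],
     "pids": [{"pid": 900, "comm": "bpftrace"}]},
])


if __name__ == "__main__":
    for hit in triage(parse_bpftool_json(SAMPLE_LISTING), now=SAMPLE_NOW):
        print(hit["id"], hit["type"], hit["name"], "; ".join(hit["reasons"]))
    # On a real host, run as root: for hit in live_triage(): ...
```

On the sample listing the script flags ids 31 and 32 and leaves the systemd and bpftrace programs alone; id 40 was loaded inside the window but has a recognised owner, which is the point of not treating recency as a verdict on its own. A rootkit that has hooked the bpf syscall can hide from bpftool itself, so a clean result from this script is evidence, not clearance.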