Today the attack surface and the disclosure surface pointed at the same thing — the tools developers use to build and run AI. The morning opened with the Mastra npm compromise (144 packages in the @mastra/* AI-framework namespace mass-published with an install-time infostealer) and a parallel JetBrains Marketplace campaign shipping fifteen fake AI-coding plugins that steal the provider keys developers paste into them.
Then the advisory feed caught up. A late-afternoon GHSA wave hit the self-hosted LLM stack from every side: Langflow with an unauthenticated file upload (CVSS 9.3), Open WebUI, whose advisory cluster grew again with two redirect-based SSRF bypasses, LangChain4j with SQL injection through vector-store metadata filters, OpenClaw leaking configured MCP headers across cross-origin redirects, and Claude Code's own WebFetch allow-list turned into a HuggingFace exfiltration channel. Outside the AI lane the day was just as loud: Avo's Rails admin framework with a 9.6 authorization bypass, an XXE in the HAPI FHIR healthcare libraries, and a Gitea trio that lets a read-only org member fork a repo via the API and walk out with every organization CI/CD secret.
The bright spot is speed: the Mastra compromise was corroborated within hours by five independent detection vendors, and every advisory below shipped with a fix and concrete indicators.
→ Operational priority for the night: grep CI and developer machines for any @mastra/* install since June 16 and rotate every AI-provider, npm, and cloud key reachable from a host that pulled one, then patch self-hosted Langflow, Open WebUI, and Gitea before re-exposing them.
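
A sketch of the sweep described above, as an added example that is not part of the original digest or of any vendor's tooling. It covers npm lockfiles only (not yarn or pnpm), and its function names, arguments and use of lockfile mtime as a rough install-time signal are this example's assumptions.

```python
import json
import os
import sys
from datetime import datetime

SCOPE = "@mastra/"
LOCKFILES = ("package-lock.json", ".package-lock.json")  # the second is npm's record inside node_modules

def mastra_entries(lock):
    """Return sorted (name, version) pairs for every @mastra/* package in a parsed npm lockfile."""
    found = set()
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith(SCOPE):
            found.add((name, meta.get("version", "?")))
    # lockfileVersion 1: nested "dependencies" tree, walked iteratively.
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if name.startswith(SCOPE):
                found.add((name, meta.get("version", "?")))
            stack.append(meta.get("dependencies", {}))
    return sorted(found)

def scan(root, since=0.0):
    """Walk root and return (lockfile, name, version, touched_since_cutoff) for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in LOCKFILES:
            if fname not in files:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8") as fh:
                    pkgs = mastra_entries(json.load(fh))
                recent = os.path.getmtime(path) >= since  # mtime is only a rough install-time signal
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or malformed lockfile: skip rather than abort the sweep
            hits.extend((path, n, v, recent) for n, v in pkgs)
    return hits

if __name__ == "__main__":
    # Usage: script.py [root] [cutoff as YYYY-MM-DD]; both arguments are this example's own.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    since = datetime.fromisoformat(sys.argv[2]).timestamp() if len(sys.argv) > 2 else 0.0
    for path, name, version, recent in scan(root, since):
        print(f"{'RECENT' if recent else 'older '}  {name}@{version}  {path}")
```

Treat any hit as a reason to rotate keys reachable from that host; an "older" mtime does not clear a machine, since checkouts and restores rewrite timestamps.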