The Mini Shai-Hulud / Miasma worm did not slow down today. After this morning's LeoPlatform and RStreams compromise, Socket caught a fresh wave by mid-afternoon hitting @immobiliarelabs Backstage authentication plugins β the worm is now deliberately targeting developer-portal backends where SSO and source-control secrets concentrate.
It was not working alone. A malicious litellm wheel sat on PyPI long enough to poison fresh installs of semantic-router through an unbounded transitive pin, running its credential-exfil payload on interpreter startup β the same harvest as the worm, delivered through dependency math instead of a stolen token. In parallel, a cluster of self-hosted MCP servers shipped insecure-by-default HTTP transports, led by mcp-pinot at CVSS 10, each exposing tool invocation to any client that could reach the port. Polymarket disclosed a roughly $3M loss after a third-party vendor breach let attackers inject a script into its frontend, a reminder that the browser is a supply chain too. The bright spot held from this morning: Packagist now blocks known-bad versions at install via Aikido Intel, pushing PHP's defense down to the registry where it stops the most users.
Late escalation at 21:00 ET: the pnpm maintainers published a roughly fourteen-advisory coordinated batch that turns the package manager itself into the attack surface β a project env lockfile that can short-circuit resolution and execute lockfile-selected bytes (CVE-2026-55698, 8.8), registry-metadata path traversal that rewrites project paths to attacker symlinks, malicious patch files that write or delete arbitrary files, and two fail-open integrity gaps where `--frozen-lockfile` installs altered tarballs that `npm ci` would have rejected. Alongside it, a critical Nezha monitoring-dashboard pair (cross-tenant terminal/file-manager hijack at 9.9, pre-auth path traversal leaking jwt_secret_key at 9.1) and an ex_aws_sns signature bypass that rhymes with this evening's Relyra SAML break.
β Operational priority for the night pin litellm and the affected npm packages to known-good versions and rebuild any environment that installed semantic-router or pulled @immobiliarelabs / LeoPlatform packages since the 24th; upgrade pnpm to 10.34.4 / 11.8.0 and treat any committed pnpm-lock.yaml on an untrusted branch as hostile input to CI; rotate every cloud and CI credential those builds could reach; pull self-hosted Nezha off public interfaces and rotate jwt_secret_key; and bind every self-hosted MCP server to loopback with auth enforced before tools/call.