The end-of-day picture lines new disclosures up along the whole build-and-ship path, and one of them is already running in the wild. BleepingComputer surfaced a PyPI campaign — active since last November — that ships trojanized Pyrogram forks to developers building Telegram bots, giving the operator arbitrary file reads on every server that imports them.
Above the registry, the orchestration layer took the heavier hit: Fission, the Kubernetes-native serverless framework, published a coordinated batch of nine advisories today — four of them critical — all tracing to unvalidated PodSpec passthrough that lets a tenant set hostPID/hostNetwork/privileged and escape the node to own the cluster, with a webhook that only fired on create so a clean Environment could be patched dirty afterward. The trust root wasn't spared either: Sigstore's Fulcio CA disclosed an OIDC-discovery SSRF that let a malicious issuer follow cross-host redirects to substitute a poisoned JWKS into the verifier cache (CVE-2026-49478, fixed in v1.8.6). Yesterday's SimpleHelp KEV entry (CVE-2026-48558) stays hot — a second source now confirms the TaskWeaver/Djinn payloads — and npm chipped in an incomplete-fix prototype-pollution bypass in @adonisjs/bodyparser and a query-string authorization bypass in Cedar's Express middleware. The bright spot is that everything except the PyPI campaign is a coordinated disclosure shipping with fixes, and Aikido's acquisition of Root points the backport-not-upgrade model at exactly this kind of pileup.
→ Operational priority for the night if you run Fission, gate Environment CRDs behind the create-and-update webhook and upgrade before a tenant patches in hostPID — then pin Fulcio to v1.8.6, and grep your PyPI lockfiles for Pyrogram forks before tomorrow's first build.