Today read as a coordinated-disclosure day: six unrelated projects — Mautic, SimpleSAMLphp, Steeltoe, Craft CMS, Zebra, and 9router — each shipped a batch of two to twelve CVEs in one release instead of the usual single fix. CISA's only fresh KEV entry, a pair of Ubiquiti UniFi OS bugs added June 23, is only surfacing now through this pipeline's backfill window rather than as same-day news.
The trust-boundary theme that opened the week kept compounding: 9router picked up its third critical advisory in a row (a hardcoded fallback JWT secret, after the RCE and the local-only access-gate bypass), and fast-mcp-telegram's Bearer-token check has the same naive-string-as-authorization-boundary shape. On the credential-theft side, JFrog tied two new npm packages — rollup-packages-polyfill-core and rollup-runtime-polyfill-core, typosquatting the real rollup-plugin-polyfill-node — to North Korea-linked operators, landing alongside PamStealer's fake-Maccy macOS campaign and Kaspersky's new Armored Likho attribution: three separate credential-harvesting threads converged on the same day. Mautic's 7.1.2 release alone closes two independent roads to RCE (campaign-import path traversal and unsandboxed Twig execution), and Steeltoe's seven advisories include two operationally urgent ones — plaintext connection strings leaking over /actuator/env and a spoofable Host-header bypass of the port isolation meant to protect it.
→ Operational priority for the night grep every 9router deployment for an unset JWT_SECRET, confirm no project pulled rollup-packages-polyfill-core or rollup-runtime-polyfill-core this week and rotate credentials on any machine that did, and push the Mautic 7.1.2 and Steeltoe upgrades ahead of anything lower on tonight's list — both close multiple independent RCE or credential-leak paths in a single patch.