Today's shape is breadth, not one dominant story. Vendor security-audit disclosures dropped in four unrelated batches — FacturaScripts (four new advisories, two critical, headlined by an unauthenticated path-traversal RCE and a REST API SQL injection, on top of yesterday's 2FA-bypass finding for the same vendor), Anyquery (three same-root-cause bugs spanning RCE, SSRF, and local file read in server mode), nebula-mesh, and Woodpecker CI — stacked on top of this morning's DIRAC batch.
Two active campaigns are running in parallel: a trusted-scope compromise of the official @asyncapi npm namespace dropping a cross-platform Miasma botnet loader, and a volume impersonation campaign standing up nearly 300 fake GitHub repos to push infostealers. The MCP ecosystem had a rough day too — NetLicensing-MCP, yutu, and n8n-MCP each disclosed a distinct MCP-specific bug (exposed API keys, arbitrary file write, cross-tenant backup access), a reminder that self-hosted MCP servers inherit every ordinary web-service bug class plus a few new ones. CISA also confirmed four fresh KEV exploits today — AD FS, SharePoint, and two SonicWall SMA1000 bugs — none supply-chain, all actively exploited right now.
The bright spot: outside the two campaigns and the four KEV entries, everything else today is disclosed-not-exploited — responsible-research findings with patches or clear mitigations already available for the highest-severity items. Operational priority for the night: pin or roll back any AsyncAPI npm dependency pulled in the last week, and patch the two internet-facing SonicWall SMA1000 KEV entries plus SharePoint and AD FS before their respective BOD 26-04 deadlines this week.