Today paired one confirmed active supply-chain attack with one mass vulnerability dump on a widely self-hosted tool. Security researchers nailed down the exact AsyncAPI npm compromise — five specific package versions, one carrying roughly 2M weekly downloads — and traced the entry point to a backdoored GitHub Actions workflow rather than a stolen token, which shifts the fix from ‘rotate npm tokens’ to ‘audit the org’s CI.’
The bigger story, though, is MantisBT: eight advisories landed at once, headlined by a SOAP API bug that lets anyone who self-registers — the default configuration — read their own session cookie and use it to impersonate the administrator with zero password knowledge, chaining into a SQL injection that dumps the whole database and an eval()-based RCE for anyone who already has admin. Koel added five more advisories showing its earlier SSRF fix only closed one of five vulnerable fetch paths, and a handful of unrelated SSRF and path-traversal bugs (TensorZero, obsidian-local-rest-api, LangBot's MCP config) round out a day where ‘we already patched that’ kept turning out to be only half true.
Late escalation at 21:00 ET: a fresh batch of 22 GHSA advisories landed between First Watch and bedtime, adding a dozen more high-severity items to the board — a W3C baggage-parsing DoS shipped simultaneously across all six Datadog tracer language SDKs, a ViewComponent around_render bypass that defeats Rails' HTML escaping in collection rendering, and a django-haystack eval() RCE triggered by attacker-controlled Elasticsearch content. None of it unseats MantisBT as the day's top story, but it's a lot of ground to cover before bed. The bright spot holds: every high-severity find today — MantisBT, Koel, TensorZero, and tonight's late batch — already ships a patched release or a documented workaround; nothing here is a zero-day with no fix available.
→ Operational priority for the night if MantisBT runs anywhere in your stack, patch now or disable self-registration — the admin-bypass path needs nothing more than a public signup form; if you run Datadog's tracer in any language, drop baggage from DD_TRACE_PROPAGATION_STYLE until you can upgrade.