30 watches published so far. Each one captures what crossed the wire that day — new disclosures, fresh CISA KEV adds, package-hijack campaigns in progress — ranked by severity.
The trusted update channel was the attack: ShapedPlugin shipped a CVSS-10 backdoor through official Pro-plugin releases for a month — and the evening brought a late wave of forge and npm-library disclosures, capped by a fresh SCIM prototype-pollution critical.
A quiet Sunday on the registries — no new criticals and no fresh KEV adds, leaving the day's only live thread an actively-exploited WordPress plugin leaking the API keys and OAuth tokens that downstream attacks usually have to phish for.
Microsoft pinned last week's 140-package Mastra AI npm compromise on North Korea's BlueNoroff while the agent stack kept failing in public — a third critical-class Langflow hole now on CISA KEV, fresh cross-tenant breaks in the agent-memory stores, and another MCP-server SSRF and path-traversal cluster.
The agentic toolchain audited itself in public all day — Langflow and Network-AI criticals, an MCP-server SSRF/XSS cluster, and cross-tenant breaks across the agent-memory stores — and kept going after dark with a LangSmith SDK file-read and a Lokka MCP Azure-token leak.
AI agent frameworks and MCP servers became the day's soft target — a dozen-plus unauthenticated-control-plane and prompt-injection-to-RCE holes landed across PraisonAI, Crawl4AI, OpenClaw and the MCP tooling, while a real update-channel compromise hit WordPress and CISA flagged an actively-exploited Splunk file-write.
The AI development toolchain became the supply chain: two live npm and IDE credential-theft campaigns landed alongside a flood of fresh advisories against the self-hosted LLM stack.
The day escalated after dark: unauthenticated RCE in Rclone, an auth bypass in the LiteLLM proxy, a CVSS-10 unauthenticated browser-control hole and cross-tenant credential takeover in n8n, and a token-scope-bypass cluster across Gitea and Gogs piled onto the AI-development-stack mass disclosure and the IDE plugins caught stealing AI keys.
A live CDN supply-chain attack on three widely-deployed WordPress plugins headlines a day of dev-tooling RCE and fresh CISA KEV adds.
A rare quiet day across the registries, with the lone headline a decade-long hijack of a target's authentication stack that reframes identity as the supply chain's deepest dependency.
The week's File Browser disclosure run crests with six advisories dropped at once — unauth share leaks, a one-packet login DoS, zip-slip and symlink escapes — while esbuild's Deno installer quietly reopens a build-time RCE path.
Four hundred-plus Arch AUR packages are poisoned with an infostealer and eBPF rootkit on the same day Budibase, TYPO3 and File Browser ship coordinated emergency mass-patches.
npm moves to disarm install scripts on the same day a supply-chain worm's source code leaks and PDM lands its second code-execution flaw — the install-time attack surface is the whole story.
CISA KEV deadlines for TanStack and Nx Console land today as Miasma's source code briefly leaks on GitHub and a new supply-chain vector — malicious MCP server config in pull requests — puts Claude Code Action CI pipelines at risk of secret exfiltration.
A late GHSA wave after 18:00 ET delivered unauthenticated RCE in PhoenixStorybook and a connector-ACL bypass in Dex, extending a day already shaped by the Shai-Hulud PyPI worm campaign and five CISA KEV additions.
A 21:00 ET KEV addition dropped a command-injection RCE in the open-source LiteLLM gateway onto the actively-exploited list — capping a day already shaped by two ransomware-linked developer-toolchain compromises, Nx Console and TanStack.
The disclosure feeds went silent for the weekend, leaving one story standing: Miasma opened a Python propagation arm — 37 malicious PyPI wheels that execute on interpreter start, no import required.
The Miasma worm crossed from npm into Microsoft's own GitHub estate — 73 repositories disabled across four organizations — while DbGate disclosed an unauthenticated CVSS-10 RCE.
IronWorm's npm campaign doubles to 50-plus poisoned packages and picks up a self-spreading worm and a kernel rootkit, while CISA's KEV clock runs out on a Magento RCE tonight.
Two self-propagating npm worms hit the registry the same day a triple-critical SSTI flaw turns Jupyter's Kubernetes gateway into full cluster takeover.
A public VS Code / github.dev one-click token steal and a triple-critical RCE chain in Jupyter Enterprise Gateway land in the same 48-hour window CISA pushes four bugs to the KEV catalog and Wordfence logs hundreds of active hits on Kirki.
Two Vitest CVEs, six praisonai IDORs, and a conda write-anywhere push developer tooling into the day's attack surface while CISA stacks three KEV adds on top.
Mini Shai-Hulud lands inside Red Hat's official npm scope — the trusted-vendor namespace compromise the ecosystem has been preparing for since last summer.
DPRK's Contagious Interview crew ports its npm playbook to PHP, dropping malware in a Packagist-listed package on an otherwise quiet KEV-burndown Sunday.
Developers are the day's target — a Ghost CMS RCE has backdoored 700+ tech and university sites into ClickFix droppers, CISA hands PAN-OS a 72-hour patch clock, and another AI-coding CLI ships with implicit working-directory trust.
Late escalation at 21:00 ET: a 19-advisory audit dump against PraisonAI lands on top of the morning's vm2/Redshift/Gotenberg trio — official A2A example reaches unauthenticated `eval()`, `deploy --type api` ships with auth disabled, and Platform's JWT key defaults to a hardcoded `dev-secret-change-me`.
A Sicoob banking-SDK impersonator on NuGet exfiltrates client certs through Sentry, the Symfony tranche tops twenty advisories, and a late-evening paired Dulwich disclosure revives the NTFS-hostile-tree-entry class on Windows.
CISA closes the day with KEV adds for Nx Console and TanStack — turning the npm credential-stealing wave into a federal-mandate clock — while Yamcs hands aerospace operators two critical mission-control RCEs.
Late escalation at 21:00 ET adds a Yamcs algorithm-engine RCE, three pre-auth RCEs in FUXA, and a path traversal in the npm `tmp` transitive dep on top of the day's XWiki and LiteSpeed criticals.
Monday after the storm: TrapDoor's narrative spreads while two Defender CVEs land on the KEV list.
Four concurrent package-poisoning campaigns hit the registries at once.