Must-Know

The critical stories you can't miss.

Monday, May 25, 2026

Laravel-Lang Packages Poisoned to Exfiltrate CI Secrets

supply-chain · malware · github · devsecops

Megalodon Supply Chain Attack Infects 5,500+ GitHub Repositories

supply-chain · github · malware · devsecops

Saturday, May 23, 2026

LiteSpeed cPanel Plugin CVE-2026-48172 Actively Exploited for Root Privilege Escalation

cve · privilege-escalation · vulnerability · zero-day

Friday, May 22, 2026

Megalodon GitHub Attack Injects Malicious CI/CD Workflows into 5,561 Repos

supply-chain · github · malware · devsecops

Grafana Codebase Stolen via TanStack Supply Chain Attack

supply-chain · github · data-breach

Wednesday, May 20, 2026

Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack

supply-chain · npm · malware

GitHub Confirms 3,800 Internal Repos Breached via Malicious VS Code Extension

supply-chain · github · malware · data-breach

Tuesday, May 19, 2026

New Shai-Hulud Wave Compromises 600+ npm Packages in Fresh Supply Chain Hit

supply-chain · npm · malware

Compromised Nx Console 18.95.0 Delivers Credential Stealer to 2.2M VS Code Users

supply-chain · npm · credential-theft · appsec · devsecops

Monday, May 18, 2026

GitHub Actions Supply Chain Attack Hijacks actions-cool/issues-helper Tags

supply-chain · github · credential-theft · devsecops

Friday, May 15, 2026

node-ipc npm Package Compromised in Supply Chain Attack to Steal Credentials

supply-chain · npm · malware · appsec · devsecops

TanStack Supply Chain Attack Compromised Two OpenAI Employee Devices, Credentials Stolen

supply-chain · npm · openai · malware · appsec

TeamPCP Releases Shai-Hulud Worm Source Code, Invites Supply Chain Attacks with Monetary Rewards

supply-chain · malware · npm

Thursday, May 14, 2026

Microsoft Exchange CVE-2026-42897 Zero-Day Exploited via Crafted Email

zero-day · xss · rce · microsoft · cve

Cisco SD-WAN CVE-2026-20182 Added to CISA KEV; Sixth Exploited SD-WAN Zero-Day in 2026

zero-day · cve · vulnerability · cisco

TanStack npm Supply Chain Attack Hits Multiple AI Companies

supply-chain · npm · pypi · openai · appsec

Monday, May 11, 2026

Official Checkmarx Jenkins AST Plugin Backdoored with Infostealer

supply-chain · malware · appsec · devsecops · github

Wednesday, May 6, 2026

PAN-OS Zero-Day CVE-2026-0300 Enables Unauthenticated RCE via Captive Portal

zero-day · rce · vulnerability · cve

DAEMON Tools Supply Chain Attack Hits Government and Scientific Targets

supply-chain · malware

Tuesday, May 5, 2026

Palo Alto PAN-OS RCE Zero-Day CVE-2026-0300 Actively Exploited

zero-day · rce · cve · vulnerability

DAEMON Tools Official Installers Backdoored in Supply Chain Attack

supply-chain · malware

MetInfo CMS CVE-2026-29014 Under Active Exploitation — Unauthenticated RCE (CVSS 9.8)

rce · cve · zero-day · vulnerability

ScarCruft Compromises Gaming Platform to Deploy BirdCall Backdoor on Android and Windows

supply-chain · malware · zero-day

Weaver E-cology CVE-2026-22679 Actively Exploited — CVSS 9.8 Unauthenticated RCE via Debug API

rce · cve · zero-day · vulnerability

Monday, May 4, 2026

Backdoored PyTorch Lightning Package on PyPI Delivers Credential Stealer

supply-chain · pypi · malware · infostealer

'Copy Fail' Linux Flaw Hits CISA KEV as Active Exploitation Begins

vulnerability · cve · privilege-escalation · zero-day

Saturday, May 2, 2026

Critical cPanel Flaw CVE-2026-41940 Mass-Exploited in "Sorry" Ransomware Attacks

ransomware · cve · vulnerability

Friday, May 1, 2026

Trellix Confirms Source Code Breach via Unauthorized Repository Access

data-breach · supply-chain · appsec

TeamPCP 'Mini Shai-Hulud' Supply Chain Attack Hits SAP npm Packages

supply-chain · npm · malware

Thursday, April 30, 2026

PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials

supply-chain · pypi · malware · credential-theft

Critical cPanel and WHM Auth Bypass CVE-2026-41940 Exploited as Zero-Day Since February

zero-day · vulnerability · cve · privilege-escalation

Google Patches CVSS 10 Gemini CLI RCE Enabling Supply-Chain Code Execution

rce · supply-chain · npm · github · google

Wednesday, April 29, 2026

SAP npm Packages Compromised in Credential-Stealing Supply Chain Attack

supply-chain · npm · malware

CISA Adds Actively Exploited ConnectWise ScreenConnect and Windows Flaws to KEV

zero-day · vulnerability · cve · microsoft

Monday, April 27, 2026

Medtronic Breach Confirmed: ShinyHunters Claims 9 Million Records Stolen

data-breach

PyPI Package 'elementary-data' with 1.1M Monthly Downloads Backdoored to Steal Credentials

supply-chain · pypi · malware

Incomplete Windows Patch Exposes Systems to Zero-Click APT28 Attack Vector

zero-day · vulnerability · microsoft · apt

Thursday, April 23, 2026

Checkmarx Supply Chain Attack Compromises Bitwarden CLI and KICS Analysis Tool

supply-chain · npm · cve · appsec · devsecops

Microsoft Defender Zero-Day Exploited to Dump NTLM Hashes and Gain SYSTEM Privileges

zero-day · vulnerability · cve · microsoft · privilege-escalation

Tuesday, April 21, 2026

Over 1,300 SharePoint Servers Still Exposed to Actively Exploited Spoofing Zero-Day

zero-day · vulnerability · cve · microsoft

CVE-2026-1731: Critical Bomgar RMM RCE Actively Exploited to Spread Ransomware

rce · supply-chain · ransomware · vulnerability · cve

Thursday, April 16, 2026

Windows Zero-Days Leaked, Now Actively Exploited for SYSTEM Privileges

zero-day · microsoft · privilege-escalation

Wednesday, April 15, 2026

ShinyHunters Claims 45 Million McGraw Hill Records via Salesforce Misconfiguration

data-breach · cloud-security

CVE-2026-33032 (MCPwn): Critical Nginx UI Authentication Bypass Actively Exploited

cve · vulnerability · rce · zero-day

Tuesday, April 14, 2026

April 2026 Patch Tuesday: SharePoint Zero-Day Among 167 CVEs Fixed

zero-day · rce · microsoft · vulnerability · cve

Monday, April 13, 2026

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

rce · cve · zero-day · vulnerability

OpenAI Rotates macOS Code-Signing Certs After North Korea-Linked Axios Supply Chain Attack

supply-chain · openai · malware · github

Anthropic Restricts Mythos Preview After Model Autonomously Exploits Zero-Days in Major OS and Browsers

anthropic · llm · ai-safety · zero-day · vulnerability

Saturday, April 11, 2026

Adobe Patches Actively Exploited Acrobat Reader RCE — CVE-2026-34621

zero-day · cve · vulnerability · appsec · rce

Friday, April 10, 2026

CPUID Supply Chain Attack Poisons CPU-Z and HWMonitor Downloads

supply-chain · malware

Thursday, April 9, 2026

Smart Slider 3 Pro Update System Hijacked to Deliver Backdoored WordPress and Joomla Versions

supply-chain · malware · wordpress · appsec

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

zero-day · cve · vulnerability · appsec

Wednesday, April 8, 2026

LiteLLM Supply Chain Attack — PyPI Packages Compromised

supply-chain · pypi · llm · malware

Tuesday, April 7, 2026

Claude Code Source Snippets Leaked Via Misconfigured Bucket

data-breach · anthropic · cloud-security