Security Bulletins

Operator-facing response guides for active and recent security incidents affecting AI infrastructure, developer tooling, and the supply-chain surfaces that most pipelines depend on. Each bulletin links to its primary source and lists concrete steps to take if you were affected.

  1. Mini Shai-Hulud May 11 Wave (CVE-2026-45321): SLSA-Attested npm Worm, Wiper on Token Revoke, IDE Persistence

    StepSecurity, Wiz, Socket, and Snyk documented a coordinated May 11-12 supply-chain attack by TeamPCP that compromised 42 packages and 84 versions in the @tanstack namespace (entry point @tanstack/react-router, ~12.7M weekly downloads), then self-propagated across at least 169 packages and 373 package-versions on npm and PyPI (Aikido and Snyk tracking, 2026-05-12; counts are tracker-dependent and still moving) including @uipath/* (~65 packages), @mistralai/mistralai npm, mistralai 2.4.6 PyPI, @opensearch-project/opensearch, guardrails-ai, @squawk/*, and @draftlab/*. The TanStack compromise is the first documented npm worm whose packages carry valid SLSA Build Level 3 provenance attestations: the attacker chained a pull_request_target Pwn Request, Actions cache poisoning, and OIDC token extraction from runner memory to hijack TanStack's own release pipeline in flight. Payload installs a gh-token-monitor daemon (LaunchAgent on macOS, systemd user unit on Linux) that runs rm -rf ~/ on receiving a 40X from api.github.com, and IDE persistence in .claude/settings.json and .vscode/tasks.json that survives npm uninstall. Audit lockfiles for any affected version installed on or after 2026-05-11T19:20 UTC, hunt and disarm the gh-token-monitor daemon before revoking any GitHub tokens, strip .claude/ and .vscode/ persistence in every project, then rotate npm tokens and every credential reachable from affected hosts.

  2. mistralai PyPI 2.4.6 Compromise: Credential Stealer with Geofenced rm -rf Branch, Pin Below 2.4.6 and Triage Linux Hosts

    Microsoft Threat Intelligence disclosed that version 2.4.6 of the official Mistral AI Python client on PyPI has been compromised. Code injected into mistralai/client/__init__.py executes on import, downloads a second-stage payload from 83.142.209.194/transformers.pyz to /tmp/transformers.pyz on Linux, and installs persistence as pgsql-monitor.service with a companion pgmonitor.py. The second-stage filename deliberately mimics Hugging Face Transformers to blend into ML developer environments. The main payload is a credential stealer; a geofenced destructive branch has a 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran, and the malware avoids Russian-language environments. PyPI's cached listing shows the legitimate 2.x line ending at 2.0.1 (March 12, 2026), which makes the jump to 2.4.6 itself anomalous and is consistent with quarantine action. Cap mistralai < 2.4.6 (or pin exactly to 2.0.1) everywhere, block egress to 83.142.209.194, hunt for /tmp/transformers.pyz and the systemd unit on every Linux host that ran import mistralai since 2.4.6 was published, and rotate credentials reachable from those hosts.

  3. Ollama Bleeding Llama and Windows Auto-Update RCE: Patch, Restrict Exposure, Disable Windows Auto-Update

    Cyera Research disclosed CVE-2026-7482 ("Bleeding Llama"), a CVSS 9.1 unauthenticated heap out-of-bounds read in Ollama's GGUF model loader that leaks system prompts, API keys, environment variables, and other users' conversation data in three HTTP calls. Cyera estimates ~300,000 Ollama servers are internet-exposed; the upstream /api/create and /api/push endpoints have no authentication by default. The fix shipped in 0.17.1 on Feb 25 but was not flagged as a security update, so many operators are unknowingly still vulnerable. Separately, Striga and CERT Polska published CVE-2026-42248 and CVE-2026-42249 on April 29: a path traversal plus no-op-signature-verification chain in Ollama's Windows auto-updater that produces persistent silent code execution at every login. That chain has no patch as of May 10, including in v0.23.2 (May 7); the vendor stopped responding to Striga's reports in January and CERT Polska had to take over coordination. Upgrade to 0.23.2 to close Bleeding Llama, bind to 127.0.0.1 or put an auth proxy in front of any reachable instance, rotate secrets that were ever in the Ollama process environment, and on Windows additionally disable auto-download updates and remove the Ollama shortcut from the Startup folder.

  4. Dirty Frag (CVE-2026-43284, CVE-2026-43500), Second Linux Kernel LPE in a Week, Bypasses the Copy Fail Mitigation

    Hyunwoo Kim (@v4bel) publicly disclosed "Dirty Frag" on oss-security after the embargo was broken by an unrelated third party. The chain combines two page-cache write primitives, one in the IPsec ESP path (esp4/esp6, CVE-2026-43284, rated 7.8 HIGH by CISA-ADP and Important by Red Hat) and one in rxrpc (CVE-2026-43500, NVD pending), and gives unprivileged local users root in a single command on affected systems. Critically, the Copy Fail mitigation (algif_aead blacklist) does not block Dirty Frag. A second public exploit, "Copy Fail 2: Electric Boogaloo," targets the same vulnerability under a different name. AlmaLinux is the only mainstream distribution shipping patched kernels (testing repo) at publication; Red Hat has published RHSB-2026-003 and is expediting kernel updates; Ubuntu, SUSE, and CloudLinux updates are in build. Apply the three-module modprobe blacklist now and patch when your distribution ships.

  5. DigiCert Misissuance via Support-Channel Compromise (Bug 2033170), 60 EV Code-Signing Certificates Revoked, 27 Used to Sign Malware

    DigiCert's Final Incident Report on the Mozilla CA compliance tracker (Bug 2033170) describes how a threat actor compromised a customer support analyst's machine through the support chat channel using a .scr executable disguised as a screenshot (endpoint security blocked four delivery attempts; the fifth succeeded), then used internal support-portal access to harvest initialization codes for ordered-but-not-yet-retrieved EV code-signing certificates. 27 certificates explicitly attributed to the threat actor were used to sign malware in the wild; 33 more were revoked precautionarily, for 60 revocations in total across four DigiCert intermediate CAs. Detection of the second compromised machine (ENDPOINT2) came from an external researcher's tip eleven days after DigiCert had concluded the original investigation, not from DigiCert's own monitoring; the EDR on ENDPOINT2 had not been functioning correctly. DigiCert's three contributing factors (file-type filtering on the support channel did not block .scr, EDR coverage was inconsistent, and initialization codes were not adequately protected) generalize beyond the immediate incident to anyone running a customer-attachment intake channel or an internal "view-as-customer" tool.

  6. PAN-OS Captive Portal Pre-Auth RCE-as-Root (CVE-2026-0300): Mitigate Now; Some Fixes Not Due Until May 28

    Palo Alto Networks PSIRT disclosed a buffer overflow in PAN-OS's User-ID Authentication Portal (Captive Portal) that lets an unauthenticated attacker reach root on PA-Series and VM-Series firewalls by sending specially crafted packets. It is rated CVSS-BT 9.3 CRITICAL with urgency HIGHEST and exploit maturity marked ATTACKED; the vendor has confirmed in-the-wild exploitation against portals exposed to untrusted IPs or the public internet. Patches are not yet available for every affected branch; fix ETAs span May 13 and May 28, 2026. A Threat Prevention signature has been available since May 5 for PAN-OS 11.1+; PAN-OS 10.2 customers must rely on the workaround. Prisma Access, Cloud NGFW, and Panorama are not affected. Restrict the portal to trusted internal zones now or disable it entirely; treat any internet-exposed firewall during the active-exploitation window as potentially compromised.

  7. DAEMON Tools Supply-Chain Compromise (Apr 8 – Ongoing), Trojanized Installers Signed With Vendor's Legitimate Cert

    Kaspersky GReAT disclosed that DAEMON Tools, a widely used Windows disk-image-mounting utility, has been distributing malware-laden installers from its official site since April 8, 2026, signed with the legitimate AVB Disc Soft Authenticode certificate. Three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) in versions 12.5.0.2421 through 12.5.0.2434 are tampered to launch a backdoor at every startup, beaconing to a typosquat C2 (env-check.daemontools[.]cc). Thousands of infections across 100+ countries; ~10% in business environments. ~12 hosts in government, scientific, manufacturing, retail, and education sectors in Russia, Belarus, and Thailand received targeted second-stage backdoors, including a multi-protocol "QUIC RAT." Chinese-language artifacts were noted in the implants, but there is no formal attribution. Campaign reported as still active. Vendor notified; no public advisory yet. Hash-check the affected binaries, hunt the dropped payloads, block the C2, and treat the Authenticode signature as no defense.

  8. cPanel & WHM Authentication Bypass (CVE-2026-41940), Patch Now and Hunt for Pre-Patch Compromise

    cPanel (WebPros) released emergency patches April 28 for what its release notes called "an issue with session loading and saving." The bug was assigned CVE-2026-41940 the next day with CVSS 9.8: an unauthenticated CRLF injection in cpsrvd's session-handling code that lets a remote attacker promote a pre-auth session to root on WHM, bypassing both password and 2FA gates. Per the cPanel advisory, the bug affects cPanel software including DNSOnly across all versions after 11.40, plus WP Squared. watchTowr Labs published the full chain and a public Detection Artifact Generator on April 29; Searchlight Cyber separately documented that simply closing WHM/cPanel ports is not full containment because cPanel's per-vhost /___proxy_subdomain_whm/ path keeps the same endpoints reachable on 80/443. KnownHost reports execution attempts in the wild as early as February 23, 2026, well before the public advisory; Rapid7's Shodan figure puts internet-exposed cPanel instances at roughly 1.5 million. Patch immediately, then hunt /var/cpanel/sessions/ for injection artifacts.

  9. PyTorch Lightning 2.6.2 / 2.6.3 Compromised on PyPI, What to Do If You Installed It

    Aikido, Socket, and StepSecurity confirm that two new releases of the popular lightning Python package (PyTorch Lightning, 31k+ GitHub stars, hundreds of thousands of daily downloads) contain a credential-stealing payload injected into __init__.py. The malware runs on every import lightning, downloads an 11 MB Bun-based JavaScript payload, and exfiltrates encrypted credentials to public GitHub repos created under the victim's own account, using commit identities that impersonate Anthropic's Claude Code. PyPI has quarantined the project. Same campaign as the Bitwarden CLI and SAP npm compromises ("Mini Shai-Hulud"). Last pre-incident release: 2.6.1, but the entire lightning project is currently quarantined on PyPI, so reinstall from a verified internal artifact rather than PyPI itself.

  10. Copy Fail (CVE-2026-31431), Public PoC for Linux Kernel LPE Across Mainstream Distros Since 2017

    Theori's Xint Code team disclosed "Copy Fail," a logic flaw in the Linux kernel's algif_aead crypto socket interface. A 732-byte Python PoC (already public on GitHub) was directly demonstrated against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, with no race window and no kernel-version-specific offsets. The page-cache primitive crosses container boundaries, making this critical for Kubernetes nodes, self-hosted CI runners, and any cloud SaaS running tenant code. May 4 update: WSL2 is confirmed vulnerable; Microsoft is shipping the patched WSL2 kernel via the May 12 Patch Tuesday rollout. CISA added the CVE to the KEV catalog on May 1 with a federal patch deadline of May 15. Microsoft Defender reports preliminary in-the-wild testing activity. May 8 update: the algif_aead mitigation does not block the new Dirty Frag chain; hosts hardened against Copy Fail need a separate mitigation.

  11. GitHub Push-Pipeline RCE (CVE-2026-3854), Patched on github.com, GHES Admins Must Upgrade

    Wiz Research and GitHub disclosed a critical RCE in GitHub's internal git push pipeline. A single git push with crafted -o push options achieved arbitrary command execution as the git service user via X-Stat header injection. Reported March 4, fixed on github.com the same day, GHES patches released March 10, public disclosure April 28. github.com / GHEC: no action needed. GHES self-hosters: upgrade immediately. No exploitation found in GitHub's forensic review. CVSS 8.7 per Wiz.

  12. Bitwarden CLI 2026.4.0 Compromised on npm, What to Do If You Installed It

    Socket reports @bitwarden/cli version 2026.4.0 on npm was compromised, with malicious code in bw1.js executed via a preinstall hook. Bitwarden's April 23 statement confirms the package was live on the npm delivery path for roughly 90 minutes, between 5:57 PM and 7:30 PM ET on April 22. Same C2 infrastructure as the Apr 22 Checkmarx compromise (audit.checkmarx[.]cx), with self-propagation via npm-token theft. Targets developer credentials, cloud secrets, GitHub tokens, npm tokens, and Claude/MCP configuration files. Bitwarden says vault data and production systems were not compromised; Chrome extension and MCP server are reported unaffected.

  13. Checkmarx KICS Docker Hub Compromise, What to Do If You Pulled the Affected Images

    Attackers overwrote legitimate checkmarx/kics Docker tags (v2.1.20, v2.1.20-debian, alpine, debian, latest) with poisoned versions and published counterfeit v2.1.21 / v2.1.21-debian tags. The modified KICS binary harvests secrets from any IaC files it scans and exfiltrates to audit.checkmarx[.]cx. Related Open VSX extensions cx-dev-assist (1.17.0, 1.19.0) and ast-results (2.63.0, 2.66.0) were also flagged for fetching and executing remote code via the Bun runtime.

  14. xinference PyPI Compromise, What to Do If You Installed It

    Three xinference releases (2.6.0, 2.6.1, 2.6.2) were trojanized on PyPI with code in __init__.py that runs on every import. The payload harvests SSH keys, Git credentials, AWS material (IMDS, Secrets Manager, SSM), Kubernetes tokens, Docker auth, .env files, and TLS keys, exfiltrating to whereisitat[.]lucyatemysuperbox[.]space. Attribution to TeamPCP is contested.

  15. Lovable BOLA Exposure, What to Do If You Built an App on Lovable

    A researcher disclosed a Broken Object Level Authorization flaw in Lovable's /projects/{id}/* endpoints that reportedly allowed unauthenticated access to source code, chat history with embedded secrets, and Supabase service keys for projects created before approximately November 2025. Lovable disputed the framing and has not, based on public sources reviewed, published a formal incident bulletin.

  16. Vercel × Context.ai OAuth Supply-Chain Breach, What to Do as a Vercel Customer

    A compromise of Context.ai (per Hudson Rock, traced to a Lumma Stealer infection on a Context.ai employee originating from a Roblox cheat download) led to OAuth-token abuse against a Vercel employee's Google Workspace via Context.ai's Chrome extension, and subsequent enumeration and decryption of customer environment variables not marked sensitive. Vercel's April 23 update expanded customer notifications after broader log review and flagged additional accounts with prior, independent compromise.