Security Bulletins
Operator-facing response guides for active and recent security incidents affecting AI infrastructure, developer tooling, and the supply-chain surfaces that most pipelines depend on. Each bulletin links to its primary source and lists concrete steps to take if you were affected.
HTTP/2 Bomb Remote Memory-Exhaustion DoS (CVE-2026-49975): Cap Header Count or Disable HTTP/2 on nginx, Apache, IIS, Envoy, and Pingora
Researcher Quang Luong published a writeup and public PoC for the "HTTP/2 Bomb," a remote denial-of-service that lets one attacker on a home connection drive a vulnerable web server to allocate tens of gigabytes of memory in seconds, unauthenticated. It chains an HPACK indexed-reference bomb (one wire byte expands to a full header allocation, repeated thousands of times) with a zero-byte flow-control window that stops the server ever freeing that memory, and reproduces in the default HTTP/2 config of nginx 1.29.7 and earlier, Apache httpd 2.4.67 and earlier, Microsoft IIS (Windows Server 2025), Envoy 1.37.2 and earlier, and Cloudflare Pingora 0.8.0. Amplification runs up to ~5,700:1 (Envoy). The Apache variant is CVE-2026-49975. nginx fixed it in 1.29.8 (7 Apr 2026, the max_headers directive, default 1000); Apache in standalone mod_http2 v2.0.41 (27 May 2026); IIS, Pingora, and most current Envoy releases had no fix at publication. PoC is public; no confirmed in-the-wild exploitation. This is availability impact only, not RCE or data exposure (the NVD 9.8 overstates a pure DoS). If you terminate HTTP/2 directly on an internet-facing instance, get onto a fixed build (nginx 1.29.8+, Apache mod_http2 v2.0.41+) or, where none exists, disable HTTP/2 or front the listener with a proxy that enforces a hard header-count cap plus per-connection memory limits.
TrapDoor Crypto Stealer Across npm, PyPI, and Crates.io (34+ Lure Packages): Grep Your Lockfiles and Rotate Wallet Keys
Socket disclosed TrapDoor, a single coordinated campaign that published at least 34 malicious packages and 384+ versions across npm, PyPI, and Crates.io at once. These are not hijacks of popular libraries but net-new lures named to attract crypto, DeFi, Solana, Sui/Move, AI, and security developers (wallet-security-checker, defi-threat-scanner, move-compiler-tools, and similar). On npm install (postinstall), import (PyPI), or cargo build (build.rs), a shared payload steals Sui/Solana/Aptos and web3 wallet data and seed phrases, SSH keys, AWS credentials, GitHub tokens, browser data, environment variables, and API keys, exfiltrating to attacker GitHub infrastructure (ddjidd564.github.io); a secondary vector injects hidden-Unicode instructions into .cursorrules / CLAUDE.md via PRs. Socket reports a median detection of 5m27s and that some packages were still live at writing, but published no C2 IPs, hashes, or wallet addresses, so package names are the detection signal. Grep every npm, pip, and cargo lockfile for the named packages; if any host installed, imported, or built one, treat it as wallet- and credential-compromised: move crypto funds to a fresh wallet on a clean device, rotate every reachable secret, rebuild clean, and review your repos' AI config files.
Next.js WebSocket Upgrade SSRF (CVE-2026-44578): Patch Self-Hosted Deployments, Jump to 15.5.18 or 16.2.6, Not 15.5.16 / 16.2.5
Vercel's May 6 coordinated security release for Next.js includes GHSA-c4j6-fc7j-m34r, a pre-auth server-side request forgery in the WebSocket upgrade handler of self-hosted Next.js applications running on the built-in Node.js server. An unauthenticated attacker who can reach the origin can cause it to proxy HTTP requests to arbitrary internal or external destinations, including cloud instance metadata services (IMDS at 169.254.169.254) and any internal-only service reachable from the origin host. The MITRE CVE record (published May 13) lists CVSS 3.1 base 8.6 HIGH (CWE-918). Affected: next >= 13.4.13 < 15.5.16 and >= 16.0.0 < 16.2.5. Vercel-hosted and Netlify-Functions-only deployments are not affected. PoC code is public; no confirmed in-the-wild exploitation as of publication. Upgrade next to 15.5.18 or 16.2.6 (not the minimum 15.5.16 / 16.2.5, which leaves the May 7 Turbopack follow-up open), enforce IMDSv2 with hop-limit 1 on cloud VMs hosting Next.js origins, and if you cannot patch immediately, drop or 403 unsolicited Upgrade: websocket requests at your reverse proxy.
mistralai PyPI 2.4.6 Compromise: Credential Stealer with Geofenced rm -rf Branch, Pin Below 2.4.6 and Triage Linux Hosts
Microsoft Threat Intelligence disclosed that version 2.4.6 of the official Mistral AI Python client on PyPI has been compromised. Code injected into mistralai/client/__init__.py executes on import, downloads a second-stage payload from 83.142.209.194/transformers.pyz to /tmp/transformers.pyz on Linux, and installs persistence as pgsql-monitor.service with a companion pgmonitor.py. The second-stage filename deliberately mimics Hugging Face Transformers to blend into ML developer environments. The main payload is a credential stealer; a geofenced destructive branch has a 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran, and the malware avoids Russian-language environments. PyPI's cached listing shows the legitimate 2.x line ending at 2.0.1 (March 12, 2026), which makes the jump to 2.4.6 itself anomalous and is consistent with quarantine action. Cap mistralai < 2.4.6 (or pin exactly to 2.0.1) everywhere, block egress to 83.142.209.194, hunt for /tmp/transformers.pyz and the systemd unit on every Linux host that ran import mistralai since 2.4.6 was published, and rotate credentials reachable from those hosts.
Ollama Bleeding Llama and Windows Auto-Update RCE: Patch, Restrict Exposure, Disable Windows Auto-Update
Cyera Research disclosed CVE-2026-7482 ("Bleeding Llama"), a CVSS 9.1 unauthenticated heap out-of-bounds read in Ollama's GGUF model loader that leaks system prompts, API keys, environment variables, and other users' conversation data in three HTTP calls. Cyera estimates ~300,000 Ollama servers are internet-exposed; the upstream /api/create and /api/push endpoints have no authentication by default. The fix shipped in 0.17.1 on Feb 25 but was not flagged as a security update, so many operators are unknowingly still vulnerable. Separately, Striga and CERT Polska published CVE-2026-42248 and CVE-2026-42249 on April 29: a path traversal plus no-op-signature-verification chain in Ollama's Windows auto-updater that produces persistent silent code execution at every login. That chain has no patch as of May 10, including in v0.23.2 (May 7); the vendor stopped responding to Striga's reports in January and CERT Polska had to take over coordination. Upgrade to 0.23.2 to close Bleeding Llama, bind to 127.0.0.1 or put an auth proxy in front of any reachable instance, rotate secrets that were ever in the Ollama process environment, and on Windows additionally disable auto-download updates and remove the Ollama shortcut from the Startup folder.
Dirty Frag (CVE-2026-43284, CVE-2026-43500), Second Linux Kernel LPE in a Week, Bypasses the Copy Fail Mitigation
Hyunwoo Kim (@v4bel) publicly disclosed "Dirty Frag" on oss-security after the embargo was broken by an unrelated third party. The chain combines two page-cache write primitives, one in the IPsec ESP path (esp4/esp6, CVE-2026-43284, rated 7.8 HIGH by CISA-ADP and Important by Red Hat) and one in rxrpc (CVE-2026-43500, NVD pending), and gives unprivileged local users root in a single command on affected systems. Critically, the Copy Fail mitigation (algif_aead blacklist) does not block Dirty Frag. A second public exploit, "Copy Fail 2: Electric Boogaloo," targets the same vulnerability under a different name. AlmaLinux is the only mainstream distribution shipping patched kernels (testing repo) at publication; Red Hat has published RHSB-2026-003 and is expediting kernel updates; Ubuntu, SUSE, and CloudLinux updates are in build. Apply the three-module modprobe blacklist now and patch when your distribution ships.
DigiCert Misissuance via Support-Channel Compromise (Bug 2033170), 60 EV Code-Signing Certificates Revoked, 27 Used to Sign Malware
DigiCert's Final Incident Report on the Mozilla CA compliance tracker (Bug 2033170) describes how a threat actor compromised a customer support analyst's machine through the support chat channel using a .scr executable disguised as a screenshot — endpoint security blocked four delivery attempts, the fifth succeeded — then used internal support-portal access to harvest initialization codes for ordered-but-not-yet-retrieved EV code-signing certificates. 27 certificates explicitly attributed to the threat actor were used to sign malware in the wild; 33 more were revoked precautionarily. 60 revocations total across four DigiCert intermediate CAs. Detection of the second compromised machine (ENDPOINT2) came from an external researcher's tip eleven days after DigiCert had concluded the original investigation, not from DigiCert's own monitoring; the EDR on ENDPOINT2 had not been functioning correctly. DigiCert's three contributing factors — file-type filtering on the support channel did not block .scr, EDR coverage was inconsistent, initialization codes were not adequately protected — generalize beyond the immediate incident to anyone running a customer-attachment intake channel or an internal "view-as-customer" tool.
PAN-OS Captive Portal Pre-Auth RCE-as-Root (CVE-2026-0300): Mitigate Now; Some Fixes Not Due Until May 28
Palo Alto Networks PSIRT disclosed a buffer overflow in PAN-OS's User-ID Authentication Portal (Captive Portal) that lets an unauthenticated attacker reach root on PA-Series and VM-Series firewalls by sending specially crafted packets. CVSS-BT 9.3 CRITICAL, urgency HIGHEST, exploit maturity marked ATTACKED — vendor-confirmed in-the-wild exploitation already observed against portals exposed to untrusted IPs or the public internet. Patches are not yet available for every affected branch; fix ETAs span May 13 and May 28, 2026. Threat Prevention signature available 5 May for PAN-OS 11.1+; PAN-OS 10.2 customers must rely on the workaround. Prisma Access, Cloud NGFW, and Panorama are not affected. Restrict the portal to trusted internal zones now or disable it entirely; treat any internet-exposed firewall during the active-exploitation window as potentially compromised.
DAEMON Tools Supply-Chain Compromise (Apr 8 – Ongoing), Trojanized Installers Signed With Vendor's Legitimate Cert
Kaspersky GReAT disclosed that DAEMON Tools, a widely used Windows disk-image-mounting utility, has been distributing malware-laden installers from its official site since April 8, 2026, signed with the legitimate AVB Disc Soft Authenticode certificate. Three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) in versions 12.5.0.2421 through 12.5.0.2434 are tampered to launch a backdoor at every startup, beaconing to a typosquat C2 (env-check.daemontools[.]cc). Thousands of infections across 100+ countries; ~10% in business environments. ~12 hosts in government, scientific, manufacturing, retail, and education sectors in Russia, Belarus, and Thailand received targeted second-stage backdoors, including a multi-protocol "QUIC RAT." Chinese-language artifacts noted in the implants but no formal attribution. Campaign reported as still active. Vendor notified; no public advisory yet. Hash-check the affected binaries, hunt the dropped payloads, block the C2, and treat the Authenticode signature as no defense.
cPanel & WHM Authentication Bypass (CVE-2026-41940), Patch Now and Hunt for Pre-Patch Compromise
cPanel (WebPros) released emergency patches April 28 for what its release notes called "an issue with session loading and saving." The bug was assigned CVE-2026-41940 the next day with CVSS 9.8: an unauthenticated CRLF injection in cpsrvd's session-handling code that lets a remote attacker promote a pre-auth session to root on WHM, bypassing both password and 2FA gates. Per the cPanel advisory, affects cPanel software including DNSOnly across all versions after 11.40, plus WP Squared. watchTowr Labs published the full chain and a public Detection Artifact Generator on April 29; Searchlight Cyber separately documented that simply closing WHM/cPanel ports is not full containment because cPanel's per-vhost /___proxy_subdomain_whm/ path keeps the same endpoints reachable on 80/443. KnownHost reports execution attempts in the wild as early as February 23, 2026, well before the public advisory; Rapid7's Shodan figure puts internet-exposed cPanel instances at roughly 1.5 million. Patch immediately, then hunt /var/cpanel/sessions/ for injection artifacts.
PyTorch Lightning 2.6.2 / 2.6.3 Compromised on PyPI, What to Do If You Installed It
Aikido, Socket, and StepSecurity confirm that two new releases of the popular lightning Python package (PyTorch Lightning, 31k+ GitHub stars, hundreds of thousands of daily downloads) contain a credential-stealing payload injected into __init__.py. The malware runs on every import lightning, downloads an 11 MB Bun-based JavaScript payload, and exfiltrates encrypted credentials to public GitHub repos created under the victim's own account, using commit identities that impersonate Anthropic's Claude Code. PyPI has quarantined the project. Same campaign as the Bitwarden CLI and SAP npm compromises ("Mini Shai-Hulud"). Last pre-incident release: 2.6.1, but the entire lightning project is currently quarantined on PyPI, so reinstall from a verified internal artifact rather than PyPI itself.
Copy Fail (CVE-2026-31431), Public PoC for Linux Kernel LPE Across Mainstream Distros Since 2017
Theori's Xint Code team disclosed "Copy Fail," a logic flaw in the Linux kernel's algif_aead crypto socket interface. A 732-byte Python PoC (already public on GitHub) was directly demonstrated against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, with no race window and no kernel-version-specific offsets. The page-cache primitive crosses container boundaries, making this critical for Kubernetes nodes, self-hosted CI runners, and any cloud SaaS running tenant code. May 4 update: WSL2 is confirmed vulnerable; Microsoft is shipping the patched WSL2 kernel via the May 12 Patch Tuesday rollout. CISA added the CVE to the KEV catalog on May 1 with a federal patch deadline of May 15. Microsoft Defender reports preliminary in-the-wild testing activity. May 8 update: the algif_aead mitigation does not block the new Dirty Frag chain; hosts hardened against Copy Fail need a separate mitigation.
GitHub Push-Pipeline RCE (CVE-2026-3854), Patched on github.com, GHES Admins Must Upgrade
Wiz Research and GitHub disclosed a critical RCE in GitHub's internal git push pipeline. A single git push with crafted -o push options achieved arbitrary command execution as the git service user via X-Stat header injection. Reported March 4, fixed on github.com the same day, GHES patches released March 10, public disclosure April 28. github.com / GHEC: no action needed. GHES self-hosters: upgrade immediately. No exploitation found in GitHub's forensic review. CVSS 8.7 per Wiz.
Bitwarden CLI 2026.4.0 Compromised on npm, What to Do If You Installed It
Socket reports @bitwarden/cli version 2026.4.0 on npm was compromised, with malicious code in bw1.js executed via a preinstall hook. Bitwarden's April 23 statement confirms the package was live on the npm delivery path for roughly 90 minutes, between 5:57 PM and 7:30 PM ET on April 22. Same C2 infrastructure as the Apr 22 Checkmarx compromise (audit.checkmarx[.]cx), with self-propagation via npm-token theft. Targets developer credentials, cloud secrets, GitHub tokens, npm tokens, and Claude/MCP configuration files. Bitwarden says vault data and production systems were not compromised; Chrome extension and MCP server are reported unaffected.
Checkmarx KICS Docker Hub Compromise, What to Do If You Pulled the Affected Images
Attackers overwrote legitimate checkmarx/kics Docker tags (v2.1.20, v2.1.20-debian, alpine, debian, latest) with poisoned versions and published counterfeit v2.1.21 / v2.1.21-debian tags. The modified KICS binary harvests secrets from any IaC files it scans and exfiltrates to audit.checkmarx[.]cx. Related Open VSX extensions cx-dev-assist (1.17.0, 1.19.0) and ast-results (2.63.0, 2.66.0) were also flagged for fetching and executing remote code via the Bun runtime.
xinference PyPI Compromise, What to Do If You Installed It
Three xinference releases (2.6.0, 2.6.1, 2.6.2) were trojanized on PyPI with code in __init__.py that runs on every import. The payload harvests SSH keys, Git credentials, AWS material (IMDS, Secrets Manager, SSM), Kubernetes tokens, Docker auth, .env files, and TLS keys, exfiltrating to whereisitat[.]lucyatemysuperbox[.]space. Attribution to TeamPCP is contested.
Lovable BOLA Exposure, What to Do If You Built an App on Lovable
A researcher disclosed a Broken Object Level Authorization flaw in Lovable's /projects/{id}/* endpoints that reportedly allowed unauthenticated access to source code, chat history with embedded secrets, and Supabase service keys for projects created before approximately November 2025. Lovable disputed the framing and has not, based on public sources reviewed, published a formal incident bulletin.
Vercel × Context.ai OAuth Supply-Chain Breach, What to Do as a Vercel Customer
A compromise of Context.ai (per Hudson Rock, traced to a Lumma Stealer infection on a Context.ai employee originating from a Roblox cheat download) led to OAuth-token abuse against a Vercel employee's Google Workspace via Context.ai's Chrome extension, and subsequent enumeration and decryption of customer environment variables not marked sensitive. Vercel's April 23 update expanded customer notifications after broader log review and flagged additional accounts with prior, independent compromise.