LiquidJS, a templating library with 7 million monthly downloads, lets attackers run any code on your server through a crafted template string. No login required. Public exploit available.
A self-propagating worm is using a blind spot in npm's native build system to execute code the moment you install a package. No install scripts. No warnings. Just binding.gyp.
The token-checking campaign we warned about two weeks ago has entered phase two. Attackers are mass-cloning private repositories using stolen PATs. Your source code is walking out the door.
A 19-year-old flaw in how Linux handles SMB/CIFS file shares lets any local user become root. If your office uses shared drives on a Linux server, you need to patch today.
An unauthenticated CRLF injection in cPanel gives full root control. If your website runs on shared hosting, your host might already be compromised. CVSS 9.8.
LiteLLM, the proxy that manages your AI API keys, has a pre-auth SQL injection. CVSS 9.8. On CISA KEV. Exploited 36 hours after disclosure. Every API key it stores is compromised.
29 packages under the @redhat-cloud-services namespace were compromised with a self-propagating credential stealer. 80,000 weekly downloads. If Red Hat's packages aren't safe, neither are yours.
A use-after-free in Redis's Lua engine has been there since 2012. CVSS 10.0. Demonstrated at Pwn2Own. If your app uses Redis for caching or sessions, you need to check your version.
Attackers exploited FortiClient EMS to push a credential stealer disguised as a Fortinet firmware update. Your endpoint management system delivered the malware for them. You can't make this up.
Any user can get remote code execution on a Gogs server through a malicious branch name. The maintainer was told in March. It's still not fixed. There's a public exploit. Self-hosters, good luck.
Mass automated validation of stolen GitHub PATs from bulletproof hosting. They're testing which tokens are live, what scopes they have, and triaging the valuable ones. Revoke your old tokens today.
Anonymous SQL injection in Drupal core. No login required. On CISA KEV. Mass scanning started within days. If you run Drupal on PostgreSQL, patch right now or take it offline.
The third Linux kernel privilege escalation in six weeks. This one steals your passwords and SSH keys on the way up. Working exploits are public. Patch now.
You don't need a six-figure security budget. These open source and free tools cover email authentication, endpoint protection, vulnerability scanning, password management, and more. No excuses.
AI-assisted credential stuffing against internet-exposed FortiGate admin panels. 600+ devices across 55 countries. Full configs extracted including VPN credentials. If your firewall management is internet-facing, read this now.
Microsoft's official Durable Task Python SDK was hijacked on PyPI with a credential stealer, a Linux file wiper, and worm logic that spreads using your own cloud keys. No CVE was assigned. Most scanners missed it.
Step-by-step incident response for small businesses. What to disconnect, who to call, what to preserve, and what NOT to do. Print this out and tape it to the wall.
Three CVEs. CVSS 10.0. The Node.js sandbox library used by AI agents, online code runners, and plugin engines can be escaped with a WebAssembly trick. The sandbox was never safe.
An attacker registered a co-maintainer's expired email domain, reset the npm password, and published a credential stealer that exfiltrates over DNS. No hack required. Just a $12 domain registration.
The Checkmarx Jenkins plugin, installed to find vulnerabilities in your code, was itself compromised with an infostealer. CVE-2026-33634. CVSS 9.4. Every secret in your CI/CD pipeline was exfiltrated.
Attackers are recruiting internet-exposed Jenkins servers into DDoS botnets using default credentials and built-in script consoles. Your CI server has high bandwidth, elevated privileges, and nobody watching it.
Two new kernel vulnerabilities chain together for race-free root on every major distro. Exploited within 24 hours of disclosure. Same primitive class as Dirty Pipe and CopyFail. Patch your servers.
A 9-year-old kernel bug. 732-byte exploit. Works identically on Ubuntu, RHEL, Debian, Fedora, Amazon Linux. No race condition needed. On CISA KEV. Patch your servers.
An attacker posted a comment on a pull request. Twelve hours later, every data engineer running elementary-data 0.23.3 was exfiltrating their warehouse credentials to a stranger. Your CI/CD pipeline is a factory floor with no locks on the doors.
92% of small businesses have security tools. 1 in 4 got breached anyway. Here are the 7 mistakes we find in almost every assessment we do, and how to fix each one this week.