Vulnerabilities, breaches, supply-chain attacks, and defensive security.
Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.
Cyera disclosed CVE-2026-7482 on May 1, a CVSS 9.1 unauthenticated heap read in Ollama. Three API calls dump prompts, env vars, and API keys from any open instance.
Dirty Frag chains two page-cache flaws in the ESP and RxRPC subsystems into a deterministic privilege escalation that hits every major distro. A PoC exploit is public.
RedAccess found that AI coding tools like Lovable, Base44, and Replit default to public hosting, leaving medical records, bank internals, and corporate secrets indexed by Google.
ShinyHunters breached Canvas LMS again, claiming 275 million records from 9,000 schools. Names, emails, student IDs, and private messages exposed.
Kaspersky pinned a supply-chain attack on the DAEMON Tools installer dating to April 8. Thousands hit globally, dozens upgraded to a QUIC RAT implant via signed binaries.
A researcher showed Edge decrypts the entire password vault at launch and leaves it in process memory. Chrome decrypts on demand. Microsoft says it's intentional.
CISA, NSA, GCHQ, ASD, CSE and NCSC-NZ jointly tell organizations agentic AI isn't ready for fast rollout. The 23-page guide names five risk categories.
The 313 Team flooded Canonical's infrastructure starting May 1, blocking apt updates and the Ubuntu security API just as admins needed both.
Two malicious lightning releases hit PyPI on April 30. The 42-minute window was enough to ship an RSA-encrypted infostealer to ML developers worldwide.
cPanel shipped fixes April 28 for a CVSS 9.8 auth bypass that walks attackers into shared-hosting panels with no password. WatchTowr says exploitation started before the patch.
CVE-2026-31431 chains AF_ALG and splice() to write into the page cache of /usr/bin/su. Xint Code disclosed it on April 29, nine years after the bug shipped.
CVE-2026-3854 is a CVSS 8.7 RCE in GitHub's git-push pipeline. github.com fixed it within hours. 88% of Enterprise Server installs were still vulnerable at disclosure.
Socket flagged a self-propagating worm in @automagik/genie, pgserve, and 14 sibling Namastex Labs packages. It steals 40 credential categories and republishes itself.
CVE-2026-34621 is an actively exploited Acrobat and Reader bug that runs attacker JavaScript inside the PDF runtime. The first sample hit VirusTotal in November and went unflagged.
Project Lighthouse logged 13 million cellular disruptions from car-mounted IMSI catchers spoofing legitimate towers. Three men face 44 charges in Canada's first SMS-blaster bust.
Microsoft's April 8 Patch Tuesday closes 167 CVEs. CVE-2026-32201 in SharePoint is being exploited and CISA added it the same day. Here's what to patch first.
SGLang's reranker renders chat templates without a sandbox. Load a hostile GGUF, hit /v1/rerank, and the attacker has Python on your inference box. No patch yet.