rescana.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-02.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-02 2026 | Critical Supply Chain Attack Compromises 32 Red Hat @redhat-cloud-services NPM Packages with Credential-Stealing MalwareSupply Chain | Library exploiting the @redhat-cloud-services NPM package supply chain attack, which injected Mini Shai-Hulud malware to steal credentials and propagate via GitHub Actions OIDC and NPM's bypass_2fa. This attack compromised 32 Red Hat packages, impacting over 116,000 weekly downloads and necessitating immediate rotation of all exposed secrets and affected package replacements. |
| 2026-05-28 2026 | GlassWorm Malware Takedown: Disruption of Developer Supply Chain Attacks Targeting VSCode npm Python and GitHubSupply Chain | Library detailing the disruption of the GlassWorm malware campaign, which targeted the developer supply chain. The malware utilized trojanized VSCode extensions, compromised npm and Python packages, and poisoned over 300 GitHub repositories using stolen credentials. GlassWorm RAT, its payload, harvested credentials from various developer tools and crypto-wallets, deploying SOCKS proxies and VNC clients. Its resilient C2 infrastructure leveraged the Solana blockchain, BitTorrent DHT, Google Calendar, and traditional VPS providers, requiring a coordinated takedown on May 26, 2026. |
| 2026-05-28 2026 | CVE-2026-41241: Critical Stored XSS in Pretalx Conference Platform Allows Attackers 100% Talk Acceptance (Patched in 2026.1.0)XSS | Writeup of CVE-2026-41241, a critical stored XSS vulnerability in Pretalx versions prior to 2026.1.0, allowing any registered user to compromise organizer accounts and force talk acceptance. Exploitation involves submitting a talk proposal with a crafted XSS payload in fields like title, speaker display name, or email, which executes when an organizer uses the backend search. The vulnerability stems from improper sanitization and unsafe `innerHTML` usage. Immediate upgrade to version 2026.1.0 is recommended. |
| 2026-05-26 2026 | Active Exploitation of CVE-2026-5426 in KnowledgeDeliver LMS Enables Godzilla (BLUEBEAM) Web Shell and Cobalt Strike AttacksRCE | Analysis of CVE-2026-5426 in KnowledgeDeliver LMS reveals exploitation of hardcoded ASP.NET machineKey values, enabling unauthenticated remote code execution. Threat actors deploy the Godzilla (BLUEBEAM) web shell and Cobalt Strike BEACON payloads, targeting Japanese enterprises and educational institutions. Attackers leverage ViewState deserialization for initial access, install web shells for persistence, and employ social engineering to deliver Cobalt Strike to user endpoints, leading to widespread compromise. |
| 2026-05-26 2026 | TrapDoor Supply Chain Attack Actively Exploiting npm PyPI and CratesIO to Steal Developer Credentials in Crypto DeFi Solana and AI SectorsSupply Chain | Library of tools and techniques for detecting and mitigating the TrapDoor supply chain attack, which actively exploits npm, PyPI, and CratesIO packages to steal developer credentials. This sophisticated campaign targets the crypto, DeFi, Solana, and AI sectors, leveraging malicious packages to exfiltrate AWS keys, GitHub tokens, SSH keys, and cryptocurrency wallet secrets. TrapDoor also uniquely abuses AI coding assistants by embedding hidden instructions in `.cursorrules` and `CLAUDE.md` files, tricking tools into exfiltrating secrets. Mitigation involves auditing dependencies, rotating credentials, searching for persistence artifacts like cron jobs and Git hooks, and monitoring for suspicious network traffic. |
| 2026-05-26 2026 | Active Exploitation Alert: Ghost CMS CVE-2026-26980 Mass Attack Hijacks 700 Sites for ClickFix Malware CampaignsSQLi | Library for detecting and mitigating CVE-2026-26980, a critical unauthenticated blind SQL injection vulnerability in Ghost CMS. This flaw allows attackers to steal Admin API Keys, inject malicious JavaScript for social engineering, and deploy stealer malware. The exploit chain involves automated reconnaissance, exploitation of the Content API, and redirection to fake Cloudflare CAPTCHA pages to trick users into downloading malware. Mitigation requires immediate patching to version 6.19.1+, rotating credentials, and scanning content for injected scripts. |
| 2026-05-24 2026 | Megalodon Supply Chain Attack: TeamPCP Compromises 5561 GitHub Repositories via Malicious CI/CD WorkflowsSupply Chain | Library detailing the Megalodon campaign, a supply chain attack by TeamPCP that compromised 5,561 GitHub repositories via malicious CI/CD workflows. The attack leveraged compromised developer credentials, injecting bash scripts that exfiltrated secrets like AWS and Azure credentials, SSH keys, and OIDC tokens to a C2 server. Variants included SysDiag and Optimize-Build workflows, and attackers also published malicious npm packages impersonating the Polymarket project, demonstrating worm-like propagation and reaching targets in Iran and Israel. |
| 2026-05-24 2026 | Critical Active Exploitation Alert: CVE-2026-48172 in LiteSpeed cPanel Plugin Enables Root Privilege EscalationRCE | Alert detailing CVE-2026-48172, a critical privilege escalation vulnerability in LiteSpeed cPanel Plugin versions 2.3 through 2.4.4. This flaw allows authenticated users to execute arbitrary scripts as root due to incorrect privilege assignment in the `lsws.redisAble` function. The vulnerability, classified under CWE-266, is actively exploited in the wild by opportunistic threat actors, leading to full system compromise and potential deployment of malware or ransomware. Mitigation involves upgrading the plugin to version 2.4.7+ or uninstalling it, and reviewing logs for exploitation indicators like `cpanel_jsonapi_func=redisAble`. |
| 2026-05-24 2026 | Active Exploitation Alert: Laravel Lang PHP Packages Compromised in Supply Chain Attack to Deploy Credential-Stealing MalwareSupply Chain | Writeup on a supply chain attack targeting Laravel Lang PHP localization packages (laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, laravel-lang/actions) which deployed credential-stealing malware. Attackers exploited GitHub version tagging to inject malicious code, impacting developers by exfiltrating cloud provider keys, developer secrets, browser passwords, and cryptocurrency wallets via a PHP dropper and secondary payload communicating with flipboxstudio[.]info. |
| 2026-05-21 2026 | GitHub Internal Repositories Breached via Compromised Nx Console VS Code Extension: 2026 Supply Chain Cybersecurity Incident AnalysisSupply Chain | Analysis of the 2026 supply chain attack where a compromised Nx Console VS Code extension (version 18.95.0) led to the exfiltration of credentials and 3,800 internal GitHub repositories. The attack leveraged a stolen GitHub token, with the payload harvesting secrets from cloud providers, CI/CD, password managers, and AI coding assistants, while establishing persistence on macOS systems via a Python backdoor. MITRE ATT&CK techniques T1195.002, T1546.001, T1555, and T1041/T1048 were observed. TeamPCP claimed responsibility for the incident. |
| 2026-05-21 2026 | TanStack npm Supply Chain Attack: Detailed Analysis of the May 2026 GitHub Actions Breach and Multi-Ecosystem ImpactSupply Chain | Analysis of the May 2026 TanStack npm supply chain attack details a sophisticated breach by TeamPCP targeting GitHub Actions workflows. Exploiting cache poisoning and OIDC token theft, attackers published 84 malicious versions across 42 @tanstack npm packages, compromising secondary victims like Mistral AI and UiPath. The payload, router_init.js, exfiltrated credentials and deployed a destructive daemon. This incident highlights the vulnerability of CI/CD pipelines and the challenge of trusting SLSA provenance in light of this first documented npm compromise to carry valid attestations. |
| 2026-05-20 2026 | Critical RCE SQL Injection and Privilege Escalation Vulnerabilities Affecting Ivanti Endpoint Manager Fortinet FortiClient EMS (CVE-2026-21643) SAP VMware and n8n: CVE Analysis Exploitation and Patch GuidanceRCE | Analysis of critical RCE, SQL Injection, and Privilege Escalation vulnerabilities affecting Ivanti Endpoint Manager (CVE-2025-11622, CVE-2025-9713), Fortinet FortiClient EMS (CVE-2026-21643), SAP, VMware, and n8n. This advisory details exploitation vectors, including insecure deserialization and path traversal on Ivanti, and improper Site header handling on Fortinet, which can lead to unauthenticated RCE. The analysis covers affected versions, active exploitation trends, and mitigation strategies such as immediate patching and monitoring for suspicious activity across these enterprise platforms. |
| 2026-05-20 2026 | CVE-2026-42897 Zero-Day Analysis: Microsoft Exchange Server OWA XSS Vulnerability Exploited in the WildXSS | Analysis of CVE-2026-42897 details a zero-day cross-site scripting (XSS) vulnerability affecting on-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition. Actively exploited in the wild, this flaw in Outlook Web Access (OWA) allows attackers to execute arbitrary JavaScript, leading to session hijacking and credential theft. The analysis covers threat actor TTPs, exploitation evidence, and actionable mitigations like the Exchange Emergency Mitigation Service (EEMS) and the Exchange On-premises Mitigation Tool (EOMT), noting potential side effects such as the loss of OWA Print Calendar functionality. |
| 2026-05-18 2026 | OpenAI macOS Products Impacted by TanStack Supply Chain Attack via Mini Shai-Hulud Malware in TeamPCP CampaignSupply Chain | Writeup on the TanStack supply chain attack, where the TeamPCP threat group used the Mini Shai-Hulud worm to compromise OpenAI's macOS products. Attackers injected malicious code into TanStack npm packages, stealing credentials from OpenAI employee devices. This incident highlights risks from compromised CI/CD pipelines and open-source dependencies, impacting multiple AI and software development organizations. OpenAI responded by rotating credentials and reviewing code-signing certificates. |
| 2026-05-18 2026 | OpenAI macOS Apps Targeted in TanStack Supply Chain Attack: Two Employee Devices Compromised Urgent Updates RequiredSupply Chain | Writeup detailing the TanStack supply chain attack, orchestrated by TeamPCP, which compromised two OpenAI employee devices. The attack utilized the Mini Shai-Hulud malware, distributed via trojanized npm and PyPI packages, to exfiltrate credentials and establish persistence through modified VS Code tasks. OpenAI responded by revoking code-signing certificates for macOS, iOS, and Windows products, requiring mandatory updates for specific desktop applications before June 12, 2026, due to the incident's impact on internal source code repositories. |
| 2026-05-10 2026 | Supply Chain Attack: Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware Targeting Developers and AI ToolsSupply Chain | Library of techniques detailing a supply chain attack involving a fake OpenAI repository on Hugging Face that distributed an infostealer malware. The malware targeted developers by exfiltrating credentials, session tokens, and cryptocurrency wallets from Chromium and Gecko browsers, Discord tokens, and local files. The attack leveraged typosquatting, social engineering, and evasion tactics like disabling SSL verification and checking for VMs, mapping to MITRE ATT&CK techniques such as T1566 (Phishing) and T1555 (Credentials from Password Stores). |
| 2026-05-10 2026 | JDownloader Website Supply Chain Attack: Installers Replaced with Python RAT Malware (May 2026)Python | Writeup of the JDownloader website supply chain attack (May 2026), detailing how an unpatched CMS vulnerability allowed attackers to replace Windows and Linux installers with a Python RAT and ELF binaries respectively. The attack, active for approximately 24 hours, utilized obfuscation and persistence techniques, including SUID-root binaries for Linux. This incident highlights the risks of unauthorized changes to web content and the importance of verifying digital signatures. |
| 2026-05-06 2026 | Critical DAEMON Tools Supply Chain Attack: Malware-Compromised Windows Installers Threaten Organizations and Home Users (Versions 12.5.0.242112.5.0.2434)Supply Chain | Writeup detailing a critical supply chain attack on DAEMON Tools Windows installers (versions 12.5.0.2421-12.5.0.2434), which distributed malware via trojanized executables signed with a legitimate AVB Disc Soft certificate. The malware, including an info-gatherer, backdoor, and QUIC RAT, exfiltrates system data and deploys advanced implants to targeted organizations and home users, leveraging MITRE ATT&CK techniques like T1195.002 (Supply Chain Compromise) and T1553.002 (Code Signing). |
| 2026-04-30 2026 | OpenWrt 23.05 Authenticated Remote Code Execution (RCE) Vulnerability: Risk Analysis Impact and Mitigation (CVE-2025-62526)RCE | Analysis of CVE-2025-62526, an authenticated RCE vulnerability in OpenWrt 23.05, details how attackers can compromise devices by exploiting flaws in inter-process communication and sandboxing mechanisms, particularly on Lantiq, Intel, and MaxLinear SoCs. Mitigation involves upgrading to OpenWrt 24.10.4, securing credentials, restricting management interface access, and monitoring for unauthorized changes, with historical exploitation of similar flaws by groups like APT41 and Lazarus serving as a precedent. |
| 2026-04-30 2026 | Critical Authenticated Remote Code Execution Vulnerability in JuzaWeb CMS 3.4.2 (CVE-2025-5425) Exploit in the Wild and Mitigation GuidanceRCE | Writeup detailing CVE-2025-5425, a critical authenticated RCE vulnerability in JuzaWeb CMS 3.4.2. This flaw, stemming from broken access control (CWE-266), allows low-privilege users to access the Theme Editor, inject PHP code, and achieve full server compromise. Exploits are publicly available, and exploitation in the wild has been observed. Mitigation involves restricting access to the Theme Editor endpoint and auditing user roles. The vulnerability maps to MITRE ATT&CK techniques T1190 and T1059. |
| 2026-04-30 2026 | CVE-2026-42208: Critical Pre-Auth SQL Injection in LiteLLM Actively Exploited Within 36 Hours of DisclosureSQLi | Writeup of CVE-2026-42208, a critical pre-authentication SQL injection in LiteLLM, which was actively exploited within 36 hours of disclosure. Attackers leveraged improper handling of the HTTP Authorization header to inject SQL into PostgreSQL databases, targeting sensitive data like API keys and provider credentials. Exploitation involved schema enumeration and targeted UNION SELECT payloads, originating from IP addresses associated with 3xK Tech GmbH. Mitigation requires upgrading LiteLLM, rotating credentials, and auditing logs for suspicious activity. |
| 2026-04-29 2026 | CVE-2026-33626: Critical SSRF Vulnerability in LMDeploy Rapidly Exploited in the Wild Technical Analysis and Mitigation GuideSSRF | Analysis of CVE-2026-33626 details a critical Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, exploited rapidly in the wild. This flaw, affecting versions up to 0.12.0 with vision-language support, allows attackers to fetch arbitrary URLs, leading to the exfiltration of cloud metadata, probing of internal services like Redis and MySQL, and network reconnaissance. Exploitation attempts utilized callback infrastructure such as cw2mhnbd.requestrepo.com, originating from IP 103.116.72.119. Mitigation involves upgrading LMDeploy, enforcing IMDSv2, restricting egress, and implementing runtime detection of suspicious outbound connections. |
| 2026-04-19 2026 | Critical Apache Tika CVE-2025-66516: XXE VulnerabilityXXE | Library that helps secure applications against the critical Apache Tika CVE-2025-66516 XXE vulnerability. This flaw allows attackers to submit crafted PDF files with malicious XFA content to achieve sensitive file disclosure, SSRF, and potential RCE. It affects specific versions of `tika-core`, `tika-parser-pdf-module`, and `tika-parsers`, and has seen active exploitation in the wild with over 500 vulnerable instances discovered. |
| 2026-04-17 2026 | Critical Supply Chain Attack on EssentialPlugin WordPress Suite Exposes Over 400000 Websites to MalwareSupply Chain | Writeup of a critical supply chain attack on the EssentialPlugin WordPress suite, impacting over 400,000 websites. The attack involved a dormant backdoor, introduced after the plugin's acquisition, which activated to enable arbitrary file writes and malware injection. The technique utilized unauthenticated REST API endpoints and PHP object injection to create a backdoor file (wp-comments-posts.php) and modify wp-config.php, leading to spam pages and redirects. Mitigation involves immediate removal of affected plugins and manual inspection for malicious files. |
| 2026-04-17 2026 | April 2026 Patch Tuesday: Critical Vulnerabilities in SAP Adobe Microsoft SharePoint Fortinet and ColdFusion Threaten Enterprise SecuritySQLi | Advisory detailing critical vulnerabilities patched in April 2026 across SAP Business Planning and Consolidation (CVE-2026-27681, SQL injection), Adobe Acrobat Reader (CVE-2026-34621, RCE, actively exploited), Adobe ColdFusion (CVE-2026-34619, CVE-2026-27304, CVE-2026-27305, CVE-2026-27282, CVE-2026-27306, path traversal, ACE), Fortinet FortiSandbox (CVE-2026-39813, CVE-2026-39808, path traversal, command injection), and Microsoft SharePoint Server (CVE-2026-32201, spoofing, data exposure, actively exploited), posing risks of data exfiltration and system compromise. |
| 2026-04-14 2026 | CPUID Supply Chain Attack: STX RAT Malware Distributed via Trojanized CPU-Z and HWMonitor DownloadsSupply Chain | Writeup of the CPUID supply chain attack, detailing how attackers compromised the official website for HWMonitor and CPU-Z, distributing trojanized installers via Cloudflare R2. This attack leveraged DLL sideloading with a malicious cryptbase.dll to execute a five-stage in-memory attack chain, ultimately deploying STX RAT, a remote access trojan capable of stealing credentials, session cookies, and crypto wallet keys. The incident highlights the risks of compromised download channels, affecting global users across various sectors. |
| 2026-04-12 2026 | Google Chrome 147 Security Update: Patches 60 Vulnerabilities Including Critical WebML Remote Code Execution FRCE | Analysis of Google Chrome 147, which patched 60 vulnerabilities including critical heap buffer overflow (CVE-2026-5858) and integer overflow (CVE-2026-5859) flaws in the WebML component. These vulnerabilities, awarded $86,000 in bug bounties, enable remote code execution via crafted web pages. The advisory details technical aspects, exploitation potential, affected versions, and mitigation strategies such as immediate patching. While no in-the-wild exploitation is reported, the significant risk necessitates vigilance, especially concerning APT groups. |
| 2026-04-12 2026 | Critical Marimo Python Notebook RCE Vulnerability (CVE-2026-39987) Exploited Within 10 Hours of DisclosureRCE | Analysis of CVE-2026-39987 details a critical RCE vulnerability in Marimo, an open-source Python notebook platform, allowing unauthenticated attackers shell access via a misconfigured WebSocket endpoint. Exploitation occurred within 10 hours of disclosure, focusing on credential harvesting and reconnaissance using T1190, T1552, and T1083 MITRE ATT&CK techniques. Mitigation involves upgrading to Marimo 0.23.0+, auditing logs, and rotating compromised credentials. |
| 2026-01-19 2026 | Critical XSS Vulnerability in StealC Malware Admin Panel Allows Researchers to Infiltrate and Monitor Threat Actor OperationsXSS | Writeup of a persistent XSS vulnerability in the StealC malware admin panel, version 2.0, which allowed researchers to infiltrate and monitor threat actor operations. Exploitation led to the exfiltration of session cookies and system fingerprints from operators like YouTubeTA, revealing their location and hardware. The flaw enabled the observation of live sessions, stolen data, and malware management, demonstrating that even criminal infrastructure is susceptible to common web application vulnerabilities. |