{
  "feed_title": "Halting Problems Threat Intelligence Feed",
  "feed_description": "Aggregated machine-readable Indicators of Compromise (IOCs) from our active research.",
  "last_updated": "2026-06-03T20:47:26.326Z",
  "items_count": 46,
  "items": [
    {
      "slug": "redhat-cloud-services-npm-miasma-compromise",
      "title": "Red Hat Cloud Services npm Trusted-Publishing Compromise",
      "summary": "Multiple @redhat-cloud-services npm packages were compromised on 2026-06-01 through trusted-publishing abuse tied to the Mini Shai-Hulud Miasma wave. The malicious releases added install-time payload execution, credential collection, destructive fallback behavior, and GitHub workflow tampering risk.",
      "date": "2026-06-02",
      "severity": "critical",
      "tags": [
        "npm",
        "redhat",
        "supply-chain",
        "ci-cd",
        "oidc",
        "credential-theft",
        "mini-shai-hulud"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/redhat-cloud-services-npm-miasma-compromise/",
      "ioc_url": "https://haltingproblems.com/analysis/redhat-cloud-services-npm-miasma-compromise/ioc.json",
      "indicators": {
        "slug": "redhat-cloud-services-npm-miasma-compromise",
        "since": "2026-06-02T00:00:00Z",
        "until": "2026-06-02T23:59:59Z",
        "ecosystem": "npm",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "@redhat-cloud-services/patch-client@4.0.4",
          "@redhat-cloud-services/insights-client@3.0.3",
          "@redhat-cloud-services/host-inventory-client@2.0.4",
          "@redhat-cloud-services/vulnerabilities-client@2.0.3",
          "@redhat-cloud-services/vulnerabilities-client@2.0.4",
          "@redhat-cloud-services/remediations-client@4.0.3",
          "@redhat-cloud-services/sources-client@3.0.4",
          "@redhat-cloud-services/compliance-client@3.0.4",
          "@redhat-cloud-services/rbac-client@2.0.3",
          "@redhat-cloud-services/advisor-client@4.0.3",
          "@redhat-cloud-services/notifications-client@3.0.3",
          "@redhat-cloud-services/integrations-client@2.0.4",
          "@redhat-cloud-services/drift-client@3.0.3",
          "@redhat-cloud-services/content-sources-client@4.0.4",
          "@redhat-cloud-services/approval-client@2.0.3",
          "@redhat-cloud-services/topms-client@2.0.4",
          "@redhat-cloud-services/ros-client@2.0.4",
          "@redhat-cloud-services/cost-management-client@3.0.4",
          "@redhat-cloud-services/subscriptions-client@3.0.4",
          "@redhat-cloud-services/swatch-client@2.0.3",
          "@redhat-cloud-services/image-builder-client@3.0.3",
          "@redhat-cloud-services/vulnerability-client@2.0.4",
          "@redhat-cloud-services/provisioning-client@2.0.3",
          "@redhat-cloud-services/patch-advisory-client@2.0.3",
          "@redhat-cloud-services/quickstarts-client@2.0.3",
          "@redhat-cloud-services/notifications-backend-client@2.0.4",
          "@redhat-cloud-services/landing-page-frontend@2.0.3",
          "@redhat-cloud-services/frontend-components@6.0.4",
          "@redhat-cloud-services/frontend-components-utilities@4.0.4",
          "@redhat-cloud-services/frontend-components-notifications@3.0.4"
        ],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "package.json",
          "package-lock.json",
          "pnpm-lock.yaml",
          "yarn.lock",
          "bun.lock",
          "index.js",
          ".github/workflows/codeql.yml"
        ],
        "paths": [
          "RedHatInsights/javascript-clients",
          ".github/workflows",
          "node_modules/@redhat-cloud-services"
        ],
        "services": [],
        "domains": [
          "registry.npmjs.org",
          "api.github.com",
          "github.com"
        ],
        "urls": [
          "https://github.com/RedHatInsights/javascript-clients"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [
          "npm install executing lifecycle script from @redhat-cloud-services package",
          "node or bun process launched from package lifecycle hook",
          "workflow run using id-token: write and npm trusted publishing"
        ],
        "networkPatterns": [
          "GitHub API activity from developer or CI host after package install",
          "npm publish or dist-tag activity tied to trusted-publishing workflow"
        ],
        "telemetrySelectors": [
          "Miasma",
          "The Spreading Blight",
          "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner",
          "firedalazer",
          "chore/add-codeql-static-analysis",
          "BatchedCreateCommitOnBranch",
          "bypass_2fa",
          "Runner.Worker",
          "/proc/*/mem",
          "trusted publishing",
          "id-token: write"
        ]
      }
    },
    {
      "slug": "cpanel-whm-cve-2026-41940-kev",
      "title": "cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes",
      "summary": "CISA added WebPros cPanel & WHM and WP2 CVE-2026-41940 to KEV on 2026-04-30 and marks ransomware use as known. WebPros patched many cPanel branches and WP2 136.1.7, provided session-file IOC checks, and urged customers to update immediately or reduce the service's exposure.",
      "date": "2026-06-01",
      "severity": "critical",
      "tags": [
        "cpanel",
        "cisa-kev",
        "zero-day",
        "hosting",
        "ransomware"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/cpanel-whm-cve-2026-41940-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/cpanel-whm-cve-2026-41940-kev/ioc.json",
      "indicators": {
        "slug": "cpanel-whm-cve-2026-41940-kev",
        "since": "2026-06-01T00:00:00Z",
        "until": "2026-06-01T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-41940"
        ],
        "cwes": [
          "CWE-306"
        ],
        "advisoryIds": [],
        "products": [
          "cPanel & WHM",
          "cPanel DNSOnly",
          "WP2 (WordPress Squared)"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "www.cisa.gov",
          "support.cpanel.net",
          "nvd.nist.gov",
          "docs.wpsquared.com"
        ],
        "urls": [
          "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
          "https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026",
          "https://nvd.nist.gov/vuln/detail/CVE-2026-41940",
          "https://docs.wpsquared.com/changelogs/versions/changelog/#13617"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "linux-copy-fail-cve-2026-31431-kev",
      "title": "Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts",
      "summary": "CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need proof of kernel patching or an AF_ALG mitigation.",
      "date": "2026-06-01",
      "severity": "high",
      "tags": [
        "linux",
        "kernel",
        "cisa-kev",
        "zero-day",
        "ci-cd"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/linux-copy-fail-cve-2026-31431-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/linux-copy-fail-cve-2026-31431-kev/ioc.json",
      "indicators": {
        "slug": "linux-copy-fail-cve-2026-31431-kev",
        "since": "2026-06-01T00:00:00Z",
        "until": "2026-06-01T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-31431"
        ],
        "cwes": [
          "CWE-669"
        ],
        "advisoryIds": [],
        "products": [
          "Linux kernel"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "www.cisa.gov",
          "lore.kernel.org",
          "nvd.nist.gov"
        ],
        "urls": [
          "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
          "https://xint.io/blog/copy-fail-linux-distributions",
          "https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5",
          "https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/",
          "https://nvd.nist.gov/vuln/detail/CVE-2026-31431"
        ],
        "ips": [],
        "hashes": [
          "a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "malware-slop-mouse5212-super-formatter",
      "title": "Malware-Slop mouse5212-super-formatter npm Package Targets AI Workspaces",
      "summary": "Snyk and OX tracked mouse5212-super-formatter as a malicious npm package published on 2026-05-26 and removed on 2026-05-27. The package should be treated as a credential-theft risk for AI-assisted workspaces, Claude/Cursor context files, GitHub tokens, npm tokens, and build logs.",
      "date": "2026-06-01",
      "severity": "critical",
      "tags": [
        "npm",
        "supply-chain",
        "ai-tools",
        "credential-theft",
        "github"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/malware-slop-mouse5212-super-formatter/",
      "ioc_url": "https://haltingproblems.com/analysis/malware-slop-mouse5212-super-formatter/ioc.json",
      "indicators": {
        "slug": "malware-slop-mouse5212-super-formatter",
        "since": "2026-05-26T17:30:57Z",
        "until": "2026-06-01T23:59:59Z",
        "ecosystem": "npm",
        "cves": [],
        "cwes": [
          "CWE-506"
        ],
        "advisoryIds": [],
        "products": [],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "security.snyk.io",
          "registry.npmjs.org",
          "www.ox.security",
          "www.npmjs.com"
        ],
        "urls": [
          "https://security.snyk.io/vuln/SNYK-JS-MOUSE5212SUPERFORMATTER-16895729",
          "https://registry.npmjs.org/mouse5212-super-formatter",
          "https://www.ox.security/blog/malware-slop-new-malicious-npm-package-leaks-its-own-github-private-token/",
          "https://www.npmjs.com/package/mouse5212-super-formatter"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "daemon-tools-lite-cve-2026-8398-supply-chain",
      "title": "DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise",
      "summary": "CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.",
      "date": "2026-05-31",
      "severity": "critical",
      "tags": [
        "daemon-tools",
        "supply-chain",
        "signed-malware",
        "cisa-kev",
        "windows"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/daemon-tools-lite-cve-2026-8398-supply-chain/",
      "ioc_url": "https://haltingproblems.com/analysis/daemon-tools-lite-cve-2026-8398-supply-chain/ioc.json",
      "indicators": {
        "slug": "daemon-tools-lite-cve-2026-8398-supply-chain",
        "since": "2026-05-31T00:00:00Z",
        "until": "2026-05-31T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-8398"
        ],
        "cwes": [],
        "advisoryIds": [],
        "products": [
          "DAEMON Tools Lite"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "pan-os-cve-2026-0257-globalprotect-auth-bypass",
      "title": "PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV",
      "summary": "CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.",
      "date": "2026-05-31",
      "severity": "high",
      "tags": [
        "palo-alto-networks",
        "pan-os",
        "globalprotect",
        "cisa-kev",
        "zero-day"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/pan-os-cve-2026-0257-globalprotect-auth-bypass/",
      "ioc_url": "https://haltingproblems.com/analysis/pan-os-cve-2026-0257-globalprotect-auth-bypass/ioc.json",
      "indicators": {
        "slug": "pan-os-cve-2026-0257-globalprotect-auth-bypass",
        "since": "2026-05-31T00:00:00Z",
        "until": "2026-05-31T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-0257"
        ],
        "cwes": [],
        "advisoryIds": [],
        "products": [
          "PAN-OS GlobalProtect portal and gateway"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "sicoob-sdk-nuget-certificate-exfiltration",
      "title": "Sicoob.Sdk NuGet Certificate Exfiltration",
      "summary": "Malicious Sicoob.Sdk NuGet releases impersonated a banking SDK and exfiltrated Sicoob client IDs, PFX passwords, and base64-encoded PFX certificate archives through a hardcoded Sentry endpoint.",
      "date": "2026-05-28",
      "severity": "critical",
      "tags": [
        "nuget",
        "dotnet",
        "package-impersonation",
        "certificate-theft",
        "credential-theft",
        "financial-services"
      ],
      "sources_count": 6,
      "feed_url": "https://haltingproblems.com/analysis/sicoob-sdk-nuget-certificate-exfiltration/",
      "ioc_url": "https://haltingproblems.com/analysis/sicoob-sdk-nuget-certificate-exfiltration/ioc.json",
      "indicators": {
        "slug": "sicoob-sdk-nuget-certificate-exfiltration",
        "since": "2026-05-28T00:00:00Z",
        "until": "2026-05-28T23:59:59Z",
        "ecosystem": "nuget, .net nuget",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "Sicoob.Sdk",
          "Sicoob.Sdk@2.0.0",
          "Sicoob.Sdk@2.0.1",
          "Sicoob.Sdk@2.0.2",
          "Sicoob.Sdk@2.0.3",
          "Sicoob.Sdk@2.0.4"
        ],
        "versions": [
          "2.0.0",
          "2.0.1",
          "2.0.2",
          "2.0.3",
          "2.0.4"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "lib/net8.0/Sicoob.Sdk.dll"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "o4511335034847232.ingest.de.sentry.io",
          "Sicoob.Sdk.dll"
        ],
        "urls": [
          "https://d565e3f03d0b1a7c8935d7ff94237316@o4511335034847232.ingest.de.sentry.io/4511337546317904"
        ],
        "ips": [],
        "hashes": [
          "7d2332e76c266509cdec8b552ccc839f50c28e6b01070071257bd3f57d1d9da2",
          "f0dff53969080584560b2971411415bdf9064d5a5a50185c4ae018943e7d5cbe",
          "94eb8da6703dd073184015c9e3cb34e9b6153fc499c9cb1a7db6e4361ec349dd",
          "ac9dc55f13d973e05865e9674c8b8e6744e7fbfca3355199b292f614f13ac7bc",
          "190dbcafa776e8cc221106414b8fbd68252d98438c5e46b8449788fbe70316a4",
          "d565e3f03d0b1a7c8935d7ff94237316"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "PackageReference Include=\\\"Sicoob.Sdk\\\"",
          "dotnet add package Sicoob.Sdk",
          "new SicoobClient(",
          "cliend_id",
          "pass",
          "Boleto",
          "SentrySdk",
          "CaptureMessage",
          "ReadAllBytes",
          "ToBase64String"
        ]
      }
    },
    {
      "slug": "gemstuffer-rubygems-exfiltration-channel",
      "title": "GemStuffer RubyGems Exfiltration Channel",
      "summary": "GemStuffer used RubyGems package publishing as a data-staging channel, wrapping scraped UK council ModernGov portal responses into junk gem artifacts published with embedded RubyGems API keys.",
      "date": "2026-05-28",
      "severity": "medium",
      "tags": [
        "supply-chain",
        "rubygems",
        "ruby",
        "exfiltration",
        "public-sector"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/gemstuffer-rubygems-exfiltration-channel/",
      "ioc_url": "https://haltingproblems.com/analysis/gemstuffer-rubygems-exfiltration-channel/ioc.json",
      "indicators": {
        "slug": "gemstuffer-rubygems-exfiltration-channel",
        "since": "2026-05-28T00:00:00Z",
        "until": "2026-05-28T23:59:59Z",
        "ecosystem": "rubygems, ruby rubygems.org",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [],
        "versions": [
          "agenda-sample-yard 0.1.1",
          "bot9evil 0.1.0",
          "fetchrootx2 0.0.1",
          "soufetchabc 0.0.3",
          "lambeth71b 0.0.1"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "payload.rb",
          "script.rb",
          "evil.rb",
          "yardload.rb",
          "yard_plugin.rb",
          "exploit.rb",
          "extconf.rb",
          "fetcher.rb",
          "/tmp/gemhome/.gem/credentials",
          "/tmp/rubydocran_*",
          "lib/result.txt",
          "x.gemspec"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "rubygems.org",
          "moderngov.lambeth.gov.uk",
          "democracy.wandsworth.gov.uk",
          "moderngov.southwark.gov.uk"
        ],
        "urls": [
          "https://rubygems.org/api/v1/gems",
          "https://moderngov.lambeth.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1",
          "https://democracy.wandsworth.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1",
          "https://moderngov.southwark.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1"
        ],
        "ips": [],
        "hashes": [
          "239440c830e17530dda0a8a06ed2708860998750a1e3ed2239e919465dc59420",
          "c2d6bcacc88177e0f2c8c262726f86f37e671b1692c8bc135bac4b610ddcf31a",
          "34212b88108cab6ded037257d6fbc79a61b4c2ea8ecddc6c513b5aad1f308638",
          "2e4e099275efb8f886824a8eccdc595e624cd08ebb1772bd427710e08ff3ab24",
          "94d6c0b589704c8cc75e19f7250d6bfda473266dd7dd7e23fd14bd1bb972a717"
        ],
        "processPatterns": [
          "ruby writing /tmp/gemhome/.gem/credentials",
          "ruby running gem build",
          "ruby running gem push",
          "ruby Net::HTTP::Post to RubyGems"
        ],
        "networkPatterns": [
          "POST hxxps://rubygems.org/api/v1/gems",
          "GET ModernGov mgCalendarMonthView.aspx with User-Agent Mozilla/5.0"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "vpmdhaj-npm-opensearch-typosquats",
      "title": "vpmdhaj npm OpenSearch Typosquats Steal Cloud and CI/CD Secrets",
      "summary": "Microsoft reported 14 typosquatted npm packages under the vpmdhaj scope that impersonated OpenSearch, AWS SDK, STS, and Bun packages while collecting AWS, GitHub Actions, npm, Vault, Kubernetes, SSH, and local cloud configuration secrets.",
      "date": "2026-05-28",
      "severity": "critical",
      "tags": [
        "npm",
        "typosquatting",
        "supply-chain",
        "credential-theft",
        "ci-cd"
      ],
      "sources_count": 6,
      "feed_url": "https://haltingproblems.com/analysis/vpmdhaj-npm-opensearch-typosquats/",
      "ioc_url": "https://haltingproblems.com/analysis/vpmdhaj-npm-opensearch-typosquats/ioc.json",
      "indicators": {
        "slug": "vpmdhaj-npm-opensearch-typosquats",
        "since": "2026-05-28T00:00:00Z",
        "until": "2026-05-28T23:59:59Z",
        "ecosystem": "npm, node, bun, ci-cd, cloud npm",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "@vpmdhaj/devops-tools",
          "@vpmdhaj/elastic-helper",
          "@vpmdhaj/opensearch-setup",
          "@vpmdhaj/search-setup",
          "app-config-utility",
          "elastic-opensearch-helper",
          "env-config-manager",
          "opensearch-config-utility",
          "opensearch-security-scanner",
          "opensearch-setup",
          "opensearch-setup-tool",
          "search-cluster-setup",
          "search-engine-setup",
          "vpmdhaj-opensearch-setup",
          "@vpmdhaj/aws-compat",
          "@vpmdhaj/aws-credential-provider-env",
          "@vpmdhaj/aws-credential-provider-http",
          "@vpmdhaj/aws-sdk-client-opensearch",
          "@vpmdhaj/aws-sdk-client-sts",
          "@vpmdhaj/aws-sdk-credential-provider-node",
          "@vpmdhaj/aws-sdk-types",
          "@vpmdhaj/bun",
          "@vpmdhaj/opensearch",
          "@vpmdhaj/opensearch-project",
          "@vpmdhaj/opensearch-js",
          "@vpmdhaj/sts-client"
        ],
        "versions": [
          "@vpmdhaj/opensearch-setup@1.0.9102",
          "@vpmdhaj/opensearch-setup@1.0.9103",
          "@vpmdhaj/elastic-helper@1.0.7267",
          "@vpmdhaj/elastic-helper@1.0.7268",
          "@vpmdhaj/elastic-helper@1.0.7269",
          "@vpmdhaj/elastic-helper@1.0.7270"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [
          "/api/b"
        ],
        "services": [],
        "domains": [
          "aab.sportsontheweb.net",
          "www.sportsontheweb.net"
        ],
        "urls": [],
        "ips": [],
        "hashes": [
          "a39155771e93e65b05195c8a705dfc03aa85c2ec682505f0d557233a8f275145",
          "9d962ed605bb4a39991f8fab9b1d2e423ea4d545f23fd44d9473a6423d94bbf"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "glassworm-developer-supply-chain-botnet",
      "title": "GlassWorm Developer Supply-Chain Botnet Takedown",
      "summary": "CrowdStrike, Google, and Shadowserver disrupted GlassWorm command-and-control on 2026-05-26 after the campaign used Open VSX extensions, npm and Python packages, and poisoned GitHub repositories to maintain access to developer systems.",
      "date": "2026-05-27",
      "severity": "critical",
      "tags": [
        "supply-chain",
        "vscode",
        "open-vsx",
        "npm",
        "pypi"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/glassworm-developer-supply-chain-botnet/",
      "ioc_url": "https://haltingproblems.com/analysis/glassworm-developer-supply-chain-botnet/ioc.json",
      "indicators": {
        "slug": "glassworm-developer-supply-chain-botnet",
        "since": "2026-04-29T18:15:00Z",
        "until": "2026-05-27T23:59:59Z",
        "ecosystem": "",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "www.crowdstrike.com"
        ],
        "urls": [
          "https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/",
          "https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm"
        ],
        "ips": [],
        "hashes": [
          "1b62b7c2ed7cc296ce821f977ef7b22bae59ef1dcdb9a34ae19467ee39bcf168",
          "4ebfe8f66ca7e9751060b3301b5e8838d6017593cdae748541de83bfa28183bd",
          "97c275e3406ad6576529f41604ad138c5bdc4297d195bf61b049e14f6b30adfd"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "litespeed-cpanel-plugin-cve-2026-48172",
      "title": "LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation",
      "summary": "CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for detecting redisAble exploitation.",
      "date": "2026-05-27",
      "severity": "critical",
      "tags": [
        "litespeed",
        "cpanel",
        "zero-day",
        "privilege-escalation",
        "cisa-kev"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/litespeed-cpanel-plugin-cve-2026-48172/",
      "ioc_url": "https://haltingproblems.com/analysis/litespeed-cpanel-plugin-cve-2026-48172/ioc.json",
      "indicators": {
        "slug": "litespeed-cpanel-plugin-cve-2026-48172",
        "since": "2026-05-27T00:00:00Z",
        "until": "2026-05-27T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-48172"
        ],
        "cwes": [
          "CWE-266",
          "CWE-269"
        ],
        "advisoryIds": [],
        "products": [
          "User-End cPanel Plugin"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [
          "2.3 <= LiteSpeed cPanel Plugin < 2.4.7",
          "LiteSpeed WHM Plugin < 5.3.1.0 may bundle an affected cPanel plugin"
        ],
        "fixedVersions": [
          "LiteSpeed WHM Plugin >= 5.3.1.0 (includes cPanel Plugin 2.4.7)"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "cpanel_jsonapi_func=redisAble",
          "redisAble",
          "lsws.redisAble"
        ]
      }
    },
    {
      "slug": "windows-shell-cve-2026-32202-kev",
      "title": "Windows Shell CVE-2026-32202 KEV: Zero-Click NTLM Coercion",
      "summary": "CVE-2026-32202 is an actively exploited Windows Shell protection-mechanism failure that Akamai traced to an incomplete patch for an APT28 LNK exploit chain, allowing zero-click NTLM authentication coercion when Explorer renders a malicious shortcut.",
      "date": "2026-05-27",
      "severity": "high",
      "tags": [
        "microsoft",
        "windows",
        "zero-day",
        "cisa-kev",
        "credential-theft"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/windows-shell-cve-2026-32202-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/windows-shell-cve-2026-32202-kev/ioc.json",
      "indicators": {
        "slug": "windows-shell-cve-2026-32202-kev",
        "since": "2026-05-27T00:00:00Z",
        "until": "2026-05-27T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-32202",
          "CVE-2026-21510",
          "CVE-2026-21513"
        ],
        "cwes": [],
        "advisoryIds": [],
        "products": [
          "Windows Shell"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "www.akamai.com",
          "www.cisa.gov",
          "nvd.nist.gov"
        ],
        "urls": [
          "https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202",
          "https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog",
          "https://nvd.nist.gov/vuln/detail/CVE-2026-32202"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "chromium-browser-fetch-leak-zero-day",
      "title": "Chromium Background Fetch Zero-Day: Persistent Service Worker Exposure",
      "summary": "A public Chromium Background Fetch proof of concept can keep a service worker alive after a malicious page visit, enabling browser-usage monitoring, proxy-like abuse, and DDoS participation. Reviewed reporting does not support the older SOP/CORS data-theft framing.",
      "date": "2026-05-26",
      "severity": "high",
      "tags": [
        "google-chrome",
        "chromium",
        "zero-day",
        "security-bypass",
        "cross-site-scripting"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/chromium-browser-fetch-leak-zero-day/",
      "ioc_url": "https://haltingproblems.com/analysis/chromium-browser-fetch-leak-zero-day/ioc.json",
      "indicators": {
        "slug": "chromium-browser-fetch-leak-zero-day",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [],
        "cwes": [
          "CWE-912",
          "CWE-668"
        ],
        "advisoryIds": [],
        "products": [
          "Chromium Browser Engine",
          "Google Chrome",
          "Microsoft Edge",
          "Brave",
          "Opera",
          "Vivaldi"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "fetch",
          "Background Fetch",
          "Service Worker",
          "chrome",
          "chromium"
        ]
      }
    },
    {
      "slug": "drupal-core-cve-2026-9082-kev",
      "title": "Drupal Core CVE-2026-9082: KEV SQL Injection Exposure",
      "summary": "CISA added Drupal Core CVE-2026-9082 to KEV on 2026-05-22. The exploitable surface is PostgreSQL-backed Drupal Core in affected 8.9.x, 10.x, and 11.x ranges; this article provides composer, settings, and telemetry scripts for checking exposure and verifying closure.",
      "date": "2026-05-26",
      "severity": "critical",
      "tags": [
        "drupal",
        "cisa-kev",
        "zero-day",
        "vulnerability-response",
        "sql-injection"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/drupal-core-cve-2026-9082-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/drupal-core-cve-2026-9082-kev/ioc.json",
      "indicators": {
        "slug": "drupal-core-cve-2026-9082-kev",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-9082"
        ],
        "cwes": [
          "CWE-89"
        ],
        "advisoryIds": [
          "SA-CORE-2026-004"
        ],
        "products": [
          "Core"
        ],
        "packages": [
          "drupal/core"
        ],
        "versions": [],
        "affectedVersions": [
          "8.9.0 <= Drupal < 10.4.10",
          "10.5.0 <= Drupal < 10.5.10",
          "10.6.0 <= Drupal < 10.6.9",
          "11.1.0 <= Drupal < 11.1.10",
          "11.2.0 <= Drupal < 11.2.12",
          "11.3.0 <= Drupal < 11.3.10"
        ],
        "fixedVersions": [
          "10.4.10",
          "10.5.10",
          "10.6.9",
          "11.1.10",
          "11.2.12",
          "11.3.10"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "CVE-2026-9082",
          "SA-CORE-2026-004",
          "drupal/core",
          "user_role",
          "uid=1",
          "sites/default/files",
          "pgsql",
          "PostgreSQL"
        ]
      }
    },
    {
      "slug": "cisco-sdwan-cve-2026-20182-kev",
      "title": "Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure",
      "summary": "CISA added Cisco Catalyst SD-WAN CVE-2026-20182 to KEV on 2026-05-14. Cisco lists fixed releases across 20.9, 20.12, 20.15, 20.18, and 26.1 trains; CISA ED 26-03 provides concrete artifact selectors for rogue peering, root SSH, downgrades, and log clearing.",
      "date": "2026-05-26",
      "severity": "critical",
      "tags": [
        "cisco",
        "sdwan",
        "cisa-kev",
        "zero-day",
        "vulnerability-response"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/cisco-sdwan-cve-2026-20182-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/cisco-sdwan-cve-2026-20182-kev/ioc.json",
      "indicators": {
        "slug": "cisco-sdwan-cve-2026-20182-kev",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-20182"
        ],
        "cwes": [
          "CWE-287"
        ],
        "advisoryIds": [],
        "products": [
          "Catalyst SD-WAN Controller and Catalyst SD-WAN Manager"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [
          "20.9.9.1",
          "20.12.5.4",
          "20.12.6.2",
          "20.12.7.1",
          "20.15.4.4",
          "20.15.5.2",
          "20.18.2.2",
          "26.1.1.1",
          "20.15.506"
        ],
        "files": [],
        "paths": [
          "master install",
          "system-reboot-issued",
          "Starting upgrade confirmation timer",
          "Waiting for upgrade confirmation from user",
          "Software upgrade not confirmed",
          "control-connection-state-change",
          "peer-type:'vhub",
          "remote-color",
          "Accepted publickey for root",
          "PermitRootLogin yes",
          "/usr/sbin/useradd cfgmgr_config_aaa_user",
          "cat /dev/null > wtmp",
          "cat /dev/null > lastlog"
        ],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "master install",
          "system-reboot-issued",
          "Starting upgrade confirmation timer",
          "Waiting for upgrade confirmation from user",
          "Software upgrade not confirmed",
          "control-connection-state-change",
          "peer-type:'vhub",
          "remote-color",
          "Accepted publickey for root",
          "PermitRootLogin yes",
          "/usr/sbin/useradd cfgmgr_config_aaa_user",
          "cat /dev/null > wtmp",
          "cat /dev/null > lastlog"
        ]
      }
    },
    {
      "slug": "langflow-cve-2025-34291-kev",
      "title": "Langflow CVE-2025-34291: KEV Origin Validation Exposure",
      "summary": "CISA added Langflow CVE-2025-34291 to KEV on 2026-05-21. The issue combines permissive CORS and credentialed refresh-token behavior; this article provides dependency, container, HTTP telemetry, and token-abuse audit scripts.",
      "date": "2026-05-26",
      "severity": "critical",
      "tags": [
        "langflow",
        "cisa-kev",
        "vulnerability-response",
        "ai-tooling",
        "cors"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/langflow-cve-2025-34291-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/langflow-cve-2025-34291-kev/ioc.json",
      "indicators": {
        "slug": "langflow-cve-2025-34291-kev",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2025-34291"
        ],
        "cwes": [
          "CWE-346"
        ],
        "advisoryIds": [],
        "products": [
          "Langflow"
        ],
        "packages": [
          "langflow"
        ],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [
          "1.9.3",
          "v1.9.3"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "Origin",
          "Cookie",
          "SameSite=None",
          "refresh token",
          "refresh_token",
          "Langflow"
        ]
      }
    },
    {
      "slug": "microsoft-defender-cve-2026-41091-kev",
      "title": "Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure",
      "summary": "CISA added Microsoft Defender CVE-2026-41091 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Malware Protection Engine version 1.1.26040.8.",
      "date": "2026-05-26",
      "severity": "high",
      "tags": [
        "microsoft-defender",
        "cisa-kev",
        "vulnerability-response",
        "windows",
        "privilege-escalation"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/microsoft-defender-cve-2026-41091-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/microsoft-defender-cve-2026-41091-kev/ioc.json",
      "indicators": {
        "slug": "microsoft-defender-cve-2026-41091-kev",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-41091"
        ],
        "cwes": [
          "CWE-59"
        ],
        "advisoryIds": [],
        "products": [
          "Microsoft Defender Malware Protection Engine"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [
          "1.1.26030.3008 <= engine < 1.1.26040.8"
        ],
        "fixedVersions": [
          "1.1.26040.8"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "EventID 4688",
          "EventID 4698",
          "EventID 4732",
          "EventID 7045"
        ]
      }
    },
    {
      "slug": "microsoft-defender-cve-2026-45498-kev",
      "title": "Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure",
      "summary": "CISA added Microsoft Defender CVE-2026-45498 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Defender Antimalware Platform version 4.18.26040.7.",
      "date": "2026-05-26",
      "severity": "medium",
      "tags": [
        "microsoft-defender",
        "cisa-kev",
        "vulnerability-response",
        "windows"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/microsoft-defender-cve-2026-45498-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/microsoft-defender-cve-2026-45498-kev/ioc.json",
      "indicators": {
        "slug": "microsoft-defender-cve-2026-45498-kev",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-45498"
        ],
        "cwes": [
          "CWE-400"
        ],
        "advisoryIds": [],
        "products": [
          "Microsoft Defender Antimalware Platform"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [
          "4.18.26030.3011 <= platform < 4.18.26040.7"
        ],
        "fixedVersions": [
          "4.18.26040.7"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "MsMpEng.exe",
          "EventID 5007",
          "EventID 5013",
          "EventID 7031",
          "EventID 7034"
        ]
      }
    },
    {
      "slug": "microsoft-exchange-cve-2026-42897-kev",
      "title": "Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure",
      "summary": "CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.",
      "date": "2026-05-26",
      "severity": "critical",
      "tags": [
        "microsoft-exchange",
        "cisa-kev",
        "zero-day",
        "vulnerability-response",
        "owa"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/microsoft-exchange-cve-2026-42897-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/microsoft-exchange-cve-2026-42897-kev/ioc.json",
      "indicators": {
        "slug": "microsoft-exchange-cve-2026-42897-kev",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-42897"
        ],
        "cwes": [
          "CWE-79"
        ],
        "advisoryIds": [],
        "products": [
          "Exchange Server OWA",
          "Exchange Server 2016",
          "Exchange Server 2019",
          "Exchange Server Subscription Edition"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [
          "Logging/MitigationService",
          "Logging/HttpProxy/Owa"
        ],
        "services": [
          "MSExchangeMitigation"
        ],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "Outlook Web Access",
          "OWA",
          "MitigationsApplied",
          "MitigationsBlocked",
          "M2"
        ]
      }
    },
    {
      "slug": "pan-os-cve-2026-0300-captive-portal-rce",
      "title": "PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE",
      "summary": "CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability is an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) on PA-Series and VM-Series firewalls that allows unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.",
      "date": "2026-05-26",
      "severity": "critical",
      "tags": [
        "palo-alto-networks",
        "pan-os",
        "cisa-kev",
        "zero-day",
        "remote-code-execution",
        "buffer-overflow"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/pan-os-cve-2026-0300-captive-portal-rce/",
      "ioc_url": "https://haltingproblems.com/analysis/pan-os-cve-2026-0300-captive-portal-rce/ioc.json",
      "indicators": {
        "slug": "pan-os-cve-2026-0300-captive-portal-rce",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-0300"
        ],
        "cwes": [
          "CWE-787",
          "CWE-121"
        ],
        "advisoryIds": [
          "PAN-SA-2026-0300"
        ],
        "products": [
          "PAN-OS",
          "PA-Series Firewalls",
          "VM-Series Firewalls"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [
          "PAN-OS < 10.2.11",
          "11.0.0 <= PAN-OS < 11.0.5",
          "11.1.0 <= PAN-OS < 11.1.3"
        ],
        "fixedVersions": [
          "10.2.11",
          "11.0.5",
          "11.1.3"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "ew",
          "ReverseSocks5",
          "captive-portal",
          "auth-portal",
          "cldflt.sys"
        ]
      }
    },
    {
      "slug": "starlette-cve-2026-48710-badhost",
      "title": "Starlette CVE-2026-48710: BadHost Authentication Bypass",
      "summary": "Starlette CVE-2026-48710 (BadHost) is a Host-header URL reconstruction flaw fixed in Starlette 1.0.1. New OSTIF, X41, Tenable, and BadHost scanner sources clarify that the highest-risk deployments are FastAPI/Starlette/LLM services whose middleware makes security decisions from request.url.path.",
      "date": "2026-05-26",
      "severity": "critical",
      "tags": [
        "starlette",
        "fastapi",
        "zero-day",
        "security-bypass"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/starlette-cve-2026-48710-badhost/",
      "ioc_url": "https://haltingproblems.com/analysis/starlette-cve-2026-48710-badhost/ioc.json",
      "indicators": {
        "slug": "starlette-cve-2026-48710-badhost",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-48710"
        ],
        "cwes": [
          "CWE-346",
          "CWE-284"
        ],
        "advisoryIds": [],
        "products": [
          "Starlette (ASGI toolkit)",
          "Starlette",
          "FastAPI applications with affected middleware",
          "vLLM/LiteLLM/MCP services using affected middleware"
        ],
        "packages": [
          "starlette",
          "fastapi"
        ],
        "versions": [],
        "affectedVersions": [
          "Starlette < 1.0.1"
        ],
        "fixedVersions": [
          "1.0.1"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "starlette",
          "fastapi",
          "Host",
          "/health"
        ]
      }
    },
    {
      "slug": "trend-micro-apex-one-cve-2026-34926-kev",
      "title": "Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure",
      "summary": "CISA added Trend Micro Apex One CVE-2026-34926 to KEV on 2026-05-21. Trend Micro reports at least one in-the-wild attempt and fixed builds 17079, 18012, and 14.0.20731; this article provides build-export and agent-deployment audit scripts.",
      "date": "2026-05-26",
      "severity": "high",
      "tags": [
        "trend-micro",
        "apex-one",
        "cisa-kev",
        "zero-day",
        "vulnerability-response"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/trend-micro-apex-one-cve-2026-34926-kev/",
      "ioc_url": "https://haltingproblems.com/analysis/trend-micro-apex-one-cve-2026-34926-kev/ioc.json",
      "indicators": {
        "slug": "trend-micro-apex-one-cve-2026-34926-kev",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [
          "CVE-2026-34926"
        ],
        "cwes": [
          "CWE-23"
        ],
        "advisoryIds": [],
        "products": [
          "Apex One on-premise",
          "Apex One 2019",
          "Apex One as a Service",
          "Trend Vision One SEP"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [
          "Apex One 2019 on-prem Server and Agent builds below 17079",
          "Apex One as a Service / Trend Vision One SEP agent builds below 14.0.20731"
        ],
        "fixedVersions": [
          "Apex One on-prem SP1 CP Build 18012 for existing SP1 users",
          "Apex One on-prem SP1 Build 17079 for new installs",
          "Security Agent build 14.0.20731",
          "17079",
          "18012",
          "14.0.20731"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "Apex One",
          "key table",
          "agent deployment",
          "CWE-23",
          "CP Build 18012"
        ]
      }
    },
    {
      "slug": "windows-miniplasma-lpe-zero-day",
      "title": "Windows cldflt.sys Zero-Day: MiniPlasma Kernel LPE",
      "summary": "MiniPlasma is a public proof-of-concept local privilege escalation against the Windows cldflt.sys Cloud Filter driver that BleepingComputer tested on fully patched Windows 11 Pro with the May 2026 updates. This article now cites that reporting directly instead of generic secondary sources and narrows the claim to local SYSTEM escalation.",
      "date": "2026-05-26",
      "severity": "high",
      "tags": [
        "microsoft",
        "windows",
        "zero-day",
        "privilege-escalation",
        "kernel-exploit"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/windows-miniplasma-lpe-zero-day/",
      "ioc_url": "https://haltingproblems.com/analysis/windows-miniplasma-lpe-zero-day/ioc.json",
      "indicators": {
        "slug": "windows-miniplasma-lpe-zero-day",
        "since": "2026-05-26T00:00:00Z",
        "until": "2026-05-26T23:59:59Z",
        "ecosystem": "",
        "cves": [],
        "cwes": [
          "CWE-269",
          "CWE-119",
          "CWE-787"
        ],
        "advisoryIds": [],
        "products": [
          "Windows Cloud Files Mini Filter Driver (cldflt.sys)",
          "Windows 10",
          "Windows 11",
          "Windows Server 2019",
          "Windows Server 2022"
        ],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": [
          "CldFlt",
          "cldflt.sys",
          "miniplasma",
          "Chaotic Eclipse"
        ]
      }
    },
    {
      "slug": "art-template-coruna-npm-compromise",
      "title": "art-template npm Coruna Browser Exploit Compromise",
      "summary": "The npm package art-template was compromised in versions 4.13.5 and 4.13.6 to inject remote browser-side JavaScript that redirected users into a Coruna-like iOS Safari exploit delivery chain.",
      "date": "2026-05-24",
      "severity": "high",
      "tags": [
        "supply-chain",
        "npm",
        "browser",
        "javascript",
        "exploit-delivery"
      ],
      "sources_count": 1,
      "feed_url": "https://haltingproblems.com/analysis/art-template-coruna-npm-compromise/",
      "ioc_url": "https://haltingproblems.com/analysis/art-template-coruna-npm-compromise/ioc.json",
      "indicators": {
        "slug": "art-template-coruna-npm-compromise",
        "since": "2026-05-24T00:00:00Z",
        "until": "2026-05-24T23:59:59Z",
        "ecosystem": "npm npmjs.com",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "art-template"
        ],
        "versions": [
          "4.13.5",
          "4.13.6",
          "art-template 4.13.5",
          "art-template 4.13.6"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "lib/template-web.js",
          "49554fde7424c31c.js"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "v3.jiathis.com",
          "utaq.cfww.shop",
          "cfww.shop",
          "l1ewsu3yjkqeroy.xyz",
          "ipv4.icanhazip.com"
        ],
        "urls": [
          "https://v3.jiathis.com/code/jia.js?uid=artemplate",
          "https://v3.jiathis.com/code/art.js",
          "https://utaq.cfww.shop/gooll/gooll.html",
          "https://utaq.cfww.shop/gooll/49554fde7424c31c.js",
          "https://l1ewsu3yjkqeroy.xyz/api/ip-sync/sync"
        ],
        "ips": [],
        "hashes": [
          "dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086",
          "387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41"
        ],
        "processPatterns": [],
        "networkPatterns": [
          "browser requests to v3.jiathis.com/code/art.js",
          "browser requests to utaq.cfww.shop/gooll/",
          "POST or beacon to l1ewsu3yjkqeroy.xyz/api/ip-sync/sync"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "actions-cool-github-actions-tag-hijack",
      "title": "actions-cool GitHub Actions Tag Hijack Credential Theft",
      "summary": "GitHub Action tags for actions-cool/issues-helper and actions-cool/maintain-one-comment were moved to imposter commits that scraped GitHub Actions runner memory and exfiltrated CI/CD secrets. StepSecurity's incident center now preserves the two-action scope and shared C2 linkage.",
      "date": "2026-05-24",
      "severity": "critical",
      "tags": [
        "supply-chain",
        "github-actions",
        "ci-cd",
        "credential-theft",
        "tag-hijack"
      ],
      "sources_count": 2,
      "feed_url": "https://haltingproblems.com/analysis/actions-cool-github-actions-tag-hijack/",
      "ioc_url": "https://haltingproblems.com/analysis/actions-cool-github-actions-tag-hijack/ioc.json",
      "indicators": {
        "slug": "actions-cool-github-actions-tag-hijack",
        "since": "2026-05-18T19:00:00Z",
        "until": "2026-05-24T23:59:59Z",
        "ecosystem": "github actions github repositories and action tags",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "actions-cool/issues-helper",
          "actions-cool/maintain-one-comment"
        ],
        "versions": [
          "actions-cool/issues-helper@v1",
          "actions-cool/issues-helper@v1.0.0",
          "actions-cool/issues-helper@v1.1.0",
          "actions-cool/issues-helper@v1.10.0",
          "actions-cool/issues-helper@v1.11.0",
          "actions-cool/issues-helper@v1.12.0",
          "actions-cool/issues-helper@v1.13.0",
          "actions-cool/issues-helper@v1.14.0",
          "actions-cool/issues-helper@v1.15.0",
          "actions-cool/issues-helper@v1.16.0",
          "actions-cool/issues-helper@v1.17.0",
          "actions-cool/issues-helper@v1.18.0",
          "actions-cool/issues-helper@v1.19.0",
          "actions-cool/issues-helper@v1.2.0",
          "actions-cool/issues-helper@v1.20.0",
          "actions-cool/issues-helper@v1.21.0",
          "actions-cool/issues-helper@v1.22.0",
          "actions-cool/issues-helper@v1.23.0",
          "actions-cool/issues-helper@v1.24.0",
          "actions-cool/issues-helper@v1.25.0",
          "actions-cool/issues-helper@v1.26.0",
          "actions-cool/issues-helper@v1.27.0",
          "actions-cool/issues-helper@v1.28.0",
          "actions-cool/issues-helper@v1.29.0",
          "actions-cool/issues-helper@v1.3.0",
          "actions-cool/issues-helper@v1.30.0",
          "actions-cool/issues-helper@v1.31.0",
          "actions-cool/issues-helper@v1.32.0",
          "actions-cool/issues-helper@v1.33.0",
          "actions-cool/issues-helper@v1.34.0",
          "actions-cool/issues-helper@v1.35.0",
          "actions-cool/issues-helper@v1.36.0",
          "actions-cool/issues-helper@v1.37.0",
          "actions-cool/issues-helper@v1.4.0",
          "actions-cool/issues-helper@v1.5.0",
          "actions-cool/issues-helper@v1.6.0",
          "actions-cool/issues-helper@v1.7.0",
          "actions-cool/issues-helper@v1.8.0",
          "actions-cool/issues-helper@v1.9.0",
          "actions-cool/issues-helper@v2",
          "actions-cool/issues-helper@v2.0.0",
          "actions-cool/issues-helper@v2.1.0",
          "actions-cool/issues-helper@v2.2.0",
          "actions-cool/issues-helper@v2.3.0",
          "actions-cool/issues-helper@v2.4.0",
          "actions-cool/issues-helper@v2.5.0",
          "actions-cool/issues-helper@v3",
          "actions-cool/issues-helper@v3.0.0",
          "actions-cool/issues-helper@v3.1.0",
          "actions-cool/issues-helper@v3.2.0",
          "actions-cool/issues-helper@v3.2.1",
          "actions-cool/maintain-one-comment@v1",
          "actions-cool/maintain-one-comment@v1.0.0",
          "actions-cool/maintain-one-comment@v1.1.0",
          "actions-cool/maintain-one-comment@v1.2.0",
          "actions-cool/maintain-one-comment@v1.3.0",
          "actions-cool/maintain-one-comment@v2",
          "actions-cool/maintain-one-comment@v2.0.0",
          "actions-cool/maintain-one-comment@v2.1.0",
          "actions-cool/maintain-one-comment@v2.2.0",
          "actions-cool/maintain-one-comment@v2.3.0",
          "actions-cool/maintain-one-comment@v3",
          "actions-cool/maintain-one-comment@v3.0.0",
          "actions-cool/maintain-one-comment@v3.1.0",
          "actions-cool/maintain-one-comment@v3.2.0",
          "actions-cool/maintain-one-comment@v3.3.0",
          "actions-cool/issues-helper affected tags",
          "actions-cool/maintain-one-comment affected tags"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          ".github/workflows/*.yml"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "t.m-kosche.com"
        ],
        "urls": [],
        "ips": [],
        "hashes": [
          "8064d4e0322f069b3dba13e7957ff0ca7dab7984",
          "6e79ae622b7ef30f31fdbcc2dc65339e"
        ],
        "processPatterns": [
          "python3 reading /proc//mem",
          "bun executing unexpected action code"
        ],
        "networkPatterns": [
          "POST or HTTPS traffic from GitHub Actions runner to t.m-kosche.com"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "laravel-lang-composer-tag-compromise",
      "title": "Laravel-Lang Composer Tag Rewrite RCE Compromise",
      "summary": "Laravel-Lang packages were compromised through rewritten Composer tags that loaded a PHP backdoor through Composer autoload and exposed developer, CI/CD, cloud, and application secrets.",
      "date": "2026-05-24",
      "severity": "critical",
      "tags": [
        "supply-chain",
        "packagist",
        "composer",
        "laravel",
        "credential-theft"
      ],
      "sources_count": 2,
      "feed_url": "https://haltingproblems.com/analysis/laravel-lang-composer-tag-compromise/",
      "ioc_url": "https://haltingproblems.com/analysis/laravel-lang-composer-tag-compromise/ioc.json",
      "indicators": {
        "slug": "laravel-lang-composer-tag-compromise",
        "since": "2026-05-22T22:32:00Z",
        "until": "2026-05-24T23:59:59Z",
        "ecosystem": "composer packagist",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "laravel-lang/lang",
          "laravel-lang/http-statuses",
          "laravel-lang/actions",
          "laravel-lang/attributes"
        ],
        "versions": [
          "laravel-lang/lang@15.30.0",
          "laravel-lang/lang@15.28.5",
          "laravel-lang/lang@15.28.4",
          "laravel-lang/lang@15.28.3",
          "laravel-lang/lang@15.28.2",
          "laravel-lang/lang@15.28.1",
          "laravel-lang/lang@15.28.0",
          "laravel-lang/lang@15.27.0",
          "laravel-lang/lang@15.26.5",
          "laravel-lang/lang@15.26.4",
          "laravel-lang/lang@15.26.3",
          "laravel-lang/lang@15.26.2",
          "laravel-lang/lang@15.26.1",
          "laravel-lang/lang@15.26.0",
          "laravel-lang/lang@15.25.0",
          "laravel-lang/lang@15.24.5",
          "laravel-lang/lang@15.24.4",
          "laravel-lang/lang@15.24.3",
          "laravel-lang/lang@15.24.2",
          "laravel-lang/lang@15.24.1",
          "laravel-lang/lang@15.24.0",
          "laravel-lang/lang@15.23.3",
          "laravel-lang/lang@15.23.2",
          "laravel-lang/lang@15.23.1",
          "laravel-lang/lang@15.23.0",
          "laravel-lang/lang@15.22.8",
          "laravel-lang/lang@15.22.7",
          "laravel-lang/lang@15.22.6",
          "laravel-lang/lang@15.22.5",
          "laravel-lang/lang@15.22.4",
          "laravel-lang/lang@15.22.3",
          "laravel-lang/lang@15.22.2",
          "laravel-lang/lang@15.22.1",
          "laravel-lang/lang@15.22.0",
          "laravel-lang/lang@15.21.1",
          "laravel-lang/lang@15.21.0",
          "laravel-lang/lang@15.20.2",
          "laravel-lang/lang@15.20.1",
          "laravel-lang/lang@15.20.0",
          "laravel-lang/lang@15.19.9",
          "laravel-lang/lang@15.19.8",
          "laravel-lang/lang@15.19.7",
          "laravel-lang/lang@15.19.6",
          "laravel-lang/lang@15.19.5",
          "laravel-lang/lang@15.19.4",
          "laravel-lang/lang@15.19.3",
          "laravel-lang/lang@15.19.2",
          "laravel-lang/lang@15.19.1",
          "laravel-lang/lang@15.19.0",
          "laravel-lang/lang@15.18.0",
          "laravel-lang/lang@15.17.1",
          "laravel-lang/lang@15.17.0",
          "laravel-lang/lang@15.16.0",
          "laravel-lang/lang@15.15.0",
          "laravel-lang/lang@15.14.0",
          "laravel-lang/lang@15.13.0",
          "laravel-lang/lang@15.12.1",
          "laravel-lang/lang@15.12.0",
          "laravel-lang/lang@15.11.7",
          "laravel-lang/lang@15.11.6",
          "laravel-lang/lang@15.11.5",
          "laravel-lang/lang@15.11.4",
          "laravel-lang/lang@15.11.3",
          "laravel-lang/lang@15.11.2",
          "laravel-lang/lang@15.11.1",
          "laravel-lang/lang@15.11.0",
          "laravel-lang/lang@15.10.0",
          "laravel-lang/lang@15.9.7",
          "laravel-lang/lang@15.9.6",
          "laravel-lang/lang@15.9.5",
          "laravel-lang/lang@15.9.4",
          "laravel-lang/lang@15.9.3",
          "laravel-lang/lang@15.9.2",
          "laravel-lang/lang@15.9.1",
          "laravel-lang/lang@15.9.0",
          "laravel-lang/lang@15.8.1",
          "laravel-lang/lang@15.8.0",
          "laravel-lang/lang@15.7.5",
          "laravel-lang/lang@15.7.4",
          "laravel-lang/lang@15.7.3",
          "laravel-lang/lang@15.7.2",
          "laravel-lang/lang@15.7.1",
          "laravel-lang/lang@15.7.0",
          "laravel-lang/lang@15.6.2",
          "laravel-lang/lang@15.6.1",
          "laravel-lang/lang@15.6.0",
          "laravel-lang/lang@15.5.6",
          "laravel-lang/lang@15.5.5",
          "laravel-lang/lang@15.5.4",
          "laravel-lang/lang@15.5.3",
          "laravel-lang/lang@15.5.2",
          "laravel-lang/lang@15.5.1",
          "laravel-lang/lang@15.5.0",
          "laravel-lang/lang@15.4.1",
          "laravel-lang/lang@15.4.0",
          "laravel-lang/lang@15.3.1",
          "laravel-lang/lang@15.3.0",
          "laravel-lang/lang@15.2.2",
          "laravel-lang/lang@15.2.1",
          "laravel-lang/lang@15.2.0",
          "laravel-lang/lang@15.1.5",
          "laravel-lang/lang@15.1.4",
          "laravel-lang/lang@15.1.3",
          "laravel-lang/lang@15.1.2",
          "laravel-lang/lang@15.1.1",
          "laravel-lang/lang@15.1.0",
          "laravel-lang/lang@15.0.0",
          "laravel-lang/lang@14.8.1",
          "laravel-lang/lang@14.8.0",
          "laravel-lang/lang@14.7.0",
          "laravel-lang/lang@14.6.0",
          "laravel-lang/lang@14.5.2",
          "laravel-lang/lang@14.5.1",
          "laravel-lang/lang@14.5.0",
          "laravel-lang/lang@14.4.0",
          "laravel-lang/lang@14.3.7",
          "laravel-lang/lang@14.3.6",
          "laravel-lang/lang@14.3.5",
          "laravel-lang/lang@14.3.4",
          "laravel-lang/lang@14.3.3",
          "laravel-lang/lang@14.3.2",
          "laravel-lang/lang@14.3.1",
          "laravel-lang/lang@14.3.0",
          "laravel-lang/lang@14.2.9",
          "laravel-lang/lang@14.2.8",
          "laravel-lang/lang@14.2.7",
          "laravel-lang/lang@14.2.6",
          "laravel-lang/lang@14.2.5",
          "laravel-lang/lang@14.2.4",
          "laravel-lang/lang@14.2.3",
          "laravel-lang/lang@14.2.2",
          "laravel-lang/lang@14.2.1",
          "laravel-lang/lang@14.2.0",
          "laravel-lang/lang@14.1.5",
          "laravel-lang/lang@14.1.4",
          "laravel-lang/lang@14.1.3",
          "laravel-lang/lang@14.1.2",
          "laravel-lang/lang@14.1.1",
          "laravel-lang/lang@14.1.0",
          "laravel-lang/lang@14.0.1",
          "laravel-lang/lang@14.0.0",
          "laravel-lang/lang@13.12.1",
          "laravel-lang/lang@13.12.0",
          "laravel-lang/lang@13.11.0",
          "laravel-lang/lang@13.10.0",
          "laravel-lang/lang@13.9.1",
          "laravel-lang/lang@13.9.0",
          "laravel-lang/lang@13.8.0",
          "laravel-lang/lang@13.7.0",
          "laravel-lang/lang@13.6.1",
          "laravel-lang/lang@13.6.0",
          "laravel-lang/lang@13.5.1",
          "laravel-lang/lang@13.5.0",
          "laravel-lang/lang@13.4.0",
          "laravel-lang/lang@13.3.0",
          "laravel-lang/lang@13.2.8",
          "laravel-lang/lang@13.2.7",
          "laravel-lang/lang@13.2.6",
          "laravel-lang/lang@13.2.5",
          "laravel-lang/lang@13.2.4",
          "laravel-lang/lang@13.2.3",
          "laravel-lang/lang@13.2.2",
          "laravel-lang/lang@13.2.1",
          "laravel-lang/lang@13.2.0",
          "laravel-lang/lang@13.1.4",
          "laravel-lang/lang@13.1.3",
          "laravel-lang/lang@13.1.2",
          "laravel-lang/lang@13.1.1",
          "laravel-lang/lang@13.1.0",
          "laravel-lang/lang@13.0.1",
          "laravel-lang/lang@13.0.0",
          "laravel-lang/lang@12.24.3",
          "laravel-lang/lang@12.24.2",
          "laravel-lang/lang@12.24.1",
          "laravel-lang/lang@12.24.0",
          "laravel-lang/lang@12.23.2",
          "laravel-lang/lang@12.23.1",
          "laravel-lang/lang@12.23.0",
          "laravel-lang/lang@12.22.1",
          "laravel-lang/lang@12.22.0",
          "laravel-lang/lang@12.21.10",
          "laravel-lang/lang@12.21.9",
          "laravel-lang/lang@12.21.8",
          "laravel-lang/lang@12.21.7",
          "laravel-lang/lang@12.21.6",
          "laravel-lang/lang@12.21.5",
          "laravel-lang/lang@12.21.4",
          "laravel-lang/lang@12.21.3",
          "laravel-lang/lang@12.21.2",
          "laravel-lang/lang@12.21.1",
          "laravel-lang/lang@12.21.0",
          "laravel-lang/lang@12.20.5",
          "laravel-lang/lang@12.20.4",
          "laravel-lang/lang@12.20.3",
          "laravel-lang/lang@12.20.2",
          "laravel-lang/lang@12.20.1",
          "laravel-lang/lang@12.20.0",
          "laravel-lang/lang@12.19.4",
          "laravel-lang/lang@12.19.3",
          "laravel-lang/lang@12.19.2",
          "laravel-lang/lang@12.19.1",
          "laravel-lang/lang@12.19.0",
          "laravel-lang/lang@12.18.6",
          "laravel-lang/lang@12.18.5",
          "laravel-lang/lang@12.18.4",
          "laravel-lang/lang@12.18.3",
          "laravel-lang/lang@12.18.2",
          "laravel-lang/lang@12.18.1",
          "laravel-lang/lang@12.18.0",
          "laravel-lang/lang@12.17.1",
          "laravel-lang/lang@12.17.0",
          "laravel-lang/lang@12.16.1",
          "laravel-lang/lang@12.16.0",
          "laravel-lang/lang@12.15.2",
          "laravel-lang/lang@12.15.1",
          "laravel-lang/lang@12.15.0",
          "laravel-lang/lang@12.14.2",
          "laravel-lang/lang@12.14.1",
          "laravel-lang/lang@12.14.0",
          "laravel-lang/lang@12.13.1",
          "laravel-lang/lang@12.13.0",
          "laravel-lang/lang@12.12.0",
          "laravel-lang/lang@12.11.5",
          "laravel-lang/lang@12.11.4",
          "laravel-lang/lang@12.11.3",
          "laravel-lang/lang@12.11.2",
          "laravel-lang/lang@12.11.1",
          "laravel-lang/lang@12.11.0",
          "laravel-lang/lang@12.10.0",
          "laravel-lang/lang@12.9.9",
          "laravel-lang/lang@12.9.8",
          "laravel-lang/lang@12.9.7",
          "laravel-lang/lang@12.9.6",
          "laravel-lang/lang@12.9.5",
          "laravel-lang/lang@12.9.4",
          "laravel-lang/lang@12.9.3",
          "laravel-lang/lang@12.9.2",
          "laravel-lang/lang@12.9.1",
          "laravel-lang/lang@12.9.0",
          "laravel-lang/lang@12.8.4",
          "laravel-lang/lang@12.8.2",
          "laravel-lang/lang@12.8.1",
          "laravel-lang/lang@12.8.0",
          "laravel-lang/lang@12.7.3",
          "laravel-lang/lang@12.7.2",
          "laravel-lang/lang@12.7.1",
          "laravel-lang/lang@12.7.0",
          "laravel-lang/lang@12.6.1",
          "laravel-lang/lang@12.6.0",
          "laravel-lang/lang@12.5.8",
          "laravel-lang/lang@12.5.7",
          "laravel-lang/lang@12.5.6",
          "laravel-lang/lang@12.5.5",
          "laravel-lang/lang@12.5.4",
          "laravel-lang/lang@12.5.3",
          "laravel-lang/lang@12.5.2",
          "laravel-lang/lang@12.5.1",
          "laravel-lang/lang@12.5.0",
          "laravel-lang/lang@12.4.0",
          "laravel-lang/lang@12.3.2",
          "laravel-lang/lang@12.3.1",
          "laravel-lang/lang@12.3.0",
          "laravel-lang/lang@12.2.3",
          "laravel-lang/lang@12.2.2",
          "laravel-lang/lang@12.2.1",
          "laravel-lang/lang@12.2.0",
          "laravel-lang/lang@12.1.5",
          "laravel-lang/lang@12.1.4",
          "laravel-lang/lang@12.1.3",
          "laravel-lang/lang@12.1.2",
          "laravel-lang/lang@12.1.1",
          "laravel-lang/lang@12.1.0",
          "laravel-lang/lang@12.0.10",
          "laravel-lang/lang@12.0.9",
          "laravel-lang/lang@12.0.8",
          "laravel-lang/lang@12.0.7",
          "laravel-lang/lang@12.0.6",
          "laravel-lang/lang@12.0.5",
          "laravel-lang/lang@12.0.4",
          "laravel-lang/lang@12.0.3",
          "laravel-lang/lang@12.0.2",
          "laravel-lang/lang@12.0.1",
          "laravel-lang/lang@12.0.0",
          "laravel-lang/lang@11.0.20",
          "laravel-lang/lang@11.0.19",
          "laravel-lang/lang@11.0.18",
          "laravel-lang/lang@11.0.17",
          "laravel-lang/lang@11.0.16",
          "laravel-lang/lang@11.0.15",
          "laravel-lang/lang@11.0.14",
          "laravel-lang/lang@11.0.13",
          "laravel-lang/lang@11.0.12",
          "laravel-lang/lang@11.0.11",
          "laravel-lang/lang@11.0.10",
          "laravel-lang/lang@11.0.9",
          "laravel-lang/lang@11.0.8",
          "laravel-lang/lang@11.0.7",
          "laravel-lang/lang@11.0.6",
          "laravel-lang/lang@11.0.5",
          "laravel-lang/lang@11.0.4",
          "laravel-lang/lang@11.0.3",
          "laravel-lang/lang@11.0.2",
          "laravel-lang/lang@11.0.1",
          "laravel-lang/lang@11.0.0",
          "laravel-lang/lang@10.9.6",
          "laravel-lang/lang@10.9.5",
          "laravel-lang/lang@10.9.4",
          "laravel-lang/lang@10.9.3",
          "laravel-lang/lang@10.9.2",
          "laravel-lang/lang@10.9.1",
          "laravel-lang/lang@10.9.0",
          "laravel-lang/lang@10.8.0",
          "laravel-lang/lang@10.7.2",
          "laravel-lang/lang@10.7.1",
          "laravel-lang/lang@10.7.0",
          "laravel-lang/lang@10.6.0",
          "laravel-lang/lang@10.5.2",
          "laravel-lang/lang@10.5.1",
          "laravel-lang/lang@10.5.0",
          "laravel-lang/lang@10.4.14",
          "laravel-lang/lang@10.4.13",
          "laravel-lang/lang@10.4.12",
          "laravel-lang/lang@10.4.11",
          "laravel-lang/lang@10.4.10",
          "laravel-lang/lang@10.4.9",
          "laravel-lang/lang@10.4.8",
          "laravel-lang/lang@10.4.7",
          "laravel-lang/lang@10.4.6",
          "laravel-lang/lang@10.4.5",
          "laravel-lang/lang@10.4.4",
          "laravel-lang/lang@10.4.3",
          "laravel-lang/lang@10.4.2",
          "laravel-lang/lang@10.4.1",
          "laravel-lang/lang@10.4.0",
          "laravel-lang/lang@10.3.0",
          "laravel-lang/lang@10.2.0",
          "laravel-lang/lang@10.1.12",
          "laravel-lang/lang@10.1.11",
          "laravel-lang/lang@10.1.10",
          "laravel-lang/lang@10.1.9",
          "laravel-lang/lang@10.1.8",
          "laravel-lang/lang@10.1.7",
          "laravel-lang/lang@10.1.6",
          "laravel-lang/lang@10.1.5",
          "laravel-lang/lang@10.1.4",
          "laravel-lang/lang@10.1.3",
          "laravel-lang/lang@10.1.2",
          "laravel-lang/lang@10.1.1",
          "laravel-lang/lang@10.1.0",
          "laravel-lang/lang@10.0.2",
          "laravel-lang/lang@10.0.1",
          "laravel-lang/lang@10.0.0",
          "laravel-lang/lang@9.1.3",
          "laravel-lang/lang@9.1.2",
          "laravel-lang/lang@9.1.1",
          "laravel-lang/lang@9.1.0",
          "laravel-lang/lang@9.0.1",
          "laravel-lang/lang@9.0.0",
          "laravel-lang/lang@8.1.3",
          "laravel-lang/lang@8.1.2",
          "laravel-lang/lang@8.1.1",
          "laravel-lang/lang@8.1.0",
          "laravel-lang/lang@8.0.3",
          "laravel-lang/lang@8.0.2",
          "laravel-lang/lang@8.0.1",
          "laravel-lang/lang@8.0.0",
          "laravel-lang/lang@7.0.9",
          "laravel-lang/lang@7.0.8",
          "laravel-lang/lang@7.0.7",
          "laravel-lang/lang@7.0.6",
          "laravel-lang/lang@7.0.5",
          "laravel-lang/lang@7.0.4",
          "laravel-lang/lang@7.0.3",
          "laravel-lang/lang@7.0.2",
          "laravel-lang/lang@7.0.1",
          "laravel-lang/lang@7.0.0",
          "laravel-lang/lang@6.1.4",
          "laravel-lang/lang@6.1.3",
          "laravel-lang/lang@6.1.2",
          "laravel-lang/lang@6.1.1",
          "laravel-lang/lang@6.1.0",
          "laravel-lang/lang@6.0.3",
          "laravel-lang/lang@6.0.2",
          "laravel-lang/lang@6.0.1",
          "laravel-lang/lang@6.0.0",
          "laravel-lang/lang@5.0.0",
          "laravel-lang/lang@4.0.11",
          "laravel-lang/lang@4.0.10",
          "laravel-lang/lang@4.0.9",
          "laravel-lang/lang@4.0.8",
          "laravel-lang/lang@4.0.7",
          "laravel-lang/lang@4.0.6",
          "laravel-lang/lang@4.0.5",
          "laravel-lang/lang@4.0.4",
          "laravel-lang/lang@4.0.3",
          "laravel-lang/lang@4.0.2",
          "laravel-lang/lang@4.0.1",
          "laravel-lang/lang@4.0.0",
          "laravel-lang/lang@3.0.62",
          "laravel-lang/lang@3.0.61",
          "laravel-lang/lang@3.0.60",
          "laravel-lang/lang@3.0.59",
          "laravel-lang/lang@3.0.58",
          "laravel-lang/lang@3.0.57",
          "laravel-lang/lang@3.0.56",
          "laravel-lang/lang@3.0.54",
          "laravel-lang/lang@3.0.53",
          "laravel-lang/lang@3.0.52",
          "laravel-lang/lang@3.0.51",
          "laravel-lang/lang@3.0.50",
          "laravel-lang/lang@3.0.49",
          "laravel-lang/lang@3.0.48",
          "laravel-lang/lang@3.0.47",
          "laravel-lang/lang@3.0.46",
          "laravel-lang/lang@3.0.45",
          "laravel-lang/lang@3.0.44",
          "laravel-lang/lang@3.0.43",
          "laravel-lang/lang@3.0.42",
          "laravel-lang/lang@3.0.41",
          "laravel-lang/lang@3.0.40",
          "laravel-lang/lang@3.0.39",
          "laravel-lang/lang@3.0.38",
          "laravel-lang/lang@3.0.37",
          "laravel-lang/lang@3.0.36",
          "laravel-lang/lang@3.0.35",
          "laravel-lang/lang@3.0.34",
          "laravel-lang/lang@3.0.33",
          "laravel-lang/lang@3.0.32",
          "laravel-lang/lang@3.0.31",
          "laravel-lang/lang@3.0.30",
          "laravel-lang/lang@3.0.29",
          "laravel-lang/lang@3.0.28",
          "laravel-lang/lang@3.0.27",
          "laravel-lang/lang@3.0.26",
          "laravel-lang/lang@3.0.25",
          "laravel-lang/lang@3.0.24",
          "laravel-lang/lang@3.0.23",
          "laravel-lang/lang@3.0.22",
          "laravel-lang/lang@3.0.21",
          "laravel-lang/lang@3.0.20",
          "laravel-lang/lang@3.0.19",
          "laravel-lang/lang@3.0.18",
          "laravel-lang/lang@3.0.17",
          "laravel-lang/lang@3.0.16",
          "laravel-lang/lang@3.0.15",
          "laravel-lang/lang@3.0.14",
          "laravel-lang/lang@3.0.13",
          "laravel-lang/lang@3.0.12",
          "laravel-lang/lang@3.0.11",
          "laravel-lang/lang@3.0.10",
          "laravel-lang/lang@3.0.9",
          "laravel-lang/lang@3.0.8",
          "laravel-lang/lang@3.0.7",
          "laravel-lang/lang@3.0.6",
          "laravel-lang/lang@3.0.5",
          "laravel-lang/lang@3.0.4",
          "laravel-lang/lang@3.0.3",
          "laravel-lang/lang@3.0.2",
          "laravel-lang/lang@3.0.1",
          "laravel-lang/lang@3.0.0",
          "laravel-lang/lang@2.0.43",
          "laravel-lang/lang@2.0.42",
          "laravel-lang/lang@2.0.41",
          "laravel-lang/lang@2.0.40",
          "laravel-lang/lang@2.0.39",
          "laravel-lang/lang@2.0.38",
          "laravel-lang/lang@2.0.37",
          "laravel-lang/lang@2.0.36",
          "laravel-lang/lang@2.0.35",
          "laravel-lang/lang@2.0.34",
          "laravel-lang/lang@2.0.33",
          "laravel-lang/lang@2.0.32",
          "laravel-lang/lang@2.0.31",
          "laravel-lang/lang@2.0.30",
          "laravel-lang/lang@2.0.29",
          "laravel-lang/lang@2.0.28",
          "laravel-lang/lang@2.0.27",
          "laravel-lang/lang@2.0.26",
          "laravel-lang/lang@2.0.25",
          "laravel-lang/lang@2.0.24",
          "laravel-lang/lang@2.0.23",
          "laravel-lang/lang@2.0.22",
          "laravel-lang/lang@2.0.21",
          "laravel-lang/lang@2.0.20",
          "laravel-lang/lang@2.0.19",
          "laravel-lang/lang@2.0.18",
          "laravel-lang/lang@2.0.17",
          "laravel-lang/lang@2.0.16",
          "laravel-lang/lang@2.0.15",
          "laravel-lang/lang@2.0.14",
          "laravel-lang/lang@2.0.13",
          "laravel-lang/lang@2.0.12",
          "laravel-lang/lang@2.0.11",
          "laravel-lang/lang@2.0.10",
          "laravel-lang/lang@2.0.9",
          "laravel-lang/lang@2.0.8",
          "laravel-lang/lang@2.0.7",
          "laravel-lang/lang@2.0.6",
          "laravel-lang/lang@2.0.5",
          "laravel-lang/lang@2.0.4",
          "laravel-lang/lang@2.0.3",
          "laravel-lang/lang@2.0.2",
          "laravel-lang/lang@2.0.1",
          "laravel-lang/lang@1.0.2",
          "laravel-lang/http-statuses@v3.4.5",
          "laravel-lang/http-statuses@v3.4.4",
          "laravel-lang/http-statuses@v3.4.3",
          "laravel-lang/http-statuses@v3.4.2",
          "laravel-lang/http-statuses@v3.4.1",
          "laravel-lang/http-statuses@v3.4.0",
          "laravel-lang/http-statuses@v3.3.1",
          "laravel-lang/http-statuses@v3.3.0",
          "laravel-lang/http-statuses@v3.2.2",
          "laravel-lang/http-statuses@v3.2.1",
          "laravel-lang/http-statuses@v3.2.0",
          "laravel-lang/http-statuses@v3.1.5",
          "laravel-lang/http-statuses@v3.1.4",
          "laravel-lang/http-statuses@v3.1.3",
          "laravel-lang/http-statuses@v3.1.2",
          "laravel-lang/http-statuses@v3.1.1",
          "laravel-lang/http-statuses@v3.1.0",
          "laravel-lang/http-statuses@v3.0.8",
          "laravel-lang/http-statuses@v3.0.7",
          "laravel-lang/http-statuses@v3.0.6",
          "laravel-lang/http-statuses@v3.0.5",
          "laravel-lang/http-statuses@v3.0.4",
          "laravel-lang/http-statuses@v3.0.3",
          "laravel-lang/http-statuses@v3.0.2",
          "laravel-lang/http-statuses@v3.0.1",
          "laravel-lang/http-statuses@v3.0.0",
          "laravel-lang/http-statuses@v2.1.3",
          "laravel-lang/http-statuses@v2.1.2",
          "laravel-lang/http-statuses@v2.1.1",
          "laravel-lang/http-statuses@v2.1.0",
          "laravel-lang/http-statuses@v2.0.1",
          "laravel-lang/http-statuses@v2.0.0",
          "laravel-lang/http-statuses@v1.0.10",
          "laravel-lang/http-statuses@v1.0.9",
          "laravel-lang/http-statuses@v1.0.8",
          "laravel-lang/http-statuses@v1.0.7",
          "laravel-lang/http-statuses@v1.0.6",
          "laravel-lang/http-statuses@v1.0.5",
          "laravel-lang/http-statuses@v1.0.4",
          "laravel-lang/http-statuses@v1.0.3",
          "laravel-lang/http-statuses@v1.0.2",
          "laravel-lang/http-statuses@v1.0.1",
          "laravel-lang/http-statuses@v1.0.0",
          "laravel-lang/http-statuses@3.13.1",
          "laravel-lang/http-statuses@3.13.0",
          "laravel-lang/http-statuses@3.12.1",
          "laravel-lang/http-statuses@3.12.0",
          "laravel-lang/http-statuses@3.11.1",
          "laravel-lang/http-statuses@3.11.0",
          "laravel-lang/http-statuses@3.10.5",
          "laravel-lang/http-statuses@3.10.4",
          "laravel-lang/http-statuses@3.10.3",
          "laravel-lang/http-statuses@3.10.2",
          "laravel-lang/http-statuses@3.10.1",
          "laravel-lang/http-statuses@3.10.0",
          "laravel-lang/http-statuses@3.9.0",
          "laravel-lang/http-statuses@3.8.5",
          "laravel-lang/http-statuses@3.8.4",
          "laravel-lang/http-statuses@3.8.3",
          "laravel-lang/http-statuses@3.8.2",
          "laravel-lang/http-statuses@3.8.1",
          "laravel-lang/http-statuses@3.8.0",
          "laravel-lang/http-statuses@3.7.0",
          "laravel-lang/http-statuses@3.6.3",
          "laravel-lang/http-statuses@3.6.2",
          "laravel-lang/http-statuses@3.6.1",
          "laravel-lang/http-statuses@3.6.0",
          "laravel-lang/http-statuses@3.5.0",
          "laravel-lang/http-statuses@2.1.4",
          "laravel-lang/http-statuses@1.0.11",
          "laravel-lang/actions@1.13.1",
          "laravel-lang/actions@1.13.0",
          "laravel-lang/actions@1.12.4",
          "laravel-lang/actions@1.11.1",
          "laravel-lang/actions@1.11.0",
          "laravel-lang/actions@1.10.2",
          "laravel-lang/actions@1.10.1",
          "laravel-lang/actions@1.10.0",
          "laravel-lang/actions@1.9.0",
          "laravel-lang/actions@1.8.10",
          "laravel-lang/actions@1.8.9",
          "laravel-lang/actions@1.8.8",
          "laravel-lang/actions@1.8.7",
          "laravel-lang/actions@1.8.6",
          "laravel-lang/actions@1.8.5",
          "laravel-lang/actions@1.8.4",
          "laravel-lang/actions@1.8.3",
          "laravel-lang/actions@1.8.2",
          "laravel-lang/actions@1.8.1",
          "laravel-lang/actions@1.8.0",
          "laravel-lang/actions@1.7.0",
          "laravel-lang/actions@1.6.1",
          "laravel-lang/actions@1.6.0",
          "laravel-lang/actions@1.5.6",
          "laravel-lang/actions@1.5.5",
          "laravel-lang/actions@1.5.4",
          "laravel-lang/actions@1.5.3",
          "laravel-lang/actions@1.5.2",
          "laravel-lang/actions@1.5.1",
          "laravel-lang/actions@1.5.0",
          "laravel-lang/actions@1.4.5",
          "laravel-lang/actions@1.4.4",
          "laravel-lang/actions@1.4.3",
          "laravel-lang/actions@1.4.2",
          "laravel-lang/actions@1.4.1",
          "laravel-lang/actions@1.4.0",
          "laravel-lang/actions@1.3.1",
          "laravel-lang/actions@1.3.0",
          "laravel-lang/actions@1.2.1",
          "laravel-lang/actions@1.2.0",
          "laravel-lang/actions@1.1.3",
          "laravel-lang/actions@1.1.2",
          "laravel-lang/actions@1.1.1",
          "laravel-lang/actions@1.1.0",
          "laravel-lang/actions@1.0.1",
          "laravel-lang/actions@1.0.0",
          "laravel-lang/attributes@v2.4.1",
          "laravel-lang/attributes@v2.4.0",
          "laravel-lang/attributes@v2.3.4",
          "laravel-lang/attributes@v2.3.3",
          "laravel-lang/attributes@v2.3.2",
          "laravel-lang/attributes@v2.3.1",
          "laravel-lang/attributes@v2.3.0",
          "laravel-lang/attributes@v2.2.0",
          "laravel-lang/attributes@v2.1.2",
          "laravel-lang/attributes@v2.1.1",
          "laravel-lang/attributes@v2.1.0",
          "laravel-lang/attributes@v2.0.9",
          "laravel-lang/attributes@v2.0.8",
          "laravel-lang/attributes@v2.0.7",
          "laravel-lang/attributes@v2.0.6",
          "laravel-lang/attributes@v2.0.5",
          "laravel-lang/attributes@v2.0.4",
          "laravel-lang/attributes@v2.0.3",
          "laravel-lang/attributes@v2.0.2",
          "laravel-lang/attributes@v2.0.1",
          "laravel-lang/attributes@v2.0.0",
          "laravel-lang/attributes@v1.1.3",
          "laravel-lang/attributes@v1.1.2",
          "laravel-lang/attributes@v1.1.1",
          "laravel-lang/attributes@v1.1.0",
          "laravel-lang/attributes@v1.0.11",
          "laravel-lang/attributes@v1.0.10",
          "laravel-lang/attributes@v1.0.9",
          "laravel-lang/attributes@v1.0.8",
          "laravel-lang/attributes@v1.0.7",
          "laravel-lang/attributes@v1.0.6",
          "laravel-lang/attributes@v1.0.5",
          "laravel-lang/attributes@v1.0.4",
          "laravel-lang/attributes@v1.0.3",
          "laravel-lang/attributes@v1.0.2",
          "laravel-lang/attributes@v1.0.1",
          "laravel-lang/attributes@v1.0.0",
          "laravel-lang/attributes@2.16.1",
          "laravel-lang/attributes@2.16.0",
          "laravel-lang/attributes@2.15.8",
          "laravel-lang/attributes@2.14.2",
          "laravel-lang/attributes@2.14.1",
          "laravel-lang/attributes@2.14.0",
          "laravel-lang/attributes@2.13.6",
          "laravel-lang/attributes@2.13.5",
          "laravel-lang/attributes@2.13.4",
          "laravel-lang/attributes@2.13.3",
          "laravel-lang/attributes@2.13.2",
          "laravel-lang/attributes@2.13.1",
          "laravel-lang/attributes@2.13.0",
          "laravel-lang/attributes@2.12.1",
          "laravel-lang/attributes@2.12.0",
          "laravel-lang/attributes@2.11.4",
          "laravel-lang/attributes@2.11.3",
          "laravel-lang/attributes@2.11.2",
          "laravel-lang/attributes@2.11.1",
          "laravel-lang/attributes@2.11.0",
          "laravel-lang/attributes@2.10.10",
          "laravel-lang/attributes@2.10.9",
          "laravel-lang/attributes@2.10.8",
          "laravel-lang/attributes@2.10.7",
          "laravel-lang/attributes@2.10.6",
          "laravel-lang/attributes@2.10.5",
          "laravel-lang/attributes@2.10.4",
          "laravel-lang/attributes@2.10.3",
          "laravel-lang/attributes@2.10.2",
          "laravel-lang/attributes@2.10.1",
          "laravel-lang/attributes@2.10.0",
          "laravel-lang/attributes@2.9.5",
          "laravel-lang/attributes@2.9.4",
          "laravel-lang/attributes@2.9.3",
          "laravel-lang/attributes@2.9.2",
          "laravel-lang/attributes@2.9.1",
          "laravel-lang/attributes@2.9.0",
          "laravel-lang/attributes@2.8.1",
          "laravel-lang/attributes@2.8.0",
          "laravel-lang/attributes@2.7.0",
          "laravel-lang/attributes@2.6.2",
          "laravel-lang/attributes@2.6.1",
          "laravel-lang/attributes@2.6.0",
          "laravel-lang/attributes@2.5.1",
          "laravel-lang/attributes@2.5.0",
          "laravel-lang/attributes@1.1.5",
          "laravel-lang/attributes@1.1.4",
          "laravel-lang/lang rewritten tags",
          "laravel-lang/http-statuses rewritten tags through v3.4.5",
          "laravel-lang/actions rewritten tags through 1.12.2",
          "laravel-lang/attributes rewritten tags"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "src/helpers.php",
          "composer.json autoload.files",
          "/tmp/.laravel_locale/.php",
          "/tmp/"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "flipboxstudio.info"
        ],
        "urls": [
          "https://flipboxstudio.info/payload",
          "https://flipboxstudio.info/exfil"
        ],
        "ips": [],
        "hashes": [
          "2f0ee073c6f29d66188a845592029c9b52528f04"
        ],
        "processPatterns": [
          "php -r require vendor/autoload.php followed by an orphaned php child process",
          "sh -c php /tmp/.laravel_locale/.php > /dev/null 2>&1 &",
          "nohup /tmp/"
        ],
        "networkPatterns": [
          "GET flipboxstudio.info/payload",
          "POST flipboxstudio.info/exfil"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "megalodon-github-actions-secret-exfiltration",
      "title": "Megalodon GitHub Actions Secret Exfiltration Campaign",
      "summary": "Megalodon added malicious GitHub Actions workflows to thousands of public repositories to collect environment variables, cloud credentials, source-control secrets, and runner tokens.",
      "date": "2026-05-24",
      "severity": "critical",
      "tags": [
        "supply-chain",
        "github-actions",
        "ci-cd",
        "credential-theft",
        "workflow-injection"
      ],
      "sources_count": 1,
      "feed_url": "https://haltingproblems.com/analysis/megalodon-github-actions-secret-exfiltration/",
      "ioc_url": "https://haltingproblems.com/analysis/megalodon-github-actions-secret-exfiltration/ioc.json",
      "indicators": {
        "slug": "megalodon-github-actions-secret-exfiltration",
        "since": "2026-05-24T00:00:00Z",
        "until": "2026-05-24T23:59:59Z",
        "ecosystem": "github actions (github repositories)",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [],
        "versions": [],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          ".github/workflows/SysDiag.yml",
          ".github/workflows/Optimize-Build.yml"
        ],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [
          "https://216.126.225.129:8443/collect"
        ],
        "ips": [
          "216.126.225.129"
        ],
        "hashes": [
          "1c9e803c80cc7fed000022d4c94f4b5bc2e90062",
          "7f6120bb10c870b9fde146961a18e5bf0b3d4401",
          "acac5a9854650c4ae2883c4740bf87d34120c038"
        ],
        "processPatterns": [
          "GitHub Actions workflow collects environment variables and credential files"
        ],
        "networkPatterns": [
          "HTTPS POST to 216.126.225.129:8443/collect"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "packagist-github-postinstall-hook-campaign",
      "title": "Packagist GitHub Postinstall Hook Malware Campaign",
      "summary": "A campaign inserted malicious package.json postinstall hooks into Packagist-linked GitHub repositories, causing npm install workflows to download and execute a GitHub Releases binary as /tmp/.sshd.",
      "date": "2026-05-24",
      "severity": "high",
      "tags": [
        "supply-chain",
        "packagist",
        "github",
        "npm",
        "postinstall"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/packagist-github-postinstall-hook-campaign/",
      "ioc_url": "https://haltingproblems.com/analysis/packagist-github-postinstall-hook-campaign/ioc.json",
      "indicators": {
        "slug": "packagist-github-postinstall-hook-campaign",
        "since": "2026-05-24T00:00:00Z",
        "until": "2026-05-24T23:59:59Z",
        "ecosystem": "composer/packagist with npm lifecycle execution (packagist and github)",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "moritz-sauer-13/silverstripe-cms-theme",
          "crosiersource/crosierlib-base",
          "devdojo/wave",
          "devdojo/genesis",
          "katanaui/katana",
          "elitedevsquad/sidecar-laravel",
          "r2luna/brain",
          "baskarcm/tzi-chat-ui"
        ],
        "versions": [
          "dev-main",
          "dev-master",
          "3.x-dev",
          "moritz-sauer-13/silverstripe-cms-theme dev-master",
          "crosiersource/crosierlib-base dev-master",
          "devdojo/wave dev-main",
          "devdojo/genesis dev-main",
          "katanaui/katana dev-main",
          "elitedevsquad/sidecar-laravel 3.x-dev",
          "r2luna/brain dev-main",
          "baskarcm/tzi-chat-ui dev-main"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "package.json",
          "/tmp/.sshd"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "github.com"
        ],
        "urls": [
          "https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [
          "curl -skL ... -o /tmp/.sshd",
          "chmod +x /tmp/.sshd",
          "/tmp/.sshd running in background"
        ],
        "networkPatterns": [
          "download of the gvfsd-network asset from the latest GitHub release of parikhpreyash4/systemd-network-helper-aa5c751f"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "shopsprint-decimal-go-typosquat",
      "title": "shopsprint/decimal Go Module DNS Backdoor Typosquat",
      "summary": "The Go module github.com/shopsprint/decimal typosquatted github.com/shopspring/decimal and used an init-time DNS TXT command loop in v1.3.3.",
      "date": "2026-05-24",
      "severity": "high",
      "tags": [
        "supply-chain",
        "go",
        "typosquatting",
        "dns",
        "backdoor"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/shopsprint-decimal-go-typosquat/",
      "ioc_url": "https://haltingproblems.com/analysis/shopsprint-decimal-go-typosquat/ioc.json",
      "indicators": {
        "slug": "shopsprint-decimal-go-typosquat",
        "since": "2023-08-19T09:27:21Z",
        "until": "2026-05-24T23:59:59Z",
        "ecosystem": "go modules (proxy.golang.org and pkg.go.dev)",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "github.com/shopsprint/decimal"
        ],
        "versions": [
          "v1.3.3",
          "github.com/shopsprint/decimal v1.3.3"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "go.mod",
          "go.sum",
          "decimal.go"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "dnslog-cdn-images.freemyip.com",
          "freemyip.com"
        ],
        "urls": [],
        "ips": [],
        "hashes": [
          "f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c"
        ],
        "processPatterns": [
          "Go application importing github.com/shopsprint/decimal"
        ],
        "networkPatterns": [
          "DNS TXT query to dnslog-cdn-images.freemyip.com every five minutes"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "trapdoor-cross-ecosystem-crypto-stealer",
      "title": "TrapDoor Cross-Ecosystem Crypto Stealer Campaign",
      "summary": "TrapDoor is an active cross-registry supply-chain campaign using npm postinstall hooks, PyPI import-time execution, and Rust build scripts to steal developer, cloud, SSH, and crypto wallet secrets.",
      "date": "2026-05-24",
      "severity": "critical",
      "tags": [
        "supply-chain",
        "npm",
        "pypi",
        "crates.io",
        "credential-theft",
        "crypto"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/trapdoor-cross-ecosystem-crypto-stealer/",
      "ioc_url": "https://haltingproblems.com/analysis/trapdoor-cross-ecosystem-crypto-stealer/ioc.json",
      "indicators": {
        "slug": "trapdoor-cross-ecosystem-crypto-stealer",
        "since": "2026-05-22T20:20:18Z",
        "until": "2026-05-24T23:59:59Z",
        "ecosystem": "npm, pypi, crates.io npmjs.com, pypi.org, crates.io",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "async-pipeline-builder",
          "build-scripts-utils",
          "chain-key-validator",
          "crypto-credential-scanner",
          "defi-env-auditor",
          "defi-threat-scanner",
          "deployment-key-auditor",
          "dev-env-bootstrapper",
          "eth-wallet-sentinel",
          "llm-context-compressor",
          "mnemonic-safety-check",
          "model-switch-router",
          "node-setup-helpers",
          "project-init-tools",
          "prompt-engineering-toolkit",
          "solidity-deploy-guard",
          "token-usage-tracker",
          "wallet-backup-verifier",
          "wallet-security-checker",
          "web3-secrets-detector",
          "workspace-config-loader",
          "cryptowallet-safety",
          "data-pipeline-check",
          "defi-risk-scanner",
          "env-loader-cli",
          "eth-security-auditor",
          "git-config-sync",
          "solidity-build-guard",
          "move-analyzer-build",
          "move-compiler-tools",
          "move-project-builder",
          "sui-framework-helpers",
          "sui-move-build-helper",
          "sui-sdk-build-utils"
        ],
        "versions": [
          "env-loader-cli@0.1.0",
          "env-loader-cli@0.1.1",
          "eth-security-auditor@0.1.0",
          "sui-framework-helpers@0.1.0",
          "PyPI/env-loader-cli 0.1.0",
          "PyPI/env-loader-cli 0.1.1",
          "PyPI/eth-security-auditor 0.1.0",
          "Crates.io/sui-framework-helpers 0.1.0"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "trap-core.js",
          ".cursorrules",
          "CLAUDE.md",
          "build.rs"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "ddjidd564.github.io"
        ],
        "urls": [
          "https://ddjidd564.github.io/defi-security-best-practices/",
          "https://ddjidd564.github.io/defi-security-best-practices/config.json",
          "https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js",
          "https://ddjidd564.github.io/defi-security-best-practices/payloads/risk-profiler.js"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [
          "npm -> node trap-core.js",
          "python -> node -e",
          "cargo -> build.rs"
        ],
        "networkPatterns": [
          "developer or CI host egress to ddjidd564.github.io",
          "post-install GitHub or AWS credential validation"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "mini-shai-hulud-worm",
      "title": "Mini Shai-Hulud Self-Propagating Software Supply Chain Worm",
      "summary": "Mini Shai-Hulud is a self-propagating npm/PyPI supply-chain worm. JFrog's May 12 and May 19 updates add a broader count of 170+ npm and 2 PyPI packages, a 323-package @antv wave, and a related @cap-js/openapi 1.4.1 variant.",
      "date": "2026-05-23",
      "severity": "critical",
      "tags": [
        "npm",
        "pypi",
        "supply-chain",
        "worm",
        "teampcp",
        "slsa",
        "credentials-theft"
      ],
      "sources_count": 14,
      "feed_url": "https://haltingproblems.com/analysis/mini-shai-hulud-worm/",
      "ioc_url": "https://haltingproblems.com/analysis/mini-shai-hulud-worm/ioc.json",
      "indicators": {
        "slug": "mini-shai-hulud-worm",
        "since": "2026-04-20T00:00:00Z",
        "until": "2026-05-23T23:59:59Z",
        "ecosystem": "npm, pypi npm registry, pypi",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "@tanstack/react-router",
          "@tanstack/vue-router",
          "@tanstack/solid-router",
          "@tanstack/react-start",
          "@tanstack/router-core",
          "@antv/g2",
          "@antv/g6",
          "@antv/x6",
          "@antv/l7",
          "@antv/s2",
          "@antv/f2",
          "echarts-for-react",
          "timeago.js",
          "size-sensor",
          "canvas-nest.js",
          "@sap/cds",
          "@sap/cds-dk",
          "opensearch-py",
          "lite-llm",
          "nx-console"
        ],
        "versions": [
          "@tanstack/react-router@1.169.5",
          "@tanstack/react-router@1.169.8",
          "@tanstack/vue-router@1.169.5",
          "@tanstack/vue-router@1.169.8",
          "@tanstack/solid-router@1.169.5",
          "@tanstack/solid-router@1.169.8",
          "@tanstack/react-start@1.167.68",
          "@tanstack/react-start@1.167.71",
          "@antv/g2@4.2.8",
          "@antv/g6@4.8.24",
          "nx-console@18.95.0",
          "@antv/* published 2026-05-19T01:39:00"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "nx-console@18.95.1"
        ],
        "files": [
          "router_init.js",
          "setup_bun.js",
          "bun_environment.js",
          "transformers.pyz",
          "gh-token-monitor"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "filev2.getsession.org",
          "api.masscan.cloud",
          "git-tanstack.com",
          "t.m-kosche.com",
          "www.endorlabs.com",
          "www.microsoft.com",
          "www.sentinelone.com"
        ],
        "urls": [
          "https://filev2.getsession.org/upload",
          "https://api.masscan.cloud/ping",
          "https://www.endorlabs.com/blog/mini-shai-hulud-npm-worm-hits-sap-developer-packages",
          "https://tanstack.com/blog/postmortem-cve-2026-45321",
          "https://www.microsoft.com/en-us/security/blog/hunting-the-shai-hulud-supply-chain-worm",
          "https://www.sentinelone.com/blog/anatomy-of-cve-2026-45321"
        ],
        "ips": [],
        "hashes": [
          "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "microsoft-durabletask-pypi-compromise",
      "title": "Microsoft DurableTask Python SDK PyPI Hijacking",
      "summary": "On May 19, 2026, the official Microsoft durabletask Python SDK was compromised on PyPI. Threat actors used hijacked publishing credentials to directly upload malicious versions containing a cloud credential-harvesting payload.",
      "date": "2026-05-19",
      "severity": "critical",
      "tags": [
        "pypi",
        "package-compromise",
        "supply-chain",
        "credential-theft",
        "microsoft",
        "teampcp"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/microsoft-durabletask-pypi-compromise/",
      "ioc_url": "https://haltingproblems.com/analysis/microsoft-durabletask-pypi-compromise/ioc.json",
      "indicators": {
        "slug": "microsoft-durabletask-pypi-compromise",
        "since": "2026-05-19T06:00:00Z",
        "until": "2026-05-19T23:59:59Z",
        "ecosystem": "pypi, python pypi registry",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "durabletask"
        ],
        "versions": [
          "1.4.1",
          "1.4.2",
          "1.4.3"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "1.4.4"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "www.stepsecurity.io"
        ],
        "urls": [
          "https://www.stepsecurity.io"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "nx-console-extension-compromise",
      "title": "Nx Console VS Code Extension Compromise",
      "summary": "On May 18, 2026, the official Nx Console VS Code extension was compromised when attackers used an OAuth token stolen in the TanStack compromise to publish malicious version v18.95.0, resulting in the theft of 3,800 internal GitHub repositories.",
      "date": "2026-05-18",
      "severity": "critical",
      "tags": [
        "vscode",
        "extension",
        "supply-chain",
        "compromise",
        "oauth",
        "teampcp"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/nx-console-extension-compromise/",
      "ioc_url": "https://haltingproblems.com/analysis/nx-console-extension-compromise/ioc.json",
      "indicators": {
        "slug": "nx-console-extension-compromise",
        "since": "2026-05-11T19:26:00Z",
        "until": "2026-05-19T09:00:00Z",
        "ecosystem": "vs-code-extension-marketplace, open-vsx visual studio marketplace, open vsx",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "nx-console"
        ],
        "versions": [
          "18.95.0",
          "Nx Console v18.95.0"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "18.100.0",
          "18.100.5"
        ],
        "files": [
          "~/.local/share/kitty/cat.py",
          "~/Library/LaunchAgents/com.user.kitty-monitor.plist",
          "/var/tmp/.gh_update_state"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "sfrclak.com",
          "com.user.kitty-monitor.plist"
        ],
        "urls": [
          "https://sfrclak.com/api/v1/beacon",
          "https://nx.dev"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "node-ipc-expired-domain-takeover",
      "title": "Node-IPC Expired Domain & Maintainer Account Hijacking",
      "summary": "On May 14, 2026, the highly popular Node.js library node-ipc was compromised in a major supply chain attack. Attackers re-registered the expired email domain of a dormant lead maintainer to reset their npm account password and publish credential-stealing updates.",
      "date": "2026-05-14",
      "severity": "critical",
      "tags": [
        "package-compromise",
        "maintainer-hijacking",
        "supply-chain",
        "domain-takeover",
        "dns-exfiltration",
        "credential-theft"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/node-ipc-expired-domain-takeover/",
      "ioc_url": "https://haltingproblems.com/analysis/node-ipc-expired-domain-takeover/ioc.json",
      "indicators": {
        "slug": "node-ipc-expired-domain-takeover",
        "since": "2025-01-15T00:00:00Z",
        "until": "2026-05-14T23:59:59Z",
        "ecosystem": "npm, javascript, node.js npm registry",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "node-ipc"
        ],
        "versions": [
          "9.1.6",
          "9.2.3",
          "12.0.1"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "9.1.7",
          "9.2.4",
          "12.0.2"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [
          "https://snyk.io"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "tanstack-pipeline-poisoning",
      "title": "TanStack CI/CD Release Pipeline Poisoning",
      "summary": "On May 11, 2026, the popular open-source project TanStack fell victim to a CI/CD release pipeline poisoning attack. Threat actors hijacked the release pipeline via a pull request exploitation vector and OIDC token theft to publish 84 backdoored versions across 42 packages.",
      "date": "2026-05-11",
      "severity": "critical",
      "tags": [
        "npm",
        "supply-chain",
        "compromise",
        "github-actions",
        "oidc",
        "teampcp"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/tanstack-pipeline-poisoning/",
      "ioc_url": "https://haltingproblems.com/analysis/tanstack-pipeline-poisoning/ioc.json",
      "indicators": {
        "slug": "tanstack-pipeline-poisoning",
        "since": "2026-05-11T19:20:00Z",
        "until": "2026-05-11T23:59:59Z",
        "ecosystem": "npm npmjs.com",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "@tanstack/zod-adapter",
          "@tanstack/router",
          "@tanstack/react-router",
          "@tanstack/react-query",
          "@tanstack/table-core"
        ],
        "versions": [
          "1.166.12",
          "1.166.15",
          "@tanstack/zod-adapter@1.166.12",
          "@tanstack/zod-adapter@1.166.15"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "1.166.16",
          "1.166.17"
        ],
        "files": [
          "router_init.js",
          "tanstack_runner.js"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "git-tanstack.com"
        ],
        "urls": [
          "https://git-tanstack.com",
          "https://tanstack.com",
          "https://snyk.io"
        ],
        "ips": [],
        "hashes": [
          "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "intercom-client-npm-shai-hulud",
      "title": "intercom-client npm Mini Shai-Hulud Compromise",
      "summary": "On April 30, 2026, `intercom-client@7.0.4` on npm introduced a first-ever `preinstall` hook that executed a Bun-launched obfuscated credential stealer and exfiltrated secrets through GitHub APIs.",
      "date": "2026-04-30",
      "severity": "critical",
      "tags": [
        "npm",
        "package-compromise",
        "supply-chain",
        "credential-theft",
        "shai-hulud"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/intercom-client-npm-shai-hulud/",
      "ioc_url": "https://haltingproblems.com/analysis/intercom-client-npm-shai-hulud/ioc.json",
      "indicators": {
        "slug": "intercom-client-npm-shai-hulud",
        "since": "2026-04-30T00:00:00Z",
        "until": "2026-05-01T00:00:00Z",
        "ecosystem": "npm, javascript npm",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "intercom-client"
        ],
        "versions": [
          "7.0.4",
          "intercom-client@7.0.4"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "setup.mjs",
          "router_runtime.js"
        ],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [
          "npm preinstall launches Bun-backed loader files"
        ],
        "networkPatterns": [
          "egress related to intercom-client 7.0.4"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "lightning-pypi-bun-stealer",
      "title": "Lightning PyPI Bun-Based Credential Stealer",
      "summary": "On April 30, 2026, malicious `lightning` PyPI releases 2.6.2 and 2.6.3 shipped an import-time loader that bootstrapped Bun and executed a large obfuscated JavaScript credential stealer.",
      "date": "2026-04-30",
      "severity": "critical",
      "tags": [
        "pypi",
        "package-compromise",
        "supply-chain",
        "credential-theft",
        "shai-hulud"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/lightning-pypi-bun-stealer/",
      "ioc_url": "https://haltingproblems.com/analysis/lightning-pypi-bun-stealer/ioc.json",
      "indicators": {
        "slug": "lightning-pypi-bun-stealer",
        "since": "2026-01-30T00:00:00Z",
        "until": "2026-05-01T00:00:00Z",
        "ecosystem": "pypi, python pypi",
        "cves": [
          "CVE-2026-44484"
        ],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "lightning"
        ],
        "versions": [
          "2.6.2",
          "2.6.3",
          "lightning==2.6.2",
          "lightning==2.6.3"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "setup.mjs",
          "router_runtime.js",
          "Bun launcher"
        ],
        "paths": [],
        "services": [],
        "domains": [],
        "urls": [],
        "ips": [],
        "hashes": [],
        "processPatterns": [
          "Python import-time loader starts Bun and obfuscated JavaScript"
        ],
        "networkPatterns": [
          "egress related to malicious lightning PyPI releases"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "elementary-data-pypi-ghcr-compromise",
      "title": "elementary-data PyPI and GHCR GitHub Actions Compromise",
      "summary": "A malicious `elementary-data==0.23.3` release was pushed to PyPI and GHCR after attackers exploited a GitHub Actions script-injection path, adding an interpreter-startup `.pth` infostealer.",
      "date": "2026-04-25",
      "severity": "critical",
      "tags": [
        "pypi",
        "github-actions",
        "ghcr",
        "supply-chain",
        "credential-theft"
      ],
      "sources_count": 5,
      "feed_url": "https://haltingproblems.com/analysis/elementary-data-pypi-ghcr-compromise/",
      "ioc_url": "https://haltingproblems.com/analysis/elementary-data-pypi-ghcr-compromise/ioc.json",
      "indicators": {
        "slug": "elementary-data-pypi-ghcr-compromise",
        "since": "2026-04-24T22:20:47Z",
        "until": "2026-04-28T00:00:00Z",
        "ecosystem": "pypi, python, container pypi github container registry",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "elementary-data"
        ],
        "versions": [
          "0.23.3",
          "elementary-data==0.23.3",
          "ghcr.io/elementary-data/elementary:0.23.3",
          "ghcr.io/elementary-data/elementary:latest"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "0.23.4"
        ],
        "files": [
          "elementary.pth",
          "trin.tar.gz",
          "$TMPDIR/.trinny-security-update"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud",
          "trin.tar.gz"
        ],
        "urls": [],
        "ips": [],
        "hashes": [
          "sha256:31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255",
          "sha256:b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9",
          "31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255",
          "b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9"
        ],
        "processPatterns": [
          "Python startup executes `elementary.pth`"
        ],
        "networkPatterns": [
          "egress related to elementary-data 0.23.3 package or GHCR image"
        ],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "bitwarden-cli-npm-compromised-action",
      "title": "Bitwarden CLI npm 2026.4.0 Credential Stealer",
      "summary": "Bitwarden confirmed that @bitwarden/cli@2026.4.0 was maliciously distributed through the npm CLI delivery path for a short April 22, 2026 window. JFrog and Socket analysis tied the package to bw_setup.js, bw1.js, Bun bootstrap, audit.checkmarx.cx exfiltration, GitHub fallback channels, and developer/CI credential theft.",
      "date": "2026-04-22",
      "severity": "critical",
      "tags": [
        "npm",
        "supply-chain",
        "bitwarden",
        "github-actions",
        "credential-theft",
        "ci-cd"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/bitwarden-cli-npm-compromised-action/",
      "ioc_url": "https://haltingproblems.com/analysis/bitwarden-cli-npm-compromised-action/ioc.json",
      "indicators": {
        "slug": "bitwarden-cli-npm-compromised-action",
        "since": "2026-04-22T21:22:59Z",
        "until": "2026-04-22T23:59:59Z",
        "ecosystem": "npm",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [],
        "versions": [
          "@bitwarden/cli@2026.4.0"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "bw_setup.js",
          "bw1.js",
          "/tmp/tmp.987654321.lock",
          "package-updated.tgz"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "audit.checkmarx.cx",
          "tmp.987654321.lock",
          "api.github.com"
        ],
        "urls": [
          "https://audit.checkmarx.cx/v1/telemetry",
          "https://api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines&sort=author-date&order=desc&per_page=50",
          "https://api.github.com/search/commits?q=beautifulcastle%20&sort=author-date&order=desc",
          "https://github.com/oven-sh/bun/releases/download/bun-v1.3.13"
        ],
        "ips": [
          "94.154.172.43"
        ],
        "hashes": [
          "18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb",
          "8605e365edf11160aad517c7d79a3b26b62290e5072ef97b102a01ddbb343f14",
          "167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "xinference-pypi-credential-hijack",
      "title": "Xinference PyPI 2.6.x Import-Time Credential Exfiltration",
      "summary": "JFrog reported that the legitimate PyPI package xinference shipped malicious versions 2.6.0, 2.6.1, and 2.6.2 with import-time code in xinference/__init__.py. The payload collected host and secret material into love.tar.gz and posted it to whereisitat.lucyatemysuperbox.space with header X-QT-SR: 14.",
      "date": "2026-04-22",
      "severity": "critical",
      "tags": [
        "pypi",
        "supply-chain",
        "xinference",
        "ai-ml",
        "credential-theft"
      ],
      "sources_count": 2,
      "feed_url": "https://haltingproblems.com/analysis/xinference-pypi-credential-hijack/",
      "ioc_url": "https://haltingproblems.com/analysis/xinference-pypi-credential-hijack/ioc.json",
      "indicators": {
        "slug": "xinference-pypi-credential-hijack",
        "since": "2026-04-22T00:00:00Z",
        "until": "2026-04-23T23:59:59Z",
        "ecosystem": "pypi",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [],
        "versions": [
          "xinference==2.6.0",
          "xinference==2.6.1",
          "xinference==2.6.2"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [
          "xinference/__init__.py",
          "love.tar.gz",
          "f"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "whereisitat.lucyatemysuperbox.space",
          "love.tar.gz"
        ],
        "urls": [
          "https://whereisitat.lucyatemysuperbox.space/"
        ],
        "ips": [],
        "hashes": [
          "e1e007ce4eab7774785617179d1c01a9381ae83abfd431aae8dba6f82d3ac127",
          "077d49fa708f498969d7cdffe701eb64675baaa4968ded9bd97a4936dd56c21c",
          "fe17e2ea4012d07d90ecb7793c1b0593a6138d25a9393192263e751660ec3cd0"
        ],
        "processPatterns": [
          "curl --data-binary",
          "subprocess.Popen"
        ],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "axios-npm-compromise",
      "title": "Axios npm Package Compromise (UNC1069)",
      "summary": "On March 31, 2026, the popular JavaScript HTTP client Axios was compromised when attackers hijacked a lead maintainer's npm account, publishing malicious versions containing a phantom dependency to drop a cross-platform Remote Access Trojan (RAT).",
      "date": "2026-03-31",
      "severity": "critical",
      "tags": [
        "npm",
        "supply-chain",
        "compromise",
        "RAT",
        "waveshaper",
        "unc1069"
      ],
      "sources_count": 9,
      "feed_url": "https://haltingproblems.com/analysis/axios-npm-compromise/",
      "ioc_url": "https://haltingproblems.com/analysis/axios-npm-compromise/ioc.json",
      "indicators": {
        "slug": "axios-npm-compromise",
        "since": "2026-03-31T00:21:00Z",
        "until": "2026-03-31T23:59:59Z",
        "ecosystem": "npm",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "axios",
          "plain-crypto-js"
        ],
        "versions": [
          "axios@1.14.1",
          "axios@0.30.4",
          "plain-crypto-js@4.2.1"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "axios@1.14.0",
          "axios@0.30.3"
        ],
        "files": [
          "/Library/Caches/com.apple.act.mond",
          "%PROGRAMDATA%\\wt.exe",
          "/tmp/ld.py"
        ],
        "paths": [],
        "services": [],
        "domains": [
          "sfrclak.com",
          "com.apple.act.mond"
        ],
        "urls": [
          "https://sfrclak.com/api/v1/beacon",
          "https://sfrclak.com/payloads/",
          "http://sfrclak.com:8000",
          "https://google.com",
          "https://elastic.co",
          "https://paloaltonetworks.com",
          "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
        ],
        "ips": [
          "142.11.206.73"
        ],
        "hashes": [
          "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09",
          "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",
          "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101",
          "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "crypto-key-stealer-typosquats",
      "title": "Crypto Private Key Stealer Solana/Ethereum Typosquats",
      "summary": "On March 24, 2026, threat actors targeted cryptocurrency developers on the npm registry by typosquatting common Solana and Ethereum libraries. The malicious packages silently harvested and exfiltrated wallet private keys to a Telegram Bot C2.",
      "date": "2026-03-24",
      "severity": "critical",
      "tags": [
        "npm",
        "malicious-package",
        "typosquatting",
        "credential-theft",
        "crypto-stealer"
      ],
      "sources_count": 2,
      "feed_url": "https://haltingproblems.com/analysis/crypto-key-stealer-typosquats/",
      "ioc_url": "https://haltingproblems.com/analysis/crypto-key-stealer-typosquats/ioc.json",
      "indicators": {
        "slug": "crypto-key-stealer-typosquats",
        "since": "2026-03-24T00:00:00Z",
        "until": "2026-03-24T23:59:59Z",
        "ecosystem": "npm, javascript npm registry",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "raydium-bs58",
          "base-x-64",
          "bs58-basic",
          "ethersproject-wallet",
          "base_xd"
        ],
        "versions": [
          "1.0.0"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "api.telegram.org"
        ],
        "urls": [
          "https://api.telegram.org/bot7231970337:AAExyV3dvbNs6xkMJB7S2hArUash9owd-bw/sendMessage"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "litellm-pypi-hijacking",
      "title": "LiteLLM Python SDK PyPI Hijacking & Cascading Trust Failure",
      "summary": "On March 24, 2026, the popular LiteLLM Python package was compromised on PyPI. Attackers harvested PyPI publishing secrets from LiteLLM's CI/CD runner via a previously backdoored dependency, then uploaded malicious versions containing a Python startup-hook payload.",
      "date": "2026-03-24",
      "severity": "critical",
      "tags": [
        "pypi",
        "package-compromise",
        "supply-chain",
        "credential-theft",
        "teampcp",
        "cascading-trust"
      ],
      "sources_count": 3,
      "feed_url": "https://haltingproblems.com/analysis/litellm-pypi-hijacking/",
      "ioc_url": "https://haltingproblems.com/analysis/litellm-pypi-hijacking/ioc.json",
      "indicators": {
        "slug": "litellm-pypi-hijacking",
        "since": "2026-03-19T08:00:00Z",
        "until": "2026-03-24T23:59:59Z",
        "ecosystem": "pypi, python pypi registry",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "litellm"
        ],
        "versions": [
          "1.82.7",
          "1.82.8"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "1.83.0"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "www.litellm.ai"
        ],
        "urls": [
          "https://www.litellm.ai"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "trivy-pipeline-compromise",
      "title": "Aqua Security Trivy CI/CD Pipeline & Tag Poisoning",
      "summary": "On March 19, 2026, the widely adopted container vulnerability scanner Trivy was compromised in a major supply chain attack. Cybercrime group TeamPCP poisoned version tags to harvest and exfiltrate runner credentials.",
      "date": "2026-03-19",
      "severity": "critical",
      "tags": [
        "ci-cd",
        "github-actions",
        "supply-chain",
        "tag-poisoning",
        "credential-theft"
      ],
      "sources_count": 7,
      "feed_url": "https://haltingproblems.com/analysis/trivy-pipeline-compromise/",
      "ioc_url": "https://haltingproblems.com/analysis/trivy-pipeline-compromise/ioc.json",
      "indicators": {
        "slug": "trivy-pipeline-compromise",
        "since": "2026-02-28T00:00:00Z",
        "until": "2026-03-20T09:00:00Z",
        "ecosystem": "github-actions, container-images, go github releases, docker hub",
        "cves": [
          "CVE-2026-33634"
        ],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "aquasecurity/trivy-action",
          "aquasecurity/setup-trivy",
          "aquasec/trivy"
        ],
        "versions": [
          "aquasecurity/trivy-action@v0.0.1..v0.34.2",
          "aquasecurity/setup-trivy@v0.2.0..v0.2.6",
          "trivy-binary@v0.69.4",
          "aquasec/trivy:0.69.5",
          "aquasec/trivy:0.69.6",
          "aquasecurity/trivy-action@v0.0.1-v0.34.2",
          "aquasecurity/setup-trivy@v0.2.0-v0.2.6",
          "aquasecurity/trivy@v0.69.4"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "aquasecurity/trivy-action@v0.35.0",
          "aquasecurity/setup-trivy@v0.2.6",
          "trivy-binary@v0.69.7",
          "aquasec/trivy:0.69.7"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "scan.aquasecurtiy.org",
          "www.legitsecurity.com"
        ],
        "urls": [
          "https://scan.aquasecurtiy.org/exfil",
          "https://www.legitsecurity.com",
          "https://github.com/advisories/GHSA-69fq-xp46-6x23"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "spellcheckpy-typosquatting-rat",
      "title": "PyPI spellcheckpy Typosquatting RAT Campaign",
      "summary": "Attackers published typosquatted versions of the popular pyspellchecker library to deliver a Remote Access Trojan (RAT) hidden inside compressed Basque dictionary files.",
      "date": "2026-01-23",
      "severity": "critical",
      "tags": [
        "pypi",
        "typosquatting",
        "rat",
        "malware"
      ],
      "sources_count": 4,
      "feed_url": "https://haltingproblems.com/analysis/spellcheckpy-typosquatting-rat/",
      "ioc_url": "https://haltingproblems.com/analysis/spellcheckpy-typosquatting-rat/ioc.json",
      "indicators": {
        "slug": "spellcheckpy-typosquatting-rat",
        "since": "2025-10-28T00:00:00Z",
        "until": "2026-01-23T23:59:59Z",
        "ecosystem": "pypi pypi",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [
          "spellcheckerpy",
          "spellcheckpy"
        ],
        "versions": [
          "spellcheckerpy@*",
          "spellcheckpy@1.2.0"
        ],
        "affectedVersions": [],
        "fixedVersions": [
          "none"
        ],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "www.aikido.dev",
          "eu.json.gz"
        ],
        "urls": [
          "https://www.aikido.dev/blog/malicious-pypi-packages-spellcheckpy-and-spellcheckerpy-deliver-python-rat",
          "https://helixguard.ai/blog/malicious-spellcheckers-2025-11-19/",
          "https://updatenet.work/update1.php`",
          "https://updatenet.work/settings/history.php`"
        ],
        "ips": [],
        "hashes": [],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    },
    {
      "slug": "semantic-types-pypi-solana-monkey-patch",
      "title": "semantic-types PyPI Solana Keypair Monkey Patch",
      "summary": "Socket reported that semantic-types became malicious at version 0.1.5 and 0.1.6, with five Solana-themed PyPI packages pulling it transitively. The payload monkey-patched solders.keypair.Keypair constructors, encrypted Solana private keys with an RSA-2048 public key, and exfiltrated ciphertext through Solana Devnet SPL memo transactions.",
      "date": "2025-01-26",
      "severity": "high",
      "tags": [
        "pypi",
        "supply-chain",
        "solana",
        "cryptocurrency",
        "monkey-patching"
      ],
      "sources_count": 1,
      "feed_url": "https://haltingproblems.com/analysis/semantic-types-pypi-solana-monkey-patch/",
      "ioc_url": "https://haltingproblems.com/analysis/semantic-types-pypi-solana-monkey-patch/ioc.json",
      "indicators": {
        "slug": "semantic-types-pypi-solana-monkey-patch",
        "since": "2025-01-26T00:00:00Z",
        "until": "2025-05-29T23:59:59Z",
        "ecosystem": "pypi",
        "cves": [],
        "cwes": [],
        "advisoryIds": [],
        "products": [],
        "packages": [],
        "versions": [
          "0.1.5",
          "0.1.6",
          "semantic-types==0.1.5",
          "semantic-types==0.1.6",
          "solana-keypair",
          "solana-publickey",
          "solana-mev-agent-py",
          "solana-trading-bot",
          "soltrade"
        ],
        "affectedVersions": [],
        "fixedVersions": [],
        "files": [],
        "paths": [],
        "services": [],
        "domains": [
          "api.devnet.solana.com",
          "solders.keypair.Keypair"
        ],
        "urls": [
          "https://api.devnet.solana.com"
        ],
        "ips": [],
        "hashes": [
          "5a4d8480c9d1e82ba102f200258882fb9e694e8fc0343b6982c5540beccdca62"
        ],
        "processPatterns": [],
        "networkPatterns": [],
        "telemetrySelectors": []
      }
    }
  ]
}