Vulnerability research, advisories, and technical analysis from Corgea.https://corgea.com/https://corgea.com/research/cifswitch-linux-cifs-spnego-upcall-root/https://corgea.com/research/cifswitch-linux-cifs-spnego-upcall-root/CIFSwitch is a Linux kernel and cifs-utils privilege escalation where an unprivileged process can forge a cifs.spnego key request, make request-key launch cifs.upcall as root, and force NSS code execution inside an attacker-controlled namespace.Mon, 01 Jun 2026 00:00:00 GMThttps://corgea.com/research/gitea-forgejo-private-container-registry-bypass/https://corgea.com/research/gitea-forgejo-private-container-registry-bypass/CVE-2026-27771 is a Gitea container registry authorization flaw where unauthenticated requests could pull private OCI image manifests and layers from affected self-hosted instances, exposing application code, dependencies, and secrets baked into images.Mon, 01 Jun 2026 00:00:00 GMThttps://corgea.com/research/roberts-leads-packagist-famous-chollima-loader/https://corgea.com/research/roberts-leads-packagist-famous-chollima-loader/The Packagist package roberts/leads exposed a poisoned development branch as dev-drewroberts/feature/test-case, where tailwind.js appended obfuscated JavaScript that resolved payload material through TRON, Aptos, and BNB Smart Chain before executing it in Node.js.Mon, 01 Jun 2026 00:00:00 GMThttps://corgea.com/research/oob-moika-npm-dependency-confusion-recon/https://corgea.com/research/oob-moika-npm-dependency-confusion-recon/Public reporting tied at least 179 malicious npm package-version records to an oob.moika.tech dependency-confusion campaign that abused internal-looking scopes, postinstall hooks, inflated versions, and detached JavaScript payloads to inventory developer and CI environments.Sun, 31 May 2026 00:00:00 GMThttps://corgea.com/research/vpmdhaj-opensearch-npm-cloud-ci-secrets/https://corgea.com/research/vpmdhaj-opensearch-npm-cloud-ci-secrets/A May 28 npm campaign published 14 OpenSearch, ElasticSearch, DevOps, and config lookalikes that executed during npm install, loaded a Bun-based credential harvester, and targeted cloud and CI/CD secrets.Sun, 31 May 2026 00:00:00 GMThttps://corgea.com/research/cve-2026-48864-libsolv-solv-page-decompression-overflow/https://corgea.com/research/cve-2026-48864-libsolv-solv-page-decompression-overflow/A high-severity libsolv flaw lets attacker-controlled .solv cache data reach unchecked decompression paths in repopagestore page loading, creating out-of-bounds memory access in tooling that parses untrusted package metadata caches.Fri, 29 May 2026 00:00:00 GMThttps://corgea.com/research/js-logger-pack-microsoftsystem64-huggingface-exfiltration/https://corgea.com/research/js-logger-pack-microsoftsystem64-huggingface-exfiltration/Recent js-logger-pack npm releases and related logger packages deliver MicrosoftSystem64, a cross-platform Node SEA implant that persists on Windows, macOS, and Linux, logs keystrokes, scans developer secrets, and uploads stolen data to private Hugging Face datasets.Fri, 29 May 2026 00:00:00 GMThttps://corgea.com/research/sicoob-sdk-nuget-pfx-certificate-exfiltration/https://corgea.com/research/sicoob-sdk-nuget-pfx-certificate-exfiltration/Malicious Sicoob.Sdk NuGet releases 2.0.0 through 2.0.4 impersonated an official Brazilian banking SDK, then exfiltrated client IDs, PFX passwords, base64-encoded PFX certificate archives, and boleto responses from the SicoobClient constructor.Fri, 29 May 2026 00:00:00 GMThttps://corgea.com/research/tinymce-47759-47762-stored-xss-sanitizer-bypass/https://corgea.com/research/tinymce-47759-47762-stored-xss-sanitizer-bypass/TinyMCE disclosed four high-severity stored-XSS vulnerabilities across npm, NuGet, and Composer packages, affecting data-mce-* attributes, nested SVG namespace handling, media plugin embeds, and forged mce:protected comments.Fri, 29 May 2026 00:00:00 GMThttps://corgea.com/research/codexui-android-openai-token-stealer/https://corgea.com/research/codexui-android-openai-token-stealer/The npm package codexui-android, also pulled by Android apps at runtime, added registry-only code that reads Codex auth.json, XOR-encodes the full OpenAI OAuth token blob, and posts it to sentry.anyclaw.store on every launch.Thu, 28 May 2026 00:00:00 GMThttps://corgea.com/research/velora-dex-sdk-npm-minirat-macos-backdoor/https://corgea.com/research/velora-dex-sdk-npm-minirat-macos-backdoor/JINX-0164's npm compromise of @velora-dex/sdk 9.4.1 appended three registry-only lines to dist/index.js, causing any require() or import of the DeFi SDK to fetch a macOS shell dropper and install a Go backdoor with launchctl persistence.Thu, 28 May 2026 00:00:00 GMThttps://corgea.com/research/cve-2026-48172-litespeed-cpanel-root-privilege-escalation/https://corgea.com/research/cve-2026-48172-litespeed-cpanel-root-privilege-escalation/CISA added CVE-2026-48172 to KEV after active exploitation of LiteSpeed's User-End cPanel Plugin. A vulnerable Redis enable/disable JSON API path exposed to cPanel users can execute attacker-controlled scripts with root privileges on shared Linux hosting servers.Wed, 27 May 2026 00:00:00 GMThttps://corgea.com/research/joomla-5-4-6-6-1-1-com-users-privilege-escalation/https://corgea.com/research/joomla-5-4-6-6-1-1-com-users-privilege-escalation/Joomla's 26 May security release fixes critical access-control failures in the com_users batch task and group-editing webservice endpoint. CVE-2026-48898 and CVE-2026-48904 affect Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0.Wed, 27 May 2026 00:00:00 GMThttps://corgea.com/research/snipe-it-8-4-1-api-privilege-escalation-xss-open-redirect/https://corgea.com/research/snipe-it-8-4-1-api-privilege-escalation-xss-open-redirect/Snipe-IT 8.4.1 fixes three newly published CVEs, led by CVE-2026-44832: an API permission-assignment bug where a user with users.edit could set permissions[admin]=1 on their own account.Wed, 27 May 2026 00:00:00 GMThttps://corgea.com/research/cve-2026-9082-drupal-postgresql-sql-injection-kev/https://corgea.com/research/cve-2026-9082-drupal-postgresql-sql-injection-kev/CVE-2026-9082 is a highly critical Drupal core SQL injection in the PostgreSQL database abstraction path where crafted anonymous requests can influence query construction, leading to information disclosure, privilege escalation, and possible remote code execution; CISA added it to KEV after exploit attempts were observed in the wild.Tue, 26 May 2026 00:00:00 GMThttps://corgea.com/research/laravel-lang-composer-tag-rewrite-credential-stealer/https://corgea.com/research/laravel-lang-composer-tag-rewrite-credential-stealer/The Laravel-Lang compromise rewrote trusted Composer tags across four community packages so that normal Laravel and Symfony bootstraps loaded a malicious src/helpers.php dropper through autoload.files, fetching a PHP stealer from flipboxstudio.info and targeting cloud, CI/CD, Kubernetes, Vault, browser, SSH, and developer secrets.Tue, 26 May 2026 00:00:00 GMThttps://corgea.com/research/trapdoor-npm-pypi-crates-crypto-stealer/https://corgea.com/research/trapdoor-npm-pypi-crates-crypto-stealer/TrapDoor is a coordinated multi-registry malware campaign affecting 34 package names across npm, PyPI, and Crates.io, with ecosystem-specific execution paths for postinstall hooks, Python import-time remote JavaScript execution, and Rust build.rs scripts targeting crypto, DeFi, AI, and security developers.Tue, 26 May 2026 00:00:00 GMThttps://corgea.com/research/weekly-briefing-26-05-2026/https://corgea.com/research/weekly-briefing-26-05-2026/Corgea's weekly briefing for 19-26 May 2026 covers the GitHub internal repository breach tied to the Nx Console compromise, TrapDoor's multi-registry package malware campaign, exploited Drupal and Langflow KEV vulnerabilities, Laravel-Lang tag rewrites, TensorRT-LLM deserialization flaws, the art-template browser exploit-chain compromise, and a Linux ptrace local privilege escalation.Tue, 26 May 2026 00:00:00 GMThttps://corgea.com/research/art-template-npm-coruna-ios-exploit-kit/https://corgea.com/research/art-template-npm-coruna-ios-exploit-kit/Compromised npm releases of art-template appended browser-side script loaders to lib/template-web.js, sending downstream site visitors through hidden iframes into a Safari/iOS exploit delivery framework instead of only stealing developer secrets at install time.Fri, 22 May 2026 00:00:00 GMThttps://corgea.com/research/cve-2025-34291-langflow-cors-refresh-token-rce/https://corgea.com/research/cve-2025-34291-langflow-cors-refresh-token-rce/CISA added CVE-2025-34291 to KEV after exploitation of a Langflow chain where wildcard credentialed CORS and a SameSite=None refresh-token cookie let a malicious webpage mint API tokens and reach authenticated code-execution endpoints.Fri, 22 May 2026 00:00:00 GMThttps://corgea.com/research/cve-2026-46333-linux-ptrace-pidfd-getfd-lpe/https://corgea.com/research/cve-2026-46333-linux-ptrace-pidfd-getfd-lpe/CVE-2026-46333 is a Linux kernel ptrace authorization flaw where pidfd_getfd can race a dying privileged process after it drops credentials, duplicating sensitive file descriptors such as /etc/shadow, SSH host keys, or authenticated system D-Bus sockets.Fri, 22 May 2026 00:00:00 GMThttps://corgea.com/research/cve-2025-33255-cve-2026-24142-nvidia-tensorrt-llm-deserialization/https://corgea.com/research/cve-2025-33255-cve-2026-24142-nvidia-tensorrt-llm-deserialization/CVE-2025-33255 and CVE-2026-24142 affect NVIDIA TensorRT-LLM before 1.2, where unsafe deserialization in MPI and serialized weight-handle paths could turn crafted control-plane data into code execution, data tampering, information disclosure, or denial of service.Thu, 21 May 2026 00:00:00 GMThttps://corgea.com/research/github-breach-vscode-extension-supply-chain-may-2026/https://corgea.com/research/github-breach-vscode-extension-supply-chain-may-2026/TeamPCP exploited a cascading supply chain attack from TanStack to Nx Console to a GitHub employee workstation to exfiltrate approximately 3,800 private GitHub repositories containing infrastructure configs, deployment scripts, staging credentials, and internal API schemas.Thu, 21 May 2026 00:00:00 GMThttps://corgea.com/research/nx-console-vscode-extension-credential-stealer-may-2026/https://corgea.com/research/nx-console-vscode-extension-credential-stealer-may-2026/A malicious 18.95.0 release of the Nx Console VS Code extension executed a hidden npx task on workspace activation, fetched an obfuscated Bun payload from a dangling nrwl/nx commit, harvested developer and cloud credentials, installed macOS persistence, and demonstrated the same auto-update path now tied to GitHub internal repository exposure.Wed, 20 May 2026 00:00:00 GMThttps://corgea.com/research/shopsprint-decimal-go-typosquat-dns-backdoor/https://corgea.com/research/shopsprint-decimal-go-typosquat-dns-backdoor/The typosquatted Go module github.com/shopsprint/decimal copied the popular shopspring/decimal API, then weaponized version 1.3.3 with an init() goroutine that polls DNS TXT records and executes returned commands.Wed, 20 May 2026 00:00:00 GMThttps://corgea.com/research/webdriverio-browserstack-service-branch-command-injection/https://corgea.com/research/webdriverio-browserstack-service-branch-command-injection/WebdriverIO BrowserStack Service versions through 9.23.2 interpolate attacker-controlled Git branch names into execSync() calls during test orchestration smart selection, allowing command injection on CI runners and developer machines.Wed, 20 May 2026 00:00:00 GMThttps://corgea.com/research/antv-mini-shai-hulud-npm-worm-may-2026/https://corgea.com/research/antv-mini-shai-hulud-npm-worm-may-2026/TeamPCP's Mini Shai-Hulud campaign expanded on May 19 with hundreds of malicious npm releases across the AntV data-visualization ecosystem and related packages including echarts-for-react, timeago.js, size-sensor, and jest-canvas-mock.Tue, 19 May 2026 00:00:00 GMThttps://corgea.com/research/durabletask-pypi-credential-stealer-teampcp-may-2026/https://corgea.com/research/durabletask-pypi-credential-stealer-teampcp-may-2026/Three malicious PyPI releases of Microsoft's durabletask Python SDK, versions 1.4.1 through 1.4.3, executed an import-time Linux dropper that fetched rope.pyz, harvested cloud and developer secrets, and attempted lateral movement through AWS SSM and Kubernetes.Tue, 19 May 2026 00:00:00 GMThttps://corgea.com/research/weekly-briefing-19-05-2026/https://corgea.com/research/weekly-briefing-19-05-2026/Corgea's weekly briefing for 12-19 May 2026 covers the durabletask PyPI compromise, the Mini Shai-Hulud expansion into AntV and related npm packages, the Nx Console extension compromise, WebdriverIO command injection, and other important supply-chain, kernel, and application-security research from the week.Tue, 19 May 2026 00:00:00 GMThttps://corgea.com/research/cemu-linux-release-assets-teampcp-malware/https://corgea.com/research/cemu-linux-release-assets-teampcp-malware/Cemu v2.6 Linux GitHub release assets were deleted and re-uploaded with a Python zipapp payload tied to the TanStack and Mistral TeamPCP supply-chain campaign, exposing users who ran the AppImage or Ubuntu ZIP to credential theft and possible destructive behavior.Sun, 17 May 2026 00:00:00 GMThttps://corgea.com/research/strapi-may-2026-admin-token-oracle-query-injection/https://corgea.com/research/strapi-may-2026-admin-token-oracle-query-injection/Five Strapi advisories published in mid-May affect npm packages across the Strapi CMS stack, including a critical unauthenticated admin reset-token oracle in @strapi/strapi and a critical Content-Type Builder SQL injection in @strapi/content-type-builder and @strapi/plugin-content-type-builder.Sun, 17 May 2026 00:00:00 GMThttps://corgea.com/research/node-ipc-npm-credential-stealer-dns-exfiltration/https://corgea.com/research/node-ipc-npm-credential-stealer-dns-exfiltration/Three npm releases of node-ipc, versions 9.1.6, 9.2.3, and 12.0.1, were published with an obfuscated CommonJS payload that steals developer and CI credentials and exfiltrates gzipped archives through DNS TXT queries.Fri, 15 May 2026 00:00:00 GMThttps://corgea.com/research/fragnesia-linux-esp-in-tcp-page-cache-lpe/https://corgea.com/research/fragnesia-linux-esp-in-tcp-page-cache-lpe/CVE-2026-46300, nicknamed Fragnesia, is a new Linux kernel XFRM ESP-in-TCP local privilege escalation that lets unprivileged local attackers corrupt read-only file contents in page cache and execute a root shell from a patched-in-memory system binary.Thu, 14 May 2026 00:00:00 GMThttps://corgea.com/research/gemstuffer-rubygems-registry-exfiltration-campaign/https://corgea.com/research/gemstuffer-rubygems-registry-exfiltration-campaign/GemStuffer is a RubyGems registry-abuse campaign that published 155 junk package artifacts containing scraped UK council portal data, using hardcoded RubyGems API keys and valid .gem archives as a public data drop.Wed, 13 May 2026 00:00:00 GMThttps://corgea.com/research/cve-2026-41242-protobufjs-schema-code-execution/https://corgea.com/research/cve-2026-41242-protobufjs-schema-code-execution/protobufjs before 7.5.5 and 8.0.1 can turn schema metadata into executable JavaScript through unsafe runtime code generation, exposing Node.js services that load attacker-influenced protobuf definitions or JSON descriptors.Tue, 12 May 2026 00:00:00 GMThttps://corgea.com/research/dirty-frag-linux-kernel-esp-rxrpc-lpe/https://corgea.com/research/dirty-frag-linux-kernel-esp-rxrpc-lpe/Dirty Frag chains CVE-2026-43284 in Linux kernel ESP/IPsec handling with CVE-2026-43500 in RxRPC to turn local access into root on many Linux distributions, with public proof-of-concept code available before broad vendor patch coverage.Tue, 12 May 2026 00:00:00 GMThttps://corgea.com/research/malicious-nuget-ir-packages-credential-stealer/https://corgea.com/research/malicious-nuget-ir-packages-credential-stealer/A NuGet campaign published five IR.* packages under the bmrxntfj account, using functional .NET library wrappers plus a Reactor-protected infostealer to target browser credentials, SSH keys, cloud secrets, and crypto wallets across developer workstations and CI systems.Tue, 12 May 2026 00:00:00 GMThttps://corgea.com/research/tanstack-supply-chain-attack-mini-shai-hulud/https://corgea.com/research/tanstack-supply-chain-attack-mini-shai-hulud/TeamPCP launched a coordinated supply-chain attack against the npm and PyPI ecosystems, compromising 373 malicious package versions across 169 package names including @tanstack/react-router, @mistralai/mistralai, and @uipath packages. TanStack's npm compromise is now tracked as CVE-2026-45321 after attackers used a misconfigured CI workflow, cache poisoning, and OIDC token theft to publish malware with trusted provenance.Tue, 12 May 2026 00:00:00 GMThttps://corgea.com/research/cve-2026-6907-django-vary-star-cache/https://corgea.com/research/cve-2026-6907-django-vary-star-cache/Django's UpdateCacheMiddleware could cache responses that explicitly declared themselves uncacheable for shared caches, creating a path for private data exposure.Wed, 06 May 2026 00:00:00 GMT