critical
CVE
CVE-2026-10796, CVE-2024-21182
CWE
CWE-506, CWE-494, CWE-829, CWE-522, CWE-78
Affected Surface
npm packages compromised in the Phantom Gyp Miasma wave, PyPI MCP and typo-squatted packages compromised in the Hades follow-on wave, nvm 0.40.4 and earlier configured to use custom mirrors, Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 exposing T3 or IIOP
Welcome to Corgea’s weekly briefing. The briefing covers the most important security findings and research from the week.
This edition covers research published from Tuesday, 2 June through Tuesday, 9 June 2026, excluding items already covered in the 2 June briefing.
Top Article
Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages
The most important story this week is the 3-4 June Phantom Gyp follow-on wave in the broader Miasma campaign. StepSecurity deserves first credit for documenting the binding.gyp execution trick in the wild, while Endor Labs independently confirmed the affected package set and the registry-artifact diff that added a tiny binding.gyp trigger plus a large obfuscated root index.js without changing the legitimate dist/ output. That makes this more than another package compromise: it is a direct demonstration that “no preinstall or postinstall script” is no longer a meaningful safety check for npm consumers.
This is why the story matters beyond the package count. The same operator pattern already showed up in the Red Hat Cloud Services compromise, and the trust-boundary lesson matches the earlier TanStack trusted-publisher breach and the downstream GitHub/Nx repository theft: reviewing source repos or provenance alone is not enough when the registry tarball is where the malicious execution edge lives. For teams that installed affected versions of @vapi-ai/server-sdk, ai-sdk-ollama, or the broader autotel, awaitly, executable-stories, and node-env-resolver families, response should start from the same assumption as the durabletask PyPI compromise: installation was code execution on a privileged workstation or CI runner.
More news
Hades PyPI follow-on hit MCP packages and Python typosquats
The most important PyPI development from 9 June is Hades pivoting from scientific-package lures into MCP and agent-adjacent tooling. Socket deserves credit for tying this follow-on wave to named MCP-focused packages such as openai-mcp, langchain-core-mcp, instructor-mcp, tiktoken-mcp, and ray-mcp-server, while StepSecurity deserves credit for reversing the multi-stage payload, including the .pth startup hooks, split staging, native-extension trigger paths, Bun-executed second stage, and cross-platform memory scraping behavior.
What changes the risk calculation is package placement. A poisoned research library is dangerous, but a poisoned MCP helper or typo-squatted everyday Python package is much more likely to land on the same high-trust developer environments targeted in the TrapDoor multi-registry campaign, the durabletask backdoor, and this week’s Phantom Gyp Miasma wave. That combination of AI-tool targeting, .pth startup execution, and Bun-based payload staging means defenders need to inspect Python wheels with the same registry-artifact skepticism they already learned from recent npm campaigns.
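The .pth startup hook is the part of this chain that survives a reboot and runs before any application code, so it is worth a dedicated check on developer machines and CI images. The audit below is an added example for this briefing, not code from Socket, StepSecurity or any package named above. It relies on CPython's documented site-initialisation behaviour: a line in a .pth file that begins with `import` followed by a space or tab is executed at interpreter startup, while every other non-comment line is only added to sys.path. The sample .pth contents and the red-flag token list are constructed; the one that looks like a hook uses a placeholder string, not a real payload.

```python
import re
import site
from pathlib import Path

# site.py processes .pth files at interpreter startup: a line that starts with
# "import" followed by a space or tab is executed; every other non-comment
# line is treated as a directory to append to sys.path.
EXEC_LINE = re.compile(r"^import[ \t]")

# Constructed token list: none of these belong in a legitimate path hook.
RED_FLAGS = re.compile(
    r"exec\(|eval\(|compile\(|__import__|base64|zlib|marshal|subprocess|os\.system|"
    r"urllib|socket|ctypes|\\x[0-9a-fA-F]{2}"
)


def audit_pth_text(name: str, text: str) -> list:
    """Return one finding per executable line in a .pth file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not EXEC_LINE.match(line):
            continue   # plain path entry or comment: never executed
        severity = "high" if RED_FLAGS.search(line) else "review"
        findings.append({"file": name, "line": lineno, "severity": severity,
                         "code": line.strip()[:160]})
    return findings


def site_package_dirs() -> list:
    """Global and per-user site-packages directories of the running interpreter."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    user = site.getusersitepackages()
    if user:
        dirs.append(user)
    return dirs


def audit_pth_files(dirs=None) -> list:
    """Walk every .pth in the given (or active) site-packages directories."""
    findings = []
    for d in dirs or site_package_dirs():
        for pth in sorted(Path(d).glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(audit_pth_text(str(pth), text))
    return findings


# Constructed samples. The first two shapes are what you normally find;
# the third is the startup-hook shape that should open an incident.
SAMPLE_PATH_ONLY = "/opt/vendor/lib\n# comment\n"
SAMPLE_LEGIT_HOOK = "import _virtualenv\n"
SAMPLE_STARTUP_HOOK = (
    "/opt/vendor/lib\n"
    'import base64;exec(base64.b64decode("CONSTRUCTED_PLACEHOLDER_NOT_A_PAYLOAD"))\n'
)


if __name__ == "__main__":
    for name, text in (("paths.pth", SAMPLE_PATH_ONLY), ("venv.pth", SAMPLE_LEGIT_HOOK),
                       ("hook.pth", SAMPLE_STARTUP_HOOK)):
        print(name, audit_pth_text(name, text) or "no executable lines")
    for finding in audit_pth_files():
        print(finding)
```

Expect a few `review` findings on a healthy machine (virtualenv and setuptools both ship legitimate import-line .pth files), so the useful signal is a new .pth with a `high` finding, or any import line that appeared with a package that has no reason to touch interpreter startup. Run it with the same interpreter the developers and CI jobs use, since each interpreter has its own site-packages.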
CVE-2026-10796 lets hostile mirrors turn nvm install into shell RCE
The most important developer-tooling vulnerability this week is CVE-2026-10796 in nvm <= 0.40.4. GitHub’s GHSA-3c52-35h2-gfmm credits @DavidCarliez with reporting the eval sink in nvm_download(), while ljharb handled the remediation and also identified the related awk-injection sink during the internal fix review. The result is unusually relevant to enterprise environments: a hostile or MITM’d custom mirror can turn ordinary nvm install and checksum resolution into shell command execution on workstations and CI runners.
This belongs in the same operational category as our earlier WebdriverIO BrowserStack command-injection coverage: developer convenience tooling often ends up sitting inside build pipelines with enough authority to become an initial-access path. It also complements the supply-chain lesson from the OpenSearch npm typosquat wave: even “just metadata” or “just a mirror” becomes part of the security boundary once build tooling trusts it enough to resolve versions, download artifacts, or construct commands.
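Until an affected runner is upgraded, the practical control is to refuse to let a custom mirror reach nvm's command construction at all. The pre-flight check below is an added example written for this briefing, not nvm's own code and not a reproduction of the patched function. It assumes two things the page does not state: that the mirror override arrives through the NVM_NODEJS_ORG_MIRROR and NVM_IOJS_ORG_MIRROR environment variables that nvm's README documents, and that `nvm --version` output is passed in by the caller. The allowlist pattern is a constructed policy, deliberately stricter than what a URL parser would accept.

```python
import re

# Last version named as affected by GHSA-3c52-35h2-gfmm (nvm <= 0.40.4).
LAST_AFFECTED = (0, 40, 4)

# Constructed allowlist for a mirror URL: https scheme, host, optional port,
# optional path. No quotes, no $ ( ) ` ; | & < > or whitespace, and no
# percent-escapes, because the value ends up inside shell-built command lines.
SAFE_MIRROR = re.compile(r"^https://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/-]*)?$")

# Environment variables nvm's README documents for mirror overrides (assumption:
# the page does not name the variables, only "custom mirrors").
MIRROR_VARS = ("NVM_NODEJS_ORG_MIRROR", "NVM_IOJS_ORG_MIRROR")


def parse_version(text: str) -> tuple:
    """'v0.40.4' -> (0, 40, 4); missing components are padded with zeros."""
    v = text.strip()
    if v.startswith("v"):
        v = v[1:]
    parts = [int(p) for p in v.split(".")]
    if not parts or len(parts) > 3:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def nvm_version_affected(text: str) -> bool:
    return parse_version(text) <= LAST_AFFECTED


def mirror_url_is_safe(url: str) -> bool:
    return bool(SAFE_MIRROR.match(url))


def preflight(env: dict, nvm_version: str) -> list:
    """Findings for one runner: env is its environment, nvm_version the output of `nvm --version`."""
    findings = []
    affected = nvm_version_affected(nvm_version)
    if affected:
        findings.append(f"nvm {nvm_version} is within the affected range (<= 0.40.4): upgrade before use")
    for var in MIRROR_VARS:
        value = env.get(var)
        if value is None:
            continue
        if not mirror_url_is_safe(value):
            findings.append(f"{var}={value!r} is not a plain https URL; refuse to run nvm install with it")
        elif affected:
            findings.append(f"{var} is set on an affected nvm: the custom mirror is in the CVE-2026-10796 path")
    return findings


if __name__ == "__main__":
    # Constructed runner environment for the demonstration.
    demo_env = {"NVM_NODEJS_ORG_MIRROR": "https://mirror.example.internal/dist$(cmd)"}
    for line in preflight(demo_env, "0.40.4"):
        print("FINDING:", line)
```

Wire `preflight` into the job that provisions Node on CI (the environment dict comes from the runner, the version string from `nvm --version`) and fail the job on any finding. Note that the allowlist also rejects http:// mirrors, which closes the MITM half of the advisory's threat model for runners that have been pointed at an internal plain-HTTP mirror.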
Other news:
- CVE-2024-21182: Oracle WebLogic T3 and IIOP exposure is now exploited - CISA moved this WebLogic flaw into KEV on 1 June after active exploitation, and Oracle’s July 2024 CPU credits Boogipop, J0hNs0N of Qianxin wuji Lab, yemoli, and yulate with reporting CVE-2024-21182. For defenders, the important takeaway is the same one we called out in the exploited Drupal PostgreSQL SQL injection and Langflow KEV chain: once a remotely reachable enterprise platform flaw crosses into known exploitation, patching and protocol exposure review move ahead of routine quarterly maintenance.