critical

CVE

CVE-2026-42305, CVE-2026-47712, CVE-2026-45783, CVE-2026-41840, CVE-2026-41842

CWE

CWE-506, CWE-22, CWE-20, CWE-400

Affected Surface

Developer workstations and CI runners that installed malicious dbmux npm releases tied to the Miasma / Phantom Gyp campaign; Python applications and internal tooling that use Dulwich to clone repositories or generate patches from untrusted input; JavaScript libp2p nodes exposing @libp2p/kad-dht in server mode to untrusted peers; Spring MVC and WebFlux applications running vulnerable Spring Framework lines

Welcome to Corgea’s weekly briefing. The briefing covers the most important security findings and research from the week.

This edition covers research published from Tuesday, 10 June through Tuesday, 16 June 2026, excluding items already covered in the 15 June briefing.

Top Article

dbmux npm package used Phantom Gyp to execute Miasma during install

The most important newly uncovered story from this window is dbmux, because it shows the Phantom Gyp Miasma wave did not stop at high-visibility packages. StepSecurity deserves first credit for publicly documenting the binding.gyp execution trick behind Phantom Gyp, while JFrog deserves credit for tying dbmux into the broader Miasma family and surfacing the malicious version cluster. That makes dbmux less of a one-off npm incident and more of a proof that the same operator behavior seen in the Red Hat Cloud Services compromise and the PyPI follow-on Hades wave is still spreading into ordinary developer tooling.

The key thing to remember is that dbmux reinforces the same lesson as Atomic Arch: install-time trust boundaries now cross package metadata, build helpers, and developer endpoints at once. Teams that still treat “no preinstall script” as a meaningful safety check are watching the wrong execution surface.
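The "no preinstall script" blind spot can be checked for directly. The script below is an added example written for this briefing, not code from StepSecurity, JFrog or the dbmux project. It walks an installed node_modules tree and flags two install-time execution paths: declared preinstall/install/postinstall hooks, and the implicit one, where npm runs `node-gyp rebuild` for any package that ships a binding.gyp but declares no install or preinstall script. The sample tree, package names and manifests it builds are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that execute when a dependency is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def audit_package(pkg_dir):
    """Return a list of (finding, detail) tuples for one installed package directory."""
    pkg_dir = Path(pkg_dir)
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [("unreadable-manifest", str(pkg_dir))]
    scripts = manifest.get("scripts") or {}
    findings = [(f"lifecycle-script:{hook}", scripts[hook])
                for hook in INSTALL_HOOKS if hook in scripts]
    # npm's default install step: if binding.gyp is present and neither an install
    # nor a preinstall script is declared, npm runs `node-gyp rebuild`, so a package
    # with no "scripts" block at all still executes code at install time.
    if (pkg_dir / "binding.gyp").exists() and not ({"install", "preinstall"} & set(scripts)):
        findings.append(("implicit-node-gyp-rebuild",
                         "binding.gyp present, no install/preinstall script declared"))
    return findings


def audit_node_modules(root):
    """Audit every package root under node_modules (scoped and nested included)."""
    root = Path(root)
    results = {}
    for manifest in root.rglob("package.json"):
        pkg_dir = manifest.parent
        parent = pkg_dir.parent
        is_plain = parent.name == "node_modules"
        is_scoped = parent.name.startswith("@") and parent.parent.name == "node_modules"
        if is_plain or is_scoped:
            results[pkg_dir.relative_to(root).as_posix()] = audit_package(pkg_dir)
    return results


def build_demo_tree():
    """Construct a throwaway node_modules tree; all packages here are sample data."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    hooked = root / "hooked-pkg"
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(json.dumps(
        {"name": "hooked-pkg", "scripts": {"postinstall": "node setup.js"}}))
    native = root / "@scope" / "native-pkg"        # no scripts block, but a binding.gyp
    native.mkdir(parents=True)
    (native / "package.json").write_text(json.dumps({"name": "@scope/native-pkg"}))
    (native / "binding.gyp").write_text("{}")
    clean = root / "clean-pkg"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "clean-pkg", "scripts": {"test": "jest"}}))
    return root


if __name__ == "__main__":
    for name, findings in sorted(audit_node_modules(build_demo_tree()).items()):
        print(name, findings or "ok")
```

Run it against a real tree with `audit_node_modules("node_modules")` after a lockfile-only install. In CI the cheapest mitigation remains installing with `--ignore-scripts` and allow-listing the few native packages that genuinely need a build step, since that flag also suppresses the implicit node-gyp path this script flags.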

More news

CVE-2026-42305 and CVE-2026-47712: Dulwich 1.2.5 fixes Windows checkout abuse and format_patch path traversal

The most important Python tooling fix from the week is Dulwich 1.2.5, because it closes two different ways attacker-controlled Git metadata could become filesystem writes. GitHub’s advisories credit ctoth with reporting both flaws and jelmer with the remediation. The Windows issue is the headline risk: a malicious repository could plant files under .git/hooks/ or escape the work tree, which puts it in the same workstation-trust category as our earlier nvm mirror command injection coverage and the recent GlassWASM Open VSX extension attack.

What makes this more than a niche library update is that Dulwich is often embedded in automation, internal developer tooling, and repo-processing services rather than used directly by humans. That means repository names, path components, and commit subjects are crossing trust boundaries inside CI and platform workflows that may never run the system Git binary at all.
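Tooling that embeds a Git library and writes to disk on behalf of untrusted repositories should validate repository-supplied names before they reach the filesystem. The functions below are an added example for this briefing, not Dulwich's patch or any part of its API. `is_safe_tree_path` rejects the path shapes that let a tree entry land under .git/ or outside the work tree, including the Windows-only variants (backslash separators, drive-letter colons and NTFS stream syntax, the `GIT~1` short name, trailing dots and spaces, reserved device names). `safe_patch_filename` shows the defensive pattern for deriving a patch file name from a commit subject: reduce the subject to a slug instead of trusting it as a path, then confirm the result stays inside the output directory. The length limit and slug format are assumptions chosen for the example.

```python
import re
from pathlib import Path

# Windows device names are reserved regardless of extension (e.g. "NUL.txt").
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE)


def _is_dot_git(component):
    """True for any spelling Windows or NTFS would resolve to the .git directory."""
    normalized = component.rstrip(". ").lower()   # Windows ignores trailing dots/spaces
    return normalized in (".git", "git~1")        # git~1 is the 8.3 short name of .git


def is_safe_tree_path(path):
    """Validate a repository-supplied tree path before creating it in the work tree."""
    if not path or "\0" in path:
        return False
    if "\\" in path or ":" in path:   # Windows separator, drive letter or NTFS stream
        return False
    if path.startswith("/"):          # absolute paths never come from a tree entry
        return False
    for component in path.split("/"):
        if component in ("", ".", ".."):
            return False
        if _is_dot_git(component) or _RESERVED.match(component):
            return False
    return True


def safe_patch_filename(subject, index, out_dir, max_slug=52):
    """Build NNNN-<slug>.patch from a commit subject without treating it as a path."""
    slug = re.sub(r"[^A-Za-z0-9]+", "-", subject).strip("-")[:max_slug] or "patch"
    out_dir = Path(out_dir).resolve()
    target = (out_dir / f"{index:04d}-{slug}.patch").resolve()
    # The slug alphabet already excludes separators; the containment check is a
    # second line of defence in case the slug rule is ever loosened.
    if target.parent != out_dir:
        raise ValueError(f"patch name escapes output directory: {target}")
    return target


if __name__ == "__main__":
    for candidate in ("src/main.py", ".git/hooks/post-checkout", "GIT~1/hooks/x",
                      "../outside", "C:\\Windows\\x", "docs/NUL.txt"):
        print(f"{candidate!r:32} safe={is_safe_tree_path(candidate)}")
    print(safe_patch_filename("../../Fix: handle ../ in subjects", 1, "."))
```

The same validator should sit in front of every place the library turns repository data into a path: checkout, sparse-checkout patterns, submodule paths and patch output. Note that the check is applied on every platform, not only on Windows, because a repository checked out on Linux is often pulled onto a Windows workstation later.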

CVE-2026-45783: @libp2p/kad-dht lets unauthenticated peers fill disk with unvalidated PUT_VALUE records

The other important infrastructure story is CVE-2026-45783 in @libp2p/kad-dht, where a validator bypass plus an unbounded message loop let any remote peer turn a public DHT node into a disk-exhaustion target. The public js-libp2p advisory does not currently name an external reporter, so the safest credit is to the upstream maintainers for publishing the advisory, proof of concept, and 16.2.6 fix train. The reason it belongs beside this week’s developer-tooling issues is that it is another case where a library-level trust boundary failed open and untrusted input became durable state on disk.

For AppSec teams, the operational lesson lines up with this week’s Netty release train and the Spring fixes below: availability bugs in infrastructure libraries are still production incidents when they sit directly on request, peer, or protocol boundaries. If you run public libp2p nodes, storage isolation and version pinning are not optional hygiene here.

Other news: