critical
CVE
CVE-2026-25244, CVE-2026-45321, CVE-2026-27886, CVE-2026-22599, CVE-2026-22707, CVE-2026-22706, CVE-2025-64526, CVE-2026-46300, CVE-2026-43284, CVE-2026-43500, CVE-2026-41242
CWE
CWE-506, CWE-78, CWE-123, CWE-89, CWE-94, CWE-200, CWE-307, CWE-434, CWE-693, CWE-943
Affected Surface
durabletask 1.4.1 through 1.4.3, nrwl.angular-console 18.95.0, @wdio/browserstack-service <= 9.23.2, github.com/shopsprint/decimal 1.3.3, npm packages, PyPI packages, NuGet packages, RubyGems registry workflows, GitHub Releases, Strapi CMS, Linux kernel, protobufjs
Welcome to Corgea’s weekly briefing. The briefing covers the most important security findings and research from the week.
This edition covers research published from Tuesday, 12 May through Tuesday, 19 May 2026, with a focus on the supply-chain, kernel, and application-security issues that materially change response priorities.
Top Article
durabletask PyPI releases backdoored with multi-cloud credential stealer
The most important late-breaking story is the May 19 PyPI compromise of Microsoft’s durabletask Python SDK. Malicious versions 1.4.1, 1.4.2, and 1.4.3 added import-time Linux droppers that fetched rope.pyz, harvested AWS, Azure, GCP, Kubernetes, Vault, Docker, SSH, package-registry, password-manager, and AI-tool credentials, and attempted lateral movement through AWS SSM and Kubernetes kubectl exec.
Public reporting from Aikido, Endor Labs, SafeDep, Kamil Mankowski’s bad-packages catalog, and Cyber Kendra shows a familiar but worsening TeamPCP pattern: trusted package artifacts, cloud-native secret collectors, encrypted exfiltration, GitHub dead drops, and worm behavior. Treat any Linux host that imported an affected durabletask version as compromised and rotate credentials from a known-clean machine.
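One way to find affected durabletask installs without importing the package is sketched below. This is an added example, not code from any of the cited reports; the function names and the sample requirements text are assumptions made for illustration.

```python
import re
from importlib import metadata

AFFECTED = {"1.4.1", "1.4.2", "1.4.3"}  # malicious versions named in the briefing

# requirements-style pins: durabletask==1.4.2 (optional extras, hashes after)
REQ_PIN = re.compile(r"(?im)^[ \t]*durabletask(?:\[[^\]]*\])?[ \t]*==[ \t]*([\w.]+)")
# poetry.lock / uv.lock style: name = "durabletask" then version = "1.4.2"
LOCK_PIN = re.compile(r'(?im)^name\s*=\s*"durabletask"\s*\n\s*version\s*=\s*"([^"]+)"')

def installed_hits(search_paths=None):
    """Affected installs, found by reading dist-info metadata only.

    importlib.metadata parses METADATA files and never imports the package,
    so running this check does not trigger an import-time payload.
    """
    kwargs = {"path": [str(p) for p in search_paths]} if search_paths else {}
    hits = []
    for dist in metadata.distributions(**kwargs):
        name = (dist.metadata.get("Name") or "").lower().replace("_", "-")
        if name == "durabletask" and dist.version in AFFECTED:
            hits.append((dist.version, str(dist.locate_file(""))))
    return hits

def pinned_hits(text):
    """Affected versions pinned in the text of a requirements or lock file."""
    found = REQ_PIN.findall(text) + LOCK_PIN.findall(text)
    return sorted({v for v in found if v in AFFECTED})

if __name__ == "__main__":
    for version, location in installed_hits():  # current interpreter's sys.path
        print(f"AFFECTED durabletask {version} installed under {location}")
    # Constructed sample input, not taken from any real project:
    sample = "requests==2.32.3\ndurabletask==1.4.2 \\\n    --hash=sha256:<placeholder>\n"
    print(pinned_hits(sample))
```

A hit from either function only establishes exposure; the response steps in the paragraph above still apply to any host that actually imported the package.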
More news
Mini Shai-Hulud npm worm hits AntV, echarts-for-react, and timeago.js
The May 19 Mini Shai-Hulud expansion into the AntV ecosystem and related npm packages remains the largest npm story of the week. The wave affected packages including echarts-for-react, timeago.js, size-sensor, jest-canvas-mock, and hundreds of @antv/* packages. This was not a typosquat: malicious releases were published through accounts with legitimate npm publish access, so projects using broad semver ranges could resolve to poisoned versions during clean installs.
Public reporting from Socket, Aikido, SafeDep, StepSecurity, OpenSource Malware, and package-advisory data shows a familiar pattern from the same TeamPCP supply-chain campaign covered in our TanStack analysis and Cemu release-asset compromise. The payload used install-time execution, GitHub dependency hooks, credential theft, GitHub API dead drops, and package-republishing logic to spread. Treat any developer workstation or CI runner that installed the affected versions as potentially compromised, not just as a dependency-inventory finding.
Mini Shai-Hulud Supply-Chain Worm Compromises TanStack, Mistral AI, UiPath, and 160+ npm Packages
TeamPCP’s May 11 wave remains one of the clearest examples of why package provenance is not a complete safety signal. Wiz, Socket, Aikido, TanStack, and Endor Labs documented how the TanStack compromise chained a privileged pull_request_target workflow, GitHub Actions cache poisoning, and OIDC token theft from runner process memory to publish malicious npm packages with valid trusted-publisher provenance. TanStack later tracked its portion as CVE-2026-45321.
The operational takeaway is urgent for teams that rely on GitHub Actions publishing: restrict OIDC permissions, review cache boundaries, pin third-party actions, and search for the Mini Shai-Hulud persistence paths in .claude, .vscode, and GitHub Actions workflows. This same campaign context helps explain why the AntV npm wave and Cemu GitHub Releases compromise matter beyond their individual package lists.
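The workflow review described above can be partly automated. The following is an added example, not tooling from TanStack or the cited vendors: a line-based audit that flags `pull_request_target` workflows holding `id-token: write`, cache use inside such workflows, and third-party actions not pinned to a full commit SHA. The first-party owner list, the finding strings and the sample workflow are assumptions.

```python
import re

FIRST_PARTY = {"actions", "github"}  # assumption: owners treated as first-party
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
USES = re.compile(r"(?m)^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^\s'\"#]+)")

def audit_workflow(text):
    """Return review findings for the text of one workflow file."""
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)  # drop comment-only lines
    privileged = re.search(r"\bpull_request_target\b", text) is not None
    findings = []
    if privileged and re.search(r"(?m)^[ \t]*id-token:[ \t]*write\b", text):
        findings.append("pull_request_target workflow can request OIDC tokens")
    if privileged and re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text):
        findings.append("pull_request_target workflow references the PR head ref")
    for ref in USES.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local action or container image, not a Git ref to pin
        action = ref.split("@", 1)[0].lower()
        if privileged and action.startswith("actions/cache"):
            findings.append(f"cache used in privileged workflow: {ref}")
        if action.split("/", 1)[0] not in FIRST_PARTY and not FULL_SHA.search(ref):
            findings.append(f"third-party action not pinned to a commit SHA: {ref}")
    return findings

# Constructed workflow for illustration; every name in it is made up.
SAMPLE = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps
      - uses: example-org/size-report@v2
      - uses: example-org/pinned@0123456789abcdef0123456789abcdef01234567 # v1
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Because it matches text rather than parsing YAML, treat its output as a review queue for `.github/workflows/`, not as proof that a workflow is safe.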
Strapi advisory cluster exposes admin token oracle and content-builder SQL injection
Strapi’s mid-May advisory cluster gives application teams a different kind of critical risk: production CMS request paths that can expose admin reset-token material, database-query injection, upload-policy bypasses, session-retention bugs, and rate-limit bypasses. Strapi’s advisories and the follow-on NVD records credit the project with publishing the fixes and affected package ranges for CVE-2026-27886, CVE-2026-22599, CVE-2026-22707, CVE-2026-22706, and CVE-2025-64526.
The highest-risk issue is CVE-2026-27886, where public Content API filtering could act as a boolean oracle against restricted admin-user fields such as reset-password tokens. Teams running Strapi should upgrade, review logs for relational-filter probing, revoke admin and users-permissions sessions, and remove unexpected uploaded active content.
Other news:
- Nx Console VS Code extension 18.95.0 shipped a developer credential stealer - A malicious `nrwl.angular-console` release executed a hidden `npx -y github:nrwl/nx#558b09d7...` task on workspace activation, fetched a Bun payload from a dangling GitHub commit, harvested GitHub, npm, AWS, Vault, Kubernetes, 1Password, SSH, and Claude Code credentials, and installed macOS persistence.
- CVE-2026-25244: WebdriverIO BrowserStack Service executes Git branch names in shell commands - `@wdio/browserstack-service` versions through `9.23.2` interpolated branch names into `execSync()` during smart test selection, letting attacker-controlled Git refs execute shell commands on CI runners and developer machines.
- shopsprint/decimal Go typosquat hides DNS TXT command backdoor - The malicious `github.com/shopsprint/decimal@v1.3.3` module preserved the real `shopspring/decimal` API but added an `init()` goroutine that polled DNS TXT records and executed returned commands for the lifetime of any importing Go process.
- MAL-2026-3744: node-ipc npm releases backdoored with DNS exfiltration stealer - Three malicious `node-ipc` releases were documented after public analysis from Socket, Datadog Security Labs, SafeDep, and Chainguard. The payload ran when the CommonJS module loaded, not through an install script, and exfiltrated gzipped credential archives through DNS TXT queries.
- Backdoored Cemu Linux release assets reused TeamPCP credential-stealer payload - Datadog Security Labs linked swapped Cemu v2.6 Linux GitHub release assets to the Python payload family used in the broader TeamPCP campaign. The incident is a reminder to monitor release-asset deletion, uploaders, timestamps, and hashes, not just source tags.
- Fragnesia: Linux ESP-in-TCP bug revives page-cache root escalation - Wiz disclosed CVE-2026-46300, a Linux kernel ESP-in-TCP local privilege escalation that can corrupt page-cache-backed privileged binaries in memory. The mitigation overlaps with our earlier Dirty Frag coverage: patch kernels, restrict exposed networking primitives, and disable `esp4`, `esp6`, and `rxrpc` where safe.
- Dirty Frag: Linux kernel ESP and RxRPC flaws enable local root escalation - Wiz’s Dirty Frag research, with additional detection guidance from Sysdig and public advisory coverage from the Canadian Centre for Cyber Security, showed how CVE-2026-43284 and CVE-2026-43500 can turn local code execution into root on exposed Linux hosts.
- CVE-2026-41242: protobufjs can execute code from attacker-controlled schemas - The protobufjs advisory and Endor Labs’ analysis explain how unsafe runtime code generation can turn attacker-influenced protobuf schemas or JSON descriptors into JavaScript execution inside Node.js services.
- Five malicious IR.* NuGet packages impersonate Chinese .NET libraries - Socket disclosed five malicious `IR.*` NuGet packages published by `bmrxntfj`, using functional .NET wrappers plus a Reactor-protected infostealer that targets browser credentials, SSH keys, cloud secrets, and crypto wallets.
- GemStuffer abuses RubyGems as a data-exfiltration channel - Socket’s GemStuffer research shows package registries can be abused as outbound data drops, not only inbound dependency channels. Monitor unexpected RubyGems publishing from hosts and CI jobs that should never run `gem push`.