The Perimeter · Issue 06-05-2026

npm supply chain keeps burning; Drupal core SQLi joins KEV

This week's signal concentrates in two places: the npm/Composer supply chain (TanStack and Nx Console added to CISA KEV after credential-stealing republishes, Laravel Lang historical releases backdoored, a 176-package npm campaign targeting internal dependency confusion) and authoritative content/identity stacks (Drupal core SQL injection added to KEV, authentik SAML Source signature wrapping, Palo Alto PAN-OS auth bypass on KEV). WordPress operators get a concrete unauth admin-creation bug in WP Maps Pro, and Mandiant published a real-world ViewState/machine-key RCE chain in Japanese LMS KnowledgeDeliver that's a useful template for anyone auditing .NET shared-secret defaults. If you run Composer or npm installs against production, recalculate your trust assumptions on historical package versions — not just latest — and confirm your build pipelines pin and verify.
Published: Friday, June 5, 2026
Entries: 12
Cadence: Weekly · Fridays
Curator: Brad Anderson
Wire
cisa.gov: New addition to the Known Exploited Vulnerabilities catalog
github.com: GHSA: critical npm package compromise affecting CI pipelines
wordfence.com: WordPress plugin vulnerability with active exploitation
drupal.org: Highly critical core security advisory published
aws.amazon.com: AWS security bulletin: IAM policy evaluation update
unit42.paloaltonetworks.com: Threat actor expands toolkit targeting public-facing PHP apps
krebsonsecurity.com: Breach disclosure with named victim and confirmed initial vector
snyk.io: Composer dependency advisory affecting production framework versions
01

Web Application

frameworks · browsers · authentication flows

no entries this week

02

Supply Chain

packages · build systems · dependency attacks

176-package npm campaign targets internal dependency-confusion names

Sonatype documented a coordinated campaign of 176 malicious npm packages, many published with version 99.99.99 to win semver resolution against internal packages. Names mimic typical private scopes used inside enterprises, fitting the long-running dependency-confusion playbook. Payloads target build-time credential exfiltration.

npm registry
Fruition take

Confirm your npm registry config scopes private packages to your internal registry (`@yourorg:registry=`) and that public-registry installs cannot satisfy those names. CI logs showing a 99.99.99 resolution for any internal-looking package should be treated as a build compromise until proven otherwise.
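As an added example (not code from the page or from Sonatype), a lockfile audit that turns the take above into a CI gate: it flags any private-scope package whose `resolved` URL is not your internal registry and any package pinned at the campaign's 99.99.99 sentinel version. The scope `@yourorg`, the host `npm.internal.example` and the lockfile contents are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed package-lock.json (lockfileVersion 3 "packages" layout), illustration only.
SAMPLE_LOCK = json.dumps({
    "name": "internal-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "internal-app", "version": "1.0.0"},
        "node_modules/@yourorg/auth-client": {
            "version": "99.99.99",
            "resolved": "https://registry.npmjs.org/@yourorg/auth-client/-/auth-client-99.99.99.tgz"},
        "node_modules/@yourorg/logger": {
            "version": "2.4.1",
            "resolved": "https://npm.internal.example/@yourorg/logger/-/logger-2.4.1.tgz"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    },
})

# Hypothetical values: your private scope and the host of your internal registry.
PRIVATE_SCOPES = ("@yourorg",)
INTERNAL_REGISTRY_HOST = "npm.internal.example"
# Version the page reports the campaign used to win semver resolution.
SENTINEL_VERSIONS = {"99.99.99"}

def audit_lockfile(lock_text, private_scopes=PRIVATE_SCOPES,
                   internal_host=INTERNAL_REGISTRY_HOST):
    """Return (package, version, reason) for every entry that should fail the build:
    a private-scope package resolved from anywhere but the internal registry, or any
    package pinned at a dependency-confusion sentinel version."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        host = urlparse(meta.get("resolved", "")).hostname or ""
        is_private = name.startswith(tuple(s + "/" for s in private_scopes))
        if is_private and host != internal_host:
            findings.append((name, version, f"private scope resolved from '{host}'"))
        if version in SENTINEL_VERSIONS:
            findings.append((name, version, "dependency-confusion sentinel version"))
    return findings
```

Run it against every lockfile in the repo as a pre-install step and fail the job on any finding; the two reasons are reported separately so a public-registry resolution is caught even when the attacker picks a less obvious version.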

Nx Console and TanStack added to KEV after credential-stealing package republishes

CISA added CVE-2026-48027 (Nx Console) and CVE-2026-45321 (TanStack) to KEV. Both were compromised package distributions: malicious Nx Console versions fetched obfuscated payloads to harvest credentials from disk and memory, and TanStack saw malicious npm versions published under trusted maintainer identity. Both fit the post-Shai-Hulud pattern of trusted-publisher compromise targeting developer machines.

CVE-2026-48027 · CVE-2026-45321 · Nx Console · TanStack · npm
Fruition take

Audit any developer workstation or CI runner that installed Nx Console or TanStack packages in the affected window — rotate npm tokens, GitHub PATs, and any cloud credentials present in shell environment or ~/.aws. Pin both packages to known-good versions in lockfiles before re-enabling installs.

Laravel Lang Packagist releases republished with credential-stealing malware

Snyk reported that hundreds of historical Laravel Lang releases on Packagist were republished with malicious code designed to steal credentials and exfiltrate secrets during Composer install. Because the malicious code was inserted into back-versions, simply pinning to an older tag did not protect installs. Laravel Lang is a translation pack used across many Laravel applications.

laravel-lang on Packagist · Composer
Fruition take

Re-resolve composer.lock on any Laravel project that pulled laravel-lang/* in the last two weeks and compare hashes to the new clean releases. Scan CI runners and developer machines for outbound calls from PHP processes during install, and rotate any tokens that lived in those environments.

03

Infrastructure

kubernetes · cloud · network · ingress

LiteSpeed cPanel Plugin local privilege escalation added to KEV

CISA added CVE-2026-48172 to KEV: a privilege escalation flaw in the LiteSpeed cPanel Plugin that lets any cPanel user account execute arbitrary scripts as root via the user-end plugin. The plugin is common in shared hosting and small-tenant deployments where LiteSpeed accelerates WordPress and other PHP workloads.

CVE-2026-48172 · LiteSpeed cPanel Plugin
Fruition take

If any client is hosted on cPanel + LiteSpeed (common with reseller hosting), confirm with the provider that the plugin has been patched. Treat any tenant on a shared cPanel box as compromised-until-proven-otherwise if the host hasn't updated.

Mandiant: KnowledgeDeliver LMS RCE via shared ASP.NET ViewState machine keys

Mandiant attributed a late-2025 web server compromise to CVE-2026-5426 in KnowledgeDeliver, a Japanese LMS. Multiple customer deployments shipped with identical pre-shared ASP.NET machine keys, enabling unauthenticated ViewState deserialization RCE. The attacker injected malicious code into the LMS to compromise visitors. A clean reminder that cryptographic defaults shared across tenants are a single point of failure.

CVE-2026-5426 · KnowledgeDeliver LMS · ASP.NET
Fruition take

If you operate any ASP.NET application — bespoke or vendor-shipped — verify `machineKey` is unique per environment and not the vendor default. Mandiant's writeup is a good template for an internal hunt across .NET assets you may have inherited from acquisitions.
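An added example (not from Mandiant's writeup or any vendor) of the hunt the take describes: it reads a set of `web.config` files, fingerprints each explicit `<machineKey>` and reports any key material reused across deployments, plus MD5/SHA1 validation. The file names and key strings are constructed placeholders; the hash is used so findings can be circulated without copying live keys.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config fragments for four deployments (illustration only; the key
# strings are placeholders, not any vendor's real default values).
CONFIGS = {
    "tenant-a/web.config": """<configuration><system.web>
      <machineKey validationKey="PLACEHOLDER-VKEY-SHARED" decryptionKey="PLACEHOLDER-DKEY-SHARED"
                  validation="HMACSHA256" decryption="AES"/></system.web></configuration>""",
    "tenant-b/web.config": """<configuration><system.web>
      <machineKey validationKey="PLACEHOLDER-VKEY-SHARED" decryptionKey="PLACEHOLDER-DKEY-SHARED"
                  validation="HMACSHA256" decryption="AES"/></system.web></configuration>""",
    "tenant-c/web.config": """<configuration><system.web>
      <machineKey validationKey="PLACEHOLDER-VKEY-UNIQUE" decryptionKey="PLACEHOLDER-DKEY-UNIQUE"
                  validation="SHA1" decryption="AES"/></system.web></configuration>""",
    "tenant-d/web.config": "<configuration><system.web/></configuration>",
}
WEAK_VALIDATION = {"MD5", "SHA1"}

def machine_key_fingerprints(configs):
    """Map deployment -> (fingerprint, validation alg). Fingerprint is None when no
    explicit <machineKey> is set, in which case ASP.NET auto-generates per server."""
    out = {}
    for name, text in configs.items():
        mk = next(ET.fromstring(text).iter("machineKey"), None)
        if mk is None or "validationKey" not in mk.attrib:
            out[name] = (None, None)
            continue
        material = (mk.get("validationKey") + "|" + mk.get("decryptionKey", "")).encode()
        # Hash the material so the report never carries the live key itself.
        out[name] = (hashlib.sha256(material).hexdigest()[:16], mk.get("validation", "").upper())
    return out

def audit_machine_keys(configs):
    """Return (deployment, reason) findings: key material reused across deployments
    (the KnowledgeDeliver condition) and weak validation algorithms."""
    fps = machine_key_fingerprints(configs)
    users = {}
    for name, (fp, _) in fps.items():
        if fp:
            users.setdefault(fp, []).append(name)
    findings = []
    for name, (fp, alg) in fps.items():
        if fp and len(users[fp]) > 1:
            others = [n for n in users[fp] if n != name]
            findings.append((name, "machineKey shared with " + ", ".join(others)))
        if alg in WEAK_VALIDATION:
            findings.append((name, f"weak validation algorithm {alg}"))
    return findings
```

Point `CONFIGS` at the real files gathered from your .NET hosts; a shared fingerprint across unrelated tenants or environments is the finding to chase first.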

04

PHP & CMS

wordpress · drupal · plugins · php frameworks

▲ headline

Drupal core SQL injection (SA-CORE-2026-004) on PostgreSQL added to CISA KEV

Drupal core's database abstraction API contains an SQL injection flaw exploitable by anonymous users on PostgreSQL-backed sites, leading to information disclosure and potentially privilege escalation or RCE. Affects Drupal 8.9.0 through 11.3.x prior to 11.3.10 across the 10.5, 10.6, 11.0, 11.2, 11.3 branches. CISA added CVE-2026-9082 to the KEV catalog this week; Drupal rates the issue 23/25 (highly critical) and reports known exploit activity.

CVE-2026-9082 · Drupal core 8.9–11.3 · PostgreSQL backends
Fruition take

If you run any Drupal site on PostgreSQL, patch this week — anonymous exploitation and KEV listing mean scanners and opportunistic actors are already moving. Sites on MySQL/MariaDB are not in scope per Drupal's advisory, but confirm your DB driver in settings.php before standing down.

WP Maps Pro: unauthenticated administrator account creation (15,000 sites)

Wordfence disclosed an unauthenticated administrator account creation vulnerability in the WP Maps Pro WordPress plugin, sold to over 15,000 sites. Exploitation results in full site takeover with no authentication required. Reported March 24, 2026; patched version available.

WP Maps Pro (WordPress plugin)
Fruition take

Grep wp-content/plugins for wp-maps-pro across managed WordPress fleets and patch or disable today — unauthenticated admin creation is the worst-case primitive and a favorite of opportunistic mass scanners.

Drupal AlternativeCommerce Basket: unauthenticated PHP object injection RCE

The Drupal Basket (AlternativeCommerce) contrib module passes user-supplied data to PHP `unserialize()` without sanitization, enabling PHP Object Injection. With a viable gadget chain, this yields arbitrary PHP code execution. Drupal rates it highly critical (22/25). Affected versions <2.1.17; fixed in 2.1.17.

CVE-2026-9726 · Drupal AlternativeCommerce (Basket) <2.1.17
Fruition take

If any Drupal commerce site you operate has Basket installed, upgrade to 2.1.17 immediately and pull web logs for POST bodies containing serialized PHP markers (`O:`, `a:`) at suspicious endpoints. Contrib RCEs on commerce modules are catnip for skimmer crews.
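As an added example (not code from the page, Drupal or the Basket module), the log sweep the take suggests: URL-decode each POST body once and match the serialized-PHP markers. The object header `O:<len>:"<class>":<n>:{` is the high-confidence signal; the bare array marker `a:` is common in legitimate input and is reported at lower confidence. The log lines and endpoint paths are constructed.

```python
import re
from urllib.parse import unquote_plus

# PHP serialized object header: O:<name_len>:"<Class\Name>":<prop_count>:{
PHP_OBJECT = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
# Array header a:<count>:{ is also a marker the take mentions, but it is common in
# legitimate PHP input, so it is reported at lower confidence.
PHP_ARRAY = re.compile(r'a:\d+:\{')

# Constructed log lines in a "METHOD PATH BODY" shape (illustration only).
SAMPLE_LOG = """\
POST /basket/add item_id=42&qty=1
POST /basket/restore data=O%3A11%3A%22Basket_Item%22%3A1%3A%7Bs%3A2%3A%22id%22%3Bs%3A2%3A%2242%22%3B%7D
POST /basket/sort prefs=a%3A2%3A%7Bi%3A0%3Bs%3A4%3A%22name%22%3Bi%3A1%3Bs%3A5%3A%22price%22%3B%7D
GET /basket/view
"""

def scan_log(text):
    """Return (line_no, confidence, decoded_body) for each POST body that carries
    PHP serialization markers after one round of URL-decoding."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue
        body = unquote_plus(parts[2])  # decode %3A, %22, %7B ... back to : " {
        if PHP_OBJECT.search(body):
            hits.append((line_no, "high", body))
        elif PHP_ARRAY.search(body):
            hits.append((line_no, "low", body))
    return hits
```

Adapt the line split to your log format (most access logs need the body from a WAF or app log, not the default combined format), and decode a second time if your front end double-encodes.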

Wordfence: CyberPanel SnappyMail log file abused as persistent root webshell

Wordfence forensics describe an attacker abusing CyberPanel's SnappyMail webmail logging to write attacker-controlled content into a PHP-executable log path, producing a root-level webshell that survived repeated WordPress cleanups. Useful pattern recognition for incident responders dealing with reinfection on hosts running CyberPanel as the control plane.

CyberPanel SnappyMail
Fruition take

On any CyberPanel-managed host, audit SnappyMail and webmail log paths for .php extensions and writable-by-web directories. WordPress-only cleanup misses control-plane persistence — scope IR to the full host when CyberPanel is in the picture.

05

Identity & Auth

oauth · saml · iam · session attacks

Source: github.com · CVSS 8.5

authentik SAML Source vulnerable to XML Signature Wrapping

authentik's SAML Source ACS endpoint mis-validates signed upstream SAML responses, allowing XML Signature Wrapping. Any user with an account at the upstream IdP can reuse a valid signed assertion to authenticate as any other federated user. Fixed in authentik 2026.5.1, 2026.2.4, and 2025.12.6. Only deployments using SAML Source for upstream federation are affected.

CVE-2026-47201 · authentik SAML Source
Fruition take

If a client portal uses authentik as a SAML SP in front of an enterprise IdP, upgrade this week and audit the IdP's login logs for federated sessions that don't match expected user agents or geos. Deployments using only OIDC sources are out of scope.
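An added illustration (not authentik's code or its fix) of the binding check that defeats signature wrapping at an ACS endpoint: after the `ds:Signature` has been verified cryptographically elsewhere, the SP must still confirm that the element the signature's `Reference` covers is the one Assertion it is about to trust, and that the signature is enveloped by that element. The SAML documents below are constructed and minimal; real responses carry conditions, audience and timestamps that this check does not replace.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, minimal SAML Response: one Assertion carrying an enveloped signature.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# Constructed negative case: the same response with a second, unsigned Assertion appended.
TWO_ASSERTIONS = GOOD_RESPONSE.replace("</samlp:Response>",
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>x</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>')

class SamlBindingError(Exception):
    pass

def consumed_assertion(response_xml):
    """Return the one Assertion the SP may consume, or raise SamlBindingError.
    Assumes the caller has already verified ds:Signature cryptographically; this
    only checks that the signed element is the one the login flow will read."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlBindingError(f"expected exactly one Assertion, found {len(assertions)}")
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise SamlBindingError(f"expected exactly one Reference, found {len(refs)}")
    signed_id = refs[0].get("URI", "").lstrip("#")
    # The Reference must point at the Assertion itself or at the enclosing Response ...
    if signed_id not in (assertions[0].get("ID"), root.get("ID")):
        raise SamlBindingError("signature Reference does not cover the consumed Assertion")
    # ... and the Signature must be enveloped by that same element, not parked elsewhere.
    signed_parent = next(e for e in root.iter() if e.find("ds:Signature", NS) is not None)
    if signed_parent.get("ID") != signed_id:
        raise SamlBindingError("ds:Signature is not enclosed by the element it references")
    return assertions[0]

def accepts(response_xml):
    """True when consumed_assertion() hands back an Assertion, False when it rejects."""
    try:
        consumed_assertion(response_xml)
        return True
    except SamlBindingError:
        return False
```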

06

Threat Intel

active exploitation · breaches · ransomware

▲ headline

Palo Alto PAN-OS authentication bypass added to CISA KEV

CISA added CVE-2026-0257 to KEV: a PAN-OS authentication bypass that lets attackers establish an unauthorized VPN connection. Federal agencies are required to apply vendor mitigations under BOD 22-01. No CVSS published in the KEV entry, but unauthenticated VPN access on a perimeter device is the worst class of bug for this product family.

CVE-2026-0257 · Palo Alto Networks PAN-OS · GlobalProtect
Fruition take

If PAN-OS terminates client VPN or GlobalProtect in front of any client environment you operate, apply Palo Alto's fix or mitigation now and pull GlobalProtect auth logs for unexpected sessions. Treat any unfamiliar VPN session since the advisory as suspect until proven otherwise.

Carnival confirms breach of ~6M records via compromised employee account

Carnival disclosed that an attacker accessed a limited portion of its IT environment in April 2026 after compromising an employee account, copying personal information of nearly 6 million people. The named initial-access vector — a single employee account — fits the pattern of session/identity theft via infostealers feeding extortion crews.

Carnival Corporation
Fruition take

Re-check whether VPN and admin portals for your client environments require phishing-resistant MFA, not push or SMS. A single stolen session cookie remains the most common path into a multi-million-record breach.