High
JetBrains TeamCity Path Traversal — Actively Exploited, CISA KEV
CVE-2024-27199 · CISA KEV · Unauthenticated path traversal
An unauthenticated path traversal vulnerability in the JetBrains TeamCity On-Premises CI/CD server is being actively exploited in the wild, and CISA has added it to the Known Exploited Vulnerabilities catalog. Attackers are using the flaw to read sensitive configuration files, including agent authentication tokens and internal API credentials, without any login. All TeamCity On-Premises versions prior to 2023.11.4 are affected.
Action: Upgrade TeamCity to 2023.11.4 or later, rotate every agent token issued before the upgrade, and keep the server off the public internet.
High
Apache ActiveMQ RCE via Jolokia Bridge
CVE-2026-34197 · Affects <5.19.4 and 6.0.0–6.2.2 · Patched: 5.19.4 / 6.2.3
A remote code execution vulnerability exists in Apache ActiveMQ's Jolokia JMX-over-HTTP bridge. An attacker with network access to the Jolokia endpoint can invoke arbitrary MBean operations and run code on the broker host. Jolokia ships with the ActiveMQ web console, is enabled by default in many deployments, and is frequently reachable from networks it was never meant to serve, so any broker whose management port is visible outside the management segment should be treated as at risk. Affects all ActiveMQ 5.x releases below 5.19.4 and 6.x releases from 6.0.0 through 6.2.2.
Action: Upgrade ActiveMQ to 5.19.4 or 6.2.3. Until then, disable the Jolokia bridge or restrict the management port (8161 by default) to trusted hosts.
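Before trusting a firewall rule or a config change, confirm what the broker actually answers. The probe below is an added example, not ActiveMQ or Jolokia project code. It assumes the default web console port 8161 and the default Jolokia path /api/jolokia, sends the version request with no credentials, and classifies the result: a 200 carrying Jolokia's version document is the exposure described above, a 401 means the console realm is still gating the bridge, and a 404 means the webapp has been removed. The sample response is constructed, so the classifier can be exercised offline.

```python
import json
import socket
import urllib.error
import urllib.request

# Added example, not ActiveMQ or Jolokia project code. Jolokia answers
# GET /api/jolokia/version with a JSON document whose "value" object carries
# the agent and protocol versions; a broker that returns that document without
# credentials has its JMX bridge open to anyone who can reach the port.
JOLOKIA_PATH = "/api/jolokia/version"


def assess_jolokia(status, body):
    """Classify one probe result. status is the HTTP status code, or None when
    no TCP connection could be made; body is the decoded response body."""
    if status is None:
        return "closed"                       # port filtered or nothing listening
    if status in (401, 403):
        return "reachable-auth-required"      # bridge present, credentials enforced
    if status == 404:
        return "reachable-no-jolokia"         # web server up, Jolokia webapp disabled
    if status == 200:
        try:
            doc = json.loads(body)
        except (TypeError, ValueError):
            return "reachable-unknown"        # some other page on the port
        value = doc.get("value") if isinstance(doc, dict) else None
        if isinstance(value, dict) and ("agent" in value or "protocol" in value):
            return "exposed-unauthenticated"  # the finding the advisory is about
    return "reachable-unknown"


def probe(host, port=8161, timeout=3.0):
    """Send the version request without credentials and classify the answer."""
    url = f"http://{host}:{port}{JOLOKIA_PATH}"
    req = urllib.request.Request(url, headers={"User-Agent": "jolokia-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_jolokia(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:       # 401/403/404 arrive here
        return assess_jolokia(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, socket.timeout, OSError):
        return assess_jolokia(None, None)       # refused, filtered, or timed out


# Constructed response for offline use; real Jolokia output has this shape.
SAMPLE_OPEN = json.dumps({"request": {"type": "version"},
                          "value": {"agent": "1.7.2", "protocol": "7.2"},
                          "status": 200})

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["127.0.0.1"]:
        print(target, probe(target))
```

Run it against every broker from a host on the management network and again from an ordinary workstation subnet; "exposed-unauthenticated" from the second vantage point is the case to fix first, but "reachable-auth-required" still means the bridge is one credential away from the vulnerable code path and should not be reachable there either.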
High
CrowdStrike LogScale Unauthenticated Path Traversal
CVE-2026-40050 · SaaS: auto-patched · Self-hosted: manual patch required
An unauthenticated path traversal vulnerability in CrowdStrike LogScale (formerly Humio) lets an attacker read arbitrary files from the server filesystem. CrowdStrike has already patched its SaaS-hosted instances; organizations running self-hosted LogScale clusters must apply the patch themselves. Exposure includes ingested log data, configuration files, and any credentials stored on the LogScale host.
Action: Self-hosted LogScale only — apply patch from CrowdStrike advisory portal.
High
Axios npm Compromise — Sapphire Sleet (DPRK) RAT Deployment
Threat Actor: Sapphire Sleet (DPRK) · Malicious: axios@1.14.1, axios@0.30.4 · CISA KEV adjacent
North Korean threat actor Sapphire Sleet published malicious versions of the widely used axios npm package (1.14.1 and 0.30.4) that pull in plain-crypto-js@4.2.1, which installs a Remote Access Trojan. Because the versions were published under the legitimate package name rather than as typosquats, they look like ordinary axios updates, and once installed they establish persistent C2 channels. Any install or CI run that resolved axios to one of those versions while they were live is potentially compromised; an unpinned caret range (^1.x) would have picked up 1.14.1 automatically.
Action: Audit every lock file (package-lock.json, yarn.lock, pnpm-lock.yaml) for the malicious axios versions and for plain-crypto-js; if found, treat the host as compromised and rotate every secret it could reach.
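The lock file audit in practice, as an added example rather than npm or axios project code. It assumes only the package/version pairs named above; the function names and the sample lock files are constructed for illustration. It handles both lock file formats npm writes (the flat "packages" map of lockfileVersion 2 and 3, and the nested "dependencies" tree of lockfileVersion 1), walks copies nested under other packages, which a grep on the top-level entry alone would miss, and skips lock files vendored under node_modules.

```python
import json
import sys
from pathlib import Path

# Added example, not code from npm or the axios project. The package/version
# pairs come from the advisory above; everything else here is assumed.
MALICIOUS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}


def _record(name, version, path, resolved):
    return {"name": name, "version": version, "path": path, "resolved": resolved}


def scan_lockfile_data(lock):
    """Return every malicious package/version found in a parsed package-lock.json."""
    findings = []
    packages = lock.get("packages")
    if packages is not None:                  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:                      # "" is the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version")
            if version in MALICIOUS.get(name, ()):
                findings.append(_record(name, version, path, meta.get("resolved")))
        return findings

    def walk(deps, prefix):                   # lockfileVersion 1: nested tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            version = meta.get("version")
            if version in MALICIOUS.get(name, ()):
                findings.append(_record(name, version, path, meta.get("resolved")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return findings


def scan_lockfile(path):
    with open(path, encoding="utf-8") as fh:
        return scan_lockfile_data(json.load(fh))


def scan_tree(root):
    """Scan every package-lock.json below root, skipping ones vendored inside node_modules."""
    results = {}
    for lock_path in Path(root).rglob("package-lock.json"):
        if "node_modules" in lock_path.parts:
            continue
        hits = scan_lockfile(lock_path)
        if hits:
            results[str(lock_path)] = hits
    return results


# Constructed sample lock files, not real project data.
SAMPLE_LOCK_V3 = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.13.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.7.9"},                         # clean top-level copy
        "some-sdk": {"version": "2.0.0",
                     "dependencies": {"axios": {"version": "0.30.4"}}},  # bad copy one level down
    },
}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for lock_file, hits in scan_tree(root).items():
        for hit in hits:
            print(f"{lock_file}: {hit['name']}@{hit['version']} at {hit['path']}")
```

Point it at the directory that holds all checked-out repositories. yarn.lock and pnpm-lock.yaml are not JSON and are not parsed here; search those with their own tooling (yarn why axios, pnpm why axios). A hit on plain-crypto-js anywhere in the tree deserves a manual look even if the axios version next to it looks clean.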
High
GitHub Copilot VS Code Extension — Command Injection
CVE-2026-23653 · CVSS: Pending · Tool: GitHub Copilot (VS Code)
A command injection vulnerability in the GitHub Copilot VS Code extension allows a malicious repository to supply input that escapes the extension's shell invocation context and executes arbitrary commands on the developer's machine. The flaw is triggered when Copilot processes inline code suggestions from a repository containing specially crafted comments or docstrings, so working in an untrusted repository with Copilot enabled is sufficient exposure. A CVSS score has not yet been assigned.
Action: Update GitHub Copilot VS Code extension immediately.
High
Vercel / Context.ai OAuth Supply Chain Breach via Lumma Stealer
Actor: Lumma Stealer (initial access broker) · Scope: Vercel developer accounts
Attackers used Lumma Stealer malware to harvest OAuth tokens from developers' machines, then used those tokens to pivot into Vercel projects and Context.ai integrations. The breach exposed deployment tokens, environment variable secrets and, in some cases, production API keys stored in Vercel project settings. The chain shows how credential-stealing malware on a developer endpoint propagates into production through OAuth trust relationships: a stolen token is accepted as-is, without the password or MFA challenge that gated the original login.
Action: Revoke Vercel OAuth tokens, rotate all environment secrets, audit OAuth app grants on both Vercel and GitHub, and clean or reimage affected developer machines before issuing new credentials.
-
01
Do Now
Audit npm lock files for malicious axios versions (Sapphire Sleet DPRK RAT)
Run npm ls axios in every project, or search each lock file with grep -n -A2 'node_modules/axios"' package-lock.json (the two lines after each match carry the resolved version, and the pattern also catches copies nested under other packages); include yarn.lock and pnpm-lock.yaml in the search. If axios@1.14.1 or axios@0.30.4 resolves anywhere in the tree, or plain-crypto-js is present, treat the machine as compromised and rotate every secret it could reach.
-
02
Do Now
Update GitHub Copilot VS Code extension — CVE-2026-23653
Extensions marketplace → GitHub Copilot → Update. Disable Copilot on untrusted repos until confirmed patched.
-
03
Do Now
Upgrade JetBrains TeamCity to 2023.11.4+ — CISA KEV actively exploited
Rotate all agent tokens after upgrade. If upgrade is delayed, restrict TeamCity to internal network only — do not expose externally.
-
04
Today
Upgrade Apache ActiveMQ to 5.19.4 / 6.2.3 — disable Jolokia if unpatched
The Jolokia bridge is enabled by default. Disable it, or restrict the management port (8161 by default) to trusted management hosts only. A patch is available now.
-
05
Today
Revoke Vercel OAuth tokens + rotate env secrets + audit OAuth apps
Lumma Stealer lateral movement via OAuth. Revoke all Vercel tokens, regenerate environment variable secrets, and remove any unrecognized OAuth app authorizations from GitHub and Vercel accounts. Do this from a machine you trust: a still-infected endpoint will leak the new credentials just as it leaked the old ones.
// biggest risk this period
Axios DPRK RAT + Copilot CVE = developer toolchain is the dominant attack surface.
The combination of a nation-state supply chain attack on the most-downloaded HTTP library on npm (axios) and a command injection flaw in GitHub Copilot means the developer environment itself is the primary threat vector this period. Attackers no longer need to breach production infrastructure directly: they compromise developers, then pivot to production through CI/CD pipelines, OAuth grants, and deployment tokens.