Deserialization of untrusted data in Mirasvit Full Page Cache Warmer for Magento enabling unauthenticated RCE via crafted CacheWarmer cookie. CVSS score 9.8. Active exploitation targeting gaming and business sites globally.
Update to Mirasvit version 1.11.12 or later (released May 25, 2026) immediately. Federal deadline June 6, 2026. Review web server logs for exploitation indicators.
Source: CISA • Published: 2026-06-05
Authenticated local command injection in Cisco Catalyst SD-WAN Manager CLI allowing arbitrary commands as root. Seventh SD-WAN vulnerability exploited in wild in 2026. Reported by Mandiant with no patches currently available.
No workaround available. Monitor Cisco security advisories for patches. Implement Cisco-provided IoCs and restrict CLI access to trusted administrators only.
Source: CISA • Published: 2026-06-05
Supply chain attack compromising 32 npm packages under @redhat-cloud-services namespace (80,000 weekly downloads) via compromised Red Hat employee GitHub account. Malware named Miasma bypassed code review and carries authentic provenance signatures.
Audit all npm installs from June 1, 2026. Remove malicious @redhat-cloud-services packages. Rotate all credentials including cloud access tokens, GitHub PATs, and npm tokens. Review GitHub Actions OIDC workflows.
Source: GTIG • Published: 2026-06-01
TeamPCP threat actor compromised LiteLLM PyPI publishing credentials (95M monthly downloads) via Trivy scanner compromise in CI/CD pipeline. Malicious versions 1.82.7 and 1.82.8 deployed three-stage attack harvesting credentials, attempting Kubernetes lateral movement, and installing systemd backdoor.
Immediately uninstall litellm versions 1.82.7 and 1.82.8. Use version 1.82.6 or earlier, or 1.83.0 and later. Rotate all cloud credentials including AWS/GCP/Azure IAM keys and Kubernetes tokens. Audit CI/CD security scanning tools.
Source: GTIG • Published: 2026-03-24
North Korean APT Sapphire Sleet compromised Axios npm versions 1.14.1 and 0.30.4 with multi-platform RAT payloads (macOS, Windows, Linux). Auto-update mechanisms caused widespread compromise of projects using version ranges ^1.14.0 or ^0.30.0.
Downgrade Axios to safe versions (below 1.14.0 or 0.30.0, or latest patched version). Clear package lockfiles and reinstall. Rotate all credentials and API keys. Monitor for connections to Sapphire Sleet C2 infrastructure.
Source: GTIG • Published: 2026-03-31
Multiple RCE vulnerabilities in Claude Code including code injection via user consent bypass (CVSS 8.7), configuration override via .mcp.json (CVE-2025-59536), and API key theft without user interaction (CVE-2026-21852). Exploitation via untrusted project hooks and MCP server configurations.
Update Claude Code to latest patched versions. Audit all untrusted repositories before opening in Claude Code. Review and restrict MCP server configurations. Rotate Anthropic API keys if exposed to untrusted repositories.
Source: GTIG • Published: 2026-06-05
Vulnerability in GitHub Codespaces allowing repository takeover via malicious Copilot instructions in GitHub issues. Passive prompt injection leaks GitHub tokens through crafted pull requests with symbolic links to internal files and remote JSON schema exfiltration.
Ensure GitHub Codespaces updated to patched version. Audit GitHub Actions workflows for suspicious activity. Review GitHub issue content for hidden prompt injections. Rotate GitHub tokens if Codespaces used with untrusted repositories.
Source: GTIG • Published: 2026-06-05
Threat actor using Cursor and Claude Opus AI agents to build ransomware toolkit automating Active Directory discovery and EDR evasion. Includes Cobalt Strike profiles, Telegram bot C2, Python shellcode injectors, and Cloudflare Worker redirectors tested against major EDR vendors.
Enhance EDR detection rules for AI-assisted malware patterns. Monitor for Telegram-based C2 traffic and Cloudflare Worker abuse. Implement behavioral analysis for shellcode injection techniques. Review Active Directory security posture and segmentation.
Source: GTIG • Published: 2026-06-05
CVE-2026-45247: Deserialization of untrusted data in Mirasvit Full Page Cache Warmer for Magento enabling unauthenticated RCE via crafted CacheWarmer cookie. CVSS score 9.8. Active exploitation targeting gaming and business sites globally.