npm worm that spreads itself across ecosystems
Namastex npm CanisterWorm: 16 Packages, Recursive Token Theft, Cross-Ecosystem Spread
- 16 Namastex Labs npm packages confirmed compromised, including `@automagik/genie`, `pgserve`, and `@fairwords/websocket`, with malicious versions first published April 21 at 22:14 UTC. The attack techniques match TeamPCP's CanisterWorm in credential theft, exfiltration, and self-propagation, though attribution is unconfirmed. The packages target AI agent tooling and database operations, prioritizing high-value credential access over volume infection.
- The malware harvests npm publish tokens and self-propagates: it enumerates every package the stolen token can publish, injects the payload, and republishes at an incremented version, enabling recursive spread across the victim's entire package portfolio, per StepSecurity's incident write-up.
- If PyPI credentials are found, the worm deploys a `.pth`-based Python payload for cross-ecosystem spread, the same persistence mechanism used in the LiteLLM compromise (previously: the `.pth` file survived `pip uninstall` and exfiltrated ~300 GB).
- Targeted secrets: LLM API keys (OpenAI, Anthropic), npm/PyPI tokens, SSH keys, cloud credentials, CI/CD tokens, K8s configs, Chrome/Firefox data, and crypto wallets (MetaMask, Exodus, Atomic, Phantom). Remove all listed malicious versions, rotate all credentials, and audit for packages sharing the same `public.pem` file or webhook host.
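The two IOC hunts the bullets above call for (a `public.pem` reused across packages, and an executable `.pth` dropped into site-packages) are short enough to script. The block below is an added example written for this briefing; it is not code from StepSecurity, Namastex Labs, or the worm, and it knows nothing about the real malicious versions. The node_modules/site-packages tree, package names, and key bodies are constructed in a temp directory purely for the demo.

```python
"""Audit helper for the two supply-chain IOCs above (added example, not the
page's or any vendor's code).

Two checks:
  1. group installed npm packages by the SHA-256 of any bundled public.pem and
     report hashes shared by more than one package: one attacker key reused
     across a whole portfolio is the tell the write-up points at;
  2. list site-packages .pth files containing lines that begin with "import",
     the lines Python's site.py exec()s on every interpreter start.
The sample tree built by build_sample_tree() is constructed for the demo.
"""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def _package_name(pem: Path) -> str:
    """Name of the npm package that owns `pem`, relative to the nearest node_modules."""
    parts = pem.parts
    last_nm = len(parts) - 1 - parts[::-1].index("node_modules")
    tail = parts[last_nm + 1:]
    # Scoped packages live one directory deeper: node_modules/@scope/name/...
    return "/".join(tail[:2]) if tail[0].startswith("@") else tail[0]


def find_shared_public_pem(node_modules: Path) -> dict[str, list[str]]:
    """Return {sha256: [package, ...]} for public.pem files shared by more than one package."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for pem in node_modules.rglob("public.pem"):
        digest = hashlib.sha256(pem.read_bytes()).hexdigest()
        by_hash[digest].append(_package_name(pem))
    return {h: sorted(set(p)) for h, p in by_hash.items() if len(set(p)) > 1}


def find_executable_pth(site_packages: Path) -> list[tuple[str, str]]:
    """Return (filename, line) for every .pth line that site.py would exec().

    A .pth line is normally a path appended to sys.path; a line starting with
    "import" followed by a space or tab is executed as Python instead, which is
    the hook the .pth persistence abuses.
    """
    hits: list[tuple[str, str]] = []
    for pth in sorted(site_packages.glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, line))
    return hits


def build_sample_tree(root: Path) -> tuple[Path, Path]:
    """Constructed layout: two packages share one key, a third has its own key,
    and one of two .pth files carries an executable line. All names are made up."""
    nm, sp = root / "node_modules", root / "site-packages"
    shared_key = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-ATTACKER-KEY\n-----END PUBLIC KEY-----\n"
    vendor_key = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-VENDOR-KEY\n-----END PUBLIC KEY-----\n"
    for pkg, key in (("@example/agent-cli", shared_key),
                     ("db-helper", shared_key),
                     ("harmless-lib", vendor_key)):
        (nm / pkg).mkdir(parents=True)
        (nm / pkg / "public.pem").write_bytes(key)
    sp.mkdir(parents=True)
    (sp / "easy-install.pth").write_text("./harmless_lib-1.0-py3.egg\n")
    (sp / "zz_runtime.pth").write_text("import os; os.getenv('HOME')  # constructed executable line\n")
    return nm, sp


def demo_report() -> dict:
    """Build the sample tree in a temp dir and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        nm, sp = build_sample_tree(Path(tmp))
        return {"shared_pem": find_shared_public_pem(nm),
                "executable_pth": find_executable_pth(sp)}


if __name__ == "__main__":
    report = demo_report()
    for digest, pkgs in report["shared_pem"].items():
        print(f"public.pem sha256 {digest[:16]}... shared by: {', '.join(pkgs)}")
    for fname, line in report["executable_pth"]:
        print(f"{fname}: executable .pth line {line!r}")
```

Point `find_shared_public_pem` at a real `node_modules` and `find_executable_pth` at each interpreter's `site-packages` (including virtualenvs and CI runner images); a `.pth` whose `import` line is not explained by an installed package's `RECORD` deserves the same treatment as a matching `public.pem`.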
Mythos: Contractor Credentials Breached on Day One; Open-Weights Models Closing the Gap
- A Discord group gained unauthorized access to Claude Mythos Preview on April 7 — the day of announcement — using a contractor's credentials combined with API endpoint knowledge obtained from the Mercor breach (previously: Mercor confirmed 4TB exfiltration including cloud secrets and SSH keys). Anthropic confirmed "unauthorized access through one of our third-party vendor environments"; other unreleased Anthropic models were reportedly also accessed.
- Mozilla received early Glasswing access and reports Mythos found 271 vulnerabilities in Firefox; however, flyingpenguin.com analysis documents significant ambiguity in the count — credible interpretations of the same data range from 3 validated exploitables to 271 raw findings. Per Cybernews, Mozilla has fixed the confirmed issues.
- Vidoc Security Lab and Aisle startup report that publicly available open-weights models — GPT-OSS-120b, DeepSeek R1, Qwen3, Gemma 4, and Claude Opus 4.6 — reproduce much of Mythos' zero-day discovery output when run inside agentic scanning workflows; researchers conclude "the moat is moving up the stack from model access to validation, prioritization, and remediation."
- The UK AI Safety Institute found exploitable weaknesses in every frontier model it red-teamed, including Mythos, per AISI CTO Jade Leung — indicating the autonomous vulnerability discovery capability is not unique to Anthropic's restricted offering.
Critical Patches: ASP.NET Core OOB (CVSS 9.1), Atlassian CVSS 10.0 Jira mXSS, Spring Auth Server
- Microsoft released an out-of-band patch for CVE-2026-40372 (CVSS 9.1) in ASP.NET Core 10.0.0–10.0.6: a regression in `Microsoft.AspNetCore.DataProtection` computed the HMAC over the wrong payload bytes, enabling attackers to forge authentication cookies, antiforgery tokens, and API keys, achieving SYSTEM privilege escalation on Linux/macOS. Fixed in ASP.NET Core 10.0.7. Rotate the DataProtection key ring after upgrading: the patch corrects the MAC computation but does not invalidate tokens, forged or legitimately issued, that were minted under the existing keys during the vulnerable window.
- Atlassian's April 21 Security Bulletin (38 vulnerabilities in total) includes CVE-2024-47875 (CVSS 10.0), a mutation XSS in Jira Software and Jira Service Management Data Center; CVE-2026-21571 (CVSS 9.4) in Bamboo Data Center/Server, an OS command injection via a third-party dependency allowing authenticated RCE across versions 9.6.x–12.1.x, fixed in 12.1.6/10.2.18/9.6.25; and CVE-2022-1471 (CVSS 9.8), the SnakeYAML deserialization RCE, in Confluence and Jira Service Management. No confirmed exploitation yet.
- CVE-2026-22752 in Spring Security 7.0.0–7.0.4 and Spring Authorization Server 1.3.0–1.5.6 allows an attacker with a valid Initial Access Token to register a malicious OAuth client via the Dynamic Client Registration endpoint, yielding stored XSS, SSRF into backend infrastructure, and privilege escalation over all downstream OAuth-protected services. Patched April 21: Spring Security → 7.0.5; Spring Auth Server → 1.3.11/1.4.10/1.5.7. Disable Dynamic Client Registration as an interim workaround if not required.
GitHub Actions Issue-Body Injection in Microsoft Repo; Softr in Phishing; Crimson Collective; Oracle CPU
- Tenable disclosed a CVSS 9.3 RCE in Microsoft's public `Windows-driver-samples` repository (~7,700 stars): a workflow inserted the raw `github.event.issue.body` into a Python here-doc without sanitization, allowing any free GitHub account to inject and execute arbitrary Python on the runner and expose the `GITHUB_TOKEN`. Fixed March 13 via PR #1355. Audit all workflows for direct interpolation of `github.event.issue.body`, `github.event.pull_request.title`, or similar untrusted inputs into script execution contexts.
- Cisco Talos' Q1 2026 Incident Response Report documents the first confirmed use of a vibe coding platform in an attack: threat actors used Softr (an AI no-code builder) to build an OWA credential-harvesting page with zero custom code, capturing submissions to Google Sheets. Phishing returned to the #1 initial access vector (35%+ of engagements); MFA weaknesses, including bypasses via new-device enrollment, appeared in 35% of engagements.
- Crimson Collective used TruffleHog to scan thousands of GitHub repos after obtaining initial access via an accidentally published PAT; the client secrets it found enabled Azure cloud storage access via the Microsoft Graph API, and the attackers injected credential-harvesting code into multiple repos before containment, a live example of open-source secret-scanning tooling repurposed for offense.
- Oracle's April 2026 Critical Patch Update patches 450 unique CVEs across 28 product families in 481 security updates; 34 issues (7.1%) carry CVSS 9.0+. Prioritize Database, Fusion Middleware, and WebLogic components.
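The audit the Windows-driver-samples bullet recommends is mechanical enough to script. The block below is an added example for this briefing, not Tenable's tooling or Microsoft's fix: it walks a workflow's `run:` steps (single-line values and `|`/`>` block scalars) and flags any `${{ ... }}` expression that reads from event fields an outside contributor controls. The untrusted-context list follows GitHub Security Lab's published guidance and is a starting point rather than an exhaustive catalogue; the two workflows are constructed for the demo and show the vulnerable shape (expression expanded straight into a here-doc) beside the hardened shape (expression bound under `env:`, read back as a variable). Quoting the here-doc does not help in the vulnerable form, because the runner substitutes `${{ }}` into the script text before the shell ever sees it.

```python
"""Workflow-injection audit (added example; not the page's or any vendor's code).

Flags untrusted `${{ ... }}` expressions inside `run:` scripts and leaves the
same expressions alone when they sit under `env:`, which is the safe place for
them: there the value becomes an ordinary environment variable instead of
script source. The two workflow texts below are constructed for the demo.
"""
import re

# Event fields a low-privilege or unauthenticated user controls (starting point,
# following GitHub Security Lab's untrusted-input list; extend as needed).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:"
    r"issue\.(?:title|body)"
    r"|pull_request\.(?:title|body|head\.ref|head\.label|head\.repo\.default_branch)"
    r"|comment\.body|review\.body|review_comment\.body"
    r"|discussion\.(?:title|body)"
    r"|head_commit\.(?:message|author\.(?:name|email))"
    r"|commits\[\d*\]\.(?:message|author\.(?:name|email))"
    r"|pages\[\d*\]\.page_name"
    r"))\s*\}\}"
)
# A `run:` key, optionally as the first key of a list item ("- run:").
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for untrusted expressions inside run: scripts."""
    findings: list[tuple[int, str]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        # Column of the word "run": sibling keys of the same step sit at this
        # column, block-scalar body lines sit deeper.
        key_col = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        script = [(i + 1, value)]
        i += 1
        if value.startswith(("|", ">")):  # YAML block scalar: body follows, indented
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_col):
                script.append((i + 1, lines[i]))
                i += 1
        for line_no, content in script:
            findings.extend((line_no, hit.group(0)) for hit in UNTRUSTED.finditer(content))
    return findings


# Constructed vulnerable workflow: the issue body is pasted into Python source.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Parse issue
        run: |
          python3 - <<'EOF'
          body = '''${{ github.event.issue.body }}'''
          print(body.splitlines()[0])
          EOF
"""

# Constructed hardened workflow: same logic, body arrives as an env var.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Parse issue
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          python3 - <<'EOF'
          import os
          body = os.environ.get("ISSUE_BODY", "")
          print(body.splitlines()[0] if body else "")
          EOF
"""


def demo() -> dict[str, list[tuple[int, str]]]:
    return {"vulnerable": scan_workflow(VULNERABLE_WORKFLOW),
            "hardened": scan_workflow(HARDENED_WORKFLOW)}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'no untrusted expression in run: scripts'}")
```

Run `scan_workflow` over every file under `.github/workflows/`; a hit on a workflow triggered by `issues`, `issue_comment`, or `pull_request_target` is the combination that hands a stranger code execution with the repository's `GITHUB_TOKEN`. Inputs passed to `with:` blocks of script-running actions deserve the same scrutiny and are out of scope for this regex.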
Wiz AI-BOM at Google Cloud Next; Moltbook's 1.5M Token Breach; SOC Agents Now Rewrite Firewall Rules
- Google Cloud Next 2026 shipped Wiz AI-BOM, Agent Gateway, and cryptographic agent identity: AI-BOM dynamically inventories all AI frameworks, models, MCP servers, and IDE extensions across an environment to surface shadow AI; Agent Gateway enforces A2A/MCP connection policies with Model Armor; Gemini Enterprise Agent Platform assigns unique cryptographic identities to agents for access governance. Wiz scanning integrates directly inside Lovable, AWS Agentcore, Azure Copilot Studio, and Salesforce Agentforce. Google Security Operations adds Threat Hunting, Detection Engineering, and Third-Party Context agents — the existing Triage agent has processed 5M+ alerts, compressing 30-minute manual analysis to ~60 seconds.
- Moltbook (social network for AI agents) was breached, exposing 35,000 emails and 1.5M API tokens including plaintext OpenAI API keys and agent hijack tokens found in private messages — illustrating "toxic combinations": cross-app OAuth/API chains where each individual grant appears benign but the combined trust relationship (IDE → Slack → CRM → email) was never explicitly authorized. Recommended control: treat all AI agents and MCP servers as non-human identities requiring owners, review dates, and scope audits.
- Adversaries hijacked AI security tools at 90+ organizations in the past year; autonomous SOC agents now shipping can rewrite firewall rules and modify IAM policies, outpacing the governance frameworks designed to contain them, per VentureBeat analysis. CSA separately finds AI agents caused cybersecurity incidents at two-thirds of firms in the past 12 months, with data exposure and financial losses among confirmed outcomes.
- Mondoo launched a free AI Skills Security Checker — an agent-agnostic scanner covering AI skill registries across platforms — and Operant AI launched CodeInjectionGuard for runtime interception of malicious code at the point of AI agent execution, directly targeting the MemoryTrap and ToolJack attack classes disclosed in Issue #13.