3 ecosystems breached in 48 hours, rotate now

Three Ecosystems Hit in 48 Hours: Checkmarx KICS, Bitwarden CLI, xinference

  • TeamPCP compromised Checkmarx KICS Docker Hub and VS Code extensions (April 22): malicious tags v2.1.20 and alpine plus VS Code extension versions cx-dev-assist 1.17.0/1.19.0 and ast-results 2.63.0/2.66.0 harvest GitHub tokens, AWS/Azure/GCP creds, SSH keys, npm configs, and MCP configs — exfiltrating to audit.checkmarx[.]cx/v1/telemetry, then injecting rogue .github/workflows/format-check.yml workflows that siphon CI/CD secrets before self-deleting. This is TeamPCP's second Checkmarx attack in two months.
  • @bitwarden/cli@2026.4.0 was compromised via GitHub Actions and published to npm today — Socket found the malicious code in bw1.js; JFrog confirmed it steals GitHub/npm tokens, .ssh, .env, shell history, and cloud secrets, exfiltrating via private domains and as GitHub commits. Researcher Adnan Khan: "the first time a package using npm trusted publishing has been compromised." The malicious version is pulled from npm; rotate all secrets on any system that ran it.
  • xinference on PyPI saw three consecutive malicious releases on April 22 carrying a credential stealer targeting SSH keys, cloud credentials, env vars, and crypto wallets; StepSecurity attributes the pattern to TeamPCP, though the unencrypted C2 exfiltration has led some researchers to flag a possible copycat.
  • GitGuardian's 48-hour campaign synthesis links all three campaigns — Checkmarx KICS, Namastex CanisterSprawl (Issue #14), and xinference — as sharing one objective: credential exfiltration from CI/CD pipelines. CanisterSprawl adds ICP canister-based C2 for decentralized resilience. Any team running KICS, @bitwarden/cli@2026.4.0, or xinference in the April 21–23 window should treat all accessible secrets as compromised.
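
To triage exposure to the versions named above, the following added sketch (not from this newsletter's sources or any vendor tooling) checks npm lockfiles, VS Code extension folders, KICS image references and git history against those indicators. The `checkmarx/kics` repository name, the `publisher.name-version` folder layout, the `checkmarx` publisher prefix and all sample inputs are assumptions or constructed values.

```python
import json

# Indicators copied from the items above; sample inputs below are constructed.
BAD_NPM = {"@bitwarden/cli": {"2026.4.0"}}
BAD_VSCODE = {"cx-dev-assist": {"1.17.0", "1.19.0"},
              "ast-results": {"2.63.0", "2.66.0"}}
BAD_KICS_TAGS = {"v2.1.20", "alpine"}  # tags are mutable: a hit is a lead, not proof
ROGUE_WORKFLOW = ".github/workflows/format-check.yml"

def scan_lockfile(text):
    """Flag name@version pairs in package-lock.json text (lockfile v1 to v3)."""
    lock, hits = json.loads(text), set()
    # v2/v3 key entries by install path, e.g. "node_modules/@scope/name".
    for path, meta in lock.get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]
        if meta.get("version") in BAD_NPM.get(name, ()):
            hits.add(f"{name}@{meta['version']}")
    stack = [lock.get("dependencies", {})]  # v1 nests transitive dependencies
    while stack:
        for name, meta in stack.pop().items():
            if meta.get("version") in BAD_NPM.get(name, ()):
                hits.add(f"{name}@{meta['version']}")
            stack.append(meta.get("dependencies", {}))
    return sorted(hits)

def scan_extensions(dir_names):
    """Flag VS Code extension folders, assumed to be named publisher.name-version."""
    hits = []
    for d in dir_names:
        name, _, version = d.partition(".")[2].rpartition("-")
        if version in BAD_VSCODE.get(name, ()):
            hits.append(d)
    return hits

def scan_image_refs(refs, repo="checkmarx/kics"):  # repo name is an assumption
    """Flag image references to `repo` whose tag is on the list."""
    split = (ref.rpartition(":") for ref in refs)
    return [f"{img}:{tag}" for img, _, tag in split
            if img.endswith(repo) and tag in BAD_KICS_TAGS]

def workflow_in_history(paths):
    """paths: lines from `git log --all --name-only --format=`. The workflow
    self-deletes, so search history rather than the working tree."""
    return ROGUE_WORKFLOW in {p.strip() for p in paths}

if __name__ == "__main__":
    lock = {"packages": {"node_modules/@bitwarden/cli": {"version": "2026.4.0"}}}
    print(scan_lockfile(json.dumps(lock)))
    print(scan_extensions(["checkmarx.ast-results-2.63.0"]))
```

xinference is not covered because the affected release numbers are not listed above; any install of it from the April 21–23 window needs the same secret rotation.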

CISA Adds BlueHammer to KEV (May 7 Deadline); RedSun and UnDefend Still Unpatched on Day 9

  • CISA added CVE-2026-33825 (BlueHammer) to KEV on April 22, ordering FCEB agencies to patch by May 7. (Previously: patched in April Patch Tuesday — KEV addition confirms ongoing exploitation requiring a formal federal deadline.)
  • RedSun and UnDefend remain unpatched on Day 9 of confirmed active exploitation with no out-of-band advisory from Microsoft; Security Affairs confirms attacker timeline: BlueHammer exploitation began April 10; RedSun/UnDefend PoCs dropped April 16 after the dispute with Microsoft. Public PoCs remain live on GitHub. (Previously: Day 5 in Issue #13 — no patch timeline has emerged.)

Glasswing's Patch Gap: <1% of Findings Fixed; IPI Payloads Confirmed in the Wild

  • THN analysis of Project Glasswing quantifies the remediation crisis: fewer than 1% of vulnerabilities Mythos identified have been patched since launch. Median time from disclosure to weaponized exploit dropped from 771 days in 2018 to single-digit hours by 2024; Mythos's 72.4% autonomous exploit-chain rate (previously reported) compounds a finding-to-patch gap the industry has no structural answer for. Recommended shift: signal-driven validation over scheduled testing; environment-specific exploitability context over generic CVSS; closed-loop automated remediation.
  • A HackerNoon analysis frames the problem as AI solving the discovery half of the security problem while the remediation half remains at human speed — defenders on "calendar speed" against attackers on "machine speed."
  • Forcepoint researcher Mayur Sewani documented 10 indirect prompt injection payloads found actively deployed on the public web — not in lab conditions — targeting agents that browse or summarize pages. Payloads include Unix rm -rf command injection targeting IDE-integrated agents (Copilot, Cursor, Claude Code, CI/CD reviewers), API key exfiltration with hidden exfil channels, and a weaponized PayPal payment instruction for $5,000 targeting agents with payment access.
  • The attack chain requires no exploit code: poison web content → agent ingests during research or RAG indexing → agent ignores prior instructions → executes payload. Impact scales with agent privilege — a summarizer is low risk; an agent with shell, payment, or email-send access is a high-impact target.

Firefox 150: 271 CVEs Patched with Mythos; IndexedDB Fingerprint Flaw Fixed; LogScale CVSS 9.8

  • Mozilla released Firefox 150 patching 271 security vulnerabilities — 40+ as CVEs — using Claude Mythos Preview in early access; confirmed CVEs include CVE-2026-6746 (high), CVE-2026-6757/6758 (medium). Mozilla states Mythos identified "any category or level of vulnerability that humans can identify" but has not found bugs an elite human researcher couldn't find. (Previously: Issue #14 flagged ambiguous count between 3 and 271 — Mozilla's release confirms the 271 figure, all fixed.) Update immediately.
  • A separate IndexedDB cross-session fingerprinting flaw is also patched in Firefox 150: private browsing mode returned databases in a consistent internal-state-dependent order, creating a persistent cross-site fingerprint across origins until browser restart. With 16 database names, over 20 trillion unique orderings are possible. Tor Browser (based on ESR 140.10.0) is also patched.
  • CVE-2026-40050 (CVSS 9.8) in CrowdStrike LogScale Self-Hosted 1.224.0–1.234.0 allows unauthenticated attackers to retrieve arbitrary files via directory traversal on a cluster API endpoint — missing auth combined with improper path restriction exposes config files, logs, credential material, internal IP structures, and IR trace data. Cloud/SaaS customers already mitigated; fix in self-hosted versions 1.235.1+, 1.234.1+, 1.233.1+, and 1.228.2 LTS+. No active exploitation confirmed; patch immediately and audit for suspicious API calls on the cluster endpoint.
