36 hours from advisory to exploit
LiteLLM Pre-Auth SQLi Exploited in 36 Hours; GitHub git-Push RCE Left 88% of GHES Unpatched
- CVE-2026-42208 (CVSS 9.3) — distinct from the March supply chain attack — is a pre-auth SQL injection in LiteLLM's proxy API key check path: the `Authorization` header is interpolated directly into a query via the error-handling route. Affects versions ≥1.81.16 and <1.83.7; patch to 1.83.7-stable or set `disable_error_logs: true` under `general_settings` as an interim workaround.
- Sysdig recorded the first exploitation at 16:17 UTC on April 26 — 36 hours after the advisory was indexed, no public PoC required; the attacker used only the open-source schema and advisory text. Two-phase attack from IPs `65.111.27[.]132` and `65.111.25[.]67` targeted `litellm_credentials.credential_values` and `litellm_config` tables while skipping `litellm_users` and `litellm_team`, indicating foreknowledge of which tables hold secrets.
- Sysdig notes a single compromised `litellm_credentials` row typically holds an OpenAI org key, an Anthropic workspace-admin API key, and AWS Bedrock IAM credentials simultaneously — making the blast radius closer to cloud-account compromise than a typical web-app SQLi.
- Wiz disclosed CVE-2026-3854 (CVSS 8.7) in GitHub's internal git infrastructure using Claude Code and IDA MCP for binary analysis of closed-source compiled services: user-supplied push option values are packaged into internal `X-Stat` headers with a null-byte delimiter that is injectable, allowing any authenticated user with push access to a single repository to execute arbitrary commands on backend servers with one `git push`.
- On GitHub.com the flaw gave RCE on shared storage nodes with read access to millions of private repositories across tenants. 88% of GHES instances were unpatched at public disclosure on April 28; apply GHES patches 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, or 3.20.0+. GitHub.com was patched within 2 hours of Wiz's March 4 report; no exploitation confirmed in the wild.
- Wiz noted the process would have taken months manually; AI-augmented tooling compressed it to under 48 hours from idea to working exploit — the same acceleration is available to attackers targeting any closed-source service's internal binary protocols.
VECT 2.0 Is an Accidental Wiper; Checkmarx Mandiant Confirmed; Vimeo via Anodot
- Check Point Research found that VECT 2.0 permanently destroys files >128 KB across all variants (Windows, Linux, ESXi): four encryption chunks each generate a new nonce, but only the final chunk's nonce is saved — the first three-quarters of every large file are irrecoverable even with the decryption key. Present in all public VECT versions. Do not pay VECT ransom demands — decryption of VM disks, databases, and document files is cryptographically impossible.
- CPR found additional code quality failures consistent with AI-assisted or legacy-codebase construction: the ransomware misidentifies its own cipher as ChaCha20-Poly1305 while using raw ChaCha20-IETF without Poly1305 MAC, speed mode flags are parsed but silently ignored on Linux/ESXi, string obfuscation routines cancel each other out leaving strings in plain text, and Ukraine is mistakenly included in the CIS geofence exclusion list.
- Checkmarx confirmed Mandiant has been engaged and law enforcement notified; root cause is that TeamPCP retained or reacquired GitHub access after the March 23 initial compromise and cleanup, enabling the April 22 KICS second wave from the same credential foothold. (Previously: Issue #17 confirmed the Lapsus$ data dump — Mandiant engagement and the retained-access root cause are new detail.)
- Ars Technica quotes Socket CEO Feross Aboukhadijeh: "Attackers are treating security tools as both a target and a delivery mechanism — attacking the products that are supposed to protect the supply chain, then using those same products to steal credentials and move to the next victim." Security scanners and password managers wired into CI grant downstream access to GitHub tokens, npm publish rights, and cloud credentials at scale.
- Vimeo confirmed attackers accessed its Snowflake and BigQuery instances through a compromised Anodot analytics integration — the same Anodot/Snowflake supply chain breach that previously hit Rockstar Games and Zara (first reported: Issue #3). Video metadata and customer emails were exfiltrated; video content, credentials, and payment data were not. Vimeo has disabled Anodot credentials and removed the integration. Audit all third-party analytics integrations for Snowflake OAuth tokens with database-level read access.
APT28 NTLM Zero-Click on CISA KEV (May 12); Nickel Alley Targets Freelance Developer Platforms
- CISA added CVE-2026-32202 to KEV with a May 12 FCEB deadline: a zero-click NTLM hash leak left by Microsoft's incomplete February patch for CVE-2026-21510; APT28 exploited both flaws in a chained pass-the-hash campaign against Ukraine and EU targets in December 2025, requiring only that the victim open a malicious file. Apply April 2026 Patch Tuesday updates immediately.
- Sophos Counter Threat Unit attributed a new campaign to Nickel Alley (North Korea), separate from Contagious Interview: fake job listings on Upwork and Fiverr target fintech and blockchain developers, directing them to clone a malicious GitHub repo and run `npm install && npm start` to deliver PyLangGhost and GoLangGhost RATs.
- Nickel Alley is separately using ClickFix-style browser error pages requiring victims to run a terminal command locally; primary objectives are cryptocurrency theft and initial access for supply chain compromise. Developers are individually profiled, not mass-phished. Monitor Node.js processes spawning unexpected shell execution or outbound connections; train developers to report unsolicited freelance recruitment outreach regardless of platform legitimacy.
LeRobot Unauthenticated gRPC RCE via Pickle; Miggo Pulse Generates WAF Rules at Advisory Speed
- CVE-2026-25874 in Hugging Face LeRobot ≤v0.4.3 is an unauthenticated RCE via `pickle.loads()` in the async inference PolicyServer: both `SendPolicyInstructions()` and `SendObservations()` gRPC handlers deserialize raw client bytes with no authentication, and type checks run after deserialization — too late to prevent `__reduce__()`-based code execution. Requires only network reach to port 50051. PolicyServer instances typically run on GPU machines in privileged network segments with access to proprietary datasets and physical robotics hardware.
- A `# nosec` comment next to `pickle.loads()` explicitly suppressed Bandit's B301 warning rather than fixing the root cause — the same pattern seen in SGLang CVE-2026-5760 and vLLM CVE-2025-61620 (Issue #13). Mitigate: replace `pickle.loads()` with Protobuf or safetensors; add gRPC TLS and mutual authentication; block public access to port 50051.
- Miggo Security launched Miggo Pulse, combining a Predictive Vulnerability Database enriched with exploit primitives, eBPF DeepTracing sensors that validate exploitability in production, and a WAF Copilot that generates environment-specific WAF rules deployable in one click — designed for the window between advisory publication and vendor patch. Directly relevant given LiteLLM's 36-hour exploitation window (above) and NVD's deprioritization of non-KEV CVE enrichment (Issue #10).
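The deserialize-then-type-check ordering described for the LeRobot PolicyServer above, shown as an added example that is not LeRobot's code: a constructed object whose `__reduce__()` names the harmless `logging.getLogger` runs that call inside `pickle.loads()`, before the `isinstance` check rejects it. The handler names, `Payload` and `MARK` are hypothetical; the allow-nothing `Unpickler` is a stopgap pattern, and replacing pickle with a data-only format remains the fix the advisory recommends.

```python
import io
import logging
import pickle

MARK = "constructed-marker"  # constructed name; its presence proves a callable ran

class Payload:
    """Constructed sample: __reduce__ names a callable for the loader to invoke.
    logging.getLogger is a harmless stand-in with an observable side effect."""
    def __reduce__(self):
        return (logging.getLogger, (MARK,))

def ran(name=MARK):
    """True once logging.getLogger(name) has been called in this process."""
    return name in logging.Logger.manager.loggerDict

def handle_check_after(raw):
    """Ordering the advisory describes: deserialize first, type-check second."""
    obj = pickle.loads(raw)  # the named callable has already run here
    if not isinstance(obj, dict):
        raise TypeError("expected dict")
    return obj

class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers and scalars load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def handle_restricted(raw):
    """Rejection happens while parsing, before any callable is resolved."""
    obj = DataOnlyUnpickler(io.BytesIO(raw)).load()
    if not isinstance(obj, dict):
        raise TypeError("expected dict")
    return obj

def demo():
    """Returns (ran after restricted load, ran after check-after load, benign result)."""
    raw = pickle.dumps(Payload())
    try:
        handle_restricted(raw)
    except pickle.UnpicklingError:
        pass  # blocked in find_class
    blocked_state = ran()
    try:
        handle_check_after(raw)
    except TypeError:
        pass  # the type check fired, but only after the call was made
    return blocked_state, ran(), handle_restricted(pickle.dumps({"obs": [1, 2]}))

if __name__ == "__main__":
    print(demo())
```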