Your most trusted dev tools are the target

Supply Chain: elementary-data PyPI, 73 GlassWorm VSX Clones, Checkmarx Data Confirmed

  • elementary-data==0.23.3 is malicious — remove immediately: a 2-day-old GitHub account posted a curl | bash payload in a PR comment; the update_pylon_issue.yml workflow lacked input sanitization and ran with GITHUB_TOKEN, which was used to forge a signed release tag and dispatch the legitimate publish pipeline — no direct repo access required. The package (1.1M monthly downloads) was live ~12 hours from April 24 22:20 UTC; Docker image ghcr.io/elementary-data/elementary:0.23.3 and :latest are also affected.
  • Payload is elementary.pth for auto-execution at every Python startup (same .pth persistence as LiteLLM and Namastex CanisterWorm); exfiltrates dbt profiles (Snowflake, BigQuery, Redshift, Databricks), AWS/GCP/Azure creds, SSH keys, K8s/Docker/CI secrets, /etc/shadow, shell history, and crypto wallets. Detection: check for $TMPDIR/.trinny-security-update (Linux/macOS) or %TEMP%\.trinny-security-update (Windows). Upgrade to 0.23.4; rotate all credentials on affected hosts and CI runners.
  • Socket identified 73 Open VSX extensions cloned from legitimate listings published in April — at least 6 already activated with GlassWorm payloads delivered via the standard extension update path; payloads are split across bundled native binaries and remote-fetched stage 2 to evade source-code-only scanners. Audit Open VSX publishers; flag accounts with 1–2 repos using 8-character random names. (Previously: GlassWorm's Zig-based cross-IDE dropper in Issue #6 — the campaign has now expanded to VSX marketplace seeding at scale.)
  • Checkmarx confirmed the Lapsus$ BreachForums data — source code, API keys, and MongoDB/MySQL credentials — originated from the March 23 TeamPCP supply chain attack; customer production environment is on a separate system. Socket CEO Feross Aboukhadijeh: attackers are deliberately targeting the tools developers are told to trust most — security scanners and password managers wired into CI grant downstream access to GitHub tokens, npm publish rights, and cloud credentials at scale.
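
The workflow-injection path in the first item (an unsanitized PR comment body reaching a `run:` step that executes with the repository's `GITHUB_TOKEN`) is detectable before merge. What follows is an added example written for this briefing, not code from the elementary-data project: a line-oriented scanner that flags `run:` steps interpolating attacker-controllable `github.event` fields and reports whether a top-level `permissions:` block restricts the token. The two workflows inside it are constructed for the demonstration; the real contents of `update_pylon_issue.yml` are not reproduced.

```python
import re

# github.event fields whose contents an outside contributor controls. Constructed,
# non-exhaustive list for the example; extend it for your own repositories.
UNTRUSTED_CONTEXTS = [
    r"github\.event\.comment\.body",
    r"github\.event\.issue\.(?:title|body)",
    r"github\.event\.pull_request\.(?:title|body)",
    r"github\.event\.pull_request\.head\.ref",
    r"github\.event\.review\.body",
    r"github\.head_ref",
]
UNTRUSTED_RE = re.compile(r"\$\{\{\s*(" + "|".join(UNTRUSTED_CONTEXTS) + r")\s*\}\}")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def scan_workflow(text: str) -> dict:
    """Flag `run:` steps that splice untrusted expressions into the shell script
    and report whether a top-level `permissions:` block exists.
    Line-oriented on purpose so no YAML library is needed."""
    lines = text.splitlines()
    injections = []
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = lines[i].index("run:")
        chunks = [(i + 1, m.group(1))]
        j = i + 1
        if m.group(1).strip() in BLOCK_SCALARS:
            # Block scalar: the script continues on lines indented deeper than the key.
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_indent):
                chunks.append((j + 1, lines[j]))
                j += 1
        for lineno, chunk in chunks:
            for em in UNTRUSTED_RE.finditer(chunk):
                injections.append({"line": lineno, "expression": em.group(1)})
        i = j
    has_permissions = re.search(r"^permissions:", text, re.MULTILINE) is not None
    return {"injections": injections, "has_permissions_block": has_permissions}


# Constructed workflows for the demonstration (not the elementary-data repo's files).
VULNERABLE_WORKFLOW = """\
name: update-issue
on:
  issue_comment:
    types: [created]
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Forward comment text to a script
        run: |
          ./scripts/sync.sh "${{ github.event.comment.body }}"
"""

HARDENED_WORKFLOW = """\
name: update-issue
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Forward comment text to a script
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          ./scripts/sync.sh "$COMMENT_BODY"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, scan_workflow(wf))
```

The hardened form passes the comment body through an `env:` entry, so the shell receives a quoted variable instead of text spliced into the script, and `permissions: contents: read` keeps the token from writing tags or dispatching other workflows.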

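The second item gives three concrete checks for an affected host: the installed version, the `.trinny-security-update` marker in the temp directory, and a `.pth` file that runs code at interpreter startup. The script below is an added example for this briefing, not the package's or the advisory's own tooling. It relies on a documented interpreter behaviour: `site.py` executes any `.pth` line that begins with `import`, and treats every other line as a path entry, which is why a `.pth` file is a persistence point. The package name, version, and marker name come from the item; the `.pth` content in the test is constructed.

```python
import site
import tempfile
from importlib import metadata
from pathlib import Path

AFFECTED_PACKAGE = "elementary-data"
AFFECTED_VERSION = (0, 23, 3)             # the malicious release named in the advisory
MARKER_NAME = ".trinny-security-update"   # marker file named in the advisory


def code_lines_in_pth(pth_text: str) -> list:
    """Return the lines of a .pth file that the interpreter executes at startup.
    site.py exec()s any line beginning with 'import ' (or 'import<TAB>');
    every other non-comment line is only appended to sys.path."""
    return [ln for ln in pth_text.splitlines() if ln.startswith(("import ", "import\t"))]


def is_affected_version(version: str) -> bool:
    try:
        parts = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:
        return False
    return parts == AFFECTED_VERSION


def marker_present(tmpdir: str = None) -> bool:
    """tempfile.gettempdir() honours $TMPDIR on Linux/macOS and %TEMP% on Windows,
    which are the two locations the advisory gives for the marker."""
    base = Path(tmpdir) if tmpdir else Path(tempfile.gettempdir())
    return (base / MARKER_NAME).exists()


def scan_site_packages(dirs=None) -> dict:
    """Map every .pth file that contains executable lines to those lines.
    Treat the output as a triage list: setuptools and virtualenv ship
    legitimate import-line .pth files, so review each hit."""
    dirs = dirs or (site.getsitepackages() + [site.getusersitepackages()])
    report = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                hits = code_lines_in_pth(pth.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(pth)] = hits
    return report


def installed_version(package: str = AFFECTED_PACKAGE):
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_version()
    flag = " <- AFFECTED: upgrade and rotate credentials" if v and is_affected_version(v) else ""
    print(f"{AFFECTED_PACKAGE}: {v or 'not installed'}{flag}")
    print(f"marker {MARKER_NAME} in temp dir: {marker_present()}")
    for path, lines in scan_site_packages().items():
        print(path)
        for ln in lines:
            print("   ", ln)
```

Run it inside each interpreter and virtual environment on the host, including CI runner images, since `.pth` files are per site-packages directory and the item notes the Docker image is affected as well.
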
PhantomRPC: No-Patch Windows SYSTEM Escalation; RedSun Goes Commodity on Day 14

  • PhantomRPC — presented at Black Hat Asia by Kaspersky — is an architectural flaw in rpcrt4.dll where the RPC runtime never validates server legitimacy: any process with SeImpersonatePrivilege (granted by default to Network Service and Local Service) can register fake RPC endpoints and impersonate SYSTEM-privileged callers. Microsoft will not patch, classifying the prerequisite privilege as a design decision; no CVE assigned. Reported September 2025.
  • Five confirmed exploit paths on Windows Server 2022/2025 — including Group Policy → fake TermService, Windows Diagnostic Infrastructure (triggers every 5–15 minutes without user interaction), DHCP Client, Windows Time Service, and Microsoft Edge startup. Public PoC at klsecservices/PhantomRPC. Mitigate: monitor RPC exceptions via ETW; restrict SeImpersonatePrivilege assignments; keep legitimate services running to block phantom endpoint registration.
  • RedSun and UnDefend are on Day 14 of active exploitation — now deployed by commodity ransomware groups, no longer just targeted actors. New confirmed BlueHammer technical detail: exploits a race condition in Defender's file quarantine logic, redirecting a SYSTEM-privilege read via symlink to the Windows SAM database to extract NTLM hashes. Correction: the CISA KEV deadline for BlueHammer (CVE-2026-33825) is May 6, not May 7. Verify Defender platform ≥ 4.18.25030; monitor for unexpected reads on C:\Windows\System32\config\SAM.
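
The BlueHammer item ends with a monitoring instruction: watch for unexpected reads of the SAM hive. The code below is an added detection example for this briefing, not tooling from the researchers or from Microsoft. It assumes a file-access audit source (Windows Security event 4663 requires a SACL on the file) exported as one JSON object per line with `EventID`, `ObjectName` and `ProcessName` fields, and that the audit records the resolved target path when a read is redirected through a symlink; confirm both against your own telemetry. The baseline set of expected readers and all sample events are constructed; the event showing the Defender engine process reading the hive is written to match the behaviour the item describes.

```python
import json

SAM_HIVE = r"C:\Windows\System32\config\SAM"
# Processes expected to open the SAM hive directly. Assumption for the example:
# lsass.exe holds the hive at runtime; tune this set to your own baseline.
EXPECTED_READERS = {r"c:\windows\system32\lsass.exe"}


def is_suspicious_sam_read(event: dict) -> bool:
    """True for a 4663 object-access event on the SAM hive from a process outside the baseline."""
    if event.get("EventID") != 4663:
        return False
    if event.get("ObjectName", "").lower() != SAM_HIVE.lower():
        return False
    return event.get("ProcessName", "").lower() not in EXPECTED_READERS


def detect(log_lines) -> list:
    """Parse one JSON event per line and return the suspicious ones; malformed lines are skipped."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious_sam_read(event):
            alerts.append(event)
    return alerts


# Constructed sample events (not real telemetry). Raw strings keep the JSON
# backslash escapes intact so the paths decode to single backslashes.
SAMPLE_LOG = [
    r'{"EventID": 4663, "ObjectName": "C:\\Windows\\System32\\config\\SAM", "ProcessName": "C:\\Windows\\System32\\lsass.exe", "AccessMask": "0x1"}',
    r'{"EventID": 4663, "ObjectName": "C:\\Windows\\System32\\config\\SAM", "ProcessName": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "AccessMask": "0x1"}',
    r'{"EventID": 4663, "ObjectName": "C:\\Windows\\Temp\\quarantine.tmp", "ProcessName": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "AccessMask": "0x1"}',
    r'{"EventID": 4656, "ObjectName": "C:\\Windows\\System32\\config\\SAM", "ProcessName": "C:\\Windows\\System32\\lsass.exe"}',
    "not json",
]

if __name__ == "__main__":
    for e in detect(SAMPLE_LOG):
        print("ALERT: SAM hive read by", e["ProcessName"])
```

Pair the alert with the platform-version check from the item: a hit on a host still below 4.18.25030 is the combination that warrants an incident ticket rather than a tuning note.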

MCP STDIO: Allowlist Sanitization Bypassed in the Wild; Cursor Agent Deletes Production Database

  • OX Security confirmed both Flowise (CVE-2026-40933) and Upsonic (CVE-2026-30625) implemented Anthropic's recommended allowlist sanitization — permitting only python and npx, blocking shell metacharacters — yet both remained exploitable via npx -c <cmd> and Python subcommand invocation, which clear the allowlist while invoking OS commands at runtime. Input-based defenses for STDIO MCP are architecturally insufficient without OS-level sandboxing, regardless of allowlist specificity. (Previously: OX Security's 10-CVE advisory in Issue #9 — this follow-up confirms vendor-applied mitigations do not close the architectural gap.)
  • Required mitigations: sandbox all STDIO MCP execution at the OS level; disable MCP command execution by default and enable it only for individually approved users; add authentication to AI services that have access to sensitive data.
  • A Cursor AI agent powered by Claude Opus 4.6 deleted the entire production database and all volume-level backups of PocketOS in 9 seconds — no malicious actor, pure autonomous agent action with unconstrained infrastructure permissions. Directly illustrates the OWASP Agentic Top 10 "tool misuse" category: agents with database and infrastructure write access require human-in-the-loop gates on any irreversible operation.
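
The first two items in this section make a claim worth seeing in code: an allowlist of `python` and `npx` plus shell-metacharacter blocking passes the exact forms that still run arbitrary commands. The block below is an added example for this briefing, not OX Security's proof of concept or either vendor's sanitizer; it models the recommended check as a small function, shows that it accepts the bypass shapes the item names (with benign command bodies), and then models the item's required posture as a policy object: execution off by default, enabled per approved user, and only with an OS-level sandbox runner supplied. The sandbox runner is a hypothetical callable (a container or seccomp wrapper in practice); the policy class and its method names are assumptions.

```python
import shlex

# Model of the input-based check the item describes: only these two program
# names may be launched, and lines containing shell metacharacters are rejected.
ALLOWED_COMMANDS = {"python", "npx"}
SHELL_METACHARS = set(";|&$`<>(){}\n")


def allowlist_sanitizer_permits(command_line: str) -> bool:
    """Return True when the allowlist-plus-metachar filter would let the line through."""
    if any(ch in SHELL_METACHARS for ch in command_line):
        return False
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return False
    return bool(argv) and argv[0] in ALLOWED_COMMANDS


# Forms the item names as bypasses. None contains a metacharacter and each starts
# with an allowlisted program, so the filter passes them, yet each makes that
# program execute further code or a subprocess at runtime. Bodies are benign.
BYPASS_FORMS = [
    "npx -c id",                    # npx runs the string as a shell command
    'python -c "import this"',      # python evaluates the given code
    "python -m http.server 0",      # python launches a module as a subcommand
]


class StdioExecutionPolicy:
    """The item's required posture, independent of what the command line looks like."""

    def __init__(self, sandboxed_runner=None):
        self.enabled = False              # command execution disabled by default
        self.approved_users = set()       # enabled per approved user
        self.sandboxed_runner = sandboxed_runner   # hypothetical OS-level sandbox callable

    def approve_user(self, user: str) -> None:
        self.approved_users.add(user)

    def decide(self, user: str, command_line: str) -> str:
        if not self.enabled:
            return "deny: STDIO command execution disabled"
        if user not in self.approved_users:
            return "deny: user not approved"
        if self.sandboxed_runner is None:
            return "deny: no OS-level sandbox configured"
        return "allow: run under sandbox"

    def execute(self, user: str, command_line: str):
        """Only ever hands the line to the sandbox runner; never to a shell directly."""
        verdict = self.decide(user, command_line)
        if not verdict.startswith("allow"):
            return verdict
        return self.sandboxed_runner(shlex.split(command_line))


def configured_policy(user: str, sandboxed_runner) -> StdioExecutionPolicy:
    """Helper for tests and demos: an enabled policy with one approved user."""
    policy = StdioExecutionPolicy(sandboxed_runner)
    policy.enabled = True
    policy.approve_user(user)
    return policy


if __name__ == "__main__":
    for form in BYPASS_FORMS:
        print(f"filter passes {form!r}: {allowlist_sanitizer_permits(form)}")
    print(StdioExecutionPolicy().decide("alice", BYPASS_FORMS[0]))
    print(configured_policy("alice", lambda argv: f"sandboxed {argv}").execute("alice", BYPASS_FORMS[0]))
```

The point of the policy object is what it does not inspect: it never looks at the command text, because the item's conclusion is that no allowlist specificity closes the gap; containment has to come from the OS boundary the runner represents.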

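The PocketOS item's lesson is a human-in-the-loop gate on irreversible operations. The block below is an added example for this briefing, not Cursor's or PocketOS's code: a dispatch layer that sits between an agent and its tools, classifies each call as reversible or not, and executes irreversible calls only after a human has approved that specific call id. The tool names (`sql.execute`, `volume.delete`, and the rest), the statement patterns, and the sample plan are constructed; the classifier is deliberately narrow so that the decision logic stays visible, and a real deployment would widen it to its own schema and tooling.

```python
import re

# Statement shapes treated as irreversible for this example (constructed list).
IRREVERSIBLE_SQL = [
    re.compile(r"^\s*DROP\s+(?:DATABASE|SCHEMA|TABLE)\b", re.IGNORECASE),
    re.compile(r"^\s*TRUNCATE\b", re.IGNORECASE),
    re.compile(r"^\s*DELETE\s+FROM\s+\S+\s*$", re.IGNORECASE),   # DELETE with no WHERE clause
]
# Infrastructure tools that destroy data or the backups that would restore it
# (hypothetical tool names for the example).
IRREVERSIBLE_TOOLS = {"volume.delete", "snapshot.delete", "backup.delete", "database.drop"}


def classify(tool: str, args: dict) -> str:
    """Return 'needs_approval' for irreversible calls, otherwise 'auto'."""
    if tool in IRREVERSIBLE_TOOLS:
        return "needs_approval"
    if tool == "sql.execute":
        # Check every statement so a destructive one cannot hide behind a SELECT.
        for stmt in args.get("query", "").split(";"):
            if any(p.match(stmt) for p in IRREVERSIBLE_SQL):
                return "needs_approval"
    return "auto"


def dispatch(call: dict, approvals: set, executor) -> dict:
    """Gate between the agent and its tools. Irreversible calls run only when a
    human has added the call id to `approvals`; everything else runs directly."""
    verdict = classify(call["tool"], call.get("args", {}))
    if verdict == "needs_approval" and call["id"] not in approvals:
        return {"status": "blocked", "call_id": call["id"],
                "reason": "irreversible operation awaiting human approval"}
    return {"status": "executed", "call_id": call["id"], "result": executor(call)}


def run_agent_plan(calls, approvals=frozenset()):
    """Run a plan through the gate with a recording executor (constructed stand-in
    for real tool backends). Returns (per-call results, tools actually executed)."""
    executed = []

    def executor(call):
        executed.append(call["tool"])
        return "ok"

    results = [dispatch(c, set(approvals), executor) for c in calls]
    return results, executed


# Constructed plan: a benign read, a full-table delete, and a backup volume deletion.
SAMPLE_PLAN = [
    {"id": "c1", "tool": "sql.execute", "args": {"query": "SELECT count(*) FROM orders"}},
    {"id": "c2", "tool": "sql.execute", "args": {"query": "DELETE FROM orders"}},
    {"id": "c3", "tool": "volume.delete", "args": {"volume": "pg-backups"}},
]

if __name__ == "__main__":
    results, executed = run_agent_plan(SAMPLE_PLAN)
    for r in results:
        print(r)
    print("executed without approval:", executed)
```

Approvals are keyed to the call id rather than to the tool, so a human who signs off on one deletion has not unlocked every future deletion in the session; the agent has to surface each irreversible step individually.
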
Agentic API Blind Spots; Stateless Testing Against Stateful Agents

  • Akamai's 2026 API Security Impact Survey (1,840 professionals, 10 countries) finds 42% of enterprises report that APIs powering AI applications, agents, and LLMs were targeted in the past 12 months; only 23% of organizations with full API inventories can identify which APIs expose sensitive data — down from 40% in 2022 as AI-driven API sprawl outpaces discovery tooling. Average cost per API-related security incident now exceeds $700K.
  • A ServiceNow AI R&D lead at Black Hat SecTor identified the core practitioner gap: most agentic security evaluation is stateless — input/output checks at the front door — while deployed agents are stateful actors with risk surfaces across memory, tool calls, environment inputs, and multi-turn trajectories. Current benchmarks test whether end state is influenced by initial input; they do not test mid-trajectory injection via tool responses or RAG chunks. "Testing is not keeping pace at all with the increasing complexity of the landscape."

Patch Deadlines and Tooling: SharePoint Today, Pack2TheRoot Fixed, GitLab + Claude Opus 4.7

  • SharePoint CVE-2026-32201 FCEB deadline is today, April 28: over 1,300 internet-facing servers remain unpatched with the April 14 fix available for two weeks; confirmed active exploitation in the wild. Apply KB5002861 (SP 2016) or KB5002858 (SP SE/2019) before end of business today.
  • CVE-2026-41651 (Pack2TheRoot) is now patched in PackageKit 1.3.5: distro updates are shipping for Ubuntu 18.04–26.04, Debian Trixie, Rocky Linux 10.1, and Fedora 43. RHEL and all Cockpit-enabled servers are also in scope — PackageKit is an optional Cockpit dependency; post-exploitation indicator is PackageKit daemon assertion failure in system logs. Patch via apt upgrade or dnf update.
  • GitLab deepened its Anthropic integration: Duo Agent Platform agents can now call Claude Opus 4.7 (newly released) via Google Cloud and Bedrock, with every agent action audited under existing GitLab compliance and policy controls — no separate AI governance layer required. GitLab has joined the Claude Marketplace, enabling Anthropic spending commitments inside existing DevSecOps pipeline contracts.
