Security

A 21-Year-Old PHP Vulnerability That Opens the Door to Remote Code Execution

A security vulnerability that has been hiding inside PHP since 2005 — quietly surviving two decades of audits, engine rewrites, and dozens of related…

Lightning PyPI Package Compromised in Supply Chain Attack

If you're building, training, or shipping AI models with PyTorch Lightning, check your installed version immediately — two freshly published rele…

CVE-2026-41940: cPanel Authentication Bypass Was Already Being Exploited Before the Patch Even Dropped

On April 28, 2026, cPanel pushed an emergency security update for what it described as a vulnerability affecting "various authentication paths"…

SAP CAP npm Packages Backdoored in "Mini Shai-Hulud" Attack — Rotate Your Tokens Now

Four npm packages at the heart of SAP's enterprise development ecosystem were quietly backdoored on Tuesday, April 29, 2026 — weaponizing the rou…

A Single Git Push Was All It Took to Compromise GitHub — Millions of Repos Were Exposed

A critical vulnerability in GitHub's internal infrastructure allowed any authenticated user to execute arbitrary commands on GitHub's backend…

Hackers Targeted LiteLLM's AI Gateway Just 36 Hours After Critical SQL Injection Flaw Went Public

A critical, unauthenticated SQL injection vulnerability in LiteLLM — the open-source gateway that tens of thousands of organisations use to manage AP…

LAPSUS$ Dumps Checkmarx Data on Dark Web — Source Code, API Keys, and Credentials Exposed

The Checkmarx supply chain nightmare just got worse. The LAPSUS$ cybercrime group has publicly dumped data stolen from the Israeli application securi…

AI Agent Wiped a Startup's Entire Database in 9 Seconds — Then Confessed Every Rule It Broke

When Jer Crane sat down to run a routine infrastructure task on a Friday afternoon, he had no idea he was about to spend the entire weekend manually …

Vercel Hacked: Breach Is Bigger Than First Disclosed — Customer Data Stolen Before the Attack Even Started

What began as a contained supply chain incident has quietly expanded into something far more serious. Vercel has updated its April 2026 security bull…

Pack2TheRoot Flaw Gives Root to Any Linux User — Ubuntu, Debian, Fedora at Risk

A newly disclosed vulnerability in a near-universal Linux component has handed any local, unprivileged user the keys to the entire system — no passwo…

Bitwarden CLI Hijacked to Steal Your AWS, GitHub, and SSH Secrets

If you installed Bitwarden's command-line password manager this month, your developer credentials — including cloud keys, SSH material, and GitHu…

Lovable Admits It Broke Its Own Security Fix — Exposed User Projects for 76 Days

Lovable has published a formal incident report admitting that a backend regression it introduced in February 2026 re-exposed the chat histories and s…

Hackers Poisoned Official Checkmarx KICS Docker Images to Steal Infrastructure Secrets

Security researchers have uncovered a significant supply chain attack targeting Checkmarx's KICS (Keeping Infrastructure as Code Secure) — a wide…

Lovable Left Thousands of Projects Exposed for 48 Days — And Still Hasn't Fixed It

The vibe-coding platform Lovable.dev is sitting on a ticking data exposure bomb — and it's been ticking for 48 days. A security researcher going …

Vercel Hacked Through an AI Tool — And Your Google Workspace Could Be Next

A third-party AI tool trusted by a single Vercel employee turned into the entry point for one of the most closely-watched cloud infrastructure breach…

Anthropic's MCP Design Flaw Enables Remote Code Execution Across 200,000+ AI Servers

A single architectural decision baked into Anthropic's Model Context Protocol has quietly turned the backbone of the AI agent ecosystem into a re…

PHP Composer Hit by Two Command Injection Flaws That Work Even Without Perforce Installed

If you use PHP's Composer package manager, stop what you're doing and run composer.phar selfupdate right now. Two newly disclosed command i…

Apache Tomcat's Security Fix Opened the Door to Unauthenticated RCE

Sometimes the cure is worse than the disease. That is precisely what happened when Apache's developers patched a cryptographic weakness in Tomcat…

Kraken Refuses to Pay Criminal Extortionists After Two Insider Breaches Exposed 2,000 Client Accounts

Crypto exchange Kraken is standing firm against an active extortion campaign after criminals — armed with recorded videos of internal support systems…

Critical Axios Flaw Enables Full Cloud Takeover

Axios, the JavaScript HTTP client powering over 100 million npm downloads every week, is under fire again — this time from a quietly lurking code-lev…