P • lefou

🚨 UPDATE: 19 MILLION exposed NGINX instances hit by the 18-year-old NGINX RCE found by AI. Top exposure by country: - United States: 5,340,011 - China: 2,540,008 - Germany: 1,871,780 Note on ASLR as added security: not all of these instances will have ASLR disabled, but every one of them is running a version inside the vulnerable band. The vulnerability is a heap buffer overflow. ASLR randomizes memory layout, which makes reliable RCE much harder because the attacker cannot predict where their payload or useful gadgets land. But the overflow itself still happens. The corrupted memory still causes the NGINX worker process to crash. ASLR-enabled hosts are still trivially DoS-able. ASLR-disabled or non-PIE builds are RCE-able. Either way, patch ASAP!

‼️🚨 BREAKING: A new npm supply-chain attack uses a dead-man's switch. The payload plants a watcher on your machine that nukes your home directory the second you revoke the GitHub token it stole from you. The compromise happened today, across 42 official tanstack npm packages, 84 malicious versions in total. tanstack/react-router alone pulls more than 12 million weekly downloads. The attacker forked TanStack's repository and pushed a single hidden commit. From there, they tricked TanStack's own release system into signing the malicious packages as if they were the real thing. To npm, and to anyone checking the cryptographic proof of origin (SLSA provenance), the poisoned versions looked 100% legitimate. Maintainer Tanner Linsley confirmed the whole team had 2FA enabled. It didn't matter. This is the first documented npm worm in history that ships with a valid, signed certificate of authenticity, the same one defenders rely on to know a package wasn't tampered with.

‼️🚨 CRITICAL: Palo Alto Networks has disclosed CVE-2026-0300, a buffer overflow in PAN-OS that is already being exploited in the wild. CVSS 4.0 score: 9.3. Unauthenticated attackers can hit the User-ID Authentication Portal (the Captive Portal service) with crafted packets and pop a root shell on the firewall. The flaw is an out-of-bounds write (CWE-787) in PA-Series and VM-Series firewalls. Prisma Access, Cloud NGFW, and Panorama are not affected. The vulnerability only triggers when the User-ID Authentication Portal is enabled and reachable from untrusted networks. Affected branches: - PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6 - PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15 - PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12 - PAN-OS 12.1 below 12.1.4-h5, 12.1.7 Patches roll out between May 13 and May 28, 2026. A Threat Prevention signature for PAN-OS 11.1 and above shipped on May 5. Mitigations before patches roll out: - Restrict Authentication Portal access to trusted internal IPs only - Disable the User-ID Authentication Portal entirely if not needed Compromising a perimeter firewall as root opens the door to lateral movement, traffic interception, credential harvesting, and full network takeover. Audit Device > User Identification > Authentication Portal Settings and treat any internet-exposed portal as an emergency.