Brought to you by Nigel Douglas, Head of Developer Relations at Cloudsmith.
The recent compromise of the axios NPM package by North Korean-linked threat actors is a stark reminder of how fragile our foundational dependencies are, and of how much care it takes to consume libraries from open-source registries securely. As NIST signals that it cannot keep pace with the record-breaking surge in CVE submissions, the industry is forced to move beyond traditional scanning.
The CSA also released a whitepaper on building a “Mythos-ready” security program. It’s essential at this point to prioritize robust dependency management to reduce vulnerabilities in third-party and open-source components. This month’s briefing focuses on the hardened standards and software engineering workflows required to achieve compliance and resilience in an increasingly volatile ecosystem.
VULN ROUND UP
Common Vulnerabilities & Exposures
X number of days since the last OpenClaw CVE Source: Intruder.io
Since its release on 24th November 2025, OpenClaw has averaged almost two CVEs per day. The software is so flawed from a security perspective that the team at Intruder built an interactive website to help users understand the OpenClaw threat landscape.
Hackers exploit known vulnerability to breach 766 Next.js hosts and steal credentials NVD: CVE-2025-55182
Attackers are exploiting a critical Next.js RCE vulnerability to deploy the NEXUS Listener framework (UAT-10608), harvesting cloud credentials, SSH keys, Kubernetes tokens, and API keys from compromised systems.
Flowise has a CVSS 10.0 RCE flaw now under active attack NVD: CVE-2025-59528
Attackers are exploiting a max-severity code injection flaw in Flowise's CustomMCP node, enabling remote code execution, data exfiltration, and full system compromise via unvalidated JavaScript execution.
Actively exploited nginx-ui flaw enables full Nginx takeover NVD: CVE-2026-33032
The critical auth bypass dubbed MCPwn (CVSS 9.8) lets attackers hijack nginx-ui by sending crafted requests to an unsecured MCP endpoint. It is frequently chained with CVE-2026-27944 to extract sensitive node_secret keys from unauthenticated backups.
Marimo weaponized to deploy a blockchain botnet via HuggingFace NVD: CVE-2026-39987
A pre-auth RCE in marimo notebooks was weaponized within ten hours to harvest credentials, move laterally, and deploy NKAbuse - a Go-based RAT using the NKN blockchain for C2 - hosted on a typosquatted HuggingFace Space to evade detection.
IN THE NEWS
Supply Chain Security
Axios NPM distribution compromised Source: Cloudsmith
UNC1069 compromised axios versions 1.14.1 and 0.30.4 by hijacking a maintainer account and introducing a malicious dependency that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux - enabling file theft, process execution, and credential harvesting.
High-impact Node.js maintainers targeted in social engineering campaign Source: Socket
A UNC1069-linked campaign is targeting Node.js maintainers by posing as recruiters, building rapport over weeks, then luring victims into spoofed video calls where they're tricked into running malware.
Attackers exploited a dependency in LiteLLM and telnyx to steal API tokens and inject credential-harvesting malware into legitimate updates, exposing developers who installed unpinned versions during a brief window before PyPI remediated the threat.
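Both incidents above turn on the same two conditions: a known-bad release exists on the registry, and installs that are not pinned to an exact version pull it in during the exposure window. The following is an added example, not code from Cloudsmith, the axios project or any of the affected packages. It audits an npm project offline for installed versions that appear on a blocklist of known-compromised releases (walking nested copies in the lockfile, not just top-level ones) and for package.json ranges that are not pinned. The axios versions in the blocklist are the ones named in the axios item above; every other package name, version and the lockfile contents are constructed sample data.

```javascript
// Added example, not Cloudsmith's or the axios project's code: audit an npm
// project offline for (a) installed versions that appear on a blocklist of
// known-compromised releases and (b) package.json ranges that are not pinned.
// The axios versions below are the ones named in the incident above; all other
// package names, versions and the lockfile contents are constructed sample data.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// name -> set of versions known to be compromised
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
};

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys are
// install paths such as "node_modules/axios" or
// "node_modules/legacy-client/node_modules/axios", so nested copies are seen too.
function findCompromised(lock, blocklist = COMPROMISED) {
  const hits = [];
  const marker = "node_modules/";
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // "" is the root project itself
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    const badVersions = blocklist[name];
    if (badVersions && badVersions.has(meta.version)) {
      hits.push({ name, version: meta.version, installPath });
    }
  }
  return hits;
}

// A range such as "^1.14.0" lets a fresh install resolve to whatever the
// registry currently serves (here, the compromised 1.14.1). Only exact
// versions, optionally with a prerelease tag, pass this check.
function findUnpinned(pkg) {
  const unpinned = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(range)) unpinned.push({ field, name, range });
    }
  }
  return unpinned;
}

// Constructed sample inputs (not a real project).
const samplePackageJson = {
  dependencies: { axios: "^1.14.0", express: "4.19.2" },
  devDependencies: { typescript: "~5.4.0" },
};

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/legacy-client": { version: "2.0.0" },
    "node_modules/legacy-client/node_modules/axios": { version: "0.30.4" },
    "node_modules/typescript": { version: "5.4.5" },
  },
};

function auditSample() {
  return {
    compromised: findCompromised(sampleLock),
    unpinned: findUnpinned(samplePackageJson),
  };
}

const report = auditSample();
for (const h of report.compromised) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.installPath}`);
}
for (const u of report.unpinned) {
  console.log(`UNPINNED ${u.field}.${u.name} = "${u.range}"`);
}
```

Two caveats a practitioner would add: an exact version in package.json is not sufficient on its own, because transitive dependencies still float unless a lockfile is committed and installs use `npm ci` rather than `npm install`; and a hand-written blocklist like `COMPROMISED` is only a demonstration, since in a real pipeline the bad-version set should come from an advisory feed (OSV, GitHub Advisory Database, or your registry's quarantine list) that is refreshed continuously.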
The industry is shifting toward using SBOMs as dynamic assets - continuously correlating deployed system metadata against real-time vulnerability databases like OSV.dev - to replace costly, periodic rescanning with near-instant automated detection.
Why is PURL so important for software security? Source: Tom Alrich Blog
The NVD's reliance on CPE codes is failing, leaving over half of new vulnerabilities unenriched and invisible to automated tools. Tom advocates for PURL - a decentralized, machine-readable package identifier - as the fix.
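The SBOM item and the PURL item above describe two halves of one workflow: give each component a machine-readable identifier, then correlate those identifiers against a vulnerability database continuously instead of rescanning. The following is an added example, not code from Cloudsmith, OSV or Tom Alrich. It derives PURLs from SBOM-style components (handling npm scopes and PyPI name normalisation, two places where naive string concatenation produces identifiers that never match), builds the request body for OSV.dev's `POST /v1/querybatch` endpoint, and correlates the per-query results back onto the components. Nothing is sent over the network; the response is constructed sample data and its advisory IDs are placeholders, not real identifiers.

```javascript
// Added example, not Cloudsmith's, OSV's or Tom Alrich's code: derive Package
// URLs (PURLs) from SBOM components, build the request body for OSV.dev's
// POST /v1/querybatch endpoint, and correlate its per-query results back to the
// components. The request is built but never sent; the response below is
// constructed sample data and its advisory IDs are placeholders, not real ones.

// SBOM ecosystem label -> purl type (a subset of the purl type list)
const PURL_TYPES = { npm: "npm", pypi: "pypi", golang: "golang", cargo: "cargo" };

// pkg:<type>/<namespace>/<name>@<version>. Namespace, name and version are
// percent-encoded so that '/' and '@' stay unambiguous; an npm scope such as
// "@babel" therefore becomes "%40babel". PyPI names are normalised to lowercase
// with hyphens, as the purl spec requires for that type.
function toPurl(component) {
  const type = PURL_TYPES[component.ecosystem];
  if (!type) throw new Error(`unsupported ecosystem: ${component.ecosystem}`);
  let name = component.name;
  let namespace = "";
  if (type === "npm" && name.startsWith("@")) {
    const slash = name.indexOf("/");
    namespace = name.slice(0, slash);
    name = name.slice(slash + 1);
  }
  if (type === "pypi") name = name.toLowerCase().replace(/_/g, "-");
  const ns = namespace ? `${encodeURIComponent(namespace)}/` : "";
  return `pkg:${type}/${ns}${encodeURIComponent(name)}@${encodeURIComponent(component.version)}`;
}

// OSV querybatch accepts one query per package, identified here by purl.
function buildQueryBatch(components) {
  return { queries: components.map((c) => ({ package: { purl: toPurl(c) } })) };
}

// OSV returns one result per query, in query order; an empty object means
// "no known vulnerabilities". Zip results back onto components by index and
// refuse to guess if the counts disagree.
function correlate(components, response) {
  if (!Array.isArray(response.results) || response.results.length !== components.length) {
    throw new Error("querybatch results do not line up with the queries sent");
  }
  const affected = [];
  components.forEach((c, i) => {
    const vulns = response.results[i].vulns || [];
    if (vulns.length > 0) {
      affected.push({ purl: toPurl(c), vulnIds: vulns.map((v) => v.id) });
    }
  });
  return affected;
}

// Constructed SBOM components (ecosystem/name/version as an SBOM generator
// would record them before purl generation).
const sampleComponents = [
  { ecosystem: "npm", name: "axios", version: "1.14.1" },
  { ecosystem: "npm", name: "@babel/core", version: "7.24.0" },
  { ecosystem: "pypi", name: "PyYAML", version: "6.0.1" },
];

// Constructed stand-in for an OSV querybatch response (IDs are placeholders).
const sampleResponse = {
  results: [
    { vulns: [{ id: "CONSTRUCTED-0001" }] },
    {},
    { vulns: [{ id: "CONSTRUCTED-0002" }, { id: "CONSTRUCTED-0003" }] },
  ],
};

function demo() {
  const body = buildQueryBatch(sampleComponents);
  const affected = correlate(sampleComponents, sampleResponse);
  return { body, affected };
}

const { body, affected } = demo();
console.log(JSON.stringify(body, null, 2));
for (const a of affected) console.log(`${a.purl}: ${a.vulnIds.join(", ")}`);
```

In a live pipeline the `body` object is what you POST to https://api.osv.dev/v1/querybatch on every SBOM change or on a schedule, and the JSON reply goes straight into `correlate`; the batch reply carries only vulnerability IDs and modification timestamps, so the full record for each ID is fetched separately when something is flagged. The normalisation in `toPurl` is the part that matters for the argument in Tom's post: a PURL only works as a decentralised identifier if producers and consumers derive exactly the same string, which is why the spec fixes the encoding and per-type naming rules rather than leaving them to each tool.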
While Kubernetes excels at isolating and scheduling containerized workloads, it remains blind to the unique security risks of LLMs, which operate on probabilistic logic rather than deterministic code. Running an LLM creates an app-layer vulnerability where untrusted user input can bypass traditional infrastructure controls, leading to risks like prompt injection, sensitive data disclosure, unverified supply chains, and excessive agency.
Rendering OCI Images the right way with ocirender Source: Edera
To solve the persistent whack-a-mole bugs of OCI image assembly, Edera developed ocirender, a Rust library that replaces traditional layer extraction with a high-performance streaming merge engine. By shifting to a newest-first processing model, the tool can immediately identify authoritative file versions and whiteouts, streaming data directly from compressed layer blobs into a final output (like SquashFS) without intermediate disk extraction.
RAXE-2026-045: The TeamPCP supply chain campaign Source: Raxe.ai
The TeamPCP supply chain campaign compromised several high-profile security tools (including Trivy and LiteLLM) to execute aggressive lateral movement within Kubernetes environments. The attack specifically deployed privileged pods into the kube-system namespace, mounting host filesystems and gaining full network/PID access to every node.
idle: The chillest container you'll ever run Source: Github (@spurin)
If you’re not familiar with idle, the premise is simple. It’s an ultra-lightweight container that does nothing - reliably. Perfect for Kubernetes workloads where you need a running container without the memory and CPU overhead of nginx, busybox, or alpine.
AI, LLMs & MCP
Claude Code source leaked via npm packaging error Source: The Hacker News
Anthropic confirmed that a packaging error inadvertently leaked the source code for Claude Code via a map file in an npm registry, exposing nearly 2,000 TypeScript files. While the company stated no customer data was compromised, the leak revealed significant internal project designs, including a self-healing memory architecture, a persistent agent feature called KAIROS, and an Undercover Mode for stealthy open-source contributions.
Google has released Gemma 4 (up to 31B parameters) under the Apache 2.0 license - a significant shift from previous restrictive terms that gives developers full freedom to modify, redistribute, and deploy models privately without legal friction.
MCP is alive, but faces challenges Source: AI Business
Now under the Linux Foundation, Anthropic's MCP is the de facto standard for connecting AI agents to data - but context bloat, sync issues, and security concerns are causing friction, with some vendors stepping back while Uber and AWS double down on centralised gateways.
Anthropic blocks OpenClaw from Claude subscriptions Source: The Tech Buzz
Effective April 4th, Anthropic removed OpenClaw integration from its standard Claude subscriptions, forcing users onto a separate pay-as-you-go billing model. This strategic shift appears to be a response to OpenClaw creator Peter Steinberger joining rival OpenAI, signaling a move toward a more closed ecosystem.
Hugging Face introduces Kernels on the hub Source: Hugging Face
Hugging Face Kernels standardizes how GPU kernels are built, distributed, and loaded - fetching the right build for your system automatically and eliminating hours-long local compilation times.
A live panel with Cloudsmith CEO Glenn Weinstein, VP of Product Alison Sickelka, and CTO Lee Skillen - hosted by Meghan McGowan, Cloudsmith’s Principal Product Marketer - exploring the key findings from this year's 2026 Artifact Management Report.
In this upcoming Platform Engineering hosted webinar, James Matchett (Head of Security, Cloudsmith) and I will explore how platform teams can turn CRA compliance into automated, developer-friendly workflows. We'll cover key CRA deadlines, embedding requirements into your IDP, and enriching SBOMs with threat intelligence to hit tight reporting windows.
Jenn Gile (Co-Founder, OpenSourceMalware) and I break down how UNC1069 compromised axios - a package with 100M+ weekly downloads - and share practical steps to reduce your exposure.
Signed, sealed, and delivered - see you next issue.