Mini Shai-Hulud-class npm hijacks live for 3-12 hours before takedown. pnpm 11.0 ships minimumReleaseAge=1440 (1 day) by default, Yarn 4.10 ships npmMinimalAgeGate=3d, npm v11.10 needs explicit min-release-age. Working .npmrc / pnpm-workspace.yaml / .yarnrc.yml configs and what breaks when ignore-scripts=true (esbuild, sharp, node-gyp, Cypress).
Next.js CVE-2026-44578: WebSocket upgrades on self-hosted Node.js can SSRF to internal HTTP endpoints. Vercel unaffected. Fix is 15.5.16 / 16.2.5+, or 15.5.18 / 16.2.6 for May rollup.
Composer 2.9.8/2.2.28 fix CVE-2026-45793: GitHub's new GITHUB_TOKEN includes hyphens that Composer's old regex rejects, leaking the token into CI logs as plaintext.
Fragnesia (CVE-2026-46300) overwrites the Linux page cache via XFRM ESP-in-TCP. The Dirty Frag workaround still applies, but IPsec hosts need to check side effects first.
137 CVEs, no zero-days. Netlogon and DNS Client RCEs (both CVSS 9.8) lead — compared against ZeroLogon/SIGRed, with patch priority tiers and detection notes for SOC teams.
CVE-2026-42945 hits the nginx 0.6.27–1.30.0 rewrite module with a heap overflow. CVSS 9.2, but it only fires on specific rewrite+capture+set patterns. How to check with nginx -T and what to patch.
Verdict on GTIG's May 11, 2026 report: the first confirmed AI-generated zero-day, a Python 2FA bypass for an OSS admin tool, was caught by a hallucinated CVSS score and textbook Pythonic code structure.
RubyGems.org halted new signups after DDoS and 500+ malicious gem uploads. Existing install/push unaffected — check lockfiles for gems added around May 12 2026.
NVD API queries: kernel CVEs return Analyzed, but SuperAGI CVE-2026-6584 stays Deferred with no CPE. Maps how Snyk, Trivy, Grype, Dependabot and OSV-Scanner rely on NVD versus GHSA/OSV.
TanStack npm compromise (42 pkgs / 84 versions, CVE-2026-45321 CVSS 9.6) on May 11, 2026 UTC spread across UiPath (60+), Mistral, OpenSearch, guardrails-ai, Checkmarx Jenkins. Covers token-revoke wipe ordering, first valid SLSA provenance on malicious npm, and Vect ransomware secondary wave (wiper, not real ransomware). Live tracking.
CreateFileW dwShareMode=0 locks 500K SMB files in 8 min with no encryption. Detection key: NAS session exclusive handle counts, not write-based indicators.
PA-Series and VM-Series with User-ID Authentication Portal exposed to untrusted traffic. CL-STA-1132 achieved root RCE, wiped crash logs, enumerated AD, and deployed EarthWorm and ReverseSocks5. Patches start May 13; interim mitigations and forensic indicators for exposed portals.