12 npm/PyPI/supply-chain threats today (2026-05-27): CVE-2026-43945 (FUXA), CVE-2026-43947 (FUXA), Laravel Lang, durabletask, AntV, node-ipc, TanStack, lightning, ...
Source: https://github.com/advisories/GHSA-p69w-mmfv-xrfj
Reddit Discussion
Today, May 27, 2026, we've identified 12 critical security threats across npm, PyPI, and supply-chain ecosystems. These vulnerabilities, detected in the past 24 hours, pose significant risks to software development.
| # | Package / Advisory | Ecosystem | Severity | Fix |
|---|---|---|---|---|
| 1 | FUXA · CVE-2026-43945 | npm | CRITICAL | Update |
| 2 | FUXA · CVE-2026-43947 | npm | CRITICAL | Update |
| 3 | Laravel Lang Supply Chain Advisory | Composer | CRITICAL | Uninstall / Audit |
| 4 | durabletask | PyPI | CRITICAL | Uninstall / Audit |
| 5 | AntV Supply Chain Attack | npm | CRITICAL | Uninstall / Audit |
| 6 | node-ipc | npm | CRITICAL | Uninstall / Audit |
| 7 | TanStack Packages | npm | CRITICAL | Uninstall / Audit |
| 8 | lightning | PyPI | CRITICAL | Uninstall / Audit |
| 9 | FUXA · CVE-2026-43946 | npm | HIGH | Update |
| 10 | yeoman-environment · CVE-2026-42089 | npm | HIGH | 6.0.1 |
| 11 | Armoli Technology Cargo Tracking System · CVE-2023-2065 | Cargo | HIGH | Update |
| 12 | Log4j 1.x JMSSink · CVE-2022-23302 | Maven | HIGH | Migrate away / Update |
| 13 | Langflow · CVE-2025-34291 | PyPI | HIGH | Update |
| 14 | Argo CD · CVE-2022-24348 | GitHub Actions | HIGH | Upgrade |
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
Ecosystem: npm · CVE: CVE-2026-43945 · Severity: CRITICAL
This vulnerability chain in FUXA (v1.3.0-2706) allows unauthenticated remote attackers to achieve full Remote Code Execution (RCE) as root, even in secure configurations.
Action Required: Upgrade to a version that addresses this vulnerability.
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
Ecosystem: npm · CVE: CVE-2026-43947 · Severity: CRITICAL
A vulnerability in FUXA's POST /api/runscript endpoint allows unauthenticated attackers to execute arbitrary code via test mode if a server-side script exists.
Action Required: Upgrade to a version that addresses this vulnerability.
Laravel Lang Supply Chain Advisory
Ecosystem: Composer · Severity: CRITICAL
Hundreds of historical Laravel Lang Packagist releases were republished with malicious code, risking credential theft and secret exfiltration.
Action Required: Remove or audit any Laravel Lang packages installed from Packagist. Use trusted sources for dependencies.
The AntV Supply Chain Campaign Expands: Microsoft's durabletask PyPI Package Compromised
Ecosystem: PyPI · Severity: CRITICAL
The AntV supply chain attack campaign has compromised durabletask, a Microsoft-associated Python package on PyPI, potentially exposing users to malicious code.
Action Required: Remove or audit any durabletask packages installed from PyPI. Use trusted sources for dependencies.
Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account
Ecosystem: npm · Severity: CRITICAL
A compromised npm maintainer account led to the automated release of over 300 malicious package versions in the AntV ecosystem as part of the Mini Shai-Hulud campaign.
Action Required: Audit your dependencies for any AntV packages. Remove or revert to known good versions.
Malicious node-ipc versions published to npm in suspected maintainer account compromise
Ecosystem: npm · Severity: CRITICAL
Multiple malicious versions of the popular node-ipc npm package were published to the npm registry, posing a risk to users.
Action Required: Audit your dependencies for node-ipc. Remove or revert to known good versions.
TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack
Ecosystem: npm · Severity: CRITICAL
The Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages, chaining GitHub Actions vulnerabilities to achieve supply chain attacks with valid SLSA Build Level 3 attestations.
Action Required: Audit your dependencies for @tanstack/* packages. Remove or revert to known good versions.
lightning PyPI Compromise: A Bun-Based Credential Stealer in Python
Ecosystem: PyPI · Severity: CRITICAL
A malicious release of the lightning PyPI package includes a credential-stealing Bun payload that runs on import, potentially compromising user credentials.
Action Required: Remove or audit any lightning packages installed from PyPI. Use trusted sources for dependencies.
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
Ecosystem: npm · CVE: CVE-2026-43946 · Severity: HIGH
An authorization bypass in FUXA's /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.
Action Required: Upgrade to a version that addresses this vulnerability.
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Ecosystem: npm · CVE: CVE-2026-42089 · Severity: HIGH
yeoman-environment versions >= 2.9.0 and < 6.0.1 can install arbitrary packages without confirmation, leading to potential code execution during CLI bootstrap.
Action Required: Upgrade to version 6.0.1 or later.
CVE-2023-2065 - Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authent
Ecosystem: Cargo · CVE: CVE-2023-2065 · Severity: HIGH
An authorization bypass vulnerability in Armoli Technology Cargo Tracking System allows for authentication abuse and bypass.
Action Required: Upgrade to a version that addresses this vulnerability.
CVE-2022-23302 - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write acce
Ecosystem: Maven · CVE: CVE-2022-23302 · Severity: HIGH
Log4j 1.x's JMSSink is vulnerable to deserialization of untrusted data, potentially leading to remote code execution if configured with an attacker-accessible LDAP service.
Action Required: Upgrade to Log4j 2.x or migrate away from JMSSink.
CVE-2025-34291 - Langflow Origin Validation Error Vulnerability
Ecosystem: PyPI · CVE: CVE-2025-34291 · Severity: HIGH
Langflow contains an origin validation error vulnerability due to permissive CORS configuration, allowing malicious webpages to perform cross-origin requests with credentials and potentially achieve system compromise.
Action Required: Upgrade to a version that addresses this vulnerability.
Lessons learned from the Argo CD zero-day vulnerability (CVE-2022-24348)
Ecosystem: GitHub Actions · CVE: CVE-2022-24348 · Severity: HIGH
This vulnerability in Argo CD highlights the risks of supply chain attacks and the importance of securing CI/CD pipelines.
Action Required: Upgrade Argo CD to a patched version.
Automated daily digest — feedback welcome. Repo: https://github.com/Deam0on/wakellm
Technical Details
- Source Type: Subreddit (cybersecurity)
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":53,"reasons":["external_link","newsworthy_keywords:cve-","security_identifier","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":["cve-"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a16f9aae29bf47b50c0d289
Added to database: 5/27/2026, 2:03:22 PM
Last updated: 5/27/2026, 2:03:33 PM