Cybersecurity
$20 Zero-Days: WordPress Plugins Are Now AI Hunting Grounds
A three-day AI pipeline found 300+ WordPress plugin zero-days at $20 each. The disclosure infrastructure isn't ready, and attackers are already running the same playbook.
GitHub Breach via Nx Console Extension Exposes 3,800 Repos
TeamPCP exfiltrated 3,800 GitHub internal repos through a poisoned Nx Console extension that was live for 18 minutes. The real story is how platform teams price developer tooling risk.
Drupal CVE-2026-9082 Forces PostgreSQL Shops Into Patch Triage
A highly critical Drupal Core flaw, CVE-2026-9082, lets anonymous attackers hit PostgreSQL-backed sites with SQL injection that can escalate to remote code execution.
Exchange Zero-Day CVE-2026-42897 Under Attack, No Patch in Sight
A spoofing zero-day in Exchange OWA is being actively exploited, CISA has it on KEV, and Microsoft has no patch ETA. The boring bugs keep winning.
Next.js SSRF Flaw Lets Attackers Steal Cloud Credentials
CVE-2026-44578 turns the Next.js WebSocket upgrade path into an attacker's proxy. Self-hosted apps are exposed, Vercel deployments are not. Patch now.
NGINX Rift: 18-Year-Old Rewrite Flaw Enables Unauth RCE
A heap overflow in NGINX's rewrite module sat undisturbed for 18 years. Now CVE-2026-42945 lets an unauthenticated attacker land RCE with a single HTTP request.
Foxconn Confirms Nitrogen Ransomware Hit on North American Plants
Nitrogen claims 8TB and 11 million files from Foxconn's North American plants, including network topology maps for Intel, Google, and AMD. The supply chain bill comes due.







