Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets

A supply chain attack on Laravel-Lang involved rewriting all git tags across four Composer packages to inject a secret-stealing payload that triggers during the PHP autoload process.

**If your project uses any Laravel-Lang Composer packages (laravel-lang/lang, http-statuses, actions, or attributes), do not run `composer update`, and check whether your lockfile points to a tag pulled on or after May 22, 2026. If it does, assume every secret reachable from that build environment (CI tokens, cloud keys, GitHub PATs, deploy keys, database credentials) is stolen and rotate them all immediately. Block the domain flipboxstudio.info at your DNS and firewall, and only restore builds by pinning to a pre-attack commit SHA you've verified against a local clone.**
#cybersecurity #infosec #advisory #databreach
https://beyondmachines.net/event_details/laravel-lang-supply-chain-attack-every-tag-across-multiple-composer-packages-rewritten-to-steal-ci-secrets-l-n-i-d-r/gD2P6Ple2L

BeyondMachines
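A lockfile triage script for the check described in the post above, added here as an example and not code from the advisory or from the Laravel-Lang project: it parses a composer.lock, flags entries for the four named packages that are dated on or after May 22, 2026 or carry no date at all, and returns the pinned reference so it can be compared against a local clone. The full names of the http-statuses, actions and attributes packages are assumed to carry the laravel-lang/ vendor prefix, and the sample lockfile, versions and SHAs are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Packages named in the advisory. The vendor prefix on the last three is
# an assumption; the post lists them only by their short names.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/actions", "laravel-lang/attributes"}
ATTACK_START = datetime(2026, 5, 22, tzinfo=timezone.utc)

# Constructed sample composer.lock; versions and references are placeholders, not real SHAs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.3.0",
         "source": {"type": "git", "reference": "pre-attack-sha-placeholder"},
         "time": "2026-03-01T09:00:00+00:00"},
        {"name": "laravel-lang/attributes", "version": "2.10.0",
         "source": {"type": "git", "reference": "post-attack-sha-placeholder"},
         "time": "2026-05-23T02:14:00+00:00"},
        {"name": "monolog/monolog", "version": "3.5.0",
         "time": "2026-01-10T00:00:00+00:00"},
    ],
    "packages-dev": [
        {"name": "laravel-lang/actions", "version": "1.8.0",
         "source": {"type": "git", "reference": "undated-sha-placeholder"}},
    ],
})


def audit_lockfile(lock_json: str) -> list[dict]:
    """Return one finding per affected package present in the lockfile."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") not in AFFECTED:
                continue
            stamp = pkg.get("time")
            released = datetime.fromisoformat(stamp) if stamp else None
            if released is not None and released.tzinfo is None:
                released = released.replace(tzinfo=timezone.utc)
            # Dated on/after the attack window, or undated: treat as suspect.
            # Commit dates can be forged, so a clean date only narrows the list;
            # the reference must still be verified against a local clone.
            suspect = released is None or released >= ATTACK_START
            findings.append({"package": pkg["name"], "section": section,
                             "reference": (pkg.get("source") or {}).get("reference"),
                             "time": stamp, "suspect": suspect})
    return findings
```

Run it against your real composer.lock by passing the file contents to `audit_lockfile`; entries marked suspect are the ones to replace with a pre-attack SHA verified in a local clone.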

Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks

NGINX has disclosed a critical heap buffer overflow vulnerability (CVE-2026-9256) in its rewrite module that allows unauthenticated attackers to cause denial-of-service or execute arbitrary code. The flaw, known as nginx-poolslip, affects both Open Source and Plus versions and requires immediate patching or configuration changes.

**If you're running NGINX (Open Source or Plus), upgrade immediately to a patched version (1.30.2, 1.31.1, NGINX Plus R36 P5, R32 P7, or R37.0.1.1). If you can't patch right away, edit your config files to replace unnamed numeric capture groups (like $1, $2) in rewrite directives with named captures (like $user_id) as a temporary workaround.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/nginx-poolslip-vulnerability-enables-dos-and-code-execution-attacks-c-4-k-x-4/gD2P6Ple2L
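An added example, not code from NGINX or from the advisory, for the temporary workaround described above: it scans an nginx configuration for `rewrite` directives whose replacement still references unnamed numeric captures ($1, $2, ...) and produces the named-capture form. The config fragment is constructed, and the `capN` group names are an arbitrary choice.

```python
import re

# Constructed nginx.conf fragment: one rewrite that relies on unnamed numeric
# captures ($1, $2), one already using a named capture, and one with none.
SAMPLE_CONF = r"""
server {
    rewrite ^/users/(\d+)/posts/(\d+)$ /show.php?user=$1&post=$2 last;
    rewrite ^/profile/(?<user_id>\d+)$ /profile.php?id=$user_id last;
    rewrite ^/old-path$ /new-path permanent;
}
"""

REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)", re.MULTILINE)
NUMERIC_REF = re.compile(r"\$(\d+)")


def find_numeric_capture_rewrites(conf: str) -> list[dict]:
    """List rewrite directives whose replacement references $1-style captures."""
    findings = []
    for m in REWRITE_RE.finditer(conf):
        regex, replacement = m.group(1), m.group(2)
        refs = sorted({int(n) for n in NUMERIC_REF.findall(replacement)})
        if refs:
            findings.append({"line": conf.count("\n", 0, m.start()) + 1,
                             "regex": regex, "replacement": replacement,
                             "numeric_refs": refs})
    return findings


def to_named_captures(regex: str, replacement: str) -> tuple[str, str]:
    """Rename the N-th unnamed group to (?<capN>...) and $N to $capN."""
    # Simplified scanner: honours backslash escapes and [...] classes, which
    # covers typical rewrite patterns; review the output before deploying it.
    out, n, i, in_class = [], 0, 0, False
    while i < len(regex):
        c = regex[i]
        if c == "\\":                      # keep escapes such as \d or \( intact
            out.append(regex[i:i + 2]); i += 2; continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(" and not regex.startswith("(?", i):   # unnamed group
            n += 1
            out.append(f"(?<cap{n}>"); i += 1; continue
        out.append(c); i += 1
    return "".join(out), NUMERIC_REF.sub(lambda m: f"$cap{m.group(1)}", replacement)
```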

Ubiquiti Patches Three Critical CVSS 10.0 Vulnerabilities in UniFi OS

Ubiquiti patched five vulnerabilities in UniFi OS, including three critical flaws (CVSS 10.0) that allow unauthenticated remote attackers to execute commands, access files, and take over management consoles.

**Make sure all your UniFi devices (UDM, UNVR, UCG gateways, Cloud Keys, etc.) are isolated from the internet and accessible only from trusted networks. Then immediately update UniFi OS to the latest patched version for your model (5.1.12+ for most hardware, 5.0.8 for UniFi OS Server, 4.0.14 for Express) to fix critical flaws that let attackers fully take over your devices without any credentials.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/ubiquiti-patches-three-critical-cvss-10-0-vulnerabilities-in-unifi-os-g-s-1-t-m/gD2P6Ple2L

Google Releases Emergency Chrome Update, Patches 16 Flaws, Two Critical

Google released Chrome version 148.0.7778.178/179 to patch 16 security vulnerabilities, including two critical flaws in WebRTC and the UI component.

**One more huge patch for Chrome and Chromium-based browsers (Edge, Opera, Brave, Vivaldi...). Don't delay: it has 2 critical flaws and a whole bunch of others. Don't debate the severity, it's pointless. Updating the browser is easy, and all your tabs reopen after the patch.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/google-releases-emergency-chrome-update-patches-16-flaws-two-critical-5-s-g-0-r/gD2P6Ple2L

Qualys Security Advisory - Linux __ptrace_may_access() Logic Bug https://packetstorm.news/files/221749 #advisory
Packet Storm

Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers

FreeBSD Security Advisory - FreeBSD-SA-26:18.setcred https://packetstorm.news/files/221731 #advisory

FreeBSD Security Advisory - FreeBSD-SA-26:19.file https://packetstorm.news/files/221730 #advisory

FreeBSD Security Advisory - FreeBSD-SA-26:20.fusefs https://packetstorm.news/files/221729 #advisory

FreeBSD Security Advisory - FreeBSD-SA-26:21.ptrace https://packetstorm.news/files/221728 #advisory

FreeBSD Security Advisory - FreeBSD-SA-26:22.libcasper https://packetstorm.news/files/221727 #advisory