$148,337 #BugBounty paid by Google to a researcher (@brutecat) who found debug endpoints on Google Cloud that allowed configuring privileged workflows, leading to full #RCE in Google Cloud production (CVE-2026-2031)
#CloudSecurity #BugBountyTips
https://brutecat.com/articles/google-cloud-rce/
StubZero: $148,337 RCE in Google Cloud Production
A chance Discord message, two missing pieces, and one hour before the window closed: From info leak to RCE on Google Cloud. Three months later, it happened again.
#Laravel-lang: Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer #Malware
Attackers injected a credential stealer into 200+ Laravel-lang package versions by pushing tags tied to attacker-controlled forks:
#SoftwareSupplyChain
https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer

Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
Attackers injected malicious code into 200+ versions of popular Laravel-Lang packages, delivering a credential stealer targeting cloud keys, SSH keys, browsers, crypto wallets and more.
#WhatsApp: Texas Attorney General Sues #Meta Claiming WhatsApp and Meta are continuing to willfully deceive Texans by misrepresenting that their private communications are encrypted when "in fact Meta employees have access to all WhatsApp messages":
https://arstechnica.com/security/2026/05/texas-ag-sues-meta-over-claims-that-whatsapp-doesnt-provide-end-to-end-encryption/

Texas AG sues Meta over claims that WhatsApp doesn't provide end-to-end encryption
Critics note a lack of factual support in lawsuit filed by US Senate candidate.
Ars Technica
Another mini-#ShaiHulud worm attack last night impacted over 639 versions of packages in the #NPM '@antv' ecosystem. The full Mini Shai-Hulud campaign now impacts 1000+ versions across 500+ unique packages. The campaign spans npm, #PyPI, and #Composer:
https://socket.dev/blog/antv-packages-compromised
Active Supply Chain Attack Compromises @antv Packages on npm
Active npm supply chain attack compromises @antv packages in a fast-moving malicious publish wave tied to Mini Shai-Hulud.
Socket
#NPM: Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS #Malware:
The malicious packages are:
* chalk-tempalte
* @deadcode09284814/axios-util
* axois-utils
* color-style-utils
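As an added example (not code from the Hacker News write-up or from any of the packages it names), the script below scans an npm package-lock.json for the four names listed above and, as a generalisation, flags look-alike names close to a small allowlist of legitimate packages. The KNOWN_GOOD allowlist, the sample lock file and its version numbers are constructed for the demo and are not from the article.

```python
# Added example (not from the Hacker News write-up or any project it names):
# scan a package-lock.json (lockfileVersion 2 or 3) for the four package names
# reported above, and flag look-alike names near a small allowlist.
import json

# Exact package names from the write-up.
MALICIOUS_PACKAGES = frozenset({
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-utils",
})

# Assumed allowlist of legitimate names the typosquats imitate. Illustrative
# only, not from the write-up; build it from your own dependency set.
KNOWN_GOOD = frozenset({"chalk", "chalk-template", "axios"})


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs included)."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def lookalike(name: str, known_good=KNOWN_GOOD, max_dist: int = 2):
    """Return a known-good name this one resembles but does not equal, else None.
    Both the unscoped name and its first hyphen segment are compared, so
    'axois-utils' is checked against 'axios' as well as against the full name."""
    unscoped = name.rsplit("/", 1)[-1]
    for cand in sorted({unscoped, unscoped.split("-", 1)[0]}):
        if cand in known_good:
            continue  # exact legitimate name, not a typosquat
        for good in sorted(known_good):
            if levenshtein(cand, good) <= max_dist:
                return good
    return None


def scan_lock(lock_text: str):
    """Parse a package-lock.json and return blocklist hits and look-alike suspects."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("expects lockfileVersion 2 or 3 (uses the 'packages' map)")
    blocklisted, suspects = [], []
    for key, meta in lock.get("packages", {}).items():
        if "node_modules/" not in key:
            continue  # skips the "" root entry and workspace links
        name = package_name(key)
        if name in MALICIOUS_PACKAGES:
            blocklisted.append((name, meta.get("version", "?")))
        good = lookalike(name)
        if good is not None:
            suspects.append((name, good))
    return {"blocklisted": sorted(blocklisted), "typosquat_suspects": sorted(suspects)}


# Constructed sample lock file; package versions here are made up for the demo.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.6.0"}},
        "node_modules/axios": {"version": "1.6.0"},
        "node_modules/chalk-tempalte": {"version": "1.0.2"},
        "node_modules/color-style-utils": {"version": "0.3.1"},
        "node_modules/@deadcode09284814/axios-util": {"version": "2.0.0"},
        "node_modules/some-dep": {"version": "4.1.0"},
        "node_modules/some-dep/node_modules/axois-utils": {"version": "1.1.0"},
    },
})

if __name__ == "__main__":
    report = scan_lock(SAMPLE_LOCK)
    for name, version in report["blocklisted"]:
        print(f"BLOCKLISTED {name}@{version}")
    for name, good in report["typosquat_suspects"]:
        print(f"LOOKALIKE   {name} resembles {good}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents. The exact-name check is the one that matters for the incident above; the edit-distance heuristic is a coarse extra net and will need a project-specific allowlist and a review of its hits before any action is taken.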
https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
4 malicious npm packages with 3,006 downloads spread stealers and Phantom Bot, forcing removals and secret rotation.
The Hacker News
#NGINX: An 18-year-old RCE vulnerability CVE-2026-42945 in the rewrite module enables server takeover. Update to NGINX 1.31.0 or 1.30.1 immediately!
https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
NGINX Rift CVE-2026-42945 scores 9.2 after 18 years, enabling unauthenticated RCE or DoS via crafted HTTP requests.
The Hacker News
Official CheckMarx Jenkins package compromised with infostealer
Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace.
BleepingComputer
#npm: TanStack npm packages (84 in total) compromised in a supply chain hack utilising a malicious payload designed to destroy files on developer machines if a stolen GitHub token is revoked ("dead-man's switch"):
#SoftwareSupplyChainSecurity
https://snyk.io/blog/tanstack-npm-packages-compromised/

TanStack npm Packages Hit by Mini Shai-Hulud | Snyk
On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory, producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stolen, and what you need to do right now.
Snyk
The video recording of my talk "Automated Security Testing with OWASP Nettacker" from the NDC Security 2026 conference in Oslo is now available on YouTube:
#Nettacker
https://www.youtube.com/watch?v=pGkagJWAMKw
Automated Security Testing with OWASP Nettacker - Sam Stepanyan - NDC Security 2026
YouTube