VYPR
AI Brief2026-05-31· generated May 31, 2026

TanStack Supply-Chain Worm Added to KEV

CISA flags a TanStack npm supply-chain worm as actively exploited, while critical flaws hit Dokploy, Chrome, and industrial IoT converters.

The TanStack npm supply-chain attack (CVE-2026-45321) has been elevated to CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. On May 11, 2026, an attacker published 84 malicious versions across 42 @tanstack/* npm packages over a six-minute window, authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding. As The Hacker News reported, this campaign — dubbed "Mini Shai-Hulud" by Tenable — also compromised Mistral AI, Guardrails AI, and other packages, spreading as a worm that harvested npm tokens from infected CI/CD environments. Tenable's detailed FAQ notes the attacker leveraged the stolen tokens to publish additional malicious packages, creating a self-propagating supply-chain infection. With a CVSS 9.6 and a risk score of 0.82, this is the highest-signal event in today's window. Organizations using TanStack packages should immediately audit their npm lockfiles for the malicious versions published between 19:20 and 19:26 UTC on May 11, rotate any exposed npm tokens, and review CI/CD pipeline trust configurations.

Two critical-severity vulnerabilities in Dokploy (CVE-2026-45629, CVE-2026-45632) expose self-hosted PaaS instances to unauthenticated schedule manipulation and authenticated remote code execution. CVE-2026-45632 (CVSS 9.9) allows any authenticated user to create, update, run, or delete schedules belonging to any organization due to missing role checks in the schedule router. CVE-2026-45629 (CVSS 9.9) is an authenticated OS command injection in the /listen-deployment WebSocket endpoint, enabling any organization member to execute arbitrary system commands on remote servers. As Vypr Intelligence reported, these are part of a broader disclosure of 10 critical flaws in Dokploy, including path traversal and hardcoded secrets. Dokploy versions 0.28.8 and earlier are affected; administrators should upgrade immediately and review organization membership for unauthorized accounts.

Google Chrome 148 patches 151 vulnerabilities, including CVE-2026-9874, a critical use-after-free in Dawn that could enable sandbox escape. CVE-2026-9874 (CVSS 9.6) allows a remote attacker to escape Chrome's sandbox via a crafted HTML page, bypassing one of the browser's primary security boundaries. SecurityWeek and Cyber Security News both report that 22 of the 151 patches address critical-severity issues. Given Chrome's ubiquity in enterprise environments, this update should be treated as urgent — sandbox escape vulnerabilities are frequently weaponized in exploit chains for initial access and lateral movement. Users should ensure browsers auto-update or apply the patch via enterprise management tools.

CISA published an ICS advisory for the Jinan USR IOT USR-W610 converter (CVE-2026-7786), which contains plaintext administrative credentials embedded in firmware. CVE-2026-7786 (CVSS 9.8) affects the USR-W610 RS232/485 to Wi-Fi/Ethernet converter, a device commonly used in industrial and small-business environments to bridge serial equipment to IP networks. The embedded credentials can be extracted through firmware analysis, granting an attacker full administrative access to the device. As CISA's advisory and Vypr Intelligence's analysis note, this is part of a broader batch of nine ICS vulnerabilities spanning maritime, medical, and surveillance equipment. Organizations using PUSR converters should change default credentials immediately, restrict network access to the management interface, and monitor for firmware updates from the vendor.

Gladinet Triofox Cloud Server Agent (CVE-2026-8364, CVE-2026-8363, CVE-2026-8362) exposes three critical unauthenticated vulnerabilities, including remote code execution via stack-based buffer overflows. The Triofox Cloud Server Agent Service listens on TCP port 7878 and processes HTTP messages. CVE-2026-8364 (CVSS 9.8) allows unauthenticated attackers to access multiple endpoints including /resources, /status, /sysinfo, and /Settings. CVE-2026-8363 (CVSS 9.8) is a stack-based buffer overflow in WOSDeviceDropFolder.dll triggered by a long URL path starting with /resources. CVE-2026-8362 (CVSS 9.8) is a similar overflow in WOSDefaultHttpModule.dll via a long /woshome path. These vulnerabilities can be chained for unauthenticated remote code execution on the server. Organizations running Triofox should immediately restrict access to TCP 7878 to trusted networks and apply any available vendor patches.

Several other critical vulnerabilities warrant attention, including Oracle E-Business Suite flaws, a Microsoft Planetary Computer Pro deserialization issue, and an OpenSSH X11 forwarding weakness. Oracle disclosed three critical-severity vulnerabilities: CVE-2026-46824 (CVSS 9.9) in Oracle Universal Work Queue, CVE-2026-46822 (CVSS 9.9) in Oracle iAssets, and CVE-2026-34311 (CVSS 9.8) in Oracle Hospitality OPERA 5 — all affecting versions 12.2.3-12.2.15 of E-Business Suite and requiring low-privileged network access. Microsoft's CVE-2026-41104 (CVSS 10.0) involves deserialization of untrusted data in Planetary Computer Pro, allowing unauthorized information disclosure. The OpenSSH client vulnerability CVE-2016-1908 (CVSS 9.8) — dating back to before version 7.2 — mishandles failed cookie generation for untrusted X11 forwarding, potentially allowing remote X11 clients to obtain trusted access. While some of these are older or lower-risk (EPSS scores of 0.00-0.02), their critical CVSS scores and broad deployment make them relevant for comprehensive vulnerability management.

Synthesized by Vypr AI
TanStack Supply-Chain Worm Added to KEV · VYPR