May 23, 2026 by sig9

Hacker Wars - May 23, 2026


Your daily dose of infosec chaos


AI is now finding vulnerabilities at a scale that would make a room full of pentesters weep, cPanel servers are getting popped via a CVSS 10.0, and the supply chain attack du jour has hit Laravel developers. Meanwhile, someone figured out how to hide C2 traffic behind 88 million trusted domains. Happy Saturday.


Claude Mythos AI Unearths 10,000 High-Severity Vulnerabilities

Anthropic’s Project Glasswing, a defensive cybersecurity initiative, has discovered over 10,000 high- or critical-severity flaws in systemically important open-source software since launching last month. The AI-powered vulnerability research program is essentially doing at machine speed what thousands of human researchers do manually - and finding bugs in software that underpins critical infrastructure worldwide.

What to do: If you maintain critical open-source projects, expect a wave of CVE disclosures and make sure reports can actually reach you (a published security contact and a working triage path). If you consume them, start reviewing your dependency tree now so you can patch quickly when the advisories land.


LiteSpeed cPanel Plugin CVSS 10.0 Under Active Exploitation

A maximum-severity vulnerability (CVE-2026-48172) in the LiteSpeed User-End cPanel Plugin is being actively exploited in the wild, allowing attackers to run arbitrary scripts as root on affected servers. The flaw is a textbook privilege assignment mistake with a perfect CVSS score - because of course it is. If you’re running LiteSpeed with cPanel, assume compromise until proven otherwise.

What to do: Patch the LiteSpeed cPanel plugin immediately. If you can’t patch right now, disable the plugin and audit your servers for signs of root-level script execution: unexpected UID 0 accounts, new cron entries, changes to root’s authorized_keys, and recently modified files in system and cPanel directories.


Underminr Bug Lets Attackers Camouflage C2 Traffic Behind Trusted Domains

A newly disclosed vulnerability dubbed “Underminr” affects roughly 88 million domains and allows attackers to hide command-and-control communications behind legitimate, trusted domain names. Because the destination is a domain your allow-lists already trust, reputation-based DNS filtering has nothing to block, and the malicious traffic looks like normal browsing to your favorite CDN or cloud provider.

What to do: Review your DNS filtering and network monitoring rules; domain reputation alone will not catch this. Add anomaly-based detection that correlates traffic patterns (per-host request cadence and volume to a destination) rather than relying solely on domain reputation lists.
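One pattern-based check that does not care whether the destination is reputable: beacon cadence. Malware polling its C2 tends to produce near-constant inter-request intervals per (source, destination) pair, while human browsing does not. This is an added example, not code from the bulletin or the Underminr research; the log format (an `epoch src dst` triple per line) and the two sample hosts are constructed, and the thresholds (minimum hits, maximum coefficient of variation) are assumptions to tune against your own proxy or DNS logs.

```python
"""Beacon-cadence detection over proxy/DNS logs.
Added example; log format, hosts and thresholds are constructed assumptions."""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 hits cdn.example.net every ~60s with tiny jitter
# (beacon-like); 10.0.0.9 hits the same trusted domain at irregular intervals.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i * 60 + (i % 3)} 10.0.0.5 cdn.example.net" for i in range(12)]
    + [f"{1700000000 + t} 10.0.0.9 cdn.example.net"
       for t in (5, 190, 201, 520, 533, 540, 700, 1100)]
)


def parse(log_text):
    """Yield (timestamp, src, dst) from 'epoch src dst' lines; skip malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def cadence_scores(log_text, min_hits=8):
    """Coefficient of variation (stdev/mean) of inter-request gaps for every
    (src, dst) pair with at least min_hits requests. Low = machine-like."""
    times = defaultdict(list)
    for ts, src, dst in parse(log_text):
        times[(src, dst)].append(ts)
    scores = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:  # duplicate timestamps only; nothing to measure
            continue
        scores[key] = statistics.pstdev(gaps) / mean
    return scores


def beacons(log_text, min_hits=8, max_cv=0.2):
    """(src, dst) pairs whose cadence is regular enough to look like C2 polling."""
    return sorted(k for k, cv in cadence_scores(log_text, min_hits).items() if cv <= max_cv)


if __name__ == "__main__":
    for (src, dst), cv in sorted(cadence_scores(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: cv={cv:.3f}")
    print("beacon candidates:", beacons(SAMPLE_LOG))
```

Real implants add jitter, so pair this with volume and time-of-day baselines rather than treating a single low-variance score as a verdict, and raise `min_hits` on busy networks to keep the noise down.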


Laravel Lang Supply Chain Attack Delivers Cross-Platform Credential Stealer

Attackers hijacked multiple Laravel Lang localization packages by abusing GitHub version tags to push malicious code through Composer. The payload is a sophisticated credential stealer targeting developer environments across platforms. The affected packages are widely used in the Laravel ecosystem, meaning a lot of developers may have pulled malware without realizing it.

What to do: Audit your Composer dependencies immediately. If you use laravel-lang packages, diff composer.lock against a known-good copy and look both for unexpected version bumps and for packages whose commit reference changed while the version string did not. Rotate any credentials that may have been exposed in your dev environment (SSH keys, API and cloud tokens, .env secrets).
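A composer.lock comparison that catches both kinds of change. Composer records, for every package, the version string plus the commit it resolved to (`source.reference` / `dist.reference`); if a git tag is moved to a different commit, one way version tags can be abused, the version stays the same but the reference changes, so the reference check is the one that matters here. This is an added example, not code from the bulletin or the Laravel Lang project; the two lock fragments, package versions and commit hashes are constructed, and `WATCH_PREFIXES` is an assumption naming the vendor in the advisory.

```python
"""Compare a known-good composer.lock with the current one.
Added example; lock contents below are constructed."""
import json
import sys

# Constructed lock fragments holding only the fields this check reads.
GOOD_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/common", "version": "6.4.0",
     "source": {"reference": "aaaa1111"}, "dist": {"reference": "aaaa1111"}},
    {"name": "laravel/framework", "version": "11.20.0",
     "source": {"reference": "bbbb2222"}, "dist": {"reference": "bbbb2222"}},
]})
NEW_LOCK = json.dumps({"packages": [
    # same version string, different commit: what a moved tag looks like
    {"name": "laravel-lang/common", "version": "6.4.0",
     "source": {"reference": "cccc3333"}, "dist": {"reference": "cccc3333"}},
    {"name": "laravel/framework", "version": "11.21.0",
     "source": {"reference": "dddd4444"}, "dist": {"reference": "dddd4444"}},
    {"name": "laravel-lang/lang", "version": "15.0.0",
     "source": {"reference": "eeee5555"}, "dist": {"reference": "eeee5555"}},
]})

WATCH_PREFIXES = ("laravel-lang/",)  # assumption: vendors named in the advisory


def index(lock_text):
    """name -> (version, reference) across packages and packages-dev."""
    data = json.loads(lock_text)
    out = {}
    for section in ("packages", "packages-dev"):
        for p in data.get(section, []):
            ref = ((p.get("source") or {}).get("reference")
                   or (p.get("dist") or {}).get("reference"))
            out[p["name"]] = (p.get("version"), ref)
    return out


def compare_locks(good_text, new_text):
    """Findings as (name, kind, detail); kind is 'added', 'version-bump' or 'moved-ref'."""
    good, new = index(good_text), index(new_text)
    findings = []
    for name, (ver, ref) in sorted(new.items()):
        if name not in good:
            findings.append((name, "added", f"{ver}@{ref}"))
            continue
        gver, gref = good[name]
        if ver != gver:
            findings.append((name, "version-bump", f"{gver} -> {ver}"))
        elif ref != gref:
            findings.append((name, "moved-ref", f"{ver}: {gref} -> {ref}"))
    return findings


def watched(findings):
    """Only the findings for vendors we are specifically worried about."""
    return [f for f in findings if f[0].startswith(WATCH_PREFIXES)]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python lockdiff.py known-good.lock composer.lock
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            found = compare_locks(a.read(), b.read())
    else:
        found = compare_locks(GOOD_LOCK, NEW_LOCK)
    for name, kind, detail in found:
        flag = "!!" if name.startswith(WATCH_PREFIXES) else "  "
        print(f"{flag} {kind:12} {name} {detail}")
```

A `moved-ref` on a package you did not deliberately update is the finding to chase first: pull the two commits from the package repository and diff them before trusting anything built from the newer lock.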


npm Introduces 2FA-Gated Publishing To Fight Supply Chain Attacks

GitHub has rolled out staged publishing for npm, requiring maintainers to explicitly approve releases before packages go live. The feature adds a critical gate against compromised maintainer accounts pushing malicious updates automatically. It’s a welcome defensive move in an ecosystem that has been rocked by supply chain attacks.

What to do: Enable staged publishing on your npm packages. If you maintain popular libraries, turn on 2FA and review your publish workflow so that no single compromised long-lived token can push a release to production on its own.


Catch you tomorrow. In the meantime, go check your attack surface.


Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

This bulletin is provided for informational purposes. Contact us for tailored security analysis.