Skip to content
← All insights
Security & Trust

Security & Trust

Building digital trust starts with infrastructure. The security posture of your framework is the foundation.

Weak Randomness, Not Malware, Drained $3.1M in Crypto

431 wallets, five blockchains, one root cause: recovery phrases generated from a keyspace small enough to brute-force.

July 10, 2026 · 4 min read

25 CVEs in One Ubiquiti Bulletin, 100,000 UniFi Panels Already Indexed

Ubiquiti's July 8 advisory patches seven critical and eighteen high-severity UniFi OS vulnerabilities — against a backdrop of 100,000 previously indexed internet-facing instances.

July 8, 2026 · 4 min read

China-Aligned Hackers Chained Two Roundcube Flaws Against University Webmail. Both Were Patched Over a Year Ago.

A suspected China-aligned campaign chained an XSS flaw patched in August 2024 with an RCE patched in mid-2025 to compromise physics and engineering departments at U.S. and Canadian universities. The gap is not disclosure — it is deployment.

July 8, 2026 · 5 min read

BeyondTrust Auth Bypass Flaws Leave ~2,000 Instances Internet-Reachable

Two critical authentication bypasses in BeyondTrust RS and PRA join a cPanel/WHM KEV entry from the same month — both granting privileged infrastructure control via a web-accessible login.

July 8, 2026 · 4 min read

An AI Agent Builder Just Landed on CISA's Exploited-Vulnerability List

Langflow, a visual builder for AI agents, joins CISA's KEV catalog after attackers used a broken authorization flaw to harvest LLM credentials and hijack compute.

July 8, 2026 · 4 min read

Joomla Page Builder Flaw Lands on CISA's Actively Exploited Vulnerability List

CVE-2026-56290 allows unauthenticated file uploads on Joomla sites — CISA confirms active exploitation.

July 8, 2026 · 5 min read

Gitea Docker Flaw: From Disclosure to Active Probing in 13 Days

A CVSS 9.8 authentication bypass in Gitea Docker images was under active probing within 13 days of disclosure. The flaw requires a non-default configuration — but the Docker image ships with that configuration enabled.

July 8, 2026 · 4 min read

ColdFusion's 3-Day Federal Patch Order Exposes a Blind Spot in Web Intelligence

A maximum-severity, actively exploited ColdFusion flaw triggered the harshest tier of CISA's new standing directive — on a platform most monitoring tools never see coming.

July 8, 2026 · 5 min read

The Ghost Certificate: ADFS Signing Keys Survive Password Rotations, Reboots, and Every Credential Dump Detector.

Mandiant recovered active ADFS token-signing keys from Machine DPAPI without touching LSASS or the live service process. The forged SAML token granted Global Administrator access to a federated Microsoft 365 tenant. MFA, Conditional Access, and all identity controls were bypassed.

July 8, 2026 · 6 min read

FBI and Google Shut Down a 2M-Device Smart TV Botnet

NetNut enrolled smart TVs and streaming boxes into a residential proxy network via pre-installed SDKs. 316 distinct threat clusters used it in a single week. Google disabled the C2 infrastructure. The supply chain was the infection vector.

July 5, 2026 · 5 min read

New Malware Steals AI Coding Tool Credentials

A new cross-platform infostealer deployed through a SimpleHelp authentication bypass explicitly targets AI development assistant tokens, cloud platform credentials, and package registry keys. The attack surface is not the code — it is the developer.

July 5, 2026 · 5 min read

Two Cursor IDE Flaws Let Attackers Escape the Sandbox

CVE-2026-50548 and CVE-2026-50549 — dubbed DuneSlide — let a prompt injection escape Cursor's sandbox and execute arbitrary commands with developer privileges. More than half the Fortune 500 use Cursor. Every version before 3.0 was vulnerable.

July 4, 2026 · 5 min read

28 CVEs in Claude Code: AI Coding Tools as Attack Surface

Anthropic's Claude Code has accumulated 28 CVEs in its first year, including two CVSS 10.0 critical sandbox escapes. CVE-2026-46406, the latest, let any local user read secrets from a predictable temp file path. When the security tool becomes the attack surface, every assumption changes.

July 4, 2026 · 6 min read

The Zero-CVE Cohort Is Growing. Hugo, Astro, and HTMX Are Gaining Share Where It Matters.

Frameworks with zero or near-zero critical CVEs hold 3.5% of the Tranco top 10K — and all of them are growing. Hugo, Astro, and HTMX share a trait: minimal attack surface by design.

July 3, 2026 · 5 min read

STOCKSTAY: Turla's .NET Backdoor and the Expanding Nation-State Arsenal

Google Threat Intelligence Group documents a modular .NET implant that Turla has been developing since 2022 — one more tool in an apparatus that has compromised victims across 50+ countries.

July 2, 2026 · 5 min read

Three Path Traversal CVEs Hit the Libraries That Move Every OCI Artifact

ORAS Go and Java SDKs — used by Azure ACR, AWS ECR, Docker Hub, Helm, and Notation — disclosed symlink and hardlink escape flaws that let a malicious artifact write files outside the extraction directory.

July 2, 2026 · 5 min read

goshs WebDAV Bug: Access Controls That Never Worked

CVE-2026-50138 reveals that goshs --read-only, --upload-only, and --no-delete flags are silently ignored when WebDAV is enabled. Configuration theater in a tool used by developers and red teamers.

July 2, 2026 · 4 min read

A Serverless Escape Bug Shows What the AI Web Actually Runs On

A container isolation flaw in a serverless platform reveals what infrastructure sits beneath AI agent workloads.

July 1, 2026 · 5 min read

Mandiant: ViewState Deserialization Compromised Enterprise LMS in 2025

A Mandiant breach response finds ViewState deserialization actively exploited in enterprise learning systems.

June 30, 2026 · 5 min read

Logged In Is Not Authorized: Subsonic API IDOR Exposes All User Data

In gonic's Subsonic API, any authenticated user can read or delete any other user's data — BOLA confirmed as API risk #1

June 30, 2026 · 5 min read

Two Attack Surfaces: The Compound Risk Your Framework Audit Cannot See

Framework intelligence covers one layer. The management plane beneath your stack is an untracked second variable.

June 30, 2026 · 5 min read

pnpm Token Leak: Registry Config Forwards npm Credentials

GHSA-cjhr-43r9-cfmw catalogs how repository .npmrc redirects developer credentials to attacker-controlled registries.

June 30, 2026 · 5 min read

The Filesystem Write That Framework Scanners Cannot See

A self-hosted music server flaw illustrates the gap between web perimeter scores and host-level risk

June 30, 2026 · 4 min read

pnpm configDependencies Creates Repository-Controlled Install Engine Path

GHSA-gj8w-mvpf-x27x: Repository-level settings can redirect pnpm to a native install engine without contributor awareness

June 29, 2026 · 5 min read

pnpm Lockfile Flaw Puts Next.js Build Pipelines at Execution Risk

GHSA-w466-c33r-3gjp: a crafted lockfile can redirect which pnpm binary runs before a dependency is installed

June 29, 2026 · 5 min read

pnpm Leaks Developer Secrets Before Scripts Execute

A config-phase flaw expands environment secrets into registry requests — before any lifecycle script runs

June 29, 2026 · 5 min read

Decompilation AI Matures: Closed-Source Plugin Opacity Collapses

Techniques that rebuilt GameCube games from binary are now trained on the web's encrypted plugin ecosystem

June 29, 2026 · 5 min read

WordPress Invoice Generator: Unauthenticated Visitors Can Become Admin. CVSS 9.8. No Exploit Kit Required.

CVE-2026-12415: wp_ajax_nopriv_pravel_invoice_edit_account requires no capability check. Any unauthenticated request escalates to administrator. Plugin Roulette claims another round.

June 28, 2026 · 4 min read

Node.js TLS Hostname Bypass: NVD Says CVSS 9.8. HackerOne Says 5.6. Every Framework Built on Node Is Caught in the Middle.

CVE-2026-48930: embedded nul-bytes in hostnames cause silent authority rebinding via C-string truncation. Node.js 22, 24, and 26 affected. The severity dispute exposes a scoring system failure.

June 28, 2026 · 6 min read

Nezha Monitoring: Pre-Auth Config Leak + Cross-Tenant Terminal Hijack. The Observability Pattern Continues.

CVE-2026-53519 (CVSS 9.1) leaks jwt_secret_key via path traversal. A second flaw (CVSS 9.9) lets any authenticated user hijack another's live terminal. 10K-star self-hosted monitoring platform.

June 28, 2026 · 5 min read

One Login, Any Resource: IDOR Hits the Subsonic API Layer

GHSA-hmgp-w9jm-vp95 shows how authenticated-not-authorized gaps become systemic when machine clients hold the credentials

June 28, 2026 · 5 min read

Gonic Music Server: Any Logged-In User Can Write Arbitrary Files to the Host

The createPlaylist endpoint in gonic accepts unconstrained file paths. Authentication gates the door; nothing gates the filesystem behind it.

June 28, 2026 · 5 min read

One Valid Login, Every Resource: The IDOR Gap That Scales with AI Agents

Authentication passed. Authorization was absent. How a gonic Subsonic API flaw illustrates the gap AI agents exploit at scale.

June 28, 2026 · 4 min read

A Python .pth File Ran Before Import. AI Routing Library semantic-router Shipped Compromised Credentials Harvester.

semantic-router pulled a compromised wheel via its AI dependency chain. A .pth file executed on Python startup — no import needed — exfiltrating AWS, GCP, Azure creds, SSH keys, and Kubernetes configs.

June 27, 2026 · 6 min read

pnpm Discloses 8 CVEs in One Day. Your Lockfile Is the Exploit.

Path traversal, manifest spoofing, hoisted alias escapes, arbitrary deletion — 8 distinct vulnerabilities in the package manager that Next.js, Nuxt, and Astro depend on. The supply chain attack surface just moved from packages to package managers.

June 27, 2026 · 6 min read

Fluentd RCE via Tag Injection (CVE-2026-44024, CVSS 9.8): The Observability Stack Just Became the Attack Surface

A ${tag} placeholder in Fluentd's output path enables arbitrary file write on the host. The CNCF-graduated log collector running in millions of Kubernetes pods is the vulnerability.

June 27, 2026 · 5 min read

Cursor AI Editor: Two CVSS 9.8 Sandbox Escapes Let a Malicious Agent Write Anywhere on Disk

CVE-2026-50548 and CVE-2026-50549: working directory manipulation and symlink canonicalization bypass in Cursor pre-3.0. The AI coding tool that developers trust with filesystem access had no real sandbox.

June 27, 2026 · 5 min read

North Korea Hijacked an AI Agent Framework With 8M Weekly Downloads. It Took 88 Minutes.

Sapphire Sleet compromised 141 packages in the @mastra npm scope — a TypeScript framework for building AI agents and RAG pipelines. Any CI/CD pipeline running npm install was owned. The supply chain target has shifted from legacy CMS to AI tooling.

June 26, 2026 · 5 min read

The Cybersecurity Industry Got Breached Through a Sales Tool. OAuth Tokens Are the New Skeleton Keys.

Attackers compromised Klue's Salesforce integration using a legacy credential, harvested OAuth tokens, and exfiltrated data from HackerOne, Snyk, Huntress, Recorded Future, BeyondTrust, and LastPass in 15 minutes.

June 26, 2026 · 5 min read

Netflix's Lemur Shows Why JWT Algorithm Pinning Is Non-Negotiable

CVE-2026-55165 exposes a textbook auth bypass in a Flask-based certificate manager trusted by enterprises

June 26, 2026 · 4 min read

i18next Prototype Pollution: The Translation Layer Nobody Thought to Secure.

CVE-2026-48713 and CVE-2026-48714 hit the npm ecosystem's dominant internationalisation library. Both scored CVSS 9.1. The second vulnerability bypassed the fix for the first using dotted __proto__ variants. Every Next.js, React, Angular, and Vue app using i18next was exposed.

June 26, 2026 · 5 min read

A Permission Callback That Returns True. 100,000 WordPress Sites Leaked Live API Keys. 17 Million Attacks Followed.

CVE-2026-4020 in Gravity SMTP exposes a REST endpoint that dumps 365KB of live credentials — Amazon SES, Google, Mailjet, Zoho OAuth tokens. Patched in March. Mass exploitation started in June. 17M+ attempts blocked.

June 26, 2026 · 4 min read

Go's SSH Library Just Dropped 10 CVEs in One Day. One Is a Perfect 10.0.

CVE-2026-46595 bypasses public key authentication entirely. CVE-2026-39831 defeats hardware security keys without physical touch. Go was supposed to be the memory-safe alternative. Its cryptographic foundation just cracked in ten places at once.

June 26, 2026 · 7 min read

FortiBleed: 86,000 Firewalls Compromised, 110 Million Credentials Harvested. Your Perimeter Just Became the Attack.

A Russian-speaking broker brute-forced 430,000 FortiGate devices. 86,644 fell. Custom sniffers harvested 110M+ credentials passing through compromised firewalls — including Chevron, Samsung, AT&T, Mercedes-Benz.

June 26, 2026 · 5 min read

Cordyceps: 300+ GitHub Repos at Microsoft, Google, Cloudflare Exploitable via CI/CD Flaws. Your Framework Is Only as Secure as Its Build Pipeline.

Novee Security scanned 30,000 high-impact repositories and found 300+ fully exploitable CI/CD pipelines — including Azure Sentinel, Google AI Agent Dev Kit, and Cloudflare Workers SDK. Any free GitHub account could forge approvals, push code, or steal credentials.

June 26, 2026 · 5 min read

Cisco SD-WAN Logs Its Seventh Zero-Day of 2026. CISA Deadlines Are Piling Up.

CVE-2026-20245 gives attackers root access via a crafted file upload. CVE-2026-20262 was exploited for months before patching. Mandiant traced one chain to a malicious CSV that opened a root shell. Seven zero-days in six months is not a vulnerability trend — it is an architectural failure.

June 26, 2026 · 6 min read

87% of Organisations Suffered an API Security Incident. The Worse Number Is the One That Went Down.

Akamai's 2026 study of 1,840 security leaders reveals that only 23% know which APIs return sensitive data — down from 40% in 2022. Organisations are spending more on API security and understanding less. AI is accelerating the gap.

June 26, 2026 · 7 min read

WordPress Has a 98% Exploit Probability Score. No Other Framework Comes Close.

EPSS — the model that predicts which vulnerabilities will actually be exploited — gives WordPress's worst CVE a 0.98 out of 1.0. Drupal is at 0.85. Magento at 0.97. The frameworks powering 80% of the web are also the most likely to be attacked.

June 25, 2026 · 5 min read

Three CVSS 9.5 Vulnerabilities in Ubiquiti UniFi. CISA Says Patch by Tomorrow. Ransomware Operators Are Already Inside.

CVE-2026-34908, 34909, 34910: access control bypass, path traversal, and command injection in UniFi OS. All CVSS 9.5. Active exploitation confirmed. CISA deadline: June 26.

June 25, 2026 · 4 min read

TrapDoor Plants Instructions Inside Your AI Coding Assistant. It Follows Them.

34 packages across npm, PyPI, and Crates.io hide zero-width Unicode instructions in .cursorrules and CLAUDE.md files. When Cursor or Claude Code opens the project, the AI runs a fake security scan that exfiltrates your secrets.

June 25, 2026 · 5 min read

30 Critical CVEs Disclosed in 24 Hours. Zero Patches Available. The Gap Is Getting Worse.

June 24-25: Rocket.Chat (4 auth bypasses), Cacti (4 unauthenticated SQLi), Gogs (CVSS 10.0 RCE), Chrome (2 sandbox escapes). None had patches at disclosure time. 76% spike from the prior period.

June 25, 2026 · 5 min read

100+ npm and PyPI Packages Compromised. Zero CVEs Filed. The Supply Chain Is Outrunning the Vulnerability System.

The Shai-Hulud, Miasma, and Hades campaigns have backdoored over 100 packages since June 1. None have CVE identifiers. No scanner catches what the system does not track.

June 25, 2026 · 5 min read

ShapedPlugin Backdoor: 400K WordPress Sites Exposed Through a Compromised Build Pipeline.

Attackers infiltrated ShapedPlugin's release process, injecting credential-stealing malware into Pro plugin updates distributed through official channels. CVE-2026-10735, CVSS 9.8.

June 25, 2026 · 5 min read

Gemini CLI Scored CVSS 10.0. A GitHub Issue Could Execute Arbitrary Commands on Your Build Server.

Google's own AI coding tool had a maximum-severity command injection flaw. In --yolo mode — commonly used in CI/CD — all tool allowlists were ignored. A malicious GitHub issue became an RCE.

June 25, 2026 · 4 min read

3 Frameworks Ship Zero GitHub Releases. 8 Ship 50+. The Release Transparency Divide Is a Security Signal.

WordPress, Django, and Drupal publish no GitHub releases. Next.js, Angular, and Laravel ship 50 per year. The difference determines how fast your team can patch.

June 24, 2026 · 5 min read

Spring's 6.82 Average CVSS: Enterprise Java's Severity Problem

Spring has only 46 total CVEs. Django has 294. Laravel has 218. But 54% of Spring's vulnerabilities are high or critical severity, its average CVSS is 6.82, and its security score just dropped 13.6 points in two months. Fewer CVEs does not mean safer.

June 24, 2026 · 6 min read

Magento: 6,767 Commits/Year, 288 CVEs. The Most Active Framework Is Still Losing.

Adobe pours more engineering hours into Magento than Google pours into Angular. The vulnerability count keeps climbing anyway.

June 24, 2026 · 5 min read

Flask: 56 Commits/Year, 71K Stars. 'Lightweight' Pushes Risk Where Nobody Is Looking.

Flask core is stable and patched. But nobody runs bare Flask. The real risk lives in the 10–20 community extensions every production app depends on — and no dashboard is watching them.

June 24, 2026 · 5 min read

Five Eyes: AI-Powered Cyber Attacks Are Months Away. Legacy Systems Are the First Target.

All five Five Eyes intelligence agencies issued a joint warning on June 23: frontier AI models will transform offensive cyber capabilities on a timeline of months, not years. Their first recommendation? Isolate or remove legacy systems.

June 24, 2026 · read

Three VPN Vendors Breached in One Month. The Perimeter Has Collapsed.

FortiNet, Palo Alto, Check Point: three vendors, three vectors, one structural conclusion in June 2026.

June 23, 2026 · 7 min read

Prinz Eugen Ransomware Encrypts Your Most Recent Files First

Go-based ransomware prioritizes recent files, drops no ransom note, uses RMM tools. Five victims incl. Standard Bank.

June 23, 2026 · 6 min read

Dashlane Vaults Stolen via TOTP Brute-Force. 2FA Has a Ceiling.

TOTP brute-force compromised ~20 Dashlane vaults. 1M combinations per 30-second window is a ceiling, not a wall.

June 23, 2026 · 6 min read

CVSS 9.8: Contact Form 7 HubSpot Plugin Allows Unauthenticated RCE

CVE-2026-49763: unauthenticated PHP Object Injection in the CF7-HubSpot bridge. Neither vendor caught it.

June 23, 2026 · 6 min read

Check Point VPN Zero-Day: Qilin Ransomware Had the Key Before the Patch

CVE-2026-50751 (CVSS 9.3): IKEv1 bypass in Check Point gateways. Qilin exploited before advisory. CISA KEV June 8.

June 23, 2026 · 7 min read

React Source Code Scan: 659 Security Issues, One Leaked GitHub Token

Security scan of React's repo surfaces a leaked GitHub token and 659 issues. Supply chain risk.

June 22, 2026 · 5 min read

Network-AI ApprovalInbox: No Authentication on AI Agent Approvals

GHSA-mxjx-28vx-xjjj: anyone on the network can approve AI agent actions. The approval layer is the gap.

June 22, 2026 · 5 min read

Gravity SMTP: One WordPress Plugin, 17 Million Exploit Attempts

CVE-2026-4020 exposes an unauthenticated REST API endpoint in Gravity SMTP that leaks email API keys for Amazon SES, Google, Mailjet, and Zoho. 100,000 sites affected. Attackers peaked at 4 million requests per day.

June 22, 2026 · 5 min read

EPSS Extremes: Four Frameworks Above 90% Exploitation Probability

React, Magento, Laravel, and WordPress carry CVEs with near-certain exploitation scores

June 22, 2026 · 5 min read

Cloudflare Quiche Use-After-Free: A CDN Flaw Is Everyone's Flaw

Use-after-free in Cloudflare's QUIC implementation affects the transport layer that proxies 20% of global web traffic.

June 22, 2026 · 4 min read

React Has 2 KEV Entries. One Scores 1.00 on EPSS. Frontend Isn't Safe.

React has 2 KEV entries, one with EPSS 1.00. Server-side rendering broke the frontend safety assumption.

June 21, 2026 · 4 min read

React Server Components Carry a DoS Flaw. Every RSC Framework Inherits It.

CVE-2026-23869 scores CVSS 7.5. A cyclic payload in React Flight protocol exhausts CPU for 60 seconds per request.

June 21, 2026 · 5 min read

Miasma Worm Hit 73 Microsoft Repos. The Target Was AI Coding Agents.

Malicious config files planted in Azure repos harvest credentials when opened in AI coding agents. 105-second sweep.

June 21, 2026 · 5 min read

Laravel's Core Email Handling Has a CRLF Injection Flaw. It's Not a Plugin.

CVE-2026-48019 allows email header manipulation via unsanitized CRLF sequences. A second CVE compounds the risk.

June 21, 2026 · 5 min read

CVE-2026-47291: The Invisible Layer Under Every Windows Web Server Just Got a CVSS 9.8.

HTTP.sys is the kernel-mode HTTP driver that underlies IIS, WCF, WinRM, ASP.NET, and every Windows web service. A specially crafted request exceeding 65,535 bytes triggers an integer overflow, heap buffer overflow, and arbitrary code execution with kernel privileges. No authentication. No user interaction. One HTTP request.

June 20, 2026 · 5 min read

Ghost CMS Hacked: 700+ Sites Hijacked for ClickFix Attacks. Harvard, Oxford, DuckDuckGo Among Victims.

CVE-2026-26980 is a CVSS 9.4 SQL injection in Ghost's Content API. Attackers extract admin API keys without authentication, inject malicious JavaScript into every article, and turn corporate blogs into malware distribution points. The 'modern WordPress alternative' has its own critical flaw.

June 20, 2026 · 6 min read

Drupal's 'Highly Critical' PostgreSQL Vulnerability: Unauthenticated RCE for the 5% Nobody Patches First.

CVE-2026-9082 enables unauthenticated information disclosure, privilege escalation, and remote code execution on Drupal sites using PostgreSQL. Drupal says less than 5% of sites use PostgreSQL. That 5% includes government agencies, universities, and enterprises that chose PostgreSQL for its reliability. They are now the target.

June 20, 2026 · 4 min read

One URL Parameter Turns a Craft CMS Editor Into an Admin. CVE-2026-32267 Is Authentication Design at Its Worst.

An editor creates a blog post. Clicks 'Preview.' Appends one URL parameter. They are now the admin. CVE-2026-32267 exposes a privilege escalation flaw in Craft CMS where preview tokens can be reused to impersonate any user — including the site administrator.

June 20, 2026 · 4 min read

Supply Chain Attacks in H1 2026: 4.5x the Volume of All 2025. The Attacks Now Spread Themselves.

May 2026 was the busiest month on record — 14 campaigns, 346 malicious packages in 31 days. Three campaigns hit npm, PyPI, and Docker Hub within 48 hours. The Shai-Hulud worm propagates through build systems. Package-level attacks are now automated.

June 19, 2026 · 6 min read

WordPress Plugins Bought, Then Backdoored: The Acquisition Supply Chain Attack

An unknown actor purchased popular WordPress plugins for hundreds of thousands of dollars, then injected backdoors into their codebases. A supply chain attack that money can buy.

June 18, 2026 · 5 min read

WordPress Breeze Cache Plugin Exploited: Unauthenticated File Upload, 170+ Attacks Observed

CVE-2026-3844 allows unauthenticated arbitrary file uploads through the Breeze caching plugin. This is not a cosmetic plugin — it is infrastructure. Exploitation is active.

June 18, 2026 · 4 min read

Shai-Hulud Defeated SLSA Provenance: The Supply Chain Defense Everyone Trusted Just Failed

The TanStack attack compromised 42 packages with 12 million weekly downloads. Malicious packages were indistinguishable from legitimate ones by provenance attestation. OpenAI confirmed two employee devices hit.

June 18, 2026 · 7 min read

Record-Breaking June 2026 Patch Tuesday: The Maintenance Burden That Never Ends

Microsoft, Spring, Node.js, and Oracle all shipped critical patches in one week. Organizations running legacy infrastructure face a patching treadmill with no exit.

June 18, 2026 · 4 min read

Open WebUI Vulnerabilities: The AI Tools We Depend On Have Their Own Security Holes

SSRF protection bypass and path traversal in Open WebUI. The tools organizations use to interact with AI models are themselves attack surfaces.

June 18, 2026 · 4 min read

Node.js June 17 Security Release Affects Every Modern JavaScript Framework

Critical patches across Node.js LTS lines. Next.js, Nuxt, Remix, Astro, SvelteKit — every Node-based framework inherits the vulnerability window.

June 18, 2026 · 4 min read

Miasma: RedHat npm Scope Hijacked to Target CI/CD, Cloud Credentials, and AI Dev Tooling

32 packages under @redhat-cloud-services compromised. A 4.2MB obfuscated payload executes on install, targeting GitHub credentials, npm tokens, cloud identities, and AI developer tools specifically.

June 18, 2026 · 5 min read

Kirki WordPress Plugin: CVSS 9.8 Flaw Exposes 500,000 Sites to Unauthenticated Takeover

A broken password reset mechanism in Kirki versions 6.0.0 through 6.0.6 lets unauthenticated attackers escalate privileges and take over WordPress admin accounts.

June 18, 2026 · 4 min read

Joomla JCE Scores a Perfect 10: CISA KEV, PHP Web Shells, Zero Authentication Required

CVE-2026-48907 is a CVSS 10.0 flaw in the Joomla Content Editor plugin. Attackers upload PHP web shells through unauthenticated profile imports. CISA orders federal agencies to patch by June 19.

June 18, 2026 · 5 min read

CISA Lost One-Third of Its Staff. The Agency That Tracks Exploited Vulnerabilities Is Being Hollowed Out.

The Stakeholder Engagement Division lost 96 of 189 staff since January 2025. CISA partnerships face 'standstill.' The government's central cybersecurity coordination capability is shrinking as attack surface expands.

June 18, 2026 · 5 min read

CISA Adds LiteSpeed cPanel Flaw to KEV Catalog: Root Escalation on Shared Hosting

CVE-2026-54420 lets attackers with FTP access escalate to root on shared hosting servers. Federal agencies must patch by June 18. Millions of WordPress sites run on affected infrastructure.

June 18, 2026 · 4 min read

Chrome Zero-Day CVE-2026-11645 Actively Exploited: The Browser Is the New Server

Out-of-bounds memory access in Chrome's V8 engine is being exploited in the wild. CVSS 8.8. When the browser is the runtime, browser vulnerabilities are application vulnerabilities.

June 18, 2026 · 4 min read

TanStack Supply Chain Attack: 84 Compromised Versions, 42 Packages, SLSA Provenance Defeated.

Attackers published 84 malicious versions of 42 TanStack npm packages in a 6-minute window. The packages carried valid SLSA provenance attestations. 160+ secondary victims including OpenAI and Mistral AI. 2 OpenAI employee devices compromised.

June 17, 2026 · 7 min read

Red Hat's Own npm Packages Compromised: 32 Packages, 96 Versions

Self-propagating npm worm 'Miasma' hijacked @redhat-cloud-services packages via stolen GitHub OIDC tokens.

June 17, 2026 · 6 min read

Phantom Gyp: AI SDK With 408K Downloads Targeted by Miasma Variant

Miasma variant uses node-gyp build hooks to evade monitoring, hitting @vapi-ai/server-sdk and 57 packages in under 2 hours.

June 17, 2026 · 6 min read

Palo Alto GlobalProtect Auth Bypass: The VPN Guarding Your Legacy Web Stack Is Compromised.

CVE-2026-0257 bypasses authentication on PAN-OS GlobalProtect gateways. CVSS 7.8, CISA KEV listed, actively exploited across 'numerous customers' per Rapid7. FCEB agencies had until June 1 to remediate.

June 17, 2026 · 6 min read

Nginx UI Ships Encryption Keys in HTTP Headers: CVSS 9.8

CVE-2026-27944: Nginx UI backup endpoint returns AES-256 key in response header, no authentication required.

June 17, 2026 · 5 min read

Magento Cache Plugin Gives Attackers Full Server Control via Cookie

CVE-2026-45247: Unauthenticated RCE in Mirasvit Full Page Cache Warmer. CISA KEV listed, actively exploited.

June 17, 2026 · 5 min read

Malicious Open-Source Packages Surged 73% Year-Over-Year. Dependency Count Is Attack Surface.

ReversingLabs' 2026 Software Supply Chain Security Report documents a 73% increase in malicious packages across npm, PyPI, and other registries. Frameworks with 1,000+ transitive dependencies face exponential exposure. Minimal-dependency stacks avoid this risk entirely.

June 17, 2026 · 6 min read

LiteLLM Proxy: Default Account Chains 3 Vulnerabilities to Root. AI Infrastructure Is the New Attack Surface.

ReconShield disclosed a privilege escalation chain in LiteLLM Proxy: a default low-privilege account chains three vulnerabilities to achieve root access on the AI serving infrastructure. Organizations deploying AI-enhanced web frameworks need to audit the entire stack.

June 17, 2026 · 6 min read

Hades: PyPI Supply Chain Attack Harvests MCP Configs, Fights AI Scanners

19+ poisoned PyPI packages deploy a Bun-based credential stealer targeting AI developer configurations. The malware sends decoy traffic to Anthropic servers and uses prompt injection to evade AI-based security tools.

June 17, 2026 · 6 min read

Fortinet FortiSandbox Hit With 3-CVE Exploit Chain. The Security Appliance Is the Attack Surface.

Three chained vulnerabilities in FortiSandbox allow unauthenticated remote command execution at CVSS 9.1. Active exploitation confirmed. The devices purchased to protect legacy web infrastructure are now the entry point.

June 17, 2026 · 6 min read

RoguePlanet Exploits a Microsoft Defender Zero-Day to Disable Endpoint Protection. The Security Software Is the Attack Surface.

A threat group dubbed RoguePlanet leveraged a zero-day vulnerability in Microsoft Defender for Endpoint to disable EDR protections on target machines before deploying ransomware. The tool designed to detect attacks became the entry point for one. When your security infrastructure is built on vulnerable software, the protection is the problem.

June 16, 2026 · 5 min read

PromptSnatcher Malware Steals AI Chatbot Conversations in Real Time. Your Claude and ChatGPT Sessions Are Being Exfiltrated.

A new malware family harvests complete conversation histories from Claude, ChatGPT, Gemini, Copilot, and Perplexity by hooking browser API calls. Unlike keyloggers, PromptSnatcher captures the AI's responses too — including code reviews, security analyses, and strategic recommendations. The intellectual property loss is exponential.

June 16, 2026 · 5 min read

208 CVEs in One Patch Tuesday. Microsoft's Largest Ever. Including a Wormable Kernel Flaw Compared to EternalBlue. Your Web Server Has 72 Hours.

June 2026 Patch Tuesday delivered 208 CVEs (571 with Chromium bundled), 37 Critical. CVE-2026-45657 (CVSS 9.8) is a use-after-free in Windows Kernel TCP/IP that requires no authentication and can self-propagate. CVE-2026-47291 (CVSS 9.8) hits HTTP.sys directly — a web server RCE. CISA's 3-day mandate means patching is no longer optional.

June 16, 2026 · 6 min read

One Cookie. Full Remote Code Execution. CVE-2026-45247 Hits Magento E-Commerce Sites and CISA Added It to the KEV Catalog.

A PHP object injection vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 allows unauthenticated RCE via a single crafted cookie. CVSS 9.3. Actively exploited. Federal patch deadline already passed. Every unpatched Magento store is overdue.

June 16, 2026 · 5 min read

LiteLLM AI Gateway: CVSS 9.9. Four Chained Vulnerabilities Let a Low-Privilege User Hijack Claude Code Responses.

Auth bypass → admin privilege escalation → Python sandbox escape via unfiltered exec() → MCP callback injection. The open-source AI gateway used to route requests between Claude, GPT, and Gemini had a kill chain from viewer to root. Patched in v1.83.14.

June 16, 2026 · 6 min read

IronWorm: The First npm Supply Chain Worm with a Kernel Rootkit. 37 Packages Compromised. It Steals Your Claude, OpenAI, and AWS Credentials. And This Was a Rehearsal.

JFrog researchers found a 976KB Rust-compiled worm hiding in 37 npm packages across 9 organizations. It carries an eBPF rootkit that hides from the OS, steals 86 categories of credentials including every major AI provider key, and self-propagates by minting npm Trusted Publishing tokens. A hardcoded skip-list suggests this was practice. The production version has not been found.

June 16, 2026 · 7 min read

CISA's New Directive: 3 Days to Patch the Worst Vulnerabilities. Not 30. Not 14. Three.

Binding Operational Directive 26-04 replaces the old 30-day patch window with risk-based timelines. Publicly exposed, auto-exploitable vulnerabilities in the KEV catalog get a 3-day deadline. The directive cites AI-accelerated exploitation as the reason. WordPress sites with 18,210 CVEs just became a compliance crisis.

June 16, 2026 · 6 min read

Fifth Chrome Zero-Day of 2026. CVE-2026-11645 Hits V8 — the Engine Running Every Web Application and Every AI Agent's Browser. Actively Exploited in the Wild.

CVSS 8.8. Out-of-bounds read/write in V8's JavaScript and WebAssembly engine. Arbitrary code execution via a crafted HTML page. All Chromium-based browsers affected — Chrome, Edge, Brave, Opera. Google confirmed active exploitation before the patch. The web's runtime engine has been actively compromised five times this year.

June 16, 2026 · 5 min read

175 Chrome Extensions Are Bot Traffic Factories. 863,000 Users Generating Fake Clicks, Injecting Ads, and Harvesting Credentials. Google Hasn't Removed Them.

DomainTools researchers found 152 extensions using browser-level access to redirect searches, inject affiliate codes, exfiltrate cookies, and track browsing. Separately, 23 extensions from the 'AstroForge' campaign steal AI chatbot conversations including Claude, ChatGPT, and Gemini sessions. The Chrome Web Store's review process missed all of them.

June 16, 2026 · 6 min read

WordPress Plugin CDN Backdoor: OptinMonster, PushEngage, and TrustPulse Compromised. 1.2 Million Sites. Hidden Admin Accounts Created.

Attackers didn't need the WordPress plugin repository. They tampered with CDN-served JavaScript files, creating invisible administrator accounts, installing backdoor plugins named 'Content Delivery Helper' and 'Database Optimizer,' and opening web shells. Credentials exfiltrated to a typosquatted domain.

June 15, 2026 · 7 min read

Next.js Authorization Bypass: A Crafted Query Parameter Changes Your Route Without Changing the URL. CVE-2026-44574.

Specially crafted query parameters alter dynamic route values while leaving the visible URL path unchanged, bypassing middleware-based authorization in Next.js 13.0 through 15.5.15 and 16.x before 16.2.5. A separate CVE-2026-23869 enables memory exhaustion DoS via React Server Components. Astro, Svelte, and Hugo are not affected.

June 15, 2026 · 6 min read

ShinyHunters Claims 297 GB From the Council of Europe. Payroll Records for 10,000 Employees. Medical Data. Tax Numbers. Deadline: June 16.

429,000 files allegedly exfiltrated from HR, the Parliamentary Assembly, the Secretariat, and the European Directorate for Quality of Medicines. The Council of Europe has not acknowledged the incident. The deadline to negotiate is tomorrow.

June 15, 2026 · 6 min read

Agentjacking: One Sentry Error Can Hijack Your AI Agent

Tenet Security disclosed a new attack class on June 12. Attackers inject prompts into Sentry error events using publicly discoverable DSNs. AI coding agents retrieve the events via MCP and execute attacker-controlled code. Sentry called it 'technically not defensible.'

June 15, 2026 · 7 min read

WordPress Just Admitted Its Plugin Ecosystem Needs AI to Police It. They Call It 'Protect The Shire.'

A 24-hour cooldown on all plugin releases. AI-assisted code review scanning 78,000 plugins. WordPress.org is building the security infrastructure it should have had a decade ago — because the alternative is losing the web.

June 14, 2026 · 7 min read

The Miasma Worm Source Code Was Leaked on GitHub. The npm Supply Chain Attack Is Now Open Source.

The credential-stealing worm that compromised Red Hat's npm packages and 73 Microsoft Azure repositories was briefly published on GitHub on June 10. Copycat attacks are now a matter of when, not if.

June 14, 2026 · 7 min read

CVE-2026-48710 'BadHost': The Vulnerability That Hit FastAPI, vLLM, LiteLLM, and 325 Million Weekly Downloads.

A malformed Host header bypasses authentication in Starlette — the ASGI framework underneath FastAPI and most of Python's AI agent infrastructure. Modern frameworks are not immune. The difference is how fast they patch.

June 14, 2026 · 6 min read

Atomic Arch: 1,500 Packages Backdoored Through Legitimate Adoption. No Exploit Required.

Attackers adopted 400 orphaned Arch Linux packages through official workflows, injected malicious npm dependencies, and deployed a Rust credential stealer with an eBPF rootkit. By June 12, 1,500 packages were compromised. They never broke a single rule.

June 14, 2026 · 7 min read

UpdraftPlus: 3 Million WordPress Sites. Unauthenticated Admin RCE. No Login Required.

The most popular WordPress backup plugin gave unauthenticated attackers full admin access. Wordfence blocked 8,172 exploit attempts in 24 hours. The plugin supply chain strikes again.

June 13, 2026 · 6 min read

Shai-Hulud Source Code Is Public. The Worm Era Has Begun.

On May 12, 2026, TeamPCP open-sourced Mini Shai-Hulud — a self-propagating npm supply chain worm. Twenty days later, Miasma hit Red Hat and Microsoft. The barrier to supply chain attacks just dropped to zero.

June 13, 2026 · 6 min read

Laravel-Lang: 5,561 Repos Backdoored in 90 Minutes via Git Tag Rewrite

An attacker rewrote every version tag across 4 Composer packages in a single window. composer update triggered credential theft. 5,561 downstream repositories backdoored within 6 hours. The PHP supply chain joins the worm era.

June 13, 2026 · 6 min read

WordPress CVEs Surpass 18,000 in 2026

June 2026 data reveals critical vulnerabilities across content management frameworks

June 13, 2026 · 6 min read

IronWorm: The npm Worm Written in Rust, Hidden by an eBPF Rootkit, Controlled via Tor

36 npm packages. A compiled Rust binary that hides behind a kernel rootkit. Command and control over the Tor network. Targets 86 environment variables and 20 credential files. Supply chain attacks just went military-grade.

June 13, 2026 · 7 min read

At 10 Million Sites Scanned, WordPress Is 74.3% of Everything We Detect

The largest independent framework scan ever conducted shows a web even more concentrated than W3Techs suggests.

June 12, 2026 · 5 min read

The Web Has a Monoculture Problem. The Math Proves It.

A Herfindahl-Hirschman Index of 0.56 means the detected web is more concentrated than most regulated industries.

June 12, 2026 · 5 min read

TrapDoor: The First Supply Chain Attack That Targets Your AI Coding Assistant

34 packages across npm, PyPI, and Crates.io. Zero-width Unicode in .cursorrules and CLAUDE.md files. When a developer opens the project, the AI assistant exfiltrates secrets. The attack surface just moved from human to machine.

June 12, 2026 · 7 min read

Six Frameworks Have Zero CVEs. Here's What They Have in Common.

Hugo, Eleventy, Remix, SvelteKit, HTMX, and Astro — the clean security record club shares architectural DNA.

June 12, 2026 · 4 min read

The Most Popular Frameworks Are the Least Secure. The Data Is Unambiguous.

Plot detection volume against CVE count. The line goes one direction.

June 12, 2026 · 5 min read

Meta's MCP Server Had an Unauthenticated Execution Flaw. Every AI Tool Chain Should Check.

GHSA-2026-0612: the Meta Ads MCP tool allowed unauthenticated HTTP execution. The AI tool supply chain is the new attack surface.

June 12, 2026 · 5 min read

Hugo 0.163: 11 Years, Zero CVEs. The Security Record Nobody Can Match.

The Go-based static site generator has never had a single CVE in the National Vulnerability Database.

June 12, 2026 · 4 min read

Laravel Is the Best PHP Framework. It Still Got a High-Severity CVE This Week.

CVE-2026-48019 lets attackers inject headers into outbound emails — no authentication required. Laravel patched it in days. WordPress plugins with similar flaws take months.

June 12, 2026 · 5 min read

React Query Got Wormed. OpenAI Got Hit. The npm Supply Chain Has a Predator.

The Mini Shai-Hulud worm compromised TanStack, Mistral AI, and 160+ packages. It steals tokens, publishes poisoned versions of more packages, and can wipe developer machines. OpenAI confirmed 2 employee devices were compromised.

June 12, 2026 · 8 min read

Chrome V8 Has an Actively Exploited RCE. Your Framework Decides How Much V8 Your Users Run.

CVE-2026-11645 is an out-of-bounds read/write in Chrome's JavaScript engine. Astro ships 9KB of JS. Next.js ships 463KB. The attack surface isn't equal.

June 11, 2026 · 5 min read

220 Million Monthly Downloads. Six Vulnerabilities. The protobuf.js Supply Chain.

A critical RCE chain in protobuf.js — used across Node.js frameworks — turns schema definitions into arbitrary code execution. Exploit code is public.

June 11, 2026 · 6 min read

The HTTP/2 Bomb: One Client, 32GB of Server Memory, 20 Seconds.

A new denial-of-service technique exploits how every major web server handles HTTP/2 headers. Legacy CMS servers running on tight memory budgets are the easiest targets.

June 11, 2026 · 6 min read

The Malware That Fights Back: Hades Uses Prompt Injection Against AI Security Scanners

The Hades variant of the Shai-Hulud worm family includes adversarial prompt injection in its payload — fake JavaScript comments designed to confuse AI-powered security tools. Supply chain malware is now attacking the scanners, not just the developers.

June 9, 2026 · 6 min read

Buy the Plugin, Own the Sites: 30 WordPress Plugins Bought on Flippa and Backdoored

An attacker purchased 30+ WordPress plugins with 400,000 combined installations on a digital marketplace. Dormant for 8 months. Activated April 2026. WordPress has no mechanism to review plugin ownership transfers.

June 9, 2026 · 7 min read

Drupal Was the Safe One. Then CVE-2026-9082 Hit CISA KEV.

CVSS 9.8. Unauthenticated SQL injection in Drupal Core. Added to CISA KEV two days after disclosure. 15,000 attacks across 65 countries. The CMS governments chose for security just got its own critical core flaw.

June 9, 2026 · 7 min read

WordPress 7.0 Shipped an AI Agent Platform. Hackers Got the Keys on Day Two.

WordPress 7.0 'Armstrong' added a Connectors API that stores Anthropic, Google, and OpenAI keys in wp_options. Patchstack's founder called it 'free AI tokens for hackers.' AI scanning found 300+ zero-days at $20 each in 72 hours. SiteGround pushed 1M+ installs automatically.

June 9, 2026 · 8 min read

June 2026: Six CVSS 9.8 Vulnerabilities. 1.14 Million WordPress Sites.

Six critical vulnerabilities actively exploited at the same time. 29,300+ attacks per day on one plugin alone. A premium plugin supply-chain compromised. The WordPress security model hit a wall.

June 9, 2026 · 8 min read

The Worm That Learned to Jump: npm → PyPI → Your IDE in 9 Days

June 1: npm packages. June 3: new evasion technique. June 5: IDE config poisoning. June 7: PyPI. The Shai-Hulud supply chain worm crossed three attack surfaces in nine days. 448 artifacts. The security industry couldn't keep up.

June 9, 2026 · 9 min read

TrustFall, SymJack, Clinejection: Every AI Coding Agent Is Hackable

TrustFall: one-click RCE. SymJack: symlink hijack installs attacker MCP servers. Clinejection: a GitHub issue title compromised 4,000 developers. Claude Code leaked its source — three CVEs fell out. The tools building the web are its newest attack surface.

June 9, 2026 · 13 min read

The npm Worm Wave: 30+ Supply Chain Attacks in 6 Months

One supply chain attack is an incident. Thirty in six months is a market condition. The worm crossed to PyPI. The source code went public. Here's the timeline.

June 9, 2026 · 7 min read

Both Supply Chains Are Broken: WordPress Plugins vs. npm Packages in 2026

WordPress has 18,005 catalogued CVEs and six CVSS 9.8 vulnerabilities exploited simultaneously. The npm ecosystem had 30+ supply chain attacks in 6 months — and the worm jumped to PyPI. Neither is safe. The difference is how the risk kills you.

June 9, 2026 · 8 min read

200,000 Open Doors: The Protocol Connecting AI Agents Has No Security Model

MCP — the Model Context Protocol — is the TCP/IP of agentic AI. 200,000+ vulnerable instances. 150 million package downloads. The Pentagon designated its creator a supply chain risk. The NSA published an advisory. The infrastructure of the machine web is wide open.

June 8, 2026 · 9 min read

SLSA Can't Save You: Miasma Forged the Gold Standard for Supply Chain Integrity

SLSA provenance was supposed to be the answer to supply chain attacks. Miasma forged it. 32 Red Hat packages, 90+ malicious versions, perfect provenance attestations. The trust framework is broken.

June 8, 2026 · 6 min read

The CI/CD Kill Chain: From npm Install to Cloud Admin in 72 Hours

A single compromised npm package gave attackers AWS admin access in three days. The deployment pipeline that makes modern frameworks possible is the attack surface nobody secured.

June 7, 2026 · 6 min read

Nation-States Are in Your node_modules

North Korean group UNC1069 compromised Axios — downloaded 40 million times per week. When intelligence agencies target your build pipeline, npm audit is not a security strategy.

June 7, 2026 · 6 min read

The Supply Chain Map. WordPress Has 60,000 Plugins. Each One Is a Trust Decision.

WordPress: 60,000 plugins, ~40% abandoned. npm (React/Next.js): millions of packages but lockfile-controlled and auditable. The supply chain model is fundamentally different — and our country data shows who bears the deepest exposure.

June 2026 · 5 min read

The Compliance Cost Multiplier. Legacy Frameworks Correlate With Higher Regulatory Fines.

GDPR fines: EUR4.5B+ cumulative. Healthcare breach cost: $10.9M average. The sectors with the highest fines are the sectors with the most legacy infrastructure. Correlation isn't causation — but the pattern demands attention.

June 2026 · 5 min read

The Website That Outlives the Business. Legacy Infrastructure Without an Owner.

How many of the 7.4M WordPress sites are for businesses that no longer exist? Domains persist, plugins accumulate CVEs, and nobody patches. The web's biggest security problem isn't active sites — it's ghost sites.

June 2026 · 5 min read

Russia at 238,000 Detections: Our Deepest Country Dataset. Next.js at 5.7% — Higher Than Germany.

.ru: 238,055 detected. WordPress 68%, Joomla 11.5% (27,374 sites), Drupal 5.9%, Next.js 5.7%, Angular 3.3%, Vue 1.4%. Russia's Joomla count alone exceeds most countries' total detections.

June 2026 · 5 min read

Uruguay: 21% Drupal. Latin America's Development Funding Outlier.

Brazil 86% WP, Argentina 86% WP, Colombia 55% WP. Uruguay breaks the LATAM WordPress pattern with 21% Drupal — the development funding corridor extends to Latin America.

June 2026 · 4 min read

The Balkans Run Joomla. The Rest of Europe Forgot It Existed.

Croatia 9%, Serbia 9%, Slovenia 7%, North Macedonia 6%, Bosnia 3%. While Western Europe moved past Joomla years ago, the Balkans still carry significant Joomla infrastructure.

June 2026 · 4 min read

Kenya vs Nigeria: Same Continent, Different Web. Kenya Has Shopify. Nigeria Has Only WordPress.

Kenya: 1,849 detected, WP 82%, Shopify 7.5%. Nigeria: 2,954 detected, WP 97%. Same continent, opposite digital paths.

June 2026 · 4 min read

The Development Dollar Framework: How UNDP and World Bank Shaped South Asia and Africa's Web.

Nepal 64% Drupal. Bangladesh 63%. Libya 42%. Ecuador 40%. Ivory Coast 37%. Uganda 31%. The framework map is the aid map.

June 2026 · 5 min read

Nepal Is 66% Drupal. Not WordPress. The South Asia Outlier Nobody Expected.

India is 83% WordPress. Pakistan is 63% WordPress. Nepal chose Drupal. 351 Drupal sites vs 165 WordPress. Something institutional happened here.

June 2026 · 4 min read

Nigeria Is 97% WordPress. 2,954 Sites. Essentially Zero Alternatives.

Africa's largest economy, 220 million people, the continent's biggest tech ecosystem. 97% of detected sites run WordPress. Not 93% like Turkey. Near-total monoculture at scale.

June 2026 · 4 min read

.edu at 58,182 Detections: Drupal 35.7%, Rails 16.4%. Academia Fully Mapped.

The largest .edu dataset ever published. Education remains the most framework-diverse sector. Rails at 16.4% — 9,568 sites — is the finding nobody expected.

June 2026 · 4 min read

.gov Is 49% Drupal. Government's Framework Choice Confirmed at 12,467 Sites.

The most comprehensive .gov framework survey ever. Drupal dominates at 49%. WordPress is 24%. Rails is 11%. Next.js is emerging at 6%.

June 2026 · 4 min read

Iran Is 93% WordPress. The Same Pattern as Turkey, but With Sanctions.

174 detected .ir sites. 93% WordPress. Isolation — economic and technological — produces digital monoculture.

June 2026 · 4 min read

Joomla: 352,042 Detections. More Than Astro, SvelteKit, Remix, and Gatsby Combined.

Among 10M+ sites scanned, the 'dead' framework has more detections than four of the most-hyped modern alternatives combined.

June 2026 · 4 min read

Joomla Outnumbers Astro and SvelteKit Combined. The 'Dead' Framework Isn't Dead.

176,344 Joomla sites vs 20,338 Astro + SvelteKit combined. Developer Twitter doesn't reflect the actual web.

May 2026 · 4 min read

.edu Domains Chose Differently: Drupal 35.7%, Rails 16.4%. Education Didn't Follow the WordPress Playbook.

58,182 .edu domains analyzed. WordPress leads at 38.5% but Drupal (35.7%) and Rails (16.4%) make education the most diverse sector.

May 2026 · 4 min read

Russia Has 7,189 Joomla Detections — The Largest Joomla Concentration in Our Data.

In our Common Crawl scan of 61,005 detected .ru sites, Joomla concentrates heavily in Russian domains. The rest of the world moved on. Russia didn't.

May 2026 · 4 min read

Healthcare's Web Problem Isn't WordPress. It's Fragmentation.

Among 17 healthcare sites we scanned: Drupal, WordPress, Next.js, Vue, Angular — no dominant framework. A small sample, but the fragmentation pattern is the finding.

May 2026 · 5 min read

Government Runs Drupal More Than WordPress. That's a Different Problem.

Among 49 government sites we scanned across 6 regions, Drupal dominates — not WordPress. A directional finding from a small but curated sample.

May 2026 · 6 min read

US Nonprofits: Defending Digital Rights on Digital Legacy

ACLU on WordPress. EFF on Drupal. The organizations defending digital rights are running on legacy infrastructure.

May 2026 · 4 min read

Grab Serves Millions of Users. Our Scanner Says It Runs WordPress.

Southeast Asia's largest super-app — ride-hailing, food delivery, payments — has a marketing site on legacy CMS. The infrastructure divide runs inside companies too.

May 2026 · 4 min read

GDPR Was a Data Law. It Became an Infrastructure Law.

Europe's data protection regulation is forcing infrastructure decisions. Legacy CMS was never built for data subject rights at scale.

May 2026 · 7 min read

APRA CPS 234: How Australian Financial Regulation Is Forcing Infrastructure Decisions

Australia's prudential regulator requires financial entities to maintain security capability commensurate with threats. Legacy infrastructure makes that harder every year.

May 2026 · 5 min read

American Healthcare on WordPress: The HIPAA Reckoning is Coming

Thousands of US medical practices run patient-facing services on WordPress. The OCR is increasing enforcement. The math doesn't work.

May 2026 · 6 min read

Australia's Census Failure: What Legacy Infrastructure Costs a Nation

The 2016 census failure cost A$30M+ and damaged public trust. It was a legacy infrastructure event with national consequences.

May 2026 · 5 min read

COBOL, Java 8, Python 2: The Three Horsemen of Legacy

Three technology generations that still run critical infrastructure. One has no new developers. One stopped receiving updates. One was officially sunset in 2020.

May 2026 · 7 min read

Healthcare Websites on WordPress: Patient Data Behind 18,005 CVEs

Medical practices, hospitals, and health systems running patient-facing services on the web's most-attacked framework.

May 2026 · 6 min read

Government Sites: Running a Nation's Web on 18,005 CVEs

The White House runs WordPress. So do thousands of government agencies worldwide. Public infrastructure on a legacy foundation.

May 2026 · 7 min read

Plugin Roulette: 27 Doors, and You Don't Know Which Ones Are Locked

The average WordPress site runs 27 plugins. Each one is an independent attack surface with its own update cycle, its own maintainer, and its own risk profile.

May 2026 · 6 min read

Year 1, Year 3, Year 5: What Happens to Sites That Don't Migrate

The compounding cost of staying on legacy frameworks. A timeline of escalating risk.

May 2026 · 7 min read

WordPress Powers 43% of the Web (W3Techs). It Scores 45 Out of 100.

The most widely deployed framework (W3Techs) is also one of its most vulnerable. Here's what the data says.

May 2026 · 6 min read