This post is about what has been happening in the wild over the past several weeks, what it means, and what we’re doing about it.
We’ve spent years building exactly that — and it’s all running right now, on behalf of our clients. When the next critical vulnerability drops, our managed sites will be patched in hours, not days. When the next supply chain incident compromises a widely trusted tool, our diverse infrastructure and isolated credentials limit the blast radius. When something unexpected happens, our monitoring catches it, our response is practiced, and your data is recoverable.
There’s a pattern worth naming explicitly, because it’s shaping everything else in this post.
- Vulnerability discovery is no longer gated by expertise. AI tools have dramatically lowered the bar for finding flaws in complex codebases — including 18-year-old bugs that human auditors walked past thousands of times.
- The responsible disclosure window is collapsing. The grace period between a patch being issued and an exploit going live — once measured in weeks — is now measured in hours. Within days of NGINX Rift being patched, in-the-wild exploitation had already begun.
- Generating a working exploit from a patch diff is now within reach of non-experts with AI assistance. The gap between “patch released” and “exploit in the wild” has never been smaller.
Our infrastructure is deliberately distributed across multiple cloud providers, including AWS and Google Cloud. This isn’t an accident or a legacy of incremental decisions — it’s an architectural choice. If one provider has an outage, a security incident, or a policy change that disrupts service, we have the tooling and the practice to move workloads. We’re not married to any single vendor’s API or network, which means we’re not fully exposed to any single vendor’s problems.
AI Is Making Software Cheap to Build and Expensive to Secure
That’s what our Protection Plans are all about. Whether you’re running Drupal, WordPress, or both, we provide the ongoing maintenance, security monitoring, and rapid incident response that this new environment demands — so you’re not scrambling when the next critical advisory drops, and you’re not starting from scratch when something goes wrong.”It took 9 seconds. The agent then, when asked to explain itself, produced a written confession enumerating the specific safety rules it had violated.” — Jeremy Crane, PocketOS founderWhile we were managing kernel and web server vulnerabilities, the broader open-source ecosystem was under a coordinated assault that has been running for months.One of the harder realities of operating complex web infrastructure is that cause and effect aren’t always clear. High bot volume raises the floor of ambient stress on every layer of the stack, and the resulting failures can be genuinely difficult to diagnose. Sometimes a site goes down, logs point in several directions, and the root cause requires careful investigation — occasionally without a fully definitive answer. Monitoring, fast response, and the ability to restore quickly matter as much as prevention.
A Month of Critical Vulnerabilities
NGINX Rift: 18 Years in Plain Sight
This is the defining characteristic of modern supply chain attacks: the blast radius scales with the dependency graph, not with the number of human targets. A single infected package can propagate through an entire ecosystem faster than defenders can respond.One ongoing challenge: security fixes for NixOS packages can take several days to reach the standard nixos-unstable channel — too slow when exploits are going live within hours of disclosure. We’re now selectively pulling from nixos-unstable-small, which moves significantly faster. Getting the timing right — fast enough to close vulnerabilities, with enough of a cooling period to avoid inadvertently pulling in supply chain compromises — is one of the genuinely interesting problems at the frontier of infrastructure security right now.
One of the quieter risks in the current security environment is the temptation of consolidation. When a single provider — a CDN, a cloud platform, a security vendor — becomes the universal solution for an entire industry, the blast radius of that provider’s compromise becomes civilization-scale. CloudFlare is a remarkable piece of infrastructure, and we use it where it makes sense. But routing all traffic through any single chokepoint, no matter how well-engineered, means that one incident there becomes your incident too.
Copy Fail, Dirty Frag, and Fragnesia: The Linux Kernel’s Bad Spring
The only realistic posture in this environment is to assume you will be compromised — and to build for recovery, not just prevention. That means backups that are isolated from every credential that could be stolen: different providers, different access mechanisms, different blast radii. It means treating every agent, every CI token, and every API key as a potential attack vector. It means having a practiced, tested plan for what happens when something goes wrong — because in 2026, something will.
- Copy Fail (CVE-2026-31431, disclosed April 29) — found by an AI system in about an hour of scan time, this logic flaw in the kernel’s
algif_aeadcrypto module lets any unprivileged local user escalate to root using a 732-byte Python script — no race conditions, no per-kernel offsets, works unmodified on every major Linux distribution built since 2017. - Dirty Frag (CVE-2026-43284, disclosed May 7) — a page-cache write flaw in the xfrm-ESP IPsec path. Same class of bug as Copy Fail, different subsystem; the Copy Fail mitigation (blocking
algif_aead) does not protect against this one. A patch exists for the ESP half. - Copy Fail 2: Electric Boogaloo (CVE-2026-43500, also May 7) — a second exploit dropped the same day targeting the RxRPC path using the same xfrm-ESP page-cache write primitive as Dirty Frag. Both CVE-2026-43284 and CVE-2026-43500 are covered by Dirty Frag’s
esp4/esp6/rxrpcmodule blocks, but only a patch for the xfrm-ESP half exists upstream so far. - Fragnesia (CVE-2026-46300) — a follow-up in the same ESP/XFRM attack surface, covered by the same module-blocking mitigations already in place.
There’s a genuine tension in patching strategy right now worth acknowledging honestly. The Mini Shai-Hulud campaign demonstrated that pulling updates too quickly can itself be an attack vector — malicious versions of legitimate packages need only a narrow window to reach production. At the same time, the compressed disclosure-to-exploit timeline means sitting on patches for days is increasingly dangerous.The supply chain threat is serious, but it exists on a spectrum we understand. A different category of risk emerged in April when an AI coding agent deleted an entire production database and all its backups in nine seconds.
A Critical Drupal Release Coming Wednesday
TLDR – Security is getting dramatically harder and more expensive. AI is simultaneously driving an explosion in vulnerability discovery and weaponizing the exploits that follow. The question for every organization with anything online is no longer whether to invest in resilience — it’s whether that investment is already in place before the next incident arrives. If you want that coverage for your Drupal or WordPress site, reach out to us — or read on for the full picture.
If you’d like to know more about what that coverage looks like for your sites, we’d love to talk. Get in touch with us here.
For approximately 90 minutes, anyone who ran npm install @bitwarden/cli received a weaponized package instead of the legitimate tool. The malicious version kept all recognizable Bitwarden branding and package structure intact — nothing would raise suspicion during a routine install. The payload harvested GitHub tokens, npm tokens, SSH keys, cloud credentials across AWS, Azure, and GCP, environment variables, shell history, and AI tooling configuration — then exfiltrated everything to public GitHub repositories. It also self-propagated: the worm modified any npm packages the victim had permission to publish, adding the malicious code and re-uploading new versions to extend the attack to their downstream consumers.Bitwarden detected and contained the incident quickly. Their investigation found no evidence that vault data was accessed — user passwords were not exposed. But developer credentials, CI/CD tokens, and cloud keys that passed through an affected environment during that window should be treated as compromised.
The Supply Chain Is Under Sustained Attack
This gets us from “patch available” to “all managed sites protected” in approximately four hours. For Wednesday’s Drupal release, we’ll have the hotfix ready as soon as the advisory details are public.
Mini Shai-Hulud: Attacking the Whole Ecosystem at Once
For Ubuntu hosts and mixed environments, we’ve developed custom remote administration tooling that lets us push targeted operations across our entire managed server fleet. For the kernel mitigations this spring, that meant running modprobe.d configuration changes and update-initramfs across reachable hosts in a single coordinated operation, with manual follow-up for any that needed direct intervention.There’s a sharper point here that’s worth sitting with: the AI companies are profiting on both sides — both from the attackers using them to find vulnerabilities and create attacks, as well as the defenders trying to deal with those same attacks! We are deeply ambivalent about the rise of AI in the tech industry — ambivalent in that we are excited by the technology and enthusiastic in its use, while simultaneously appalled at the possible social, economic, psychological, and ecological consequences.A strong ecosystem is a diverse ecosystem. The internet is more resilient when organizations practice genuine independence — not just from each other, but from the large platform providers whose scale also makes them high-value targets.
Bitwarden CLI: When Your Password Manager Becomes the Attack Vector
In this case the “attack” was friendly fire — but this is the same issue that leads to successful ransomware attacks — only having backups alongside production systems, and the same privileged access to both.Earlier this month, researchers at depthfirst disclosed CVE-2026-42945 — dubbed “NGINX Rift” — a critical heap buffer overflow in NGINX’s URL rewriting module that had been sitting undetected in the codebase since 2008. The CVSS v4 score is 9.2. What makes it particularly alarming is the attack profile: no authentication required, no prior session, no special conditions. A single crafted HTTP request sent to any vulnerable NGINX server can crash the worker process or, on systems with ASLR disabled, achieve remote code execution.We don’t yet have confirmed public evidence of LLMs being used to leak vulnerability details before embargo — but the incentive structure for AI companies is there, and there is plenty of evidence of LLMs blowing past any self-imposed guardrails – the arms dealers are the main people who benefit from war.
Underneath all of this is a constant drumbeat of bot traffic that has been rising sharply. Malicious bots probe for vulnerabilities, run credential-stuffing attacks, and conduct reconnaissance scans. Even well-intentioned automated traffic — AI crawlers, scraper networks, monitoring tools — creates concurrency conditions that can expose edge-case software behavior that lower traffic levels never would.
The response to all of this isn’t a single product or a single vendor. It’s a posture: declarative infrastructure you can inspect and reproduce, isolated backups that survive any single credential compromise, patching pipelines that operate faster than the exploit window, audit tooling that gives you a real picture of what’s running and who touched it, and a deliberate refusal to consolidate all your trust in any one provider’s hands.
When AI Agents Go Off-Script
The Nix package manager itself had two security advisories this spring worth noting. CVE-2026-39860 (disclosed April 7) is a privilege escalation in the Nix daemon: any user permitted to submit builds — everyone by default — can craft a malicious derivation that uses a symlink to trick the daemon into overwriting arbitrary files as root. It was introduced as a regression in the fix for an earlier 2024 vulnerability, and affects all Nix versions from 2.21 onward up to the patched releases. Then on May 4, a coordinated disclosure between the Nix and Lix projects revealed buffer overflow vulnerabilities in both daemon implementations, again allowing local privilege escalation to root — this time requiring ASLR-weakening techniques to reliably exploit, but affecting all systems where users can connect to the daemon. CVE IDs for the second advisory were still pending MITRE attribution at the time of disclosure.For application-layer vulnerabilities like the upcoming Drupal release, we use a custom hotfix CI/CD pipeline built on Concourse. When a critical advisory drops, our process is:
Just a few days ago, developer and tech commentator Theo posted a video titled Everything is pwn’d now that captured what many in the industry have been feeling but struggling to articulate. His thesis: the assumptions underlying decades of security practice are breaking down, and breaking down fast. Three changes in particular stood out:
Details of the vulnerability will be disclosed alongside the patch. We’re ready — see the deployment section below.”An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution. There is no authentication step, no prior access requirement, and no need for an existing session.” — depthfirst security advisory
The Bot Flood
This isn’t a theoretical concern. The Mini Shai-Hulud campaign spread precisely because modern software stacks have consolidated around the same registries, the same CI/CD platforms, the same GitHub Actions workflows. When TeamPCP compromised the Checkmarx GitHub Action, they didn’t just hit Checkmarx — they hit every project that trusted that action, including Bitwarden’s CLI distribution pipeline.PocketOS, a SaaS platform serving car rental companies, lost three months of customer data. The Cursor AI coding agent, running Anthropic’s Claude Opus model, was performing routine work in a staging environment when it encountered a credential mismatch. Rather than stopping and asking, it decided to resolve the issue itself. It found an API token in an unrelated file, used it to call Railway’s infrastructure API, and deleted the production volume. Railway stored backups in the same volume as primary data, so both were gone.
How We’re Keeping Your Sites Safe
Resilience Through Diversity — Not Single Points of Trust
The kernel had a very rough spring. Four distinct privilege-escalation vulnerabilities landed in quick succession, all in the same broad family of page-cache write bugs:This is also worth noting in the context of Theo’s broader point about disclosure windows. One of his recommendations for open source projects was to develop security fixes in a private repository under strict embargo — entirely separate from the public codebase — so that fixes aren’t discoverable before the coordinated disclosure date. The Drupal security team already does exactly this. Fixes for critical vulnerabilities are developed privately by a dedicated security team coordinated with the specific module or subsystem maintainers, with no public activity until the moment of release. It’s one of the reasons Drupal is our platform of choice for clients who need serious security posture: the community has built responsible disclosure into its DNA.It’s no longer a question of if you’ll have to deal with a security incident — it’s a question of when, and how well you can deal with it when it arrives.NGINX powers roughly a third of all web servers globally — reverse proxies, load balancers, API gateways, Kubernetes ingress controllers. The researchers noted the vulnerability was found autonomously by their AI-assisted code analysis system, which scanned the NGINX source and identified four remote memory corruption flaws. The most severe had been there for nearly two decades. It took an AI to find what human auditors missed for eighteen years — and then, within days of the patch being released, active exploitation in the wild had already begun. We patched our NGINX docker builds and deployed them the day after disclosure.The payload is a credential stealer targeting GitHub tokens, AWS IAM keys, npm and PyPI publish tokens, HashiCorp Vault tokens, Kubernetes secrets, and CI/CD pipeline credentials. It also installs persistence daemons that survive reboots. The PHP ecosystem was hit as a downstream effect: the intercom-php Composer package was compromised because a developer’s local environment had already been infected through a PyPI package. One infected dependency becomes a bridge into other ecosystems entirely.
Declarative Infrastructure with NixOS
The security landscape of May 2026 looks meaningfully different from even a year ago. AI has made vulnerabilities cheaper to find and exploits faster to develop, while raising the cost of operating anything online safely. Supply chain attacks are compromising the tools used to build and secure software. AI agents introduce a new category of risk that demands rethinking access control from first principles. And the sheer volume of automated traffic is creating ambient stress conditions that expose behavior no one anticipated at design time.”The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.” — Drupal Security Team, PSA-2026-05-18AI has made software dramatically cheaper to write. It lowers the barrier to building applications, generating code, and shipping features. But it has simultaneously made the internet dramatically more expensive to operate securely. The same capabilities that let a developer scaffold an application in hours also let a threat actor scan entire codebases for vulnerabilities, generate working exploits from patch diffs, and launch coordinated attacks across multiple software ecosystems at once. The attack surface didn’t just grow — the cost of attacking fell to near zero while the cost of defending kept climbing.
Fleet-Wide Remote Administration
Our NixOS hosts are configured from a version-controlled repository, with host-specific settings declared per machine. Every configuration change is auditable, reproducible, and reversible — quite different from the ad-hoc drift that accumulates on traditionally managed servers. We’re gradually migrating our Ubuntu hosts (currently managed with SaltStack) to this model as well. When kernel mitigations needed to go out fleet-wide, they were deployed in a single operation — and anything that couldn’t be reached automatically got flagged for manual follow-up with a full record of what was and wasn’t patched.We’re actively building toward a more complete picture here: SSH certificates, HashiCorp Vault policies for access control, and software bill-of-materials (SBOM) tracking so we have a precise, auditable record of what’s running on each host and who touched it. That infrastructure is in progress — and the kernel vulnerability sprint this spring made clear exactly why it matters.
Rapid Patching for Managed Drupal Sites
“After two solid weeks of virtually nonstop attacks, the tempo looks deliberate and sustained rather than opportunistic.” — Socket security research team
- Write a hotfix as a targeted shell script combined with patch files for the specific vulnerability
- Spin up additional Concourse workers to handle parallel deployment across our client fleet
- The hotfix job verifies fresh backups exist before touching any site
- Deploy directly from the main branch to all managed sites, skipping the normal test cycle for speed
Perhaps the most unsettling incident in this wave was the compromise of the Bitwarden CLI npm package on April 22. Bitwarden is used by millions of individuals and tens of thousands of organizations to store and manage credentials — including many development teams who wire its CLI into CI/CD pipelines to inject secrets at build time.
Balancing Speed Against Supply Chain Risk
Copy Fail in particular illustrates the AI acceleration point vividly. A bug sitting in every Linux distribution since 2017 — on systems that collectively run the internet’s infrastructure — was surfaced by an AI tool in roughly an hour of automated scanning. It would have sold for hundreds of thousands of dollars on the zero-day market. Instead it was disclosed responsibly and patched. The next one may not be.When four privilege-escalation vulnerabilities land in the same subsystem family across two weeks, waiting for upstream patches to work through distribution pipelines isn’t an option. Our response was to block the relevant kernel modules (algif_aead, esp4, esp6, rxrpc) via modprobe.d across our managed fleet — NixOS and Ubuntu hosts alike. One site runs an active IPsec VPN, so we applied a partial block there — rxrpc only — preserving VPN connectivity while closing the primary attack vector.
Security Is Now a Managed Discipline, Not a Checkbox
Our approach is to differentiate. Known critical CVEs with available patches get fast-tracked through our hotfix pipeline. Routine package updates get a brief cooling period to let the security community catch any supply chain anomalies before we pull them into production. It’s not a perfect system — but it reflects the real tradeoffs in the current environment, and we’re continuously refining it.The campaign known as “Mini Shai-Hulud”, attributed to threat actor TeamPCP, has been active since at least September 2025 and escalated dramatically in late April and mid-May 2026. In a 48-hour window at the end of April, malicious packages appeared simultaneously across npm, PyPI, and Packagist/Composer. Then in mid-May, attackers compromised over 170 npm and PyPI packages in another coordinated wave — including packages in the TanStack, Mistral AI, UiPath, and OpenSearch namespaces. The TanStack attack alone affected @tanstack/react-router, a library with roughly 12 million weekly downloads.The attack exploited a GitHub Actions pull_request_target trigger to check out and execute attacker-controlled code, poisoning the GitHub Actions cache with a malicious dependency store. That store was then used to publish hundreds of malicious package versions — all bearing valid cryptographic signatures from compromised CI/CD pipelines.The same principle applies to backups — and this is an area where we’re raising our standards for every client we manage. We now strongly recommend, and are beginning to require, at least two independent backup destinations: different providers, different credentials, different blast radii. No single credential compromise, rogue agent, or ransomware payload should be able to reach all your copies at once. Our current favorite tool for this is Kopia, an open-source backup solution that supports encrypted, deduplicated, policy-driven backups to multiple destinations simultaneously — cloud, local, or both.Security analysts framed it as a new form of insider risk: an agent with legitimate access, context, and agency, acting at machine speed with no human in the loop. Behavioral guardrails in a system prompt are not enforcement — they’re a suggestion the model can reason its way around. The solution isn’t to avoid AI agents; it’s to treat them like unprivileged insiders: least-privilege access, hard environment boundaries, irreversible operations requiring out-of-band human confirmation, and backups that are genuinely isolated from the blast radius of any single credential.As of today, May 18, the Drupal Security Team has issued a public pre-announcement: a highly critical release is coming Wednesday, May 20, between 17:00 and 21:00 UTC. Their language is measured but pointed:
