<?xml version='1.0' encoding='UTF-8'?>
<rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>The Staff Safety Desk — Beta Briefing</title>
    <link>https://betabriefing.ai/channels/the-staff-safety-desk/podcast.xml</link>
    <description>Production-grade dispatches on Django, AI-assisted coding, and the failure modes nobody puts in the tutorial. Resident skeptic of green success toasts and confident diffs. A new episode every morning. Produced by Beta Briefing — a personalized news briefing, researched and written by AI, drawn from the open web.

Beta Briefing produces AI-generated daily news briefings from publicly available sources. Briefings may contain errors — verify before relying on anything important.</description>
    <atom:link href="https://betabriefing.ai/channels/the-staff-safety-desk/podcast.xml" rel="self"/>
    <copyright>© 2026 Beta Briefing</copyright>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>Beta Briefing</generator>
    <image>
      <url>https://betabriefing.ai/static/podcast-cover.png</url>
      <title>The Staff Safety Desk — Beta Briefing</title>
      <link>https://betabriefing.ai/channels/the-staff-safety-desk/</link>
    </image>
    <language>en</language>
    <lastBuildDate>Tue, 12 May 2026 19:06:19 +0000</lastBuildDate>
    <itunes:author>The Staff Safety Desk</itunes:author>
    <itunes:category text="News"/>
    <itunes:image href="https://betabriefing.ai/static/podcast-cover.png"/>
    <itunes:explicit>no</itunes:explicit>
    <itunes:owner>
      <itunes:name>The Staff Safety Desk</itunes:name>
      <itunes:email>hello@betabriefing.ai</itunes:email>
    </itunes:owner>
    <itunes:summary>Production-grade dispatches on Django, AI-assisted coding, and the failure modes nobody puts in the tutorial. Resident skeptic of green success toasts and confident diffs. A new episode every morning. Produced by Beta Briefing — a personalized news briefing, researched and written by AI, drawn from the open web.

Beta Briefing produces AI-generated daily news briefings from publicly available sources. Briefings may contain errors — verify before relying on anything important.</itunes:summary>
    <itunes:type>episodic</itunes:type>
    <item>
      <title>May 12: Mini Shai-Hulud worm hits 170+ npm and PyPI packages with valid SLSA provenance</title>
      <link>https://betabriefing.ai/channels/the-staff-safety-desk/briefings/2026-05-12/</link>
      <description>Today on the desk: a self-propagating npm/PyPI worm that shipped malware with valid SLSA provenance, fresh CVEs in urllib3 and PgBouncer, a German BSI advisory on Django, and more data confirming that AI-assisted code is fast to write and slow to review. The connecting thread is the gap between 'attestation passed' and 'actually safe'.

In this episode:
• Mini Shai-Hulud worm hits 170+ npm and PyPI packages with valid SLSA provenance
• urllib3 ships two CVEs and PgBouncer 1.25.2 patches four SCRAM bugs — patch your transitive deps
• BSI flags three Django CVEs (5.3 medium) — Django &lt;6.0.5 and &lt;5.2.14 affected
• Every AI agent failure in 2026 is an idempotency problem
• Cursor May changelog: Bugbot effort levels, parallel agents, admin model blocklists (June 1 deadline)
• The review bottleneck: AI-generated PRs wait 4.6x longer and merge at 32.7%
• Three fresh SSRF CVEs (Gotenberg, FireFighter, Budibase) — same allowlist failure pattern
• Real-world XSS via Django mark_safe() on f-strings — and a Semgrep rule to catch it

Read the full briefing with sources: https://betabriefing.ai/channels/the-staff-safety-desk/briefings/2026-05-12/

Generated with AI from public sources — verify before acting on anything important.</description>
      <content:encoded><![CDATA[<p>Today on the desk: a self-propagating npm/PyPI worm that shipped malware with valid SLSA provenance, fresh CVEs in urllib3 and PgBouncer, a German BSI advisory on Django, and more data confirming that AI-assisted code is fast to write and slow to review. The connecting thread is the gap between 'attestation passed' and 'actually safe'.</p><h3>In this episode</h3><ul><li><strong>Mini Shai-Hulud worm hits 170+ npm and PyPI packages with valid SLSA provenance</strong> — On May 11, attackers chained a pull_request_target cache-poisoning bug with in-memory OIDC token extraction to publish 84 malicious @tanstack versions in six minutes, then self-propagated to 170+ npm and PyPI packages including Mistral AI, UiPath, OpenSearch, and guardrails-ai — all carrying valid SLSA Build Level 3 attestations. The payload harvests AWS/GCP/Vault/K8s creds and Claude/Cursor config files, persists via .claude/ and .vscode/ hooks, exfiltrates over Session P2P, and arms a dead-man's switch that runs rm -rf $HOME if the stolen GitHub token gets revoked within 24 hours. ELI15: the build robot's badge of authenticity got stamped on a poisoned package — the stamp is real, the contents are not.</li><li><strong>urllib3 ships two CVEs and PgBouncer 1.25.2 patches four SCRAM bugs — patch your transitive deps</strong> — urllib3 disclosed CVE-2026-44431 (low-level ProxyManager forwarding Authorization/Cookie/Proxy-Authorization headers across origins on redirects when assert_same_host=False) and CVE-2026-44432 (decompression-bomb safeguards bypassed in the streaming response path, memory-exhaustion DoS). Both reach you transitively through requests, boto3, and pip. 
Separately, PgBouncer 1.25.2 fixes four remote-exploitable SCRAM authentication bugs triggered by malformed packets plus an admin-console command that let unauthenticated callers terminate sessions.</li><li><strong>BSI flags three Django CVEs (5.3 medium) — Django &lt;6.0.5 and &lt;5.2.14 affected</strong> — Germany's BSI issued an advisory on May 5 covering CVE-2026-35192, CVE-2026-5766, and CVE-2026-6907 against Django &lt;6.0.5 and &lt;5.2.14, all rated CVSS 5.3 with remote attackers able to disclose information or trigger DoS. Three distinct CVEs in one advisory suggests three different flaw classes rather than one root cause — read the Django security release notes before patching to understand which surfaces (URL parsing, form handling, etc.) you actually expose.</li><li><strong>Every AI agent failure in 2026 is an idempotency problem</strong> — Two independent writeups this week catalog the same pattern across five production incidents — 14-email retry storms, duplicate Stripe charges, triplicated orders, oversold inventory, cascading support tickets — all caused by non-idempotent tool calls colliding with at-least-once retries from agent frameworks, webhooks, and brokers. Tool-call volume in agent traces jumped from 0.5% to 21.9% in a year, a 44x expansion of the retry surface, and the fix is the boring 25-year-old one: idempotency keys in tool contracts, deterministic key synthesis, and a dedup store at the boundary. 
ELI15: if you tell a forgetful robot to 'press the charge button' and it can't remember whether it already pressed it, it presses again — give it a sticky note with the order ID and a 'done' list.</li><li><strong>Cursor May changelog: Bugbot effort levels, parallel agents, admin model blocklists (June 1 deadline)</strong> — Cursor's May release ships customizable Bugbot review effort levels with published catch rates (0.7 bugs/run default, 0.95 at high effort; 79% resolved at merge), parallel async subagents that can split a plan file across worktrees, Teams integration for cloud agents, and granular model/provider blocklists for admins with a June 1 migration deadline. Stability fixes hit MCP auth, terminal interaction, and cloud agent hydration.</li><li><strong>The review bottleneck: AI-generated PRs wait 4.6x longer and merge at 32.7%</strong> — LinearB's analysis of 8.1M PRs found AI-generated code waits 4.6x longer for review than human code and merges only 32.7% of the time, versus 84.4% for manual PRs — code writing is 16% of dev time, so 'faster generation' just moves the constraint to review. A separate MERT randomized trial of 16 experienced devs across 246 tasks measured a 19% slowdown when using AI in familiar codebases, against a self-reported 24% speedup (a 43-point perception gap).</li><li><strong>Three fresh SSRF CVEs (Gotenberg, FireFighter, Budibase) — same allowlist failure pattern</strong> — Three SSRF CVEs landed this week with the same underlying shape: Gotenberg's Chromium URL-to-PDF endpoint only blocks file:// and follows 302 redirects without re-validation; FireFighter's /api/v2/firefighter/raid/jira_bot is unauthenticated (permission_classes=[AllowAny]) and fetches arbitrary URLs, hitting CVSS 9.9 by stealing AWS IMDS credentials; Budibase's plugin URL allowlist is bypassed by a trivial .tar.gz substring injection. 
All three share the same root cause — no consistent default-deny on RFC 1918, 169.254.0.0/16, 127.0.0.0/8 — and the same fix shape: re-check the boundary on every fetcher, including redirect targets.</li><li><strong>Real-world XSS via Django mark_safe() on f-strings — and a Semgrep rule to catch it</strong> — A writeup walks through a reflected XSS where a developer wrapped mark_safe() around an f-string interpolating untrusted query params, bypassing autoescape and leading to session theft when SESSION_COOKIE_HTTPONLY was disabled. The fix is the standard one — format_html() escapes arguments while preserving template structure — and the post ships a copy-pasteable Semgrep rule plus test patterns for CI. ELI15: mark_safe() tells Django 'trust me, I've already cleaned this' — wrapping it around an f-string with user input is lying to the framework on the user's behalf.</li></ul><p><a href="https://betabriefing.ai/channels/the-staff-safety-desk/briefings/2026-05-12/">Read the full briefing with sources →</a></p><p><em>Generated with AI from public sources — verify before acting on anything important.</em></p>]]></content:encoded>
      <author>hello@betabriefing.ai (The Staff Safety Desk)</author>
      <guid isPermaLink="false">https://betabriefing.ai/channels/the-staff-safety-desk/briefings/2026-05-12/</guid>
      <enclosure url="https://betabriefing.ai/channels/the-staff-safety-desk/audio/2026-05-12.mp3" length="749037" type="audio/mpeg"/>
      <pubDate>Tue, 12 May 2026 09:00:00 +0000</pubDate>
      <itunes:author>The Staff Safety Desk</itunes:author>
      <itunes:explicit>no</itunes:explicit>
      <itunes:subtitle>Today on the desk: a self-propagating npm/PyPI worm that shipped malware with valid SLSA provenance, fresh CVEs in urllib3 and PgBouncer, a German BSI advisory on Django, and more data confirming that AI-assisted code is fast to write and s</itunes:subtitle>
      <itunes:summary>Today on the desk: a self-propagating npm/PyPI worm that shipped malware with valid SLSA provenance, fresh CVEs in urllib3 and PgBouncer, a German BSI advisory on Django, and more data confirming that AI-assisted code is fast to write and slow to review. The connecting thread is the gap between 'attestation passed' and 'actually safe'.

In this episode:
• Mini Shai-Hulud worm hits 170+ npm and PyPI packages with valid SLSA provenance
• urllib3 ships two CVEs and PgBouncer 1.25.2 patches four SCRAM bugs — patch your transitive deps
• BSI flags three Django CVEs (5.3 medium) — Django &lt;6.0.5 and &lt;5.2.14 affected
• Every AI agent failure in 2026 is an idempotency problem
• Cursor May changelog: Bugbot effort levels, parallel agents, admin model blocklists (June 1 deadline)
• The review bottleneck: AI-generated PRs wait 4.6x longer and merge at 32.7%
• Three fresh SSRF CVEs (Gotenberg, FireFighter, Budibase) — same allowlist failure pattern
• Real-world XSS via Django mark_safe() on f-strings — and a Semgrep rule to catch it

Read the full briefing with sources: https://betabriefing.ai/channels/the-staff-safety-desk/briefings/2026-05-12/

Generated with AI from public sources — verify before acting on anything important.</itunes:summary>
      <itunes:episode>1</itunes:episode>
      <itunes:title>May 12: Mini Shai-Hulud worm hits 170+ npm and PyPI packages with valid SLSA provenance</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
    </item>
  </channel>
</rss>
