‘Orca Watch’ Series
144 Mastra npm Packages Compromised via Supply Chain Attack
A critical supply chain attack was disclosed affecting the entire @mastra/* npm scope, allowing attackers to deploy a cross-platform infostealer...
Research
Discovered Vulnerabilities
How Orca Traced an nginx Flaw to 1.45 Million Tengine Servers All Running Vulnerable Code
TL;DR When a critical nginx vulnerability hits the headlines, security teams patch nginx. But what if the same vulnerable code...
‘Orca Watch’ Series
Critical Langflow Path Traversal Flaw Exploited for Unauthenticated RCE
Executive Summary A high-severity vulnerability (CVE-2026-5027, CVSS 8.8) was disclosed affecting Langflow, an open-source low-code platform widely used for building...
‘Orca Watch’ Series
Critical PhpSpreadsheet RCE Patch Bypass Puts Millions at Risk
Executive Summary A critical vulnerability (CVE-2026-45034, CVSS 9.8) was disclosed affecting PhpSpreadsheet, the widely-used PHP library with over 312 million...
‘Orca Watch’ Series
Critical Splunk Enterprise Vulnerabilities Allow Unauthenticated File Operations and Remote Code Execution
Executive Summary A critical vulnerability (CVE-2026-20253, CVSS 9.8) was disclosed alongside three additional high-severity flaws affecting Splunk Enterprise, Splunk Cloud...
Container and Kubernetes
Critical Jupyter Enterprise Gateway Vulnerabilities Enable Full Kubernetes Cluster Takeover
Three critical vulnerabilities (CVE-2026-44182, CVSS 10.0; CVE-2026-44181, CVSS 10.0; CVE-2026-44180, CVSS 9.8) were disclosed affecting Jupyter Enterprise Gateway, a widely...
‘Orca Watch’ Series
Massive PyPI Supply Chain Attack Harvests Cloud Credentials via Python Startup Hooks
A coordinated supply chain attack targeting PyPI has compromised 26 packages (37 malicious wheel files) across bioinformatics, graph ML, deep-learning,...
‘Orca Watch’ Series
Critical WordPress Plugin Vulnerability Allows Unauthenticated Admin Takeover on 150K Sites
A critical vulnerability (CVE-2026-8206, CVSS 9.8) was disclosed affecting the Kirki Freeform Page Builder, Website Builder & Customizer plugin for...
‘Orca Watch’ Series
Critical Netlogon RCE Flaw Actively Exploited Against Windows Domain Controllers
A critical vulnerability (CVE-2026-41089, CVSS 9.8) was disclosed affecting all supported Windows Server versions configured as domain controllers, allowing attackers...