Over 40 CVEs in four months, a 43% command-injection rate, and a self-replicating worm targeting your agent configs - here is what is breaking in MCP server deployments and how to harden it.
CVE-2026-45321 entered CISA's KEV on May 27, 2026. Here is exactly how TeamPCP hijacked TanStack's CI pipeline to publish 84 malicious npm packages, plus concrete steps JS/TS shops need now.
A malicious Nx Console extension was live for 18 minutes on May 18 — long enough to steal credentials and exfiltrate around 3,800 GitHub repos. A post-mortem of the year's biggest dev-tooling breach.
TeamPCP poisoned a Checkmarx Jenkins plugin using credentials from an earlier breach, while Datadog found 87% of organizations run known-exploitable vulnerabilities. A look at the attacks, the data, and the defenses that work.