互联网搬💩集散地BGP 分频: @bakanetwork内频：https://t.me/+KeNZttiOmFtlZjE1「愿你在未来与我的既往重逢」https://broadcastchannel-95o.pages.devhttps://broadcastchannel-95o.pages.dev/posts/2239https://broadcastchannel-95o.pages.dev/posts/2239Thu, 14 May 2026 18:05:13 GMT<a href="/search/%23%E5%AE%89%E5%85%A8%E9%A2%84%E8%AD%A6">#安全预警</a> NPM包 node-ipc 出现供应链攻击，请暂停安装。<br /><br />发生时间:5月14日23:30左右https://broadcastchannel-95o.pages.dev/posts/2230https://broadcastchannel-95o.pages.dev/posts/2230Thu, 14 May 2026 14:24:37 GMT<div> <img src="https://cdn5.telesco.pe/file/J5wyT94ea9YyWIE2AjvteHEDK8p2CY7X6jJGj1TlpZvStmMR0EYYIfLlU6ouv8ThbAtE2T4Q5TvLdB1ZXG_2qG9Pm709aF4A5l5Ag-lx7TBUOjz4as8FVXPlNA5Ep4RUoUIoXKuII3yiQwVCeZJom9ihDUHC17px51a2Atn2lsYMC83uhayBvLn6iLUI0dUAT30t62eTW9otYt1zOkJLq02Rkv1BLrXmZYxeApWncMB0SfqRlGtnI8iE_lM26pZJxVqTvlxodJVxrBjsn_Pnf62w9y8I48VOqr-ReAPFwanAkK6ObuplHGhWpg_WUOkKw4vKTQnN07zu-JbfI2xdBg.jpg" alt="#碎碎念 #前端 #安全 #新动态看乐了，还好我已经远离 Next.js 了CVE-2026-44578 CVE-2026-44578 ⚠️ Next.js – WebSocket Upgrade SSRF (CVSS 8.6) A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler. By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data. Affected: Next.js 13.4.13+, 14.x, 15.x &lt;15.5.16, 16.0.0–16.2.4 Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.  Modat Magnify Query: technology=" loading="lazy" /> </div><a href="/search/%23%E7%A2%8E%E7%A2%8E%E5%BF%B5">#碎碎念</a> <a href="/search/%23%E5%89%8D%E7%AB%AF">#前端</a> <a href="/search/%23%E5%AE%89%E5%85%A8">#安全</a> <a href="/search/%23%E6%96%B0%E5%8A%A8%E6%80%81">#新动态</a><br />看乐了，还好我已经远离 Next.js 了<br /><br /><a href="https://x.com/modat_magnify/status/2054848379339837850" target="_blank">CVE-2026-44578 </a><br /><blockquote>CVE-2026-44578 <br /><i><b>⚠️</b></i> Next.js – WebSocket Upgrade SSRF (CVSS 8.6) <br /><br />A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler. <br />By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data. <br /><br />Affected: Next.js 13.4.13+, 14.x, 15.x &lt;15.5.16, 16.0.0–16.2.4 <br /><br />Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.  <br /><br />Modat Magnify Query: <br />technology="Next.js" <br /><br />The platform: <br /><a href="https://magnify.modat.io/" target="_blank">https://magnify.modat.io/</a> <br /><br /><a href="/search/%23threatintel">#threatintel</a> <a href="/search/%23vulnerability">#vulnerability</a> <a href="/search/%23CVE202644578">#CVE202644578</a> <a href="/search/%23Nextjs">#Nextjs</a> <a href="/search/%23SSRF">#SSRF</a> <a href="/search/%23WebSocket">#WebSocket</a> <a href="/search/%23CloudSecurity">#CloudSecurity</a> <a href="/search/%23infosec">#infosec</a> <a href="/search/%23Critical">#Critical</a> <a href="/search/%23ModatMagnify">#ModatMagnify</a></blockquote><br /><br />最近 CVE 好 热 闹 啊https://broadcastchannel-95o.pages.dev/posts/2193https://broadcastchannel-95o.pages.dev/posts/2193Wed, 13 May 2026 07:58:17 GMT<div> <img src="https://cdn5.telesco.pe/file/Xc-tHruVlfqbIuPMVs7o-SX-bukcExq6m7tbojEcVMFYuJ6ckweEnffaFKHgHhY0qDnCtfRKBsTyyVtSDKjwgk5E9K4C4BVkWlXXsuvGrfqUHtGa6Lg7fvgHAGIyItAFl2xadQISsW0pi38lhSeqFRIymwCJfCu1aCegglDQBCCgRCA-V51Lc_OoTqL9EbcpzCck2yVVPXLdO1Fl2Qh5hv3W1eTTE1is54lzEIgFYKrxIuQhDtZeuaRkk7PAlXnscuHLbrmlPg-YWdbPOsK50A9FSLfyCsfGC3Gux2ogqQVdJRJnY_wXmn0HfV0y6r3e97ZC5rhY7OsyKRKNZHOWOQ.jpg" alt="#安全资讯 病毒开源也是开源？致力于供应链攻击的 TeamPCP 团队在 GitHub 开源蠕虫病毒 Shai-Hulud，随后还有好心人贡献代码让蠕虫支持 FreeBSD (用户：我可谢谢你)" loading="lazy" /> <img src="https://cdn5.telesco.pe/file/r4FY6ssnHFbMYXpDwFDSFSwh-tYgBczQICmUuBA1P6ekvQJ_Af37phcFPAb-kR8ra_xQKoc_uPb6aHjbM3cPbrpkDkx1xGtoCyfu_UMcGGMuMb-b9pikwvRV3ZUNww9FDEeYCAzlunns3sB1D2Q18TF7LwGkKO4j1c39bgSIeiJ_LIuHYb726qpYdqEZwIKPIg6R19UjctkdibvwhzrUFpnxeowQgPOUSAQ0XE1KMuPZku9Qs8kcHEpXuIy1SdwFeGZ4HXkBgYIT9xGISfiqbV4kWUVlZ0Ypueqf5qVLGL4rm7YKUKy0WHP0_9nVxnS01SJs_iHzS3DTS5BCSzjRdw.jpg" alt="#安全资讯 病毒开源也是开源？致力于供应链攻击的 TeamPCP 团队在 GitHub 开源蠕虫病毒 Shai-Hulud，随后还有好心人贡献代码让蠕虫支持 FreeBSD (用户：我可谢谢你)" loading="lazy" /> </div><a href="/search/%23%E5%AE%89%E5%85%A8%E8%B5%84%E8%AE%AF">#安全资讯</a> <b>病毒开源也是开源？致力于供应链攻击的 TeamPCP 团队在 GitHub 开源蠕虫病毒 Shai-Hulud，随后还有好心人贡献代码让蠕虫支持 FreeBSD (用户：我可谢谢你)。</b><br /><br />这个蠕虫病毒只需要简单修改即可部署使用，OX 分析师也确认代码是有效的，与黑客此前发起攻击使用的代码相同。<br /><br />查看详情：<a href="https://ourl.co/112919" target="_blank">https://ourl.co/112919</a><br /><br /><i><b>🤪</b></i><a href="https://t.me/landiansub" target="_blank">订阅</a> <i><b>❓</b></i><a href="https://t.me/id7371" target="_blank">解封</a> <i><b>😁</b></i><a href="https://x.com/intent/follow?screen_name=landiantech" target="_blank">推特</a> <i><b>👍</b></i><a href="https://t.me/landiansub/12423" target="_blank">CN2VPS</a>