Weekly Threat Intelligence: MCP Server Hijacks, Compressed PDF Exfiltration, and CI Install-Hook Abuse

This catch-up run covered May 2 through May 18, 2026 and processed 250 high and critical vulnerabilities across CISA KEV, NVD, the Go Vulnerability Database, and 10 editorial security sources. The pattern was not subtle. Attackers are no longer satisfied with exploiting only the application payload path. They are going after the systems that tell modern software what tools it can use, what documents it can trust, and what code it is allowed to execute during build and deployment.

That showed up in three especially important ways. First, agent frameworks are being targeted through dynamic MCP server registration and tool-routing abuse, where a compromised workflow pushes the agent toward an attacker-controlled remote server. Second, indirect prompt injection is moving deeper into documents, including compressed PDF streams that basic visible-text scanners never inspect. Third, supply-chain abuse is increasingly hiding in install-time behavior rather than the package name alone, with preinstall and postinstall hooks pulling and executing remote payloads inside CI/CD pipelines.

We responded with a narrow, architecture-respecting hardening pass. Same single binary. Same 16 modules. No new cloud services, no auxiliary scanners, no extra runtime dependencies. The goal was to close the most immediate gaps the report surfaced without drifting away from the core operating model.

After the first pass, we tightened the two deepest coverage paths instead of leaving them as roadmap language. Runtime Watcher now has a Linux real-time file monitor for short-lived artifacts in /dev/shm, /tmp, /var/tmp, /run, and /run/user, with high and critical alerts for transient execution and privilege-escalation indicators. The Rust sidecar now streams large event fields in overlapping chunks, including the normalized scan path, so deeply buried payloads are inspected without building an unbounded transformed buffer.

For customers, that means the same engine now watches more of the attack window. Short-lived runtime artifacts are no longer dependent on the next polling interval, and large payloads are no longer treated as too deep to inspect.

The bigger lesson from this period is that the trusted surfaces keep shrinking. Tool registries are not automatically trustworthy. Documents are not automatically passive. Package installation is not automatically just package installation. More and more of the modern attack chain happens in places teams still mentally categorize as setup, metadata, or automation glue.

That is exactly why behavioral coverage matters. You do not need a giant new subsystem every time attacker tradecraft shifts by one layer. You need the existing engine to understand the behavior of those layers well enough to say, "this is not normal, and it should not be allowed to pass quietly." This round of changes pushed 1-SEC further in that direction.

The report found zero matching Go dependency advisories for the current engine dependencies. That is the kind of result we want: the pressure this cycle came from architecture and workflow abuse, not from a stale third-party library quietly rotting underneath the binary.

The vulnerability intelligence pipeline itself remains available in the main repository. It introspects the Go modules, Rust sidecar, and core engine, scrapes 12 live sources, cross-references them against real detection coverage, and produces both a markdown report and a structured action manifest. This run produced 5 action items. We implemented the MCP registration hardening, the PDF FlateDecode inspection path, install-hook plus package-baseline improvements, real-time runtime artifact monitoring, and Rust sidecar deep-buffer streaming in the same hardening cycle.