This Week in Security: XRP Poisoned, MCP Bypassed, and More
Summary
Researchers at Aikido have identified a rapid series of releases of the xrpl package on NPM whose updates sent a user’s seed (the root of trust for a cryptocurrency wallet) to a remote URL, effectively stealing the wallet and its contents.
The releases were made via a Ripple developer account, and whilst the total number of downloads was low at 452, users are advised to audit and rotate their keys.
Zyxel USG FLEX H series firewall/routers have been found to have a privilege escalation vulnerability, allowing authenticated users with VPN access to take complete control of the device.
The flaw lies in how the device handles SSH access for unprivileged users, permitting SSH traffic forwarding and internal port access.
An unprivileged PostgreSQL user can be leveraged to achieve root access, whilst a system Recovery Manager can be used to upload and execute a custom binary which can also provide root access.
Anvil Secure has discovered that power glitching can be used to breach readout protection in STM32 microcontrollers.
Crashing the chip whilst it is reading its memory protection settings glitches it into allowing protected memory to be read.