BlueNoroff npm supply chain attack; WordPress Gravity SMTP exploited on 100k sites

TL;DR: Multiple high-severity incidents reported — a North Korean-linked supply-chain compromise of 140+ npm packages via Mastra AI, active exploitation of Gravity SMTP (CVE-2026-4020) exposing API keys across many WordPress sites, Microsoft-disclosed AutoJack RCE against AI browsing agents, a Klue OAuth breach leaking Salesforce tokens, and a multinational disruption of SocGholish; urgent actions recommended include patching/removing vulnerable plugins, auditing dependencies, rotating tokens, and tightening network/local service controls.