
Three security stories from the last week of May 2026 sit on three different layers of the stack and they all share a single ugly pattern: trust in a label that the code doesn't enforce. An APT group trusted that signed binaries would stay signed. A container registry trusted that "private" meant private. An HTTP framework trusted that the size of a multipart header was bounded. None of those trusts survived contact with the implementation.
What You Need to Know: Symantec disclosed a Seedworm (Iran-linked MOIS) espionage campaign that hit nine organizations across four continents in Q1 2026, abusing legitimately-signed Fortemedia and SentinelOne binaries via DLL sideloading. Noscope's autonomous pentester found CVE-2026-27771, a four-year-old Gitea bug that let anonymous users pull "private" container images from an estimated 31,750 deployments. CVE-2026-42561 is a python-multipart DoS flaw that affects Starlette, FastAPI, and any other ASGI framework that parses multipart form data with unbounded header sizes.
Symantec's Threat Hunter team disclosed on May 13, 2026 that Iran-linked APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten, attributed to the Iranian Ministry of Intelligence and Security, MOIS) compromised nine organizations across four continents in Q1 2026. Sectors hit: industrial and electronics manufacturing, education, financial services, professional services, and government. Victims included a Middle Eastern international airport, Southeast Asian industrial manufacturers, a Latin American financial services provider, and educational institutions in multiple countries.
The tradecraft is the story. The attackers used DLL sideloading against legitimately-signed third-party binaries:
- fmapp.exe, a Fortemedia audio-driver utility, was used to load a malicious fmapp.dll.
- sentinelmemoryscanner.exe, a legitimate SentinelOne endpoint security component, was used to load a malicious sentinelagentcore.dll.
Both malicious DLLs contained ChromElevator, a publicly available post-exploitation tool that steals browser-stored passwords, cookies, and payment-card data from Chromium-based browsers. In both cases the parent process was node.exe, meaning the DLL sideloading was orchestrated through a Node.js script, not a user clicking an icon.
The intrusion at the major South Korean electronics manufacturer (initial access February 20, 2026) stayed inside the network for nearly a week. The attackers used a Node.js runtime already on the host to drive automated reconnaissance (enumerating users, domain groups, and AV products within minutes), downloaded additional payloads via PowerShell and curl, established persistence through a registry Run key, and exfiltrated data through sendit.sh, a public file-transfer service. VirusTotal flags sendit.sh as having a long history of association with malicious activity.
The cadence — 90-second beacons, gaps of 36 hours between operator sessions, fresh tooling restaged under random directory names — is consistent with implant-driven activity rather than hands-on operator presence. That's the model Seedworm has been running for years. (Source)
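As an added example (not from Symantec's report or any vendor's tooling), the following Python checks Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records for the two sideloading patterns described above: one of the abused signed binaries spawned by node.exe, running from outside its expected install directory, or loading its companion DLL unsigned or from an unexpected path. The expected-directory prefixes, the sample event lines and every path in them are constructed assumptions; tune the prefixes to where these binaries actually live in your fleet.

```python
import json
import ntpath

# Signed binaries the campaign abused and the DLL each one sideloads (from the report).
SIDELOAD_TARGETS = {
    "fmapp.exe": "fmapp.dll",
    "sentinelmemoryscanner.exe": "sentinelagentcore.dll",
}
# The report names node.exe as the parent process; extend for your environment.
SCRIPT_HOST_PARENTS = {"node.exe"}
# Assumption: vendor-installed binaries live under these prefixes. Tune to your fleet.
EXPECTED_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _base(path):
    return ntpath.basename(path).lower()


def _in_expected_dir(path):
    return path.lower().startswith(EXPECTED_INSTALL_PREFIXES)


def check_event(event):
    """Return reason strings for one Sysmon-style event; empty list if nothing suspicious."""
    reasons = []
    image = event.get("Image", "")
    exe = _base(image)
    if exe not in SIDELOAD_TARGETS:
        return reasons
    if event.get("EventID") == 1:  # process creation
        parent = _base(event.get("ParentImage", ""))
        if parent in SCRIPT_HOST_PARENTS:
            reasons.append(f"{exe} spawned by script host {parent}")
        if not _in_expected_dir(image):
            reasons.append(f"{exe} running from unexpected directory {ntpath.dirname(image)}")
    elif event.get("EventID") == 7:  # image (DLL) load
        loaded = event.get("ImageLoaded", "")
        if _base(loaded) == SIDELOAD_TARGETS[exe]:
            if str(event.get("Signed", "")).lower() != "true":
                reasons.append(f"{exe} loaded unsigned {_base(loaded)} from {ntpath.dirname(loaded)}")
            elif not _in_expected_dir(loaded):
                reasons.append(f"{exe} loaded {_base(loaded)} from unexpected directory {ntpath.dirname(loaded)}")
    return reasons


def scan_events(lines):
    """Run check_event over JSON event lines and collect findings."""
    findings = []
    for line in lines:
        event = json.loads(line)
        for reason in check_event(event):
            findings.append({"image": event.get("Image", ""), "reason": reason})
    return findings


# Constructed sample events: a benign and a suspicious record for each pattern.
_TEMP = r"C:\Users\alice\AppData\Local\Temp\q7x2m9"  # random-looking staging dir, constructed
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\VendorPlaceholder\fmapp.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": _TEMP + r"\fmapp.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\VendorPlaceholder\fmapp.exe",
     "ImageLoaded": r"C:\Program Files\VendorPlaceholder\fmapp.dll", "Signed": "true"},
    {"EventID": 7, "Image": _TEMP + r"\sentinelmemoryscanner.exe",
     "ImageLoaded": _TEMP + r"\sentinelagentcore.dll", "Signed": "false"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_LOG):
        print(finding["reason"])
```

On the constructed sample this yields three findings, all against the Temp-staged copies: the fmapp.exe launch is flagged twice (node.exe parent, unexpected directory) and the sentinelmemoryscanner.exe DLL load once (unsigned companion DLL). The legitimate copies under Program Files produce nothing, which is the point: the signature on the executable is identical in both cases, so the signal has to come from parent, path and the loaded DLL rather than from the signer.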
On May 25, 2026, UK security firm Noscope disclosed CVE-2026-27771, a critical flaw in Gitea that lets an unauthenticated remote attacker pull container images from repositories marked private, no account, no password, no token required. The bug was discovered by Noscope's autonomous pentester running automated probes against public Gitea instances. The fix shipped in Gitea 1.26.2 on May 20, 2026 — the four-year exposure window didn't.
The bug is as simple as it is bad. The access control check that gates source code on Gitea never ran on container manifest and blob requests. A docker pull against a private repository on an unpatched Gitea instance returned the bytes. The UI said "private." The registry said "sure."
Noscope's Shodan-based survey found ~31,750 internet-exposed Gitea deployments, with 93% running an unpatched version at disclosure. Geographic concentration: China, the US, Germany, France, and the UK. Sector breakdown includes healthcare, aerospace, industrial manufacturing, retail, software development, social media, SaaS, and ISPs. Forgejo, the community-governed Gitea fork, ships the same container registry implementation and is vulnerable to the same flaw.
Why this is worse than a code leak: a modern container image is a snapshot of an entire runtime. Engineers routinely bake database passwords, API keys, signing keys, internal SBOM data, and configuration files with internal hostnames into the build layers. Container layer caching means a secret added in an early Dockerfile instruction and removed later still exists in the intermediate layer. For an organization that used Gitea's registry for the past four years, the question is not whether something sensitive leaked — it's what.
Patch: Gitea 1.26.2 or later. Workaround if you can't patch immediately: set [service].REQUIRE_SIGNIN_VIEW=true in app.ini. (Source)
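The layer-caching point above is the one that decides what you have to rotate, so here is an added example (not Gitea's, Noscope's or any scanner project's code) that walks a docker-save style image tarball layer by layer, greps every file in every layer for a few secret patterns, and reports whether a later layer deleted the file via a whiteout entry. A "deleted in a later layer" hit is exactly the secret that is gone from the running container but still sits in the pulled image. The image, its two layers, the secret patterns and the AKIAIOSFODNN7EXAMPLE value (AWS's documentation sample key) are all constructed for the demonstration; point scan_image at the bytes of a real `docker save` output to use it.

```python
import io
import json
import re
import tarfile

# Patterns to hunt for inside layer files; extend with whatever your org bakes into builds.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(rb"(?i)(?:password|secret|token)\s*[=:]\s*\S+"),
}


def _add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image():
    """Construct a two-layer docker-save style image in memory (sample data, not a real image)."""
    # Layer 0: COPY .env into the image (contains secrets).
    layer0 = io.BytesIO()
    with tarfile.open(fileobj=layer0, mode="w") as tar:
        _add_bytes(tar, "app/.env",
                   b"DB_PASSWORD=hunter2\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
        _add_bytes(tar, "app/main.py", b"print('hello')\n")
    # Layer 1: RUN rm app/.env, recorded as an overlay whiteout entry.
    layer1 = io.BytesIO()
    with tarfile.open(fileobj=layer1, mode="w") as tar:
        _add_bytes(tar, "app/.wh..env", b"")
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as tar:
        manifest = [{"Config": "config.json", "RepoTags": ["example/app:latest"],
                     "Layers": ["l0/layer.tar", "l1/layer.tar"]}]
        _add_bytes(tar, "manifest.json", json.dumps(manifest).encode())
        _add_bytes(tar, "l0/layer.tar", layer0.getvalue())
        _add_bytes(tar, "l1/layer.tar", layer1.getvalue())
    return image.getvalue()


def _whiteouts(layer):
    """Paths a layer deletes: entries named .wh.<name> (opaque-dir markers excluded)."""
    removed = set()
    for member in layer.getmembers():
        parent, _, base = member.name.rpartition("/")
        if base.startswith(".wh.") and base != ".wh..wh..opq":
            removed.add((parent + "/" if parent else "") + base[len(".wh."):])
    return removed


def scan_image(image_bytes):
    """Return one finding per (layer, file, pattern) match across all layers of the image."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            layers = [tarfile.open(fileobj=io.BytesIO(image.extractfile(name).read()))
                      for name in entry["Layers"]]
            try:
                whiteouts = [_whiteouts(layer) for layer in layers]
                for index, layer in enumerate(layers):
                    removed_later = set().union(*whiteouts[index + 1:])
                    for member in layer.getmembers():
                        if not member.isfile():
                            continue
                        data = layer.extractfile(member).read()
                        for label, pattern in SECRET_PATTERNS.items():
                            if pattern.search(data):
                                findings.append({
                                    "layer": index,
                                    "path": member.name,
                                    "pattern": label,
                                    "deleted_in_later_layer": member.name in removed_later,
                                })
            finally:
                for layer in layers:
                    layer.close()
    return findings


if __name__ == "__main__":
    for finding in scan_image(build_sample_image()):
        print(finding)
```

On the sample image both hits come from app/.env in layer 0 and both carry deleted_in_later_layer=True: the file is absent from a container started from this image, yet anyone who pulled the image holds layer 0 and can read it. That is why the rotation list after a registry exposure has to come from the layers, not from the final filesystem.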
CVE-2026-42561 is a denial-of-service vulnerability in python-multipart's MultipartParser. The parser had no limit on the number of part headers or the size of an individual part header. An attacker can send a multipart request with either many repeated headers or a single very large header value, and the parser will do unbounded CPU work before request rejection or completion.
The downstream impact: any ASGI application that uses python-multipart, which means essentially every Starlette and FastAPI application, plus many other Python web frameworks that accept file uploads, can be pinned into a CPU-exhaustion state by a single attacker request. Worker and event-loop delays, queue starvation, the usual DoS pattern.
The fix is in python-multipart 0.0.27, which enforces default parser limits for maximum header count and maximum header size. The mitigation if you can't upgrade: enforce request body size limits at the server, proxy, or framework layer. That's a mitigation, not a fix — affected versions still parse multipart headers without limits, and a large but sub-body-limit request can still trigger it. (Source)
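The server-, proxy- or framework-layer body limit just mentioned is easy to get wrong when uploads arrive chunked, so here is an added example (my own code, not python-multipart's, Starlette's or FastAPI's) of a pure-ASGI wrapper that enforces it both ways: it rejects on a declared Content-Length above the cap before reading anything, and it counts streamed bytes so a chunked body cannot bypass the cap. The echo app and the run_request driver are constructed stand-ins for a real framework and server; wrapping a Starlette or FastAPI object as `app = BodySizeLimit(app, 10 * 1024 * 1024)` is the assumed deployment.

```python
import asyncio


class PayloadTooLarge(Exception):
    """Raised by the limited receive() once the streamed body exceeds the cap."""


async def _send_413(send):
    body = b"request body too large"
    await send({"type": "http.response.start", "status": 413,
                "headers": [(b"content-type", b"text/plain"),
                            (b"content-length", str(len(body)).encode())]})
    await send({"type": "http.response.body", "body": body})


class BodySizeLimit:
    """Pure-ASGI wrapper that refuses request bodies above max_bytes, declared or streamed."""

    def __init__(self, app, max_bytes):
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        # Fast path: reject on the declared Content-Length before reading any body bytes.
        for name, value in scope.get("headers", []):
            if name.lower() == b"content-length":
                try:
                    declared = int(value)
                except ValueError:
                    declared = None  # ASGI servers normally reject malformed values first
                if declared is not None and declared > self.max_bytes:
                    await _send_413(send)
                    return
        # Slow path: count streamed bytes so a chunked upload cannot bypass the cap.
        received = 0
        response_started = False

        async def limited_receive():
            nonlocal received
            message = await receive()
            if message["type"] == "http.request":
                received += len(message.get("body", b""))
                if received > self.max_bytes:
                    raise PayloadTooLarge(received)
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except PayloadTooLarge:
            if not response_started:
                await _send_413(send)
            # If headers already went out, the server tears the connection down.


async def echo_length_app(scope, receive, send):
    """Stand-in for the wrapped framework app: reads the whole body, returns its length."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": str(total).encode()})


def run_request(app, chunks, content_length=None):
    """Drive an ASGI app with a constructed POST delivered in chunks; returns (status, body)."""
    headers = []
    if content_length is not None:
        headers.append((b"content-length", str(content_length).encode()))
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
    pending = list(chunks)
    sent = []

    async def receive():
        chunk = pending.pop(0)
        return {"type": "http.request", "body": chunk, "more_body": bool(pending)}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return status, body


if __name__ == "__main__":
    limited = BodySizeLimit(echo_length_app, max_bytes=1024)
    print(run_request(limited, [b"x" * 100]))                       # (200, b'100')
    print(run_request(limited, [b"x" * 100], content_length=5000))  # (413, ...)
    print(run_request(limited, [b"x" * 600, b"x" * 600]))           # (413, ...)
```

The third call is the case a Content-Length-only check misses: no length header, two 600-byte chunks, and the cap trips on the second one before the parser ever sees the full body. As the paragraph above says, this is still only a mitigation: the parser on an affected version still has no per-header bound, and a request that stays under the body cap while packing a single oversized header can still burn CPU, so the upgrade to 0.0.27 is the fix.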
These three stories share a common shape: the security guarantee was in the label, not in the code. "Signed binary" was a label the OS loader trusted. "Private" was a label the UI showed. "Bounded request" was a label the framework's documentation implied. None of those were properties of the actual systems.
The Seedworm campaign is the most strategically interesting of the three because it doesn't just exploit a bug — it exploits the entire concept of "trust based on signing." The loader for the malicious DLL is a real, signed, vendor-distributed binary. The DLL is loaded by that binary's normal mechanism. The malicious payload is a publicly available tool that, by itself, isn't on any IOC list. Defenders have to start modeling signed binaries as a threat surface, not a trust anchor. If you run SentinelOne or Fortemedia, you should be looking for unexpected child processes of sentinelmemoryscanner.exe and fmapp.exe right now. The fact that those are your own security products is precisely the cover.
The Gitea bug is a master class in why "private" is a UI feature, not a security feature. The right way to test whether your private repository is actually private is to attempt access from a network that shouldn't be able to reach it. Noscope's autonomous pentester is what good security looks like in 2026: broad, automated, and constantly running. If you're a CISO with self-hosted Gitea, you should assume compromise of every image that lived in a private registry before May 20, rotate every secret that may have been baked into a layer, and never trust a "private" label in a self-hosted UI again. The Gitea team also needs to do a public postmortem on why the access-control regression existed for four years — that's a process failure, not a code failure.
The python-multipart DoS is the easy one to fix and the one most likely to be ignored. If you ship a public-facing FastAPI or Starlette service, you have a single-line upgrade to do. The blast radius of the bug is real but bounded; the blast radius of not upgrading is asymmetric — you lose CPU to a single attacker request, and a sophisticated adversary turns that into a wedge for follow-on attacks against the parts of your service that don't gracefully handle worker exhaustion.
The meta-lesson for 2026: AI-driven vulnerability discovery is now the dominant pipeline for finding old bugs in old code. Noscope's Gitea disclosure came alongside DepthFirst AI's NGINX rewrite heap overflow, an Exim use-after-free, and the second Linux ptrace flaw of the year — all found by automated AI scanning. The implication for the maintainers of widely-deployed open-source projects is that bugs that have been sitting in the codebase for years are going to be found and disclosed on a much shorter timeline. Plan accordingly.
Seedworm used DLL sideloading against Fortemedia and SentinelOne signed binaries to hit nine orgs across four continents; CVE-2026-27771 left ~31,750 Gitea instances leaking "private" container images for four years (patch to 1.26.2); CVE-2026-42561 lets a single multipart request DoS any Starlette or FastAPI service on python-multipart < 0.0.27.