Mastra npm hijack exposes 1.1M weekly downloads; JetBrains plugins ran a stolen-API-key resale scheme since October; OpenClaw studies expose AI agent trust-boundary failures; CISA KEVs a max-severity Joomla flaw; Microsoft formally acknowledges RoguePlanet Defender zero-day.