appsec 48
- SymJack Attack Weaponizes AI Coding Agents as Supply Chain Delivery Systems
- Gitea CVE-2026-27771: Unauthenticated Attackers Can Pull Private Container Images
- Microsoft Defender for Endpoint Tests Automatic Isolation of Compromised Hosts to Block Lateral Movement
- Discord Migrates All Users to End-to-End Encryption by Default
- 1Password and OpenAI Introduce Just-in-Time Credentials for AI Coding Agents
- Anthropic Silently Patches Claude Code Sandbox Bypass
- Drupal Warns of Critical Core Patch on May 20 — Exploits Expected Within Hours
- Critical SEPPMail Gateway Vulnerabilities Enable RCE and Full Mail Traffic Read
- Compromised Nx Console 18.95.0 Delivers Credential Stealer to 2.2M VS Code Users
- node-ipc npm Package Compromised in Supply Chain Attack to Steal Credentials
- TanStack Supply Chain Attack Compromised Two OpenAI Employee Devices, Credentials Stolen
- TanStack npm Supply Chain Attack Hits Multiple AI Companies
- 18-Year-Old NGINX Rewrite Module Bug Enables Unauthenticated RCE
- Fortinet Patches Critical RCE Flaws in FortiSandbox and FortiAuthenticator
- OpenAI Launches Daybreak: AI-Powered Vulnerability Detection and Automated Patch Validation
- Official Checkmarx Jenkins AST Plugin Backdoored with Infostealer
- Unit 42 Unpacks AD CS Escalation: Template Misconfigs, Shadow Credentials, and Detection Guidance
- cPanel and WHM Patch Three Vulnerabilities Including RCE and Privilege Escalation
- Prompt Injection Flaw in Claude Chrome Extension Allows AI Agent Takeover
- VoidStealer Trojan Bypasses Chrome App-Bound Encryption to Steal Credentials
- Researchers Bypass Claude Safety Guardrails via 'Gaslighting' Technique
- Trellix Confirms Source Code Breach via Unauthorized Repository Access
- WordPress Redirect Plugin Hid Dormant Backdoor for Five Years Across 70,000 Sites
- Wiz Used AI Reverse Engineering to Uncover High-Severity GitHub Vulnerability
- 38 Vulnerabilities in OpenEMR Allow Access to and Modification of Patient Data
- Unit 42 Maps npm Attack Surface: Wormable Malware, CI/CD Persistence, and Multi-Stage Chains
- Hackers Actively Exploiting Unauthenticated File Upload Bug in Breeze Cache WordPress Plugin
- Bitwarden npm Supply Chain Attack Attributed to TeamPCP; Shai-Hulud Worm Component Identified
- LMDeploy CVE-2026-33626 SSRF Exploited in the Wild Within 13 Hours of Disclosure
- Cisco Discovers Memory Vulnerability in Anthropic AI Agent Framework
- Checkmarx Supply Chain Attack Compromises Bitwarden CLI and KICS Analysis Tool
- Unit 42 Zealot PoC Demonstrates AI Agents Autonomously Attacking Cloud Environments
- Vercel Expands Breach Scope: More Accounts Compromised in Context.ai-Linked Incident
- Google Antigravity AI IDE: Prompt Injection Chained to Sandbox Escape and Code Execution
- Cisco Talos Documents macOS Living-Off-the-Land Techniques Using Native OS Primitives
- Comment and Control: Claude Code, Gemini CLI, and GitHub Copilot Vulnerable to Prompt Injection via Code Comments
- 30+ EssentialPlugin WordPress Plugins Backdoored in Supply Chain Compromise
- Critical wolfSSL Vulnerability Allows ECDSA Signature Forgery and Certificate Bypass
- Adobe Patches Actively Exploited Acrobat Reader RCE — CVE-2026-34621
- Google Extends Gmail End-to-End Encryption to Android and iOS for Enterprise Users
- Smart Slider 3 Pro Update System Hijacked to Deliver Backdoored WordPress and Joomla Versions
- Apple Intelligence Guardrails Bypassed via Neural Exec and Unicode Manipulation
- Hardcoded Google API Keys in Android Apps Expose Gemini AI Endpoints
- Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025
- Trail of Bits Releases C/C++ Security Testing Handbook Chapter with LLM Bug-Finding Prompts
- SVG Pixel Trick Hides Credit Card Skimmer Across Nearly 100 Magento Stores
- HackerOne Pauses Bug Bounties as AI-Driven Discovery Creates Remediation Backlog
- CVE-2026-1337 — RCE in Widely-Used Python ORM