{
  "generated": "2026-07-05",
  "advisories": [
    {
      "id": "2026-07-rollup-polyfill-npm-lazarus",
      "title": "Rollup polyfill impersonation \u2014 6 npm packages deliver full RAT, tentatively linked to Lazarus (July 2026)",
      "description": "JFrog disclosed six malicious npm packages \u2014 led by rollup-packages-polyfill-core and rollup-runtime-polyfill-core \u2014 that impersonate the popular rollup-plugin-polyfill-node (~295,000\u2026",
      "severity": "high",
      "status": "contained",
      "date_disclosed": "2026-07-04",
      "last_updated": "2026-07-04",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "rollup",
        "rollup-plugin-polyfill-node"
      ],
      "tags": [
        "supply-chain",
        "typosquat",
        "credential-theft",
        "rat",
        "npm",
        "dprk"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-rollup-polyfill-npm-lazarus.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-rollup-polyfill-npm-lazarus.md"
    },
    {
      "id": "2026-07-claude-desktop-personalization-sync-rce",
      "title": "Claude Desktop personalization-sync prompt injection \u2192 reverse shell \u2014 Anthropic calls it expected functionality (July 2026)",
      "description": "Pentera Labs red teamers showed that Claude Desktop's account-wide personalization/preferences feature \u2014 which syncs across every device signed into a Claude account \u2014 is an unsandboxed\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-07-01",
      "last_updated": "2026-07-04",
      "ecosystems": [
        "claude-code",
        "anthropic",
        "mcp"
      ],
      "tools_affected": [
        "claude-desktop"
      ],
      "tags": [
        "prompt-injection",
        "rce",
        "mcp",
        "lethal-trifecta",
        "wont-fix",
        "account-takeover"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-claude-desktop-personalization-sync-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-claude-desktop-personalization-sync-rce.md"
    },
    {
      "id": "2026-06-amazon-q-mcp-workspace-rce",
      "title": "Amazon Q Developer CVE-2026-12957 + CVE-2026-12958 \u2014 auto-loading .amazonq/mcp.json runs attacker code with live cloud credentials on repo open (June 2026)",
      "description": "On April 20, 2026, Wiz Research reported two vulnerabilities to AWS:",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-06-26",
      "last_updated": "2026-06-27",
      "ecosystems": [
        "mcp",
        "aws",
        "ide-extensions"
      ],
      "tools_affected": [
        "Amazon Q Developer",
        "AWS Language Server",
        "VS Code",
        "JetBrains",
        "Eclipse",
        "Visual Studio"
      ],
      "tags": [
        "rce",
        "mcp",
        "workspace-trust",
        "cloud-credentials",
        "credential-theft",
        "aws",
        "malicious-repo"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-amazon-q-mcp-workspace-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-amazon-q-mcp-workspace-rce.md"
    },
    {
      "id": "2026-06-0din-dns-setup-trap",
      "title": "Mozilla 0DIN DNS Setup Trap \u2014 clean GitHub repos trick Claude Code into reverse shell via DNS-TXT record command injection (no CVE; no patch as of 2026-06-28)",
      "description": "Mozilla's Zero Day Investigative Network (0DIN) demonstrated that a clean GitHub repository containing no malicious code can trick Claude Code into executing an attacker-controlled reverse shell\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-25",
      "last_updated": "2026-06-28",
      "ecosystems": [
        "claude-code",
        "github",
        "python"
      ],
      "tools_affected": [
        "Claude Code",
        "any AI coding agent that auto-resolves setup errors"
      ],
      "tags": [
        "prompt-injection",
        "dns-exfil",
        "ai-agent",
        "supply-chain",
        "reverse-shell",
        "error-recovery",
        "indirect-injection"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-0din-dns-setup-trap.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-0din-dns-setup-trap.md"
    },
    {
      "id": "2026-06-cursor-duneslide-zeroclick-rce",
      "title": "Cursor DuneSlide \u2014 two CVSS 9.8 zero-click prompt-injection-to-RCE flaws (CVE-2026-50548, CVE-2026-50549)",
      "description": "Cato AI Labs disclosed DuneSlide: two CVSS 9.8 zero-click flaws in Cursor IDE (CVE-2026-50548, CVE-2026-50549) that let attacker-controlled content read by the agent \u2014 an MCP tool response or a\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-06-25",
      "last_updated": "2026-07-02",
      "ecosystems": [
        "cursor"
      ],
      "tools_affected": [
        "cursor"
      ],
      "tags": [
        "prompt-injection",
        "sandbox-escape",
        "rce",
        "zero-click",
        "mcp",
        "ai-ide"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cursor-duneslide-zeroclick-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cursor-duneslide-zeroclick-rce.md"
    },
    {
      "id": "2026-06-operation-navy-ghost-pyrogram",
      "title": "Operation Navy Ghost \u2014 8 fake pyrogram packages on PyPI target Telegram bot developers with full-server backdoor using Telegram as C2 (Jun 2026)",
      "description": "A threat actor published 8 fake pyrogram forks to PyPI over 6 months (November 2025 \u2013 June 2026), planting a hidden backdoor that grants full remote shell and file-system access to any server\u2026",
      "severity": "high",
      "status": "unconfirmed",
      "date_disclosed": "2026-06-25",
      "last_updated": "2026-06-30",
      "ecosystems": [
        "pypi",
        "python"
      ],
      "tools_affected": [
        "pyrogram",
        "vlifegram",
        "vlife-gram",
        "kelragram",
        "pyrogram-navy",
        "pyrogram-styled",
        "sepgram",
        "pyrogram-zeeb",
        "pyrogram-kelra"
      ],
      "tags": [
        "supply-chain",
        "backdoor",
        "credential-theft",
        "telegram",
        "pypi",
        "typosquat",
        "c2",
        "fake-package"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-operation-navy-ghost-pyrogram.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-operation-navy-ghost-pyrogram.md"
    },
    {
      "id": "2026-06-cordyceps-cicd-github-actions",
      "title": "Cordyceps \u2014 CI/CD misconfiguration class in GitHub Actions enables PR-based code execution and credential theft at 300+ major repos",
      "description": "The Cordyceps class has three forms:",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-24",
      "last_updated": "2026-06-25",
      "ecosystems": [
        "github-actions",
        "ci-cd",
        "npm",
        "pypi"
      ],
      "tools_affected": [
        "GitHub Actions",
        "CI/CD pipelines",
        "any repo with pull_request-triggered workflows using excessive permissions"
      ],
      "tags": [
        "ci-cd",
        "supply-chain",
        "credential-theft",
        "github-actions",
        "pull-request",
        "code-execution",
        "class"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cordyceps-cicd-github-actions.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cordyceps-cicd-github-actions.md"
    },
    {
      "id": "2026-06-miasma-leoplatform-go-wave",
      "title": "Miasma LeoPlatform + Go ecosystem wave \u2014 20 npm packages + Go module + GitHub Actions compromise (June 24 2026)",
      "description": "On 2026-06-24 at 23:04:55 UTC, a compromised npm maintainer account (czirker) published 20 malicious versions of LeoPlatform / RStreams npm packages in a 3-second burst, using the Phantom Gyp\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-06-24",
      "last_updated": "2026-06-26",
      "ecosystems": [
        "npm",
        "go",
        "github-actions"
      ],
      "tools_affected": [
        "leo-sdk",
        "leo-aws",
        "leo-cli",
        "leo-auth",
        "rstreams-metrics",
        "serverless-leo",
        "claude-code",
        "cursor",
        "codfish-semantic-release-action"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "phantom-gyp",
        "binding-gyp",
        "miasma",
        "shai-hulud-lineage",
        "ci-cd",
        "github-actions",
        "go",
        "npm-worm"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-leoplatform-go-wave.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-leoplatform-go-wave.md"
    },
    {
      "id": "2026-06-dify-difytap-cross-tenant-exfil",
      "title": "Dify DifyTap \u2014 4 CVEs allow cross-tenant AI conversation exfiltration (1M+ apps affected; patched 1.14.2)",
      "description": "Zafran Security disclosed 4 CVEs in Dify (the open-source LLM app builder powering 1M+ applications across 50+ industries) that allow authenticated attackers to read private AI conversations from\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-06-22",
      "last_updated": "2026-06-26",
      "ecosystems": [
        "mcp",
        "python",
        "api"
      ],
      "tools_affected": [
        "dify",
        "langchain",
        "supabase",
        "claude-code",
        "cursor"
      ],
      "tags": [
        "cve",
        "cross-tenant",
        "data-exposure",
        "prompt-injection",
        "plugin-daemon",
        "authorization-bypass",
        "ai-agent-platform"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-dify-difytap-cross-tenant-exfil.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-dify-difytap-cross-tenant-exfil.md"
    },
    {
      "id": "2026-06-idessaster-ai-ide-cve-cluster",
      "title": "IDEsaster \u2014 30+ security flaws (24 CVEs) in Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed, Roo Code, Junie, Cline (June 2026)",
      "description": "Security researchers disclosed 30+ flaws (24 assigned CVEs) across 8 AI coding tools simultaneously \u2014 Cursor, Windsurf, Kiro.dev, GitHub Copilot (VS Code), Zed.dev, Roo Code, Junie, and Cline \u2014 in\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-17",
      "last_updated": "2026-06-18",
      "ecosystems": [
        "cursor",
        "windsurf",
        "vscode",
        "ide-extensions",
        "github-copilot",
        "zed"
      ],
      "tools_affected": [
        "Cursor",
        "Windsurf",
        "Kiro.dev (Amazon)",
        "GitHub Copilot (VS Code)",
        "Zed.dev",
        "Roo Code",
        "Junie (JetBrains)",
        "Cline"
      ],
      "tags": [
        "cve",
        "rce",
        "prompt-injection",
        "ide",
        "localhost-rce",
        "ai-coding-tools",
        "credential-theft",
        "cluster"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-idessaster-ai-ide-cve-cluster.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-idessaster-ai-ide-cve-cluster.md"
    },
    {
      "id": "2026-06-jetbrains-ide-plugins-ai-key-theft",
      "title": "15 malicious JetBrains Marketplace plugins steal AI provider API keys on entry (70K+ installs)",
      "description": "Security researchers reported 15 malicious plugins on the JetBrains Marketplace targeting developers who configure AI provider credentials inside their IDE. The plugins mimic legitimate AI coding\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-17",
      "last_updated": "2026-06-19",
      "ecosystems": [
        "jetbrains-marketplace",
        "ide-extensions"
      ],
      "tools_affected": [
        "IntelliJ IDEA",
        "PyCharm",
        "WebStorm",
        "GoLand",
        "Rider",
        "CLion",
        "DataGrip",
        "RubyMine",
        "PhpStorm",
        "and other JetBrains IDEs"
      ],
      "tags": [
        "credential-theft",
        "ide-extension",
        "ai-api-keys",
        "supply-chain",
        "jetbrains-marketplace"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-jetbrains-ide-plugins-ai-key-theft.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-jetbrains-ide-plugins-ai-key-theft.md"
    },
    {
      "id": "2026-06-mastra-ai-npm-compromise",
      "title": "Mastra AI npm namespace compromise \u2014 145 @mastra/* packages carry easy-day-js typosquat RAT via hijacked contributor account `ehindero` (June 2026)",
      "description": "A hijacked npm contributor account (ehindero) was used to inject easy-day-js \u2014 a typosquat of the popular dayjs date library \u2014 as a dependency across 145 packages (corrected from\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-06-17",
      "last_updated": "2026-06-25",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "mastra",
        "@mastra/*",
        "easy-day-js"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "typosquat",
        "postinstall",
        "ai-agents",
        "crypto-stealer",
        "miasma-lineage",
        "dependency-injection"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-mastra-ai-npm-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-mastra-ai-npm-compromise.md"
    },
    {
      "id": "2026-06-langflow-cve-2026-5027-path-traversal",
      "title": "Langflow CVE-2026-5027 \u2014 unauthenticated path traversal \u2192 RCE via file upload endpoint (distinct from CVE-2026-33017)",
      "description": "In June 2026, researchers disclosed CVE-2026-5027: a path traversal vulnerability in the POST /api/v2/files endpoint. The filename field in the multipart upload request was not sanitized \u2014 an\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-06-16",
      "last_updated": "2026-06-19",
      "ecosystems": [
        "pypi",
        "ai-agents",
        "langchain"
      ],
      "tools_affected": [
        "langflow",
        "langflow-backend"
      ],
      "tags": [
        "cve",
        "path-traversal",
        "rce",
        "pre-auth",
        "ai-agents",
        "file-upload",
        "actively-exploited"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langflow-cve-2026-5027-path-traversal.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langflow-cve-2026-5027-path-traversal.md"
    },
    {
      "id": "2026-06-copilot-searchleak-cve-2026-42824",
      "title": "Microsoft 365 Copilot SearchLeak (CVE-2026-42824) \u2014 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass",
      "description": "The Copilot Enterprise Search URL accepts a q= parameter. When a user clicks a link containing a malicious q= value, Copilot processes the injected text as a high-trust user prompt rather than a\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-06-15",
      "last_updated": "2026-06-24",
      "ecosystems": [
        "microsoft-365",
        "saas",
        "ai-agents"
      ],
      "tools_affected": [
        "microsoft-365-copilot",
        "copilot-enterprise-search"
      ],
      "tags": [
        "cve",
        "prompt-injection",
        "parameter-to-prompt-injection",
        "data-exfil",
        "one-click-attack",
        "microsoft",
        "copilot",
        "bing-ssrf",
        "csp-bypass"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-copilot-searchleak-cve-2026-42824.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-copilot-searchleak-cve-2026-42824.md"
    },
    {
      "id": "2026-06-promptsnatcher-chrome-ai-chat-stealer",
      "title": "PromptSnatcher \u2014 malicious Chrome ad-blocker extensions intercept AI chatbot conversations from 900K users across 8 platforms",
      "description": "Security researchers named PromptSnatcher: at least two malicious Chrome browser extensions masquerading as ad-blockers have been silently intercepting full AI chatbot conversations \u2014 including\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-14",
      "last_updated": "2026-06-19",
      "ecosystems": [
        "browser-extensions",
        "chrome",
        "ai-tools"
      ],
      "tools_affected": [
        "ChatGPT",
        "Claude",
        "Gemini",
        "Microsoft Copilot",
        "Perplexity",
        "DeepSeek",
        "Grok",
        "Meta AI"
      ],
      "tags": [
        "credential-theft",
        "browser-extension",
        "prompt-injection",
        "ai-chatbot",
        "chrome",
        "conversation-exfil",
        "supply-chain"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-promptsnatcher-chrome-ai-chat-stealer.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-promptsnatcher-chrome-ai-chat-stealer.md"
    },
    {
      "id": "2026-06-autojack-autogen-studio-mcp-rce",
      "title": "AutoJack \u2014 Microsoft Research AutoGen Studio 3-flaw chain: browsing agent renders attacker page \u2192 localhost MCP WebSocket \u2192 unauthenticated RCE",
      "description": "Microsoft Research's AutoGen Studio \u2014 the visual IDE for AutoGen multi-agent systems \u2014 contains a 3-flaw chain discovered by independent security researchers and named \"AutoJack\": (1) the AutoGen\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-06-13",
      "last_updated": "2026-06-19",
      "ecosystems": [
        "pypi",
        "mcp",
        "ai-agents"
      ],
      "tools_affected": [
        "autogen-studio",
        "autogenstudio",
        "microsoft-autogen"
      ],
      "tags": [
        "cve",
        "localhost-rce",
        "mcp",
        "websocket",
        "browsing-agent",
        "ai-agents",
        "prompt-injection",
        "microsoft",
        "no-wild-exploitation"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-autojack-autogen-studio-mcp-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-autojack-autogen-studio-mcp-rce.md"
    },
    {
      "id": "2026-06-agentjacking-sentry-mcp-injection",
      "title": "Agentjacking \u2014 Sentry DSN injection via MCP poisons AI coding agent context (2,388 orgs exposed)",
      "description": "Tenet Security disclosed Agentjacking on 2026-06-12: attackers inject malicious instructions into Sentry error data (DSN-routed issue bodies, breadcrumbs, stack-frame locals), which AI coding\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-12",
      "last_updated": "2026-06-17",
      "ecosystems": [
        "mcp",
        "claude-code",
        "cursor",
        "codex",
        "npm"
      ],
      "tools_affected": [
        "claude-code",
        "cursor",
        "codex",
        "any AI coding agent that reads MCP tool output"
      ],
      "tags": [
        "prompt-injection",
        "mcp",
        "indirect-prompt-injection",
        "sentry",
        "agentjacking",
        "ai-agents",
        "credential-theft"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-agentjacking-sentry-mcp-injection.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-agentjacking-sentry-mcp-injection.md"
    },
    {
      "id": "2026-06-klue-icarus-oauth-breach",
      "title": "Klue AI integration breach \u2014 Icarus extortion group steals Salesforce/HubSpot/Slack OAuth tokens from CRM data via AI productivity tool (June 2026)",
      "description": "The Icarus extortion group breached Klue, an AI-powered competitive intelligence platform, on 2026-06-11 to 2026-06-12 by exploiting OAuth tokens Klue held on behalf of customers. Attackers used\u2026",
      "severity": "high",
      "status": "contained",
      "date_disclosed": "2026-06-12",
      "last_updated": "2026-06-28",
      "ecosystems": [
        "oauth",
        "saas-integrations",
        "ai-productivity-tools"
      ],
      "tools_affected": [
        "Klue",
        "Salesforce",
        "HubSpot",
        "SharePoint",
        "Zoom",
        "Gong",
        "Chorus",
        "Clari",
        "Google Drive",
        "Slack"
      ],
      "tags": [
        "oauth-pivot",
        "credential-theft",
        "ai-tool-breach",
        "crm-data",
        "extortion",
        "third-party-breach",
        "salesforce",
        "hubspot"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-klue-icarus-oauth-breach.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-klue-icarus-oauth-breach.md"
    },
    {
      "id": "2026-06-arch-linux-aur-supply-chain",
      "title": "Atomic Arch \u2014 AUR supply-chain attack: 1,500+ community packages hijacked via orphaned-package takeover; eBPF rootkit for persistence (June 2026)",
      "description": "The campaign now called \"Atomic Arch\" hijacked 1,500+ packages in the Arch Linux AUR (Arch User Repository) \u2014 up from the initially-reported 400+, as researchers expanded their scope. Attackers\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-11",
      "last_updated": "2026-06-19",
      "ecosystems": [
        "aur",
        "npm"
      ],
      "tools_affected": [
        "arch-linux",
        "AUR",
        "yay",
        "paru",
        "pamac"
      ],
      "tags": [
        "supply-chain",
        "linux",
        "malware-delivery",
        "developer-workstation",
        "new-ecosystem",
        "ebpf-rootkit",
        "orphaned-package-takeover"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-arch-linux-aur-supply-chain.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-arch-linux-aur-supply-chain.md"
    },
    {
      "id": "2026-06-onering-rust-crate-compromise",
      "title": "onering Rust crate compromised \u2014 build.rs exfiltrates your source code as fake Sentry telemetry (June 2026)",
      "description": "On 2026-06-10, Aikido Security detected malicious behavior in onering v1.4.1 \u2014 a Rust synchronous queue/channels library (~18K Crates.io downloads). The malicious version injected a build.rs\u2026",
      "severity": "high",
      "status": "unconfirmed",
      "date_disclosed": "2026-06-10",
      "last_updated": "2026-06-13",
      "ecosystems": [
        "crates"
      ],
      "tools_affected": [
        "onering",
        "any project with onering in its Cargo.toml"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "crates-io",
        "rust",
        "build-rs",
        "code-exfiltration",
        "account-compromise"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-onering-rust-crate-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-onering-rust-crate-compromise.md"
    },
    {
      "id": "2026-06-solana-fakefix-campaign",
      "title": "Solana FakeFix Campaign \u2014 25 malicious npm + PyPI packages steal wallet keys and developer secrets via GitHub issue spam (June 2026)",
      "description": "The \"Solana FakeFix\" campaign planted 25 malicious packages (16 npm + 4 PyPI + 5 additional CMS-loader variants) that impersonate Solana Web3 SDK tooling, promoted via fake GitHub issue spam on\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-10",
      "last_updated": "2026-06-13",
      "ecosystems": [
        "npm",
        "pypi"
      ],
      "tools_affected": [
        "Solana SDK",
        "any project using @solana-labs/web3.js",
        "solana-web3-stable",
        "solana-rpc-client",
        "solana-mev-bot",
        "Claude Code",
        "Cursor",
        "Codex"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "social-engineering",
        "npm",
        "pypi",
        "crypto-wallet",
        "github-issue-spam",
        "cross-ecosystem"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-solana-fakefix-campaign.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-solana-fakefix-campaign.md"
    },
    {
      "id": "2026-06-streamlit-ssrf-windows",
      "title": "Streamlit CVE-2026-33682 \u2014 unauthenticated SSRF on Windows leaks NTLMv2 credentials (June 2026)",
      "description": "Streamlit's static-file serving resolves filesystem paths using os.path.realpath() or Path.resolve() before validating the supplied path. On Windows, supplying a UNC path (e.g.,\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-06-10",
      "last_updated": "2026-06-12",
      "ecosystems": [
        "pypi",
        "streamlit"
      ],
      "tools_affected": [
        "Streamlit Open Source < 1.54.0 on Windows hosts"
      ],
      "tags": [
        "ssrf",
        "ntlm",
        "credential-theft",
        "windows",
        "streamlit",
        "unauthenticated",
        "vibe-platform"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-streamlit-ssrf-windows.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-streamlit-ssrf-windows.md"
    },
    {
      "id": "2026-06-symjack-ai-coding-agent-mcp-symlink",
      "title": "SymJack \u2014 symlink hijacking tricks AI coding agents into registering attacker-controlled MCP servers (June 2026)",
      "description": "On 2026-06-10, Adversa AI published research on SymJack \u2014 a symlink-based attack that exploits a fundamental gap between what AI coding agents display to developers for approval and what the\u2026",
      "severity": "high",
      "status": "mitigated",
      "date_disclosed": "2026-06-10",
      "last_updated": "2026-06-16",
      "ecosystems": [
        "mcp",
        "claude-code",
        "cursor",
        "copilot",
        "ai-agents"
      ],
      "tools_affected": [
        "claude-code",
        "cursor",
        "github-copilot",
        "google-antigravity",
        "grok-build",
        "windsurf"
      ],
      "tags": [
        "symlink",
        "mcp",
        "agent-config-poisoning",
        "filesystem-attack",
        "supply-chain",
        "one-click-rce"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-symjack-ai-coding-agent-mcp-symlink.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-symjack-ai-coding-agent-mcp-symlink.md"
    },
    {
      "id": "2026-06-langgraph-rce-chain",
      "title": "LangGraph RCE chain \u2014 SQLite SQL injection + msgpack deserialization \u2192 arbitrary code execution (June 2026)",
      "description": "Security researcher Yarden Porat discovered a two-CVE chain in LangGraph that allows any attacker who can supply a filter query to a self-hosted LangGraph deployment to achieve arbitrary code\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-06-09",
      "last_updated": "2026-06-12",
      "ecosystems": [
        "pypi",
        "ai-agents"
      ],
      "tools_affected": [
        "langgraph",
        "langgraph-checkpoint-sqlite",
        "langgraph-checkpoint-redis",
        "LangSmith self-hosted",
        "any app built on LangGraph with user-controlled filter input"
      ],
      "tags": [
        "rce",
        "sql-injection",
        "deserialization",
        "ai-agents",
        "langchain",
        "self-hosted",
        "credential-theft"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langgraph-rce-chain.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langgraph-rce-chain.md"
    },
    {
      "id": "2026-06-hades-campaign-pypi-mcp-attack",
      "title": "Hades Campaign \u2014 19 PyPI bioinformatics + MCP-developer packages poisoned with Bun credential stealer (June 2026)",
      "description": "On 2026-06-08, StepSecurity identified a sophisticated supply-chain campaign \u2014 dubbed \"Hades\" \u2014 that poisoned 19 PyPI packages across 37 malicious wheel artifacts in two distinct target\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-06-08",
      "last_updated": "2026-06-13",
      "ecosystems": [
        "pypi",
        "npm"
      ],
      "tools_affected": [
        "ensmallen",
        "dynamo",
        "spateo",
        "coolbox",
        "u-fish",
        "napari-ufish",
        "langchain-core-mcp",
        "openai-mcp",
        "instructor-mcp",
        "tiktoken-mcp",
        "ray-mcp-server",
        "claude-code",
        "cursor",
        "openhands"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "pypi",
        "pth-file",
        "bun-runtime",
        "mcp-targeting",
        "shai-hulud-lineage",
        "miasma-lineage",
        "bioinformatics"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-hades-campaign-pypi-mcp-attack.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-hades-campaign-pypi-mcp-attack.md"
    },
    {
      "id": "2026-06-gluestack-react-native-aria-rat",
      "title": "Gluestack @react-native-aria RAT via compromised contributor token (June 2026)",
      "description": "A compromised npm contributor token let attackers publish 17 of the 20 @react-native-aria packages plus @gluestack-ui/utils (~960K weekly downloads) with a hidden Remote Access Trojan (RAT)\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-06-06",
      "last_updated": "2026-06-04",
      "ecosystems": [
        "npm",
        "react-native"
      ],
      "tools_affected": [
        "React Native",
        "Gluestack UI",
        "Expo",
        "any mobile/web project using @react-native-aria/*"
      ],
      "tags": [
        "supply-chain",
        "rat",
        "credential-theft",
        "compromised-token"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-gluestack-react-native-aria-rat.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-gluestack-react-native-aria-rat.md"
    },
    {
      "id": "2026-06-miasma-wave5-microsoft-azure-github",
      "title": "Miasma Wave 5 \u2014 73 Microsoft Azure GitHub repos + mantine-datatable compromised; payload auto-fires via Claude Code / Cursor / Gemini CLI (June 2026)",
      "description": "On 2026-06-05, attackers leveraged a previously compromised contributor account (a credential stolen during the Phantom Gyp / binding.gyp wave 4 campaign from June 3\u20134) to push malicious commits\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-06-05",
      "last_updated": "2026-06-12",
      "ecosystems": [
        "npm",
        "github"
      ],
      "tools_affected": [
        "Claude Code",
        "Cursor",
        "Gemini CLI",
        "VS Code",
        "any project repo open in an AI coding assistant; npm packages in icflorescu/mantine-datatable family; Azure",
        "Azure-Samples",
        "Microsoft",
        "MicrosoftDocs GitHub orgs"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "miasma-lineage",
        "github-repo-poisoning",
        "ai-tool-config",
        "self-propagating"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-wave5-microsoft-azure-github.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-wave5-microsoft-azure-github.md"
    },
    {
      "id": "2026-06-claude-code-github-actions-bot-bypass",
      "title": "Claude Code GitHub Actions [bot] trust bypass \u2014 supply chain risk on any repo using claude-code-action (June 2026)",
      "description": "checkWritePermissions() in Claude Code's GitHub Actions workflow trusted any actor whose username ends in [bot] regardless of actual permissions. Combined with prompt injection, an unauthenticated\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-06-04",
      "last_updated": "2026-06-04",
      "ecosystems": [
        "github-actions",
        "claude-code"
      ],
      "tools_affected": [
        "Claude Code GitHub Actions (anthropics/claude-code-action)",
        "any repo using the official Anthropic CI/CD workflow"
      ],
      "tags": [
        "supply-chain",
        "github-actions",
        "prompt-injection",
        "privilege-escalation",
        "bot-trust"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-github-actions-bot-bypass.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-github-actions-bot-bypass.md"
    },
    {
      "id": "2026-06-ironworm-npm-rust-ebpf",
      "title": "IronWorm \u2014 Rust-based npm worm with eBPF rootkit + Tor C2 (June 2026)",
      "description": "A new self-propagating npm supply-chain worm called IronWorm hit 36 packages in June 2026, deploying a Rust ELF binary that hides behind an eBPF kernel rootkit and exfiltrates credentials over Tor\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-06-04",
      "last_updated": "2026-06-05",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any Node.js project; specifically targets OpenAI Codex",
        "Anthropic",
        "AWS",
        "GitHub",
        "npm",
        "Exodus wallet credentials"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "self-propagating",
        "rust",
        "ebpf",
        "tor"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-ironworm-npm-rust-ebpf.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-ironworm-npm-rust-ebpf.md"
    },
    {
      "id": "2026-06-phantom-gyp-miasma-wave4",
      "title": "Phantom Gyp \u2014 Miasma wave 4: self-propagating npm worm via binding.gyp (June 2026)",
      "description": "A fourth wave of the Miasma / Shai-Hulud worm lineage hit npm on June 3\u20134, 2026, using binding.gyp instead of preinstall/postinstall scripts to run malicious code at install time \u2014 a technique\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-06-04",
      "last_updated": "2026-06-14",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any project that npm-installs a node-gyp-dependent package; notably @vapi-ai/server-sdk (408K+ monthly downloads)"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "self-propagating",
        "miasma-lineage",
        "provenance-forgery"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-phantom-gyp-miasma-wave4.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-phantom-gyp-miasma-wave4.md"
    },
    {
      "id": "2026-06-cline-cve-2026-44211-websocket-rce",
      "title": "Cline CVE-2026-44211 \u2014 cross-origin WebSocket hijack \u2192 RCE (June 2026)",
      "description": "Cline versions \u2264 2.13.0 launch a local WebSocket server (the Kanban board server) on port 3484 when the VS Code extension activates. This server:",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-06-01",
      "last_updated": "2026-06-04",
      "ecosystems": [
        "vscode-extension",
        "npm"
      ],
      "tools_affected": [
        "Cline (VS Code extension)",
        "any developer with Cline \u2264 2.13.0 installed"
      ],
      "tags": [
        "localhost-attacker",
        "websocket-hijack",
        "rce",
        "missing-origin-validation",
        "1-click"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cline-cve-2026-44211-websocket-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cline-cve-2026-44211-websocket-rce.md"
    },
    {
      "id": "2026-06-codexui-android-codex-token-stealer",
      "title": "codexui-android npm \u2014 OpenAI Codex auth-token stealer (June 2026)",
      "description": "On or around 2026-06-01, Aikido Security flagged codexui-android as a malicious npm package. The package presents a clean GitHub source repository \u2014 the attack lives entirely in the pre-built\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-06-01",
      "last_updated": "2026-06-03",
      "ecosystems": [
        "npm",
        "android"
      ],
      "tools_affected": [
        "openai-codex",
        "codex-cli"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "npm",
        "android",
        "ai-coding-tool",
        "token-theft",
        "openai"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-codexui-android-codex-token-stealer.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-codexui-android-codex-token-stealer.md"
    },
    {
      "id": "2026-06-miasma-redhat-cloud-services-compromise",
      "title": "Miasma \u2014 @redhat-cloud-services npm scope compromised by Mini-Shai-Hulud-derived worm (June 2026)",
      "description": "On 2026-06-01, Wiz Research and others identified a supply-chain compromise of the @redhat-cloud-services npm scope \u2014 Red Hat's official client libraries used by the Hybrid Cloud Console,\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-06-01",
      "last_updated": "2026-06-11",
      "ecosystems": [
        "npm",
        "github-actions"
      ],
      "tools_affected": [
        "any-redhat-cloud-services-consumer",
        "openshift-frontend-apps",
        "any-react-frontend-using-redhat-ui",
        "ci-cd",
        "claude-code",
        "cursor",
        "openhands"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "mini-shai-hulud",
        "teampcp-derivative",
        "oidc",
        "github-actions",
        "cloud-credential-theft",
        "anthropic-camouflage"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-redhat-cloud-services-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-redhat-cloud-services-compromise.md"
    },
    {
      "id": "2026-05-npm-dependency-confusion-recon-campaign",
      "title": "Dependency-confusion recon campaign \u2014 4 waves, 9+ corporate-scope impersonations, escalated to full credential theft (May\u2013Jul 2026)",
      "description": "Microsoft Threat Intelligence disclosed a dependency-confusion campaign: a single operator, publishing under three npm aliases (mr.4nd3r50n, ce-rwb, t-in-one), published 33 malicious packages in\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-05-29",
      "last_updated": "2026-07-04",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any npm-based project resolving packages from public + internal scopes without registry pinning"
      ],
      "tags": [
        "dependency-confusion",
        "supply-chain",
        "reconnaissance",
        "credential-theft",
        "postinstall",
        "npm"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-npm-dependency-confusion-recon-campaign.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-npm-dependency-confusion-recon-campaign.md"
    },
    {
      "id": "2026-05-cargo-symlink-sparse-url-cves",
      "title": "Cargo May 2026 security release \u2014 symlink-override + sparse-URL credential leak (CVE-2026-5223, CVE-2026-5222)",
      "description": "On 2026-05-25 the Rust Security Response Team disclosed two Cargo CVEs, both fixed in Rust 1.96.0 (released 2026-05-28):",
      "severity": "medium",
      "status": "patched",
      "date_disclosed": "2026-05-25",
      "last_updated": "2026-05-27",
      "ecosystems": [
        "crates",
        "rust",
        "registry",
        "supply-chain"
      ],
      "tools_affected": [
        "cargo",
        "rust",
        "third-party-cargo-registries"
      ],
      "tags": [
        "supply-chain",
        "registry-hygiene",
        "symlink",
        "sparse-registry",
        "cargo",
        "rust"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cargo-symlink-sparse-url-cves.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cargo-symlink-sparse-url-cves.md"
    },
    {
      "id": "2026-05-composio-ai-agent-platform-breach",
      "title": "Composio AI-agent platform breach \u2014 LLM-augmented attacker registered malicious tool definitions in the execution sandbox (May 2026)",
      "description": "On 2026-05-21 (01:05 \u2013 09:15 PT), an attacker compromised Composio \u2014 a popular AI-agent infrastructure platform that brokers ~100 MCP toolkits (GitHub, Gmail, Jira, Notion, Slack, Linear, HubSpot,\u2026",
      "severity": "high",
      "status": "contained",
      "date_disclosed": "2026-05-22",
      "last_updated": "2026-05-27",
      "ecosystems": [
        "ai-agents",
        "mcp",
        "third-party-ai",
        "github",
        "oauth"
      ],
      "tools_affected": [
        "composio",
        "mcp-toolkits",
        "github",
        "gmail",
        "jira",
        "hubspot",
        "linear",
        "notion",
        "slack",
        "google-calendar",
        "vercel",
        "sentry",
        "google-drive"
      ],
      "tags": [
        "oauth",
        "third-party-ai",
        "ai-agent-platform",
        "mcp",
        "sandbox-escape",
        "llm-augmented-attacker",
        "magic-link",
        "credential-theft",
        "supply-chain"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-composio-ai-agent-platform-breach.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-composio-ai-agent-platform-breach.md"
    },
    {
      "id": "2026-05-megalodon-github-actions-mass-campaign",
      "title": "Megalodon \u2014 mass GitHub-Actions workflow poisoning of 5,561 repos (May 2026)",
      "description": "On 2026-05-18, an automated campaign codenamed \"Megalodon\" pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window, injecting GitHub Actions workflows that exfiltrate CI\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-05-22",
      "last_updated": "2026-05-31",
      "ecosystems": [
        "github",
        "github-actions",
        "npm"
      ],
      "tools_affected": [
        "any-github-repo",
        "ci-cd",
        "claude-code",
        "cursor",
        "openhands",
        "any-ai-agent-with-gh-tokens"
      ],
      "tags": [
        "supply-chain",
        "github-actions",
        "credential-theft",
        "infostealer-cascade",
        "mass-campaign",
        "ci-cd",
        "workflow-injection"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-megalodon-github-actions-mass-campaign.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-megalodon-github-actions-mass-campaign.md"
    },
    {
      "id": "2026-05-starlette-badhost-host-header-bypass",
      "title": "BadHost \u2014 Starlette host-header auth bypass blasts FastAPI, vLLM, LiteLLM, MCP servers (CVE-2026-48710)",
      "description": "Starlette reconstructs request.url by concatenating the HTTP Host header with the request path and re-parsing the result. The Host value is not validated against RFC 9112 \u00a7 3.2 / RFC 3986 \u00a7 3.2.2\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-05-22",
      "last_updated": "2026-05-28",
      "ecosystems": [
        "pypi",
        "fastapi",
        "mcp",
        "ai-agents"
      ],
      "tools_affected": [
        "starlette",
        "fastapi",
        "vllm",
        "litellm",
        "mcp-python-sdk",
        "text-generation-inference",
        "openai-compatible-proxies"
      ],
      "tags": [
        "cve",
        "authentication-bypass",
        "host-header",
        "two-parsers-one-string",
        "framework-level",
        "mcp",
        "fastapi"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-starlette-badhost-host-header-bypass.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-starlette-badhost-host-header-bypass.md"
    },
    {
      "id": "2026-05-trapdoor-cross-ecosystem-stealer",
      "title": "TrapDoor \u2014 cross-ecosystem stealer poisons .cursorrules / CLAUDE.md (May 2026)",
      "description": "Socket flagged TrapDoor on 2026-05-24/25 as a single actor publishing in timed waves from a cluster of accounts across three registries simultaneously. The packages use deceptive,\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-05-22",
      "last_updated": "2026-05-25",
      "ecosystems": [
        "npm",
        "pypi",
        "crates",
        "cursor",
        "claude-code"
      ],
      "tools_affected": [
        "any-node-project",
        "any-python-project",
        "any-rust-project",
        "cursor",
        "claude-code",
        "codex"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "prompt-injection",
        "crypto-stealer",
        "zero-width-unicode",
        "cursorrules",
        "npm",
        "pypi",
        "crates"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trapdoor-cross-ecosystem-stealer.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trapdoor-cross-ecosystem-stealer.md"
    },
    {
      "id": "2026-05-claude-code-sandbox-socks5-bypass",
      "title": "Claude Code network-sandbox SOCKS5 null-byte allowlist bypass (May 2026)",
      "description": "Claude Code's network sandbox (the allowlist that's supposed to confine the agent to, say, .google.com) could be bypassed with a SOCKS5 hostname null-byte injection: a host like\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-05-20",
      "last_updated": "2026-05-21",
      "ecosystems": [
        "claude-code",
        "anthropic"
      ],
      "tools_affected": [
        "claude-code"
      ],
      "tags": [
        "claude-code",
        "sandbox-escape",
        "allowlist-bypass",
        "credential-theft",
        "data-exfiltration",
        "silent-patch"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-sandbox-socks5-bypass.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-sandbox-socks5-bypass.md"
    },
    {
      "id": "2026-05-teampcp-github-breach",
      "title": "TeamPCP breaches GitHub's internal repos via poisoned VS Code extension (May 2026)",
      "description": "On 2026-05-20, GitHub confirmed that attackers exfiltrated ~3,800 of its own internal repositories after a GitHub employee installed a poisoned VS Code extension on their device. As of 2026-05-21\u2026",
      "severity": "high",
      "status": "contained",
      "date_disclosed": "2026-05-20",
      "last_updated": "2026-05-21",
      "ecosystems": [
        "vscode",
        "github",
        "npm",
        "pypi"
      ],
      "tools_affected": [
        "vscode",
        "cursor",
        "windsurf",
        "github",
        "any-ide-extension-user"
      ],
      "tags": [
        "supply-chain",
        "ide-extension",
        "credential-theft",
        "source-code-theft",
        "teampcp",
        "dev-tool"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-teampcp-github-breach.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-teampcp-github-breach.md"
    },
    {
      "id": "2026-05-mini-shai-hulud-may19-wave",
      "title": "Mini Shai-Hulud May 19 wave \u2014 @antv npm + Microsoft durabletask PyPI (May 2026)",
      "description": "On 2026-05-19, threat actor TeamPCP (aka PCPcat / DeadCatx3 / UNC6780) ran two more arms of the Mini Shai-Hulud worm in the same window: a compromised npm maintainer account pushed ~637 malicious\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-05-19",
      "last_updated": "2026-05-20",
      "ecosystems": [
        "npm",
        "pypi"
      ],
      "tools_affected": [
        "any-react-project",
        "any-node-project",
        "azure-durable-functions",
        "cursor",
        "claude-code",
        "lovable",
        "bolt",
        "v0",
        "llm-tooling",
        "ci-cd"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "ci-cd",
        "credential-theft",
        "sigstore-provenance",
        "teampcp",
        "docker-escape",
        "multi-cloud"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mini-shai-hulud-may19-wave.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mini-shai-hulud-may19-wave.md"
    },
    {
      "id": "2026-05-nx-console-vscode-compromise",
      "title": "Nx Console VS Code extension compromised \u2014 nrwl.angular-console 18.95.0 (May 2026)",
      "description": "On 2026-05-18, a trojanized build of the Nx Console VS Code extension (nrwl.angular-console v18.95.0, ~2.2M installs) was published to the Visual Studio Marketplace and was live for only ~18\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-05-18",
      "last_updated": "2026-05-31",
      "ecosystems": [
        "vscode",
        "npm",
        "github"
      ],
      "tools_affected": [
        "vscode",
        "cursor",
        "windsurf",
        "nx-console",
        "claude-code",
        "any-ide-extension-user"
      ],
      "tags": [
        "supply-chain",
        "ide-extension",
        "credential-theft",
        "teampcp",
        "mini-shai-hulud",
        "dev-tool",
        "provenance-abuse",
        "cisa-kev",
        "cve"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nx-console-vscode-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nx-console-vscode-compromise.md"
    },
    {
      "id": "2026-05-shai-hulud-copycat-wave",
      "title": "Shai-Hulud copycats after the worm source went public (May 2026)",
      "description": "On 2026-05-12 TeamPCP open-sourced the fully weaponized Mini Shai-Hulud worm to public GitHub and announced a paid \"biggest supply-chain attack\" competition on BreachForums. Within days, low-skill\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-05-18",
      "last_updated": "2026-06-02",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any-node-project",
        "cursor",
        "claude-code"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "npm",
        "copycat",
        "ddos",
        "infostealer",
        "teampcp"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-shai-hulud-copycat-wave.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-shai-hulud-copycat-wave.md"
    },
    {
      "id": "2026-05-node-ipc-compromise",
      "title": "node-ipc compromise (3 malicious versions, May 2026)",
      "description": "Three malicious versions of node-ipc (~822K weekly downloads) were published to npm on 2026-05-14: 9.1.6, 9.2.3, and 12.0.1, each carrying an identical ~80 KB obfuscated payload that exfiltrates\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-05-14",
      "last_updated": "2026-05-18",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any-node-project",
        "cursor",
        "claude-code",
        "replit",
        "lovable",
        "bolt"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "npm",
        "transitive-dependency",
        "dns-exfiltration"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-node-ipc-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-node-ipc-compromise.md"
    },
    {
      "id": "2026-05-svelte-dom-clobbering-xss",
      "title": "Svelte CVE-2026-42573 \u2014 DOM clobbering of internal framework state leads to XSS (May 2026)",
      "description": "Svelte attaches internal reactivity/framework state directly to DOM elements at runtime rather than keeping it fully isolated in JavaScript objects. According to the GitHub Security Advisory\u2026",
      "severity": "medium",
      "status": "patched",
      "date_disclosed": "2026-05-14",
      "last_updated": "2026-07-01",
      "ecosystems": [
        "npm",
        "svelte"
      ],
      "tools_affected": [
        "Svelte <= 5.55.6"
      ],
      "tags": [
        "xss",
        "dom-clobbering",
        "svelte",
        "frontend",
        "unauthenticated"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-svelte-dom-clobbering-xss.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-svelte-dom-clobbering-xss.md"
    },
    {
      "id": "2026-05-openclaw-claw-chain",
      "title": "OpenClaw 'Claw Chain' \u2014 4 chainable sandbox-escape flaws (May 2026)",
      "description": "Cyera Research disclosed four chainable vulnerabilities in OpenClaw \u2014 the autonomous AI agent that rocketed to 135K+ GitHub stars in early 2026 \u2014 collectively dubbed \"Claw Chain.\" The chain\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-05-13",
      "last_updated": "2026-05-18",
      "ecosystems": [
        "ai-agents"
      ],
      "tools_affected": [
        "openclaw"
      ],
      "tags": [
        "cve",
        "sandbox-escape",
        "race-condition",
        "allowlist-bypass",
        "ai-agent",
        "claw-chain",
        "cyera"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-openclaw-claw-chain.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-openclaw-claw-chain.md"
    },
    {
      "id": "2026-05-claude-code-deeplink-rce",
      "title": "Claude Code claude-cli:// deeplink RCE (May 2026)",
      "description": "Anthropic's Claude Code CLI shipped a naive command-line argument parser (eagerParseCliFlag in main.tsx) that scanned the whole argv for any string beginning with --settings=, without tracking\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-05-12",
      "last_updated": "2026-05-19",
      "ecosystems": [
        "claude-code"
      ],
      "tools_affected": [
        "claude-code"
      ],
      "tags": [
        "rce",
        "deeplink",
        "settings-injection",
        "cli-parser",
        "eager-parse"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-deeplink-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-deeplink-rce.md"
    },
    {
      "id": "2026-05-praisonai-auth-bypass",
      "title": "PraisonAI authentication bypass \u2014 CVE-2026-44338 + platform CVEs (May 2026)",
      "description": "On 2026-05-11 at 13:56 UTC, GitHub published advisory GHSA-6rmh-7xcm-cpxj for PraisonAI, an open-source multi-agent orchestration framework. The legacy Flask entrypoint shipped with two\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-05-11",
      "last_updated": "2026-06-17",
      "ecosystems": [
        "pypi",
        "ai-agents"
      ],
      "tools_affected": [
        "praisonai",
        "praisonai-platform"
      ],
      "tags": [
        "cve",
        "authentication-bypass",
        "ai-agent-framework",
        "rapid-exploitation",
        "missing-auth",
        "idor",
        "privilege-escalation"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-praisonai-auth-bypass.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-praisonai-auth-bypass.md"
    },
    {
      "id": "2026-05-tanstack-mini-shai-hulud",
      "title": "Mini Shai-Hulud wave \u2014 TanStack, Mistral, UiPath, OpenSearch (May 2026)",
      "description": "Over a 48-hour window on 2026-05-11 \u2192 2026-05-12, the Mini Shai-Hulud worm \u2014 operated by threat actor group TeamPCP \u2014 compromised 172 unique packages across 403 malicious versions on npm and PyPI.\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-05-11",
      "last_updated": "2026-06-11",
      "ecosystems": [
        "npm",
        "pypi"
      ],
      "tools_affected": [
        "any-react-project",
        "cursor",
        "claude-code",
        "lovable",
        "bolt",
        "v0",
        "llm-tooling"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "ci-cd",
        "github-actions",
        "oidc",
        "credential-theft",
        "slsa-provenance",
        "teampcp",
        "cve",
        "cisa-kev"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-tanstack-mini-shai-hulud.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-tanstack-mini-shai-hulud.md"
    },
    {
      "id": "2026-05-cursor-open-folder-autorun",
      "title": "Cursor 'Open-Folder' autorun + Git-hook RCE (CVE-2026-26268, CVE-2026-22708, CVE-2026-32202, May 2026)",
      "description": "A cluster of Cursor IDE vulnerabilities disclosed in May 2026 turn the act of opening \u2014 or just cloning \u2014 a repo into silent RCE on the developer's machine. CVE-2026-26268 (Novee, high severity) \u2014\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-05-08",
      "last_updated": "2026-05-23",
      "ecosystems": [
        "cursor",
        "vscode"
      ],
      "tools_affected": [
        "cursor"
      ],
      "tags": [
        "cve",
        "rce",
        "workspace-trust",
        "git-hooks",
        "autorun",
        "cursor",
        "vscode-task"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cursor-open-folder-autorun.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cursor-open-folder-autorun.md"
    },
    {
      "id": "2026-05-semantic-kernel-rce",
      "title": "Microsoft Semantic Kernel \u2014 prompt injection to RCE (CVE-2026-25592, CVE-2026-26030, May 2026)",
      "description": "On 2026-05-07, Microsoft disclosed two RCE flaws in Semantic Kernel, its open-source agent framework. CVE-2026-25592 (.NET SDK, CVSS 10.0) \u2014 an internal DownloadFileAsync helper was accidentally\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-05-07",
      "last_updated": "2026-05-18",
      "ecosystems": [
        "pypi",
        "dotnet",
        "ai-agents"
      ],
      "tools_affected": [
        "semantic-kernel-dotnet",
        "semantic-kernel-python"
      ],
      "tags": [
        "cve",
        "prompt-injection",
        "rce",
        "sandbox-escape",
        "microsoft",
        "ai-agent-framework",
        "kernelfunction"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-semantic-kernel-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-semantic-kernel-rce.md"
    },
    {
      "id": "2026-05-trustfall-mcp-auto-execute",
      "title": "TrustFall \u2014 AI coding CLIs auto-execute MCP servers on folder trust (Claude Code, Cursor, Gemini CLI, Copilot CLI, Codex CLI)",
      "description": "Adversa AI published TrustFall on 2026-05-07 after testing all four major agentic coding CLIs: Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI. A follow-up confirmed the same behavior\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-05-07",
      "last_updated": "2026-06-25",
      "ecosystems": [
        "claude-code",
        "cursor",
        "mcp",
        "ide-extensions",
        "ci-cd"
      ],
      "tools_affected": [
        "Claude Code",
        "Cursor CLI",
        "Gemini CLI",
        "GitHub Copilot CLI",
        "OpenAI Codex CLI"
      ],
      "tags": [
        "mcp",
        "rce",
        "trust-boundary",
        "ci-cd",
        "supply-chain",
        "won't-fix",
        "agentic-tools",
        "claude-code",
        "cursor"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trustfall-mcp-auto-execute.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trustfall-mcp-auto-execute.md"
    },
    {
      "id": "2026-05-claudebleed-chrome-extension",
      "title": "ClaudeBleed \u2014 Claude in Chrome extension hijack (May 2026)",
      "description": "Anthropic's \"Claude in Chrome\" extension exposes an externallyconnectable message handler that lets any other Chrome extension \u2014 even a zero-permission one \u2014 issue commands to the Claude agent in\u2026",
      "severity": "high",
      "status": "mitigated",
      "date_disclosed": "2026-05-06",
      "last_updated": "2026-05-19",
      "ecosystems": [
        "claude-code",
        "browser-extension"
      ],
      "tools_affected": [
        "claude-in-chrome"
      ],
      "tags": [
        "trust-boundary",
        "prompt-injection",
        "extension-to-extension",
        "gmail",
        "google-drive",
        "github"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claudebleed-chrome-extension.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claudebleed-chrome-extension.md"
    },
    {
      "id": "2026-05-nextjs-react-security-release",
      "title": "Next.js + React May 2026 security release \u2014 13 CVEs, including unauth SSRF (CVE-2026-44578)",
      "description": "On 2026-05-06 \u2192 05-07, Vercel published Next.js 15.5.18 and 16.2.6, rolling up 13 advisories \u2014 7 high, 4 moderate, 2 low, including one upstream React Server Components vuln (CVE-2026-23870). The\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-05-06",
      "last_updated": "2026-06-11",
      "ecosystems": [
        "npm",
        "javascript"
      ],
      "tools_affected": [
        "nextjs",
        "react",
        "vercel",
        "netlify",
        "cloudflare-pages",
        "any-react-project"
      ],
      "tags": [
        "cve",
        "ssrf",
        "dos",
        "middleware-bypass",
        "xss",
        "cache-poisoning",
        "react-server-components",
        "nextjs"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nextjs-react-security-release.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nextjs-react-security-release.md"
    },
    {
      "id": "2026-05-mcp-stdio-systemic-rce",
      "title": "Systemic MCP stdio RCE class \u2014 200,000+ servers exposed (May 2026)",
      "description": "OX Security disclosed a systemic, class-level vulnerability in the Model Context Protocol's stdio transport in May 2026. Audit of public-facing instances found 7,000 vulnerable MCP servers on\u2026",
      "severity": "high",
      "status": "mitigated",
      "date_disclosed": "2026-05",
      "last_updated": "2026-05-26",
      "ecosystems": [
        "mcp",
        "anthropic-mcp"
      ],
      "tools_affected": [
        "any-mcp-server-using-stdio",
        "claude-code",
        "cursor",
        "windsurf",
        "gemini-cli"
      ],
      "tags": [
        "mcp",
        "rce",
        "stdio",
        "systemic",
        "ox-security",
        "supply-chain"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mcp-stdio-systemic-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mcp-stdio-systemic-rce.md"
    },
    {
      "id": "2026-05-pcpjack-counter-worm",
      "title": "PCPJack \u2014 credential-stealing counter-worm that removes TeamPCP infections (May 2026)",
      "description": "SentinelLabs identified PCPJack as a new malware framework distinct from TeamPCP, possibly developed by a former TeamPCP affiliate or member who started an independent operation. The\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-05",
      "last_updated": "2026-06-07",
      "ecosystems": [
        "npm",
        "cloud",
        "kubernetes",
        "docker"
      ],
      "tools_affected": [
        "kubernetes clusters",
        "Docker hosts",
        "Redis instances",
        "MongoDB deployments",
        "RayML environments",
        "Next.js apps (CVE-2025-29927)",
        "React RSC apps (CVE-2025-55182)"
      ],
      "tags": [
        "worm",
        "credential-theft",
        "cloud",
        "kubernetes",
        "supply-chain",
        "teampcp",
        "lateral-movement",
        "cve-chaining"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-pcpjack-counter-worm.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-pcpjack-counter-worm.md"
    },
    {
      "id": "2026-05-windsurf-zero-click-mcp-rce",
      "title": "Windsurf zero-click MCP prompt-injection RCE (CVE-2026-30615)",
      "description": "OX Security audited the MCP write-paths in major AI coding tools and found a class-wide vulnerability \u2014 prompt-injectable content read by the agent could trigger writes to the user's MCP\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-05",
      "last_updated": "2026-05-17",
      "ecosystems": [
        "windsurf",
        "mcp"
      ],
      "tools_affected": [
        "windsurf"
      ],
      "tags": [
        "windsurf",
        "mcp",
        "prompt-injection",
        "rce",
        "cve",
        "zero-click"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-windsurf-zero-click-mcp-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-windsurf-zero-click-mcp-rce.md"
    },
    {
      "id": "2026-04-pytorch-lightning-compromise",
      "title": "PyTorch Lightning + intercom-client compromise (Mini Shai-Hulud, April\u2013May 2026)",
      "description": "On 2026-04-30, attackers \u2014 the same TeamPCP / Mini Shai-Hulud crew behind the TanStack wave and SAP packages \u2014 published trojanized PyPI builds of pytorch-lightning 2.6.2 and 2.6.3 (Lightning AI\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-04-30",
      "last_updated": "2026-05-18",
      "ecosystems": [
        "pypi",
        "npm"
      ],
      "tools_affected": [
        "any-pytorch-project",
        "any-ml-pipeline",
        "claude-code",
        "cursor",
        "vscode"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "mini-shai-hulud",
        "teampcp",
        "postinstall",
        "ai-ml",
        "pypi"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-pytorch-lightning-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-pytorch-lightning-compromise.md"
    },
    {
      "id": "2026-04-claude-code-action-procfs-credential-leak",
      "title": "Claude Code GitHub Action's unsandboxed Read tool leaks CI/CD secrets via /proc/self/environ (patched in Claude Code 2.1.128)",
      "description": "Microsoft Threat Intelligence found that Claude Code's Read tool did not get the same sandboxing as the Bash tool, so a prompt-injected instruction hidden in a GitHub issue, PR, or comment could\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-04-29",
      "last_updated": "2026-04-29",
      "ecosystems": [
        "github-actions",
        "claude-code",
        "anthropic"
      ],
      "tools_affected": [
        "Claude Code GitHub Actions (anthropics/claude-code-action)",
        "any CI/CD pipeline running Claude Code on untrusted GitHub content"
      ],
      "tags": [
        "claude-code",
        "github-actions",
        "prompt-injection",
        "credential-theft",
        "ci-cd",
        "sandbox-bypass"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-action-procfs-credential-leak.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-action-procfs-credential-leak.md"
    },
    {
      "id": "2026-04-elementary-data-pypi-ghcr-compromise",
      "title": "elementary-data PyPI + GHCR compromise \u2014 malicious .pth auto-exec (April 2026)",
      "description": "On 2026-04-24, attackers published a malicious elementary-data==0.23.3 to PyPI (uploaded 22:20:47 UTC) and poisoned the matching Docker images on GHCR (ghcr.io/elementary-data/elementary). The\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-04-24",
      "last_updated": "2026-05-23",
      "ecosystems": [
        "pypi",
        "docker"
      ],
      "tools_affected": [
        "elementary-data",
        "dbt",
        "data-engineering",
        "ci-cd",
        "any-python-project"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "github-actions",
        "script-injection",
        "pth-execution",
        "docker-poisoning",
        "forged-release"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-elementary-data-pypi-ghcr-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-elementary-data-pypi-ghcr-compromise.md"
    },
    {
      "id": "2026-04-litellm-sql-injection",
      "title": "LiteLLM proxy pre-auth SQL injection \u2014 CVE-2026-42208 (April 2026, CISA KEV) + CVE-2026-42271 (June 2026, actively exploited)",
      "description": "LiteLLM is an open-source LLM gateway/proxy widely used in vibe-coding stacks as the OpenAI-compatible front-end for Anthropic, AWS Bedrock, Azure OpenAI, Google Vertex, Cohere, and dozens of\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-04-24",
      "last_updated": "2026-06-22",
      "ecosystems": [
        "pypi",
        "ai-agents",
        "llm-proxy"
      ],
      "tools_affected": [
        "litellm",
        "berriai-litellm"
      ],
      "tags": [
        "cve",
        "sql-injection",
        "pre-auth",
        "ai-proxy",
        "cisa-kev",
        "rapid-exploitation",
        "credential-theft"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-litellm-sql-injection.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-litellm-sql-injection.md"
    },
    {
      "id": "2026-04-bitwarden-cli-shai-hulud-third-coming",
      "title": "Bitwarden CLI backdoored \u2014 first supply-chain attack to hunt AI-coding-tool creds (April 2026)",
      "description": "On 2026-04-22, a malicious @bitwarden/cli v2026.4.0 (the package has ~70K weekly / ~250K monthly downloads) was published to npm and stayed live for ~90 minutes (\u224817:57\u201319:30 ET) before takedown \u2014\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-04-22",
      "last_updated": "2026-05-23",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "bitwarden-cli",
        "claude-code",
        "cursor",
        "codex-cli",
        "any-mcp-user",
        "any-node-project",
        "ci-cd"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "ai-tool-targeting",
        "mcp",
        "teampcp",
        "shai-hulud",
        "dead-drop-c2"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-bitwarden-cli-shai-hulud-third-coming.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-bitwarden-cli-shai-hulud-third-coming.md"
    },
    {
      "id": "2026-04-vercel-context-ai-breach",
      "title": "Vercel breach via Context.ai OAuth supply chain (April 2026)",
      "description": "On 2026-04-19 Vercel published a security bulletin disclosing that an attacker had pivoted from a third-party AI productivity tool (Context.ai) into a Vercel employee's Workspace, then into\u2026",
      "severity": "high",
      "status": "contained",
      "date_disclosed": "2026-04-19",
      "last_updated": "2026-05-19",
      "ecosystems": [
        "vercel",
        "nextjs",
        "third-party-ai"
      ],
      "tools_affected": [
        "vercel",
        "context.ai"
      ],
      "tags": [
        "oauth",
        "third-party-ai",
        "infostealer",
        "lumma",
        "environment-variables",
        "vibe-platform"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vercel-context-ai-breach.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vercel-context-ai-breach.md"
    },
    {
      "id": "2026-06-claude-code-mcp-oauth-hijack",
      "title": "Claude Code MCP OAuth token hijack via malicious npm postinstall hook \u2014 Anthropic won't fix",
      "description": "Mitiga Labs disclosed a 5-step attack chain where a malicious npm package's postinstall hook modifies ~/.claude.json to intercept MCP OAuth bearer tokens (Jira, Confluence, GitHub, and any other\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-04-10",
      "last_updated": "2026-06-15",
      "ecosystems": [
        "npm",
        "claude-code",
        "mcp",
        "oauth"
      ],
      "tools_affected": [
        "claude-code"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "mcp",
        "oauth",
        "postinstall",
        "config-poisoning",
        "claude-code",
        "no-patch"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-mcp-oauth-hijack.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-mcp-oauth-hijack.md"
    },
    {
      "id": "2026-04-marimo-notebook-rce",
      "title": "Marimo notebook pre-auth RCE (CVE-2026-39987) \u2014 exploited in under 10 hours (April 2026)",
      "description": "Marimo exposes several WebSocket endpoints. The general /ws endpoint correctly calls validateauth() before accepting a connection. The /terminal/ws endpoint does not \u2014 it only checks whether the\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-04-08",
      "last_updated": "2026-05-23",
      "ecosystems": [
        "pypi",
        "ai-data-tools"
      ],
      "tools_affected": [
        "marimo",
        "python-notebooks",
        "data-apps",
        "ml-tooling"
      ],
      "tags": [
        "rce",
        "missing-auth",
        "websocket",
        "cisa-kev",
        "fast-exploit",
        "credential-theft"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-marimo-notebook-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-marimo-notebook-rce.md"
    },
    {
      "id": "2026-04-flowise-rce-cluster",
      "title": "Flowise RCE cluster \u2014 CVE-2025-59528 actively exploited + April 2026 Agent-node cluster (CVE-2026-41265 et al.)",
      "description": "Flowise stores upstream-provider API keys for OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Cohere, Mistral, and similar \u2014 the same \"central credentials cache\" problem as LiteLLM, but for\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-04-07",
      "last_updated": "2026-05-30",
      "ecosystems": [
        "npm",
        "ai-agents",
        "llm-workflow"
      ],
      "tools_affected": [
        "flowise",
        "flowiseai"
      ],
      "tags": [
        "cve",
        "rce",
        "prompt-injection",
        "ai-agent-framework",
        "active-exploitation",
        "decorator-as-documentation"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-flowise-rce-cluster.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-flowise-rce-cluster.md"
    },
    {
      "id": "2026-04-vite-dev-server-file-read",
      "title": "Vite dev-server WebSocket arbitrary file read + fs.deny bypasses (CVE-2026-39363, CVE-2026-39364, CVE-2026-39365)",
      "description": "Three related flaws in Vite's dev server let an attacker who can reach it over the network (e.g. it was started with --host or otherwise exposed) read arbitrary files on the machine \u2014 including\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-04-06",
      "last_updated": "2026-07-02",
      "ecosystems": [
        "vite",
        "npm"
      ],
      "tools_affected": [
        "vite"
      ],
      "tags": [
        "file-read",
        "dev-server",
        "websocket",
        "path-traversal",
        "access-control-bypass"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vite-dev-server-file-read.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vite-dev-server-file-read.md"
    },
    {
      "id": "2026-04-claude-code-subcommand-deny-bypass",
      "title": "Claude Code deny-rule bypass via 50-subcommand parser cap (silently patched in v2.1.90)",
      "description": "Adversa AI found that Claude Code's bash-command permission checker (bashPermissions.ts) stopped enforcing configured deny rules entirely on any compound shell command with more than 50\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-04-02",
      "last_updated": "2026-07-02",
      "ecosystems": [
        "claude-code",
        "anthropic"
      ],
      "tools_affected": [
        "claude-code"
      ],
      "tags": [
        "claude-code",
        "permission-bypass",
        "deny-rule",
        "silent-patch",
        "source-leak"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-subcommand-deny-bypass.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-subcommand-deny-bypass.md"
    },
    {
      "id": "2026-04-comment-and-control-pr-injection",
      "title": "'Comment and Control' \u2014 prompt injection via GitHub PRs/issues hits Claude Code Security Review, Gemini CLI Action, Copilot Agent (April 2026)",
      "description": "Researcher Aonan Guan (with JHU's Zhengyu Liu and Gavin Zhong) disclosed \"Comment and Control\" in April 2026: a class of prompt-injection attack where a payload in a GitHub PR title, issue body,\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-04",
      "last_updated": "2026-05-22",
      "ecosystems": [
        "claude-code",
        "gemini-cli",
        "github-copilot",
        "github-actions"
      ],
      "tools_affected": [
        "claude-code-security-review",
        "gemini-cli-action",
        "github-copilot-agent"
      ],
      "tags": [
        "prompt-injection",
        "indirect-prompt-injection",
        "github-actions",
        "cve",
        "exfiltration",
        "comment-and-control"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-comment-and-control-pr-injection.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-comment-and-control-pr-injection.md"
    },
    {
      "id": "2026-04-mini-shai-hulud-sap",
      "title": "Mini Shai-Hulud \u2014 SAP-related npm packages (April\u2013May 2026)",
      "description": "A Mini Shai-Hulud variant targeting the SAP ecosystem compromised mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite, and related packages starting in April 2026. The payload harvests local\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-04",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "enterprise-node",
        "sap-cap",
        "any-node-with-sap-deps"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "npm",
        "mini-shai-hulud",
        "enterprise"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-mini-shai-hulud-sap.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-mini-shai-hulud-sap.md"
    },
    {
      "id": "2026-03-axios-compromise",
      "title": "Axios npm package compromise (March 2026)",
      "description": "On 2026-03-31, two malicious versions of axios (70M+ weekly downloads) were published. They connected to a C2 owned by the Sapphire Sleet threat actor to pull a remote access trojan. Because Axios\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-03-31",
      "last_updated": "2026-05-22",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any-node-project",
        "any-frontend-with-http-client",
        "usebruno-cli"
      ],
      "tags": [
        "supply-chain",
        "rat",
        "c2",
        "npm",
        "auto-update",
        "cve"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-axios-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-axios-compromise.md"
    },
    {
      "id": "2026-03-claude-code-source-map-leak",
      "title": "Claude Code source-map leak \u2014 512K lines of internal TypeScript shipped in npm package (March 2026)",
      "description": "On 2026-03-31, Anthropic published a release of the @anthropic-ai/claude-code npm package that included a 59.8 MB source-map file exposing ~512,000 lines of unobfuscated TypeScript across roughly\u2026",
      "severity": "medium",
      "status": "contained",
      "date_disclosed": "2026-03-31",
      "last_updated": "2026-05-18",
      "ecosystems": [
        "claude-code",
        "npm"
      ],
      "tools_affected": [
        "claude-code"
      ],
      "tags": [
        "information-disclosure",
        "source-disclosure",
        "npmignore",
        "source-map",
        "supply-chain-hygiene"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claude-code-source-map-leak.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claude-code-source-map-leak.md"
    },
    {
      "id": "2026-03-openhands-git-diff-rce",
      "title": "OpenHands git-diff command injection \u2014 CVE-2026-33718 (March 2026)",
      "description": "GitHub advisory GHSA-7h8w-hj9j-8rjw (published 2026-03-27) describes the bug: the filepath argument supplied to the git-diff API endpoint is directly interpolated into a shell command string and\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-03-27",
      "last_updated": "2026-05-20",
      "ecosystems": [
        "pypi",
        "ai-agents"
      ],
      "tools_affected": [
        "openhands"
      ],
      "tags": [
        "cve",
        "command-injection",
        "ai-agent-framework",
        "agent-sandbox",
        "authenticated"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-openhands-git-diff-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-openhands-git-diff-rce.md"
    },
    {
      "id": "2026-03-claudy-day-claude-ai-exfiltration",
      "title": "Claudy Day \u2014 three chained Claude.ai flaws exfiltrate conversation history via hidden URL-parameter prompt injection (March 2026)",
      "description": "Oasis Security disclosed \"Claudy Day\": three chainable flaws in Claude.ai / claude.com that together let an attacker deliver a single crafted link and silently exfiltrate a victim's Claude\u2026",
      "severity": "high",
      "status": "mitigated",
      "date_disclosed": "2026-03-18",
      "last_updated": "2026-07-01",
      "ecosystems": [
        "claude-ai"
      ],
      "tools_affected": [
        "Claude.ai / claude.com web app"
      ],
      "tags": [
        "prompt-injection",
        "data-exfiltration",
        "claude-ai",
        "open-redirect",
        "anthropic"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claudy-day-claude-ai-exfiltration.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claudy-day-claude-ai-exfiltration.md"
    },
    {
      "id": "2026-03-langflow-rce",
      "title": "Langflow unauthenticated RCE \u2014 CVE-2026-33017 (March 2026)",
      "description": "Langflow disclosed CVE-2026-33017 on 2026-03-17. The root cause is unsafe handling of user-controlled input in the public flow-build endpoint (buildpublictmp): the input is evaluated within a\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-03-17",
      "last_updated": "2026-05-20",
      "ecosystems": [
        "pypi",
        "ai-agents"
      ],
      "tools_affected": [
        "langflow"
      ],
      "tags": [
        "cve",
        "rce",
        "ai-agent-framework",
        "unauthenticated",
        "cisa-kev",
        "rapid-exploitation",
        "incomplete-fix"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-langflow-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-langflow-rce.md"
    },
    {
      "id": "2026-03-trivy-litellm-supply-chain",
      "title": "TeamPCP breaches Trivy GitHub Actions \u2192 LiteLLM 1.82.7\u20131.82.8 backdoored (March 2026)",
      "description": "TeamPCP force-pushed malicious tags across 75 of 76 aquasecurity/trivy-action release tags, injecting a malicious entrypoint.sh. Any CI pipeline running an unpinned uses:\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-03-12",
      "last_updated": "2026-06-03",
      "ecosystems": [
        "pypi",
        "ci-cd",
        "github-actions"
      ],
      "tools_affected": [
        "litellm",
        "trivy",
        "aquasecurity-trivy-action"
      ],
      "tags": [
        "supply-chain",
        "ci-cd",
        "github-actions",
        "credential-theft",
        "pypi",
        "security-scanner-as-vector",
        "teamPCP",
        "litellm"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-trivy-litellm-supply-chain.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-trivy-litellm-supply-chain.md"
    },
    {
      "id": "2026-03-supabase-auth-oidc-bypass",
      "title": "Supabase Auth OIDC issuer-validation bypass \u2014 CVE-2026-31813 (March 2026)",
      "description": "GitHub published advisory GHSA-v36f-qvww-8w8m on 2026-03-11 (rated Moderate by GitHub; high-impact in practice because it's an authentication bypass). The bug: when Supabase Auth processes an ID\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-03-11",
      "last_updated": "2026-05-20",
      "ecosystems": [
        "supabase",
        "auth"
      ],
      "tools_affected": [
        "supabase",
        "gotrue",
        "lovable",
        "bolt",
        "v0",
        "any-supabase-auth-app"
      ],
      "tags": [
        "cve",
        "authentication-bypass",
        "oidc",
        "account-takeover",
        "vibe-platform",
        "self-hosted"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-supabase-auth-oidc-bypass.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-supabase-auth-oidc-bypass.md"
    },
    {
      "id": "2026-03-msagent-cve-2026-2256-shell-injection",
      "title": "ModelScope ms-agent OS command injection via Shell tool (CVE-2026-2256) \u2014 unpatched, public PoC, CERT/CC advisory",
      "description": "ModelScope's ms-agent is a Python-based open-source framework for building AI agents capable of executing OS commands, running code, analyzing data, and interacting with tools via the Model\u2026",
      "severity": "medium",
      "status": "active",
      "date_disclosed": "2026-03-02",
      "last_updated": "2026-06-22",
      "ecosystems": [
        "pypi",
        "ai-agents"
      ],
      "tools_affected": [
        "ms-agent",
        "modelscope"
      ],
      "tags": [
        "cve",
        "command-injection",
        "ai-agent-framework",
        "unpatched",
        "shell-tool",
        "regex-blacklist",
        "prompt-injection-rce"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-msagent-cve-2026-2256-shell-injection.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-msagent-cve-2026-2256-shell-injection.md"
    },
    {
      "id": "2026-03-polinrider-multi-ecosystem-dprk-campaign",
      "title": "PolinRider \u2014 ongoing DPRK-linked campaign backdoors npm, Packagist, Go, and a Chrome extension via maintainer-account takeover (Mar 2026\u2013ongoing)",
      "description": "First flagged by the OpenSourceMalware team around 2026-03, PolinRider involves DPRK-linked threat actors \u2014 tied to the broader Contagious Interview / Famous Chollima developer-targeting cluster \u2014\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-03-01",
      "last_updated": "2026-07-04",
      "ecosystems": [
        "npm",
        "packagist",
        "go",
        "chrome-extension"
      ],
      "tools_affected": [
        "multiple compromised maintainer accounts/repos across npm",
        "Packagist",
        "Go",
        "Chrome Web Store"
      ],
      "tags": [
        "supply-chain",
        "dprk",
        "account-takeover",
        "git-history-rewrite",
        "credential-theft",
        "wallet-theft",
        "cross-ecosystem"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-polinrider-multi-ecosystem-dprk-campaign.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-polinrider-multi-ecosystem-dprk-campaign.md"
    },
    {
      "id": "2026-03-sglang-unauth-rce",
      "title": "SGLang unauth RCE cluster \u2014 CVE-2026-3059 / CVE-2026-3060 (pickle ZMQ, CVSS 9.8) + CVE-2026-5760 (GGUF model RCE)",
      "description": "Three critical unauthenticated RCE vulnerabilities in SGLang (the fast LLM inference and serving framework, ~1M monthly PyPI downloads) form a cluster: CVE-2026-3059 and CVE-2026-3060 (CVSS 9.8\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-03",
      "last_updated": "2026-06-14",
      "ecosystems": [
        "pypi",
        "ai-agents"
      ],
      "tools_affected": [
        "sglang",
        "any LLM inference server using SGLang's multi-node ZMQ broker"
      ],
      "tags": [
        "rce",
        "unauth",
        "deserialization",
        "pickle",
        "ai-infrastructure",
        "llm-inference",
        "gguf",
        "supply-chain"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-sglang-unauth-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-sglang-unauth-rce.md"
    },
    {
      "id": "2026-02-langflow-cve-2026-27966-csv-agent-rce",
      "title": "Langflow CVE-2026-27966 \u2014 CSV Agent hardcodes allow_dangerous_code=True \u2192 unauthenticated prompt-injection RCE (CVSS 9.8)",
      "description": "The CSV Agent node's source code contained the line:",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-02-25",
      "last_updated": "2026-06-23",
      "ecosystems": [
        "pypi",
        "ai-agents",
        "langchain"
      ],
      "tools_affected": [
        "langflow"
      ],
      "tags": [
        "cve",
        "rce",
        "prompt-injection",
        "ai-agents",
        "decorator-as-documentation",
        "langchain",
        "csv-agent",
        "eval-on-llm-output",
        "pre-auth"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-langflow-cve-2026-27966-csv-agent-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-langflow-cve-2026-27966-csv-agent-rce.md"
    },
    {
      "id": "2026-02-sandworm-mode-npm-worm",
      "title": "SANDWORM_MODE \u2014 Shai-Hulud-style npm worm with MCP injection, CI implant, and 48-hour delayed activation (Feb 2026)",
      "description": "Socket's Threat Research Team identified at least 19 malicious npm packages across two publisher aliases (confirmed; number may grow). The campaign name comes from SANDWORM environment-variable\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-02-17",
      "last_updated": "2026-06-06",
      "ecosystems": [
        "npm",
        "mcp",
        "github-actions",
        "ai-agents"
      ],
      "tools_affected": [
        "claude-code",
        "openclaw",
        "any npm package using the compromised accounts",
        "CI pipelines using GitHub Actions"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "worm",
        "mcp-injection",
        "ai-toolchain",
        "ci-cd",
        "github-actions",
        "prompt-injection"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-sandworm-mode-npm-worm.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-sandworm-mode-npm-worm.md"
    },
    {
      "id": "2026-02-claude-desktop-extensions-rce",
      "title": "Claude Desktop Extensions (DXT) zero-click RCE \u2014 Anthropic declines to fix (Feb 2026)",
      "description": "LayerX disclosed (report dated 2026-02-09, with renewed coverage around RSAC in May 2026) that DXT extensions are not sandboxed and execute with the user's full local privileges. Claude can\u2026",
      "severity": "critical",
      "status": "active",
      "date_disclosed": "2026-02-09",
      "last_updated": "2026-05-21",
      "ecosystems": [
        "claude-code",
        "anthropic",
        "mcp"
      ],
      "tools_affected": [
        "claude-desktop",
        "claude-desktop-extensions",
        "mcp"
      ],
      "tags": [
        "prompt-injection",
        "rce",
        "zero-click",
        "mcp",
        "dxt",
        "lethal-trifecta",
        "wont-fix"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-claude-desktop-extensions-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-claude-desktop-extensions-rce.md"
    },
    {
      "id": "2026-02-cline-clinejection",
      "title": "Cline 'Clinejection' \u2014 AI triage bot \u2192 npm publish supply chain (February 2026)",
      "description": "On 2026-02-09, security researcher Adnan Khan publicly disclosed \"Clinejection\" \u2014 a chain in the Cline AI coding agent's GitHub repo that let a maliciously titled issue tell Cline's own triage bot\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2026-02-09",
      "last_updated": "2026-05-19",
      "ecosystems": [
        "npm",
        "ai-agents",
        "cline"
      ],
      "tools_affected": [
        "cline",
        "openclaw"
      ],
      "tags": [
        "supply-chain",
        "prompt-injection",
        "cache-poisoning",
        "github-actions",
        "openclaw",
        "postinstall"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-cline-clinejection.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-cline-clinejection.md"
    },
    {
      "id": "2026-02-clawhavoc-clawhub-skills",
      "title": "ClawHavoc \u2014 mass malicious-skill poisoning of OpenClaw's ClawHub marketplace (February 2026)",
      "description": "Koi Security found that ClawHub \u2014 the open-by-default skill marketplace for the self-hosted OpenClaw AI agent (formerly Clawdbot / Moltbot) \u2014 was flooded with malicious \"skills\" that install the\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2026-02-01",
      "last_updated": "2026-05-24",
      "ecosystems": [
        "ai-agents",
        "openclaw",
        "clawhub"
      ],
      "tools_affected": [
        "openclaw",
        "clawdbot",
        "moltbot",
        "clawhub-skills",
        "skills.sh"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "ai-agent",
        "skill-marketplace",
        "atomic-stealer",
        "amos",
        "malware",
        "koi-security",
        "snyk",
        "toxicskills",
        "prompt-injection"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-clawhavoc-clawhub-skills.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-clawhavoc-clawhub-skills.md"
    },
    {
      "id": "2026-01-openclaw-cve-2026-25253-gatewayurl-rce",
      "title": "OpenClaw 1-click RCE via WebSocket gateway-URL token theft (CVE-2026-25253, Jan 2026)",
      "description": "OpenClaw (formerly Clawdbot/Moltbot) ships a browser-based Control UI that connects to a WebSocket gateway on localhost. The UI's applySettingsFromUrl() function read a gatewayUrl parameter\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-01-26",
      "last_updated": "2026-05-29",
      "ecosystems": [
        "ai-agents",
        "openclaw"
      ],
      "tools_affected": [
        "openclaw",
        "clawdbot",
        "moltbot"
      ],
      "tags": [
        "cve",
        "openclaw",
        "websocket",
        "token-theft",
        "one-click-rce",
        "gatewayurl",
        "ai-agent"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-openclaw-cve-2026-25253-gatewayurl-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-openclaw-cve-2026-25253-gatewayurl-rce.md"
    },
    {
      "id": "2026-01-sveltespill-sveltekit-vercel-cache-deception",
      "title": "SvelteSpill \u2014 SvelteKit + Vercel cache deception exposes authenticated responses (CVE-2026-27118, Jan 2026)",
      "description": "Aikido Security's AI-assisted pentesting tooling discovered on 2026-01-20 that @sveltejs/adapter-vercel accepted a pathname query parameter intended purely for internal routing/rewriting, without\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-01-20",
      "last_updated": "2026-07-04",
      "ecosystems": [
        "npm",
        "svelte",
        "vercel"
      ],
      "tools_affected": [
        "@sveltejs/adapter-vercel",
        "SvelteKit on Vercel"
      ],
      "tags": [
        "cache-deception",
        "svelte",
        "sveltekit",
        "vercel",
        "session-hijack",
        "frontend"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-sveltespill-sveltekit-vercel-cache-deception.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-sveltespill-sveltekit-vercel-cache-deception.md"
    },
    {
      "id": "2026-01-opencode-localhost-rce",
      "title": "OpenCode AI coding agent \u2014 twin localhost RCEs (CVE-2026-22812 + CVE-2026-22813)",
      "description": "OpenCode is an open-source AI coding agent (anomalyco/opencode, 71K+ GitHub stars) \u2014 comparable to aider, Claude Code, Cursor, Cline, Codex CLI, and the OpenHands/OpenClaw family. Developers run\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2026-01-12",
      "last_updated": "2026-05-30",
      "ecosystems": [
        "ai-agents",
        "ai-ide",
        "npm"
      ],
      "tools_affected": [
        "opencode",
        "anomalyco-opencode",
        "sst-opencode"
      ],
      "tags": [
        "cve",
        "rce",
        "localhost",
        "browser-attacker-model",
        "xss",
        "websocket",
        "ai-ide",
        "lethal-trifecta"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-opencode-localhost-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-opencode-localhost-rce.md"
    },
    {
      "id": "2026-01-langsmith-account-takeover",
      "title": "LangSmith CVE-2026-25750 unvalidated baseUrl \u2192 account takeover (January 2026)",
      "description": "On 2026-01-07, Miggo Research disclosed two chained vulnerabilities in LangSmith, LangChain's observability and tracing platform used by AI development teams to monitor LLM calls, trace agent\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-01-07",
      "last_updated": "2026-06-03",
      "ecosystems": [
        "pypi",
        "ai-agents",
        "langchain"
      ],
      "tools_affected": [
        "langsmith",
        "langchain",
        "langsmith-sdk"
      ],
      "tags": [
        "cve",
        "ssrf",
        "account-takeover",
        "ai-agent-framework",
        "session-token",
        "unvalidated-redirect",
        "langchain"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-langsmith-account-takeover.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-langsmith-account-takeover.md"
    },
    {
      "id": "2026-02-google-antigravity-sandbox-escape",
      "title": "Google Antigravity sandbox escape via fd flag injection (Pillar Security, Feb 2026)",
      "description": "Pillar Security disclosed a Secure Mode bypass in Google Antigravity \u2014 Google's agentic IDE \u2014 that turns a prompt injection into full RCE. The bug: the findbyname tool fired before any\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2026-01-07",
      "last_updated": "2026-05-18",
      "ecosystems": [
        "antigravity",
        "ai-agents"
      ],
      "tools_affected": [
        "google-antigravity"
      ],
      "tags": [
        "cve",
        "prompt-injection",
        "sandbox-escape",
        "rce",
        "agentic-ide",
        "secure-mode",
        "fd",
        "google"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-google-antigravity-sandbox-escape.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-google-antigravity-sandbox-escape.md"
    },
    {
      "id": "2026-01-vscode-fork-recommended-extension-hijack",
      "title": "AI IDEs recommend non-existent extensions \u2014 OpenVSX namespace hijack (Jan 2026)",
      "description": "Koi Security found that the major VS Code-fork AI IDEs \u2014 Cursor, Windsurf, Google Antigravity, and Trae \u2014 ship a recommended-extensions list that points at extensions which don't exist on OpenVSX\u2026",
      "severity": "high",
      "status": "mitigated",
      "date_disclosed": "2026-01-05",
      "last_updated": "2026-05-23",
      "ecosystems": [
        "vscode",
        "openvsx"
      ],
      "tools_affected": [
        "cursor",
        "windsurf",
        "google-antigravity",
        "trae",
        "any-vscode-fork"
      ],
      "tags": [
        "supply-chain",
        "ide-extension",
        "openvsx",
        "namespace-hijack",
        "recommendation-poisoning",
        "slopsquatting-adjacent"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-vscode-fork-recommended-extension-hijack.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-vscode-fork-recommended-extension-hijack.md"
    },
    {
      "id": "2025-12-shai-hulud-3-test-payload",
      "title": "Shai-Hulud 3.0 test payload \u2014 @vietmoney/react-big-calendar@0.26.2 (Dec 2025)",
      "description": "A third generation of the Shai-Hulud worm (\"Shai-Hulud 3.0\" / Snyk's \"Holiday Whisper\") landed on npm on 2025-12-28 as a single low-profile package \u2014 @vietmoney/react-big-calendar@0.26.2 \u2014 with\u2026",
      "severity": "high",
      "status": "contained",
      "date_disclosed": "2025-12-28",
      "last_updated": "2026-05-26",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any-node-project",
        "cursor",
        "claude-code"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "npm",
        "shai-hulud",
        "teampcp",
        "test-payload"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-shai-hulud-3-test-payload.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-shai-hulud-3-test-payload.md"
    },
    {
      "id": "2025-12-langchain-langgrinch",
      "title": "LangChain LangGrinch + path-traversal + SSRF + SQLi (CVE-2025-68664, CVE-2026-34070, CVE-2026-26019, CVE-2025-67644)",
      "description": "On 2025-12-23, Cyata disclosed CVE-2025-68664 (\"LangGrinch\") to LangChain. The bug lived in langchaincore.load.dump.dumps() / dumpd(): when serializing a \"free-form dictionary\" that happened to\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2025-12-23",
      "last_updated": "2026-06-09",
      "ecosystems": [
        "pypi",
        "npm",
        "ai-agents",
        "langchain"
      ],
      "tools_affected": [
        "langchain",
        "langchain-core",
        "langgraph",
        "langgraph-checkpoint-sqlite",
        "@langchain/community"
      ],
      "tags": [
        "cve",
        "deserialization",
        "prompt-injection",
        "secret-exfil",
        "path-traversal",
        "ssrf",
        "ai-agent-framework"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-langchain-langgrinch.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-langchain-langgrinch.md"
    },
    {
      "id": "2025-12-react2shell-rce",
      "title": "React2Shell \u2014 CVE-2025-55182 RCE in React Server Components (Dec 2025 \u2192 exploited through Apr 2026)",
      "description": "Security researchers disclosed a critical deserialization vulnerability in React's Flight protocol \u2014 the wire format used to stream React Server Component payloads. React did not properly validate\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2025-12-05",
      "last_updated": "2026-06-04",
      "ecosystems": [
        "npm",
        "react",
        "nextjs",
        "vite",
        "react-router"
      ],
      "tools_affected": [
        "React 18/19 (RSC)",
        "Next.js",
        "Waku",
        "React Router (RSC mode)",
        "RedwoodSDK",
        "Parcel RSC",
        "Vite RSC plugin"
      ],
      "tags": [
        "rce",
        "deserialization",
        "unauthenticated",
        "cisa-kev",
        "active-exploitation",
        "react-server-components"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-react2shell-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-react2shell-rce.md"
    },
    {
      "id": "2025-11-shai-hulud-second-coming",
      "title": "Shai-Hulud 'The Second Coming' (November 2025)",
      "description": "On 2025-11-24, attackers launched the second Shai-Hulud wave: 492 npm packages (132M monthly downloads) trojanized, including packages from Zapier, ENS Domains, PostHog, and Postman. The worm\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2025-11-24",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any-node-project",
        "cursor",
        "claude-code",
        "lovable",
        "bolt",
        "replit"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "npm",
        "github",
        "trufflehog"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-11-shai-hulud-second-coming.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-11-shai-hulud-second-coming.md"
    },
    {
      "id": "2025-11-n8n-ni8mare-rce",
      "title": "n8n Ni8mare + RCE cluster \u2014 CVSS 10.0 unauth takeover of workflow automation (Nov 2025 \u2192 June 2026)",
      "description": "Security researcher Dor Attias reported CVE-2026-21858 on November 9, 2025. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary system commands on the host running\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2025-11-09",
      "last_updated": "2026-06-18",
      "ecosystems": [
        "npm",
        "self-hosted"
      ],
      "tools_affected": [
        "n8n (workflow automation)",
        "any AI agent pipeline using n8n as an orchestration layer"
      ],
      "tags": [
        "rce",
        "unauth",
        "workflow-automation",
        "credential-theft",
        "ai-agents",
        "oauth-pivot"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-11-n8n-ni8mare-rce.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-11-n8n-ni8mare-rce.md"
    },
    {
      "id": "2025-10-cursor-windsurf-chromium-ndays",
      "title": "Cursor & Windsurf ship stale Chromium \u2014 94+ n-day vulns, 1.8M devs (Oct 2025)",
      "description": "OX Security (\"Forked and Forgotten\") showed that Cursor and Windsurf \u2014 built on outdated VS Code \u2192 outdated Electron \u2192 outdated Chromium/V8 \u2014 are exposed to 94+ known (n-day) Chromium\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2025-10-21",
      "last_updated": "2026-05-23",
      "ecosystems": [
        "cursor",
        "windsurf",
        "electron"
      ],
      "tools_affected": [
        "cursor",
        "windsurf",
        "any-vscode-fork-on-old-electron"
      ],
      "tags": [
        "n-day",
        "chromium",
        "electron",
        "v8",
        "ai-ide",
        "patch-lag",
        "vendor-disputed"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-cursor-windsurf-chromium-ndays.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-cursor-windsurf-chromium-ndays.md"
    },
    {
      "id": "2025-10-glassworm-vscode-worm",
      "title": "GlassWorm \u2014 self-propagating VS Code / Open VSX extension worm (Oct 2025 \u2192 2026)",
      "description": "GlassWorm's signature trick is steganographic source: the malicious logic is encoded in printable-but-non-rendering Unicode (e.g., variation selectors / invisible code points), so a maintainer or\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2025-10-17",
      "last_updated": "2026-06-22",
      "ecosystems": [
        "vscode",
        "openvsx",
        "npm",
        "github"
      ],
      "tools_affected": [],
      "tags": [
        "supply-chain",
        "ide-extension",
        "worm",
        "self-propagating",
        "credential-theft",
        "crypto-theft",
        "invisible-unicode",
        "solana-c2",
        "botnet-takedown"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-glassworm-vscode-worm.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-glassworm-vscode-worm.md"
    },
    {
      "id": "2025-10-windsurf-cve-2025-62353-path-traversal",
      "title": "Windsurf path-traversal via prompt-injected README \u2014 Cascade reads/writes arbitrary files (CVE-2025-62353, Oct 2025)",
      "description": "HiddenLayer demonstrated indirect prompt injection against the Cascade AI agent inside Windsurf. Their PoC placed natural-language instructions inside an HTML comment in a project's README.md \u2014\u2026",
      "severity": "critical",
      "status": "patched",
      "date_disclosed": "2025-10",
      "last_updated": "2026-05-29",
      "ecosystems": [
        "windsurf"
      ],
      "tools_affected": [
        "windsurf",
        "cascade"
      ],
      "tags": [
        "windsurf",
        "cascade",
        "prompt-injection",
        "path-traversal",
        "cve",
        "indirect-prompt-injection",
        "hiddenlayer"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-windsurf-cve-2025-62353-path-traversal.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-windsurf-cve-2025-62353-path-traversal.md"
    },
    {
      "id": "2025-09-postmark-mcp-backdoor",
      "title": "postmark-mcp backdoor \u2014 first malicious MCP server (September 2025)",
      "description": "The npm package postmark-mcp \u2014 an unofficial MCP server for the Postmark email service \u2014 was modified in v1.0.16 (published 2025-09-17) to silently BCC every outgoing email to\u2026",
      "severity": "high",
      "status": "contained",
      "date_disclosed": "2025-09-25",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "npm",
        "mcp"
      ],
      "tools_affected": [
        "claude-code",
        "cursor",
        "any-mcp-host"
      ],
      "tags": [
        "mcp",
        "supply-chain",
        "email-exfiltration",
        "trust-erosion",
        "npm"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-postmark-mcp-backdoor.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-postmark-mcp-backdoor.md"
    },
    {
      "id": "2025-09-shai-hulud-original",
      "title": "Shai-Hulud npm worm \u2014 original wave (September 2025)",
      "description": "On 2025-09-15, the first self-replicating npm worm \u2014 Shai-Hulud \u2014 was discovered. ~200 packages compromised, including @ctrl/tinycolor (2.2M weekly), ngx-bootstrap (300k weekly), and several\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2025-09-15",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any-node-project",
        "cursor",
        "claude-code"
      ],
      "tags": [
        "supply-chain",
        "worm",
        "credential-theft",
        "npm",
        "github"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-shai-hulud-original.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-shai-hulud-original.md"
    },
    {
      "id": "2025-09-qix-compromise",
      "title": "qix npm account compromise \u2014 chalk, debug, ansi-styles (September 2025)",
      "description": "On 2025-09-08, npm maintainer Josh Junon (qix) was phished. The attacker took over ~18 of his packages \u2014 chalk, debug, ansi-styles, strip-ansi, color-convert, wrap-ansi, and more \u2014 collectively\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2025-09-08",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any-node-project",
        "any-frontend",
        "cursor",
        "claude-code"
      ],
      "tags": [
        "supply-chain",
        "phishing",
        "npm",
        "crypto-wallet-hijack",
        "browser"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-qix-compromise.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-qix-compromise.md"
    },
    {
      "id": "2025-09-litl-ai-approval-dialog-bypass",
      "title": "'Lies in the Loop' (LITL) \u2014 approval-dialog padding hides malicious commands below the fold in Claude Code and VS Code Copilot (Sept 2025, no vendor fix)",
      "description": "Checkmarx Zero researchers discovered that AI coding agents that use Human-in-the-Loop (HITL) confirmation dialogs \u2014 the approval prompts that ask developers \"OK to run this command?\" before\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2025-09-01",
      "last_updated": "2026-06-20",
      "ecosystems": [
        "claude-code",
        "vscode-copilot"
      ],
      "tools_affected": [
        "Claude Code (Anthropic)",
        "GitHub Copilot Chat in VS Code (Microsoft)"
      ],
      "tags": [
        "prompt-injection",
        "indirect-prompt-injection",
        "approval-dialog",
        "hitl-dialog-forging",
        "rce",
        "claude-code",
        "vendor-wont-fix"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-litl-ai-approval-dialog-bypass.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-litl-ai-approval-dialog-bypass.md"
    },
    {
      "id": "2025-08-nx-s1ngularity",
      "title": "Nx 's1ngularity' \u2014 first AI-CLI-assisted malware (August 2025)",
      "description": "On 2025-08-26, malicious versions of Nx and several plugins were published to npm after attackers exploited a GitHub Actions injection bug to steal the publish token. The postinstall script\u2026",
      "severity": "critical",
      "status": "contained",
      "date_disclosed": "2025-08-26",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "npm"
      ],
      "tools_affected": [
        "any-nx-project",
        "claude-code",
        "gemini-cli"
      ],
      "tags": [
        "supply-chain",
        "credential-theft",
        "npm",
        "ai-assisted-malware",
        "postinstall",
        "github-actions"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-nx-s1ngularity.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-nx-s1ngularity.md"
    },
    {
      "id": "2025-08-salesloft-drift-oauth-breach",
      "title": "Salesloft Drift OAuth Breach \u2014 UNC6395 steals Salesforce CRM data from Cloudflare, Palo Alto, Zscaler and hundreds of orgs (August 2025)",
      "description": "Threat actor UNC6395 compromised a Salesloft GitHub account, stole OAuth tokens from the Drift AI chat agent's Salesforce integration, and used them to exfiltrate CRM data \u2014 including AWS keys,\u2026",
      "severity": "high",
      "status": "contained",
      "date_disclosed": "2025-08-26",
      "last_updated": "2026-06-24",
      "ecosystems": [
        "saas",
        "oauth",
        "salesforce"
      ],
      "tools_affected": [
        "salesloft",
        "drift",
        "salesforce-crm"
      ],
      "tags": [
        "oauth-pivot",
        "ai-tool-oauth-pivot",
        "saas-supply-chain",
        "credential-theft",
        "unc6395",
        "github-account-compromise"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-salesloft-drift-oauth-breach.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-salesloft-drift-oauth-breach.md"
    },
    {
      "id": "2025-08-claude-code-inverseprompt",
      "title": "Claude Code InversePrompt and follow-on CVEs (multiple)",
      "description": "A growing collection of Claude Code CVEs \u2014 CVE-2025-54794, CVE-2025-54795 (Cymulate's \"InversePrompt\", Aug 2025), CVE-2025-52882 (information disclosure), CVE-2025-59536, CVE-2026-21852 (\"Leaks\u2026",
      "severity": "medium",
      "status": "patched",
      "date_disclosed": "2025-08",
      "last_updated": "2026-06-18",
      "ecosystems": [
        "claude-code"
      ],
      "tools_affected": [
        "claude-code"
      ],
      "tags": [
        "prompt-injection",
        "claude-code",
        "mcp",
        "indirect-prompt-injection",
        "cve",
        "trustfall"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-claude-code-inverseprompt.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-claude-code-inverseprompt.md"
    },
    {
      "id": "2025-07-amazon-q-wiper",
      "title": "Amazon Q VS Code extension wiper prompt (July 2025)",
      "description": "On 2025-07-13 a researcher submitted a PR to the aws-toolkit-vscode repo and was \u2014 by their account \u2014 granted admin permissions in response. They merged a prompt injection that shipped in Amazon Q\u2026",
      "severity": "medium",
      "status": "contained",
      "date_disclosed": "2025-07-17",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "amazon-q",
        "vs-code"
      ],
      "tools_affected": [
        "amazon-q-developer-extension"
      ],
      "tags": [
        "prompt-injection",
        "supply-chain",
        "vs-code",
        "ai-extension",
        "github"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-amazon-q-wiper.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-amazon-q-wiper.md"
    },
    {
      "id": "2025-07-supabase-mcp-lethal-trifecta",
      "title": "Supabase MCP 'lethal trifecta' \u2014 full SQL DB exfiltration via stored prompt injection",
      "description": "General Analysis (popularized by Simon Willison as the \"lethal trifecta\") demonstrated that Cursor + Supabase MCP + an attacker-controlled row in a customer-submitted table = full database\u2026",
      "severity": "high",
      "status": "mitigated",
      "date_disclosed": "2025-07-06",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "supabase",
        "mcp",
        "cursor"
      ],
      "tools_affected": [
        "supabase-mcp",
        "cursor",
        "any-agent-with-db-mcp"
      ],
      "tags": [
        "prompt-injection",
        "mcp",
        "supabase",
        "sql-injection",
        "rls-bypass",
        "lethal-trifecta",
        "lovable-relevant"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-supabase-mcp-lethal-trifecta.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-supabase-mcp-lethal-trifecta.md"
    },
    {
      "id": "2026-05-whitecobra-vscode-extensions",
      "title": "WhiteCobra \u2014 recurring VS Code / Cursor / Windsurf / Open VSX crypto-stealer campaign (July 2025 \u2192 ongoing)",
      "description": "WhiteCobra has published at least 24 malicious extensions across the VS Code Marketplace and Open VSX registry. The campaign targets developers who use AI coding tools (Cursor, Windsurf) for\u2026",
      "severity": "high",
      "status": "active",
      "date_disclosed": "2025-07-01",
      "last_updated": "2026-06-05",
      "ecosystems": [
        "vscode",
        "cursor",
        "windsurf",
        "openvsx"
      ],
      "tools_affected": [
        "VS Code",
        "Cursor",
        "Windsurf",
        "any IDE using Open VSX extensions"
      ],
      "tags": [
        "supply-chain",
        "extension-marketplace",
        "credential-theft",
        "crypto-theft",
        "lummastealer",
        "malicious-extension"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-whitecobra-vscode-extensions.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-whitecobra-vscode-extensions.md"
    },
    {
      "id": "2025-07-cursor-curxecute-mcpoison",
      "title": "Cursor CurXecute (CVE-2025-54135) + MCPoison (CVE-2025-54136) + case-sensitivity bypass (CVE-2025-59944)",
      "description": "Three Cursor IDE vulnerabilities, all patched, all worth understanding because the patterns recur. CurXecute (CVE-2025-54135, CVSS 8.6) let prompt injection from an MCP server modify mcp.json and\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2025-07",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "cursor",
        "mcp"
      ],
      "tools_affected": [
        "cursor"
      ],
      "tags": [
        "prompt-injection",
        "mcp",
        "cursor",
        "rce",
        "configuration-bypass"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-cursor-curxecute-mcpoison.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-cursor-curxecute-mcpoison.md"
    },
    {
      "id": "2025-06-vsxploit-openvsx-build-token-theft",
      "title": "VSXPloit \u2014 Open VSX nightly build pipeline could be exploited to steal marketplace admin token (June 2025)",
      "description": "Koi Security researcher Oren Yomtov discovered that Open VSX's nightly build pipeline executed arbitrary code from community-submitted extension repositories, allowing any extension author to\u2026",
      "severity": "high",
      "status": "patched",
      "date_disclosed": "2025-06-25",
      "last_updated": "2026-06-20",
      "ecosystems": [
        "vscode",
        "openvsx",
        "cursor",
        "windsurf"
      ],
      "tools_affected": [
        "Open VSX Registry",
        "Cursor",
        "Windsurf",
        "VSCodium",
        "Google Cloud Shell Editor",
        "Gitpod",
        "StackBlitz",
        "Coder"
      ],
      "tags": [
        "supply-chain",
        "ide-extension",
        "openvsx",
        "token-theft",
        "build-pipeline",
        "marketplace-takeover",
        "historical"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-06-vsxploit-openvsx-build-token-theft.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/2025-06-vsxploit-openvsx-build-token-theft.md"
    },
    {
      "id": "ongoing-slopsquatting",
      "title": "Slopsquatting \u2014 attackers register AI-hallucinated package names",
      "description": "LLMs frequently hallucinate package names that don't exist. Attackers register those exact names on npm and PyPI as malware. The next person who pastes the same hallucinated import gets owned.\u2026",
      "severity": "medium",
      "status": "ongoing",
      "date_disclosed": "2025-04",
      "last_updated": "2026-05-16",
      "ecosystems": [
        "npm",
        "pypi"
      ],
      "tools_affected": [
        "any-llm-coding-tool",
        "cursor",
        "claude-code",
        "copilot",
        "codex",
        "v0",
        "lovable",
        "bolt"
      ],
      "tags": [
        "hallucination",
        "supply-chain",
        "typosquatting",
        "ai-generated-code",
        "npm",
        "pypi"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/ongoing-slopsquatting.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/ongoing-slopsquatting.md"
    },
    {
      "id": "ongoing-vibe-platform-exposure",
      "title": "Vibe-coded app data exposure \u2014 Lovable, Bolt, Replit, Base44 pattern issues",
      "description": "Systemic data exposure across vibe-coding platforms in 2025\u20132026. Lovable: 16 critical flaws documented + a BOLA report left open 48 days. Bolt: env-var leakage in client bundles. Replit: secrets\u2026",
      "severity": "high",
      "status": "ongoing",
      "date_disclosed": "2025",
      "last_updated": "2026-06-17",
      "ecosystems": [
        "lovable",
        "bolt",
        "replit",
        "v0",
        "supabase",
        "base44"
      ],
      "tools_affected": [
        "lovable",
        "bolt",
        "replit",
        "v0",
        "base44"
      ],
      "tags": [
        "data-exposure",
        "rls",
        "env-vars",
        "bola",
        "vibe-platform",
        "configuration",
        "auth-bypass"
      ],
      "url": "https://pranava0x0.github.io/vibe-coding-security/advisories/ongoing-vibe-platform-exposure.html",
      "markdown_url": "https://pranava0x0.github.io/vibe-coding-security/advisories/ongoing-vibe-platform-exposure.md"
    }
  ]
}