One file per incident. Latest at the top.

Date disclosed ID Severity Status
2026-07-04 Rollup polyfill impersonation — 6 npm packages drop full RAT, tentatively linked to Lazarus high contained
2026-07-01 Claude Desktop personalization-sync prompt injection → reverse shell — Anthropic calls it expected functionality high active
2026-03-01 PolinRider — DPRK-linked campaign backdoors npm, Packagist, Go, and a Chrome extension via maintainer-account takeover high active
2026-01-20 SvelteSpill — SvelteKit + Vercel cache deception exposes authenticated responses (CVE-2026-27118) high patched
2026-06-25 Cursor DuneSlide — two CVSS 9.8 zero-click prompt-injection-to-RCE flaws (CVE-2026-50548, CVE-2026-50549) critical patched
2026-04-06 Vite dev-server WebSocket arbitrary file read + fs.deny bypasses (CVE-2026-39363, CVE-2026-39364, CVE-2026-39365) high patched
2026-04-02 Claude Code deny-rule bypass via 50-subcommand parser cap (silently patched v2.1.90) high patched
2026-04-29 Claude Code GitHub Action's unsandboxed Read tool leaks CI/CD secrets via /proc/self/environ (patched 2.1.128) high patched
2026-05-29 Dependency-confusion recon campaign — 4 waves, escalated to full credential theft high active
2026-05-14 Svelte CVE-2026-42573 — DOM clobbering of internal framework state leads to XSS medium patched
2026-03-18 Claudy Day — three chained Claude.ai flaws exfiltrate conversation history via hidden URL-parameter prompt injection high mitigated
2026-06-25 Operation Navy Ghost — 8 fake pyrogram packages backdoor Telegram bot servers via victim's own bot token as C2 (~24K installs) high unconfirmed
2026-06-25 Mozilla 0DIN DNS Setup Trap — clean GitHub repos trick Claude Code into reverse shell via DNS-TXT record command injection (no patch) high active
2026-06-26 Amazon Q Developer CVE-2026-12957 + CVE-2026-12958 — auto-loading .amazonq/mcp.json ran attacker code with live AWS credentials on repo open (patched) high patched
2026-06-24 Miasma LeoPlatform + Go wave — 20 npm packages + Go module + 1,442 GitHub Actions repos compromised via Phantom Gyp (binding.gyp) in 3-second burst critical active
2026-06-22 Dify DifyTap — 4 CVEs (top CVSS 9.4) allow cross-tenant AI conversation exfiltration across 1M+ apps; patched 1.14.2 high patched
2026-06-24 Cordyceps — GitHub Actions CI/CD misconfiguration class exposes 300+ repos (Microsoft, Google, Cloudflare) to PR-based code execution and credential theft high active
2026-05-07 TrustFall — Claude Code, Cursor CLI, Gemini CLI, Copilot CLI, Codex CLI auto-execute MCP servers on folder-trust dialog (no patch; Anthropic won't fix) high active
2026-06-15 Microsoft 365 Copilot SearchLeak (CVE-2026-42824) — 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass high patched
2026-06-18 IDEsaster — 30+ flaws (24 CVEs) in Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed, Roo Code, Junie, Cline high active
2026-06-16 Langflow CVE-2026-5027 — unauthenticated path traversal → RCE via file upload (distinct from CVE-2026-33017) high patched
2026-06-14 PromptSnatcher — malicious Chrome ad-blocker extensions intercept AI chatbot conversations from 900K users high active
2026-06-13 AutoJack — AutoGen Studio 3-flaw chain: browsing agent + unauthenticated MCP WebSocket = localhost RCE high patched
2026-06-17 15 malicious JetBrains Marketplace plugins steal AI provider API keys on entry (70K+ installs) high active
2026-06-17 Mastra AI npm namespace compromise — 145 packages backdoored via hijacked contributor account critical active
2026-06-12 Klue AI integration breach — Icarus extortion group steals OAuth tokens; CRM data exfiltrated from Huntress and Recorded Future high contained
2026-06-11 Atomic Arch — AUR supply-chain attack: 1,500+ packages hijacked via orphaned-package takeover; eBPF rootkit high active
2026-06-15 Claude Code MCP OAuth token hijack via malicious npm postinstall hook — Anthropic won't fix high active
2026-06-13 Solana FakeFix Campaign — 25 malicious npm + PyPI packages steal wallet keys via GitHub issue spam high active
2026-06-12 Agentjacking — Sentry DSN injection via MCP poisons AI coding agent context (2,388 orgs exposed) high active
2026-06-10 onering Rust crate compromised — build.rs exfiltrates source-code diffs as fake Sentry telemetry high unconfirmed
2026-06-10 Streamlit CVE-2026-33682 — unauthenticated SSRF on Windows leaks NTLMv2 credentials high patched
2026-06-10 SymJack — symlink hijacking tricks AI coding agents into registering attacker-controlled MCP servers high mitigated
2026-06-09 LangGraph RCE chain — SQLite SQL injection + msgpack deserialization → arbitrary code execution critical patched
2026-06-08 Hades Campaign — 19 PyPI bioinformatics + MCP-developer packages poisoned with Bun credential stealer (June 2026) critical active
2026-06-05 Miasma Wave 5 — 73 Microsoft Azure GitHub repos + mantine-datatable poisoned; payload auto-fires via Claude Code / Cursor / Gemini CLI critical contained
2026-06-04 IronWorm — Rust npm worm with eBPF kernel rootkit + Tor C2 (36 packages) critical active
2026-06-06 Gluestack @react-native-aria RAT via compromised contributor token critical contained
2026-06-04 Phantom Gyp — Miasma wave 4: self-propagating npm worm via binding.gyp (57 packages) critical active
2026-06-04 Claude Code GitHub Actions [bot] trust bypass — supply chain risk (patched v1.0.94) high patched
2026-06-01 Cline CVE-2026-44211 — cross-origin WebSocket hijack → 1-click RCE critical active
2026-06-01 codexui-android npm — OpenAI Codex auth-token stealer high active
2026-06-01 Miasma — @redhat-cloud-services npm scope compromised by Mini-Shai-Hulud-derived worm critical contained
2026-05-25 Cargo May 2026 security release — symlink-override + sparse-URL leak (CVE-2026-5223, CVE-2026-5222) medium patched
2026-05-22 Megalodon — mass GitHub-Actions workflow poisoning of 5,561 repos critical contained
2026-05-22 BadHost — Starlette host-header auth bypass blasts FastAPI, vLLM, LiteLLM, MCP servers (CVE-2026-48710) critical patched
2026-05-22 Composio AI-agent platform breach — LLM-augmented attacker registered malicious tool definitions in the sandbox high contained
2026-05-22 TrapDoor — cross-ecosystem stealer poisons .cursorrules / CLAUDE.md critical active
2026-05-20 Claude Code network-sandbox SOCKS5 null-byte bypass high patched
2026-05-20 TeamPCP breaches GitHub internal repos via poisoned VS Code extension high contained
2026-05-19 Mini Shai-Hulud May 19 wave — @antv npm + Microsoft durabletask PyPI critical active
2026-05-18 Shai-Hulud copycats after the worm source went public high active
2026-05-18 Nx Console VS Code extension compromise (nrwl.angular-console 18.95.0) critical contained
2026-05-12 Claude Code claude-cli:// deeplink RCE (2.1.118) critical patched
2026-05 WhiteCobra — VS Code / Cursor / Windsurf / Open VSX crypto-stealer campaign (July 2025 → ongoing) high active
2026-05 PCPJack — credential-stealing counter-worm that removes TeamPCP infections high active
2026-05-06 ClaudeBleed — Claude in Chrome extension hijack high mitigated
2026-05-13 OpenClaw "Claw Chain" — 4 sandbox-escape CVEs critical patched
2026-05-13 Systemic MCP stdio RCE class high mitigated
2026-05-14 node-ipc compromise critical active
2026-05-11 PraisonAI auth bypass (CVE-2026-44338) high patched
2026-05-11 Mini Shai-Hulud wave — TanStack/Mistral/UiPath/OpenSearch critical active
2026-05-08 Cursor open-folder + Git-hook RCE high patched
2026-05-07 Microsoft Semantic Kernel RCE (CVE-2026-25592 / CVE-2026-26030) critical patched
2026-05-06 Next.js + React May 2026 security release (13 CVEs) high patched
2026-05 Windsurf zero-click MCP RCE (CVE-2026-30615) critical patched
2026-04-30 PyTorch Lightning + intercom-client (Mini Shai-Hulud) critical contained
2026-04-24 LiteLLM proxy pre-auth SQL injection (CVE-2026-42208, CISA KEV) critical patched
2026-04-24 elementary-data PyPI + GHCR compromise (malicious .pth auto-exec) critical contained
2026-04-23 Flowise RCE cluster — CVE-2025-59528 actively exploited + April Agent-node cluster (CVE-2026-41265 et al.) critical patched
2026-04-22 Bitwarden CLI backdoored — first AI-tool-cred-hunting supply-chain malware critical contained
2026-04-19 Vercel breach via Context.ai OAuth supply chain high contained
2026-04-08 Marimo notebook pre-auth RCE (CVE-2026-39987) critical patched
2026-04 Mini Shai-Hulud SAP packages high active
2026-04 "Comment and Control" PR prompt injection critical patched
2026-03 SGLang unauth RCE cluster — CVE-2026-3059 / CVE-2026-3060 (pickle ZMQ, CVSS 9.8) + CVE-2026-5760 (GGUF model RCE) critical patched
2026-03-12 TeamPCP breaches Trivy GitHub Actions → LiteLLM 1.82.7–1.82.8 backdoored critical contained
2026-03-31 Axios compromise critical contained
2026-03-31 Claude Code source-map leak medium contained
2026-03-27 OpenHands git-diff command injection (CVE-2026-33718) high patched
2026-02-25 Langflow CVE-2026-27966 — CSV Agent hardcodes allow_dangerous_code=True → prompt-injection RCE (CVSS 9.8) critical patched
2026-03-17 Langflow unauthenticated RCE (CVE-2026-33017) critical patched
2026-03-02 ModelScope ms-agent OS command injection (CVE-2026-2256) — unpatched, public PoC, CERT/CC advisory medium active
2026-03-11 Supabase Auth OIDC issuer-validation bypass (CVE-2026-31813) high patched
2026-02-28 Google Antigravity sandbox escape (Pillar) high patched
2026-02-17 Cline 2.3.0 supply-chain compromise (Clinejection → OpenClaw) critical contained
2026-02-17 SANDWORM_MODE — Shai-Hulud-style npm worm with MCP injection, CI implant, and 48-hour delayed activation critical active
2026-02-09 Claude Desktop Extensions (DXT) zero-click RCE — Anthropic won't fix critical active
2026-02-01 ClawHavoc — malicious-skill poisoning of OpenClaw's ClawHub marketplace high active
2026-01-26 OpenClaw 1-click RCE via WebSocket gateway-URL token theft (CVE-2026-25253) critical patched
2026-01-07 LangSmith CVE-2026-25750 unvalidated baseUrl → account takeover high patched
2026-01-12 OpenCode AI coding agent — twin localhost RCEs (CVE-2026-22812 + CVE-2026-22813) critical patched
2025-11-09 n8n Ni8mare (CVE-2026-21858, CVSS 10.0) — unauth RCE + credential theft in workflow automation critical patched
2025-12-28 Shai-Hulud 3.0 test payload — @vietmoney/react-big-calendar@0.26.2 high contained
2025-12-23 LangChain LangGrinch (CVE-2025-68664) + path traversal (CVE-2026-34070) critical patched
2025-12-05 React2Shell — CVE-2025-55182 RCE in React Server Components (CISA KEV, exploited through Apr 2026) critical patched
2026-01-05 AI IDEs recommend non-existent extensions — OpenVSX namespace hijack high mitigated
2025-11-24 Shai-Hulud "Second Coming" critical contained
2025-10-21 Cursor & Windsurf ship stale Chromium — 94+ n-day vulns high active
2025-10 Windsurf path-traversal via prompt-injected README (CVE-2025-62353) critical patched
2025-10-17 GlassWorm — self-propagating VS Code / Open VSX worm high active
2025-09-17 postmark-mcp backdoor high contained
2025-09-15 Shai-Hulud original critical contained
2025-09-08 qix npm account compromise critical contained
2025-09-01 Lies in the Loop (LITL) — approval-dialog padding hides malicious commands below the fold; no vendor fix (Claude Code, VS Code Copilot) high active
2025-08-26 Salesloft Drift OAuth Breach — UNC6395 steals Salesforce CRM data from Cloudflare, Palo Alto, Zscaler and hundreds of orgs high contained
2025-08-26 Nx s1ngularity critical contained
2025-08 → ongoing Claude Code InversePrompt (multiple CVEs) medium patched
2025-07-17 Amazon Q VS Code wiper medium contained
2025-07 Cursor CurXecute / MCPoison high patched
2025-07 Supabase MCP lethal trifecta high mitigated
2025-06-25 VSXPloit — Open VSX nightly build pipeline token theft; 8M+ developers at risk (patched June 2025) high patched
ongoing Slopsquatting medium ongoing
ongoing Vibe platform data exposure high ongoing

Severity

  • critical — active credential theft, RCE, or supply-chain worm. Drop everything.
  • high — practical exploitation path, requires action if you use the affected tool.
  • medium — pattern of attack worth knowing, mitigation usually exists.

Status

  • active — malware still in registry, attack still propagating, or no patch yet.
  • contained — package removed / patch shipped, but old lockfiles still vulnerable.
  • patched — vendor fix released; update and you're fine.
  • mitigated — design-level fix or workaround available, no perfect patch.
  • ongoing — class of attack that keeps recurring; treat as evergreen.

Format

Every advisory uses the same skeleton. See CONTRIBUTING.md for the template.