| 2026-07-04 |
Rollup polyfill impersonation — 6 npm packages drop full RAT, tentatively linked to Lazarus |
high |
contained |
| 2026-07-01 |
Claude Desktop personalization-sync prompt injection → reverse shell — Anthropic calls it expected functionality |
high |
active |
| 2026-03-01 |
PolinRider — DPRK-linked campaign backdoors npm, Packagist, Go, and a Chrome extension via maintainer-account takeover |
high |
active |
| 2026-01-20 |
SvelteSpill — SvelteKit + Vercel cache deception exposes authenticated responses (CVE-2026-27118) |
high |
patched |
| 2026-06-25 |
Cursor DuneSlide — two CVSS 9.8 zero-click prompt-injection-to-RCE flaws (CVE-2026-50548, CVE-2026-50549) |
critical |
patched |
| 2026-04-06 |
Vite dev-server WebSocket arbitrary file read + fs.deny bypasses (CVE-2026-39363, CVE-2026-39364, CVE-2026-39365) |
high |
patched |
| 2026-04-02 |
Claude Code deny-rule bypass via 50-subcommand parser cap (silently patched v2.1.90) |
high |
patched |
| 2026-04-29 |
Claude Code GitHub Action's unsandboxed Read tool leaks CI/CD secrets via /proc/self/environ (patched 2.1.128) |
high |
patched |
| 2026-05-29 |
Dependency-confusion recon campaign — 4 waves, escalated to full credential theft |
high |
active |
| 2026-05-14 |
Svelte CVE-2026-42573 — DOM clobbering of internal framework state leads to XSS |
medium |
patched |
| 2026-03-18 |
Claudy Day — three chained Claude.ai flaws exfiltrate conversation history via hidden URL-parameter prompt injection |
high |
mitigated |
| 2026-06-25 |
Operation Navy Ghost — 8 fake pyrogram packages backdoor Telegram bot servers via victim's own bot token as C2 (~24K installs) |
high |
unconfirmed |
| 2026-06-25 |
Mozilla 0DIN DNS Setup Trap — clean GitHub repos trick Claude Code into reverse shell via DNS-TXT record command injection (no patch) |
high |
active |
| 2026-06-26 |
Amazon Q Developer CVE-2026-12957 + CVE-2026-12958 — auto-loading .amazonq/mcp.json ran attacker code with live AWS credentials on repo open (patched) |
high |
patched |
| 2026-06-24 |
Miasma LeoPlatform + Go wave — 20 npm packages + Go module + 1,442 GitHub Actions repos compromised via Phantom Gyp (binding.gyp) in 3-second burst |
critical |
active |
| 2026-06-22 |
Dify DifyTap — 4 CVEs (top CVSS 9.4) allow cross-tenant AI conversation exfiltration across 1M+ apps; patched 1.14.2 |
high |
patched |
| 2026-06-24 |
Cordyceps — GitHub Actions CI/CD misconfiguration class exposes 300+ repos (Microsoft, Google, Cloudflare) to PR-based code execution and credential theft |
high |
active |
| 2026-05-07 |
TrustFall — Claude Code, Cursor CLI, Gemini CLI, Copilot CLI, Codex CLI auto-execute MCP servers on folder-trust dialog (no patch; Anthropic won't fix) |
high |
active |
| 2026-06-15 |
Microsoft 365 Copilot SearchLeak (CVE-2026-42824) — 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass |
high |
patched |
| 2026-06-18 |
IDEsaster — 30+ flaws (24 CVEs) in Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed, Roo Code, Junie, Cline |
high |
active |
| 2026-06-16 |
Langflow CVE-2026-5027 — unauthenticated path traversal → RCE via file upload (distinct from CVE-2026-33017) |
high |
patched |
| 2026-06-14 |
PromptSnatcher — malicious Chrome ad-blocker extensions intercept AI chatbot conversations from 900K users |
high |
active |
| 2026-06-13 |
AutoJack — AutoGen Studio 3-flaw chain: browsing agent + unauthenticated MCP WebSocket = localhost RCE |
high |
patched |
| 2026-06-17 |
15 malicious JetBrains Marketplace plugins steal AI provider API keys on entry (70K+ installs) |
high |
active |
| 2026-06-17 |
Mastra AI npm namespace compromise — 145 packages backdoored via hijacked contributor account |
critical |
active |
| 2026-06-12 |
Klue AI integration breach — Icarus extortion group steals OAuth tokens; CRM data exfiltrated from Huntress and Recorded Future |
high |
contained |
| 2026-06-11 |
Atomic Arch — AUR supply-chain attack: 1,500+ packages hijacked via orphaned-package takeover; eBPF rootkit |
high |
active |
| 2026-06-15 |
Claude Code MCP OAuth token hijack via malicious npm postinstall hook — Anthropic won't fix |
high |
active |
| 2026-06-13 |
Solana FakeFix Campaign — 25 malicious npm + PyPI packages steal wallet keys via GitHub issue spam |
high |
active |
| 2026-06-12 |
Agentjacking — Sentry DSN injection via MCP poisons AI coding agent context (2,388 orgs exposed) |
high |
active |
| 2026-06-10 |
onering Rust crate compromised — build.rs exfiltrates source-code diffs as fake Sentry telemetry |
high |
unconfirmed |
| 2026-06-10 |
Streamlit CVE-2026-33682 — unauthenticated SSRF on Windows leaks NTLMv2 credentials |
high |
patched |
| 2026-06-10 |
SymJack — symlink hijacking tricks AI coding agents into registering attacker-controlled MCP servers |
high |
mitigated |
| 2026-06-09 |
LangGraph RCE chain — SQLite SQL injection + msgpack deserialization → arbitrary code execution |
critical |
patched |
| 2026-06-08 |
Hades Campaign — 19 PyPI bioinformatics + MCP-developer packages poisoned with Bun credential stealer (June 2026) |
critical |
active |
| 2026-06-05 |
Miasma Wave 5 — 73 Microsoft Azure GitHub repos + mantine-datatable poisoned; payload auto-fires via Claude Code / Cursor / Gemini CLI |
critical |
contained |
| 2026-06-04 |
IronWorm — Rust npm worm with eBPF kernel rootkit + Tor C2 (36 packages) |
critical |
active |
| 2026-06-06 |
Gluestack @react-native-aria RAT via compromised contributor token |
critical |
contained |
| 2026-06-04 |
Phantom Gyp — Miasma wave 4: self-propagating npm worm via binding.gyp (57 packages) |
critical |
active |
| 2026-06-04 |
Claude Code GitHub Actions [bot] trust bypass — supply chain risk (patched v1.0.94) |
high |
patched |
| 2026-06-01 |
Cline CVE-2026-44211 — cross-origin WebSocket hijack → 1-click RCE |
critical |
active |
| 2026-06-01 |
codexui-android npm — OpenAI Codex auth-token stealer |
high |
active |
| 2026-06-01 |
Miasma — @redhat-cloud-services npm scope compromised by Mini-Shai-Hulud-derived worm |
critical |
contained |
| 2026-05-25 |
Cargo May 2026 security release — symlink-override + sparse-URL leak (CVE-2026-5223, CVE-2026-5222) |
medium |
patched |
| 2026-05-22 |
Megalodon — mass GitHub-Actions workflow poisoning of 5,561 repos |
critical |
contained |
| 2026-05-22 |
BadHost — Starlette host-header auth bypass blasts FastAPI, vLLM, LiteLLM, MCP servers (CVE-2026-48710) |
critical |
patched |
| 2026-05-22 |
Composio AI-agent platform breach — LLM-augmented attacker registered malicious tool definitions in the sandbox |
high |
contained |
| 2026-05-22 |
TrapDoor — cross-ecosystem stealer poisons .cursorrules / CLAUDE.md |
critical |
active |
| 2026-05-20 |
Claude Code network-sandbox SOCKS5 null-byte bypass |
high |
patched |
| 2026-05-20 |
TeamPCP breaches GitHub internal repos via poisoned VS Code extension |
high |
contained |
| 2026-05-19 |
Mini Shai-Hulud May 19 wave — @antv npm + Microsoft durabletask PyPI |
critical |
active |
| 2026-05-18 |
Shai-Hulud copycats after the worm source went public |
high |
active |
| 2026-05-18 |
Nx Console VS Code extension compromise (nrwl.angular-console 18.95.0) |
critical |
contained |
| 2026-05-12 |
Claude Code claude-cli:// deeplink RCE (2.1.118) |
critical |
patched |
| 2026-05 |
WhiteCobra — VS Code / Cursor / Windsurf / Open VSX crypto-stealer campaign (July 2025 → ongoing) |
high |
active |
| 2026-05 |
PCPJack — credential-stealing counter-worm that removes TeamPCP infections |
high |
active |
| 2026-05-06 |
ClaudeBleed — Claude in Chrome extension hijack |
high |
mitigated |
| 2026-05-13 |
OpenClaw "Claw Chain" — 4 sandbox-escape CVEs |
critical |
patched |
| 2026-05-13 |
Systemic MCP stdio RCE class |
high |
mitigated |
| 2026-05-14 |
node-ipc compromise |
critical |
active |
| 2026-05-11 |
PraisonAI auth bypass (CVE-2026-44338) |
high |
patched |
| 2026-05-11 |
Mini Shai-Hulud wave — TanStack/Mistral/UiPath/OpenSearch |
critical |
active |
| 2026-05-08 |
Cursor open-folder + Git-hook RCE |
high |
patched |
| 2026-05-07 |
Microsoft Semantic Kernel RCE (CVE-2026-25592 / CVE-2026-26030) |
critical |
patched |
| 2026-05-06 |
Next.js + React May 2026 security release (13 CVEs) |
high |
patched |
| 2026-05 |
Windsurf zero-click MCP RCE (CVE-2026-30615) |
critical |
patched |
| 2026-04-30 |
PyTorch Lightning + intercom-client (Mini Shai-Hulud) |
critical |
contained |
| 2026-04-24 |
LiteLLM proxy pre-auth SQL injection (CVE-2026-42208, CISA KEV) |
critical |
patched |
| 2026-04-24 |
elementary-data PyPI + GHCR compromise (malicious .pth auto-exec) |
critical |
contained |
| 2026-04-23 |
Flowise RCE cluster — CVE-2025-59528 actively exploited + April Agent-node cluster (CVE-2026-41265 et al.) |
critical |
patched |
| 2026-04-22 |
Bitwarden CLI backdoored — first AI-tool-cred-hunting supply-chain malware |
critical |
contained |
| 2026-04-19 |
Vercel breach via Context.ai OAuth supply chain |
high |
contained |
| 2026-04-08 |
Marimo notebook pre-auth RCE (CVE-2026-39987) |
critical |
patched |
| 2026-04 |
Mini Shai-Hulud SAP packages |
high |
active |
| 2026-04 |
"Comment and Control" PR prompt injection |
critical |
patched |
| 2026-03 |
SGLang unauth RCE cluster — CVE-2026-3059 / CVE-2026-3060 (pickle ZMQ, CVSS 9.8) + CVE-2026-5760 (GGUF model RCE) |
critical |
patched |
| 2026-03-12 |
TeamPCP breaches Trivy GitHub Actions → LiteLLM 1.82.7–1.82.8 backdoored |
critical |
contained |
| 2026-03-31 |
Axios compromise |
critical |
contained |
| 2026-03-31 |
Claude Code source-map leak |
medium |
contained |
| 2026-03-27 |
OpenHands git-diff command injection (CVE-2026-33718) |
high |
patched |
| 2026-02-25 |
Langflow CVE-2026-27966 — CSV Agent hardcodes allow_dangerous_code=True → prompt-injection RCE (CVSS 9.8) |
critical |
patched |
| 2026-03-17 |
Langflow unauthenticated RCE (CVE-2026-33017) |
critical |
patched |
| 2026-03-02 |
ModelScope ms-agent OS command injection (CVE-2026-2256) — unpatched, public PoC, CERT/CC advisory |
medium |
active |
| 2026-03-11 |
Supabase Auth OIDC issuer-validation bypass (CVE-2026-31813) |
high |
patched |
| 2026-02-28 |
Google Antigravity sandbox escape (Pillar) |
high |
patched |
| 2026-02-17 |
Cline 2.3.0 supply-chain compromise (Clinejection → OpenClaw) |
critical |
contained |
| 2026-02-17 |
SANDWORM_MODE — Shai-Hulud-style npm worm with MCP injection, CI implant, and 48-hour delayed activation |
critical |
active |
| 2026-02-09 |
Claude Desktop Extensions (DXT) zero-click RCE — Anthropic won't fix |
critical |
active |
| 2026-02-01 |
ClawHavoc — malicious-skill poisoning of OpenClaw's ClawHub marketplace |
high |
active |
| 2026-01-26 |
OpenClaw 1-click RCE via WebSocket gateway-URL token theft (CVE-2026-25253) |
critical |
patched |
| 2026-01-07 |
LangSmith CVE-2026-25750 unvalidated baseUrl → account takeover |
high |
patched |
| 2026-01-12 |
OpenCode AI coding agent — twin localhost RCEs (CVE-2026-22812 + CVE-2026-22813) |
critical |
patched |
| 2025-11-09 |
n8n Ni8mare (CVE-2026-21858, CVSS 10.0) — unauth RCE + credential theft in workflow automation |
critical |
patched |
| 2025-12-28 |
Shai-Hulud 3.0 test payload — @vietmoney/react-big-calendar@0.26.2 |
high |
contained |
| 2025-12-23 |
LangChain LangGrinch (CVE-2025-68664) + path traversal (CVE-2026-34070) |
critical |
patched |
| 2025-12-05 |
React2Shell — CVE-2025-55182 RCE in React Server Components (CISA KEV, exploited through Apr 2026) |
critical |
patched |
| 2026-01-05 |
AI IDEs recommend non-existent extensions — OpenVSX namespace hijack |
high |
mitigated |
| 2025-11-24 |
Shai-Hulud "Second Coming" |
critical |
contained |
| 2025-10-21 |
Cursor & Windsurf ship stale Chromium — 94+ n-day vulns |
high |
active |
| 2025-10 |
Windsurf path-traversal via prompt-injected README (CVE-2025-62353) |
critical |
patched |
| 2025-10-17 |
GlassWorm — self-propagating VS Code / Open VSX worm |
high |
active |
| 2025-09-17 |
postmark-mcp backdoor |
high |
contained |
| 2025-09-15 |
Shai-Hulud original |
critical |
contained |
| 2025-09-08 |
qix npm account compromise |
critical |
contained |
| 2025-09-01 |
Lies in the Loop (LITL) — approval-dialog padding hides malicious commands below the fold; no vendor fix (Claude Code, VS Code Copilot) |
high |
active |
| 2025-08-26 |
Salesloft Drift OAuth Breach — UNC6395 steals Salesforce CRM data from Cloudflare, Palo Alto, Zscaler and hundreds of orgs |
high |
contained |
| 2025-08-26 |
Nx s1ngularity |
critical |
contained |
| 2025-08 → ongoing |
Claude Code InversePrompt (multiple CVEs) |
medium |
patched |
| 2025-07-17 |
Amazon Q VS Code wiper |
medium |
contained |
| 2025-07 |
Cursor CurXecute / MCPoison |
high |
patched |
| 2025-07 |
Supabase MCP lethal trifecta |
high |
mitigated |
| 2025-06-25 |
VSXPloit — Open VSX nightly build pipeline token theft; 8M+ developers at risk (patched June 2025) |
high |
patched |
| ongoing |
Slopsquatting |
medium |
ongoing |
| ongoing |
Vibe platform data exposure |
high |
ongoing |