# Advisories

One file per incident. Latest at the top.

| Date disclosed | ID | Severity | Status |
|---|---|---|---|
| 2026-07-04 | [Rollup polyfill impersonation — 6 npm packages drop full RAT, tentatively linked to Lazarus](2026-07-rollup-polyfill-npm-lazarus.md) | high | contained |
| 2026-07-01 | [Claude Desktop personalization-sync prompt injection → reverse shell — Anthropic calls it expected functionality](2026-07-claude-desktop-personalization-sync-rce.md) | high | active |
| 2026-03-01 | [PolinRider — DPRK-linked campaign backdoors npm, Packagist, Go, and a Chrome extension via maintainer-account takeover](2026-03-polinrider-multi-ecosystem-dprk-campaign.md) | high | active |
| 2026-01-20 | [SvelteSpill — SvelteKit + Vercel cache deception exposes authenticated responses (CVE-2026-27118)](2026-01-sveltespill-sveltekit-vercel-cache-deception.md) | high | patched |
| 2026-06-25 | [Cursor DuneSlide — two CVSS 9.8 zero-click prompt-injection-to-RCE flaws (CVE-2026-50548, CVE-2026-50549)](2026-06-cursor-duneslide-zeroclick-rce.md) | critical | patched |
| 2026-04-06 | [Vite dev-server WebSocket arbitrary file read + fs.deny bypasses (CVE-2026-39363, CVE-2026-39364, CVE-2026-39365)](2026-04-vite-dev-server-file-read.md) | high | patched |
| 2026-04-02 | [Claude Code deny-rule bypass via 50-subcommand parser cap (silently patched v2.1.90)](2026-04-claude-code-subcommand-deny-bypass.md) | high | patched |
| 2026-04-29 | [Claude Code GitHub Action's unsandboxed Read tool leaks CI/CD secrets via /proc/self/environ (patched 2.1.128)](2026-04-claude-code-action-procfs-credential-leak.md) | high | patched |
| 2026-05-29 | [Dependency-confusion recon campaign — 4 waves, escalated to full credential theft](2026-05-npm-dependency-confusion-recon-campaign.md) | high | active |
| 2026-05-14 | [Svelte CVE-2026-42573 — DOM clobbering of internal framework state leads to XSS](2026-05-svelte-dom-clobbering-xss.md) | medium | patched |
| 2026-03-18 | [Claudy Day — three chained Claude.ai flaws exfiltrate conversation history via hidden URL-parameter prompt injection](2026-03-claudy-day-claude-ai-exfiltration.md) | high | mitigated |
| 2026-06-25 | [Operation Navy Ghost — 8 fake pyrogram packages backdoor Telegram bot servers via victim's own bot token as C2 (~24K installs)](2026-06-operation-navy-ghost-pyrogram.md) | high | unconfirmed |
| 2026-06-25 | [Mozilla 0DIN DNS Setup Trap — clean GitHub repos trick Claude Code into reverse shell via DNS-TXT record command injection (no patch)](2026-06-0din-dns-setup-trap.md) | high | active |
| 2026-06-26 | [Amazon Q Developer CVE-2026-12957 + CVE-2026-12958 — auto-loading .amazonq/mcp.json ran attacker code with live AWS credentials on repo open (patched)](2026-06-amazon-q-mcp-workspace-rce.md) | high | patched |
| 2026-06-24 | [Miasma LeoPlatform + Go wave — 20 npm packages + Go module + 1,442 GitHub Actions repos compromised via Phantom Gyp (binding.gyp) in 3-second burst](2026-06-miasma-leoplatform-go-wave.md) | critical | active |
| 2026-06-22 | [Dify DifyTap — 4 CVEs (top CVSS 9.4) allow cross-tenant AI conversation exfiltration across 1M+ apps; patched 1.14.2](2026-06-dify-difytap-cross-tenant-exfil.md) | high | patched |
| 2026-06-24 | [Cordyceps — GitHub Actions CI/CD misconfiguration class exposes 300+ repos (Microsoft, Google, Cloudflare) to PR-based code execution and credential theft](2026-06-cordyceps-cicd-github-actions.md) | high | active |
| 2026-05-07 | [TrustFall — Claude Code, Cursor CLI, Gemini CLI, Copilot CLI, Codex CLI auto-execute MCP servers on folder-trust dialog (no patch; Anthropic won't fix)](2026-05-trustfall-mcp-auto-execute.md) | high | active |
| 2026-06-15 | [Microsoft 365 Copilot SearchLeak (CVE-2026-42824) — 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass](2026-06-copilot-searchleak-cve-2026-42824.md) | high | patched |
| 2026-06-18 | [IDEsaster — 30+ flaws (24 CVEs) in Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed, Roo Code, Junie, Cline](2026-06-idessaster-ai-ide-cve-cluster.md) | high | active |
| 2026-06-16 | [Langflow CVE-2026-5027 — unauthenticated path traversal → RCE via file upload (distinct from CVE-2026-33017)](2026-06-langflow-cve-2026-5027-path-traversal.md) | high | patched |
| 2026-06-14 | [PromptSnatcher — malicious Chrome ad-blocker extensions intercept AI chatbot conversations from 900K users](2026-06-promptsnatcher-chrome-ai-chat-stealer.md) | high | active |
| 2026-06-13 | [AutoJack — AutoGen Studio 3-flaw chain: browsing agent + unauthenticated MCP WebSocket = localhost RCE](2026-06-autojack-autogen-studio-mcp-rce.md) | high | patched |
| 2026-06-17 | [15 malicious JetBrains Marketplace plugins steal AI provider API keys on entry (70K+ installs)](2026-06-jetbrains-ide-plugins-ai-key-theft.md) | high | active |
| 2026-06-17 | [Mastra AI npm namespace compromise — 145 packages backdoored via hijacked contributor account](2026-06-mastra-ai-npm-compromise.md) | critical | active |
| 2026-06-12 | [Klue AI integration breach — Icarus extortion group steals OAuth tokens; CRM data exfiltrated from Huntress and Recorded Future](2026-06-klue-icarus-oauth-breach.md) | high | contained |
| 2026-06-11 | [Atomic Arch — AUR supply-chain attack: 1,500+ packages hijacked via orphaned-package takeover; eBPF rootkit](2026-06-arch-linux-aur-supply-chain.md) | high | active |
| 2026-06-15 | [Claude Code MCP OAuth token hijack via malicious npm postinstall hook — Anthropic won't fix](2026-06-claude-code-mcp-oauth-hijack.md) | high | active |
| 2026-06-13 | [Solana FakeFix Campaign — 25 malicious npm + PyPI packages steal wallet keys via GitHub issue spam](2026-06-solana-fakefix-campaign.md) | high | active |
| 2026-06-12 | [Agentjacking — Sentry DSN injection via MCP poisons AI coding agent context (2,388 orgs exposed)](2026-06-agentjacking-sentry-mcp-injection.md) | high | active |
| 2026-06-10 | [onering Rust crate compromised — build.rs exfiltrates source-code diffs as fake Sentry telemetry](2026-06-onering-rust-crate-compromise.md) | high | unconfirmed |
| 2026-06-10 | [Streamlit CVE-2026-33682 — unauthenticated SSRF on Windows leaks NTLMv2 credentials](2026-06-streamlit-ssrf-windows.md) | high | patched |
| 2026-06-10 | [SymJack — symlink hijacking tricks AI coding agents into registering attacker-controlled MCP servers](2026-06-symjack-ai-coding-agent-mcp-symlink.md) | high | mitigated |
| 2026-06-09 | [LangGraph RCE chain — SQLite SQL injection + msgpack deserialization → arbitrary code execution](2026-06-langgraph-rce-chain.md) | critical | patched |
| 2026-06-08 | [Hades Campaign — 19 PyPI bioinformatics + MCP-developer packages poisoned with Bun credential stealer (June 2026)](2026-06-hades-campaign-pypi-mcp-attack.md) | critical | active |
| 2026-06-05 | [Miasma Wave 5 — 73 Microsoft Azure GitHub repos + mantine-datatable poisoned; payload auto-fires via Claude Code / Cursor / Gemini CLI](2026-06-miasma-wave5-microsoft-azure-github.md) | critical | contained |
| 2026-06-04 | [IronWorm — Rust npm worm with eBPF kernel rootkit + Tor C2 (36 packages)](2026-06-ironworm-npm-rust-ebpf.md) | critical | active |
| 2026-06-06 | [Gluestack @react-native-aria RAT via compromised contributor token](2026-06-gluestack-react-native-aria-rat.md) | critical | contained |
| 2026-06-04 | [Phantom Gyp — Miasma wave 4: self-propagating npm worm via binding.gyp (57 packages)](2026-06-phantom-gyp-miasma-wave4.md) | critical | active |
| 2026-06-04 | [Claude Code GitHub Actions [bot] trust bypass — supply chain risk (patched v1.0.94)](2026-06-claude-code-github-actions-bot-bypass.md) | high | patched |
| 2026-06-01 | [Cline CVE-2026-44211 — cross-origin WebSocket hijack → 1-click RCE](2026-06-cline-cve-2026-44211-websocket-rce.md) | critical | active |
| 2026-06-01 | [codexui-android npm — OpenAI Codex auth-token stealer](2026-06-codexui-android-codex-token-stealer.md) | high | active |
| 2026-06-01 | [Miasma — @redhat-cloud-services npm scope compromised by Mini-Shai-Hulud-derived worm](2026-06-miasma-redhat-cloud-services-compromise.md) | critical | contained |
| 2026-05-25 | [Cargo May 2026 security release — symlink-override + sparse-URL leak (CVE-2026-5223, CVE-2026-5222)](2026-05-cargo-symlink-sparse-url-cves.md) | medium | patched |
| 2026-05-22 | [Megalodon — mass GitHub-Actions workflow poisoning of 5,561 repos](2026-05-megalodon-github-actions-mass-campaign.md) | critical | contained |
| 2026-05-22 | [BadHost — Starlette host-header auth bypass blasts FastAPI, vLLM, LiteLLM, MCP servers (CVE-2026-48710)](2026-05-starlette-badhost-host-header-bypass.md) | critical | patched |
| 2026-05-22 | [Composio AI-agent platform breach — LLM-augmented attacker registered malicious tool definitions in the sandbox](2026-05-composio-ai-agent-platform-breach.md) | high | contained |
| 2026-05-22 | [TrapDoor — cross-ecosystem stealer poisons .cursorrules / CLAUDE.md](2026-05-trapdoor-cross-ecosystem-stealer.md) | critical | active |
| 2026-05-20 | [Claude Code network-sandbox SOCKS5 null-byte bypass](2026-05-claude-code-sandbox-socks5-bypass.md) | high | patched |
| 2026-05-20 | [TeamPCP breaches GitHub internal repos via poisoned VS Code extension](2026-05-teampcp-github-breach.md) | high | contained |
| 2026-05-19 | [Mini Shai-Hulud May 19 wave — @antv npm + Microsoft durabletask PyPI](2026-05-mini-shai-hulud-may19-wave.md) | critical | active |
| 2026-05-18 | [Shai-Hulud copycats after the worm source went public](2026-05-shai-hulud-copycat-wave.md) | high | active |
| 2026-05-18 | [Nx Console VS Code extension compromise (nrwl.angular-console 18.95.0)](2026-05-nx-console-vscode-compromise.md) | critical | contained |
| 2026-05-12 | [Claude Code `claude-cli://` deeplink RCE (2.1.118)](2026-05-claude-code-deeplink-rce.md) | critical | patched |
| 2026-05 | [WhiteCobra — VS Code / Cursor / Windsurf / Open VSX crypto-stealer campaign (July 2025 → ongoing)](2026-05-whitecobra-vscode-extensions.md) | high | active |
| 2026-05 | [PCPJack — credential-stealing counter-worm that removes TeamPCP infections](2026-05-pcpjack-counter-worm.md) | high | active |
| 2026-05-06 | [ClaudeBleed — Claude in Chrome extension hijack](2026-05-claudebleed-chrome-extension.md) | high | mitigated |
| 2026-05-13 | [OpenClaw "Claw Chain" — 4 sandbox-escape CVEs](2026-05-openclaw-claw-chain.md) | critical | patched |
| 2026-05-13 | [Systemic MCP stdio RCE class](2026-05-mcp-stdio-systemic-rce.md) | high | mitigated |
| 2026-05-14 | [node-ipc compromise](2026-05-node-ipc-compromise.md) | critical | active |
| 2026-05-11 | [PraisonAI auth bypass (CVE-2026-44338)](2026-05-praisonai-auth-bypass.md) | high | patched |
| 2026-05-11 | [Mini Shai-Hulud wave — TanStack/Mistral/UiPath/OpenSearch](2026-05-tanstack-mini-shai-hulud.md) | critical | active |
| 2026-05-08 | [Cursor open-folder + Git-hook RCE](2026-05-cursor-open-folder-autorun.md) | high | patched |
| 2026-05-07 | [Microsoft Semantic Kernel RCE (CVE-2026-25592 / CVE-2026-26030)](2026-05-semantic-kernel-rce.md) | critical | patched |
| 2026-05-06 | [Next.js + React May 2026 security release (13 CVEs)](2026-05-nextjs-react-security-release.md) | high | patched |
| 2026-05 | [Windsurf zero-click MCP RCE (CVE-2026-30615)](2026-05-windsurf-zero-click-mcp-rce.md) | critical | patched |
| 2026-04-30 | [PyTorch Lightning + intercom-client (Mini Shai-Hulud)](2026-04-pytorch-lightning-compromise.md) | critical | contained |
| 2026-04-24 | [LiteLLM proxy pre-auth SQL injection (CVE-2026-42208, CISA KEV)](2026-04-litellm-sql-injection.md) | critical | patched |
| 2026-04-24 | [elementary-data PyPI + GHCR compromise (malicious .pth auto-exec)](2026-04-elementary-data-pypi-ghcr-compromise.md) | critical | contained |
| 2026-04-23 | [Flowise RCE cluster — CVE-2025-59528 actively exploited + April Agent-node cluster (CVE-2026-41265 et al.)](2026-04-flowise-rce-cluster.md) | critical | patched |
| 2026-04-22 | [Bitwarden CLI backdoored — first AI-tool-cred-hunting supply-chain malware](2026-04-bitwarden-cli-shai-hulud-third-coming.md) | critical | contained |
| 2026-04-19 | [Vercel breach via Context.ai OAuth supply chain](2026-04-vercel-context-ai-breach.md) | high | contained |
| 2026-04-08 | [Marimo notebook pre-auth RCE (CVE-2026-39987)](2026-04-marimo-notebook-rce.md) | critical | patched |
| 2026-04 | [Mini Shai-Hulud SAP packages](2026-04-mini-shai-hulud-sap.md) | high | active |
| 2026-04 | ["Comment and Control" PR prompt injection](2026-04-comment-and-control-pr-injection.md) | critical | patched |
| 2026-03 | [SGLang unauth RCE cluster — CVE-2026-3059 / CVE-2026-3060 (pickle ZMQ, CVSS 9.8) + CVE-2026-5760 (GGUF model RCE)](2026-03-sglang-unauth-rce.md) | critical | patched |
| 2026-03-12 | [TeamPCP breaches Trivy GitHub Actions → LiteLLM 1.82.7–1.82.8 backdoored](2026-03-trivy-litellm-supply-chain.md) | critical | contained |
| 2026-03-31 | [Axios compromise](2026-03-axios-compromise.md) | critical | contained |
| 2026-03-31 | [Claude Code source-map leak](2026-03-claude-code-source-map-leak.md) | medium | contained |
| 2026-03-27 | [OpenHands git-diff command injection (CVE-2026-33718)](2026-03-openhands-git-diff-rce.md) | high | patched |
| 2026-02-25 | [Langflow CVE-2026-27966 — CSV Agent hardcodes `allow_dangerous_code=True` → prompt-injection RCE (CVSS 9.8)](2026-02-langflow-cve-2026-27966-csv-agent-rce.md) | critical | patched |
| 2026-03-17 | [Langflow unauthenticated RCE (CVE-2026-33017)](2026-03-langflow-rce.md) | critical | patched |
| 2026-03-02 | [ModelScope ms-agent OS command injection (CVE-2026-2256) — unpatched, public PoC, CERT/CC advisory](2026-03-msagent-cve-2026-2256-shell-injection.md) | medium | active |
| 2026-03-11 | [Supabase Auth OIDC issuer-validation bypass (CVE-2026-31813)](2026-03-supabase-auth-oidc-bypass.md) | high | patched |
| 2026-02-28 | [Google Antigravity sandbox escape (Pillar)](2026-02-google-antigravity-sandbox-escape.md) | high | patched |
| 2026-02-17 | [Cline 2.3.0 supply-chain compromise (Clinejection → OpenClaw)](2026-02-cline-clinejection.md) | critical | contained |
| 2026-02-17 | [SANDWORM_MODE — Shai-Hulud-style npm worm with MCP injection, CI implant, and 48-hour delayed activation](2026-02-sandworm-mode-npm-worm.md) | critical | active |
| 2026-02-09 | [Claude Desktop Extensions (DXT) zero-click RCE — Anthropic won't fix](2026-02-claude-desktop-extensions-rce.md) | critical | active |
| 2026-02-01 | [ClawHavoc — malicious-skill poisoning of OpenClaw's ClawHub marketplace](2026-02-clawhavoc-clawhub-skills.md) | high | active |
| 2026-01-26 | [OpenClaw 1-click RCE via WebSocket gateway-URL token theft (CVE-2026-25253)](2026-01-openclaw-cve-2026-25253-gatewayurl-rce.md) | critical | patched |
| 2026-01-07 | [LangSmith CVE-2026-25750 unvalidated baseUrl → account takeover](2026-01-langsmith-account-takeover.md) | high | patched |
| 2026-01-12 | [OpenCode AI coding agent — twin localhost RCEs (CVE-2026-22812 + CVE-2026-22813)](2026-01-opencode-localhost-rce.md) | critical | patched |
| 2025-11-09 | [n8n Ni8mare (CVE-2026-21858, CVSS 10.0) — unauth RCE + credential theft in workflow automation](2025-11-n8n-ni8mare-rce.md) | critical | patched |
| 2025-12-28 | [Shai-Hulud 3.0 test payload — @vietmoney/react-big-calendar@0.26.2](2025-12-shai-hulud-3-test-payload.md) | high | contained |
| 2025-12-23 | [LangChain LangGrinch (CVE-2025-68664) + path traversal (CVE-2026-34070)](2025-12-langchain-langgrinch.md) | critical | patched |
| 2025-12-05 | [React2Shell — CVE-2025-55182 RCE in React Server Components (CISA KEV, exploited through Apr 2026)](2025-12-react2shell-rce.md) | critical | patched |
| 2026-01-05 | [AI IDEs recommend non-existent extensions — OpenVSX namespace hijack](2026-01-vscode-fork-recommended-extension-hijack.md) | high | mitigated |
| 2025-11-24 | [Shai-Hulud "Second Coming"](2025-11-shai-hulud-second-coming.md) | critical | contained |
| 2025-10-21 | [Cursor & Windsurf ship stale Chromium — 94+ n-day vulns](2025-10-cursor-windsurf-chromium-ndays.md) | high | active |
| 2025-10 | [Windsurf path-traversal via prompt-injected README (CVE-2025-62353)](2025-10-windsurf-cve-2025-62353-path-traversal.md) | critical | patched |
| 2025-10-17 | [GlassWorm — self-propagating VS Code / Open VSX worm](2025-10-glassworm-vscode-worm.md) | high | active |
| 2025-09-17 | [postmark-mcp backdoor](2025-09-postmark-mcp-backdoor.md) | high | contained |
| 2025-09-15 | [Shai-Hulud original](2025-09-shai-hulud-original.md) | critical | contained |
| 2025-09-08 | [qix npm account compromise](2025-09-qix-compromise.md) | critical | contained |
| 2025-09-01 | [Lies in the Loop (LITL) — approval-dialog padding hides malicious commands below the fold; no vendor fix (Claude Code, VS Code Copilot)](2025-09-litl-ai-approval-dialog-bypass.md) | high | active |
| 2025-08-26 | [Salesloft Drift OAuth Breach — UNC6395 steals Salesforce CRM data from Cloudflare, Palo Alto, Zscaler and hundreds of orgs](2025-08-salesloft-drift-oauth-breach.md) | high | contained |
| 2025-08-26 | [Nx s1ngularity](2025-08-nx-s1ngularity.md) | critical | contained |
| 2025-08 → ongoing | [Claude Code InversePrompt (multiple CVEs)](2025-08-claude-code-inverseprompt.md) | medium | patched |
| 2025-07-17 | [Amazon Q VS Code wiper](2025-07-amazon-q-wiper.md) | medium | contained |
| 2025-07 | [Cursor CurXecute / MCPoison](2025-07-cursor-curxecute-mcpoison.md) | high | patched |
| 2025-07 | [Supabase MCP lethal trifecta](2025-07-supabase-mcp-lethal-trifecta.md) | high | mitigated |
| 2025-06-25 | [VSXPloit — Open VSX nightly build pipeline token theft; 8M+ developers at risk (patched June 2025)](2025-06-vsxploit-openvsx-build-token-theft.md) | high | patched |
| ongoing | [Slopsquatting](ongoing-slopsquatting.md) | medium | ongoing |
| ongoing | [Vibe platform data exposure](ongoing-vibe-platform-exposure.md) | high | ongoing |

## Severity

- **critical** — active credential theft, RCE, or supply-chain worm. Drop everything.
- **high** — practical exploitation path, requires action if you use the affected tool.
- **medium** — pattern of attack worth knowing, mitigation usually exists.

## Status

- **active** — malware still in registry, attack still propagating, or no patch yet.
- **contained** — package removed / patch shipped, but old lockfiles still vulnerable.
- **patched** — vendor fix released; update and you're fine.
- **mitigated** — design-level fix or workaround available, no perfect patch.
- **ongoing** — class of attack that keeps recurring; treat as evergreen.

## Format

Every advisory uses the same skeleton. See [CONTRIBUTING.md](../CONTRIBUTING.md) for the template.
