<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Vibe Coding · Security Issue Tracking</title>
  <link href="https://pranava0x0.github.io/vibe-coding-security/" rel="alternate"/>
  <link href="https://pranava0x0.github.io/vibe-coding-security/feed.xml" rel="self"/>
  <id>https://pranava0x0.github.io/vibe-coding-security/</id>
  <updated>2026-07-04T00:00:00Z</updated>
  <subtitle>Living index of supply-chain attacks, malicious MCP servers, and prompt-injection campaigns relevant to vibe coding.</subtitle>
  <generator>vibe-coding-security site builder</generator>
  <entry>
    <title>SvelteSpill — SvelteKit + Vercel cache deception exposes authenticated responses (CVE-2026-27118, Jan 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-sveltespill-sveltekit-vercel-cache-deception.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-sveltespill-sveltekit-vercel-cache-deception.html</id>
    <updated>2026-07-04T00:00:00Z</updated>
    <summary>Aikido Security's AI-assisted pentesting tooling discovered on 2026-01-20 that @sveltejs/adapter-vercel accepted a pathname query parameter intended purely for internal routing/rewriting, without…</summary>
    <category term="cache-deception"/>
    <category term="svelte"/>
    <category term="sveltekit"/>
    <category term="vercel"/>
    <category term="session-hijack"/>
    <category term="frontend"/>
  </entry>
  <entry>
    <title>PolinRider — ongoing DPRK-linked campaign backdoors npm, Packagist, Go, and a Chrome extension via maintainer-account takeover (Mar 2026–ongoing)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-polinrider-multi-ecosystem-dprk-campaign.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-polinrider-multi-ecosystem-dprk-campaign.html</id>
    <updated>2026-07-04T00:00:00Z</updated>
    <summary>First flagged by the OpenSourceMalware team around 2026-03, PolinRider involves DPRK-linked threat actors — tied to the broader Contagious Interview / Famous Chollima developer-targeting cluster —…</summary>
    <category term="supply-chain"/>
    <category term="dprk"/>
    <category term="account-takeover"/>
    <category term="git-history-rewrite"/>
    <category term="credential-theft"/>
    <category term="wallet-theft"/>
    <category term="cross-ecosystem"/>
  </entry>
  <entry>
    <title>Dependency-confusion recon campaign — 4 waves, 9+ corporate-scope impersonations, escalated to full credential theft (May–Jul 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-npm-dependency-confusion-recon-campaign.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-npm-dependency-confusion-recon-campaign.html</id>
    <updated>2026-07-04T00:00:00Z</updated>
    <summary>Microsoft Threat Intelligence disclosed a dependency-confusion campaign: a single operator, publishing under three npm aliases (mr.4nd3r50n, ce-rwb, t-in-one), published 33 malicious packages in…</summary>
    <category term="dependency-confusion"/>
    <category term="supply-chain"/>
    <category term="reconnaissance"/>
    <category term="credential-theft"/>
    <category term="postinstall"/>
    <category term="npm"/>
  </entry>
  <entry>
    <title>Claude Desktop personalization-sync prompt injection → reverse shell — Anthropic calls it expected functionality (July 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-claude-desktop-personalization-sync-rce.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-claude-desktop-personalization-sync-rce.html</id>
    <updated>2026-07-04T00:00:00Z</updated>
    <summary>Pentera Labs red teamers showed that Claude Desktop's account-wide personalization/preferences feature — which syncs across every device signed into a Claude account — is an unsandboxed…</summary>
    <category term="prompt-injection"/>
    <category term="rce"/>
    <category term="mcp"/>
    <category term="lethal-trifecta"/>
    <category term="wont-fix"/>
    <category term="account-takeover"/>
  </entry>
  <entry>
    <title>Rollup polyfill impersonation — 6 npm packages deliver full RAT, tentatively linked to Lazarus (July 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-rollup-polyfill-npm-lazarus.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-rollup-polyfill-npm-lazarus.html</id>
    <updated>2026-07-04T00:00:00Z</updated>
    <summary>JFrog disclosed six malicious npm packages — led by rollup-packages-polyfill-core and rollup-runtime-polyfill-core — that impersonate the popular rollup-plugin-polyfill-node (~295,000…</summary>
    <category term="supply-chain"/>
    <category term="typosquat"/>
    <category term="credential-theft"/>
    <category term="rat"/>
    <category term="npm"/>
    <category term="dprk"/>
  </entry>
  <entry>
    <title>Claude Code deny-rule bypass via 50-subcommand parser cap (silently patched in v2.1.90)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-subcommand-deny-bypass.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-subcommand-deny-bypass.html</id>
    <updated>2026-07-02T00:00:00Z</updated>
    <summary>Adversa AI found that Claude Code's bash-command permission checker (bashPermissions.ts) stopped enforcing configured deny rules entirely on any compound shell command with more than 50…</summary>
    <category term="claude-code"/>
    <category term="permission-bypass"/>
    <category term="deny-rule"/>
    <category term="silent-patch"/>
    <category term="source-leak"/>
  </entry>
  <entry>
    <title>Vite dev-server WebSocket arbitrary file read + fs.deny bypasses (CVE-2026-39363, CVE-2026-39364, CVE-2026-39365)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vite-dev-server-file-read.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vite-dev-server-file-read.html</id>
    <updated>2026-07-02T00:00:00Z</updated>
    <summary>Three related flaws in Vite's dev server let an attacker who can reach it over the network (e.g. it was started with --host or otherwise exposed) read arbitrary files on the machine — including…</summary>
    <category term="file-read"/>
    <category term="dev-server"/>
    <category term="websocket"/>
    <category term="path-traversal"/>
    <category term="access-control-bypass"/>
  </entry>
  <entry>
    <title>Cursor DuneSlide — two CVSS 9.8 zero-click prompt-injection-to-RCE flaws (CVE-2026-50548, CVE-2026-50549)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cursor-duneslide-zeroclick-rce.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cursor-duneslide-zeroclick-rce.html</id>
    <updated>2026-07-02T00:00:00Z</updated>
    <summary>Cato AI Labs disclosed DuneSlide: two CVSS 9.8 zero-click flaws in Cursor IDE (CVE-2026-50548, CVE-2026-50549) that let attacker-controlled content read by the agent — an MCP tool response or a…</summary>
    <category term="prompt-injection"/>
    <category term="sandbox-escape"/>
    <category term="rce"/>
    <category term="zero-click"/>
    <category term="mcp"/>
    <category term="ai-ide"/>
  </entry>
  <entry>
    <title>Claudy Day — three chained Claude.ai flaws exfiltrate conversation history via hidden URL-parameter prompt injection (March 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claudy-day-claude-ai-exfiltration.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claudy-day-claude-ai-exfiltration.html</id>
    <updated>2026-07-01T00:00:00Z</updated>
    <summary>Oasis Security disclosed "Claudy Day": three chainable flaws in Claude.ai / claude.com that together let an attacker deliver a single crafted link and silently exfiltrate a victim's Claude…</summary>
    <category term="prompt-injection"/>
    <category term="data-exfiltration"/>
    <category term="claude-ai"/>
    <category term="open-redirect"/>
    <category term="anthropic"/>
  </entry>
  <entry>
    <title>Svelte CVE-2026-42573 — DOM clobbering of internal framework state leads to XSS (May 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-svelte-dom-clobbering-xss.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-svelte-dom-clobbering-xss.html</id>
    <updated>2026-07-01T00:00:00Z</updated>
    <summary>Svelte attaches internal reactivity/framework state directly to DOM elements at runtime rather than keeping it fully isolated in JavaScript objects. According to the GitHub Security Advisory…</summary>
    <category term="xss"/>
    <category term="dom-clobbering"/>
    <category term="svelte"/>
    <category term="frontend"/>
    <category term="unauthenticated"/>
  </entry>
  <entry>
    <title>Operation Navy Ghost — 8 fake pyrogram packages on PyPI target Telegram bot developers with full-server backdoor using Telegram as C2 (Jun 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-operation-navy-ghost-pyrogram.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-operation-navy-ghost-pyrogram.html</id>
    <updated>2026-06-30T00:00:00Z</updated>
    <summary>A threat actor published 8 fake pyrogram forks to PyPI over 6 months (November 2025 – June 2026), planting a hidden backdoor that grants full remote shell and file-system access to any server…</summary>
    <category term="supply-chain"/>
    <category term="backdoor"/>
    <category term="credential-theft"/>
    <category term="telegram"/>
    <category term="pypi"/>
    <category term="typosquat"/>
    <category term="c2"/>
    <category term="fake-package"/>
  </entry>
  <entry>
    <title>Mozilla 0DIN DNS Setup Trap — clean GitHub repos trick Claude Code into reverse shell via DNS-TXT record command injection (no CVE; no patch as of 2026-06-28)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-0din-dns-setup-trap.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-0din-dns-setup-trap.html</id>
    <updated>2026-06-28T00:00:00Z</updated>
    <summary>Mozilla's Zero Day Investigative Network (0DIN) demonstrated that a clean GitHub repository containing no malicious code can trick Claude Code into executing an attacker-controlled reverse shell…</summary>
    <category term="prompt-injection"/>
    <category term="dns-exfil"/>
    <category term="ai-agent"/>
    <category term="supply-chain"/>
    <category term="reverse-shell"/>
    <category term="error-recovery"/>
    <category term="indirect-injection"/>
  </entry>
  <entry>
    <title>Klue AI integration breach — Icarus extortion group steals Salesforce/HubSpot/Slack OAuth tokens from CRM data via AI productivity tool (June 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-klue-icarus-oauth-breach.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-klue-icarus-oauth-breach.html</id>
    <updated>2026-06-28T00:00:00Z</updated>
    <summary>The Icarus extortion group breached Klue, an AI-powered competitive intelligence platform, on 2026-06-11 to 2026-06-12 by exploiting OAuth tokens Klue held on behalf of customers. Attackers used…</summary>
    <category term="oauth-pivot"/>
    <category term="credential-theft"/>
    <category term="ai-tool-breach"/>
    <category term="crm-data"/>
    <category term="extortion"/>
    <category term="third-party-breach"/>
    <category term="salesforce"/>
    <category term="hubspot"/>
  </entry>
  <entry>
    <title>Amazon Q Developer CVE-2026-12957 + CVE-2026-12958 — auto-loading .amazonq/mcp.json runs attacker code with live cloud credentials on repo open (June 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-amazon-q-mcp-workspace-rce.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-amazon-q-mcp-workspace-rce.html</id>
    <updated>2026-06-27T00:00:00Z</updated>
    <summary>On April 20, 2026, Wiz Research reported two vulnerabilities to AWS:</summary>
    <category term="rce"/>
    <category term="mcp"/>
    <category term="workspace-trust"/>
    <category term="cloud-credentials"/>
    <category term="credential-theft"/>
    <category term="aws"/>
    <category term="malicious-repo"/>
  </entry>
  <entry>
    <title>Dify DifyTap — 4 CVEs allow cross-tenant AI conversation exfiltration (1M+ apps affected; patched 1.14.2)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-dify-difytap-cross-tenant-exfil.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-dify-difytap-cross-tenant-exfil.html</id>
    <updated>2026-06-26T00:00:00Z</updated>
    <summary>Zafran Security disclosed 4 CVEs in Dify (the open-source LLM app builder powering 1M+ applications across 50+ industries) that allow authenticated attackers to read private AI conversations from…</summary>
    <category term="cve"/>
    <category term="cross-tenant"/>
    <category term="data-exposure"/>
    <category term="prompt-injection"/>
    <category term="plugin-daemon"/>
    <category term="authorization-bypass"/>
    <category term="ai-agent-platform"/>
  </entry>
  <entry>
    <title>Miasma LeoPlatform + Go ecosystem wave — 20 npm packages + Go module + GitHub Actions compromise (June 24 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-leoplatform-go-wave.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-leoplatform-go-wave.html</id>
    <updated>2026-06-26T00:00:00Z</updated>
    <summary>On 2026-06-24 at 23:04:55 UTC, a compromised npm maintainer account (czirker) published 20 malicious versions of LeoPlatform / RStreams npm packages in a 3-second burst, using the Phantom Gyp…</summary>
    <category term="supply-chain"/>
    <category term="credential-theft"/>
    <category term="phantom-gyp"/>
    <category term="binding-gyp"/>
    <category term="miasma"/>
    <category term="shai-hulud-lineage"/>
    <category term="ci-cd"/>
    <category term="github-actions"/>
    <category term="go"/>
    <category term="npm-worm"/>
  </entry>
  <entry>
    <title>TrustFall — AI coding CLIs auto-execute MCP servers on folder trust (Claude Code, Cursor, Gemini CLI, Copilot CLI, Codex CLI)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trustfall-mcp-auto-execute.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trustfall-mcp-auto-execute.html</id>
    <updated>2026-06-25T00:00:00Z</updated>
    <summary>Adversa AI published TrustFall on 2026-05-07 after testing all four major agentic coding CLIs: Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI. A follow-up confirmed the same behavior…</summary>
    <category term="mcp"/>
    <category term="rce"/>
    <category term="trust-boundary"/>
    <category term="ci-cd"/>
    <category term="supply-chain"/>
    <category term="won't-fix"/>
    <category term="agentic-tools"/>
    <category term="claude-code"/>
    <category term="cursor"/>
  </entry>
  <entry>
    <title>Cordyceps — CI/CD misconfiguration class in GitHub Actions enables PR-based code execution and credential theft at 300+ major repos</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cordyceps-cicd-github-actions.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cordyceps-cicd-github-actions.html</id>
    <updated>2026-06-25T00:00:00Z</updated>
    <summary>The Cordyceps class has three forms:</summary>
    <category term="ci-cd"/>
    <category term="supply-chain"/>
    <category term="credential-theft"/>
    <category term="github-actions"/>
    <category term="pull-request"/>
    <category term="code-execution"/>
    <category term="class"/>
  </entry>
  <entry>
    <title>Mastra AI npm namespace compromise — 145 @mastra/* packages carry easy-day-js typosquat RAT via hijacked contributor account `ehindero` (June 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-mastra-ai-npm-compromise.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-mastra-ai-npm-compromise.html</id>
    <updated>2026-06-25T00:00:00Z</updated>
    <summary>A hijacked npm contributor account (ehindero) was used to inject easy-day-js — a typosquat of the popular dayjs date library — as a dependency across 145 packages (corrected from…</summary>
    <category term="supply-chain"/>
    <category term="credential-theft"/>
    <category term="typosquat"/>
    <category term="postinstall"/>
    <category term="ai-agents"/>
    <category term="crypto-stealer"/>
    <category term="miasma-lineage"/>
    <category term="dependency-injection"/>
  </entry>
  <entry>
    <title>Salesloft Drift OAuth Breach — UNC6395 steals Salesforce CRM data from Cloudflare, Palo Alto, Zscaler and hundreds of orgs (August 2025)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-salesloft-drift-oauth-breach.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-salesloft-drift-oauth-breach.html</id>
    <updated>2026-06-24T00:00:00Z</updated>
    <summary>Threat actor UNC6395 compromised a Salesloft GitHub account, stole OAuth tokens from the Drift AI chat agent's Salesforce integration, and used them to exfiltrate CRM data — including AWS keys,…</summary>
    <category term="oauth-pivot"/>
    <category term="ai-tool-oauth-pivot"/>
    <category term="saas-supply-chain"/>
    <category term="credential-theft"/>
    <category term="unc6395"/>
    <category term="github-account-compromise"/>
  </entry>
  <entry>
    <title>Microsoft 365 Copilot SearchLeak (CVE-2026-42824) — 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-copilot-searchleak-cve-2026-42824.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-copilot-searchleak-cve-2026-42824.html</id>
    <updated>2026-06-24T00:00:00Z</updated>
    <summary>The Copilot Enterprise Search URL accepts a q= parameter. When a user clicks a link containing a malicious q= value, Copilot processes the injected text as a high-trust user prompt rather than a…</summary>
    <category term="cve"/>
    <category term="prompt-injection"/>
    <category term="parameter-to-prompt-injection"/>
    <category term="data-exfil"/>
    <category term="one-click-attack"/>
    <category term="microsoft"/>
    <category term="copilot"/>
    <category term="bing-ssrf"/>
    <category term="csp-bypass"/>
  </entry>
  <entry>
    <title>Langflow CVE-2026-27966 — CSV Agent hardcodes allow_dangerous_code=True → unauthenticated prompt-injection RCE (CVSS 9.8)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-langflow-cve-2026-27966-csv-agent-rce.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-langflow-cve-2026-27966-csv-agent-rce.html</id>
    <updated>2026-06-23T00:00:00Z</updated>
    <summary>The CSV Agent node's source code contained the line:</summary>
    <category term="cve"/>
    <category term="rce"/>
    <category term="prompt-injection"/>
    <category term="ai-agents"/>
    <category term="decorator-as-documentation"/>
    <category term="langchain"/>
    <category term="csv-agent"/>
    <category term="eval-on-llm-output"/>
    <category term="pre-auth"/>
  </entry>
  <entry>
    <title>GlassWorm — self-propagating VS Code / Open VSX extension worm (Oct 2025 → 2026)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-glassworm-vscode-worm.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-glassworm-vscode-worm.html</id>
    <updated>2026-06-22T00:00:00Z</updated>
    <summary>GlassWorm's signature trick is steganographic source: the malicious logic is encoded in printable-but-non-rendering Unicode (e.g., variation selectors / invisible code points), so a maintainer or…</summary>
    <category term="supply-chain"/>
    <category term="ide-extension"/>
    <category term="worm"/>
    <category term="self-propagating"/>
    <category term="credential-theft"/>
    <category term="crypto-theft"/>
    <category term="invisible-unicode"/>
    <category term="solana-c2"/>
    <category term="botnet-takedown"/>
  </entry>
  <entry>
    <title>ModelScope ms-agent OS command injection via Shell tool (CVE-2026-2256) — unpatched, public PoC, CERT/CC advisory</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-msagent-cve-2026-2256-shell-injection.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-msagent-cve-2026-2256-shell-injection.html</id>
    <updated>2026-06-22T00:00:00Z</updated>
    <summary>ModelScope's ms-agent is a Python-based open-source framework for building AI agents capable of executing OS commands, running code, analyzing data, and interacting with tools via the Model…</summary>
    <category term="cve"/>
    <category term="command-injection"/>
    <category term="ai-agent-framework"/>
    <category term="unpatched"/>
    <category term="shell-tool"/>
    <category term="regex-blacklist"/>
    <category term="prompt-injection-rce"/>
  </entry>
  <entry>
    <title>LiteLLM proxy pre-auth SQL injection — CVE-2026-42208 (April 2026, CISA KEV) + CVE-2026-42271 (June 2026, actively exploited)</title>
    <link href="https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-litellm-sql-injection.html"/>
    <id>https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-litellm-sql-injection.html</id>
    <updated>2026-06-22T00:00:00Z</updated>
    <summary>LiteLLM is an open-source LLM gateway/proxy widely used in vibe-coding stacks as the OpenAI-compatible front-end for Anthropic, AWS Bedrock, Azure OpenAI, Google Vertex, Cohere, and dozens of…</summary>
    <category term="cve"/>
    <category term="sql-injection"/>
    <category term="pre-auth"/>
    <category term="ai-proxy"/>
    <category term="cisa-kev"/>
    <category term="rapid-exploitation"/>
    <category term="credential-theft"/>
  </entry>
</feed>