# Vibe Coding - Security Issue Tracking — compact context > Living index of supply-chain attacks, malicious MCP servers, and prompt-injection campaigns relevant to vibe coding. Generated 2026-07-05. Compact variant: alerts + per-advisory TL;DR + 'am I affected?' commands. For full content use llms-full.txt. Index: https://pranava0x0.github.io/vibe-coding-security/llms.txt | Full: https://pranava0x0.github.io/vibe-coding-security/llms-full.txt | Web: https://pranava0x0.github.io/vibe-coding-security/ --- ## Rollup polyfill impersonation — 6 npm packages deliver full RAT, tentatively linked to Lazarus (July 2026) _severity=high | status=contained | disclosed=2026-07-04_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-rollup-polyfill-npm-lazarus.html JFrog disclosed six malicious npm packages — led by **`rollup-packages-polyfill-core`** and **`rollup-runtime-polyfill-core`** — that impersonate the popular `rollup-plugin-polyfill-node` (~295,000 downloads/week) and drop a full cross-platform remote-access trojan. JFrog tentatively links the campaign to North Korea's **Lazarus** group but stops short of firm attribution. All six packages have been removed from npm. **Am I affected?** ```bash # Check your lockfile / node_modules for any of the six malicious packages npm ls rollup-packages-polyfill-core rollup-runtime-polyfill-core swift-parse-stream quirky-token react-icon-svgs rollup-plugin-polyfill-connect 2>/dev/null grep -E "rollup-packages-polyfill-core|rollup-runtime-polyfill-core|swift-parse-stream|quirky-token|react-icon-svgs|rollup-plugin-polyfill-connect" package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null ``` Y… --- ## Claude Desktop personalization-sync prompt injection → reverse shell — Anthropic calls it expected functionality (July 2026) _severity=high | status=active | disclosed=2026-07-01_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-claude-desktop-personalization-sync-rce.html Pentera Labs red teamers showed that Claude Desktop's account-wide **personalization/preferences** feature — which syncs across every device signed into a Claude account — is an unsandboxed instruction channel: a base64-encoded prompt planted in personal preferences silently loads on every future chat and, if a command-capable MCP connector (e.g., Desktop Commander) is installed, executes a stealthy reverse shell with no user interaction beyond opening the app. Anthropic classified this as **exp… **Am I affected?** You are exposed if you use Claude Desktop with any command-capable MCP connector or extension installed (Desktop Commander or similar), **and** an attacker gains access to your Claude account (directly, or via a compromised linked email/SSO identity). ```text Review your Claude account's personal preferences / custom instructions manually for any text you did not write yourself, especially base64-looking blobs or instructions referencing "check … --- ## Amazon Q Developer CVE-2026-12957 + CVE-2026-12958 — auto-loading .amazonq/mcp.json runs attacker code with live cloud credentials on repo open (June 2026) _severity=high | status=patched | disclosed=2026-06-26_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-amazon-q-mcp-workspace-rce.html **Amazon Q Developer** automatically loaded MCP server configurations from `.amazonq/mcp.json` in any opened workspace — without user consent or trust verification — and spawned those servers as **unsandboxed processes inheriting the developer's live AWS credentials**. Opening a malicious repository was sufficient to execute attacker code and exfiltrate AWS keys, cloud tokens, SSH sockets, and API secrets. Patched in Language Servers for AWS 1.65.0 (released May 12, 2026); Wiz Research disclosed… **Am I affected?** **You are exposed if you use Amazon Q Developer and have not updated.** Check your current Language Server for AWS version: ```bash # In VS Code: Help → About → show all versions (look for Amazon Q Language Server) # Or check the AWS extension output channel for version info # Check installed plugin versions: # VS Code: Extensions view → Amazon Q → check version (need ≥ 2.20) # JetBrains: Plugins → Amazon Q → check version (need ≥ 4.3) # E… --- ## Mozilla 0DIN DNS Setup Trap — clean GitHub repos trick Claude Code into reverse shell via DNS-TXT record command injection (no CVE; no patch as of 2026-06-28) _severity=high | status=active | disclosed=2026-06-25_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-0din-dns-setup-trap.html Mozilla's Zero Day Investigative Network (0DIN) demonstrated that a **clean GitHub repository containing no malicious code** can trick Claude Code into executing an attacker-controlled reverse shell via three indirection layers: a Python package that intentionally fails init → Claude Code's error-recovery automation runs the suggested fix command → the fix command resolves its payload from an attacker-controlled **DNS TXT record**. No exploit code ever appears in the repository. **Am I affected?** You may be affected if: - You used Claude Code (with auto-execute or trust-this-folder enabled) to clone and set up an untrusted GitHub repository. - Claude Code ran `python3 -m init`, `npm run setup`, or similar init commands that you did not explicitly type yourself. - You noticed an unexpected outbound connection to an unknown host on port 4443. ```bash # Check for unexpected outbound connections from recent sessions # (after the f… --- ## Cursor DuneSlide — two CVSS 9.8 zero-click prompt-injection-to-RCE flaws (CVE-2026-50548, CVE-2026-50549) _severity=critical | status=patched | disclosed=2026-06-25_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cursor-duneslide-zeroclick-rce.html Cato AI Labs disclosed **DuneSlide**: two CVSS 9.8 zero-click flaws in Cursor IDE (**CVE-2026-50548**, **CVE-2026-50549**) that let attacker-controlled content read by the agent — an MCP tool response or a poisoned web-search result — escape Cursor's sandbox and write files anywhere on disk, with **no user click or approval beyond the original benign prompt**. Both were fixed in **Cursor 3.0** (released 2026-04-02); the CVEs were assigned 2026-06-05 and publicly disclosed 2026-07-01. **Am I affected?** ```bash # Check your Cursor version — anything before 3.0 is vulnerable cursor --version ``` If you're on Cursor < 3.0 and use MCP servers or let the agent browse/fetch web content, treat any session where the agent read untrusted MCP output or search results as a potential sandbox-escape window. Update to **Cursor ≥ 3.0** — both flaws are fixed there, so if you're current you're not exposed. --- ## Operation Navy Ghost — 8 fake pyrogram packages on PyPI target Telegram bot developers with full-server backdoor using Telegram as C2 (Jun 2026) _severity=high | status=unconfirmed | disclosed=2026-06-25_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-operation-navy-ghost-pyrogram.html A threat actor published **8 fake `pyrogram` forks** to PyPI over 6 months (November 2025 – June 2026), planting a hidden backdoor that grants **full remote shell and file-system access** to any server running the infected bot — using the **victim's own Telegram bot as the C2 channel**, bypassing traditional network egress monitoring. ~24,300 total downloads across all malicious packages. **Am I affected?** Check your Python environment for any of the malicious package names: ```bash # Check installed packages pip show pyrogram-navy vlifegram vlife-gram kelragram pyrogram-styled sepgram pyrogram-zeeb pyrogram-kelra 2>/dev/null | grep -E "^Name:|^Version:" # Check pip install history (Linux) grep -E "pyrogram-navy|vlifegram|vlife-gram|kelragram|pyrogram-navy|pyrogram-styled|sepgram|pyrogram-zeeb|pyrogram-kelra" \ ~/.local/share/pip/logs/*.log 2>/… --- ## Cordyceps — CI/CD misconfiguration class in GitHub Actions enables PR-based code execution and credential theft at 300+ major repos _severity=high | status=active | disclosed=2026-06-24_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cordyceps-cicd-github-actions.html **Cordyceps** (Novee Security, disclosed June 24, 2026): a class of GitHub Actions CI/CD misconfiguration that lets **any unauthenticated user with a free GitHub account** forge approvals, push code, or steal credentials by submitting a malicious pull request. 300+ of ~30,000 scanned high-impact repositories are fully exploitable — including **Microsoft Azure Sentinel, Google AI Agent Development Kit, Apache Doris, Cloudflare Workers SDK,** and **Python Software Foundation's Black formatter**. E… **Am I affected?** **Check your own repo:** ```bash # Find workflows using pull_request_target grep -r 'pull_request_target' .github/workflows/ 2>/dev/null # Check for write permissions combined with checkout of PR head grep -A20 'pull_request_target' .github/workflows/*.yml | grep -E 'contents: write|packages: write|id-token: write' # Find workflow_dispatch with unvalidated shell inputs grep -B5 -A10 'workflow_dispatch' .github/workflows/*.yml | grep -E 'inputs\… --- ## Miasma LeoPlatform + Go ecosystem wave — 20 npm packages + Go module + GitHub Actions compromise (June 24 2026) _severity=critical | status=active | disclosed=2026-06-24_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-leoplatform-go-wave.html On **2026-06-24 at 23:04:55 UTC**, a compromised npm maintainer account (`czirker`) published **20 malicious versions** of LeoPlatform / RStreams npm packages in a **3-second burst**, using the Phantom Gyp (`binding.gyp`) install-time execution primitive that bypasses `--ignore-scripts`. The same campaign simultaneously force-pushed a poisoned commit to **codfish/semantic-release-action** on GitHub (affecting **1,442 dependent repositories**) and compromised a **Go module** (`github.com/verana-l… **Am I affected?** **Check your npm lockfile and installed packages:** ```bash # Check if any LeoPlatform/RStreams packages are installed npm ls | grep -E "leo-sdk|leo-aws|leo-cli|leo-auth|leo-cron|leo-config|leo-logger|leo-cache|leo-streams|leo-connector|rstreams|serverless-leo|leo-cdk-lib|solo-nav|hexo-deployer-wrangler|hexo-shoka-swiper|prism-silq" # Or in package-lock.json grep -E '"leo-sdk"|"leo-aws"|"leo-cli"|"leo-auth"|"rstreams-metrics"|"serverless-leo"' … --- ## Dify DifyTap — 4 CVEs allow cross-tenant AI conversation exfiltration (1M+ apps affected; patched 1.14.2) _severity=high | status=patched | disclosed=2026-06-22_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-dify-difytap-cross-tenant-exfil.html Zafran Security disclosed **4 CVEs in Dify** (the open-source LLM app builder powering **1M+ applications** across 50+ industries) that allow authenticated attackers to **read private AI conversations from other customers' tenants**, trigger cross-tenant internal API calls, and exfiltrate documents uploaded by other users. The most severe CVE (**CVE-2026-41948, CVSS 9.4**) reaches through the plugin daemon to internal network endpoints via SSRF. All flaws except CVE-2026-41948 are patched in **D… **Am I affected?** If you run **Dify < 1.14.2** in a multi-tenant or multi-workspace configuration, all four CVEs apply. ```bash # Check your Dify version docker exec python -c "import importlib.metadata; print(importlib.metadata.version('dify'))" 2>/dev/null || \ grep "dify" requirements.txt 2>/dev/null # Or via the Dify web UI: Settings → About ``` **Single-tenant self-hosted deployments** have reduced exposure on CVE-2026-41947, CVE-202… --- ## IDEsaster — 30+ security flaws (24 CVEs) in Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed, Roo Code, Junie, Cline (June 2026) _severity=high | status=active | disclosed=2026-06-17_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-idessaster-ai-ide-cve-cluster.html Security researchers disclosed **30+ flaws** (**24 assigned CVEs**) across **8 AI coding tools** simultaneously — Cursor, Windsurf, Kiro.dev, GitHub Copilot (VS Code), Zed.dev, Roo Code, Junie, and Cline — in a coordinated release the researchers called **"IDEsaster"**. Vulnerability classes include **localhost RCE** (unauthenticated WebSocket / HTTP servers), **prompt injection leading to credential exfiltration**, **path traversal**, and **malicious workspace file execution**. No single "most … **Am I affected?** You are affected if you use any of the following tools and have NOT updated to the latest patched version: | Tool | Vendor | Update command | |---|---|---| | Cursor | Anysphere | Help → Check for updates, or reinstall from cursor.com | | Windsurf | Codeium | Help → Check for updates, or reinstall from codeium.com | | Kiro.dev | Amazon | Update from kiro.dev or via VS Code marketplace | | GitHub Copilot (VS Code) | GitHub/Microsoft | VS Code: Ext… --- ## 15 malicious JetBrains Marketplace plugins steal AI provider API keys on entry (70K+ installs) _severity=high | status=active | disclosed=2026-06-17_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-jetbrains-ide-plugins-ai-key-theft.html **15 malicious plugins** on the **JetBrains Marketplace** (combined **70,000+ installs**) silently exfiltrate AI provider API keys — OpenAI, Anthropic, Google AI, and others — **the moment the user enters them** in the plugin's settings panel and clicks "Apply." No lockfile to audit; the key is captured before it reaches your env. Remove any unfamiliar AI-assistant JetBrains plugin immediately, rotate all AI provider API keys, and audit `~/.config/JetBrains/` for unexpected outbound configs. **Am I affected?** ```bash # List all installed JetBrains plugins across recent IDE versions # (adjust the path to match your JetBrains product and version) ls ~/.config/JetBrains/*/plugins/ 2>/dev/null ls ~/Library/Application\ Support/JetBrains/*/plugins/ 2>/dev/null # macOS # Check for outbound network connections from IDE processes # (while IDE is running with a plugin active) lsof -i -n -P 2>/dev/null | grep -i idea ss -tnp 2>/dev/null | grep idea ``` **As… --- ## Mastra AI npm namespace compromise — 145 @mastra/* packages carry easy-day-js typosquat RAT via hijacked contributor account `ehindero` (June 2026) _severity=critical | status=active | disclosed=2026-06-17_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-mastra-ai-npm-compromise.html A hijacked npm contributor account (`ehindero`) was used to inject **`easy-day-js`** — a typosquat of the popular `dayjs` date library — as a dependency across **145 packages** (corrected from initially-reported 144) in the `@mastra/*` namespace (Mastra AI agent framework). The malicious `easy-day-js` version ran an obfuscated `postinstall` hook that downloaded and executed a cryptocurrency-stealing RAT, then self-deleted to remove evidence. The attack window was **01:15 – 02:36 UTC on 2026-06-1… **Am I affected?** ```bash # Check if any @mastra/* packages are installed npm ls --depth=0 2>/dev/null | grep "@mastra/" # Check if easy-day-js is in your dependency tree npm ls 2>/dev/null | grep "easy-day-js" # Check package-lock.json for the typosquat grep "easy-day-js" package-lock.json 2>/dev/null # Check npm cache ls ~/.npm/easy-day-js/ 2>/dev/null # Check for any crypto-stealer persistence artifacts (common RAT IOCs) # Look for unexpected cron/launchd/s… --- ## Langflow CVE-2026-5027 — unauthenticated path traversal → RCE via file upload endpoint (distinct from CVE-2026-33017) _severity=high | status=patched | disclosed=2026-06-16_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langflow-cve-2026-5027-path-traversal.html **CVE-2026-5027** (CVSS 8.8) — **Langflow's file-upload endpoint** (`POST /api/v2/files`) accepts a caller-controlled `filename` parameter with no path sanitization. An unauthenticated attacker (Langflow auto-login is enabled by default) can write arbitrary files to arbitrary paths on the server filesystem → remote code execution. This is a **distinct vulnerability** from [CVE-2026-33017](2026-03-langflow-rce.md) (the earlier flow-build RCE that reached CISA KEV). Approximately **7,000 Langflow … **Am I affected?** ```bash # Check your Langflow version pip show langflow 2>/dev/null | grep Version langflow --version 2>/dev/null # Check if auto-login is enabled (default: true) cat ~/.langflow/.env 2>/dev/null | grep -i auto_login # or check the Langflow startup config # Check if the endpoint is reachable from the internet curl -s http://localhost:7860/api/v2/files -X OPTIONS 2>/dev/null ``` You are affected if: 1. You run Langflow **< 1.10.0** (or < 1.9.0 … --- ## Microsoft 365 Copilot SearchLeak (CVE-2026-42824) — 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass _severity=high | status=patched | disclosed=2026-06-15_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-copilot-searchleak-cve-2026-42824.html **CVE-2026-42824 ("SearchLeak")** — Varonis Threat Labs discovered a 3-stage chain in **Microsoft 365 Copilot Enterprise Search** that lets an attacker send a victim a single crafted link (on a real `microsoft.com` domain) and silently exfiltrate their emails, calendar events, OneDrive/SharePoint files, MFA codes, and password-reset links. Microsoft patched it on the backend; no user action is required. If your org uses M365 Copilot, the risk is eliminated — but the **attack class** (parameter-t… **Am I affected?** **Current exposure: None.** Microsoft patched the backend. No customer action is required to close the CVE-2026-42824 attack vector. **Historical exposure check:** If you have Copilot Enterprise audit logs for the period before June 15, 2026, look for: ``` # M365 Purview / Compliance Center audit query (PowerShell) Search-UnifiedAuditLog -StartDate 2026-01-01 -EndDate 2026-06-15 ` -Operations "CopilotInteraction" ` -ResultSize 1000 | Where-… --- ## PromptSnatcher — malicious Chrome ad-blocker extensions intercept AI chatbot conversations from 900K users across 8 platforms _severity=high | status=active | disclosed=2026-06-14_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-promptsnatcher-chrome-ai-chat-stealer.html Security researchers named **PromptSnatcher**: at least **two malicious Chrome browser extensions** masquerading as ad-blockers have been silently intercepting **full AI chatbot conversations** — including system prompts, user messages, and model responses — from **~900,000 users** across **8 AI platforms**: ChatGPT, Claude (claude.ai), Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. Extensions with broad `tabs` and `webRequest` manifest permissions can inject content scripts… **Am I affected?** Any user who had one of the two malicious ad-blocker extensions installed while using AI chat platforms is affected. Because extension names are not published at time of writing (pending Chrome Web Store coordination), check your extension list: ```bash # In Chrome: chrome://extensions/ # Look for any recently installed ad-blocker you don't remember installing # Check permissions: extensions with "Read your browsing history" + "Read and change d… --- ## AutoJack — Microsoft Research AutoGen Studio 3-flaw chain: browsing agent renders attacker page → localhost MCP WebSocket → unauthenticated RCE _severity=high | status=patched | disclosed=2026-06-13_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-autojack-autogen-studio-mcp-rce.html Microsoft Research's **AutoGen Studio** — the visual IDE for AutoGen multi-agent systems — contains a **3-flaw chain** discovered by independent security researchers and named **"AutoJack"**: (1) the AutoGen Studio MCP server binds its WebSocket on `0.0.0.0` with no authentication; (2) no origin validation on the WebSocket handshake; (3) a browsing-capable AutoGen agent that visits a malicious attacker-controlled webpage can have that page's JavaScript reach the localhost MCP WebSocket and issue… **Am I affected?** ```bash # Check installed AutoGen Studio version pip show autogenstudio 2>/dev/null | grep Version # Check if AutoGen Studio MCP is running ss -tlnp 2>/dev/null | grep -E ':8081|:8080|:7860' # (default port may vary; check your autogenstudio config) # Check which interface it's bound to ss -tlnp 2>/dev/null | grep autogen ``` You are affected if: 1. You run AutoGen Studio locally and use AutoGen agents with browsing capabilities. 2. You run an… --- ## Agentjacking — Sentry DSN injection via MCP poisons AI coding agent context (2,388 orgs exposed) _severity=high | status=active | disclosed=2026-06-12_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-agentjacking-sentry-mcp-injection.html Tenet Security disclosed **Agentjacking** on 2026-06-12: attackers inject malicious instructions into **Sentry error data** (DSN-routed issue bodies, breadcrumbs, stack-frame locals), which AI coding agents (Claude Code, Cursor, Codex) then read via MCP tools and obediently execute — a new **indirect prompt-injection-at-scale attack class**. No CVE assigned; **Sentry declined to treat this as a root-cause fix** (injection is in user-controlled error data, not a Sentry bug). 2,388 organizations w… **Am I affected?** You are exposed if all of these are true: 1. You have the Sentry MCP server configured in Claude Code, Cursor, Codex, or any other AI agent 2. Your Sentry projects receive error data from user-controlled inputs (any public-facing app) 3. You or your agent calls `get_issue` / `list_issues` during debugging sessions ```bash # Check if Sentry MCP is configured cat ~/.claude/mcp.json 2>/dev/null | grep -i sentry cat ~/.cursor/mcp.json 2>/dev/null | … --- ## Klue AI integration breach — Icarus extortion group steals Salesforce/HubSpot/Slack OAuth tokens from CRM data via AI productivity tool (June 2026) _severity=high | status=contained | disclosed=2026-06-12_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-klue-icarus-oauth-breach.html The **Icarus** extortion group breached **Klue**, an AI-powered competitive intelligence platform, on **2026-06-11 to 2026-06-12** by exploiting OAuth tokens Klue held on behalf of customers. Attackers used automated Salesforce REST API queries to exfiltrate CRM records — including pipeline data, account details, and contact lists — from at least two confirmed victims: **Huntress** and **Recorded Future**. This is the AI-tool OAuth pivot class (template: [Vercel/Context.ai](2026-04-vercel-contex… **Am I affected?** You may be affected if: 1. Your organization uses Klue as a competitive intelligence or sales-intelligence platform. 2. You granted Klue OAuth access to any of: Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, Slack. 3. Your Salesforce or HubSpot instance contains CRM records, pipeline data, or contact lists. More broadly, this incident is a signal to audit **all** AI productivity tools that hold OAuth grants to your en… --- ## Atomic Arch — AUR supply-chain attack: 1,500+ community packages hijacked via orphaned-package takeover; eBPF rootkit for persistence (June 2026) _severity=high | status=active | disclosed=2026-06-11_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-arch-linux-aur-supply-chain.html The campaign now called **"Atomic Arch"** hijacked **1,500+ packages** in the **Arch Linux AUR (Arch User Repository)** — up from the initially-reported 400+, as researchers expanded their scope. Attackers used **orphaned-package takeover** as the primary initial-access method: AUR packages whose maintainer has gone inactive can be adopted by any registered user, providing a pre-existing trusted package identity with existing user base. The payload includes an **eBPF kernel rootkit** for persist… **Am I affected?** You may be affected if: 1. You run Arch Linux, Manjaro, EndeavourOS, Garuda, or another Arch-based derivative. 2. You install packages using AUR helpers (`yay`, `paru`, `pamac`, `trizen`, `aura`). 3. You installed AUR packages between **approximately 2026-05-01 and 2026-06-17** without manually reviewing the PKGBUILD. ```bash # List all AUR-installed packages (those not from official repos) pacman -Qm # Review recent package installs from pacma… --- ## onering Rust crate compromised — build.rs exfiltrates your source code as fake Sentry telemetry (June 2026) _severity=high | status=unconfirmed | disclosed=2026-06-10_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-onering-rust-crate-compromise.html On **2026-06-10**, Aikido Security detected malicious behavior in **`onering` v1.4.1** — a Rust synchronous queue/channels library (~18K Crates.io downloads). The malicious version injected a **`build.rs`** script that silently exfiltrates your **git diff / source code changes** to a remote server on every Cargo build, disguising the stolen data as a **Sentry telemetry event**. Both the Crates.io release and the maintainer's GitHub repository appear to be compromised — building from git does NOT… **Am I affected?** ```bash # Check if onering is in your dependency tree cargo tree | grep onering # Check which version is pinned in Cargo.lock grep -A2 'name = "onering"' Cargo.lock # If you have onering 1.4.1 installed, check for recent curl invocations in build output # (may be suppressed by Cargo; check with verbose build) cargo build -v 2>&1 | grep -i 'sentry\|curl' # Grep build.rs of onering for signs of the malicious code find ~/.cargo/registry/src -path… --- ## Solana FakeFix Campaign — 25 malicious npm + PyPI packages steal wallet keys and developer secrets via GitHub issue spam (June 2026) _severity=high | status=active | disclosed=2026-06-10_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-solana-fakefix-campaign.html The **"Solana FakeFix" campaign** planted **25 malicious packages** (16 npm + 4 PyPI + 5 additional CMS-loader variants) that impersonate Solana Web3 SDK tooling, promoted via **fake GitHub issue spam** on nine popular open-source projects framing the attacker's package as a community bug fix. Payloads harvest Solana wallet keys, cloud credentials, SSH keys, and AI-tool config from victim machines the moment a package is installed (npm `postinstall`) or imported (PyPI `__init__.py`). A bonus fak… **Am I affected?** ```bash # Check npm for FakeFix packages npm list --depth=0 2>/dev/null | grep -iE 'solana-web3-stable|solana-rpc-client|solana-mev-bot' # Check PyPI pip list 2>/dev/null | grep -iE 'solana-web3-stable|solana-rpc-client|solana-mev' # Audit recent GitHub issues for issue-spam pattern (if you maintain a Solana repo) # Look for issues recommending installing an unfamiliar package as a "fix" # Check for unexpected persistence artifacts # Windows: … --- ## Streamlit CVE-2026-33682 — unauthenticated SSRF on Windows leaks NTLMv2 credentials (June 2026) _severity=high | status=patched | disclosed=2026-06-10_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-streamlit-ssrf-windows.html **CVE-2026-33682** is an unauthenticated SSRF vulnerability in **Streamlit < 1.54.0 running on Windows** that can coerce the server into initiating an outbound SMB (port 445) authentication attempt, leaking the **NTLMv2 challenge-response hash** of the Windows user running Streamlit to any attacker on the network. NTLM hashes can be cracked offline or relayed in pass-the-hash / relay attacks to gain code execution. No authentication, no user interaction required. Fixed in **Streamlit 1.54.0**. **Am I affected?** ```bash # Check Streamlit version pip show streamlit | grep Version # Vulnerable if Version < 1.54.0 # Check if running on Windows python -c "import sys; print(sys.platform)" # Affected if: win32 ``` You are affected if: - `streamlit < 1.54.0` - Running on **Windows** (Linux/macOS are NOT affected — Linux doesn't automatically attempt NTLM for UNC paths) - The Streamlit server is reachable from any untrusted network (LAN, internet) --- ## SymJack — symlink hijacking tricks AI coding agents into registering attacker-controlled MCP servers (June 2026) _severity=high | status=mitigated | disclosed=2026-06-10_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-symjack-ai-coding-agent-mcp-symlink.html **SymJack** (Adversa AI, disclosed 2026-06-10) is a new attack class against AI coding agents: a malicious repository embeds a **symlink** that makes an innocent-looking project path (e.g., `tools/config-backup.json`) resolve at the filesystem level to the developer's MCP configuration file (e.g., `~/.claude/mcp.json`). When the developer approves what looks like a routine `cp` command from their AI agent, the symlink redirects the write into the MCP config, registering an **attacker-controlled … **Am I affected?** Check for unexpected symlinks in repositories you've recently cloned or worked in: ```bash # Find symlinks in any cloned repo that resolve outside the repo root find . -type l | while read link; do target=$(readlink -f "$link" 2>/dev/null) echo "$link -> $target" done | grep -v "^$(pwd)" # flag anything resolving outside repo root # Check your MCP configs for unexpected server entries cat ~/.claude/mcp.json 2>/dev/null cat ~/.cursor/mcp.j… --- ## LangGraph RCE chain — SQLite SQL injection + msgpack deserialization → arbitrary code execution (June 2026) _severity=critical | status=patched | disclosed=2026-06-09_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langgraph-rce-chain.html Security researcher Yarden Porat discovered a two-CVE chain in **LangGraph** that allows any attacker who can supply a filter query to a self-hosted LangGraph deployment to achieve **arbitrary code execution on the server**. CVE-2025-67644 (SQL injection in the SQLite checkpoint) feeds attacker-controlled serialized data into CVE-2026-28277 (unsafe msgpack deserialization), yielding RCE. A third CVE (CVE-2026-27022) covers the Redis-checkpointer variant. **LangChain's managed LangSmith Deploymen… **Am I affected?** ```bash # Check installed versions pip show langgraph langgraph-checkpoint-sqlite langgraph-checkpoint-redis # Vulnerable if: # langgraph < 1.0.10 # langgraph-checkpoint-sqlite < 3.0.1 # (Redis checkpointer users: any version using user-controlled filter keys) # Check if your deployment exposes get_state_history() with user-controlled input: grep -r "get_state_history" . --include="*.py" | grep -v "test_" ``` **You are affected if:** - You run… --- ## Hades Campaign — 19 PyPI bioinformatics + MCP-developer packages poisoned with Bun credential stealer (June 2026) _severity=critical | status=active | disclosed=2026-06-08_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-hades-campaign-pypi-mcp-attack.html On **2026-06-08**, StepSecurity identified a sophisticated supply-chain campaign — dubbed **"Hades"** — that poisoned **19 PyPI packages** across 37 malicious wheel artifacts in two distinct target categories: (1) popular **bioinformatics / graph-ML packages** (ensmallen, dynamo, spateo, coolbox, u-fish, napari-ufish, gpsea, phenopacket-store-toolkit, and related tools), and (2) explicitly **MCP-developer-targeted packages** (`langchain-core-mcp`, `openai-mcp`, `instructor-mcp`, `tiktoken-mcp`, … **Am I affected?** ```bash # Check for poisoned packages in your active virtualenv / global site-packages pip list | grep -iE 'ensmallen|embiggen|dynamo|spateo|coolbox|u-fish|napari-ufish|gpsea|phenopacket|ppkt2synergy|pyphetools|langchain-core-mcp|openai-mcp|instructor-mcp|tiktoken-mcp|ray-mcp-server' # Check for .pth startup hooks placed by the malware python -c "import site; print(site.getsitepackages())" # Then look for unexpected *.pth files in those director… --- ## Gluestack @react-native-aria RAT via compromised contributor token (June 2026) _severity=critical | status=contained | disclosed=2026-06-06_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-gluestack-react-native-aria-rat.html A compromised npm contributor token let attackers publish 17 of the 20 **`@react-native-aria`** packages plus **`@gluestack-ui/utils`** (~960K weekly downloads) with a hidden **Remote Access Trojan (RAT)** starting June 6, 2026. Packages have been deprecated; roll back immediately and assume your dev machine is compromised if you `npm install`-ed any of these after June 6. **Am I affected?** Check whether any of the following packages are in your `node_modules`, `package-lock.json`, or `yarn.lock` at versions published on **2026-06-06 or later**: ```bash # Quick lockfile grep for the affected scope grep -E '"@react-native-aria/|@gluestack-ui/utils"' package-lock.json # Check installed version dates via npm npm view @react-native-aria/focus time --json | tail -5 npm view @gluestack-ui/utils time --json | tail -5 ``` Affected packag… --- ## Miasma Wave 5 — 73 Microsoft Azure GitHub repos + mantine-datatable compromised; payload auto-fires via Claude Code / Cursor / Gemini CLI (June 2026) _severity=critical | status=contained | disclosed=2026-06-05_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-wave5-microsoft-azure-github.html **Wave 5 of the Miasma/Shai-Hulud worm family** hit **73 Microsoft GitHub repositories** (across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs GitHub organizations) on **2026-06-05**, plus **5 mantine-datatable repositories**, via a compromised contributor's GitHub account. Unlike prior waves that spread through the npm registry, Wave 5 **skips the registry entirely** and plants a 4.3 MB payload runner directly into source repositories, wired to auto-execute via **5 developer tools: Cla… **Am I affected?** ```bash # Check if you have any of the compromised repos in your local clone list git remote -v | grep -E "azure/durabletask|mantine-datatable|mantine-contextmenu|next-server-actions-parallel" # Check for malicious .claude/ or .cursor/ config added since 2026-06-04 git log --since="2026-06-04" --all --oneline -- .claude/ .cursor/ .vscode/tasks.json package.json # Check for the 4.3MB payload runner file (look for large unexpected JS files commit… --- ## Claude Code GitHub Actions [bot] trust bypass — supply chain risk on any repo using claude-code-action (June 2026) _severity=high | status=patched | disclosed=2026-06-04_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-github-actions-bot-bypass.html `checkWritePermissions()` in Claude Code's GitHub Actions workflow **trusted any actor whose username ends in `[bot]`** regardless of actual permissions. Combined with prompt injection, an unauthenticated external attacker could exfiltrate CI secrets, steal OIDC tokens, and push malicious code to any downstream repository — including Anthropic's own `claude-code-action` source, turning it into a supply-chain vector. **Patched in Claude Code GitHub Actions v1.0.94.** **Am I affected?** ```bash # Check if you use anthropics/claude-code-action in any workflow grep -r "anthropics/claude-code-action" .github/workflows/ # Check which version you are pinned to grep "anthropics/claude-code-action@" .github/workflows/*.yml ``` If you pin to a version **older than v1.0.94** or use a floating reference (e.g., `@main`, `@latest`), you were exposed. --- ## IronWorm — Rust-based npm worm with eBPF rootkit + Tor C2 (June 2026) _severity=critical | status=active | disclosed=2026-06-04_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-ironworm-npm-rust-ebpf.html A new self-propagating npm supply-chain worm called **IronWorm** hit 36 packages in June 2026, deploying a **Rust ELF binary** that hides behind an **eBPF kernel rootkit** and exfiltrates credentials over **Tor** — making it invisible to many eBPF-based security monitoring tools and nearly untraceable at the network layer. **Am I affected?** ```bash # Check for packages from the compromised account npm ls 2>/dev/null | grep asteroiddao # Check installed packages for unexpected Rust/ELF binaries in postinstall output find node_modules -name "*.node" -newer /tmp/last_week 2>/dev/null # Look for backdated git commits added recently (timestamp mismatch) git log --all --format="%H %ai %ci %s" | awk '$2 != $3' | head -20 # Check if unexpected workflows were added git log --all --oneline… --- ## Phantom Gyp — Miasma wave 4: self-propagating npm worm via binding.gyp (June 2026) _severity=critical | status=active | disclosed=2026-06-04_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-phantom-gyp-miasma-wave4.html A fourth wave of the Miasma / Shai-Hulud worm lineage hit npm on **June 3–4, 2026**, using **`binding.gyp`** instead of `preinstall`/`postinstall` scripts to run malicious code at install time — a technique StepSecurity named **"Phantom Gyp."** Snyk tracks it as *Node-gyp Supply Chain Compromise June 2026*; **57 packages / 286+ malicious versions** (including **`@vapi-ai/server-sdk` with 408K+ monthly downloads** as the highest-profile victim) were published. Same credential-theft and self-propa… **Am I affected?** ```bash # Check for suspicious packages installed since June 3, 2026 # Look for packages with binding.gyp that are not well-known native addons find node_modules -name "binding.gyp" | while read f; do pkg=$(echo "$f" | cut -d/ -f1-3) echo "$pkg" done # Check install timestamps in npm cache npm cache ls 2>/dev/null | grep -E "2026-06-0[34]" # Snyk scan (updates signatures frequently) npx snyk test ``` If you ran `npm install` on any project… --- ## Cline CVE-2026-44211 — cross-origin WebSocket hijack → RCE (June 2026) _severity=critical | status=active | disclosed=2026-06-01_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cline-cve-2026-44211-websocket-rce.html **CVE-2026-44211** (CVSS 9.7) — Cline (the popular VS Code AI coding agent) starts a WebSocket server on port 3484 with **no authentication and no origin validation**. Any webpage a developer visits can connect to it and execute arbitrary shell commands on their machine. This is a textbook **"localhost is not a security boundary"** 1-click RCE. **Am I affected?** ```bash # Check your installed Cline version code --list-extensions --show-versions | grep saoudrizwan.claude-dev # Or in VS Code: Extensions panel → Cline → version shown # If version is ≤ 2.13.0, you are affected while VS Code is open. ``` You are **actively exposed while Cline is running** (i.e., while VS Code is open with the extension active). Any browser tab you visited between installing a vulnerable version and upgrading is a potential… --- ## codexui-android npm — OpenAI Codex auth-token stealer (June 2026) _severity=high | status=active | disclosed=2026-06-01_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-codexui-android-codex-token-stealer.html **`codexui-android`** (~29K weekly npm downloads) silently exfiltrates the OpenAI Codex OAuth auth blob (`~/.codex/auth.json`) to **`sentry.anyclaw.store/startlog`** on every `postinstall`. The same actor ("BrutalStrike") also delivered the payload via two Android apps (50K+ and 10K+ installs). First documented supply-chain attack targeting **OpenAI Codex authentication tokens specifically**. **Am I affected?** ```bash # Was the package installed? npm ls codexui-android 2>/dev/null cat ~/.npm/_logs/*.log 2>/dev/null | grep codexui-android # Check for the auth token ls -la ~/.codex/auth.json 2>/dev/null # Check npm install history npm ls --global codexui-android 2>/dev/null ``` If `codexui-android` ever ran its `postinstall` on a machine with `~/.codex/auth.json` present, treat the token as stolen. ### IOCs | Type | Value | |---|---| | npm package |… --- ## Miasma — @redhat-cloud-services npm scope compromised by Mini-Shai-Hulud-derived worm (June 2026) _severity=critical | status=contained | disclosed=2026-06-01_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-redhat-cloud-services-compromise.html On **2026-06-01**, Wiz Research and others identified a supply-chain compromise of the **`@redhat-cloud-services` npm scope** — Red Hat's official client libraries used by the Hybrid Cloud Console, Insights, and OpenShift frontends. **32 packages / 96 malicious versions** were published in a roughly **72-second automated burst** ([Aikido](https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm), [Wiz](https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redh… **Am I affected?** ### Check whether any compromised version reached your lockfile ```bash # Any version of the scope installed in the install window npm ls --all 2>/dev/null | grep '@redhat-cloud-services/' # Specific packages confirmed compromised (sample; see Red Hat RHSB-2026-006 for the full list) for p in chrome compliance-client frontend-components rbac-client host-inventory-client \ notifications-client patches-client sources-client subscriptions… --- ## Dependency-confusion recon campaign — 4 waves, 9+ corporate-scope impersonations, escalated to full credential theft (May–Jul 2026) _severity=high | status=active | disclosed=2026-05-29_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-npm-dependency-confusion-recon-campaign.html Microsoft Threat Intelligence disclosed a **dependency-confusion campaign**: a single operator, publishing under three npm aliases (`mr.4nd3r50n`, `ce-rwb`, `t-in-one`), published **33 malicious packages in an initial pair of bursts on May 28, 2026, then a further 12 in a third burst on May 29, 2026 (45 total)** under **9 organizational scopes that mirror real internal corporate namespaces** (e.g. `@cloudplatform-single-spa`, `@data-science`, `@payments-widget`, `@travel-autotests`, `@sber-ecom-… **Am I affected?** ```bash # Check whether any of the actor-linked scopes were ever installed npm ls --all 2>/dev/null | grep -E '@cloudplatform-single-spa|@wb-track|@data-science|@ce-rwb|@payments-widget|@travel-autotests|@t-in-one|@capibar\.chat|@sber-ecom-core|@mlspace|@car-loans|@sber-ecore-core|@emcd-vue|@marketfront|@tqm-mfe' # Audit for any postinstall reaching oob.moika.tech (May wave) or making requests # with an X-Secret header to a /api/v1/events path (… --- ## Cargo May 2026 security release — symlink-override + sparse-URL credential leak (CVE-2026-5223, CVE-2026-5222) _severity=medium | status=patched | disclosed=2026-05-25_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cargo-symlink-sparse-url-cves.html On **2026-05-25** the Rust Security Response Team disclosed two Cargo CVEs, both fixed in **Rust 1.96.0 (released 2026-05-28)**: - **CVE-2026-5223 (medium):** Cargo did not reject **symlinks inside crate tarballs** from third-party registries — a malicious crate could ship a tarball whose extraction wrote files **one directory up** from its own cache and **overwrote the cached source of another crate from the same registry**. crates.io itself is **not affected** because it server-side-rejects s… **Am I affected?** ```bash # Are you on the vulnerable Cargo range? rustc --version # affected if < 1.96.0 (released 2026-05-28) # Do you use any third-party (non-crates.io) Cargo registry? (5223 is most relevant here.) grep -RE '^\[registries\.|^registry *=' ~/.cargo/config.toml .cargo/config.toml 2>/dev/null # If you operate a corporate/mirror Cargo registry: does it reject symlinks in uploads? # - Test by uploading a crate with a symlinked file and confir… --- ## Composio AI-agent platform breach — LLM-augmented attacker registered malicious tool definitions in the execution sandbox (May 2026) _severity=high | status=contained | disclosed=2026-05-22_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-composio-ai-agent-platform-breach.html On **2026-05-21** (01:05 – 09:15 PT), an attacker compromised **Composio** — a popular AI-agent infrastructure platform that brokers ~100 MCP toolkits (GitHub, Gmail, Jira, Notion, Slack, Linear, HubSpot, Drive, Vercel, Sentry, etc.) for downstream agents — by **brute-forcing exploit chains with LLM-generated attack patterns** until they landed in an *internal agentic tool* used to monitor connector health, pivoted that into the **automated-remediation** system, and finally **registered maliciou… **Am I affected?** Yes if **either** of these is true: - You are a **Composio customer** (developer using their API/SDK or their hosted toolkits), **or** - You are an **end-user of an app that connected to Composio on your behalf** (e.g. you authorized a third-party agent's GitHub/Gmail/etc. via Composio's OAuth flow). ```bash # 1. Customer / developer check # Did you have a Composio API key issued before 2026-05-22 23:00 PT? # If yes, it was deleted on 202… --- ## Megalodon — mass GitHub-Actions workflow poisoning of 5,561 repos (May 2026) _severity=critical | status=contained | disclosed=2026-05-22_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-megalodon-github-actions-mass-campaign.html On **2026-05-18**, an automated campaign codenamed **"Megalodon"** pushed **5,718 malicious commits to 5,561 GitHub repositories in a six-hour window**, injecting GitHub Actions workflows that exfiltrate **CI secrets, cloud credentials, SSH keys, OIDC tokens, and source-code secrets** to **`216.126.225.129:8443`**. The attacker never touched npm — they used **stolen GitHub credentials harvested from infostealer infections** (Hudson Rock: **331 of 978 affected accounts (~33%) matched known infost… **Am I affected?** ### Check if your GitHub account is in the leaked-credential pool If you've ever installed an Open VSX extension, run unverified VS Code Marketplace extensions, or your machine has been on the receiving end of a Lumma / RedLine / Atomic Stealer infection in the last year — assume your GitHub PAT is in scope. ### Check your repos for Megalodon's IOCs ```bash # Recent commits authored by the throwaway bot identities, since 2026-05-17 gh api graph… --- ## BadHost — Starlette host-header auth bypass blasts FastAPI, vLLM, LiteLLM, MCP servers (CVE-2026-48710) _severity=critical | status=patched | disclosed=2026-05-22_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-starlette-badhost-host-header-bypass.html **CVE-2026-48710 ("BadHost")** — Starlette < 1.0.1 builds `request.url` from the raw HTTP `Host` header without validation. A single character (`/`, `?`, or `#`) in `Host` shifts the path/query/fragment boundaries when the URL is re-parsed, so middleware that authorizes on `request.url.path` sees a different path than the ASGI router actually dispatched. **Any auth middleware reading `request.url.path` fails open.** Starlette ships ~**325M downloads/week** and sits under **FastAPI, vLLM, LiteLLM… **Am I affected?** ```bash # 1) Is Starlette < 1.0.1 anywhere in your deps? pip show starlette 2>/dev/null | grep -E '^(Name|Version):' pip list 2>/dev/null | grep -i starlette # Locked versions, all envs: grep -RniE 'starlette[<=>!~ ]+[0-9]' requirements*.txt pyproject.toml poetry.lock pdm.lock uv.lock 2>/dev/null # 2) Does any middleware in your code make security decisions from # request.url, request.url.path, or str(request.url)? # Each match is a candi… --- ## TrapDoor — cross-ecosystem stealer poisons .cursorrules / CLAUDE.md (May 2026) _severity=critical | status=active | disclosed=2026-05-22_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trapdoor-cross-ecosystem-stealer.html **TrapDoor** is an active, coordinated supply-chain campaign that pushed **34+ malicious packages across 384+ versions** to **npm, PyPI, and Crates.io** at once (first activity 2026-05-22 20:20 UTC), impersonating crypto/DeFi/AI/security developer tooling. Beyond the usual wallet- and credential-stealing payload, its defining trick is **vibe-coding-specific**: it rewrites your repo's **`.cursorrules` and `CLAUDE.md`** with **zero-width Unicode** to hide a prompt-injection instruction, so your *o… **Am I affected?** ```bash # 1. Did any TrapDoor-named package land in your tree? (names seen so far) npm ls prompt-engineering-toolkit solidity-deploy-guard defi-threat-scanner --all 2>/dev/null pip show prompt-engineering-toolkit solidity-deploy-guard defi-threat-scanner 2>/dev/null grep -REn "prompt-engineering-toolkit|solidity-deploy-guard|defi-threat-scanner|trap-core" \ package-lock.json yarn.lock pnpm-lock.yaml requirements*.txt poetry.lock Cargo.lock 2>/d… --- ## Claude Code network-sandbox SOCKS5 null-byte allowlist bypass (May 2026) _severity=high | status=patched | disclosed=2026-05-20_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-sandbox-socks5-bypass.html Claude Code's **network sandbox** (the allowlist that's supposed to confine the agent to, say, `*.google.com`) could be bypassed with a **SOCKS5 hostname null-byte injection**: a host like `attacker-host.com\x00.google.com` passes the allowlist matcher (it sees the trailing `.google.com`) but the OS truncates at the `\x00` and dials `attacker-host.com`. Every release from **v2.0.24** (sandbox GA, 2025-10-20) through **v2.1.89** was affected — ~130 versions over ~5.5 months. Anthropic **silently … **Am I affected?** You were exposed if you relied on Claude Code's network allowlist as a security boundary on **any version from v2.0.24 through v2.1.89**, especially with a **wildcard / broad allowlist**. ```bash # What version are you on? (≥ 2.1.90 is fixed) claude --version 2>/dev/null # Check the bundled sandbox-runtime (≥ 0.0.43 contains the isValidHost() fix) grep -RIn '"version"' ~/.claude 2>/dev/null | grep -i sandbox # If you keep them, scan agent/prox… --- ## TeamPCP breaches GitHub's internal repos via poisoned VS Code extension (May 2026) _severity=high | status=contained | disclosed=2026-05-20_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-teampcp-github-breach.html On **2026-05-20**, GitHub confirmed that attackers exfiltrated **~3,800 of its own internal repositories** after a GitHub employee installed a **poisoned VS Code extension** on their device. As of **2026-05-21** GitHub and researchers have **named the extension**: the trojanized **Nx Console** build (`nrwl.angular-console` **v18.95.0**) — see the dedicated [Nx Console compromise advisory](2026-05-nx-console-vscode-compromise.md) — and **linked the breach to the [TanStack / Mini Shai-Hulud wave](… **Am I affected?** This is a breach of GitHub's *own* internal repos, not a directly distributed payload — so most readers are not directly compromised. The actionable risk is the **attack pattern**: a poisoned IDE extension on a developer machine. ```bash # List installed VS Code / Cursor / Windsurf extensions and their versions code --list-extensions --show-versions 2>/dev/null cursor --list-extensions --show-versions 2>/dev/null # Review what auto-updated rece… --- ## Mini Shai-Hulud May 19 wave — @antv npm + Microsoft durabletask PyPI (May 2026) _severity=critical | status=active | disclosed=2026-05-19_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mini-shai-hulud-may19-wave.html On **2026-05-19**, threat actor **TeamPCP** (aka PCPcat / DeadCatx3 / UNC6780) ran two more arms of the Mini Shai-Hulud worm in the same window: a compromised npm maintainer account pushed **~637 malicious versions across ~317 npm packages** — the entire **`@antv`** data-viz ecosystem plus `echarts-for-react` (~1.1M weekly downloads), `timeago.js`, `size-sensor`, `canvas-nest.js` — in a ~22-minute automated burst, and three trojanized versions of **Microsoft's official `durabletask` PyPI SDK** (… **Am I affected?** ```bash # npm side — @antv ecosystem + standalone packages npm ls --all 2>/dev/null | grep -E '@antv/|echarts-for-react|timeago\.js|size-sensor|canvas-nest' # Did any land in your lockfile after 2026-05-18? grep -E '@antv/|echarts-for-react|timeago|size-sensor' package-lock.json 2>/dev/null # PyPI side — Microsoft durabletask pip show durabletask 2>/dev/null | grep -E '^(Name|Version):' # Versions 1.4.1 / 1.4.2 / 1.4.3 are malicious. Pin to 1.4… --- ## Nx Console VS Code extension compromised — nrwl.angular-console 18.95.0 (May 2026) _severity=critical | status=contained | disclosed=2026-05-18_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nx-console-vscode-compromise.html On **2026-05-18**, a trojanized build of the **Nx Console** VS Code extension (`nrwl.angular-console` **v18.95.0**, ~**2.2M installs**) was published to the Visual Studio Marketplace and was live for only **~18 minutes** (12:30–12:48 UTC). Within seconds of *any* workspace opening, it pulled a **498 KB credential-stealer** hidden in a **dangling orphan commit inside the official `nrwl/nx` GitHub repo** and exfiltrated GitHub/npm/AWS/Vault/Kubernetes/1Password secrets — and notably **`~/.claude/s… **Am I affected?** You are at risk if you had Nx Console installed with auto-update on between **2026-05-18 12:30 and 12:48 UTC**, or if you manually installed `18.95.0`. ```bash # Is the bad version present? (VS Code / Cursor / Windsurf) code --list-extensions --show-versions 2>/dev/null | grep -i 'nrwl.angular-console' cursor --list-extensions --show-versions 2>/dev/null | grep -i 'nrwl.angular-console' # Inspect the on-disk extension folder for 18.95.0 ls … --- ## Shai-Hulud copycats after the worm source went public (May 2026) _severity=high | status=active | disclosed=2026-05-18_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-shai-hulud-copycat-wave.html On 2026-05-12 TeamPCP **open-sourced the fully weaponized Mini Shai-Hulud worm** to public GitHub and announced a paid "biggest supply-chain attack" **competition on BreachForums**. Within days, low-skill copycats began shipping near-verbatim clones on npm — the first being **`chalk-tempalte`**, a barely-modified copy of the leaked worm with its own C2. A single actor (`deadcode09284814`) published **four malicious packages** mixing a Shai-Hulud clone, plain infostealers, and a **Golang DDoS bot… **Am I affected?** ```bash # Did any of the named copycat packages land in your tree? npm ls chalk-tempalte axois-utils color-style-utils @deadcode09284814/axios-util --all 2>/dev/null # Grep lockfiles directly (catches transitive) grep -REn "chalk-tempalte|axois-utils|color-style-utils|deadcode09284814" \ package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml 2>/dev/null # Known C2 endpoints — check shell history / proxy logs / DNS grep -REn "lhr\.life… --- ## node-ipc compromise (3 malicious versions, May 2026) _severity=critical | status=active | disclosed=2026-05-14_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-node-ipc-compromise.html Three malicious versions of `node-ipc` (~822K weekly downloads) were published to npm on 2026-05-14: **`9.1.6`, `9.2.3`, and `12.0.1`**, each carrying an identical ~80 KB obfuscated payload that exfiltrates 90+ categories of credentials. `node-ipc` is a transitive dependency in countless build toolchains — you can be affected without ever installing it directly. **Am I affected?** ```bash # Show every node-ipc version anywhere in your tree npm ls node-ipc --all # Specifically check for the three bad versions npm ls node-ipc --all | grep -E '9\.1\.6|9\.2\.3|12\.0\.1' ``` ### IOCs | Type | Value | |---|---| | Malicious versions | `node-ipc@9.1.6`, `node-ipc@9.2.3`, `node-ipc@12.0.1` | | npm shasum (12.0.1) | `fe5d107b9d285327af579259a32977c4f475fa26` | | C2 domain | `sh.azurestaticprovider[.]net` | | C2 IP | `37.16.75[.]6… --- ## Svelte CVE-2026-42573 — DOM clobbering of internal framework state leads to XSS (May 2026) _severity=medium | status=patched | disclosed=2026-05-14_ URL: https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-svelte-dom-clobbering-xss.html **CVE-2026-42573** — Svelte `<= 5.55.6` is vulnerable to **DOM clobbering** of its internal framework state: attacker-controlled `id`/`name` attributes on form elements can shadow the properties Svelte relies on internally, letting injected markup be treated as trusted and executed as script. Fixed in **Svelte 5.55.7**. **Am I affected?** ```bash npm ls svelte 2>/dev/null | grep svelte # Vulnerable if svelte <= 5.55.6 ``` You're at risk if your app spreads user-influenced attributes (`{...someProps}`) onto `
` elements and onto ``/`