# Vibe Coding - Security Issue Tracking > Living index of supply-chain attacks, malicious MCP servers, and prompt-injection campaigns relevant to vibe coding. Tracks active supply-chain attacks (npm + PyPI), malicious MCP servers, CVEs in AI coding tools (Cursor, Claude Code, Windsurf, Gemini CLI, Copilot), prompt-injection campaigns, and credential-theft incidents that target people who build with AI coding tools. Every advisory has concrete 'am I affected?' commands, IOCs where available, and links to recovery playbooks. Audience: solo devs and small teams shipping with Cursor, Claude Code, Lovable, v0, Bolt, Replit, Windsurf, Codex. Every page is also available as raw markdown (replace `.html` with `.md` in any URL, or follow the `` declaration). ## Active alerts - [Alerts feed](https://pranava0x0.github.io/vibe-coding-security/alerts.html) ([md](https://pranava0x0.github.io/vibe-coding-security/alerts.md)): single scannable feed of active, recent, and historical incidents - [Atom feed](https://pranava0x0.github.io/vibe-coding-security/feed.xml): subscribe for new advisories in any RSS reader ## Advisories - [Rollup polyfill impersonation — 6 npm packages deliver full RAT, tentatively linked to Lazarus (July 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-rollup-polyfill-npm-lazarus.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-rollup-polyfill-npm-lazarus.md)) [high] 2026-07-04: JFrog disclosed six malicious npm packages — led by rollup-packages-polyfill-core and rollup-runtime-polyfill-core — that impersonate the popular rollup-plugin-polyfill-node (~295,000… - [Claude Desktop personalization-sync prompt injection → reverse shell — Anthropic calls it expected functionality (July 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-claude-desktop-personalization-sync-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-07-claude-desktop-personalization-sync-rce.md)) [high] 2026-07-01: Pentera Labs red teamers showed that Claude Desktop's account-wide personalization/preferences feature — which syncs across every device signed into a Claude account — is an unsandboxed… - [Amazon Q Developer CVE-2026-12957 + CVE-2026-12958 — auto-loading .amazonq/mcp.json runs attacker code with live cloud credentials on repo open (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-amazon-q-mcp-workspace-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-amazon-q-mcp-workspace-rce.md)) [high] 2026-06-26: On April 20, 2026, Wiz Research reported two vulnerabilities to AWS: - [Mozilla 0DIN DNS Setup Trap — clean GitHub repos trick Claude Code into reverse shell via DNS-TXT record command injection (no CVE; no patch as of 2026-06-28)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-0din-dns-setup-trap.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-0din-dns-setup-trap.md)) [high] 2026-06-25: Mozilla's Zero Day Investigative Network (0DIN) demonstrated that a clean GitHub repository containing no malicious code can trick Claude Code into executing an attacker-controlled reverse shell… - [Cursor DuneSlide — two CVSS 9.8 zero-click prompt-injection-to-RCE flaws (CVE-2026-50548, CVE-2026-50549)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cursor-duneslide-zeroclick-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cursor-duneslide-zeroclick-rce.md)) [critical] 2026-06-25: Cato AI Labs disclosed DuneSlide: two CVSS 9.8 zero-click flaws in Cursor IDE (CVE-2026-50548, CVE-2026-50549) that let attacker-controlled content read by the agent — an MCP tool response or a… - [Operation Navy Ghost — 8 fake pyrogram packages on PyPI target Telegram bot developers with full-server backdoor using Telegram as C2 (Jun 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-operation-navy-ghost-pyrogram.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-operation-navy-ghost-pyrogram.md)) [high] 2026-06-25: A threat actor published 8 fake pyrogram forks to PyPI over 6 months (November 2025 – June 2026), planting a hidden backdoor that grants full remote shell and file-system access to any server… - [Cordyceps — CI/CD misconfiguration class in GitHub Actions enables PR-based code execution and credential theft at 300+ major repos](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cordyceps-cicd-github-actions.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cordyceps-cicd-github-actions.md)) [high] 2026-06-24: The Cordyceps class has three forms: - [Miasma LeoPlatform + Go ecosystem wave — 20 npm packages + Go module + GitHub Actions compromise (June 24 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-leoplatform-go-wave.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-leoplatform-go-wave.md)) [critical] 2026-06-24: On 2026-06-24 at 23:04:55 UTC, a compromised npm maintainer account (czirker) published 20 malicious versions of LeoPlatform / RStreams npm packages in a 3-second burst, using the Phantom Gyp… - [Dify DifyTap — 4 CVEs allow cross-tenant AI conversation exfiltration (1M+ apps affected; patched 1.14.2)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-dify-difytap-cross-tenant-exfil.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-dify-difytap-cross-tenant-exfil.md)) [high] 2026-06-22: Zafran Security disclosed 4 CVEs in Dify (the open-source LLM app builder powering 1M+ applications across 50+ industries) that allow authenticated attackers to read private AI conversations from… - [IDEsaster — 30+ security flaws (24 CVEs) in Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed, Roo Code, Junie, Cline (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-idessaster-ai-ide-cve-cluster.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-idessaster-ai-ide-cve-cluster.md)) [high] 2026-06-17: Security researchers disclosed 30+ flaws (24 assigned CVEs) across 8 AI coding tools simultaneously — Cursor, Windsurf, Kiro.dev, GitHub Copilot (VS Code), Zed.dev, Roo Code, Junie, and Cline — in… - [15 malicious JetBrains Marketplace plugins steal AI provider API keys on entry (70K+ installs)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-jetbrains-ide-plugins-ai-key-theft.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-jetbrains-ide-plugins-ai-key-theft.md)) [high] 2026-06-17: Security researchers reported 15 malicious plugins on the JetBrains Marketplace targeting developers who configure AI provider credentials inside their IDE. The plugins mimic legitimate AI coding… - [Mastra AI npm namespace compromise — 145 @mastra/* packages carry easy-day-js typosquat RAT via hijacked contributor account `ehindero` (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-mastra-ai-npm-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-mastra-ai-npm-compromise.md)) [critical] 2026-06-17: A hijacked npm contributor account (ehindero) was used to inject easy-day-js — a typosquat of the popular dayjs date library — as a dependency across 145 packages (corrected from… - [Langflow CVE-2026-5027 — unauthenticated path traversal → RCE via file upload endpoint (distinct from CVE-2026-33017)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langflow-cve-2026-5027-path-traversal.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langflow-cve-2026-5027-path-traversal.md)) [high] 2026-06-16: In June 2026, researchers disclosed CVE-2026-5027: a path traversal vulnerability in the POST /api/v2/files endpoint. The filename field in the multipart upload request was not sanitized — an… - [Microsoft 365 Copilot SearchLeak (CVE-2026-42824) — 1-click exfil of emails, MFA codes, and OneDrive files via parameter-to-prompt injection + CSP bypass](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-copilot-searchleak-cve-2026-42824.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-copilot-searchleak-cve-2026-42824.md)) [high] 2026-06-15: The Copilot Enterprise Search URL accepts a q= parameter. When a user clicks a link containing a malicious q= value, Copilot processes the injected text as a high-trust user prompt rather than a… - [PromptSnatcher — malicious Chrome ad-blocker extensions intercept AI chatbot conversations from 900K users across 8 platforms](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-promptsnatcher-chrome-ai-chat-stealer.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-promptsnatcher-chrome-ai-chat-stealer.md)) [high] 2026-06-14: Security researchers named PromptSnatcher: at least two malicious Chrome browser extensions masquerading as ad-blockers have been silently intercepting full AI chatbot conversations — including… - [AutoJack — Microsoft Research AutoGen Studio 3-flaw chain: browsing agent renders attacker page → localhost MCP WebSocket → unauthenticated RCE](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-autojack-autogen-studio-mcp-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-autojack-autogen-studio-mcp-rce.md)) [high] 2026-06-13: Microsoft Research's AutoGen Studio — the visual IDE for AutoGen multi-agent systems — contains a 3-flaw chain discovered by independent security researchers and named "AutoJack": (1) the AutoGen… - [Agentjacking — Sentry DSN injection via MCP poisons AI coding agent context (2,388 orgs exposed)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-agentjacking-sentry-mcp-injection.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-agentjacking-sentry-mcp-injection.md)) [high] 2026-06-12: Tenet Security disclosed Agentjacking on 2026-06-12: attackers inject malicious instructions into Sentry error data (DSN-routed issue bodies, breadcrumbs, stack-frame locals), which AI coding… - [Klue AI integration breach — Icarus extortion group steals Salesforce/HubSpot/Slack OAuth tokens from CRM data via AI productivity tool (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-klue-icarus-oauth-breach.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-klue-icarus-oauth-breach.md)) [high] 2026-06-12: The Icarus extortion group breached Klue, an AI-powered competitive intelligence platform, on 2026-06-11 to 2026-06-12 by exploiting OAuth tokens Klue held on behalf of customers. Attackers used… - [Atomic Arch — AUR supply-chain attack: 1,500+ community packages hijacked via orphaned-package takeover; eBPF rootkit for persistence (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-arch-linux-aur-supply-chain.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-arch-linux-aur-supply-chain.md)) [high] 2026-06-11: The campaign now called "Atomic Arch" hijacked 1,500+ packages in the Arch Linux AUR (Arch User Repository) — up from the initially-reported 400+, as researchers expanded their scope. Attackers… - [onering Rust crate compromised — build.rs exfiltrates your source code as fake Sentry telemetry (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-onering-rust-crate-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-onering-rust-crate-compromise.md)) [high] 2026-06-10: On 2026-06-10, Aikido Security detected malicious behavior in onering v1.4.1 — a Rust synchronous queue/channels library (~18K Crates.io downloads). The malicious version injected a build.rs… - [Solana FakeFix Campaign — 25 malicious npm + PyPI packages steal wallet keys and developer secrets via GitHub issue spam (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-solana-fakefix-campaign.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-solana-fakefix-campaign.md)) [high] 2026-06-10: The "Solana FakeFix" campaign planted 25 malicious packages (16 npm + 4 PyPI + 5 additional CMS-loader variants) that impersonate Solana Web3 SDK tooling, promoted via fake GitHub issue spam on… - [Streamlit CVE-2026-33682 — unauthenticated SSRF on Windows leaks NTLMv2 credentials (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-streamlit-ssrf-windows.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-streamlit-ssrf-windows.md)) [high] 2026-06-10: Streamlit's static-file serving resolves filesystem paths using os.path.realpath() or Path.resolve() before validating the supplied path. On Windows, supplying a UNC path (e.g.,… - [SymJack — symlink hijacking tricks AI coding agents into registering attacker-controlled MCP servers (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-symjack-ai-coding-agent-mcp-symlink.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-symjack-ai-coding-agent-mcp-symlink.md)) [high] 2026-06-10: On 2026-06-10, Adversa AI published research on SymJack — a symlink-based attack that exploits a fundamental gap between what AI coding agents display to developers for approval and what the… - [LangGraph RCE chain — SQLite SQL injection + msgpack deserialization → arbitrary code execution (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langgraph-rce-chain.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-langgraph-rce-chain.md)) [critical] 2026-06-09: Security researcher Yarden Porat discovered a two-CVE chain in LangGraph that allows any attacker who can supply a filter query to a self-hosted LangGraph deployment to achieve arbitrary code… - [Hades Campaign — 19 PyPI bioinformatics + MCP-developer packages poisoned with Bun credential stealer (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-hades-campaign-pypi-mcp-attack.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-hades-campaign-pypi-mcp-attack.md)) [critical] 2026-06-08: On 2026-06-08, StepSecurity identified a sophisticated supply-chain campaign — dubbed "Hades" — that poisoned 19 PyPI packages across 37 malicious wheel artifacts in two distinct target… - [Gluestack @react-native-aria RAT via compromised contributor token (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-gluestack-react-native-aria-rat.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-gluestack-react-native-aria-rat.md)) [critical] 2026-06-06: A compromised npm contributor token let attackers publish 17 of the 20 @react-native-aria packages plus @gluestack-ui/utils (~960K weekly downloads) with a hidden Remote Access Trojan (RAT)… - [Miasma Wave 5 — 73 Microsoft Azure GitHub repos + mantine-datatable compromised; payload auto-fires via Claude Code / Cursor / Gemini CLI (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-wave5-microsoft-azure-github.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-wave5-microsoft-azure-github.md)) [critical] 2026-06-05: On 2026-06-05, attackers leveraged a previously compromised contributor account (a credential stolen during the Phantom Gyp / binding.gyp wave 4 campaign from June 3–4) to push malicious commits… - [Claude Code GitHub Actions [bot] trust bypass — supply chain risk on any repo using claude-code-action (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-github-actions-bot-bypass.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-github-actions-bot-bypass.md)) [high] 2026-06-04: checkWritePermissions() in Claude Code's GitHub Actions workflow trusted any actor whose username ends in [bot] regardless of actual permissions. Combined with prompt injection, an unauthenticated… - [IronWorm — Rust-based npm worm with eBPF rootkit + Tor C2 (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-ironworm-npm-rust-ebpf.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-ironworm-npm-rust-ebpf.md)) [critical] 2026-06-04: A new self-propagating npm supply-chain worm called IronWorm hit 36 packages in June 2026, deploying a Rust ELF binary that hides behind an eBPF kernel rootkit and exfiltrates credentials over Tor… - [Phantom Gyp — Miasma wave 4: self-propagating npm worm via binding.gyp (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-phantom-gyp-miasma-wave4.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-phantom-gyp-miasma-wave4.md)) [critical] 2026-06-04: A fourth wave of the Miasma / Shai-Hulud worm lineage hit npm on June 3–4, 2026, using binding.gyp instead of preinstall/postinstall scripts to run malicious code at install time — a technique… - [Cline CVE-2026-44211 — cross-origin WebSocket hijack → RCE (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cline-cve-2026-44211-websocket-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-cline-cve-2026-44211-websocket-rce.md)) [critical] 2026-06-01: Cline versions ≤ 2.13.0 launch a local WebSocket server (the Kanban board server) on port 3484 when the VS Code extension activates. This server: - [codexui-android npm — OpenAI Codex auth-token stealer (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-codexui-android-codex-token-stealer.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-codexui-android-codex-token-stealer.md)) [high] 2026-06-01: On or around 2026-06-01, Aikido Security flagged codexui-android as a malicious npm package. The package presents a clean GitHub source repository — the attack lives entirely in the pre-built… - [Miasma — @redhat-cloud-services npm scope compromised by Mini-Shai-Hulud-derived worm (June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-redhat-cloud-services-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-miasma-redhat-cloud-services-compromise.md)) [critical] 2026-06-01: On 2026-06-01, Wiz Research and others identified a supply-chain compromise of the @redhat-cloud-services npm scope — Red Hat's official client libraries used by the Hybrid Cloud Console,… - [Dependency-confusion recon campaign — 4 waves, 9+ corporate-scope impersonations, escalated to full credential theft (May–Jul 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-npm-dependency-confusion-recon-campaign.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-npm-dependency-confusion-recon-campaign.md)) [high] 2026-05-29: Microsoft Threat Intelligence disclosed a dependency-confusion campaign: a single operator, publishing under three npm aliases (mr.4nd3r50n, ce-rwb, t-in-one), published 33 malicious packages in… - [Cargo May 2026 security release — symlink-override + sparse-URL credential leak (CVE-2026-5223, CVE-2026-5222)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cargo-symlink-sparse-url-cves.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cargo-symlink-sparse-url-cves.md)) [medium] 2026-05-25: On 2026-05-25 the Rust Security Response Team disclosed two Cargo CVEs, both fixed in Rust 1.96.0 (released 2026-05-28): - [Composio AI-agent platform breach — LLM-augmented attacker registered malicious tool definitions in the execution sandbox (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-composio-ai-agent-platform-breach.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-composio-ai-agent-platform-breach.md)) [high] 2026-05-22: On 2026-05-21 (01:05 – 09:15 PT), an attacker compromised Composio — a popular AI-agent infrastructure platform that brokers ~100 MCP toolkits (GitHub, Gmail, Jira, Notion, Slack, Linear, HubSpot,… - [Megalodon — mass GitHub-Actions workflow poisoning of 5,561 repos (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-megalodon-github-actions-mass-campaign.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-megalodon-github-actions-mass-campaign.md)) [critical] 2026-05-22: On 2026-05-18, an automated campaign codenamed "Megalodon" pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window, injecting GitHub Actions workflows that exfiltrate CI… - [BadHost — Starlette host-header auth bypass blasts FastAPI, vLLM, LiteLLM, MCP servers (CVE-2026-48710)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-starlette-badhost-host-header-bypass.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-starlette-badhost-host-header-bypass.md)) [critical] 2026-05-22: Starlette reconstructs request.url by concatenating the HTTP Host header with the request path and re-parsing the result. The Host value is not validated against RFC 9112 § 3.2 / RFC 3986 § 3.2.2… - [TrapDoor — cross-ecosystem stealer poisons .cursorrules / CLAUDE.md (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trapdoor-cross-ecosystem-stealer.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trapdoor-cross-ecosystem-stealer.md)) [critical] 2026-05-22: Socket flagged TrapDoor on 2026-05-24/25 as a single actor publishing in timed waves from a cluster of accounts across three registries simultaneously. The packages use deceptive,… - [Claude Code network-sandbox SOCKS5 null-byte allowlist bypass (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-sandbox-socks5-bypass.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-sandbox-socks5-bypass.md)) [high] 2026-05-20: Claude Code's network sandbox (the allowlist that's supposed to confine the agent to, say, .google.com) could be bypassed with a SOCKS5 hostname null-byte injection: a host like… - [TeamPCP breaches GitHub's internal repos via poisoned VS Code extension (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-teampcp-github-breach.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-teampcp-github-breach.md)) [high] 2026-05-20: On 2026-05-20, GitHub confirmed that attackers exfiltrated ~3,800 of its own internal repositories after a GitHub employee installed a poisoned VS Code extension on their device. As of 2026-05-21… - [Mini Shai-Hulud May 19 wave — @antv npm + Microsoft durabletask PyPI (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mini-shai-hulud-may19-wave.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mini-shai-hulud-may19-wave.md)) [critical] 2026-05-19: On 2026-05-19, threat actor TeamPCP (aka PCPcat / DeadCatx3 / UNC6780) ran two more arms of the Mini Shai-Hulud worm in the same window: a compromised npm maintainer account pushed ~637 malicious… - [Nx Console VS Code extension compromised — nrwl.angular-console 18.95.0 (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nx-console-vscode-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nx-console-vscode-compromise.md)) [critical] 2026-05-18: On 2026-05-18, a trojanized build of the Nx Console VS Code extension (nrwl.angular-console v18.95.0, ~2.2M installs) was published to the Visual Studio Marketplace and was live for only ~18… - [Shai-Hulud copycats after the worm source went public (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-shai-hulud-copycat-wave.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-shai-hulud-copycat-wave.md)) [high] 2026-05-18: On 2026-05-12 TeamPCP open-sourced the fully weaponized Mini Shai-Hulud worm to public GitHub and announced a paid "biggest supply-chain attack" competition on BreachForums. Within days, low-skill… - [node-ipc compromise (3 malicious versions, May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-node-ipc-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-node-ipc-compromise.md)) [critical] 2026-05-14: Three malicious versions of node-ipc (~822K weekly downloads) were published to npm on 2026-05-14: 9.1.6, 9.2.3, and 12.0.1, each carrying an identical ~80 KB obfuscated payload that exfiltrates… - [Svelte CVE-2026-42573 — DOM clobbering of internal framework state leads to XSS (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-svelte-dom-clobbering-xss.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-svelte-dom-clobbering-xss.md)) [medium] 2026-05-14: Svelte attaches internal reactivity/framework state directly to DOM elements at runtime rather than keeping it fully isolated in JavaScript objects. According to the GitHub Security Advisory… - [OpenClaw 'Claw Chain' — 4 chainable sandbox-escape flaws (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-openclaw-claw-chain.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-openclaw-claw-chain.md)) [critical] 2026-05-13: Cyera Research disclosed four chainable vulnerabilities in OpenClaw — the autonomous AI agent that rocketed to 135K+ GitHub stars in early 2026 — collectively dubbed "Claw Chain." The chain… - [Claude Code claude-cli:// deeplink RCE (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-deeplink-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claude-code-deeplink-rce.md)) [critical] 2026-05-12: Anthropic's Claude Code CLI shipped a naive command-line argument parser (eagerParseCliFlag in main.tsx) that scanned the whole argv for any string beginning with --settings=, without tracking… - [PraisonAI authentication bypass — CVE-2026-44338 + platform CVEs (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-praisonai-auth-bypass.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-praisonai-auth-bypass.md)) [high] 2026-05-11: On 2026-05-11 at 13:56 UTC, GitHub published advisory GHSA-6rmh-7xcm-cpxj for PraisonAI, an open-source multi-agent orchestration framework. The legacy Flask entrypoint shipped with two… - [Mini Shai-Hulud wave — TanStack, Mistral, UiPath, OpenSearch (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-tanstack-mini-shai-hulud.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-tanstack-mini-shai-hulud.md)) [critical] 2026-05-11: Over a 48-hour window on 2026-05-11 → 2026-05-12, the Mini Shai-Hulud worm — operated by threat actor group TeamPCP — compromised 172 unique packages across 403 malicious versions on npm and PyPI.… - [Cursor 'Open-Folder' autorun + Git-hook RCE (CVE-2026-26268, CVE-2026-22708, CVE-2026-32202, May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cursor-open-folder-autorun.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-cursor-open-folder-autorun.md)) [high] 2026-05-08: A cluster of Cursor IDE vulnerabilities disclosed in May 2026 turn the act of opening — or just cloning — a repo into silent RCE on the developer's machine. CVE-2026-26268 (Novee, high severity) —… - [Microsoft Semantic Kernel — prompt injection to RCE (CVE-2026-25592, CVE-2026-26030, May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-semantic-kernel-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-semantic-kernel-rce.md)) [critical] 2026-05-07: On 2026-05-07, Microsoft disclosed two RCE flaws in Semantic Kernel, its open-source agent framework. CVE-2026-25592 (.NET SDK, CVSS 10.0) — an internal DownloadFileAsync helper was accidentally… - [TrustFall — AI coding CLIs auto-execute MCP servers on folder trust (Claude Code, Cursor, Gemini CLI, Copilot CLI, Codex CLI)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trustfall-mcp-auto-execute.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-trustfall-mcp-auto-execute.md)) [high] 2026-05-07: Adversa AI published TrustFall on 2026-05-07 after testing all four major agentic coding CLIs: Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI. A follow-up confirmed the same behavior… - [ClaudeBleed — Claude in Chrome extension hijack (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claudebleed-chrome-extension.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-claudebleed-chrome-extension.md)) [high] 2026-05-06: Anthropic's "Claude in Chrome" extension exposes an externallyconnectable message handler that lets any other Chrome extension — even a zero-permission one — issue commands to the Claude agent in… - [Next.js + React May 2026 security release — 13 CVEs, including unauth SSRF (CVE-2026-44578)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nextjs-react-security-release.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-nextjs-react-security-release.md)) [high] 2026-05-06: On 2026-05-06 → 05-07, Vercel published Next.js 15.5.18 and 16.2.6, rolling up 13 advisories — 7 high, 4 moderate, 2 low, including one upstream React Server Components vuln (CVE-2026-23870). The… - [Systemic MCP stdio RCE class — 200,000+ servers exposed (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mcp-stdio-systemic-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-mcp-stdio-systemic-rce.md)) [high] 2026-05: OX Security disclosed a systemic, class-level vulnerability in the Model Context Protocol's stdio transport in May 2026. Audit of public-facing instances found 7,000 vulnerable MCP servers on… - [PCPJack — credential-stealing counter-worm that removes TeamPCP infections (May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-pcpjack-counter-worm.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-pcpjack-counter-worm.md)) [high] 2026-05: SentinelLabs identified PCPJack as a new malware framework distinct from TeamPCP, possibly developed by a former TeamPCP affiliate or member who started an independent operation. The… - [Windsurf zero-click MCP prompt-injection RCE (CVE-2026-30615)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-windsurf-zero-click-mcp-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-windsurf-zero-click-mcp-rce.md)) [critical] 2026-05: OX Security audited the MCP write-paths in major AI coding tools and found a class-wide vulnerability — prompt-injectable content read by the agent could trigger writes to the user's MCP… - [PyTorch Lightning + intercom-client compromise (Mini Shai-Hulud, April–May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-pytorch-lightning-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-pytorch-lightning-compromise.md)) [critical] 2026-04-30: On 2026-04-30, attackers — the same TeamPCP / Mini Shai-Hulud crew behind the TanStack wave and SAP packages — published trojanized PyPI builds of pytorch-lightning 2.6.2 and 2.6.3 (Lightning AI… - [Claude Code GitHub Action's unsandboxed Read tool leaks CI/CD secrets via /proc/self/environ (patched in Claude Code 2.1.128)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-action-procfs-credential-leak.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-action-procfs-credential-leak.md)) [high] 2026-04-29: Microsoft Threat Intelligence found that Claude Code's Read tool did not get the same sandboxing as the Bash tool, so a prompt-injected instruction hidden in a GitHub issue, PR, or comment could… - [elementary-data PyPI + GHCR compromise — malicious .pth auto-exec (April 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-elementary-data-pypi-ghcr-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-elementary-data-pypi-ghcr-compromise.md)) [critical] 2026-04-24: On 2026-04-24, attackers published a malicious elementary-data==0.23.3 to PyPI (uploaded 22:20:47 UTC) and poisoned the matching Docker images on GHCR (ghcr.io/elementary-data/elementary). The… - [LiteLLM proxy pre-auth SQL injection — CVE-2026-42208 (April 2026, CISA KEV) + CVE-2026-42271 (June 2026, actively exploited)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-litellm-sql-injection.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-litellm-sql-injection.md)) [critical] 2026-04-24: LiteLLM is an open-source LLM gateway/proxy widely used in vibe-coding stacks as the OpenAI-compatible front-end for Anthropic, AWS Bedrock, Azure OpenAI, Google Vertex, Cohere, and dozens of… - [Bitwarden CLI backdoored — first supply-chain attack to hunt AI-coding-tool creds (April 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-bitwarden-cli-shai-hulud-third-coming.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-bitwarden-cli-shai-hulud-third-coming.md)) [critical] 2026-04-22: On 2026-04-22, a malicious @bitwarden/cli v2026.4.0 (the package has ~70K weekly / ~250K monthly downloads) was published to npm and stayed live for ~90 minutes (≈17:57–19:30 ET) before takedown —… - [Vercel breach via Context.ai OAuth supply chain (April 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vercel-context-ai-breach.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vercel-context-ai-breach.md)) [high] 2026-04-19: On 2026-04-19 Vercel published a security bulletin disclosing that an attacker had pivoted from a third-party AI productivity tool (Context.ai) into a Vercel employee's Workspace, then into… - [Claude Code MCP OAuth token hijack via malicious npm postinstall hook — Anthropic won't fix](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-mcp-oauth-hijack.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-06-claude-code-mcp-oauth-hijack.md)) [high] 2026-04-10: Mitiga Labs disclosed a 5-step attack chain where a malicious npm package's postinstall hook modifies ~/.claude.json to intercept MCP OAuth bearer tokens (Jira, Confluence, GitHub, and any other… - [Marimo notebook pre-auth RCE (CVE-2026-39987) — exploited in under 10 hours (April 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-marimo-notebook-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-marimo-notebook-rce.md)) [critical] 2026-04-08: Marimo exposes several WebSocket endpoints. The general /ws endpoint correctly calls validateauth() before accepting a connection. The /terminal/ws endpoint does not — it only checks whether the… - [Flowise RCE cluster — CVE-2025-59528 actively exploited + April 2026 Agent-node cluster (CVE-2026-41265 et al.)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-flowise-rce-cluster.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-flowise-rce-cluster.md)) [critical] 2026-04-07: Flowise stores upstream-provider API keys for OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Cohere, Mistral, and similar — the same "central credentials cache" problem as LiteLLM, but for… - [Vite dev-server WebSocket arbitrary file read + fs.deny bypasses (CVE-2026-39363, CVE-2026-39364, CVE-2026-39365)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vite-dev-server-file-read.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-vite-dev-server-file-read.md)) [high] 2026-04-06: Three related flaws in Vite's dev server let an attacker who can reach it over the network (e.g. it was started with --host or otherwise exposed) read arbitrary files on the machine — including… - [Claude Code deny-rule bypass via 50-subcommand parser cap (silently patched in v2.1.90)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-subcommand-deny-bypass.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-claude-code-subcommand-deny-bypass.md)) [high] 2026-04-02: Adversa AI found that Claude Code's bash-command permission checker (bashPermissions.ts) stopped enforcing configured deny rules entirely on any compound shell command with more than 50… - ['Comment and Control' — prompt injection via GitHub PRs/issues hits Claude Code Security Review, Gemini CLI Action, Copilot Agent (April 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-comment-and-control-pr-injection.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-comment-and-control-pr-injection.md)) [critical] 2026-04: Researcher Aonan Guan (with JHU's Zhengyu Liu and Gavin Zhong) disclosed "Comment and Control" in April 2026: a class of prompt-injection attack where a payload in a GitHub PR title, issue body,… - [Mini Shai-Hulud — SAP-related npm packages (April–May 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-mini-shai-hulud-sap.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-04-mini-shai-hulud-sap.md)) [high] 2026-04: A Mini Shai-Hulud variant targeting the SAP ecosystem compromised mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite, and related packages starting in April 2026. The payload harvests local… - [Axios npm package compromise (March 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-axios-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-axios-compromise.md)) [critical] 2026-03-31: On 2026-03-31, two malicious versions of axios (70M+ weekly downloads) were published. They connected to a C2 owned by the Sapphire Sleet threat actor to pull a remote access trojan. Because Axios… - [Claude Code source-map leak — 512K lines of internal TypeScript shipped in npm package (March 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claude-code-source-map-leak.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claude-code-source-map-leak.md)) [medium] 2026-03-31: On 2026-03-31, Anthropic published a release of the @anthropic-ai/claude-code npm package that included a 59.8 MB source-map file exposing ~512,000 lines of unobfuscated TypeScript across roughly… - [OpenHands git-diff command injection — CVE-2026-33718 (March 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-openhands-git-diff-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-openhands-git-diff-rce.md)) [high] 2026-03-27: GitHub advisory GHSA-7h8w-hj9j-8rjw (published 2026-03-27) describes the bug: the filepath argument supplied to the git-diff API endpoint is directly interpolated into a shell command string and… - [Claudy Day — three chained Claude.ai flaws exfiltrate conversation history via hidden URL-parameter prompt injection (March 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claudy-day-claude-ai-exfiltration.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-claudy-day-claude-ai-exfiltration.md)) [high] 2026-03-18: Oasis Security disclosed "Claudy Day": three chainable flaws in Claude.ai / claude.com that together let an attacker deliver a single crafted link and silently exfiltrate a victim's Claude… - [Langflow unauthenticated RCE — CVE-2026-33017 (March 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-langflow-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-langflow-rce.md)) [critical] 2026-03-17: Langflow disclosed CVE-2026-33017 on 2026-03-17. The root cause is unsafe handling of user-controlled input in the public flow-build endpoint (buildpublictmp): the input is evaluated within a… - [TeamPCP breaches Trivy GitHub Actions → LiteLLM 1.82.7–1.82.8 backdoored (March 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-trivy-litellm-supply-chain.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-trivy-litellm-supply-chain.md)) [critical] 2026-03-12: TeamPCP force-pushed malicious tags across 75 of 76 aquasecurity/trivy-action release tags, injecting a malicious entrypoint.sh. Any CI pipeline running an unpinned uses:… - [Supabase Auth OIDC issuer-validation bypass — CVE-2026-31813 (March 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-supabase-auth-oidc-bypass.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-supabase-auth-oidc-bypass.md)) [high] 2026-03-11: GitHub published advisory GHSA-v36f-qvww-8w8m on 2026-03-11 (rated Moderate by GitHub; high-impact in practice because it's an authentication bypass). The bug: when Supabase Auth processes an ID… - [ModelScope ms-agent OS command injection via Shell tool (CVE-2026-2256) — unpatched, public PoC, CERT/CC advisory](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-msagent-cve-2026-2256-shell-injection.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-msagent-cve-2026-2256-shell-injection.md)) [medium] 2026-03-02: ModelScope's ms-agent is a Python-based open-source framework for building AI agents capable of executing OS commands, running code, analyzing data, and interacting with tools via the Model… - [PolinRider — ongoing DPRK-linked campaign backdoors npm, Packagist, Go, and a Chrome extension via maintainer-account takeover (Mar 2026–ongoing)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-polinrider-multi-ecosystem-dprk-campaign.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-polinrider-multi-ecosystem-dprk-campaign.md)) [high] 2026-03-01: First flagged by the OpenSourceMalware team around 2026-03, PolinRider involves DPRK-linked threat actors — tied to the broader Contagious Interview / Famous Chollima developer-targeting cluster —… - [SGLang unauth RCE cluster — CVE-2026-3059 / CVE-2026-3060 (pickle ZMQ, CVSS 9.8) + CVE-2026-5760 (GGUF model RCE)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-sglang-unauth-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-03-sglang-unauth-rce.md)) [critical] 2026-03: Three critical unauthenticated RCE vulnerabilities in SGLang (the fast LLM inference and serving framework, ~1M monthly PyPI downloads) form a cluster: CVE-2026-3059 and CVE-2026-3060 (CVSS 9.8… - [Langflow CVE-2026-27966 — CSV Agent hardcodes allow_dangerous_code=True → unauthenticated prompt-injection RCE (CVSS 9.8)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-langflow-cve-2026-27966-csv-agent-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-langflow-cve-2026-27966-csv-agent-rce.md)) [critical] 2026-02-25: The CSV Agent node's source code contained the line: - [SANDWORM_MODE — Shai-Hulud-style npm worm with MCP injection, CI implant, and 48-hour delayed activation (Feb 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-sandworm-mode-npm-worm.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-sandworm-mode-npm-worm.md)) [critical] 2026-02-17: Socket's Threat Research Team identified at least 19 malicious npm packages across two publisher aliases (confirmed; number may grow). The campaign name comes from SANDWORM environment-variable… - [Claude Desktop Extensions (DXT) zero-click RCE — Anthropic declines to fix (Feb 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-claude-desktop-extensions-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-claude-desktop-extensions-rce.md)) [critical] 2026-02-09: LayerX disclosed (report dated 2026-02-09, with renewed coverage around RSAC in May 2026) that DXT extensions are not sandboxed and execute with the user's full local privileges. Claude can… - [Cline 'Clinejection' — AI triage bot → npm publish supply chain (February 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-cline-clinejection.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-cline-clinejection.md)) [critical] 2026-02-09: On 2026-02-09, security researcher Adnan Khan publicly disclosed "Clinejection" — a chain in the Cline AI coding agent's GitHub repo that let a maliciously titled issue tell Cline's own triage bot… - [ClawHavoc — mass malicious-skill poisoning of OpenClaw's ClawHub marketplace (February 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-clawhavoc-clawhub-skills.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-clawhavoc-clawhub-skills.md)) [high] 2026-02-01: Koi Security found that ClawHub — the open-by-default skill marketplace for the self-hosted OpenClaw AI agent (formerly Clawdbot / Moltbot) — was flooded with malicious "skills" that install the… - [OpenClaw 1-click RCE via WebSocket gateway-URL token theft (CVE-2026-25253, Jan 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-openclaw-cve-2026-25253-gatewayurl-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-openclaw-cve-2026-25253-gatewayurl-rce.md)) [critical] 2026-01-26: OpenClaw (formerly Clawdbot/Moltbot) ships a browser-based Control UI that connects to a WebSocket gateway on localhost. The UI's applySettingsFromUrl() function read a gatewayUrl parameter… - [SvelteSpill — SvelteKit + Vercel cache deception exposes authenticated responses (CVE-2026-27118, Jan 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-sveltespill-sveltekit-vercel-cache-deception.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-sveltespill-sveltekit-vercel-cache-deception.md)) [high] 2026-01-20: Aikido Security's AI-assisted pentesting tooling discovered on 2026-01-20 that @sveltejs/adapter-vercel accepted a pathname query parameter intended purely for internal routing/rewriting, without… - [OpenCode AI coding agent — twin localhost RCEs (CVE-2026-22812 + CVE-2026-22813)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-opencode-localhost-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-opencode-localhost-rce.md)) [critical] 2026-01-12: OpenCode is an open-source AI coding agent (anomalyco/opencode, 71K+ GitHub stars) — comparable to aider, Claude Code, Cursor, Cline, Codex CLI, and the OpenHands/OpenClaw family. Developers run… - [LangSmith CVE-2026-25750 unvalidated baseUrl → account takeover (January 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-langsmith-account-takeover.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-langsmith-account-takeover.md)) [high] 2026-01-07: On 2026-01-07, Miggo Research disclosed two chained vulnerabilities in LangSmith, LangChain's observability and tracing platform used by AI development teams to monitor LLM calls, trace agent… - [Google Antigravity sandbox escape via fd flag injection (Pillar Security, Feb 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-google-antigravity-sandbox-escape.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-02-google-antigravity-sandbox-escape.md)) [high] 2026-01-07: Pillar Security disclosed a Secure Mode bypass in Google Antigravity — Google's agentic IDE — that turns a prompt injection into full RCE. The bug: the findbyname tool fired before any… - [AI IDEs recommend non-existent extensions — OpenVSX namespace hijack (Jan 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-vscode-fork-recommended-extension-hijack.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-01-vscode-fork-recommended-extension-hijack.md)) [high] 2026-01-05: Koi Security found that the major VS Code-fork AI IDEs — Cursor, Windsurf, Google Antigravity, and Trae — ship a recommended-extensions list that points at extensions which don't exist on OpenVSX… - [Shai-Hulud 3.0 test payload — @vietmoney/react-big-calendar@0.26.2 (Dec 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-shai-hulud-3-test-payload.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-shai-hulud-3-test-payload.md)) [high] 2025-12-28: A third generation of the Shai-Hulud worm ("Shai-Hulud 3.0" / Snyk's "Holiday Whisper") landed on npm on 2025-12-28 as a single low-profile package — @vietmoney/react-big-calendar@0.26.2 — with… - [LangChain LangGrinch + path-traversal + SSRF + SQLi (CVE-2025-68664, CVE-2026-34070, CVE-2026-26019, CVE-2025-67644)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-langchain-langgrinch.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-langchain-langgrinch.md)) [critical] 2025-12-23: On 2025-12-23, Cyata disclosed CVE-2025-68664 ("LangGrinch") to LangChain. The bug lived in langchaincore.load.dump.dumps() / dumpd(): when serializing a "free-form dictionary" that happened to… - [React2Shell — CVE-2025-55182 RCE in React Server Components (Dec 2025 → exploited through Apr 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-react2shell-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-12-react2shell-rce.md)) [critical] 2025-12-05: Security researchers disclosed a critical deserialization vulnerability in React's Flight protocol — the wire format used to stream React Server Component payloads. React did not properly validate… - [Shai-Hulud 'The Second Coming' (November 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-11-shai-hulud-second-coming.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-11-shai-hulud-second-coming.md)) [critical] 2025-11-24: On 2025-11-24, attackers launched the second Shai-Hulud wave: 492 npm packages (132M monthly downloads) trojanized, including packages from Zapier, ENS Domains, PostHog, and Postman. The worm… - [n8n Ni8mare + RCE cluster — CVSS 10.0 unauth takeover of workflow automation (Nov 2025 → June 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-11-n8n-ni8mare-rce.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-11-n8n-ni8mare-rce.md)) [critical] 2025-11-09: Security researcher Dor Attias reported CVE-2026-21858 on November 9, 2025. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary system commands on the host running… - [Cursor & Windsurf ship stale Chromium — 94+ n-day vulns, 1.8M devs (Oct 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-cursor-windsurf-chromium-ndays.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-cursor-windsurf-chromium-ndays.md)) [high] 2025-10-21: OX Security ("Forked and Forgotten") showed that Cursor and Windsurf — built on outdated VS Code → outdated Electron → outdated Chromium/V8 — are exposed to 94+ known (n-day) Chromium… - [GlassWorm — self-propagating VS Code / Open VSX extension worm (Oct 2025 → 2026)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-glassworm-vscode-worm.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-glassworm-vscode-worm.md)) [high] 2025-10-17: GlassWorm's signature trick is steganographic source: the malicious logic is encoded in printable-but-non-rendering Unicode (e.g., variation selectors / invisible code points), so a maintainer or… - [Windsurf path-traversal via prompt-injected README — Cascade reads/writes arbitrary files (CVE-2025-62353, Oct 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-windsurf-cve-2025-62353-path-traversal.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-10-windsurf-cve-2025-62353-path-traversal.md)) [critical] 2025-10: HiddenLayer demonstrated indirect prompt injection against the Cascade AI agent inside Windsurf. Their PoC placed natural-language instructions inside an HTML comment in a project's README.md —… - [postmark-mcp backdoor — first malicious MCP server (September 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-postmark-mcp-backdoor.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-postmark-mcp-backdoor.md)) [high] 2025-09-25: The npm package postmark-mcp — an unofficial MCP server for the Postmark email service — was modified in v1.0.16 (published 2025-09-17) to silently BCC every outgoing email to… - [Shai-Hulud npm worm — original wave (September 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-shai-hulud-original.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-shai-hulud-original.md)) [critical] 2025-09-15: On 2025-09-15, the first self-replicating npm worm — Shai-Hulud — was discovered. ~200 packages compromised, including @ctrl/tinycolor (2.2M weekly), ngx-bootstrap (300k weekly), and several… - [qix npm account compromise — chalk, debug, ansi-styles (September 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-qix-compromise.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-qix-compromise.md)) [critical] 2025-09-08: On 2025-09-08, npm maintainer Josh Junon (qix) was phished. The attacker took over ~18 of his packages — chalk, debug, ansi-styles, strip-ansi, color-convert, wrap-ansi, and more — collectively… - ['Lies in the Loop' (LITL) — approval-dialog padding hides malicious commands below the fold in Claude Code and VS Code Copilot (Sept 2025, no vendor fix)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-litl-ai-approval-dialog-bypass.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-09-litl-ai-approval-dialog-bypass.md)) [high] 2025-09-01: Checkmarx Zero researchers discovered that AI coding agents that use Human-in-the-Loop (HITL) confirmation dialogs — the approval prompts that ask developers "OK to run this command?" before… - [Nx 's1ngularity' — first AI-CLI-assisted malware (August 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-nx-s1ngularity.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-nx-s1ngularity.md)) [critical] 2025-08-26: On 2025-08-26, malicious versions of Nx and several plugins were published to npm after attackers exploited a GitHub Actions injection bug to steal the publish token. The postinstall script… - [Salesloft Drift OAuth Breach — UNC6395 steals Salesforce CRM data from Cloudflare, Palo Alto, Zscaler and hundreds of orgs (August 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-salesloft-drift-oauth-breach.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-salesloft-drift-oauth-breach.md)) [high] 2025-08-26: Threat actor UNC6395 compromised a Salesloft GitHub account, stole OAuth tokens from the Drift AI chat agent's Salesforce integration, and used them to exfiltrate CRM data — including AWS keys,… - [Claude Code InversePrompt and follow-on CVEs (multiple)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-claude-code-inverseprompt.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-08-claude-code-inverseprompt.md)) [medium] 2025-08: A growing collection of Claude Code CVEs — CVE-2025-54794, CVE-2025-54795 (Cymulate's "InversePrompt", Aug 2025), CVE-2025-52882 (information disclosure), CVE-2025-59536, CVE-2026-21852 ("Leaks… - [Amazon Q VS Code extension wiper prompt (July 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-amazon-q-wiper.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-amazon-q-wiper.md)) [medium] 2025-07-17: On 2025-07-13 a researcher submitted a PR to the aws-toolkit-vscode repo and was — by their account — granted admin permissions in response. They merged a prompt injection that shipped in Amazon Q… - [Supabase MCP 'lethal trifecta' — full SQL DB exfiltration via stored prompt injection](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-supabase-mcp-lethal-trifecta.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-supabase-mcp-lethal-trifecta.md)) [high] 2025-07-06: General Analysis (popularized by Simon Willison as the "lethal trifecta") demonstrated that Cursor + Supabase MCP + an attacker-controlled row in a customer-submitted table = full database… - [WhiteCobra — recurring VS Code / Cursor / Windsurf / Open VSX crypto-stealer campaign (July 2025 → ongoing)](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-whitecobra-vscode-extensions.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2026-05-whitecobra-vscode-extensions.md)) [high] 2025-07-01: WhiteCobra has published at least 24 malicious extensions across the VS Code Marketplace and Open VSX registry. The campaign targets developers who use AI coding tools (Cursor, Windsurf) for… - [Cursor CurXecute (CVE-2025-54135) + MCPoison (CVE-2025-54136) + case-sensitivity bypass (CVE-2025-59944)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-cursor-curxecute-mcpoison.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-07-cursor-curxecute-mcpoison.md)) [high] 2025-07: Three Cursor IDE vulnerabilities, all patched, all worth understanding because the patterns recur. CurXecute (CVE-2025-54135, CVSS 8.6) let prompt injection from an MCP server modify mcp.json and… - [VSXPloit — Open VSX nightly build pipeline could be exploited to steal marketplace admin token (June 2025)](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-06-vsxploit-openvsx-build-token-theft.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/2025-06-vsxploit-openvsx-build-token-theft.md)) [high] 2025-06-25: Koi Security researcher Oren Yomtov discovered that Open VSX's nightly build pipeline executed arbitrary code from community-submitted extension repositories, allowing any extension author to… - [Slopsquatting — attackers register AI-hallucinated package names](https://pranava0x0.github.io/vibe-coding-security/advisories/ongoing-slopsquatting.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/ongoing-slopsquatting.md)) [medium] 2025-04: LLMs frequently hallucinate package names that don't exist. Attackers register those exact names on npm and PyPI as malware. The next person who pastes the same hallucinated import gets owned.… - [Vibe-coded app data exposure — Lovable, Bolt, Replit, Base44 pattern issues](https://pranava0x0.github.io/vibe-coding-security/advisories/ongoing-vibe-platform-exposure.html) ([md](https://pranava0x0.github.io/vibe-coding-security/advisories/ongoing-vibe-platform-exposure.md)) [high] 2025: Systemic data exposure across vibe-coding platforms in 2025–2026. Lovable: 16 critical flaws documented + a BOLA report left open 48 days. Bolt: env-var leakage in client bundles. Replit: secrets… ## Playbooks - [Auditing a vibe-coded repo](https://pranava0x0.github.io/vibe-coding-security/playbooks/auditing-a-vibe-coded-repo.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/auditing-a-vibe-coded-repo.md)): Scope: a repo built with Cursor / Lovable / Bolt / v0 / Replit / Claude Code that you (or someone else) needs to ship safely. Especially if it touches user data. - [If an MCP server you installed was malicious](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-an-mcp-server-was-malicious.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-an-mcp-server-was-malicious.md)): Scope: any MCP (Model Context Protocol) server you connected to Claude Code, Cursor, Codex, Windsurf, Gemini CLI, or any other agent that turns out to be backdoored. - [If you installed a bad npm package](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-you-installed-a-bad-npm-package.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-you-installed-a-bad-npm-package.md)): Scope: any npm package — direct or transitive — that turned out to be compromised. - [If you ran a malicious npm postinstall script](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-you-ran-malicious-postinstall.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-you-ran-malicious-postinstall.md)): Scope: npm install ran an attacker-controlled install/preinstall/postinstall lifecycle script or binding.gyp node-gyp build step. - [If your GitHub PAT leaked](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-your-github-pat-leaked.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-your-github-pat-leaked.md)): Scope: any GitHub Personal Access Token (PAT), gh CLI session, or SSH key that was on disk when malware ran. - [If your local AI agent was exploited](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-your-local-ai-agent-was-exploited.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-your-local-ai-agent-was-exploited.md)): Scope: a local AI coding agent (Cline, Cursor, Windsurf, Claude Code, OpenClaw, OpenCode, aider, OpenHands) was exploited via prompt injection, localhost WebSocket RCE, malicious MCP server, or… - [If your npm token leaked](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-your-npm-token-leaked.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-your-npm-token-leaked.md)): Scope: any time ~/.npmrc, a NPMTOKEN env var, or a CI npm token was readable by malware. - [If your web app was compromised](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-your-webapp-was-compromised.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/if-your-webapp-was-compromised.md)): Scope: a production web app (Next.js, React, FastAPI, Streamlit, or any framework) had an exploitable vulnerability that was or may have been actively exploited — RCE, auth bypass, SSRF,… - [Rotating cloud credentials](https://pranava0x0.github.io/vibe-coding-security/playbooks/rotating-cloud-credentials.html) ([md](https://pranava0x0.github.io/vibe-coding-security/playbooks/rotating-cloud-credentials.md)): Scope: AWS, GCP, Azure, Kubernetes — when you suspect creds on your machine or in CI were exfiltrated. ## Prevention - [Agent sandboxing](https://pranava0x0.github.io/vibe-coding-security/prevention/agent-sandboxing.html) ([md](https://pranava0x0.github.io/vibe-coding-security/prevention/agent-sandboxing.md)): If you let an agent execute shell commands on your host, you've delegated your full user privileges to a system that takes instructions from text it reads on the internet. Put the agent in a box. - [CI/CD & GitHub Actions hardening](https://pranava0x0.github.io/vibe-coding-security/prevention/ci-cd-hardening.html) ([md](https://pranava0x0.github.io/vibe-coding-security/prevention/ci-cd-hardening.md)): Your CI runs third-party code with your repo's write token and your secrets, on every push — and often on a timer with nobody watching. Pin it to immutable commits, scope its permissions to the… - [Credential hygiene](https://pranava0x0.github.io/vibe-coding-security/prevention/credential-hygiene.html) ([md](https://pranava0x0.github.io/vibe-coding-security/prevention/credential-hygiene.md)): Where your credentials live determines how bad a compromise is. The goal: nothing high-value sitting in plaintext on disk, ever. - [MCP hygiene](https://pranava0x0.github.io/vibe-coding-security/prevention/mcp-hygiene.html) ([md](https://pranava0x0.github.io/vibe-coding-security/prevention/mcp-hygiene.md)): An MCP server is arbitrary code running with your agent's privileges. Treat installing one with the same scrutiny as sudo npm install -g. - [npm hardening](https://pranava0x0.github.io/vibe-coding-security/prevention/npm-hardening.html) ([md](https://pranava0x0.github.io/vibe-coding-security/prevention/npm-hardening.md)): Reduce the blast radius of npm install so that a compromised package can't trivially own you. - [Package vetting checklist](https://pranava0x0.github.io/vibe-coding-security/prevention/package-vetting-checklist.html) ([md](https://pranava0x0.github.io/vibe-coding-security/prevention/package-vetting-checklist.md)): 60 seconds before any new install. Print this, tape it next to your monitor, do it every time. - [Supply-chain attack surface: where external code & data get in](https://pranava0x0.github.io/vibe-coding-security/prevention/supply-chain-attack-surface.html) ([md](https://pranava0x0.github.io/vibe-coding-security/prevention/supply-chain-attack-surface.md)): Every channel through which code or data from the internet reaches your machine, your CI, or your users — with the one defense that matters for each. Start here, then go deep in the linked guide.… ## Sources - [Advisory feeds](https://pranava0x0.github.io/vibe-coding-security/sources/advisory-feeds.html) ([md](https://pranava0x0.github.io/vibe-coding-security/sources/advisory-feeds.md)): Machine-readable sources. Wire these into your monitoring stack so you don't have to keep tabs open. - [Security blogs](https://pranava0x0.github.io/vibe-coding-security/sources/security-blogs.html) ([md](https://pranava0x0.github.io/vibe-coding-security/sources/security-blogs.md)): Long-form, technical writeups. Slower than X but with IOCs, hashes, and full timelines. - [X (Twitter) accounts to follow](https://pranava0x0.github.io/vibe-coding-security/sources/twitter-accounts.html) ([md](https://pranava0x0.github.io/vibe-coding-security/sources/twitter-accounts.md)): Build a dedicated list. Most supply-chain stories break here hours before the blog posts go up. ## Optional - [llms-full.txt](https://pranava0x0.github.io/vibe-coding-security/llms-full.txt): every advisory + playbook + prevention doc concatenated (~960KB) for full-context ingestion - [llms-ctx.txt](https://pranava0x0.github.io/vibe-coding-security/llms-ctx.txt): compact context — alerts + per-advisory TL;DRs only (~140KB) - [advisories/llms.txt](https://pranava0x0.github.io/vibe-coding-security/advisories/llms.txt): advisories-only index - [playbooks/llms.txt](https://pranava0x0.github.io/vibe-coding-security/playbooks/llms.txt): playbooks-only index - [prevention/llms.txt](https://pranava0x0.github.io/vibe-coding-security/prevention/llms.txt): prevention-only index - [advisories.json](https://pranava0x0.github.io/vibe-coding-security/advisories.json): structured advisory index with frontmatter - [api/v1/advisories.json](https://pranava0x0.github.io/vibe-coding-security/api/v1/advisories.json): same data behind a stable versioned URL - [advisory-schema.json](https://pranava0x0.github.io/vibe-coding-security/advisory-schema.json): JSON Schema for advisory frontmatter - [GitHub source](https://github.com/pranava0x0/vibe-coding-security): raw markdown, contribution guide, issue templates