arstechnica.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-01.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-01 | Dozens of Red Hat packages backdoored through its official NPM channel (Supply Chain) | Dozens of Red Hat packages were compromised through their official NPM channel. This security incident involved malicious code being injected into legitimate software, potentially affecting numerous users. The vulnerability highlights the risks associated with supply chain attacks and the importance of secure development practices. Further details regarding the scope and impact of the backdoor are still emerging. |
| 2026-06-01 | Millions of AI agents imperiled by critical vulnerability in open source package (Python) | A critical vulnerability has been discovered in an open-source package, posing a significant risk to millions of AI agents. The flaw could potentially be exploited to compromise these AI systems. Details of the vulnerability and its implications are available via the provided link. |
| 2026-05-29 | Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code (AI) | Library update details a prompt injection vulnerability within the jqwik Java testing application for JUnit 5. The malicious instruction, disguised with ANSI escapes, directs AI coding agents to delete tests and code, posing a destructive risk to developers using vulnerable agents without warning or opt-out. Anthropic's Claude AI reportedly flagged this prompt injection. |
| 2026-05-05 | Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack (Supply Chain) | Writeup on the Daemon Tools supply-chain attack, detailing a monthlong compromise where malicious updates signed with official certificates infected versions 12.5.0.2421 through 12.5.0.2434. The malware, discovered by Kaspersky, exfiltrates system information and delivers follow-on payloads to select targets. This incident mirrors previous supply-chain attacks like CCleaner (2017), SolarWinds (2020), and 3CX (2023), highlighting the difficulty in defending against sophisticated, officially distributed compromises. |
| 2026-04-27 | Open source package with 1 million monthly downloads stole user credentials (Supply Chain) | Library **element-data** version 0.23.3 was compromised, stealing user credentials, cloud provider keys, API tokens, and SSH keys. A threat actor exploited a vulnerability in the developers' GitHub Actions workflow to gain access to signing keys and sensitive information, allowing them to publish a malicious package to the Python Package Index and Docker image accounts. Users who installed the compromised version or ran the affected Docker image should assume their credentials may have been exposed. |