checkmarx.com

5 curated AppSec resources from checkmarx.com across 2 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.

Date added: 2026-04-22
Resource: Exploiting GraphQL Query Depth (2026)
Topic: GraphQL
Excerpt: Article on exploiting GraphQL query depth, demonstrating how deeply nested object requests can cause denial of service (DoS) against applications such as the Damn Vulnerable GraphQL Application. It highlights the performance degradation caused by deep recursion and points to the OWASP GraphQL Cheat Sheet and Apollo blog posts for remediations such as query timeouts, a maximum query depth, and query complexity thresholds.

Date added: 2026-04-22
Resource: Didn't Notice Your Rate Limiting: GraphQL Batching Attack (2026)
Topic: GraphQL
Excerpt: Writeup detailing the GraphQL batching attack, in which rate limiting applied per HTTP request is bypassed because GraphQL's batching feature lets a client send multiple queries in a single request. The technique can be used for server-side object enumeration or brute force; the article demonstrates submitting many login mutations at once to evade per-request rate limits and crack a password from a list of common ones, gaining unauthorized access.

Date added: 2026-04-19
Resource: PyPI Supply Chain Attack: Colorama and Colorizr Name Confusion (2026)
Topic: Python
Excerpt: Writeup on malicious Python packages that use typo-squatting and name confusion against the Colorama library on PyPI. The packages mimic legitimate libraries and deliver payloads for persistent remote access, data exfiltration, and antivirus evasion on both Windows and Linux. The campaign uses cross-ecosystem tactics, reusing NPM package names to target PyPI users, together with persistence mechanisms and stealth techniques.

Date added: 2026-04-16
Resource: Attack on Software Supply Chains Using Fake Python Infrastructure (2026)
Topic: Python
Excerpt: Writeup detailing a software supply chain attack in which an attacker distributed malware through fake Python package infrastructure: a typosquatted domain serving a malicious "colorama" package. The campaign affected over 170,000 users and relied on compromised GitHub accounts and multi-stage, obfuscated execution to steal credentials and session tokens from a range of applications.

Date added: 2026-04-06
Resource: Rapid Exploitation and Clever Malware in the Supply Chain — Last Week in AppSec (2026)
Topic: Python
Excerpt: Survey of recent supply chain attacks, including the Langflow code injection vulnerability (CVE-2026-33017) added to the CISA KEV catalog and the compromise of the Telnyx Python framework. The Telnyx attack hid its malicious payload in .wav audio files and harvested and exfiltrated information; the article also references a JFrog technical analysis of the Telnyx malware.
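The two GraphQL entries above describe the attack side: deeply nested selections that exhaust the resolver, and many aliased login mutations packed into one HTTP request so that a per-request rate limit sees a single hit. The following Python is an added example, not code from the Checkmarx articles or from appsec.fyi, showing the server-side controls those entries point to: a maximum selection depth, a cap on root fields per operation (the quantity alias batching multiplies), a cap on JSON-array batches, and a verdict that tells the rate limiter how many operations to charge instead of one per request. The limits, the `login`/`token` field names, and all request bodies are constructed for illustration.

```python
"""Depth and batching controls for GraphQL requests (added example; limits and
sample payloads are constructed, not taken from the articles above)."""
import json
import re
from dataclasses import dataclass

MAX_DEPTH = 5         # deepest selection-set nesting accepted
MAX_ROOT_FIELDS = 10  # root fields per operation; alias batching multiplies these
MAX_BATCH_SIZE = 1    # operations per HTTP request when the body is a JSON array

_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def _strip_strings_and_comments(query: str) -> str:
    """Blank out string literals (including triple-quoted block strings) and
    # comments so braces, colons and parentheses inside them are not read as
    query structure."""
    out, i, n = [], 0, len(query)
    while i < n:
        if query.startswith('"""', i):
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
            out.append(" ")
        elif query[i] == '"':
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1  # skip escaped characters
            i += 1
            out.append(" ")
        elif query[i] == "#":
            while i < n and query[i] != "\n":
                i += 1
        else:
            out.append(query[i])
            i += 1
    return "".join(out)


def max_selection_depth(query: str) -> int:
    """Deepest selection-set nesting; the root selection set is depth 1, so
    `{ a { b { c } } }` is 3. Object literals in variable defaults also use
    braces and would over-count slightly; a real parser avoids that."""
    depth = deepest = 0
    for ch in _strip_strings_and_comments(query):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def root_field_count(query: str) -> int:
    """Count fields in the root selection set, including aliased repeats such as
    `a0: login(...) { token } a1: login(...) { token }`. Names inside argument
    lists, after an alias colon, or after `@` / `...` are not counted.
    Simplified scanner: fragment spreads in the root set are not handled."""
    text = _strip_strings_and_comments(query)
    brace = paren = count = 0
    prev = ""
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        m = _NAME.match(text, i)
        if m:
            if brace == 1 and paren == 0 and prev not in (":", "@", "."):
                count += 1
            prev, i = "name", m.end()
            continue
        brace += (ch == "{") - (ch == "}")
        paren += (ch == "(") - (ch == ")")
        if not ch.isspace():
            prev = ch
        i += 1
    return count


@dataclass
class Verdict:
    allowed: bool
    reason: str
    operations: int  # what to charge against the rate limiter, not "1 per request"


def inspect_request(body: str) -> Verdict:
    """Apply the three limits to a raw JSON request body. A body that is a JSON
    array is a transport-level batch; each element is one operation."""
    payload = json.loads(body)
    batch = payload if isinstance(payload, list) else [payload]
    if len(batch) > MAX_BATCH_SIZE:
        return Verdict(False, f"batch of {len(batch)} exceeds {MAX_BATCH_SIZE}", len(batch))
    total = 0
    for op in batch:
        query = op.get("query", "")
        depth = max_selection_depth(query)
        if depth > MAX_DEPTH:
            return Verdict(False, f"depth {depth} exceeds {MAX_DEPTH}", total)
        fields = root_field_count(query)
        if fields > MAX_ROOT_FIELDS:
            return Verdict(False, f"{fields} root fields exceeds {MAX_ROOT_FIELDS}", total)
        total += fields  # every root field counts as one operation for rate limiting
    return Verdict(True, "ok", total)


def alias_login_batch(username: str, passwords: list) -> str:
    """Attacker side: one HTTP request, one operation, one aliased `login`
    mutation per candidate password (field and argument names are assumed)."""
    fields = "\n".join(
        f"  try{i}: login(username: {json.dumps(username)}, "
        f"password: {json.dumps(pw)}) {{ token }}"
        for i, pw in enumerate(passwords)
    )
    return json.dumps({"query": "mutation {\n" + fields + "\n}"})


# Constructed sample bodies
BODY_NORMAL = json.dumps({"query": "{ me { id name } }"})
BODY_DEEP = json.dumps({"query": "{ posts { author { posts { author { posts { author { name } } } } } } }"})
BODY_ARRAY_BATCH = json.dumps([{"query": "{ me { id } }"}, {"query": "{ me { name } }"}])

if __name__ == "__main__":
    samples = [("normal", BODY_NORMAL), ("deep", BODY_DEEP), ("array batch", BODY_ARRAY_BATCH),
               ("12 aliased logins", alias_login_batch("admin", [f"pw{i}" for i in range(12)]))]
    for label, body in samples:
        print(f"{label:18} -> {inspect_request(body)}")
```

The `operations` field is the point the batching writeup makes: a limiter keyed on HTTP requests is blind to aliased or array-batched operations, so the limiter should consume `Verdict.operations` tokens per request. The scanner is deliberately small; a production server should take depth and field counts from its GraphQL library's parsed AST and add complexity scoring on top, as the OWASP cheat sheet cited above recommends.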