cxodigitalpulse.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-24.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-04-24 | Bitwarden CLI Compromised in Supply Chain Attack Exposes Developer Secrets (Supply Chain) | Bitwarden's command-line interface (CLI) was compromised in a supply chain attack, potentially exposing developer secrets. The vulnerability stemmed from a malicious package published to npm, the Node.js package manager. While Bitwarden has confirmed the attack, they state that the compromised CLI version was not widely distributed. The company is investigating the full extent of the compromise and has taken steps to mitigate the risk. Further details are expected as the investigation progresses. |
| 2026-04-24 | Tenable Research Uncovers Remote Code Execution Vulnerability in Microsoft GitHub Repository Exposing CI/CD Pipeline to Unauthorized Code Execution (RCE, Supply Chain) | Tenable Research discovered a remote code execution (RCE) vulnerability in a Microsoft GitHub repository. This flaw could allow attackers to gain unauthorized code execution within a Continuous Integration/Continuous Deployment (CI/CD) pipeline. The vulnerability, detailed in a report from Tenable, highlights a significant security risk for organizations relying on these automated build and deployment processes managed through GitHub. Further details on the specific exploit and its potential impact were not immediately available. |
| 2026-04-23 | Malicious Docker Images and VS Code Extensions Compromise Checkmarx Supply Chain (Supply Chain) | Analysis of a supply chain attack where malicious Docker images, specifically a trojanized `checkmarx/kics` image under tags like `v2.1.20` and `alpine`, and compromised Visual Studio Code extensions, were used to exfiltrate sensitive data and compromise developer environments, highlighting risks in trusted repositories and developer ecosystems. |
| 2026-04-22 | Critical SGLang Flaw (CVE-2026-5760) Enables RCE via Malicious AI Models (RCE) | Writeup of CVE-2026-5760 in SGLang, a critical flaw enabling remote code execution via malicious AI models. Attackers can craft a GGUF model with a malicious tokenizer.chat_template to exploit an unsandboxed Jinja2 environment, triggering server-side template injection and executing arbitrary Python code. This high-severity vulnerability, requiring no authentication, impacts SGLang deployments serving LLMs. |
| 2026-04-14 | OpenAI Impacted by North Korea-Linked Axios Supply Chain Hack Rotates Security Certificates (Supply Chain) | Library compromise impacting OpenAI, where North Korea-linked actors poisoned the Axios JavaScript library on NPM. Malicious versions deployed a RAT, affecting OpenAI's macOS application signing workflow and exposing code-signing certificates. OpenAI rotated certificates and stated no user data or intellectual property was compromised, though older macOS applications will lose support. |
| 2026-04-07 | Guardarian Users Targeted in Supply Chain Attack via Malicious Strapi NPM Packages (Supply Chain) | Writeup of a supply chain attack targeting Guardarian users via malicious Strapi NPM packages. Threat actors published 36 fake packages, disguised as Strapi plugins, designed to deliver payloads including remote shells, Docker escape, and credential harvesting. Techniques involved exploiting Redis, targeting PostgreSQL, scanning for wallet files, exfiltrating Strapi configurations, and establishing persistent access. The attack evolved from aggressive payloads to reconnaissance and targeted credential theft, specifically for the Strapi ecosystem. |