
cyberinsider.com

5 curated AppSec resources from cyberinsider.com across 3 topics on appsec.fyi.


Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-28.

Date Added | Resource | Topic | Excerpt
2026-06-28 | Polymarket suffers supply chain attack leading to $3 million crypto theft (2026) | Supply Chain | Polymarket, a decentralized prediction market, suffered a significant supply chain attack that resulted in the theft of $3 million worth of cryptocurrency. The incident highlights the vulnerabilities inherent in complex digital asset ecosystems and in supply chain security.
2026-06-22 | FFmpeg PixelSmash bug triggers code execution on media file open (2026) | RCE | Analysis of FFmpeg's CVE-2026-8461, "PixelSmash," a critical heap out-of-bounds write vulnerability in the MagicYUV decoder. The flaw allows remote code execution through specially crafted media files such as AVI, MKV, or MOV, and affects numerous downstream applications including Kodi, OBS Studio, Jellyfin, and Nextcloud. Exploitation involves overwriting function pointers within FFmpeg's heap structures, enabling arbitrary command execution. The vulnerability was patched in FFmpeg 8.1.2.
2026-06-17 | Supply-chain attack injects backdoor on ShapedPlugin WordPress software (2026) | Supply Chain | Report on the supply-chain attack tracked as CVE-2026-10735 affecting ShapedPlugin's premium WordPress software, with guidance on detecting and mitigating it. The attack injected backdoors through legitimate update channels, leading to credential theft, 2FA secret exfiltration, and the deployment of tools such as Tiny File Manager and Adminer. The incident highlights the risks of compromised build pipelines and vendor update systems, and affected plugins including Real Testimonials Pro, Product Slider Pro, and Smart Post Pro.
2026-05-25 | Drupal warns of active exploitation attempts targeting critical SQL injection flaw (2026) | SQLi | Analysis of CVE-2026-9082, a critical SQL injection vulnerability affecting Drupal sites using PostgreSQL, including the active exploitation attempts observed by Imperva. The flaw in Drupal's database abstraction API allows unauthenticated attackers to execute arbitrary SQL, with potential consequences of information disclosure, privilege escalation, and remote code execution. CISA has added it to the KEV catalog, and agencies must secure affected systems by May 27. Patches are available for supported Drupal versions, and immediate updates are advised.
2026-05-15 | OpenAI confirms exposure in recent Shai-Hulud supply-chain attack (2026) | Supply Chain | Writeup of the Mini Shai-Hulud supply-chain attack affecting OpenAI, which involved compromised npm packages from TanStack and exposed limited internal credentials and code-signing certificates. The incident led OpenAI to rotate the signing keys for its desktop applications and to ask macOS users to update their software by June 12, 2026, to avoid disruption. The attack used techniques such as cache poisoning and OpenID Connect token extraction to compromise repositories and harvest secrets.