cyberscoop.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-12.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-05-12 | Mini Shai-Hulud malware compromises hundreds of open-source packages in sprawling supply-chain attack | Supply Chain | "Mini Shai-Hulud" is a newly discovered malware strain that has compromised hundreds of open-source packages. The supply-chain attack targets developers by injecting malicious code into popular libraries, potentially affecting numerous downstream applications and users. Its goal is believed to be the theft of credentials and other sensitive information. The incident highlights the ongoing risk in the open-source software supply chain and the need for robust security measures. |
| 2026-04-20 | Vuln in Google's Antigravity AI agent manager could escape sandbox, give attackers remote code execution | AI | A vulnerability in Google's Antigravity AI agent manager allowed prompt injection to bypass secure mode, granting attackers remote code execution by exploiting the `find_by_name` native tool before sandbox protections engaged. The flaw, discovered by Pillar Security and since patched, highlights the risks of unvalidated input for agentic AI, parallels earlier findings in Cursor, and underlines the need to move beyond sanitization controls for native tool parameters. |
| 2026-04-20 | Why the Axios attack proves AI is mandatory for supply chain security | Supply Chain | Argument that AI-powered security operations are now necessary, prompted by attacks like the recent Axios supply chain compromise by North Korean threat actors. The piece highlights how AI-driven monitoring can detect malicious code changes in real time, a crucial capability against adversaries who themselves use AI for automated reconnaissance and evasive malware. It argues that AI is essential for matching the speed and complexity of modern threats, transforming Security Operations Centers (SOCs) into agentic workflows that amplify human analysts and significantly reduce mean time to detect and respond. |
| 2026-04-13 | OpenAI's Mac apps need an update thanks to the Axios hack | Supply Chain | Report that OpenAI's macOS apps require an update, with users asked to install the latest versions, following a supply-chain attack on the Axios JavaScript library. A North Korean hacking group (UNC1069) injected malware into Axios after compromising its lead maintainer's accounts, impacting downstream software through millions of weekly downloads. OpenAI treated its signing certificate as compromised because of a misconfiguration in its GitHub workflow, even though no evidence suggests user data was accessed or code was altered. |
| 2026-01-15 | CISA's secure-software buying tool had a simple XSS vulnerability of its own | XSS | Write-up of a cross-site scripting (XSS) vulnerability in CISA's "Software Acquisition Guide: Supplier Response Web Tool." The flaw, discovered by former OWASP leader Jeff Williams, allowed JavaScript injection and potential website defacement. While CISA addressed and patched the vulnerability, its discovery highlighted gaps in basic security testing for a tool intended to promote secure software development. |