darkreading.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-25.
| Date Added | Resource | Topics | Excerpt |
|---|---|---|---|
| 2026-06-25 | In Less Than 24 Hours Attackers Weaponize Cisco CUCM Flaw | SSRF | Attackers have rapidly exploited a vulnerability in Cisco Unified Communications Manager (CUCM), weaponizing it within 24 hours of its disclosure. This critical flaw allows for potential remote code execution and other malicious activities, posing a significant threat to organizations relying on this communication platform. The swift exploitation highlights the urgent need for patching and enhanced security measures for Cisco CUCM deployments. The summary does not mention a specific bounty payout amount. |
| 2026-06-18 | Developer Machines And Supply Chain Security Risk | Supply Chain | This article discusses the significant supply chain security risks posed by compromised developer machines. It highlights how attackers can target these machines to inject malicious code into software projects, leading to widespread vulnerabilities and breaches. The content emphasizes the importance of securing developer environments, including endpoints, code repositories, and build pipelines, as a critical defense against such attacks. The goal is to prevent compromised development tools from becoming entry points for attackers into the software supply chain. |
| 2026-06-09 | 'Hades' Attacks on PyPI Put New Spin on Shai-Hulud | Supply Chain | A sophisticated malware campaign, dubbed "Hades," has targeted the Python Package Index (PyPI). Attackers are using previously unknown techniques to distribute malicious packages, potentially impacting numerous developers and organizations relying on PyPI for dependencies. This new wave of attacks highlights the evolving threat landscape within open-source software ecosystems and emphasizes the need for enhanced security measures. The specific payout for reporting these vulnerabilities is not mentioned. |
| 2026-06-09 | Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories | Supply Chain | A supply chain worm named Miasma has compromised 73 Microsoft code repositories. This sophisticated malware targets developers, attempting to steal credentials and potentially inject malicious code into software projects. The worm's ability to spread through development environments poses a significant risk to the integrity of software built using these repositories. Security researchers are actively investigating the extent of the breach and working to mitigate the threat. |
| 2026-06-05 | Rust-Written IronWorm Hits NPM Supply Chain | Supply Chain | A new malware called IronWorm, written in Rust, has been discovered targeting the NPM (Node Package Manager) supply chain. This malicious software infiltrates the development ecosystem by compromising popular packages. The goal of IronWorm is to steal sensitive information from developers and their projects, posing a significant risk to the security of software built using these compromised dependencies. Further details on its specific infection vectors and the full extent of its capabilities are still under investigation. |
| 2026-05-27 | Microsoft Issues Out-of-Band SharePoint Patch | RCE | Microsoft has released an out-of-band patch for SharePoint to address a critical security vulnerability. This urgent update is necessary to protect users from potential exploits targeting the platform. The specific details of the vulnerability and the patch are available via the provided link. No bug bounty payout information is mentioned in this content. |
| 2026-05-19 | Microsoft Exchange Zero-Day Under Attack, No Patch Available | XSS | Microsoft Exchange Zero-Day Under Attack, No Patch Available https://ift.tt/HM5e6fY |
| 2026-05-14 | Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain | Supply Chain | A new worm, dubbed "Mini Shai-Hulud" by researchers, is actively infecting the software supply chain. This malware targets developers, aiming to compromise their development environments and potentially inject malicious code into legitimate software projects. The worm's propagation methods and specific targets are still under investigation, but its presence signifies a growing threat to the integrity of software development and distribution. Organizations are advised to enhance their security protocols and vigilance against such supply chain attacks. |
| 2026-05-09 | Every Old Vulnerability Is Now an AI Vulnerability | XSS | This article argues that as Artificial Intelligence (AI) systems become more integrated, traditional cybersecurity vulnerabilities are now also AI vulnerabilities. Existing exploits and weaknesses in software, hardware, and network infrastructure can be leveraged to target or compromise AI models. This means that the vast landscape of known security flaws presents a significant risk to AI systems, requiring a re-evaluation of security strategies to account for this expanded threat surface. |
| 2026-05-07 | 'TrustFall' Exposes Claude Code Execution Risk | RCE | 'TrustFall' Exposes Claude Code Execution Risk https://ift.tt/uApnWBD |
| 2026-04-30 | TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack | Supply Chain | TeamPCP has developed a new attack targeting SAP applications called "Mini Shai-Hulud." This sophisticated threat leverages multiple vulnerabilities to bypass security controls and achieve remote code execution. The attack appears to be highly effective, capable of compromising SAP NetWeaver Application Server Java components. Further details on the exploit's mechanics and impact are available via the provided link. No specific bounty payout amounts were mentioned. |
| 2026-04-29 | AI Finds 38 Security Flaws in OpenEMR | AI, RCE | An AI security tool, DeepScribe, has identified 38 vulnerabilities in OpenEMR, a popular open-source electronic health record system. These flaws range in severity, with DeepScribe flagging 10 as critical. The company plans to disclose these findings responsibly to OpenEMR's development team. This discovery highlights the potential of AI in uncovering security weaknesses in complex software. The specific bounty payout amount for this discovery is not mentioned. |
| 2026-04-21 | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool | RCE | Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool https://ift.tt/1QOIZsB |
| 2026-04-17 | SBOMs in 2026: Some Love, Some Hate, Much Ambivalence | Supply Chain | SBOMs in 2026: Some Love, Some Hate, Much Ambivalence |
| 2026-04-15 | Privilege Elevation Dominates Massive Microsoft Patch Update | AuthZ | Coverage of Microsoft's April 2026 Patch Tuesday update, which included 165 CVEs, a significant portion of them elevation-of-privilege bugs. Key vulnerabilities detailed include CVE-2026-32201 (a SharePoint Server spoofing zero-day actively exploited), CVE-2026-33825 (a Defender privilege escalation zero-day), CVE-2026-33824 (a critical RCE in Windows IKE Service Extensions), and CVE-2026-33827 (a rare unauthenticated RCE in Windows secure tunneling). The update also featured numerous fixes for Microsoft Edge and Chromium. |
| 2026-04-06 | AI-Assisted Supply Chain Attack Targets GitHub | Supply Chain | AI-Assisted Supply Chain Attack Targets GitHub https://ift.tt/W3OMdbX |
| 2026-04-03 | Source Code Leaks Highlight Lack of Supply Chain Oversight | Supply Chain | Analysis of recent supply chain attacks, including compromises of Trivy, Axios, and Anthropic's Claude Code, reveals significant vulnerabilities in development pipelines and credential management. These incidents highlight risks from misconfigured GitHub Actions, compromised maintainer accounts, and inadequate content checks during publishing, allowing malicious code and sensitive source code to enter the supply chain. Attacks on AI coding agents also introduce new persistence vectors, impacting entire developer workstations and downstream software. |
| 2025-10-24 | Law Enforcement Cracks Down on XSS but Will It Last? | XSS | Law enforcement is increasing efforts to combat Cross-Site Scripting (XSS) attacks. The effectiveness and longevity of these crackdowns are questioned. |
| 2024-07-30 | OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover | API Sec, AuthN, XSS | An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites. |