gigazine.net

5 curated AppSec resources from gigazine.net across 4 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-22.

| Date Added | Resource | Topics | Excerpt |
| --- | --- | --- | --- |
| 2026-05-22 | Following repeated supply chain attacks npm has introduced a 'phased release' system adding a mechanism that prevents packages from being published using only leaked tokens. | Supply Chain | npm has implemented a "phased release" system to combat repeated supply chain attacks. This new mechanism prevents packages from being published solely through the use of leaked tokens. The update aims to enhance security within the npm ecosystem by adding an extra layer of protection against unauthorized package publishing. |
| 2026-05-15 | A remote code execution vulnerability has been discovered in NGINX; the affected versions are listed below. | RCE | Writeup of CVE-2026-42945, an 18-year-old heap buffer overflow in NGINX, enabling unauthenticated remote code execution when specific rewrite, if, or set directives are used with unnamed PCRE capture groups. DepthFirst's analysis highlights memory corruption issues, with potential exploitation on systems lacking ASLR. The vulnerability's severity is rated differently by NGINX (medium) and NIST (critical/high), depending on exploitability conditions. Affected users should update NGINX and review configurations for vulnerable directive combinations. |
| 2026-05-08 | Mozilla explains the system that discovered 271 vulnerabilities in Firefox using Claude Mythos Preview. | Fuzzing | Library for AI-assisted vulnerability discovery, detailing Mozilla's system that leveraged Claude Mythos Preview to identify 271 vulnerabilities in Firefox. This system utilized an agent-based harness atop existing fuzzing infrastructure to pinpoint flaws in areas like JIT, WebAssembly GC, IndexedDB, and XSLT, including a 15-year-old bug in the `<legend>` element and persistent XSLT issues. The AI demonstrated a low false positive rate, with dual LLM verification bolstering developer confidence, and highlighted the effectiveness of existing anti-poisoning measures by identifying blocked AI attack attempts. |
| 2026-04-28 | An open-source package with over 1 million monthly downloads has a vulnerability that has been exploited to distribute malware-infected versions and steal user credentials. | Secrets, Supply Chain | Writeup of a supply chain attack on Elementary Open Source Python CLI v0.23.3, which was exploited to distribute malware and steal user credentials like API tokens and SSH keys. This incident highlights risks in developer account security and GitHub Actions workflows, impacting a package with over one million monthly downloads. Developers are advised to uninstall the compromised version, clear caches, rotate credentials, and check for malware. |
| 2026-04-24 | Password manager Bitwarden suffers supply chain attack; users of the npm package should check their device. | Supply Chain | Writeup of Bitwarden CLI supply chain attack, where malicious code infiltrated the CI/CD pipeline via GitHub Actions into package '@bitwarden/cli2026.4.0'. Users should audit npm, check CI logs, change secrets, and scan GitHub for unauthorized activity. Similarities to the Checkmarx attack are noted, including a Russian-language environment exclusion, though different actors are suspected. |