
infoworld.com

7 curated AppSec resources from infoworld.com across 3 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-09.

Date Added: 2026-06-09
Resource: Meet Hades: The malware that lies to AI security agents
Topic: Supply Chain
Excerpt: Writeup of the Hades campaign, a supply-chain attack compromising Python packages and targeting AI security agents. This sophisticated worm uses obfuscated scripts within `__init__.py` to execute multi-layer payloads, leveraging the Bun toolkit to bypass traditional controls. Hades exploits vulnerabilities in popular libraries like ensmallen and computational biology packages, while employing adversarial prompt injection to deceive LLM code analysis systems into classifying malicious code as clean. It propagates via GitHub, targets cloud credentials and AI agent configurations, and uses Sigstore to generate signed provenance bundles for compromised packages.

Date Added: 2026-06-05
Resource: Patching fast and slow: Ruby devs delay to defend against supply chain attack
Topic: Supply Chain
Excerpt: Library update from RubyGems that introduces a "cooldown" feature to Bundler, allowing developers to delay installation of newly published Ruby packages. This defense mechanism counters software supply chain attacks by providing a grace period in which malicious code can be identified before unsuspecting users install it, though critical patches can still be applied immediately.

Date Added: 2026-06-02
Resource: Attack targeting OpenAI Codex users exposes AI software supply chain risks
Topic: Supply Chain
Excerpt: Writeup of the codexui-android npm package attack, revealing AI software supply chain risks. Attackers hid malicious code within a seemingly legitimate OpenAI Codex remote user interface package, exfiltrating developer authentication tokens, including long-lived refresh tokens. This incident highlights vulnerabilities in build and distribution pipelines, where published software artifacts may differ from the public source code, leading to persistent access to AI developer tools and the resources they control.

Date Added: 2026-05-28
Resource: FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework
Topic: API Sec
Excerpt: Tool for detecting authentication bypass vulnerabilities in applications built with the Starlette framework, which powers FastAPI. The flaw, CVE-2026-48710, allows unauthenticated attackers to bypass host-validation protections by sending malformed Host headers containing special characters like slashes or question marks. This can lead to authentication bypass, SSRF, and potentially remote code execution, impacting LLM gateways, MCP servers, and agent infrastructure. A website, badhost.org, is available to test for the vulnerability.

Date Added: 2026-05-19
Resource: AntV data visualization tool the latest to be hit by ongoing npm supply chain attacks
Topic: Supply Chain
Excerpt: Library that has been compromised by the Mini-Shai-Hulud worm, a prevalent npm supply chain attack. The worm targets AntV data visualization tools and attempts to steal npm and GitHub tokens, along with credentials from numerous file paths, including cloud platforms and cryptocurrency wallets. Attackers store exfiltrated data in public GitHub repositories themed on Dune, and the malware may attempt persistence via a Python backdoor. Developers are advised to audit and move to known safe versions, rotate all credentials, and strengthen monitoring and package verification.

Date Added: 2026-04-30
Resource: Critical GitHub RCE bug exposed millions of repositories
Topic: RCE
Excerpt: Writeup of CVE-2026-3854, a critical RCE vulnerability in GitHub affecting millions of repositories. Exploiting the handling of server-side "git push" operations, specifically the X-STAT component, an authenticated user could execute arbitrary commands via crafted input. This command injection flaw, rated CVSS 8.8, was discoverable using AI-augmented tooling like IDA MCP, and impacted GitHub.com and Enterprise Server, granting full server compromise in self-hosted environments.

Date Added: 2021-12-22
Resource: Why SBOM management is no longer optional
Topic: Supply Chain
Excerpt: Library for Software Bill of Materials (SBOM) management, crucial for addressing software supply chain vulnerabilities like Log4Shell. It emphasizes generating, storing, and searching SBOMs for rapid incident response, supporting aggregation and various SBOM formats like SPDX. This proactive approach ensures visibility and quick identification of affected applications during zero-day exploits.