infoworld.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-02.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-02 | Attack targeting OpenAI Codex users exposes AI software supply chain risks [Supply Chain] | An attack targeting OpenAI Codex users has revealed significant AI software supply chain risks. The incident highlights vulnerabilities in how AI models are developed and deployed. While the specific details of the attack and its impact are still emerging, it underscores the need for robust security measures within the AI development lifecycle. This event serves as a critical reminder of the potential dangers associated with relying on third-party AI components and the importance of secure development practices to prevent future exploits. |
| 2026-05-28 | FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework [API Sec] | Tool for detecting authentication bypass vulnerabilities in applications built with the Starlette framework, which powers FastAPI. The flaw, CVE-2026-48710, allows unauthenticated attackers to bypass host-validation protections by sending malformed Host headers containing special characters like slashes or question marks. This can lead to authentication bypass, SSRF, and potentially remote code execution, impacting LLM gateways, MCP servers, and agent infrastructure. A website, badhost.org, is available to test for the vulnerability. |
| 2026-05-19 | AntV data visualization tool the latest to be hit by ongoing npm supply chain attacks [Supply Chain] | Library that has been compromised by the Mini-Shai-Hulud worm, a prevalent npm supply chain attack. The worm targets AntV data visualization tools and attempts to steal npm and GitHub tokens, along with credentials from numerous file paths including cloud platforms and cryptocurrency wallets. Attackers store exfiltrated data in public GitHub repositories themed on Dune, and the malware may attempt persistence via a Python backdoor. Developers are advised to audit and move to known safe versions, rotate all credentials, and strengthen monitoring and package verification. |
| 2026-04-30 | Critical GitHub RCE bug exposed millions of repositories [RCE] | Writeup of CVE-2026-3854, a critical RCE vulnerability in GitHub affecting millions of repositories. Exploiting the handling of server-side "git push" operations, specifically the X-STAT component, an authenticated user could execute arbitrary commands via crafted input. This command injection flaw, rated CVSS 8.8, was discoverable using AI-augmented tooling like IDA MCP, and impacted GitHub.com and Enterprise Server, granting full server compromise in self-hosted environments. |
| 2021-12-22 | Why SBOM management is no longer optional [Supply Chain] | Library for Software Bills of Materials (SBOM) management, crucial for addressing software supply chain vulnerabilities like Log4Shell. It emphasizes generating, storing, and searching SBOMs for rapid incident response, supporting aggregation and various SBOM formats like SPDX. This proactive approach ensures visibility and quick identification of affected applications during zero-day exploits. |