ox.security
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-14.
| Date Added | Resource | Topics | Excerpt |
|---|---|---|---|
| 2026-05-14 | New MCP Security Flaws: Kubectl-mcp-server, Archon OS and MarkItDown Vulnerabilities | API Sec | Library detailing vulnerabilities in widely used MCP tools, including CVE-2025-65719 and CVE-2025-69443 affecting Kubectl-mcp-server and Archon OS. The affected projects carry over 140,000 GitHub stars combined, and the flaws expose their users to data exfiltration, credential theft, and lateral movement. The findings point to systemic risk in AI supply chains from the way MCP tools handle authentication and sandboxing, and argue that security belongs at the integration layer rather than being shifted onto users. |
| 2026-05-12 | Shai-Hulud: Here We Go Again: 170 Packages Hit Across npm & PyPI | Supply Chain | Library for detecting and mitigating the "Shai-Hulud: Here We Go Again" malware, which targets npm and PyPI. This self-propagating credential stealer has affected over 170 packages, including ones from Mistral AI, the OpenSearch Project, and TanStack, with hundreds of millions of downloads between them. This variant monitors the stolen tokens and wipes the infected machine when a token is revoked, and it exfiltrates stolen credentials to GitHub repositories. Recommended immediate actions: rotate keys, enable 2FA, and downgrade affected packages. |
| 2026-05-05 | 8.3M Downloads Compromised: Lightning & Intercom-Client Infected in Latest Shai-Hulud Attack | Supply Chain | Library update: the Python package `Lightning` (versions 2.6.2 and 2.6.3) and the npm package `intercom-client` (version 7.0.4) were compromised in a Shai-Hulud supply chain attack that steals credentials and API keys. Affected users should rotate keys, enable 2FA, and revert `Lightning` to version 2.6.1 or lower. The malware, a Node/Bun-based tool, collects secrets from the environment and exfiltrates them to an obfuscated host, and it uses compromised npm tokens to download, patch, and republish trojanized packages. Over 1,800 GitHub repositories containing stolen developer credentials were identified. |
| 2026-05-02 | Shai-Hulud Hits SAP: Stolen Credentials Found in 1200 GitHub Repos | Secrets, Supply Chain | Tool: a Shai-Hulud worm variant, a Bun-based stealer, targets SAP npm packages and exfiltrates credentials, tokens, and cloud configuration. It uploads the stolen data, encrypted, to over 1,200 public GitHub repositories identifiable by the string "A Mini Shai-Hulud has Appeared." The malware attempts to harvest secrets from developer machines, GitHub Actions environments, and cloud platforms including AWS, Azure, and GCP. The affected packages account for over 2.2 million monthly downloads; immediate actions are key rotation and upgrading the affected packages. |
| 2026-04-23 | Shai-Hulud: The Third Coming: Bitwarden CLI Backdoored in Latest Supply Chain Campaign | Supply Chain | Analysis of the Shai-Hulud worm's attack on the @bitwarden/cli package, showing its self-propagating behaviour and its exfiltration of credentials, npm tokens, GitHub tokens, and AWS, GCP, and Azure information. The worm encrypts exfiltrated data with AES-256-GCM and uploads it to public GitHub repositories; it skips Russian-configured systems, which suggests a possible Russian origin. Affected users are advised to rotate keys, enable 2FA, check for the malicious GitHub repositories, and downgrade the @bitwarden/cli package. |
| 2026-04-23 | Xinference Allegedly Hacked by TeamPCP: Malicious Package in PyPI | Supply Chain | Writeup of the Xinference supply chain attack on PyPI, detailing how malicious versions (2.6.0 to 2.6.2) were uploaded containing obfuscated infostealer code. The malware targets cloud credentials, API keys, environment variables, SSH keys, cryptocurrency wallets, and database credentials, and sends the stolen data to a remote server. The attackers used a compromised bot to inject the base64-encoded payload into the package's `__init__.py`, affecting everyone who installed the compromised versions. Recommended actions: downgrade to version 2.5.0 and rotate sensitive keys. |
| 2026-04-20 | Supply Chain Attack Hits Vercel: User Data is Being Sold on BreachForums For $2M | Supply Chain | Analysis of the Vercel and Context AI supply chain attack, detailing how compromised OAuth tokens and a malicious Chrome extension led to Vercel's internal database being offered for sale on BreachForums. The incident highlights the risks of AI systems and third-party integrations; recommended actions are immediate key rotation, enabling 2FA, and auditing third-party app access, particularly for Google Workspace and Vercel-maintained packages such as Next.js. |
| 2026-04-16 | The Mother of All AI Supply Chains: Critical Systemic Vulnerability at the Core of Anthropic's MCP | AI | Analysis of Anthropic's Model Context Protocol (MCP) describing a systemic vulnerability that enables arbitrary command execution (remote code execution, RCE) across its Python, TypeScript, Java, and Rust SDKs. It is exploitable through unauthenticated UI injection, hardening bypasses in Flowise, zero-click prompt injection in Windsurf and Cursor, and malicious marketplace distribution, and it affects over 150 million downloads and thousands of servers. Affected tools include LiteLLM, LangChain, and IBM's LangFlow, with over 10 CVEs issued. |
| 2026-04-16 | MCP Supply Chain Advisory: RCE Vulnerabilities Across the AI Ecosystem | AI | Advisory detailing a systemic command injection vulnerability in Anthropic's MCP protocol that affects multiple AI ecosystem products. The exploits, including CVE-2025-65720 for GPT Researcher, CVE-2026-30623 for LiteLLM, and CVE-2026-30624 for Agent Zero, allow unauthenticated or authenticated remote command execution by injecting arbitrary commands through MCP configurations in affected applications such as LangFlow, the Fay Digital Human Framework, and Bisheng. |
| 2026-04-05 | Known, Unpatched, Exploitable: Redash's Python Sandbox Escape Gives Attackers Full Server Access | Python | Writeup of a Redash sandbox escape, exploitable through the Python data source, that allows remote code execution and full server compromise. OX Research found that an insecure reassignment of Python's `getattr` within the sandbox context lets attackers reach and execute arbitrary system commands, leading to potential data exposure and lateral movement. All Redash versions with the Python data source enabled are affected, and no patch is currently available. |
| 2026-04-03 | Axios Compromised With A Malicious Dependency | Supply Chain | Library for detecting and mitigating the Axios supply chain attack, in which versions 0.30.4 and 1.14.1 were compromised through the malicious dependency `plain-crypto-js` version 4.2.1. The attack installs a Remote Access Trojan (RAT) on Windows, macOS, and Linux, giving attackers complete control of the host. Immediate actions: rotate credentials, pin dependencies, and treat affected machines as fully compromised. The library helps identify affected versions and explains the attack's mechanisms on each operating system. |
| 2026-01-27 | XSS in Live Preview Microsoft VS Code Extension with 11M Downloads | XSS | Writeup of an XSS vulnerability in Microsoft's VS Code Live Preview extension, which has over 11 million downloads. The vulnerability allowed remote attackers to exfiltrate local files, including credentials and API keys, by abusing the extension's embedded HTTP server. The issue was responsibly disclosed to Microsoft and patched in version 0.4.16. |
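Several of the entries above end with the same first step for responders: find out whether a pinned version in your lockfiles is one of the compromised releases, then rotate keys and downgrade. The script below is an added example, not code from OX Security or from any of the listed resources. It checks `pip freeze` output and a `package-lock.json` (lockfileVersion 2 or 3) against only the versions the excerpts on this page name: `axios` 0.30.4 and 1.14.1 with `plain-crypto-js` 4.2.1, `intercom-client` 7.0.4, `Lightning` 2.6.2 and 2.6.3, and `xinference` 2.6.0 through 2.6.2. `@bitwarden/cli` is left out because the entry gives no version numbers. The two sample inputs are constructed for the demonstration and are not real lockfiles from any incident.

```python
import json
import re

# Compromised versions as named in the excerpts on this page (not an authoritative
# feed; extend it from the vendor advisories before relying on it).
COMPROMISED = {
    "npm": {
        "axios": {"0.30.4", "1.14.1"},
        "plain-crypto-js": {"4.2.1"},
        "intercom-client": {"7.0.4"},
    },
    "pypi": {
        "lightning": {"2.6.2", "2.6.3"},
        "xinference": {"2.6.0", "2.6.1", "2.6.2"},
    },
}


def normalize_pypi_name(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pip_freeze(text):
    """Parse `pip freeze` output into a list of (normalized name, version)."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if "==" not in line:
            continue  # blanks, comments, editable installs ("-e ..."), VCS URLs
        name, version = line.split("==", 1)
        found.append((normalize_pypi_name(name.strip()), version.strip()))
    return found


def parse_package_lock(text):
    """Parse package-lock.json (lockfileVersion 2 or 3) into (name, version).

    Keys in the "packages" map are paths such as
    "node_modules/axios/node_modules/plain-crypto-js"; the package name is the
    part after the last "node_modules/", which keeps scoped names intact and
    catches nested copies that a top-level listing would miss.
    """
    lock = json.loads(text)
    found = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if "version" in meta:
            found.append((name, meta["version"]))
    return found


def find_compromised(ecosystem, installed):
    """Return sorted, de-duplicated (name, version) pairs matching a known-bad version."""
    bad = COMPROMISED[ecosystem]
    return sorted({(n, v) for n, v in installed if v in bad.get(n, ())})


# Constructed sample inputs for the demonstration.
PIP_FREEZE_SAMPLE = """\
Lightning==2.6.3
numpy==2.2.0
xinference==2.6.1   # pinned before the advisory
"""

PACKAGE_LOCK_SAMPLE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/intercom-client": {"version": "7.0.3"},
        "node_modules/@scope/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    for eco, parser, sample in (
        ("pypi", parse_pip_freeze, PIP_FREEZE_SAMPLE),
        ("npm", parse_package_lock, PACKAGE_LOCK_SAMPLE),
    ):
        for name, version in find_compromised(eco, parser(sample)):
            print(f"[{eco}] {name}=={version} is a known compromised version")
```

Run it against real output with `pip freeze > freeze.txt` and the project's `package-lock.json`; a hit means the host that resolved that lockfile should be treated as compromised and its credentials rotated, as the entries above recommend, not merely downgraded.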