reversinglabs.com

9 curated AppSec resources from reversinglabs.com across 4 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-08.

| Date Added | Resource | Topics | Excerpt |
| --- | --- | --- | --- |
| 2026-05-08 | How to mitigate secrets risk and prevent future breaches | Secrets | Library for detecting and managing secrets risk in code. It details how leaks of credentials, tokens, and signing keys in open source and proprietary repositories are a growing concern, with millions exposed on platforms like GitHub and npm. The library aids in situational awareness by identifying exposed secrets, understanding their purpose, and assessing their potential impact. It emphasizes investing in advanced tooling to filter false positives and prioritize active tokens, alongside evolving development practices to mitigate risks from the design stage forward, ultimately aiming to prevent future breaches. |
| 2026-05-07 | AI-based fuzzing targets open-source LLM vulnerabilities | Fuzzing | Library that utilizes AI-enhanced fuzzing to discover vulnerabilities in open-source projects. This technique has already identified 26 new vulnerabilities, including a critical flaw in OpenSSL, by generating sophisticated and varied test inputs that explore new execution paths and uncover edge cases missed by traditional methods. The library aims to improve code coverage, increase efficiency, and automate vulnerability discovery, though users must be aware of potential drawbacks like false positives and the need for careful validation of AI-generated code. |
| 2026-05-06 | Secrets security: The why the how and what to do about it | Secrets | Report detailing the epidemic of secrets exposed in software repositories, explaining how attackers exploit exposed environment variables, tokens, and keys on platforms like PyPI, npm, and GitHub, and offering guidance on mitigation strategies. It highlights the speed at which attackers find these secrets, often within seconds, and the long discovery times for security teams, referencing examples of exposed AWS credentials and discussions of defense-in-depth approaches to software supply chain security. |
| 2026-05-05 | Bootstrap script exposes PyPI to domain takeover attacks | Python, Supply Chain | Library detailing a domain takeover vulnerability in legacy Python package bootstrap scripts. The vulnerability, discovered by ReversingLabs, affects numerous packages including tornado and slapos.core, by exploiting the now-available python-distribute[.]org domain. This could allow attackers to execute arbitrary code when developers run affected bootstrap scripts, potentially impacting software supply chain security. |
| 2026-05-05 | Secrets leaks increase and expand beyond the codebase | Secrets | Library for detecting secrets leaks, focusing on increased risks beyond codebases in collaboration and project management tools like Slack, Jira, and Confluence. It highlights that secrets found in these platforms are often more critical and harder to detect than those in source code, as these tools typically lack integrated scanning capabilities. The library aims to address this gap by providing solutions for monitoring these unstructured data streams, acknowledging that traditional scanning methods optimized for code repositories are insufficient. |
| 2026-04-11 | Ultralytics PyPI package delivers coinminer | Supply Chain | Library compromise of Ultralytics PyPI package: Malicious versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46 distributed an XMRig coinminer by exploiting a GitHub Actions script injection. This allowed attackers to execute arbitrary code, leading to multiple releases containing downloader code in `__init__.py`. The initial compromise involved crafted pull requests to inject malicious payloads, with subsequent malicious versions published due to maintainers not fully locating the breach. This supply chain attack had a significant potential impact due to Ultralytics' widespread adoption. |
| 2026-04-11 | Shai-Hulud npm supply chain attack overview | Supply Chain | Writeup on the Shai-hulud npm supply chain attack, a self-replicating worm that compromises npm accounts to infect legitimate packages. This malware inserts malicious code into packages, spreading via `postinstall` scripts, and exfiltrates cloud service tokens (npm, GitHub, AWS, GCP) by installing TruffleHog and targeting specific secrets. The worm also attempts to exfiltrate GitHub tokens via malicious workflows and convert private repositories to public, impacting popular packages like ngx-bootstrap and ng2-file-upload. |
| 2026-04-09 | Inside the TeamPCP cascading supply chain attack | Supply Chain | Library for detecting and mitigating supply chain attacks, detailing the TeamPCP campaign that compromised the telnyx and LiteLLM PyPI packages, as well as Checkmarx extensions on Open VSX. The attacks leveraged stolen credentials to inject malicious code, exfiltrating cloud secrets and tokens, impacting security tools like Trivy and KICS GitHub Actions, and demonstrating the risks of unverified dependencies. |
| 2026-04-03 | Axios compromise: How AppSec teams should respond | Supply Chain | Library response checklist for the Axios supply chain compromise, detailing steps to audit dependencies, rotate credentials, review CI/CD logs, and secure code repositories. It advocates for continuous dependency inventory, extended SBOMs (xBOMs) including SaaSBOMs and CBOMs, ongoing OSS package monitoring, short-lived CI/CD credentials, and modeling cascading risk, particularly for crypto and fintech assets, to mitigate threats posed by compromised packages like axios and its transitive dependencies. |