appsec.fyi · Sources

tomshardware.com

5 curated AppSec resources from tomshardware.com across 4 topics on appsec.fyi.

tomshardware.com

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-07-11.

Date Added Resource Excerpt
2026-07-11 2026New hack exploits AI hallucinations to trick agents into running malicious code 'HalluSquatting' attack exploits a fundamental weakness in every available modelAIA new hacking technique, dubbed "HalluSquatting," exploits AI hallucinations to trick AI agents into executing malicious code. This attack targets a fundamental weakness present in all current AI models. By manipulating the AI's tendency to "hallucinate" or generate incorrect information, attackers can subtly inject commands that the AI will then execute. This poses a significant security risk across various AI applications.
2026-05-28 2026Wide-ranging 7-zip vulnerability with 8.8 CVE rating allows for code execution hundreds of millions of machines potentially at riskRCEWriteup of CVE-2023-23752, a critical vulnerability in 7-Zip affecting hundreds of millions of machines. This flaw allows for arbitrary code execution simply by opening a crafted archive, with no user interaction required beyond opening the file. Exploitable across Windows, Linux, and macOS, and integrated into numerous third-party applications and CI/CD pipelines, the vulnerability impacts widely used .7z, .zip, and .rar formats. Users are strongly advised to update to version 26.01 immediately.
2026-05-12 2026Compromised Mistral AI and TanStack packages may have exposed GitHub cloud and CI/CD credentials in 'mini Shai Hulud' malware infection supply-chain campaign spreads across npm and AI developer ecosystems like wildfireSupply ChainAnalysis of the "Mini Shai-Hulud" campaign reveals compromised Mistral AI and TanStack packages on npm and PyPI. Version 2.4.6 of the mistralai PyPI package injected malicious code that executed on import, downloading a credential-stealing payload disguised as transformers.pyz. Affected TanStack packages include @tanstack/react-router, @tanstack/history, and @tanstack/router-core. Developers are urged to rotate GitHub tokens, npm credentials, and CI/CD secrets due to the potential exposure of cloud and CI/CD credentials.
2026-05-11 2026Devastating 'Dirty Frag' exploit leaks out gives immediate root access on most Linux machines since 2017 no patches available no warning given Copy Fail-like vulnerability had its embargo brokenAuthZTool that provides immediate root access on most Linux machines since 2017 due to the Dirty Frag vulnerability. This local privilege escalation exploit leverages a zero-copy operation in IPSec-related modules, specifically affecting "xfrm-ESP Page Cache Write" and "RxRPC Page-Cache Write." Distributions like Ubuntu, Arch, RHEL, and Fedora are impacted. Mitigation involves disabling esp4, esp6, and rxrpc kernel modules. The exploit code is available via a GitHub repository for testing.
2026-04-22 2026Anthropic's Model Context Protocol includes a critical remote code execution vulnerability newly discovered exploit puts 200000 AI servers at riskAIWriteup of critical RCE vulnerability in Anthropic's Model Context Protocol (MCP) affecting its SDKs across Python, TypeScript, Java, and Rust. The flaw, rooted in STDIO transport interface handling of local process execution, allows arbitrary command injection via user-controlled input without sanitization. Exploitation vectors include UI injection in AI frameworks, hardening bypasses in tools like Flowise, zero-click prompt injection in AI coding IDEs such as Windsurf and Cursor, and malicious package distribution via MCP marketplaces. OX Security reported numerous CVEs, with some fixed and others awaiting resolution.