appsec.fyi · Sources

unit42.paloaltonetworks.com

15 curated AppSec resources from unit42.paloaltonetworks.com across 9 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-07.

Date Added | Year | Resource | Topic | Excerpt
2026-05-07 | 2026 | Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution | RCE | Writeup detailing CVE-2026-0300, a buffer overflow in the Captive Portal service of Palo Alto Networks PAN-OS that enables unauthenticated remote code execution. Exploitation by state-sponsored actors involved injecting shellcode, deploying open-source tools such as EarthWorm and ReverseSocks5 for tunneling, and enumerating Active Directory with compromised credentials. The analysis highlights the attackers' operational restraint and their reliance on open-source tooling for stealthy compromise of edge network devices.
2026-04-24 | 2026 | The npm Threat Landscape: Attack Surface and Mitigations | Supply Chain | Library detailing the evolving npm threat landscape, focusing on the Shai-Hulud worm and the systematic supply chain compromises that followed it. It analyzes significant incidents such as the Axios and Bitwarden CLI compromises, highlighting adversary tactics including wormable propagation via token theft, CI/CD pipeline persistence, and multi-stage payloads. The library also covers remediation playbooks for credential rotation and dependency purging, and details the obfuscation and execution mechanisms used by malware targeting npm users and distribution channels such as Docker Hub and GitHub Actions.
2026-04-19 | 2026 | LANDFALL: New Commercial-Grade Android Spyware (CVE-2025-21042) | Mobile | Analysis of LANDFALL, commercial-grade Android spyware targeting Samsung Galaxy devices, detailing its exploitation of CVE-2025-21042, a zero-day in Samsung's image processing library. Delivered via malicious DNG image files, potentially through WhatsApp, LANDFALL enables comprehensive device surveillance. The operation, active since mid-2024 and patched in April 2025, predates public disclosure of similar exploit chains involving CVE-2025-21043 and iOS vulnerabilities, suggesting links to private-sector offensive actors in the Middle East.
2026-04-19 | 2026 | Microsoft WSUS RCE (CVE-2025-59287) Actively Exploited | RCE | Analysis of CVE-2025-59287, a critical unauthenticated RCE in Microsoft WSUS, detailing its exploitation via unsafe deserialization through the GetCookie() or ReportingWebService endpoints. Observed attack chains involve PowerShell execution, network reconnaissance, and exfiltration to attacker-controlled webhooks. Affected systems include Windows Server versions with the WSUS role enabled. Temporary mitigations include disabling the WSUS role or blocking inbound traffic on ports 8530 and 8531.
2026-04-11 | 2026 | GitHub Actions Supply Chain Attack: Coinbase to tj-actions | Supply Chain | Writeup of a GitHub Actions supply chain attack, detailing how attackers compromised tj-actions/changed-files and reviewdog/action-setup. The multi-layered attack initially targeted Coinbase's open-source project agentkit before escalating to thousands of repositories by injecting payloads that leaked CI/CD runner secrets and credentials. The analysis highlights abuse of third-party actions and dependencies and lays out detection and prevention steps for both consumers and maintainers.
2026-04-11 | 2026 | Shai-Hulud Worm Compromises npm Ecosystem | Supply Chain | Analysis of the Shai-Hulud 2.0 npm worm, detailing its aggressive propagation through a preinstall script that bypasses static analysis. The campaign targets GitHub repositories, steals credentials for AWS, GCP, and Azure, exfiltrates them to public GitHub repositories, and attempts to destroy home directories as a fallback. The worm automates its spread by injecting malicious code into other packages maintained by compromised developers, potentially crippling CI/CD pipelines and leading to significant cloud service compromises. LLMs may have assisted in generating its obfuscated payload.
2026-04-11 | 2026 | Leaked Env Variables Allow Large-Scale Cloud Extortion | Secrets | Writeup of a cloud extortion campaign that compromised and ransomed data by leveraging exposed environment variable files (.env). The campaign used credentials found in .env files, combined with long-lived credentials and a lack of least-privilege architecture, to gain initial access to victim AWS environments. Attackers used Tor, VPNs, and VPS endpoints for reconnaissance, lateral movement, and data exfiltration, targeting services such as IAM, STS, S3, and SES.
2026-04-11 | 2026 | CloudKeys in the Air: Exposed IAM Keys Cryptojacking | Secrets | Analysis of the EleKtra-Leak campaign, detailing automated targeting of AWS IAM keys exposed on GitHub for cryptojacking. The threat actor quickly used compromised credentials to launch Amazon EC2 instances for Monero mining. Researchers used a Prisma Cloud HoneyCloud project to monitor the activity, observing hundreds of EC2 instances linked to the operation. The actor used automation to scan repositories and to blocklist AWS accounts it had already flagged, which researchers countered by creating randomized, non-attributable AWS accounts with overly permissive IAM credentials to track the actor's movements.
2026-04-11 | 2026 | Exposing a New BOLA Vulnerability in Grafana | API Sec | Writeup on CVE-2024-1313, a Broken Object Level Authorization (BOLA) vulnerability in Grafana that lets low-privileged users delete dashboard snapshots belonging to other organizations using snapshot keys. Versions 9.5.0 before 9.5.18, 10.0.0 before 10.0.13, 10.1.0 before 10.1.9, 10.2.0 before 10.2.6, and 10.3.0 before 10.3.5 are affected. The vulnerability, with a CVSS score of 6.5, arises in the dashboard snapshot APIs and can lead to data loss or integrity issues. Additionally, an endpoint allows any user to create snapshots with weak self-assigned keys, potentially enabling denial-of-service or brute-force attacks.
2026-04-11 | 2026 | Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild | AI | Writeup detailing indirect prompt injection (IDPI) attacks against AI agents observed in the wild. The analysis covers real-world cases including AI-based ad review evasion, SEO manipulation for phishing, data destruction, and sensitive information leakage. It discusses 22 distinct payload engineering techniques and classifies attacker intents, emphasizing the growing weaponization of IDPI beyond theoretical risk.
2026-04-11 | 2026 | New Prompt Injection Attack Vectors Through MCP Sampling | AI | Writeup of new prompt injection attack vectors targeting the Model Context Protocol (MCP) sampling feature. By exploiting the implicit trust model and the lack of built-in security controls, attackers can achieve resource theft, conversation hijacking, and covert tool invocation. The analysis details three proof-of-concept examples and evaluates mitigation strategies for MCP-based systems.
2026-04-10 | 2026 | SSRF Exposes Data of Technology, Industrial and Media Organizations | SSRF | Analysis of CVE-2019-8451, a Server-Side Request Forgery vulnerability in Jira, showing how it exposes cloud infrastructure metadata. The vulnerability, exploitable without authentication, lets attackers bypass firewalls and reach sensitive information such as credentials, configuration, and source code by redirecting requests to internal metadata APIs. Research indicates thousands of internet-exposed Jira instances remain vulnerable, a significant portion of them leaking such data belonging to technology, industrial, and media organizations.
2026-04-10 | 2026 | RCE With Modern AI/ML Formats and Python Libraries | Python | Library vulnerabilities in NVIDIA's NeMo, Salesforce's Uni2TS, and Apple/ETH Zurich's FlexTok allow remote code execution (RCE) when malicious metadata is loaded. These PyTorch-based AI/ML libraries, widely used on HuggingFace, rely on Hydra's `instantiate()` function to load configurations, which executes arbitrary code named in the metadata. CVE-2025-23304 (NeMo) and CVE-2026-22584 (Uni2TS) have been assigned, with fixes released by the respective vendors.
2026-04-06 | 2026 | Exposing Security Blind Spots in GCP Vertex AI | AuthZ | Writeup on "double agents" in GCP Vertex AI, detailing how a misconfigured Per-Project, Per-Product Service Agent (P4SA) with excessive default permissions can be exploited. The research demonstrates obtaining privileged access to consumer project data and to restricted Google-owned Artifact Registry repositories, including proprietary container images for the Vertex AI Reasoning Engine, by compromising a single service agent and exfiltrating its credentials.
2026-04-02 | 2026 | Auditing the Gatekeepers: Fuzzing "AI Judges" to Bypass Security Controls | AI | Tool for fuzzing AI judges, called AdvJudge-Zero, that exploits prompt injection weaknesses in LLM-based security gatekeepers. The fuzzer identifies stealthy control tokens, such as formatting symbols and structural phrases, that manipulate the judge's decision logic to bypass safety policies and pass prohibited content, or to corrupt training data by awarding high scores to incorrect responses. The research reports a 99% success rate in bypassing controls across various LLM architectures, highlighting the need for adversarial training to harden these systems.
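The "RCE With Modern AI/ML Formats and Python Libraries" entry above turns on one mechanism: a loader that reads a `_target_` dotted path from model metadata and calls whatever it names. The example below is added here for this page and is not Hydra's code nor code from NeMo, Uni2TS or FlexTok. `naive_instantiate` is a deliberately minimal reimplementation of the `_target_` / `_args_` semantics that `hydra.utils.instantiate` gives a config (import the dotted path, call it with the remaining keys, resolve nested dicts recursively) so that it runs without Hydra installed; `safe_instantiate`, `ALLOWED_TARGETS` and `UnsafeTargetError` are this example's own names, and the allowlist entries and the sample configs are constructed for illustration.

```python
"""Added example: why a `_target_` metadata loader is remote code execution,
and the allowlisted loader that defuses it. Not Hydra's or any vendor's code."""
import importlib
from typing import Any, Callable

TARGET_KEY = "_target_"   # same key names Hydra uses
ARGS_KEY = "_args_"


def resolve_target(path: str) -> Callable[..., Any]:
    """Import `pkg.mod.name` and return the attribute, as a config loader does."""
    module_name, _, attr = path.rpartition(".")
    if not module_name:
        raise ValueError(f"target {path!r} is not a dotted path")
    return getattr(importlib.import_module(module_name), attr)


def naive_instantiate(cfg: Any) -> Any:
    """Vulnerable loader: any importable callable named in the metadata gets called,
    at any nesting depth, with attacker-chosen arguments."""
    if not isinstance(cfg, dict):
        return cfg
    cfg = dict(cfg)
    if TARGET_KEY not in cfg:
        return {k: naive_instantiate(v) for k, v in cfg.items()}
    target = resolve_target(cfg.pop(TARGET_KEY))
    args = [naive_instantiate(a) for a in cfg.pop(ARGS_KEY, [])]
    kwargs = {k: naive_instantiate(v) for k, v in cfg.items()}
    return target(*args, **kwargs)


# Hypothetical allowlist: a real project lists its own model/tokenizer classes here.
ALLOWED_TARGETS = frozenset({"collections.OrderedDict", "datetime.timedelta"})


class UnsafeTargetError(ValueError):
    """Raised when metadata names a callable outside the allowlist."""


def safe_instantiate(cfg: Any, allowed: frozenset = ALLOWED_TARGETS) -> Any:
    """Hardened loader: the target path is checked against the allowlist before
    anything is imported, and the check is repeated for every nested config."""
    if not isinstance(cfg, dict):
        return cfg
    cfg = dict(cfg)
    if TARGET_KEY not in cfg:
        return {k: safe_instantiate(v, allowed) for k, v in cfg.items()}
    path = cfg.pop(TARGET_KEY)
    if path not in allowed:
        raise UnsafeTargetError(f"refusing to instantiate {path!r}")
    args = [safe_instantiate(a, allowed) for a in cfg.pop(ARGS_KEY, [])]
    kwargs = {k: safe_instantiate(v, allowed) for k, v in cfg.items()}
    return resolve_target(path)(*args, **kwargs)


# Constructed sample metadata, standing in for a config file shipped next to model weights.
BENIGN_CFG = {
    "_target_": "collections.OrderedDict",
    "window": {"_target_": "datetime.timedelta", "hours": 1},
}
# Attacker-controlled variant: the outer object is harmless, the nested target is eval.
MALICIOUS_CFG = {
    "_target_": "collections.OrderedDict",
    "window": {
        "_target_": "builtins.eval",
        "_args_": ["__import__('os').getpid() > 0"],  # harmless stand-in for a real payload
    },
}


def demo() -> tuple:
    """Returns (naive loader ran attacker code, safe loader refused it)."""
    ran_attacker_code = naive_instantiate(MALICIOUS_CFG)["window"] is True
    try:
        safe_instantiate(MALICIOUS_CFG)
        refused = False
    except UnsafeTargetError:
        refused = True
    return ran_attacker_code, refused


if __name__ == "__main__":
    print(safe_instantiate(BENIGN_CFG))
    print(demo())
```

The point of checking the path before `import_module` is that importing alone can run code (module-level side effects), so an allowlist that is consulted after resolution is still too late; rejecting nested targets matters because the vendor fixes described in the writeup were needed precisely where trusted outer configs embedded untrusted inner ones.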
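The Grafana entry above describes two distinct defects: a delete endpoint that resolves a snapshot by its delete key without comparing the snapshot's organization to the caller's (the BOLA), and a create endpoint that accepts client-chosen keys. The toy store below is added here to show both beside their corrected forms; it is Python modelling the pattern, not Grafana's Go code, and `Snapshot`, `SnapshotStore` and `PermissionDenied` are this example's own names with constructed sample data.

```python
"""Added example: BOLA on a key-addressed delete endpoint, and client-chosen capability keys,
each beside the corrected version. Not Grafana's code."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


class PermissionDenied(Exception):
    """The caller's organization does not own the object it addressed."""


@dataclass
class Snapshot:
    key: str          # public read key
    delete_key: str   # capability needed to delete the snapshot
    org_id: int
    dashboard: dict


@dataclass
class SnapshotStore:
    by_delete_key: Dict[str, Snapshot] = field(default_factory=dict)

    def create_vulnerable(self, org_id: int, dashboard: dict,
                          delete_key: Optional[str] = None) -> Snapshot:
        """Honours a client-supplied delete key, so a short or predictable key is accepted."""
        snap = Snapshot(secrets.token_urlsafe(32), delete_key or secrets.token_urlsafe(32),
                        org_id, dashboard)
        self.by_delete_key[snap.delete_key] = snap
        return snap

    def create_fixed(self, org_id: int, dashboard: dict,
                     delete_key: Optional[str] = None) -> Snapshot:
        """Ignores any client-supplied key; both keys are generated server-side."""
        snap = Snapshot(secrets.token_urlsafe(32), secrets.token_urlsafe(32), org_id, dashboard)
        self.by_delete_key[snap.delete_key] = snap
        return snap

    def delete_vulnerable(self, caller_org_id: int, delete_key: str) -> bool:
        """BOLA: the object is looked up by key alone; caller_org_id is never consulted."""
        return self.by_delete_key.pop(delete_key, None) is not None

    def delete_fixed(self, caller_org_id: int, delete_key: str) -> bool:
        """Object-level check: the snapshot must belong to the caller's organization."""
        snap = self.by_delete_key.get(delete_key)
        if snap is None:
            return False
        if snap.org_id != caller_org_id:
            raise PermissionDenied(f"snapshot belongs to org {snap.org_id}, caller is org {caller_org_id}")
        del self.by_delete_key[delete_key]
        return True


def demo() -> dict:
    """Exercise both defects with a victim in org 1 and an attacker in org 2 (constructed data)."""
    store = SnapshotStore()
    victim = store.create_vulnerable(org_id=1, dashboard={"title": "prod"}, delete_key="abc")
    cross_org_delete = store.delete_vulnerable(caller_org_id=2, delete_key=victim.delete_key)

    victim = store.create_fixed(org_id=1, dashboard={"title": "prod"}, delete_key="abc")
    try:
        store.delete_fixed(caller_org_id=2, delete_key=victim.delete_key)
        refused = False
    except PermissionDenied:
        refused = True
    owner_delete = store.delete_fixed(caller_org_id=1, delete_key=victim.delete_key)
    return {
        "weak_key_accepted": "abc" in store.by_delete_key or victim.delete_key == "abc",
        "client_key_ignored": victim.delete_key != "abc" and len(victim.delete_key) >= 32,
        "cross_org_delete_succeeded": cross_org_delete,
        "cross_org_delete_refused": refused,
        "owner_delete_succeeded": owner_delete,
    }


if __name__ == "__main__":
    print(demo())
```

In the fixed delete, answering the cross-org case with the same "not found" result as a missing key (rather than a distinct permission error) also avoids turning the endpoint into an oracle for which keys exist; the example raises so the two outcomes are visible.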