Posts

Preparing Organizations for the Shift to Post-Quantum Cryptography

The article explains why organizations must start migrating from traditional cryptographic algorithms to post-quantum cryptography. Advances in quantum computing threaten to break widely used algorithms such as RSA and ECC, putting long-term data confidentiality at risk. The text emphasizes the need for early planning, including inventorying cryptographic assets, identifying where vulnerable algorithms are used, and designing a phased migration strategy. It highlights crypto-agility as essential, allowing systems to adapt as standards evolve. Migration is presented as a gradual, multi-year effort rather than a one-time change. https://www.wileyconnect.com/migrating-from-traditional-algorithms-to-post-quantum-cryptography-what-your-organization-needs-to-know

MaliciousCorgi AI Extensions Steal Code from Over 1.5 Million Developers

A security research team has uncovered a malicious campaign dubbed “MaliciousCorgi” involving two Visual Studio Code extensions with a combined 1.5 million installs that pose as helpful AI coding assistants but secretly harvest and exfiltrate developers’ code and activity data without consent. The extensions, still live on the official VS Code Marketplace, not only read and transmit entire files opened in the editor but also include hidden profiling and server-controlled harvesting mechanisms that can collect batches of files and metadata, exposing sensitive credentials, source code, and workspace information to remote servers in China. https://www.koi.ai/blog/maliciouscorgi-the-cute-looking-ai-extensions-leaking-code-from-1-5-million-developers

Critical Remote Code Execution Bug in n8n Workflow Automation Platform

A severe security flaw tracked as CVE-2026-25049 has been disclosed in the n8n open-source workflow automation platform that allows authenticated users with permission to create or modify workflows to execute arbitrary system commands on the underlying host, potentially compromising the entire server and the sensitive data and credentials stored there. The vulnerability arises from inadequate sanitization in the expression evaluation mechanism and impacts versions of n8n prior to 1.123.17 and 2.5.2, with a CVSS severity score of 9.4. Users are urged to update to the patched releases immediately to mitigate the risk. https://thehackernews.com/2026/02/critical-n8n-flaw-cve-2026-25049.html

Prompt Injection Is Not SQL Injection

The blog explains that while prompt injection and SQL injection both involve untrusted input influencing system behavior, they are fundamentally different. SQL injection exploits how structured queries are interpreted by a database engine, whereas prompt injection manipulates how an AI model interprets or continues a natural language instruction. Because AI models don’t enforce boundaries or a defined grammar the way a database does, traditional defenses like parameterization don’t directly apply. The post warns against treating prompt injection like a conventional code injection flaw and suggests designing AI-involved systems with explicit context isolation, careful prompt construction, and runtime constraints so untrusted content can’t alter intended instructions. https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
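The contrast the post draws, as an added example that is not from the NCSC post: on the SQL side the database engine enforces the code/data boundary once a parameter is bound, so the boundary check belongs to the query; on the LLM side no engine enforces such a boundary, so the enforceable control has to sit outside the model, on the action it requests. The `ALLOWED_ACTIONS` policy, the `Action` shape and the sample model reply are constructed for illustration.

```python
import json
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- SQL side: bound parameters, the engine keeps data from becoming query structure ---
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_user(conn: sqlite3.Connection, username: str) -> List[Tuple[int]]:
    # The statement shape is fixed before the value is seen; whatever the string
    # contains, it is compared as a literal and can never change which query runs.
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()

# --- LLM side: the prompt has no grammar to bind against, so constrain the action ---
ALLOWED_ACTIONS = {"summarize", "translate"}  # constructed policy, derived from the trusted task only

@dataclass(frozen=True)
class Action:
    name: str
    target: str

def build_prompt(trusted_instruction: str, untrusted_doc: str) -> str:
    # Delimiters are careful prompt construction, but they are advisory: the model may
    # still follow text inside <document>, so they are not a security boundary.
    return f"{trusted_instruction}\n<document>\n{untrusted_doc}\n</document>"

def parse_action(model_reply: str) -> Optional[Action]:
    # Accept only a structured reply; free-form text is not treated as a command.
    try:
        obj = json.loads(model_reply)
        return Action(str(obj["action"]), str(obj["target"]))
    except (ValueError, KeyError, TypeError):
        return None

def enforce(requested: Optional[Action]) -> Optional[Action]:
    # Runtime constraint: only policy-approved actions are ever executed, regardless
    # of what the untrusted document persuaded the model to ask for.
    if requested is None or requested.name not in ALLOWED_ACTIONS:
        return None
    return requested

if __name__ == "__main__":
    print(lookup_user(make_db(), "bob' OR '1'='1"))  # literal match, returns []
    # Constructed reply of a model that followed an instruction hidden in the document:
    print(enforce(parse_action('{"action": "send_email", "target": "attacker"}')))  # None
```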

Hacking Clawdbot and Eating Lobster Souls

The post describes how the author examined real-world deployments of Clawdbot, an open-source AI agent that connects large language models to messaging platforms and can execute tools for users. The author found hundreds of publicly exposed control interfaces that give attackers easy access to credentials, conversation histories, and command execution on behalf of the owner. Because many deployments were misconfigured or left with development defaults, they exposed API keys, bot tokens, OAuth secrets, and even root access. The article uses a “butler gone rogue” metaphor to highlight the security trade-offs of autonomous agents and stresses the need for better defaults, hardened configurations, and careful consideration of the risks posed by pervasive, autonomous AI infrastructure. https://www.linkedin.com/pulse/hacking-clawdbot-eating-lobster-souls-jamieson-o-reilly-whhlc/

Automated React2Shell Vulnerability Patching Now Available

Vercel announced that it has added automatic patching for the React2Shell vulnerability across its platform. This means Vercel will now detect projects affected by this security issue and apply patches without requiring manual steps from developers. The update improves security by reducing the window of exposure and lowering the operational burden on teams who might otherwise have to identify vulnerable dependencies and fix them manually. This automated capability helps ensure that applications deployed on Vercel remain protected against the specific React2Shell risk with minimal intervention from developers. https://vercel.com/changelog/automated-react2shell-vulnerability-patching-is-now-available

Public Container Registry Security Risks and Malicious Images

The article explains that public container registries pose significant security risks because anyone can publish images there, including potentially malicious actors. Threats include images with embedded malware, cryptojacking tools, backdoors, or names mimicking legitimate images to trick users. The piece highlights how attackers can exploit weak naming conventions, typosquatting, and unattended or abandoned images to get users to pull harmful content. It discusses credential leakage when images are built with secrets, lack of image provenance and trust metadata, and insufficient scanning for known vulnerabilities. The article recommends mitigating these risks by using signed and provenance-verified images, enforcing registry access controls, scanning images for malware and vulnerabilities before deployment, establishing internal trusted registries or mirrors, and implementing supply chain security practices so that only vetted and traceable images are used in production. https:/...