Posts

How We Hacked McKinsey's AI Platform

This blog post from CodeWall describes how their autonomous offensive security agent compromised McKinsey & Company's internal AI platform, Lilli, within two hours starting with only the domain name. The agent mapped the attack surface by discovering publicly exposed API documentation with over 200 endpoints, 22 of which lacked authentication. One unprotected endpoint wrote user search queries to the database with safely parameterized values but concatenated JSON keys directly into SQL, creating a SQL injection vulnerability that the agent identified through database error messages. Through fifteen blind iterations, the agent enumerated the production database and gained access to 46.5 million chat messages, 728,000 files, 57,000 user accounts, 384,000 AI assistants, 94,000 workspaces, system prompts and AI model configurations, 3.68 million RAG document chunks representing decades of proprietary McKinsey research, and 1.1 million files flowing through external AI APIs. The age...

hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions

This blog post from StepSecurity details a week-long automated attack campaign in February and March 2026 where an autonomous AI bot called hackerbot-claw systematically exploited GitHub Actions workflows across major open source repositories, including those belonging to Microsoft, DataDog, CNCF, and popular projects like Trivy and awesome-go. The bot used five different exploitation techniques including poisoned Go scripts via pull_request_target workflows, direct script injection, branch name injection, filename injection with base64 encoded commands, and AI prompt injection targeting Claude Code reviewers through poisoned configuration files. In the most severe incident, the attacker stole a personal access token from the aquasecurity/trivy repository and achieved full repository takeover, making the repository private, deleting years of releases, and pushing a malicious artifact to the Open VSX marketplace. The campaign successfully compromised at least five of seven targeted repo...

A Practical Guide for Secure MCP Server Development

This OWASP resource provides actionable guidance for securing Model Context Protocol servers, which serve as the critical connection point between AI assistants and external tools, APIs, and data sources. It highlights that MCP servers present unique security challenges because they operate with delegated user permissions, use dynamic tool-based architectures, and support chained tool calls, all of which increase the potential impact of a single vulnerability. The guide outlines best practices covering secure architecture design, strong authentication and authorization, strict input and output validation, session isolation, and hardened deployment. It is intended for software architects, platform engineers, and development teams to help them reduce risk while safely enabling tool-integrated agentic AI capabilities. https://genai.owasp.org/resource/a-practical-guide-for-secure-mcp-server-development/

Introducing DeepViolet

This blog post announces DeepViolet, an open-source TLS and SSL analysis library that has been integrated into the ZAP HTTPS Info add-on to deliver risk assessments alongside connection details. DeepViolet provides a modular API that performs TLS handshake analysis, certificate chain validation, revocation checks, security header inspection, and DNS lookups, returning structured results with a numeric risk score and letter grade. The post walks through a sample scan showing how findings are categorized into protocols and connections, revocation and transparency, security headers, DNS security, certificate details, and cipher suites. The library is structured as a core API available on Maven Central, a standalone Java Swing desktop application for ad-hoc investigations, and a command-line interface for scripting. Planned features include scan persistence, customizable risk scoring with YAML-based rules, user-editable cipher suite evaluations, certificate transparency analysis, and AI-au...

Guided ZAP Scans: Faster CI/CD Feedback Using SAST

This blog post from the Seqra Team introduces an approach that uses static analysis findings to guide ZAP active scans toward the most relevant endpoints, enabling a faster scanning mode suited for CI/CD pipelines. The integration uses dataflow-aware SAST tools like OpenTaint to produce DAST-friendly output containing endpoint paths, HTTP methods, and CWE classifications in SARIF format. A script generates a targeted ZAP configuration with isolated contexts for each CWE category, running CWE-specific scan policies only against endpoints where vulnerabilities were detected. Results are then filtered to retain only findings validated by ZAP. Testing on the OWASP Benchmark showed that this guided approach achieved the same detection accuracy as ZAP Insane strength while sending 87 percent fewer requests and completing scans eight times faster. A GitHub Action automates the workflow with full and differential scanning modes for pull requests, uploading validated vulnerabilities directly to...

ClawGuard: AI Agent Security Scanner

ClawGuard is an open-source security scanner that acts as a firewall for AI agents, detecting prompt injection, jailbreaks, and data exfiltration in real time. It features 216 detection patterns across 13 categories, supports 15 languages, and achieves sub-10 millisecond scan times with an F1 score of 99 percent using pure Python with no external dependencies or API calls. The scanner includes a 10-stage preprocessing pipeline to catch evasion techniques like leetspeak, zero-width characters, homoglyphs, and base64 encoding, along with confidence scoring for each finding. ClawGuard offers a dedicated MCP security scanner for identifying hidden prompt injections in MCP server tool descriptions, an evaluation framework with 262 test cases, CLI and SARIF output for CI/CD integration, and compliance support for EU AI Act articles. The project has been used to responsibly disclose vulnerabilities in over 30 popular MCP servers and AI tools representing more than 280,000 combined GitHub star...

Pipelock

Pipelock is an open-source agent firewall that provides network scanning, process containment, and tool policy enforcement for AI agents through a single binary. It acts as a runtime firewall that sits inline between an agent and the internet, using capability separation where the agent process is network-restricted while Pipelock inspects all traffic through an 11-layer scanner pipeline covering secret exfiltration, DLP scanning with 46 built-in patterns, prompt injection detection, SSRF protection, and bidirectional MCP scanning with tool poisoning detection. It operates in three proxy modes—fetch proxy, forward proxy, and WebSocket proxy—and supports three operational modes: strict allowlist-only for high security, balanced for general use, and audit for monitoring. Additional features include a process sandbox using Landlock and seccomp on Linux, MCP tool policy enforcement with pre-execution rules, tool call chain detection, kill switch mechanisms, response scanning with a six-pas...