Appsec adventures

npm-scan detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm propagation that npm audit, Snyk, and Socket miss. It includes detection for major 2026 campaigns (Megalodon, Mini Shai-Hulud, TrapDoor, node-ipc, typosquatting, axios poisoning), plus HuggingFace impersonation, VSIX extensions, and Python CVE-2026-48710. Features: SBOM, SARIF, policy-as-code, HTML/PDF reports, Docker, GitHub Action, zero telemetry. Free tier includes all detectors; premium adds PDF and SIEM export.  https://github.com/lateos-ai/npm-scan

This article describes LLMjacking, a rapidly growing threat where attackers hijack private AI server resources to run their own prompts and tasks, avoiding compute costs. Based on a honeypot experiment with a Raspberry Pi masquerading as a high-performance AI server running Ollama, LM Studio, and MCP tools, the researcher observed that Shodan discovered the server within three hours, and over one month it received 113,000 requests from thousands of unique IPs. 23% of traffic targeted AI capability discovery and exploitation. Attackers did not attempt root access or code execution; instead, they focused on resource siphoning: parsing technical documentation, writing erotic novels, processing social media data, and using the compromised server as an API proxy to call Anthropic models. The article notes standardized reconnaissance tools (LLM-Scanner) that evolved during the experiment, plus systematic hunting for exposed .env files. Defensive measures include: binding LLM servers only to ...

PromptZero is a local proxy that detects and replaces sensitive data (IPs, hostnames, emails, credentials, names, national IDs, etc.) in prompts sent to Claude API, then restores real values in responses. It uses NLP (spaCy/Presidio) and regex patterns, substitutes with IANA-reserved ranges (RFC 5737/3849/2606), maintains session mapping tables, and supports pentest mode to disable name/organization detection. Runs via Docker or native install, works as a drop-in replacement for api.anthropic.com, and can route Claude Code CLI through it. Includes demo datasets, document summarization, and pentest report generator examples. From pentesters to pentesters. MIT license.  https://github.com/openbashok/promptzero

This article discloses NomShub, a critical vulnerability chain in the Cursor AI code editor that allows a malicious repository to silently hijack a developer's machine with no user interaction beyond opening the repository. The attack combines three elements: indirect prompt injection (malicious instructions hidden in a README file), a sandbox escape via shell builtins (Cursor's command parser is blind to commands like export and cd, allowing escape from workspace restrictions), and Cursor's built-in remote tunnel feature (cursor-tunnel) which provides authenticated shell access through Microsoft's Dev Tunnels infrastructure. The AI agent autonomously executes a multi-step chain: escaping the sandbox using a one-line command, establishing persistence by writing to ~/.zshenv, terminating existing tunnel processes, clearing cached GitHub credentials, starting a new tunnel, capturing the GitHub device authorization code, and exfiltrating it to an attacker-controlled server...

This article details CVE-2026-31431 (Copy Fail), a high-severity Linux kernel vulnerability (CVSS 7.8) that allows any unprivileged local user to corrupt page cache memory and escalate privileges to root. The exploit chains three kernel mechanisms: AF_ALG sockets (exposing kernel crypto to unprivileged users), the authencesn AEAD template, and splice() for zero-copy data movement. By splicing a readable target file (e.g., a setuid binary like /usr/bin/su or PAM configuration files) into a crafted AF_ALG decrypt operation, the attacker can write controlled bytes directly into the file's page cache without touching the on-disk file, avoiding normal file-write detection. The corruption persists only in memory, and when the corrupted setuid binary executes, the attacker gains root privileges. The vulnerability affects kernel versions 4.14 through 6.19 and 7.0 RCs, and active exploitation has been confirmed in the wild. Datadog's detection uses chained Workload Protection rules that...

This technical blog post demonstrates how attackers can compromise Claude Code, Anthropic's AI coding assistant, through malicious skill files and sub-agents. Skills are markdown files that instruct LLMs on how to perform specific tasks, and thousands of users share them on GitHub and skills.sh without proper vetting. The author shows that with default settings, a skill containing frontmatter with "allowed-tools: Bash(*)" and a dynamic context command (using !`command`) can execute arbitrary bash commands, including a reverse shell, without any user prompt or LLM reasoning. Sub-agents, which can run with "bypassPermissions" mode, can also execute malicious commands, such as installing a backdoored npm package. The article notes that while Claude Code has complex permission and command-parsing logic, the LLM itself may reject obviously malicious commands, but dynamic context inputs bypass this reasoning entirely. Defensive measures include denying Bash commands i...

This opinion piece warns that Anthropic's AI coding assistant, Claude Code, has a critical security vulnerability involving the Model Context Protocol (MCP). Researchers at Mitiga Labs demonstrated an attack chain where a malicious npm package with a post-install hook rewrites a single configuration file (~/.claude.json), which controls how Claude Code routes MCP traffic. This redirects authenticated requests and OAuth tokens (stored in plaintext) to attacker-controlled infrastructure instead of legitimate services like Jira, Confluence, or GitHub. The attacker then holds valid long-lived bearer tokens. The attack is difficult to detect because provider audit logs show Anthropic’s IP range and a valid user session — nothing appears wrong, but the user did not initiate the actions. Anthropic responded that the issue was out of scope, reasoning that prior code execution requires user consent to install the package, and as of this writing no patch exists. The article notes previous vu...

In this reflective piece from June 2026, Bruce Schneier revisits his 2010 argument that cryptography is ill-suited to solve major network security problems. He explains that while cryptography has inherent mathematical properties favoring defenders—such as key length increases benefiting defenders more than attackers—computer security as a whole is a fragile, fast-moving arms race where advantages can shift overnight. Schneier notes that cryptography is necessary but not sufficient for cybersecurity, as it must be implemented in software, hardware, networks, and operated by users, each step introducing vulnerabilities. Turning to AI, he observes that artificial intelligence is not advancing cryptography but is changing cybersecurity dramatically. AI has demonstrated superhuman ability to find software vulnerabilities and write exploits, with similar patch-writing capabilities likely emerging. This development has profound implications for both attackers and defenders, and Schneier conc...

This article explains that some of the most damaging threats to a company come not from external hackers but from insiders—people already inside the organization with legitimate access. An insider can be an employee, contractor, vendor, or former worker whose access was never removed. Threats fall into three categories: malicious insiders who intentionally steal or sabotage for money, revenge, or ideology; negligent insiders who cause harm through carelessness like clicking phishing links or sharing passwords; and compromised insiders whose accounts are taken over by external attackers. Modern insiders often exploit cloud services, collaboration tools, and remote work environments, gradually moving small amounts of data to avoid detection. Motivations include financial gain, recruitment by organized crime, or workplace disputes. Detection requires analyzing system logs, access patterns, and behavioral changes, while prevention relies on least-privilege access, continuous monitoring, au...

This report by Adversa AI introduces the AI Risk Quadrant (AIRQ) Framework, a quantitative security framework for evaluating AI agents across 10 enterprise archetypes (e.g., coding, browser, workflow, business process agents). Based on scoring 100 agents on Attack Surface, Blast Radius, and Defense Controls, the findings reveal that: only 11 percent of agents are both capable and well-defended (Fortified Leaders); 40 percent of agents fall into Exposed Giants (high capability, weak defenses); the lethal trifecta (private data access plus untrusted input plus outbound action) is nearly universal, meaning one hostile document can compromise most agents; 83 percent of claimed defenses lack public verification; and tool execution without sandboxing explains 76 percent of blast radius variance. The report provides quadrant visualizations, class-by-class security deep-dives, and strategic advice including requiring execution isolation as a procurement gate, tightening identity and egress con...