Archive
73 pieces of security research, engineering and field notes.
mcp-searxng interpolated the user-controlled section parameter into a dynamically built regular expression; a malicious MCP client could supply a pattern with catastrophic backtracking and block the Node.js event loop (a ReDoS).
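The shape of that bug and its fix, as an added JavaScript example (Node.js is the affected runtime). This is not mcp-searxng's code: the parameter name, the length cap and the helper names are assumptions, and the literal-match semantics stand in for whatever the server actually does with the section name.

```javascript
// Added example, not mcp-searxng's code. Assumed: the server narrows results
// by matching a client-supplied `section` name.

// VULNERABLE: client text becomes regex syntax. A section such as "(a+)+$"
// matched against a long run of "a" backtracks exponentially, and because
// RegExp matching is synchronous the whole Node.js event loop stalls.
function buildSectionMatcherUnsafe(section) {
  return new RegExp(section, "i");
}

// Escape every metacharacter so the input is matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

const MAX_SECTION_LENGTH = 64; // assumed cap; tune to the real schema

// HARDENED: bounded length, escaped, anchored. The RegExp now describes a
// fixed string, so match time is linear whatever the client sends.
function buildSectionMatcher(section) {
  if (typeof section !== "string" || section.length === 0 || section.length > MAX_SECTION_LENGTH) {
    throw new TypeError("invalid section");
  }
  return new RegExp("^" + escapeRegExp(section) + "$", "i");
}

// Cheap heuristic for the nested-quantifier shape "(x+)+". Useful as a guard
// or a test oracle when a dynamic pattern truly cannot be avoided; it is not
// a complete ReDoS detector.
function looksCatastrophic(pattern) {
  return /\([^()]*[+*][^()]*\)[+*]/.test(pattern);
}

function demo() {
  const hostile = "(a+)+$";
  const safe = buildSectionMatcher(hostile);
  return {
    escaped: safe.source,                         // "^\(a\+\)\+\$$"
    literalMatch: safe.test("(a+)+$"),            // true: the name itself
    noLongerPattern: safe.test("aaaaaaaaaaaaa"),  // false: no backtracking path
    unsafeLooksBad: looksCatastrophic(buildSectionMatcherUnsafe(hostile).source), // true
  };
}
```

If the section name is drawn from a fixed vocabulary, an allow-list lookup is stronger still than escaping; the escaping version is the minimal change when the value must stay free-form.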
Checkmarx KICS, npm Bitwarden CLI packages and GlassWorm show how supply chain compromise has moved from poisoned code to weaponised developer trust.
A compromised AI productivity tool called Context.ai gave attackers OAuth access to a Vercel employee's Google Workspace, pivoting into internal systems. The AI tool supply chain is the new CI/CD supply chain.
Eighteen months of supply chain attacks against AI infrastructure reveal a structural pattern: the build pipeline, the package registry and the runtime protocol all share the same trust model failure.
Supply-chain compromise is no longer opportunistic. Self-replicating NPM worms, coordinated developer phishing and credential-harvesting pipelines show an attack class that has industrialised faster than the defences meant to contain it.
A CWE-22 path traversal in NVIDIA's RAG Blueprint MCP server allowed any MCP client to read arbitrary files and ingest them into the RAG collection. We submitted the fix and NVIDIA merged it.
The webhook service in vstorm-co's full-stack-ai-agent-template accepted arbitrary URLs and stored HTTP responses in the database, creating a full-read SSRF that could exfiltrate cloud metadata credentials. The fix adds DNS-aware URL validation at every code path that fetches a user-supplied URL.
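What "DNS-aware URL validation" has to cover, as an added JavaScript example. This is not the template's code: function names, the blocked ranges and the DNS answers are assumptions, and the resolver is injected as a plain function so the check runs offline (the production caller awaits dns.promises.lookup(host, { all: true }) and passes the addresses in).

```javascript
// Added example, not code from vstorm-co's template. Assumed names throughout.

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges an outbound webhook has no business reaching: unspecified, RFC 1918,
// CGNAT, loopback, link-local (169.254.169.254 is the cloud metadata endpoint),
// multicast and reserved.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function isBlockedV4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // unparseable counts as blocked
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// IPv6 handling is deliberately coarse: loopback, unspecified, ULA fc00::/7,
// link-local fe80::/10, and IPv4-mapped addresses, which recurse into the v4 check.
function isBlockedAddress(addr) {
  const a = addr.toLowerCase();
  if (!a.includes(":")) return isBlockedV4(a);
  if (a.startsWith("::ffff:")) return isBlockedV4(a.slice(7));
  return a === "::1" || a === "::" || /^f[cd]/.test(a) || /^fe[89ab]/.test(a);
}

// Step 1 (sync): parse, and reject anything that is not plain http(s) to a host.
function parseWebhookUrl(input) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  // WHATWG parsing has already canonicalised literal tricks such as
  // http://2130706433/ to 127.0.0.1, so they meet the same range check.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  return { ok: true, host, href: url.href };
}

// Step 2 (sync): every address the name resolves to must be public. A name with
// one public and one private record is rejected outright.
function checkResolvedAddresses(host, addresses) {
  if (addresses.length === 0) return { ok: false, reason: "nxdomain" };
  const bad = addresses.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `blocked ${bad}` };
  // Hand back the vetted address so the caller connects to it directly;
  // re-resolving at connect time reopens the DNS-rebinding window.
  return { ok: true, host, address: addresses[0] };
}

// Composition to call at every code path that fetches a user-supplied URL.
async function validateWebhookUrl(input, resolve) {
  const parsed = parseWebhookUrl(input);
  if (!parsed.ok) return parsed;
  const addresses = await resolve(parsed.host);
  return checkResolvedAddresses(parsed.host, addresses);
}

// Constructed DNS answers for offline use; these are not real records.
const FAKE_DNS = {
  "hooks.example.com": ["93.184.216.34"],
  "metadata.example.test": ["169.254.169.254"],
  "split.example.test": ["93.184.216.34", "10.0.0.5"],
};
function fakeResolve(host) {
  if (FAKE_DNS[host]) return FAKE_DNS[host];
  return ipv4ToInt(host) !== null || host.includes(":") ? [host] : [];
}
```

Two points the range list alone does not convey: redirects must be re-validated hop by hop (a public host can 302 to the metadata address), and the HTTP client must be told to connect to the vetted IP rather than the hostname, otherwise a short-TTL record can flip to a private address between the check and the connect.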
Modern frameworks keep reimplementing the same seven authentication bypass patterns. From hardcoded credentials to missing origin checks, the bugs are structural, not accidental, and the AI tooling boom is accelerating the cycle.
CVE-2025-10492, a CVSS 9.8 Java deserialisation flaw in the JasperReports component of Hitachi Energy Ellipse, enables unauthenticated RCE on critical manufacturing systems. No patch exists for the community edition of the underlying library.
The add_remote_skill endpoint in cft0808/edict applied path traversal protection to local and relative paths but skipped the file:// branch entirely. One .resolve() and an allowed_roots check closed the gap.
AIPex's MCP daemon on 127.0.0.1:9223 accepted WebSocket connections from any origin, letting malicious web pages invoke 30+ browser automation tools. A 39-line fix adds origin validation at the single upgrade handler.
CVE-2026-27663 and CVE-2026-27664 affect shared firmware components across Siemens SICAM A8000, EGS and S8000 product lines, enabling unauthenticated denial of service in power grid infrastructure.