All topics

ai

40 pieces of writing

security10 min read

Vercel breached through a compromised Context.ai OAuth grant

A compromised AI productivity tool called Context.ai gave attackers OAuth access to a Vercel employee's Google Workspace, pivoting into internal systems. The AI tool supply chain is the new CI/CD supply chain.

security9 min read

From tj-actions to LiteLLM to MCP: supply chain compromise now operates at infrastructure scale

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.
vulnerability6 min read

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.

full-stack-ai-agent-template's webhook service had a full read SSRF with response exfiltration
vulnerability8 min read

full-stack-ai-agent-template's webhook service had a full read SSRF with response exfiltration

The webhook service in vstorm-co's full-stack-ai-agent-template accepted arbitrary URLs and stored HTTP responses in the database, creating a full read SSRF that could exfiltrate cloud metadata credentials. The fix adds DNS-aware URL validation at every code path.

security11 min read

Seven authentication bypasses that keep shipping in 2025 and 2026: the same architectural antipatterns, rewritten in new frameworks

Edict's file:// handler let anyone read files outside the project directory (CWE-22)
vulnerability5 min read

Edict's file:// handler let anyone read files outside the project directory (CWE-22)

AIPex's localhost daemon let any website control your browser through a WebSocket
vulnerability5 min read

AIPex's localhost daemon let any website control your browser through a WebSocket

AIPex's MCP daemon on 127.0.0.1:9223 accepted WebSocket connections from any origin, letting malicious web pages invoke 30+ browser automation tools. A 39-line fix adds origin validation at the single upgrade handler.

security10 min read

LangFlow, n8n and the pattern where AI configuration becomes code execution

Anthropic shipped its entire source code to npm and the internet kept it forever
security10 min read

Anthropic shipped its entire source code to npm and the internet kept it forever

Every MCPHub instance started with the same admin password. I changed that.
vulnerability7 min read

Every MCPHub instance started with the same admin password. I changed that.

MCPHub shipped every installation with the hardcoded credential admin/admin123 and published it in the README. The fix generates a cryptographically random password per instance.

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight
vulnerability7 min read

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight

security12 min read

Environment variables are the new command line: how AI agents keep leaking secrets through configuration files

TeamPCP compromised the AI proxy that holds everyone's API keys
security9 min read

TeamPCP compromised the AI proxy that holds everyone's API keys

LiteLLM, the universal LLM proxy with 95 million monthly downloads, was backdoored on PyPI for 46 minutes. It was enough.

PraisonAI let YAML config files set LD_PRELOAD and nobody checked
vulnerability7 min read

PraisonAI let YAML config files set LD_PRELOAD and nobody checked

Git tags, package registries and extension marketplaces share the same broken authentication model
security12 min read

Git tags, package registries and extension marketplaces share the same broken authentication model