All topics

open-source

31 pieces of writing

security9 min read

From tj-actions to LiteLLM to MCP: supply chain compromise now operates at infrastructure scale

Eighteen months of supply chain attacks against AI infrastructure reveal a structural pattern: the build pipeline, the package registry and the runtime protocol all share the same trust model failure.

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.
vulnerability6 min read

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.

full-stack-ai-agent-template's webhook service had a full read SSRF with response exfiltration
vulnerability8 min read

full-stack-ai-agent-template's webhook service had a full read SSRF with response exfiltration

security11 min read

Seven authentication bypasses that keep shipping in 2025 and 2026: the same architectural antipatterns, rewritten in new frameworks

Modern frameworks keep reimplementing the same seven authentication bypass patterns. From hardcoded credentials to missing origin checks, the bugs are structural, not accidental, and the AI tooling boom is accelerating the cycle.

Edict's file:// handler let anyone read files outside the project directory (CWE-22)
vulnerability5 min read

Edict's file:// handler let anyone read files outside the project directory (CWE-22)

AIPex's localhost daemon let any website control your browser through a WebSocket
vulnerability5 min read

AIPex's localhost daemon let any website control your browser through a WebSocket

Every MCPHub instance started with the same admin password. I changed that.
vulnerability7 min read

Every MCPHub instance started with the same admin password. I changed that.

MCPHub shipped every installation with the hardcoded credential admin/admin123 and published it in the README. The fix generates a cryptographically random password per instance.

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight
vulnerability7 min read

LightRAG's Memgraph backend had a Cypher injection vulnerability hiding in plain sight

A single index change bypassed daily_stock_analysis's entire rate limiter
vulnerability7 min read

A single index change bypassed daily_stock_analysis's entire rate limiter

PraisonAI let YAML config files set LD_PRELOAD and nobody checked
vulnerability7 min read

PraisonAI let YAML config files set LD_PRELOAD and nobody checked

PraisonAI's schedule config YAML could set LD_PRELOAD, PATH and 26 other dangerous environment variables with no validation. The fix adds a blocklist and fail-closed validation.

Git tags, package registries and extension marketplaces share the same broken authentication model
security12 min read

Git tags, package registries and extension marketplaces share the same broken authentication model

gptme was passing API keys on the command line where any user could read them
vulnerability8 min read

gptme was passing API keys on the command line where any user could read them

Hermes Agent's worktree feature copied arbitrary files from your filesystem
security7 min read

Hermes Agent's worktree feature copied arbitrary files from your filesystem

Hermes Agent's worktree feature would copy arbitrary files from your filesystem if you cloned a repository with a crafted .worktreeinclude. A two-line path traversal that took four months to land in the codebase.

Summarize's localhost daemon accepted requests from any website
security7 min read

Summarize's localhost daemon accepted requests from any website

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days
vulnerability7 min read

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days