
security

55 pieces of writing

security, 13 min read

Tycoon 2FA against Entra ID and Google Workspace: MFA bypass and authentication assumptions under fire

Tycoon 2FA AiTM attacks against Entra ID and Google Workspace show why MFA cannot carry identity assurance alone when session theft, proxy phishing and degraded controls sit in the path after login.

security, 13 min read

OpenClaw's 470 advisories show unauthenticated RCE became a cloud AI platform pattern

security, 13 min read

Authentication bypass in 2026: access validation keeps failing before critical operations

security, 13 min read

PCPJack, polyfill CDN and Bright Data SDK show supply chain attacks moving into runtime weaponisation

Supply chain compromise is shifting from static package poisoning towards runtime weaponisation, where trusted code becomes a credential harvester, traffic broker or covert infrastructure node after deployment.

security, 13 min read

CIFSwitch CVE-2026-46243 and PraisonAI show privilege escalation is an architectural antipattern

security, 12 min read

Gogs, PraisonAI and KnowledgeDeliver show authentication bypass is a self-hosted platform design failure

security, 13 min read

MCP OAuth token persistence turns AI orchestration into a supply-chain trust boundary

MCP-based AI orchestration moves OAuth tokens, access grants and memory persistence into the same execution path. Credential handling is now the weakest link in the AI supply chain.

security, 13 min read

May 2026 developer-tooling compromises: VS Code extensions, PyPI packages and GitHub Actions turned workstations into supply-chain targets

security, 12 min read

npm, PyPI and Docker Hub in 2026: developer credentials became supply-chain infrastructure

security, 11 min read

GitHub Actions OIDC and TanStack show why 2026 supply chain attacks target release authority

Supply chain compromise has shifted from stealing credentials to poisoning package ecosystems through compromised CI/CD systems, maintainer accounts and trusted execution paths.

vulnerability, 7 min read

RAGFlow PR #14803 removed a CWE-502 pickle RCE footgun from deserialize_b64

vulnerability, 9 min read

getsentry/XcodeBuildMCP PR #289 hardens shell escaping in MCP tool execution

security, 13 min read

GitHub Actions OIDC tokens and Jenkins plugins show CI/CD infrastructure is now the supply chain target

CI/CD compromise is moving away from poisoned dependencies alone and towards the infrastructure that builds, signs and releases trusted software.

vulnerability, 7 min read

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding

vulnerability, 7 min read

CodeGraphContext PR #882 rejects write Cypher on /api/graph