vulnerability

67 pieces of writing

A single index change bypassed daily_stock_analysis's entire rate limiter

A self-hosted stock analysis platform trusted the leftmost X-Forwarded-For entry for rate limiting, letting attackers rotate IPs and brute-force the admin login at will.

26 March 2026

security12 min read

Git tags, package registries and extension marketplaces share the same broken authentication model

24 March 2026

vulnerability8 min read

gptme was passing API keys on the command line where any user could read them

23 March 2026

security7 min read

Hermes Agent's worktree feature copied arbitrary files from your filesystem

Hermes Agent's worktree feature would copy arbitrary files from your filesystem if you cloned a repository with a crafted .worktreeinclude. A two-line path traversal that took four months to land in the codebase.

19 March 2026

security7 min read

Summarize's localhost daemon accepted requests from any website

11 March 2026

security11 min read

Prompt injection turned MCP-connected code assistants into attack proxies

10 March 2026

vulnerability7 min read

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days

An audit of Hugging Face's skills repository found five SQL injection vectors in a single file. The fix was merged in nine days.

2 March 2026

security8 min read

Anthropic's Claude Code Security found 500 zero-days. The methodology was the problem.

27 February 2026

security5 min read

OpenClaw gathered 150,000 stars and shipped no security model

7 February 2026

security6 min read

When a GitHub Action rewrites its own history

A compromised GitHub Action silently rewrote every version tag to point at a single malicious commit - exposing secrets across 23,000 repositories in the process.

17 March 2025

Weekly digests

vulnerability

A single index change bypassed daily_stock_analysis's entire rate limiter

Git tags, package registries and extension marketplaces share the same broken authentication model

gptme was passing API keys on the command line where any user could read them

Hermes Agent's worktree feature copied arbitrary files from your filesystem

Summarize's localhost daemon accepted requests from any website

Prompt injection turned MCP-connected code assistants into attack proxies

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days

Anthropic's Claude Code Security found 500 zero-days. The methodology was the problem.

OpenClaw gathered 150,000 stars and shipped no security model

When a GitHub Action rewrites its own history

Weekly threat intelligence digest — 2026-W12

Weekly threat intelligence digest — 2026-W11

Weekly threat intelligence digest — 2026-W10

Weekly threat intelligence digest — 2026-W09

Weekly threat intelligence digest — 2026-W08

Weekly threat intelligence digest — 2026-W07

Weekly threat intelligence digest — 2026-W06

Weekly threat intelligence digest — 2026-W05

Weekly threat intelligence digest — 2026-W04

Weekly threat intelligence digest — 2026-W03

Weekly threat intelligence digest — 2026-W02

Weekly threat intelligence digest — 2025-W52

Weekly threat intelligence digest — 2025-W51

Weekly threat intelligence digest — 2025-W50

Weekly threat intelligence digest — 2025-W49

Weekly threat intelligence digest — 2025-W48

Weekly threat intelligence digest — 2025-W47

Weekly threat intelligence digest — 2025-W46

Weekly threat intelligence digest — 2025-W45

Weekly threat intelligence digest — 2025-W44

Weekly threat intelligence digest — 2025-W43

Weekly threat intelligence digest — 2025-W42

Weekly threat intelligence digest — 2025-W41

Weekly threat intelligence digest — 2025-W40

Weekly threat intelligence digest — 2025-W39

Weekly threat intelligence digest — 2025-W38

Weekly threat intelligence digest — 2025-W37

Weekly threat intelligence digest — 2025-W36

Weekly threat intelligence digest — 2025-W35

Weekly threat intelligence digest — 2025-W34

Weekly threat intelligence digest — 2025-W33

Weekly threat intelligence digest — 2025-W32

Weekly threat intelligence digest — 2025-W31

Weekly threat intelligence digest — 2025-W30

Weekly threat intelligence digest — 2025-W29

Weekly threat intelligence digest — 2025-W28

Weekly threat intelligence digest — 2025-W27

Weekly threat intelligence digest — 2025-W26

Weekly threat intelligence digest — 2025-W25

Weekly threat intelligence digest — 2025-W24

Weekly threat intelligence digest — 2025-W23

Weekly threat intelligence digest — 2025-W21

Weekly threat intelligence digest — 2025-W20

Weekly threat intelligence digest — 2025-W19

Weekly threat intelligence digest — 2025-W17

Weekly threat intelligence digest — 2025-W16

Weekly threat intelligence digest — 2025-W15

Weekly threat intelligence digest — 2025-W13

Weekly threat intelligence digest — 2025-W12

Weekly threat intelligence digest — 2025-W11

Weekly threat intelligence digest — 2025-W10

Weekly threat intelligence digest — 2025-W07

Weekly threat intelligence digest — 2025-W06

Weekly threat intelligence digest — 2025-W05

Weekly threat intelligence digest — 2025-W03

Weekly threat intelligence digest — 2025-W02

Weekly threat intelligence digest — 2025-W01