Whoever had "AI attacks against GitHub Actions" on their #AppSec bingo card won this last week with the "hackerbot-claw" thing. We cover that story and more: buff.ly/F0NUqYS
#LastWeekInAppSec #AISecurity #SupplyChainSecurity #ApplicationSecurity #Cybersecurity
Last Week In AppSec we're seeing yet more ways in which researchers are able to trick AI code assistants by abusing trust in sources of context: like configuration files in code repositories and the contents of bug reports.
Read more: buff.ly/jD3gRHj
#ApplicationSecurity #LastWeekInAppSec #AI
Looking at the #LastWeekInAppSec, we see two widely-used application components with #DoS, and a nasty little path traversal in a package manager.
Details, mitigations, context for making risk-based decisions all on our blog: buff.ly/xL4NKOg
#React #NodeJS #Java #pnpm #npm #CVE #Vulnerability
This #LastWeekInAppSec is a great reminder that automation and dev tooling is part of an organizations attack surface. #Sigstore, #pnpm, and #n8n all have vulns to pay attention to, but (mostly) not panic over.
👉 should you worry? read: buff.ly/ATRNVz3
#AppSec #ProductSecurity #DevSecOps #DevOps
#LastWeekInAppSec was a busy one! Not only did we have #ShaiHulud rear its head again, but a number of big patching efforts came up as well 🧵1/5
Get details and analysis here: buff.ly/T63yQWd
#LastWeekInAppSec brings two cases where “safe by design” didn’t hold up — an #NPM math sandbox with an RCE flaw, and an #AI workflow tool with dangerous password-change logic.
Full roundup:
buff.ly/YrPW8GN
🧵1/4
☔️ #LastWeekInAppSec (Nov 11) highlights two low-severity issues with interesting implications for real-world #AppSec and #DevSecOps.
🔗 buff.ly/wN1crc3
🧵1/4
☔️ #LastWeekInAppSec: Two major regressions hit key #DevOps tools this week — both with real potential for impact in enterprise environments. 🔗 buff.ly/REjgAW4 🧵1/4
It's #LastWeekInAppSec time! Access control bypasses in #Python's #Authlib (#OAuth and #OpenID) and Java's #SpringFramework (#CSRF protection failure).
See buff.ly/ZUloV61 for deeper analysis, mitigation steps, etc.
#AppSec #VulnManagement #CyberSecurity #SupplyChainSecurity
Got 3 minutes? Catch up on the #AppSec news you might have missed #LastWeekInAppSec : buff.ly/dR3PQZJ
This week: go-mail #opensource library has SMTP injection; Rancher subject to SAML flow abuse in Manager & CLI. Read for full details including remediation and mitigation advice. #DevSecOps 🧵1/5
Two under-the-radar issues — A #Jenkins DoS #vulnerability and a CA cert validation failure opening folks to #MitM with #Kubernetes clients — happened #LastWeekInAppSec, while we were all focused on the Shai-Hulud attacks. buff.ly/o8xS3ox 🧵 1/3
Details, mitigations, and links: buff.ly/H7BB0oC #AppSec #BlueTeam #DevSecOps #CVE #GHSA #LastWeekInAppSec 🧵5/5
Last Week in AppSec (09 Sep 2025): Hono auth bypass, Netty 0-day smuggling, Claude Code trust risks. Full write-up: buff.ly/H7BB0oC #LastWeekInAppSec #AppSec #SecurityNews 🧵1/5
#LastWeekInAppSec for 19. August 2025: Code injection in AI Agent dev tool, path traversal in `go-getter`, model code injection protection bypass in TensorFlow Keras, and unsafe ImageMagick use in Rails Active storage buff.ly/clVmcTi 🧵 1/5
Time for another #LastWeekInAppSec for 12. Aug 2025: ChatGPT-5 system prompt leaked, CISA supports CVE, and AppSec Village completes buff.ly/gsnpATQ
Looking for #LastWeekInAppSec for 5. Aug? We're taking a bye week on it to hang out at #BHUSA and #DEFCON -- look for us to get back on it next week! Meanwhile, keep an eye out for your friendly researchers (and Darren) around Las Vegas.
It's time for another #LastWeekInAppSec (29. July 2025) -- AppSec items of interest you might have missed in the last week. buff.ly/1b2laNf
#LastWeekInAppSec
⎈ The Kubernetes package manager Helm has a high-severity Code Injection vulnerability CVE-2025-53547.
🚂 The Conductor open-source microservices workflow orchestrator is vulnerable to a Remote Code Execution #RCE (CVE-2025-26074)
More details: buff.ly/BXWkoeF
Looking for #LastWeekInAppSec? Us too! We had some technical difficulties publishing to our site, which we're working to rectify. Watch this space!
Data leaking #MCP Server, tricking IDE's into showing malicious extensions as verified, and a #DoS in #nextjs — #LastWeekInAppSec
buff.ly/domX3aU
#AppSec #vulnerability #AI #Cybersecurity
