
Threats Tagged 'rce'

View all threats tagged with 'rce'. Filter and sort to focus on specific types of threats.


Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking

A systemic class of vulnerabilities in CI/CD workflows, dubbed Cordyceps, allows unauthenticated attackers to hijack millions of open source repositories by exploiting insecure patterns in GitHub Actions YAML files. These flaws enable command injection, privilege escalation, and supply chain compromise by abusing low-privileged workflows triggered by untrusted inputs that escalate to high-privilege actions. The vulnerabilities affect build tooling from major vendors including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. Exploitation can lead to malicious code injection, credential theft, and compromise of cloud accounts and protected branches. The issue arises from treating workflow configurations as non-security-critical code, allowing untrusted data to cross trust boundaries without proper auditing. This is not limited to GitHub but affects any workflow management system using similar patterns.

Low | Exploit | #rce

BeyondTrust, LastPass Impacted by Klue-Salesforce Incident

A threat actor named Icarus exploited a compromised legacy credential to access Klue's systems and generate OAuth tokens, which were then used to breach connected Salesforce instances of Klue customers. Over a dozen organizations, including BeyondTrust and LastPass, confirmed data theft involving business contact and CRM data. The attackers accessed only data available through the Klue integration with Salesforce; no internal systems of the affected companies were compromised. Salesforce and Gong disabled the Klue integration in response. LastPass confirmed that customer vaults and internal infrastructure were not impacted. The incident is limited to data accessible via the Klue-Salesforce integration.

Medium | Vulnerability | #rce

CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins [CVE-2026-12957]

Bulletin ID: 2026-047-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/23/2026 09:30 AM PDT

Description: Language Servers for AWS provide the underlying language-server runtime that powers Amazon Q Developer's AI coding assistance across its IDE plugins (Visual Studio Code, JetBrains, Eclipse, and Visual Studio).

We identified CVE-2026-12957, an improper trust boundary enforcement issue in Language Servers for AWS before version 1.65.0. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted.

We identified CVE-2026-12958, a missing symlink-validation issue in Language Servers for AWS before version 1.69.0. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.

These issues affect the Amazon Q Developer IDE plugins, which bundle Language Servers for AWS. Both issues are remediated in Language Servers for AWS version 1.69.0.

Affected products & versions:
- Language Servers for AWS: < 1.69.
- Amazon Q Developer for Visual Studio Code: < 2.20
- Amazon Q Developer for JetBrains: < 4.3
- Amazon Q Developer for Eclipse: < 2.7.4
- AWS Toolkit with Amazon Q for Visual Studio: < 1.94.0.0

Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

Low | Vulnerability | #local #rce

LastPass confirms data breach in Klue supply chain attack

LastPass announced that hackers accessed customer data from its Salesforce environment after stealing the company's OAuth tokens in the Klue supply chain attack earlier this month. [...]

Medium | Vulnerability | #rce

What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials

A stolen session cookie sat in underground markets for seven weeks before attackers used it to poison 32 Red Hat packages in the npm software registry, an example of the industrial approach behind modern supply chain attacks.

Key takeaways

- Miasma is a self-propagating npm worm derived from Mini Shai-Hulud that TeamPCP open-sourced on May 12. The public release of the full weaponized toolchain means any operator can now replicate structurally identical supply chain campaigns.
- The Miasma campaign compromised 89-plus npm packages across three waves (June 1-5), affecting Red Hat, Vapi.ai, and Microsoft Azure repositories.
- The worm produced malicious packages with valid SLSA Build Level 3 provenance attestations, defeating the highest tier of supply-chain integrity verification.
- The root cause was a stolen developer credential that sat in infostealer logs for seven weeks before weaponization. This infostealer-to-supply-chain pipeline is the defining pattern of the Developer Credential Economy.
- The Miasma campaign’s third wave (June 5) introduced a significant escalation: persistence files that target AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code), expanding the attack surface from package registries to the developer’s local environment.
- Relying on execution-layer detection, such as EDR, is insufficient against supply chain threats because EDR tools lack visibility into the ephemeral CI/CD environments where credential theft and weaponization occur.
- Organizations should treat developer credentials as control-plane infrastructure and adopt a phased Continuous Threat Exposure Management (CTEM) approach: harden the generation layer, neutralize harvested secrets in real time, and enforce human-gated publishing controls.

Background on the Miasma worm and npm supply chain attack

On June 1, the Miasma self-propagating worm compromised 32 official npm packages under the @redhat-cloud-services namespace, delivering a credential-harvesting payload to an estimated 80,000 to 117,000 weekly downloads. Within five days, the campaign escalated through three distinct attack waves and forced GitHub to disable 73 repositories across four Microsoft organizations.

The technical details of the Miasma supply-chain attack are alarming: valid Supply Chain Levels for Software Artifacts (SLSA) provenance attestations on malicious packages; a novel execution technique that bypasses install-script monitoring; and a new persistence mechanism that targets AI coding assistants. But the most important detail is a timestamp.

Dark web monitoring firm Whiteintel detected a Red Hat employee’s GitHub credential and session cookie in infostealer logs on April 13. A second sighting appeared on May 15. The credential sat in underground markets for approximately seven weeks before attackers weaponized it on June 1.

That seven-week gap is the signature of an emerging threat model that Tenable’s Research Special Operations (RSO) team calls the Developer Credential Economy, and has been tracking since March 2026. The Developer Credential Economy is a structured black market for highly privileged developer credentials where open-source supply chain compromises function as credential generation infrastructure, underground markets serve as the distribution layer, and multiple threat actors with distinct motivations weaponize the harvested access downstream. The Miasma campaign is the clearest example of this model to date, and it validates a pattern that has been accelerating across the npm, PyPI, and GitHub ecosystems throughout 2026.

The three-layer economy, explained through Miasma

When it first assessed this pattern in March, Tenable RSO built the analysis around the TeamPCP cascading campaign (Trivy, KICS, LiteLLM, Telnyx, and 66+ npm packages) and the Sapphire Sleet/UNC1069 Axios compromise. The thesis identified a three-layer structure: credential generation, distribution, and weaponization. Three months later, the Miasma campaign validates each layer with striking clarity.

| Layer | Actor / group | Operational focus | Primary targets | Miasma validation |
| --- | --- | --- | --- | --- |
| Generation | TeamPCP | Bulk credential harvesting via tool exploitation | Trivy, KICS, TanStack, Red Hat npm scope | Miasma's payload sweeps GitHub tokens, cloud credentials, CI/CD secrets, SSH keys, and .env files from every infected environment |
| Distribution | Underground markets, infostealer aggregators | Credential brokering and tooling proliferation | Stolen developer credentials; open-sourced worm code | Red Hat employee credential sat in infostealer logs for seven weeks before weaponization; Shai-Hulud source published May 12 |
| Weaponization | Sapphire Sleet (DPRK-nexus), LAPSUS$, Miasma operator, copycat actors | State-sponsored exfiltration, data theft, cascading supply chain compromise | Axios (npm), Mercor AI, @vapi-ai/server-sdk, Azure/durabletask | Each Miasma wave generates a fresh credential pool, feeding the next wave and enabling downstream actors |

Layer 1: Credential generation

The Developer Credential Economy’s first layer is extraction. Threat actors compromise developer tooling and open-source infrastructure not primarily to distribute malware to end users, but to harvest the credentials those environments contain, such as GitHub tokens, npm publishing tokens, cloud provider credentials, CI/CD secrets, SSH keys, and API keys.

TeamPCP pioneered this at scale beginning in September 2025 with the original Shai-Hulud worm. Its defining innovation was cascading credential extraction: compromise one trusted tool, harvest the credentials it holds, and use those credentials to compromise the next tool in the dependency chain. The Trivy vulnerability scanner compromise yielded CI/CD runner secrets. Those secrets enabled the KICS compromise. KICS yielded additional cloud credentials. Each link in the chain generated a broader set of privileged access.

By May, TeamPCP had refined this into the Mini Shai-Hulud variant, which introduced two capabilities that made the generation layer dramatically more efficient:

- Wormable propagation: The malware queries the npm registry for every package the compromised identity can publish, and republishes itself across all of them automatically.
- CI/CD pipeline hijack via OpenID Connect (OIDC) token extraction: Rather than stealing static credentials, Mini Shai-Hulud requests short-lived OIDC tokens through GitHub Actions, enabling it to publish packages with valid cryptographic provenance.

In the Miasma supply chain campaign, this generation layer operated through a Red Hat employee’s compromised GitHub account. The worm’s payload swept the infected environment for:

- GitHub tokens and personal access tokens
- npm publishing tokens
- AWS, GCP, and Azure cloud credentials
- HashiCorp Vault tokens
- Kubernetes service account tokens
- SSH private keys
- Docker registry credentials
- GPG keys
- .env files

The June variant added dedicated collectors for GCP and Azure cloud identities, going beyond secret extraction to enumerate all cloud access the infected machine holds. Every machine that ran npm install against a compromised @redhat-cloud-services package version became a credential generation node.

Layer 2: Distribution

The second layer is the marketplace. Stolen credentials flow from the generation layer into underground markets, infostealer log aggregators, and access brokering services, where they become available to any buyer.

The Miasma supply chain attack timeline makes this layer visible in a way previous campaigns did not. Whiteintel detected the Red Hat employee’s GitHub credential and session cookie in infostealer logs on April 13. That credential was not generated by a targeted supply chain attack against Red Hat; a commodity infostealer harvested it, one of 13.2 million infostealer infections that SpyCloud's 2025 Identity Exposure Report documented as producing an average of 50 credentials per infection. The credential entered the distribution layer as one data point among billions: SpyCloud recaptured 5.3 billion credential pairs, 18.1 million exposed API keys and tokens, and 8.6 billion stolen session cookies from criminal underground monitoring in 2025 alone.

For seven weeks, the credential sat in the distribution layer before someone acted on it. That dwell time is the systemic gap that the Developer Credential Economy exploits. Organizations that do not monitor underground markets for exposed developer credentials are operating on the assumption that the generation-to-weaponization pipeline does not exist, or that it operates too slowly to matter. Miasma demonstrates that even a seven-week window, which is long by underground market standards, is more than sufficient for weaponization.

The distribution layer was further amplified on May 12, when TeamPCP published the complete Mini Shai-Hulud source code on GitHub under an MIT License with the message “Shai-Hulud: Open Sourcing The Carnage.” The release included CI cache-poisoning scripts, the OIDC token extractor, and the credential stealer with its propagation logic. This is the supply chain equivalent of publishing a working exploit framework: the tooling itself became a distribution channel, lowering the barrier to entry for any operator who wants to run a structurally identical campaign.

Layer 3: Weaponization

The third layer is operational use. Actors with distinct motivations acquire credentials from the distribution layer and weaponize them against specific targets. In March, the RSO team documented at least three distinct actors operating from the same credential pool: TeamPCP harvested at scale; Sapphire Sleet/UNC1069 (DPRK-nexus) operationalized stolen npm tokens for financial gain through the Axios compromise; and LAPSUS$ exploited compromised Tailscale VPN credentials from the LiteLLM breach for data theft from Mercor AI. The same credential ecosystem fed all three.

Miasma’s weaponization layer continues to evolve, but the trajectory across its three waves demonstrates the pattern: Wave 1 (June 1) used the stolen R

FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances

Attackers can send crafted media files to execute code in any application that uses FFmpeg’s libavcodec library. The post "FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances" appeared first on SecurityWeek.

Low | Vulnerability | #rce

Volume Booster (2M Chrome users) silently activated a commerce-tracking SDK with zero permission prompts

The Volume Booster Chrome extension, with approximately 2 million weekly users, silently activated a commerce-tracking SDK (Give Freely) between versions 1.0.2 and 1.0.4 without triggering Chrome's permission re-consent prompt. The extension had previously been granted broad host permissions that were dormant until the SDK was activated. This SDK collects device identifiers, geolocation data, and telemetry continuously, regardless of user interaction with the extension's visible UI. The Chrome Web Store listing's privacy declaration does not disclose these data flows, creating a discrepancy between declared and actual behavior.

Open-source mobile forensics

MESH is an open-source remote mobile forensics tool designed to enable encrypted, peer-to-peer wireless debugging and forensic data acquisition on mobile devices, particularly Android. It creates a censorship-resistant mesh network that overcomes NAT and firewall restrictions without exposing devices to the public internet. The tool supports integration with common forensic utilities and includes network monitoring capabilities. MESH is currently in public alpha, actively developed, and has undergone penetration testing with major vulnerabilities patched. It is intended for use in high-risk or censored environments and emphasizes transient, analyst-controlled forensic sessions rather than permanent infrastructure.

User Scanner v1.4.0, one of the most advanced and actively maintained 2-in-1 email and username open source OSINT tools in 2026

User Scanner v1.4.0 is an open-source OSINT tool designed for deep email and username intelligence gathering across over 285 platforms. It aggregates publicly accessible information and threat intelligence feeds to help security researchers and investigators map digital footprints and verify account registrations. The tool is actively maintained and emphasizes accessibility without paywalls. It does not exploit vulnerabilities or access private data. No specific security vulnerability or exploit has been reported for this tool.

AutoJack: one malicious web page can hijack an AI browser agent into full RCE via a privileged local service

AutoJack is a vulnerability in Microsoft Research's AutoGen Studio AI browsing agent framework that allows a malicious web page to hijack the AI agent and achieve full remote code execution (RCE) on the host machine via a privileged local service. The issue arises from a combination of trusting localhost connections, lack of authentication on a WebSocket endpoint, and executing commands directly from requests. The vulnerability affects two pre-release versions of AutoGen Studio (0.4.3.dev1 and 0.4.3.dev2) but not the stable release 0.4.2.2. A fix has been committed to the GitHub main branch but has not yet been released on PyPI. Until an official release is available, users should avoid running AutoGen Studio alongside browsing agents on the same machine or isolate them in containers or VMs.

