Joern 4.0.536

Joern is the bug hunter's workbench. With this tool, you can uncover attack surface, sloppy coding practices, and variants of known vulnerabilities using an interactive code analysis shell. Joern supports C, C++, LLVM bitcode, x86 binaries via Ghidra, JVM bytecode via Soot, and Javascript...

CodeQL 2.25.4

Discover vulnerabilities across a codebase with CodeQL, an industry-leading semantic code analysis engine. CodeQL lets you query code as though it were data. Write a query to find all variants of a vulnerability, eradicating it forever. Then share your query to help others do the same...

An Automated Framework for Cybersecurity Policy Compliance Assessment against Security Control Standards

Organizational cybersecurity policies are often examined to determine whether they adequately comply standard security controls. This task is difficult because control statements are abstract, whereas policy documents describe governance practices in varied natural language. As a result,...

Can I Check What I Designed? Mapping Security Design DSLs to Code Analyzers

When assessing the potential impact of code-level vulnerabilities, e.g., discovered by automated analyzers, it is essential to consider them in the context of the system's security design. However, this is a challenging task due to the abstraction gap between security design, often specified usin...

Longitudinal Analyses of SAST Tools: A CodeQL Case Study

Open-source software OSS pipelines rely on automated static analysis tools to prevent the introduction of vulnerabilities in code. However, there is limited understanding of the efficacy of these tools across the OSS ecosystem over time. In this paper, we introduce a novel method to evaluate stat...

MAL-2026-3373 Malicious code in owa-analytics-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 644a42250298e29b58f2cfe75c1d362637e2c31f1a1ef9b9cfbe5d9ff0475fb8 The package owa-analytics-utils was found to contain malicious code. Source: ossf-package-analysis...

ethical-hacking-lab-reports

Ethical Hacking & Information Security Lab Reports !Security...

Security Bulletin: IBM Operations Analytics - Log Analysis is affected by Information disclosure due to default passwords not being forced to be changed on post-installation

Summary The default password is used by IBM Operations Analytics - Log Analysis as part of the authentication to the Log Analysis User Interface. CVE-2026-7365. Vulnerability Details CVEID:CVE-2026-7365 DESCRIPTION: IBM SmartCloud Analytics - Log Analysis uses default passwords default passwords...

MAL-2026-3365 Malicious code in @b2bneo-rest/api-csf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea4a9f32d6857ac3e548ca117915efd6694039bbc344390f1758f12291776817 The package @b2bneo-rest/api-csf was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @b2bneo-rest/api-csf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea4a9f32d6857ac3e548ca117915efd6694039bbc344390f1758f12291776817 The package @b2bneo-rest/api-csf was found to contain malicious code. Source: ossf-package-analysis...

GHSA-WP5R-2GW5-M7Q7 vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

Summary vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL variable, which exposes...

vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

Summary vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL variable, which exposes...

PT-2026-38394

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0 Description A performance optimization in the code transformer skips AST Abstract Syntax Tree analysis when the code does not contain the keywords catch, import, or async. This fast-path bypass allows sandboxed cod...

Demystifying and Detecting Agentic Workflow Injection Vulnerabilities in GitHub Actions

GitHub Actions is increasingly used to deploy LLM-based agents for repository-centric tasks such as issue triage, pull-request review, code modification, and release assistance. These agentic workflows extend traditional CI/CD automation with agentic capabilities but also create a new injection...

TUANDROMD-X: Advanced Entropy and Visual Analytics Dataset for Enhanced Malware Detection and Classification

Malware and malware-based attacks are becoming more prevalent and complex. Attackers regularly come up with new techniques that have the ability to evade conventional and signature-based malware defense. In order to address such threats, there is an increasing demand for advanced and better defen...

SkillScope: Toward Fine-Grained Least-Privilege Enforcement for Agent Skills

Agent Skills have become a practical way to extend LLM agents by packaging metadata, natural-language instructions, and executable resources into reusable capability bundles. However, this growing Skill ecosystem introduces a new compliance risk: a Skill may perform high-impact actions that excee...

Heimdallr: Characterizing and Detecting LLM-Induced Security Risks in GitHub CI Workflows

GitHub Continuous Integration CI workflows increasingly integrate Large Language Models LLMs to automate review, triage, content generation, and repository maintenance. This creates a new attack surface: externally controllable workflow inputs can shape LLM prompts and outputs, which may in turn...

LCC-LLM: Leveraging Code-Centric Large Language Models for Malware Attribution

LLMs are increasingly explored for malware analysis; however, current LLM-based malware attribution remains limited by unsupported indicators and insufficient code-level grounding for identifying malicious and vulnerable code segments. To address these limitations, this research introduces LCC-LL...

MAL-2026-3361 Malicious code in 24712-pl5004 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d79bb37b62b8d47ca459db0858a93ffb3c35e3791423c11a0853fb4ab17388e The package 24712-pl5004 was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in 24712-pl4712 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4c8947855d76def29ae6497648e1355d55d891c01d5eea51f475ef033c0eda29 The package 24712-pl4712 was found to contain malicious code. Source: ossf-package-analysis...