20 matches found

OSSF Malicious Packages
added 2026/05/19 12:0 a.m. (8 views)

Malicious code in @antv/g-webgpu (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score 5.8
Exploits: 0, References: 5
OSV
added 2026/05/19 12:0 a.m. (7 views)

MAL-2026-3898 Malicious code in @antv/f2-wordcloud (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score 5.8
Exploits: 0, References: 4
The Hacker News
added 2026/01/21 9:10 a.m.8 views

Chainlit AI Framework Flaws Enable Data Theft via File Read and SSRF Bugs

Security vulnerabilities were uncovered in the popular open-source artificial intelligence (AI) framework Chainlit that could allow attackers to steal sensitive data, which may allow for lateral movement within a susceptible organization. Zafran Security said the high-severity flaws, collectively...

CVSS 8.3, AI score 6.3, EPSS 0.00052
Exploits: 2
Veracode
added 2025/12/08 9:40 a.m. (6 views)

Timing-Based Side-Channel Attack

github.com/mattermost/mattermost-server is vulnerable to timing-based side-channel attacks. The vulnerability is due to improper use of constant-time comparison for sensitive strings, which allows an attacker to exploit timing oracles to perform byte-by-byte brute-force attacks on Cloud API keys...

CVSS 3.7, AI score 6.9, EPSS 0.00033
Exploits: 0, References: 4, Affected Software: 2
SUSE CVE
added 2025/11/09 12:24 a.m. (1 view)

SUSE CVE-2025-54499

Mattermost versions 10.5.x ≤ 10.5.10, 10.11.x ≤ 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...

CVSS 3.7, AI score 6.9, EPSS 0.00033
Exploits: 0, References: 2
RedhatCVE
added 2025/10/17 8:40 a.m. (4 views)

CVE-2025-54499

Mattermost versions 10.5.x ≤ 10.5.10, 10.11.x ≤ 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...

CVSS 3.7, AI score 6.8, EPSS 0.00033
Exploits: 0, References: 1
OSV
added 2025/10/16 9:30 a.m. (2 views)

GHSA-XR3W-RMVJ-F6M7 Mattermost has an Observable Timing Discrepancy vulnerability

Mattermost versions 10.5.x ≤ 10.5.10, 10.11.x ≤ 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...

CVSS 3.1, AI score 6.8, EPSS 0.00033
Exploits: 0, References: 5
NVD
added 2025/10/16 9:15 a.m. (2 views)

CVE-2025-54499

Mattermost versions 10.5.x ≤ 10.5.10, 10.11.x ≤ 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...

CVSS 3.7, EPSS 0.00033
Exploits: 0, References: 1
CVE
added 2025/10/16 8:17 a.m. (6 views)

CVE-2025-54499

Mattermost CVE-2025-54499 affects Mattermost Server 10.5.x (≤10.5.10) and 10.11.x (≤10.11.2). The root cause is non-constant-time comparison for sensitive strings, enabling timing-based side-channel attacks that could reveal Cloud API keys and OAuth client secrets. Connected advisories also link ...

CVSS 3.7, AI score 6.4, EPSS 0.00033
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2025/09/29 8:38 p.m. (8 views)

CVE-2025-34233

Vasion Print (formerly PrinterLogic) Virtual Appliance Host before 25.1.102 and Application before 25.1.1413 are affected by a protection mechanism failure in the file_get_contents()/CURL usage. When an administrator configures a printer hostname (or similar callback field), the value is passed u...

CVSS 8.5, AI score 6.5, EPSS 0.00086
Exploits: 1, References: 4, Affected Software: 2
Wiz blog
added 2025/09/04 4:39 p.m. (1 view)

From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

Exposed cloud credentials become the launchpad for mass phishing, highlighting email services as a prime target in cloud exploitation campaigns...

AI score 7
Exploits: 0
Snyk
added 2025/08/26 9:35 a.m. (1 view)

Malicious Package

Overview: tclients-sdk is a malicious package. This package contains malicious code disguised as a legitimate cloud client utility, and its content has been removed from the official package manager. Its primary purpose is to steal cloud-related secrets, such as API keys and access tokens. The...

CVSS 9.8, AI score 7.1
Exploits: 0, References: 3
RedhatCVE
added 2025/08/15 5:30 p.m. (2 views)

CVE-2025-2181

A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov's output...

CVSS 5.9, AI score 6.7, EPSS 0.00053
Exploits: 0, References: 1
Cvelist
added 2025/08/13 5:3 p.m. (4 views)

CVE-2025-2181 Checkov by Prisma Cloud: Cleartext Exposure of Credentials

A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov's output...

CVSS 5.9, EPSS 0.00053
Exploits: 0, References: 1
Gitee
added 2025/07/06 2:39 a.m. (553 views)

Exploit for Improper Authentication in Dahuasecurity Ipc-Hum7Xxx_Firmware

PoC misc PoC - Internet of InSecurity Things. Well worth reading about these crappy insecurity things: https://ipvm.com/reports/security-exploits Hikvision CVE-2021-36260 --- 2021-10-19 All credit to WatchfulIP https://watchfulip.github.io/ https://github.com/mcw0/PoC/blob/master/CVE-2021-36260.py...

CVSS 10, AI score 9.3, EPSS 0.94436
Exploits: 31
Hacker One
added 2024/11/20 9:40 p.m. (3 views)

U.S. Dept Of Defense: Exposed Extremely Sensitive Information in Public ZIP File

A publicly accessible ZIP file containing sensitive information, including SMTP credentials, database connection details, and AWS secret keys, was discovered. The sensitive data was exposed due to the lack of proper access controls and encryption. The exposed credentials could have been misused f...

AI score 6.9
Exploits: 0
HackRead
added 2024/10/23 11:56 a.m. (7 views)

Millions of iOS and Android Users at Risk as Popular Apps Expose Cloud Keys

Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted...

AI score 7.1
Exploits: 0
OSV
added 2024/05/16 9:33 a.m. (15 views)

GHSA-RFQQ-WQ6W-72JM MLflow has a Local File Read/Path Traversal bypass

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '' character can be used to insert a path into the fragment, effectively...

CVSS 7.5, AI score 7.2, EPSS 0.77074
Exploits: 1, References: 5
PyPA
added 2024/05/16 9:15 a.m. (5 views)

PYSEC-2024-244

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '' character can be used to insert a path into the fragment, effectively...

CVSS 7.5, AI score 6.7, EPSS 0.85715
Exploits: 2, References: 4, Affected Software: 1
NVD
added 2023/07/01 12:15 a.m. (10 views)

CVE-2023-31997

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys are those that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen...

CVSS 9, AI score 8.8, EPSS 0.00043
Exploits: 0, References: 1