Lucene search

100 matches found

Schneier on Security
added 2026/05/29 11:2 a.m. | 9 views

Chilling Effects

Younger Americans have soured on the second Donald Trump presidency, but they are not protesting it. Despite an unpopular Iran war and an even more unpopular Trump administration, college campus protests nationwide have gone silent. And at many schools, student activism is virtually nonexistent...

AI score: 5.8
Exploits: 0

Cvelist
added 2026/05/14 9:0 p.m. | 30 views

CVE-2026-45781 MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attacker-controlled package claims

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github./ namespace to OCI images the...

CVSS: 3.5 | EPSS: 0.0001
Exploits: 0 | References: 1

Packet Storm News
added 2026/05/07 12:0 a.m. | 7 views

Profiling for Pennies: Unveiling the Privacy Iceberg of LLM Agents

Large Language Models (LLMs) have revolutionized how information is collected, aggregated, and reasoned. However, this enables a novel and accessible vector of privacy intrusion: the automated and in-depth personal profiling; this engenders a chilling effect of "peepers everywhere". Existing...

AI score: 5.8
Exploits: 0

CNNVD
added 2026/04/07 12:0 a.m. | 5 views

PraisonAI Path Traversal Vulnerability

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 1.5.113 contained a path traversal vulnerability. This vulnerability stemmed from the recipe registry’s extraction process, which used tar.extractall to extract a .praison tar...

CVSS: 7.3 | AI score: 5.8 | EPSS: 0.00052
Exploits: 1 | References: 1

Positive Technologies
added 2026/03/23 12:0 a.m. | 4 views

PT-2026-27190

Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0. Description: AVideo is an open source video platform. The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that allows...

CVSS: 9.4 | AI score: 5.7 | EPSS: 0.00106
Exploits: 1 | References: 10

The Hacker News
added 2026/01/16 2:9 p.m. | 7 views

Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts

Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts. "The extensions work in concert to...

AI score: 7.5
Exploits: 0

OSV
added 2025/11/13 3:23 a.m. | 1 view

MAL-2025-189852 Malicious code in telesto-dotenv-safe-webdriver-mocha-jwt (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10d513eeaab93246ff546ef260475c4d48574ff1738e8b1d59e46c843aaaa18a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 8:46 p.m. | 2 views

Malicious code in lookingan-nanakila41 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23a3e781d2dae1c1493f158976f4194fa70c816ad4e0027aab90423cc419756e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 7:18 p.m. | 2 views

Malicious code in nokire-kushina49 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aaa0d1fc37749d35502ade90249e42740156ebdd7c11c19d6d23f504471efbae This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSV
added 2025/11/12 4:47 p.m. | 1 view

MAL-2025-164938 Malicious code in rita-64 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7e87ff0d72ceb783e40664d24fbda071c42803d5ccad0f06ec1fe4261338718 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

OSV
added 2025/11/12 3:4 a.m. | 0 views

MAL-2025-138974 Malicious code in religious-amethyst-peafowl (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d2688efebff925b9851742440ed5acd19b2c047b4b48da253d991f44c00185c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

OSSF Malicious Packages
added 2025/11/11 8:11 p.m. | 2 views

Malicious code in racial_gopher_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e2c0c7d7cd31e078570b37f5146e0e11b57b48c6795032c2faa52c4bd9fc99ae This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/11 5:18 a.m. | 0 views

Malicious code in empty_basilisk_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd9e3279e9fef266bea5c3b8e3486c68a96ed3b33234432239205dd3e61a7df2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSV
added 2025/11/11 12:17 a.m. | 1 view

MAL-2025-62142 Malicious code in budi-kue35-sluey (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e31e00608ed936cb81b4d121637b016b6f6b34c5e3976ef38abad34c1bc82cba This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

Akamai Blog
added 2025/11/10 1:0 p.m. | 3 views

AI Pulse: AI Bots Are Targeting Commerce, Publishers, and High Tech

...

AI score: 7
Exploits: 0

RedhatCVE
added 2025/10/14 9:49 p.m. | 2 views

CVE-2025-62362

gpp-burgerportaal is a Dutch government citizen portal application. In versions before 2.0.3, 3.0.2, and 4.0.1, the name and email address of employees who publish content are exposed in network responses and can be discovered by viewing the browser's developer tools network tab. This information...

CVSS: 6.9 | AI score: 6.3 | EPSS: 0.00062
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2022-51711

Malicious code in bioql PyPI...

CVSS: 7.2 | AI score: 7 | EPSS: 0.00642
Exploits: 2 | References: 2

Akamai Blog
added 2025/07/30 1:0 p.m. | 3 views

Publishers: How to Block AI Bots and Reclaim Control of Your Content

...

AI score: 7.3
Exploits: 0

RedhatCVE
added 2025/05/23 12:36 a.m. | 4 views

CVE-2022-4360

The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...

CVSS: 7.2 | AI score: 7.4 | EPSS: 0.00642
Exploits: 2 | References: 1

RedhatCVE
added 2025/05/23 12:2 a.m. | 4 views

CVE-2022-4359

The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...

CVSS: 7.2 | AI score: 7.4 | EPSS: 0.00537
Exploits: 2 | References: 1