26 matches found
Investigating Detection and Obfuscation of Prompt Injection Attacks against Software Reverse Engineering AI Agents
Agentic software reverse engineering systems are vulnerable to prompt injection attacks placed into the source code of executable binary files. This research demonstrates defensive tactics for detecting the presence of prompt injection strings in the decompiler output of adversarial example...
GHSA-XW8C-RRVX-F7XQ ciguard: SCA HTTP client reads response body without size cap
Summary Both SCA HTTP clients src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev or a successful TLS MITM could return a multi-GB response,...
Malicious code in conmiyagi-map (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c2e125bb096a79fe5c600e1826a5926312c29943a9f33edb1f2efbb0e0416203 The package conmiyagi-map was found to contain malicious code. Source: ghsa-malware fc52bddaac2d657d1e598f3b111f1195c1841882824da63324fac949f6f341ab...
On the Effectiveness of Instruction-Tuning Local LLMs for Identifying Software Vulnerabilities
Large Language Models (LLMs) show significant promise in automating software vulnerability analysis, a critical task given the impact of security failure of modern software systems. However, current approaches in using LLMs to automate vulnerability analysis mostly rely on using online API-based LL...
Black Duck SCA Security Vulnerability
Black Duck SCA is a software composition analysis tool from Black Duck USA. A security vulnerability exists in Black Duck SCA versions prior to 2025.10.0 that stems from an overly broad configuration of user role permissions, which could lead to unauthorized project configuration changes or acces...
MAL-2025-49390 Malicious code in payments-notifications (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec2ff3c7a16e539813080b53ccec2b3531078fed7382156c676025c1188b9c7c The package payments-notifications was found to contain malicious code. Source: ossf-package-analysis...
MAL-2025-6296 Malicious code in node-buildpack-test-app (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 853e825cb3a7ee79b6c801ac036e895ab6ef780891a544abe6b9f5c54bdc33b9 The OpenSSF Package Analysis project identified...
MAL-2025-5304 Malicious code in flag-package (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 438adadeb667385a6a147b98a62dbe1d6b61e621b47e82afaa959cec99b4a7fe Any computer that has this package installed or running should be considered...
MAL-2025-5148 Malicious code in sentry-docs (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 688bb145ba010593bc53d4870250dfa7bc897a70a613291ed2352ba008314c84 Any computer that has this package installed or running should be considered...
MINI-Q55M-WF3F-CC56
Bulletin has no description...
CVE-2022-49695
A vulnerability was found in the Linux kernel in the Intel igb driver function igb_clean_tx_ring when running in XDP mode. A use-after-free issue can arise from attempting to free skb memory using dev_kfree_skb_any. This issue potentially leads to system instability and memory corruption. Mitigation To...
MAL-2025-135 Malicious code in cumulus-dashboard (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 0f1f8e685a786d680773dae17f3fdca813dc627d1a031200036521aef32b1566 The OpenSSF Package Analysis project identified 'cumulus-dashboard' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...
MAL-2025-22 Malicious code in @vf-org/smapi-js-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis bb778953ccadf1ddd3d3249677a4b7c27133ddd85d451ebe6cf0e04611264b86 The OpenSSF Package Analysis project identified '@vf-org/smapi-js-core' @ 8.2.10 npm as malicious. It is considered malicious because: - The...
MAL-2024-12113 Malicious code in testforyt7hb (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 7ffea609123713e81da0d17141ca37dca97eaa7848afcbf299d969e5108ce7e2 The OpenSSF Package Analysis project identified 'testforyt7hb' @ 1.2.0 npm as malicious. It is considered malicious because: - The package...
MAL-2024-11924 Malicious code in editions-dev-workshop (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis e10c5fb118ea2960476ee2fa51f5d3d97e5834b44b3ce58aef95d3fdf1d5a822 The OpenSSF Package Analysis project identified 'editions-dev-workshop' @ 5.0.0 npm as malicious. It is considered malicious because: - The...
AMD μProf Security Vulnerability
AMD μProf is a software analysis tool from AMD (Advanced Micro Devices). A security vulnerability exists in AMD μProf that stems from improper input validation and could allow an attacker to perform a write to an invalid address, resulting in a denial of service...
VMconf 22 Vulnerability Management conference: Call For Papers started
Hello everyone! This episode will be about the VMconf 22 Vulnerability Management conference. CFP started on November 1, which will last a month and a half. So please submit your talk or share this video with someone who might be interested. Let's talk about the conference itself. All started with...
IoT-Implant-Toolkit - Toolkit For Implant Attack Of IoT Devices
IoT-Implant-Toolkit is a framework of useful tools for malware implantation research of IoT devices. It is a toolkit consisting of essential software tools on firmware modification, serial port debugging, software analysis and stable spy clients. With an easy-to-use and extensible shell-like...
UPDATE: OWASP Dependency-Check 3.2.1
PenTestIT RSS Feed My first post about this open source OWASP project was about an older version. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 3.2.1! Actually, this post is also...
Machine Learning Penetration Testing: GyoiThon
GyoiThon is a growing penetration test tool using Deep Learning. Deep Learning improves classification accuracy in proportion to the amount of learning data. Therefore, GyoiThon will be taking in new learning data during every scan. Since GyoiThon uses various features of software included in HTT...