‼️🚨 Critical remote code execution in libssh2, the SSH client library embedded in countless tools: CVE-2026-55200, rated CVSS 9.2 by VulnCheck. Every version up to and including 1.11.1 is affected.
It's an out-of-bounds heap write in ssh2_transport_read(), which fails to bound-check the SSH packet_length field. A malicious or MITM'd SSH server can send oversized packets to corrupt memory and run code on the connecting client.
No known exploitation yet and it's not in CISA's KEV. Fix: move to a build that includes commit 7acf3df (PR #2052), and inventory anything that links libssh2 for SSH, SCP, or SFTP.
PSA: If you used Claude Fable-5 today with memory turned on, you just violated all your NDAs. Anthropic requires a 30-day retention policy including human review, and the memory feature (on by default) searches past chats for context, so sensitive historical chats get pulled in.
New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers
Source: https://t.co/05wqlIz2Mb
A new wave of the Shai-Hulud supply chain campaign, adding 23 newly discovered malicious PyPI package-version artifacts to an already alarming operation that previously compromised 37 packages.
What makes this wave particularly dangerous is how quickly threat actors are iterating their delivery methods. The _index.js payload deploys a novel LLM anti-analysis technique, embedding a large fake system-instruction block inside a non-executing JavaScript comment at the top of the file.
#cybersecuritynews
‼️🚨 A new npm supply-chain attack compromised 57 packages across over 286 malicious versions in under 2 hours. The attackers used self-replicating malware, a new version of the Miasma worm, which also used evasion techniques to stay under the radar.
The payload targets CI/CD and developer credentials, including GitHub Actions secrets, cloud credentials, Vault tokens, SSH keys, npm and GitHub tokens, and password-manager stores. This variant also injects AI coding assistant config files at `.claude`, `.cursor`, `.gemini`, and `.vscode` paths, a separate persistence and repo-poisoning angle.
🚨 Claude Code's GitHub Actions Vulnerability Lets Attackers Compromise Any Repository
Source: https://t.co/lb0fzVp2ox
A critical supply chain vulnerability in Claude Code's GitHub Actions that could allow attackers to compromise any repository using Anthropic's official CI/CD workflow, including Anthropic's own infrastructure.
When combined with prompt injection techniques, it could enable a fully unauthenticated external attacker to exfiltrate secrets, steal OIDC tokens, and push malicious code to any downstream repository that depends on the Claude Code GitHub Actions workflow.
Claude Code GitHub Actions restricts workflow execution to users with write or admin access. However, the checkWritePermissions function unconditionally trusted any actor ending in [bot] regardless of actual permissions.
#cybersecuritynews
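As an added illustration (not the Claude Code action's own source; the permission table, bot allowlist and function names are constructed), here is a write-permission gate that trusts the `[bot]` suffix, beside one that checks the actual repository permission for every actor:

```javascript
// Constructed stand-in for GitHub's collaborator-permission lookup; a real
// implementation would query the repository permission API for the actor.
const REPO_PERMISSIONS = {
  "alice": "admin",
  "bob": "write",
  "carol": "read",
  "dependabot[bot]": "write",
  "untrusted-app[bot]": "read", // login ends in "[bot]" but holds no write access
};

function lookupPermission(actor) {
  return REPO_PERMISSIONS[actor] ?? "none";
}

function hasWriteOrAdmin(actor) {
  const level = lookupPermission(actor);
  return level === "write" || level === "admin";
}

// Vulnerable form (the logic flaw described above, reconstructed): any actor
// whose login ends in "[bot]" is trusted without consulting permissions.
function checkWritePermissionsVulnerable(actor) {
  if (actor.endsWith("[bot]")) return true;
  return hasWriteOrAdmin(actor);
}

// Hardened form: the suffix grants nothing. Every actor must hold write or
// admin on the repository, and bot logins must also be on an explicit
// allowlist so an arbitrary installed app cannot drive the workflow.
const ALLOWED_BOTS = new Set(["dependabot[bot]"]);

function checkWritePermissionsHardened(actor) {
  if (!hasWriteOrAdmin(actor)) return false;
  if (actor.endsWith("[bot]")) return ALLOWED_BOTS.has(actor);
  return true;
}
```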
Web application vulnerabilities ranked by real-world exploitation frequency — not theoretical risk. Drawn from breach reports, CVE data, and incident response findings. https://t.co/BU0DEg1meV
🚨 UPDATE: GitHub confirms its security breach was caused by a poisoned VS Code extension on an employee device.
The attacker is believed to have exfiltrated around 3,800 internal repositories, with critical secrets already rotated.
AWS CodeBuild: Escalating privileges via CodeConnections
Thomas Preece
An undocumented internal endpoint, codebuild-builds.{REGION}.amazonaws.com, responds to GetBuildInfo and can return the raw GitHub App installation token (or Bitbucket JWT) used by CodeConnections. That token grants admin/write access across every repo the app can reach — including bypassing branch protections.
The write-up includes: 🔍 proof of the hidden endpoint and API surface leaking tokens; ⚠️ impact analysis of how one token bypasses protections and escalates access; 🧭 a full exploit path for defenders to audit and harden environments.
First mentioned in AWS Security Digest Issue #255: https://t.co/eQ4OmNxMxf
Read here: https://t.co/D2V6msY8fg
Local File Inclusion in AWS Remote MCP Server via CLI Shorthand Syntax
Coby Abrams
Coby discovered an LFI (CVE-2026-4270) in the official AWS Remote MCP Server that completely bypasses FileAccessMode=NO_ACCESS. The AWS CLI’s shorthand for loading local file contents into command parameters was passed through unsanitized by the MCP server — point it at a sensitive file, trigger an error, and the error response leaks the file contents. Reproducible against https://t.co/RPD5z9B3hA; patched in v1.3.9.
🔍 What matters: the vulnerability abuses CLI file-loading shorthand and server-side lack of input sanitization, not a client bug.
⚠️ Impact: secrets or config files can be exfiltrated via error messages even when NO_ACCESS is set.
Fix: update AWS Remote MCP Server (and any forks) to v1.3.9 or later now.
This was first mentioned in AWS Security Digest Issue #254: https://t.co/hRh6bKZwZ9
Read here: https://t.co/aG7FnFkVer
Everyone is tweeting out "use pnpm & set a minimumReleaseAge of 7 days"
but don't forget blockExoticSubdeps - which would also prevent the usage of a remote GitHub reference here!
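Added example, not part of the post: a small audit that classifies dependency specifiers the way blockExoticSubdeps does and flags transitive ones that do not come from the registry; the dependency tree is constructed, and the pnpm-workspace.yaml snippet in the top comment assumes those key names and that minimumReleaseAge is expressed in minutes.

```javascript
// Settings the post refers to, written as pnpm-workspace.yaml keys (assumed
// key names; minimumReleaseAge is in minutes, so 7 days is 10080):
//   minimumReleaseAge: 10080
//   blockExoticSubdeps: true

// Specifier shapes that do not resolve through the registry. URL forms are
// tested before the bare "user/repo" GitHub shorthand.
const EXOTIC_PATTERNS = [
  [/^(git\+)?(ssh|https?|git|file):\/\//i, "git-or-url"],
  [/^(github|gitlab|bitbucket|gist):/i, "git-host-shorthand"],
  [/^[\w.-]+\/[\w.-]+(#.*)?$/, "github-shorthand"],
  [/^file:/i, "local-path"],
  [/^(\.{1,2}\/|\/|~\/)/, "local-path"],
];

function classifySpecifier(spec) {
  for (const [re, kind] of EXOTIC_PATTERNS) {
    if (re.test(spec)) return kind;
  }
  return "registry"; // semver ranges, dist-tags, npm: aliases, workspace: links
}

// Walk a resolved dependency tree and report exotic specifiers at depth > 0.
// Direct dependencies are the project's own choice and are left alone, which
// is where blockExoticSubdeps draws the line.
function findExoticSubdeps(tree) {
  const findings = [];
  const walk = (deps, path, depth) => {
    for (const [name, node] of Object.entries(deps ?? {})) {
      const here = [...path, name];
      const kind = classifySpecifier(node.spec);
      if (kind !== "registry" && depth > 0) findings.push({ path: here.join(" > "), spec: node.spec, kind });
      walk(node.dependencies, here, depth + 1);
    }
  };
  walk(tree.dependencies, [], 0);
  return findings;
}

// Constructed tree: one exotic direct dependency (allowed) and two exotic
// transitive ones hiding under a registry package (flagged).
const CONSTRUCTED_TREE = { name: "my-app", dependencies: {
  "left-pad": { spec: "^1.3.0" },
  "my-fork-of-lib": { spec: "github:me/lib#v2" },
  "some-ui-lib": { spec: "^2.0.0", dependencies: {
    helper: { spec: "github:someone/helper#main" },
    "build-script": { spec: "https://example.invalid/build-script-1.0.0.tgz" },
    semver: { spec: "^7.0.0" },
  } },
} };
```

Run `findExoticSubdeps(CONSTRUCTED_TREE)` in a CI step before `pnpm install` to fail the build on the two flagged entries.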
Malicious skills are evolving, and attackers are finding ways to execute them before model-level defenses even activate.
In the first post of our new series, I’ll show you how dynamic context in coding agents can introduce new supply chain risks:
https://t.co/xdqgUo8xEA
The Claude Platform on AWS is now generally available.
AWS customers get the full set of Claude API features, with AWS authentication, billing, and commitment retirement.
Managing API keys is one of the top security concerns we hear from customers.
Today we’re introducing keyless auth for Claude Platform: authenticate via browser with the CLI, or let workloads use their existing cloud identity (AWS, GCP, Azure, or any OIDC token provider).