OpenClaw's 470 advisories show unauthenticated RCE became a cloud AI platform pattern
OpenClaw's 470 advisories show how cloud AI platforms turn prompt handling, tool calls and host execution into an unauthenticated RCE pattern at scale.
Analyse: Legitimate DCloud Uni-App Toolkit Weaponised at Scale…
Latest intel
Authentication bypass keeps recurring because modern applications validate identity at convenient edges, then perform critical operations in layers that no longer know whether access was proven.
Supply chain compromise is shifting from static package poisoning towards runtime weaponisation, where trusted code becomes a credential harvester, traffic broker or covert infrastructure node after deployment.
Threat Feed
CIFSwitch CVE-2026-46243 and PraisonAI show why vertical movement often follows from designs that let low-trust identities shape high-trust operations.
Gogs, PraisonAI and KnowledgeDeliver show why authentication bypass in self-hosted platforms is often an architectural failure, not a missing if statement.

More research
May 2026 supply-chain compromises showed that poisoned developer tooling now targets the identity and execution layer before code reaches a repository.
Supply chain compromise has shifted from stealing credentials to poisoning package ecosystems through compromised CI/CD systems, maintainer accounts and trusted execution paths.

Google Project Zero's Pixel 10 zero-click chain shows how Android hardening changes exploit shape without removing reachable attack surface in media parsing and device drivers.
Recent vm2, NodeVM and Ollama flaws show a recurring failure pattern: developer-friendly JavaScript isolation is being treated as a hard security boundary when the runtime was never designed to provide one.

Checkmarx KICS, npm Bitwarden CLI packages and GlassWorm show how supply chain compromise has moved from poisoned code to weaponised developer trust.
A compromised AI productivity tool called Context.ai gave attackers OAuth access to a Vercel employee's Google Workspace, pivoting into internal systems. The AI tool supply chain is the new CI/CD supply chain.
Eighteen months of supply chain attacks against AI infrastructure reveal a structural pattern: the build pipeline, the package registry and the runtime protocol all share the same trust model failure.

Modern frameworks keep reimplementing the same seven authentication bypass patterns. From hardcoded credentials to missing origin checks, the bugs are structural, not accidental, and the AI tooling boom is accelerating the cycle.
CVE-2025-10492, a CVSS 9.8 Java deserialisation flaw in the JasperReports component of Hitachi Energy Ellipse, enables unauthenticated RCE on critical manufacturing systems. No patch exists for the community edition of the underlying library.


CVE-2026-27663 and CVE-2026-27664 affect shared firmware components across Siemens SICAM A8000, EGS and S8000 product lines, enabling unauthenticated denial of service in power grid infrastructure.
AI orchestration platforms like LangFlow and n8n are accumulating critical RCE vulnerabilities because their architectures treat user-supplied configuration as trusted code.
CVE-2026-3356 exposes a design-level authentication failure across Anritsu's entire Remote Spectrum Monitor line. CVSS 9.3, all versions affected, no fix planned.

CVE-2026-3055, a critical out-of-bounds read in Citrix NetScaler ADC and Gateway, is being actively exploited. CISA has added it to the KEV catalog.