4 posts tagged with "Vulnerability Alerts"

Security vulnerabilities and alerts

LiteLLM Supply Chain Poisoning: A Full-Path Analysis from Trivy Compromise to Zero-Click Malicious .pth Injection

The popular AI framework LiteLLM has fallen victim to a severe supply chain poisoning attack. The threat actor, TeamPCP, compromised the upstream tool Trivy to steal publishing tokens, subsequently planting a malicious version in the PyPI repository equipped with fork bomb capabilities and container escape functionality.

Supply Chain Poisoning and Developer Credential Theft in Apifox Desktop Client

Apifox has fallen victim to a supply chain poisoning attack. By tampering with the official CDN-hosted event tracking script, `apifox-app-event-tracking.min.js`, attackers have successfully implanted a high-risk Trojan loader into the client application.

Code Execution Vulnerability Discovered in OpenAI Codex Desktop

A critical security vulnerability has been identified in OpenAI Codex: an attacker can bypass permission validation and achieve remote code execution (RCE) simply by inducing a user to open a folder.

Security Alert: North Korean Threat Actor FAMOUS CHOLLIMA Releases 26 Malicious npm Packages

Security researchers have detected a large-scale supply chain attack on the official npm registry orchestrated by the North Korean-linked threat group **FAMOUS CHOLLIMA** (also known as LabP2P). The group released at least **26 malicious packages** masquerading as legitimate development tools. These packages utilize `install.js` scripts to automatically trigger Remote Access Trojans (RATs) upon installation, aiming to exfiltrate developers' SSH keys, Git repositories, browser credentials, and sensitive clipboard data.
