Axios sits underneath LangChain, OpenAI's SDK, dozens of MCP clients, ...
Its npm account got hijacked and published two backdoored versions!
If you are in AI agent deployments, see What You Should Do Right Now:
https://mistaike.ai/blog/axios-npm-supply-chain/

Quote:
https://mastodon.social/@mistaike/116334359828804865

#InfoSec #CyberSecurity #SupplyChain #AIAgent #MCPProtocol

Axios Has 100 Million Weekly Downloads. North Korea Backdoored It in 39 Minutes. — mistaike

On March 31, a North Korea-linked threat actor hijacked the Axios npm maintainer account and published two backdoored versions within 39 minutes. The cross-platform RAT payload targeted every OS. Axios sits underneath virtually every AI agent framework, MCP client, and workflow automation tool in production today.

mistaike.ai
🚨 CVE-2026-34564 (CRITICAL, CVSS 9.1): ci4ms < 0.31.0.0 vulnerable to stored XSS via Menu Management. Low-priv attackers can inject scripts, impacting admins & users. Patch & audit menus now. https://radar.offseq.com/threat/cve-2026-34564-cwe-79-improper-neutralization-of-i-8f6e6ad8 #OffSeq #XSS #infosec #vuln
Possible Phishing 🎣
on: ⚠️ hxxps[:]//learn-bridge-eng-tezr[.]typedream[.]app/
🧬 Analysis at: https://urldna.io/scan/69cdb1b83b77500009260e4e
#cybersecurity #phishing #infosec #urldna #scam #infosec

Vim's Partial Patch Problem: 14+ Heap Overflows Left Behind After CVE-2026-28421

One (int) cast was fixed. At least 14 identical truncations remain across ex_getln.c, memline.c, terminal.c, session.c and others.

size_t → (int) cast silently truncates values > INT_MAX → undersized alloc → heap buffer overflow (CWE-190 → CWE-122).

Trigger vectors: swap files, undo files, session files, terminal output — all accessible via shared filesystems and repos.

Vim's lead maintainer closed the GitHub Security Advisory and threatened to ban the reporter.

The fix is trivial: remove the redundant (int) casts. alloc() already accepts size_t.

Full writeup: https://medium.com/@engningarchitect/vims-partial-patch-problem-14-heap-overflows-left-behind-after-cve-2026-28421-95c3b6863642

#vim #infosec #CVE #heapoverflow #vulnerability #opensource

Vim's Partial Patch Problem: 14+ Heap Overflows Left Behind After CVE-2026-28421

Feng Ning · Innora Security Research · April 2026

Medium
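The truncation the post describes, worked through as an added example. This is illustrative code, not Vim's: the allocator name alloc and the size_t signature are taken from the post, while the enum, the stand-in function bodies, the textual scanner and the sample source lines are constructed here. It assumes an LP64 target and gcc/clang's modulo-2^32 behaviour for the out-of-range size_t to int conversion, and it goes one step beyond the post by separating the lengths that merely make alloc() fail from the ones that produce an undersized buffer.

```c
/* Added example, not Vim's code: how a redundant (int) cast on a size_t
 * length yields an undersized allocation, plus a crude scan for the pattern.
 * Assumes LP64 (int 32-bit, size_t 64-bit) and gcc/clang's modulo-2^32
 * result for the implementation-defined size_t -> int conversion. */
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum cast_outcome {
    CAST_OK,          /* len survives the int round trip unchanged */
    CAST_HUGE,        /* (int)len is negative; widened back to size_t it is
                         enormous, so alloc() fails: no overflow, at worst DoS */
    CAST_UNDERSIZED   /* (int)len is a small non-negative value; alloc()
                         succeeds with too few bytes and the copy overruns it */
};

/* Bytes the allocator receives with the cast in place: alloc((int)len),
 * where alloc takes size_t (as the post says it does). */
size_t requested_before_fix(size_t len)
{
    int truncated = (int)len;   /* the redundant cast: keeps the low 32 bits */
    return (size_t)truncated;   /* implicit widening back at the call site */
}

/* Bytes the allocator receives after the fix: the cast is simply removed. */
size_t requested_after_fix(size_t len)
{
    return len;
}

enum cast_outcome classify_cast(size_t len)
{
    if (requested_before_fix(len) == len)
        return CAST_OK;
    if ((int)len < 0)
        return CAST_HUGE;
    return CAST_UNDERSIZED;
}

/* Count call sites of the form alloc((int)...) in a source buffer. Purely
 * textual: only the bare identifier alloc followed by a (int) cast matches,
 * so casts hidden behind macros or other allocators are not found. */
int count_int_cast_alloc_calls(const char *src)
{
    int n = 0;
    const char *p = src;
    while ((p = strstr(p, "alloc(")) != NULL) {
        int mid_identifier = p != src &&
            (isalnum((unsigned char)p[-1]) || p[-1] == '_');   /* e.g. lalloc( */
        const char *q = p + strlen("alloc(");
        while (*q == ' ' || *q == '\t')
            q++;
        if (!mid_identifier && strncmp(q, "(int)", 5) == 0)
            n++;
        p = q;
    }
    return n;
}

/* Constructed sample lines in the shape the post describes; not from Vim. */
static const char sample_source[] =
    "    p = alloc((int)STRLEN(s) + 1);\n"            /* suspect */
    "    q = alloc(len);\n"                           /* clean: size_t flows through */
    "    r = lalloc((int)nbytes, TRUE);\n"            /* other identifier, skipped */
    "    s = alloc( (int)(n * sizeof(char_u)) );\n";  /* suspect */

int main(void)
{
    static const char *names[] = { "ok", "huge (alloc fails)", "undersized (overflow)" };
    size_t probes[] = { 100, (size_t)INT_MAX, (size_t)INT_MAX + 1,
                        (size_t)UINT32_MAX + 17 };   /* 2^32 + 16 */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("len=%-12zu before=%-22zu after=%-12zu %s\n",
               probes[i], requested_before_fix(probes[i]),
               requested_after_fix(probes[i]), names[classify_cast(probes[i])]);
    printf("alloc((int)...) sites in sample: %d\n",
           count_int_cast_alloc_calls(sample_source));
    return 0;
}
```

The interesting row is the last one: a length of 2^32 + 16 reaches the allocator as 16, so alloc() succeeds and the subsequent copy of the full length overruns the heap block. Lengths between INT_MAX and 2^32 only become negative, which after widening is a request alloc() cannot satisfy. The scanner is a starting point for the audit, not a proof of completeness; a cast wrapped in a macro or applied to an intermediate variable needs a real review of each call site.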

🚨 EUVD-2026-18170

📊 Score: 6.9/10 (CVSS v3.1)
📦 Product: Mongoose, Mongoose, Mongoose (+19 more)
🏢 Vendor: Cesanta
📅 Updated: 2026-04-02

📝 A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based bu...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-18170

#cybersecurity #infosec #euvd #cve #vulnerability

EUVD

European Vulnerability Database

🚨 EUVD-2026-18165

📊 Score: 6.3/10 (CVSS v3.1)
📦 Product: Secure Email Gateway
🏢 Vendor: SEPPmail
📅 Updated: 2026-04-02

📝 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email.

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-18165

#cybersecurity #infosec #euvd #cve #vulnerability

EUVD

European Vulnerability Database

🚨 EUVD-2026-18166

📊 Score: 7.8/10 (CVSS v3.1)
📦 Product: Secure Email Gateway
🏢 Vendor: SEPPmail
📅 Updated: 2026-04-02

📝 SEPPmail Secure Email Gateway before version 15.0.3 does not properly authenticate the inner message of S/MIME-encrypted MIME entities, allowing an attacker to control trusted headers.

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-18166

#cybersecurity #infosec #euvd #cve #vulnerability

EUVD

European Vulnerability Database

🚨 EUVD-2026-18168

📊 Score: 7.8/10 (CVSS v3.1)
📦 Product: Secure Email Gateway
🏢 Vendor: SEPPmail
📅 Updated: 2026-04-02

📝 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge security tags using Unicode lookalike characters.

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-18168

#cybersecurity #infosec #euvd #cve #vulnerability

EUVD

European Vulnerability Database

🚨 EUVD-2026-18160

📊 Score: 7.7/10 (CVSS v3.1)
📦 Product: Secure Email Gateway
🏢 Vendor: SEPPmail
📅 Updated: 2026-04-02

📝 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to cause attacker-controlled certificates to be used for future encryption to a victim by adding the certificates to S/MIME signatures.

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-18160

#cybersecurity #infosec #euvd #cve #vulnerability

EUVD

European Vulnerability Database

🚨 EUVD-2026-18162

📊 Score: 7.7/10 (CVSS v3.1)
📦 Product: Secure Email Gateway
🏢 Vendor: SEPPmail
📅 Updated: 2026-04-02

📝 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge tags such as [signed OK].

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-18162

#cybersecurity #infosec #euvd #cve #vulnerability

EUVD

European Vulnerability Database
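One way to build a subject-tag check so that both the Unicode lookalike bypass (EUVD-2026-18168) and the plain tag forgery (EUVD-2026-18162) fail closed, as an added example covering both advisories above. It is constructed illustration, not SEPPmail's code and not a description of how the gateway actually sanitizes subjects: the only tag text taken from the advisories is [signed OK]; the second protected tag, the rule of rewriting the brackets of an inbound suspect token, and every sample subject are assumptions. The naive routine beside it is the exact-match behaviour that a lookalike character defeats.

```c
/* Added example, not SEPPmail's code: an exact-match subject-tag sanitizer
 * that a Unicode lookalike walks past, beside one that fails closed.
 * "[signed OK]" is from the advisory; the second protected tag, the
 * bracket-rewriting neutralisation and the sample subjects are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Folded (lower-case, single-spaced) text of tags the gateway itself adds. */
static const char *const protected_tags[] = {
    "signed ok",    /* from the advisory: [signed OK] */
    "encrypted",    /* hypothetical second tag */
};

/* Naive: strip exact, case-sensitive copies of the gateway's own tag text.
 * An inbound "[signed \xD0\x9EK]" (Cyrillic O, U+041E, instead of Latin O)
 * passes through untouched and renders identically for the recipient. */
int sanitize_naive(const char *in, char *out, size_t outsz)
{
    const char *needle = "[signed OK]";
    size_t nl = strlen(needle), k = 0;
    for (const char *p = in; *p != '\0'; ) {
        if (strncmp(p, needle, nl) == 0) { p += nl; continue; }
        if (k + 1 >= outsz)
            return -1;
        out[k++] = *p++;
    }
    out[k] = '\0';
    return 0;
}

/* 1 if a bracketed token must not reach the recipient as-is: it contains a
 * non-ASCII byte (genuine gateway tags are pure ASCII, so this is where
 * lookalikes live) or it folds to a protected tag (case/whitespace variants). */
static int tag_is_suspect(const char *tok, size_t len)
{
    char key[64];
    size_t k = 0;
    int prev_space = 1;                 /* also swallows leading whitespace */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tok[i];
        if (c >= 0x80)
            return 1;
        if (isspace(c)) {
            if (!prev_space && k < sizeof key - 1) key[k++] = ' ';
            prev_space = 1;
            continue;
        }
        if (k < sizeof key - 1) key[k++] = (char)tolower(c);
        prev_space = 0;
    }
    while (k > 0 && key[k - 1] == ' ') k--;   /* trailing whitespace */
    key[k] = '\0';
    for (size_t i = 0; i < sizeof protected_tags / sizeof protected_tags[0]; i++)
        if (strcmp(key, protected_tags[i]) == 0)
            return 1;
    return 0;
}

/* Hardened: every inbound [token] that is suspect becomes (token), so the
 * text stays visible but can no longer pose as a tag the gateway added; the
 * gateway appends its own verdict only after this step. */
int sanitize_hardened(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n + 1 > outsz)
        return -1;
    memcpy(out, in, n + 1);
    for (size_t i = 0; i < n; i++) {
        if (out[i] != '[')
            continue;
        char *close = strchr(out + i + 1, ']');
        if (close == NULL)
            break;                      /* unterminated bracket: left alone */
        size_t j = (size_t)(close - out);
        if (tag_is_suspect(out + i + 1, j - i - 1)) { out[i] = '('; out[j] = ')'; }
        i = j;
    }
    return 0;
}

/* Run one sanitizer over a subject and compare with the expected result. */
int sanitized_equals(int (*fn)(const char *, char *, size_t),
                     const char *in, const char *expect)
{
    char buf[256];
    return fn(in, buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed subjects: Cyrillic-O forgery, case/spacing variant, harmless word. */
    const char *subjects[] = { "Invoice [signed \xD0\x9EK]",
                               "Re: [ SIGNED  ok ] budget", "Q2 [urgent] numbers" };
    char buf[256];
    for (size_t i = 0; i < sizeof subjects / sizeof subjects[0]; i++) {
        sanitize_naive(subjects[i], buf, sizeof buf);
        printf("naive    : %s\n", buf);
        sanitize_hardened(subjects[i], buf, sizeof buf);
        printf("hardened : %s\n", buf);
    }
    return 0;
}
```

The point of the hardened version is the shape of the rule rather than the specific rewrite: it never tries to enumerate lookalike glyphs, which is a losing game, but treats any non-ASCII byte inside a bracketed token as disqualifying and folds case and whitespace before comparing against the tags it would itself add. A gateway that instead keeps a list of bad characters has to be updated every time someone finds another confusable.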