SecureChap

import lightning That line executed on developer machines worldwide last week. For 42 minutes on April 30, 2026, it also triggered a supply chain worm. Versions 2.6.2 and 2.6.3 of the official PyPI package - PyTorch Lightning by Lightning AI - were published maliciously after the publisher's credentials were stolen. No typosquatting involved; just account compromise. The trigger hid in a modified __init__.py file. On import, it spawned a background thread with no user interaction required. That thread ran _runtime/start.py (SHA256 8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2). The script checked for Bun JavaScript runtime v1.3.13, downloading it from GitHub if missing, then executed _runtime/router_runtime.js - a 14.8MB hex-obfuscated payload. The JS targeted cloud credentials across AWS (IMDSv2, STS, Secrets Manager), Azure (AD, Key Vault, Service Fabric), and GCP (OAuth2, metadata, KMS). It also hit browsers like Chrome, Firefox, and Brave, plus .env files, API keys, and GitHub tokens. Exfiltration went via HTTPS POST to an attacker C2 server. It used GitHub as a dead drop, committing logs prefixed "EveryBoiWeBuildIsAWormyBoi", and pushed changes directly to victim repositories. For persistence, the payload wrote to the developer's editor. In VS Code, it added a .vscode/tasks.json with "runOn: folderOpen" that fired node setup.mjs to re-pull the payload from /tmp. A Claude Code .claude/settings.json got a "SessionStart" hook doing the same. If a write token was grabbed, it dropped a malicious GitHub Actions workflow named "Formatter" to dump repo secrets. Lightning AI quarantined the packages and reverted to 2.6.1 from 12:45:20 to 13:27:30 UTC. PyPI logs ~11M monthly downloads for lightning. Microsoft Defender flags it as "ShaiWorm", linked to the Mini Shai-Hulud campaign with its Dune sandworm theme. No CVE assigned as of May 5, 2026. A trusted import became the vector for cloud and code compromise.

Canonical audited uutils coreutils 0.8.0 for Ubuntu inclusion. The Rust reimplementation of GNU coreutils failed on 113 issues. Zellic disclosed 44 CVEs on May 1, 2026. Ubuntu 26.04 sticks with GNU versions for cp, mv, and rm. TOCTOU races in those utilities couldn't be patched in time. Take CVE-2026-35352 in mkfifo. It creates the FIFO with mkfifo, then runs chmod separately. An attacker swaps the path for a symlink between syscalls, redirecting the chmod to alter a target file's permissions. CVE-2026-35364 in mv across devices removes the source before fully recreating the destination. That window lets symlink manipulation redirect data streams. In CVE-2026-35357 for cp, the destination gets umask-derived permissions like 0644 during creation, before chmod tightens them. On shared systems, contents are briefly readable by others. CVE-2026-35349 in rm bypasses --preserve-root via symlinks to /. Path validation skips canonicalization before unlinking. The pattern repeats across CVE-2026-35338 to CVE-2026-35381: chmod, chown, chgrp, mkfifo, mkdir, mktemp, cut, dd, tail, comm, sort, rm, cp, mv, install, touch, mknod, printenv, nohup, chroot, kill, id, ln, split, chcon, env, expr, tr. uutils relies on check-then-act with raw paths. GNU coreutils uses *at() syscalls and openat with O_NOFOLLOW for file-descriptor anchoring. Analysis by Collin Funk, GNU coreutils committer. seclists.org/oss-sec/2026/q… Rewriting core utilities demands more than syntax matching - it requires syscall discipline.

Nineteen years separate the first cataloged package manager path traversal (CVE-2007-0469) from this year's rediscovery (CVE-2026-34591, CVE-2026-35206). Same bug class. Same archive-extraction primitive. Different ecosystem. A new survey by Nesbitt catalogs a dozen CWE patterns that hit npm, PyPI, RubyGems, Composer, Cargo, Go, Helm, NuGet, and Conda over and over. A few standouts: Argument injection into VCS tools - six separate CVEs in one tool alone across git, hg, and Perforce wrappers (CVE-2021-29472, CVE-2022-36069, CVE-2021-43809, CVE-2023-5752, CVE-2022-24440, plus one more). Integrity checks that fail open: CVE-2016-1252 (clearsigned parser accepted unsigned content), CVE-2022-31156 (sig check silently skipped on error), CVE-2022-46176 (missing SSH host key on git index clones). Dependency confusion was already CVE-2013-0334 - eight years before its 2021 fame. Terminal escape sequences in package metadata: at least nine CVEs across four ecosystems. CocoaPods CVE-2024-38368: an orphaned admin API was left in place for ten years, until a researcher used it to claim 1,800 packages. The thesis: knowledge doesn't transfer between projects. Every ecosystem rediscovers the same dozen bugs from scratch. nesbitt.io/2026/05/04/pac…

A honeypot booter site, cyberzap.fun, drew only 14 fake orders before a researcher killed it. Lina (lina.sh) blogged the discovery on April 29, 2026. Run by Dutch National Police, the site went offline that day, replaced by a 401 error. bytecannon.net, a related honeypot domain, also disappeared. It belonged to Operation PowerOFF - Europol-led, with Dutch police, FBI, and UK NCA targeting DDoS-for-hire services. By April 17, 2026, the operation had seized 53 domains across 21 countries, made 4 arrests, executed 25 search warrants, and warned over 75,000 users. cyberzap.fun launched April 3, 2025. Registration required a Cloudflare Turnstile CAPTCHA and a one-time activation token by email. The dashboard mimicked a real booter: Gbps charts, connected-bot counters, attack-type selectors for UDP and HTTP floods, target by IP or URL. Payments via Bitcoin, Monero, PayPal, or credit card all returned "Payment Error." The history tab showed nothing but failed transactions. Lina's test attack registered as Request #15 - meaning 14 orders in 13 months, most of them likely internal testing. Hosted on bit.nl in Ede, Netherlands - a colocation provider regularly used by Dutch police. The MX records pointed there too. A sister domain, netcrashers.net, openly redirected to an Operation PowerOFF seizure warning. A multi-million-dollar trap, 14 orders in a year, killed by one curious blog post.

A VVIP got tracked across 9 countries in 4 hours. November 25, 2024. A Middle East operator subscriber. Citizen Lab's "Bad Connection" report walks through the full chain. The actor - STA1 - is a cloud-based C2 platform, likely a commercial surveillance vendor with multiple government clients. Active since November 2022. The phases: 10:39 - SS7 sendRoutingInfoForSM reconnaissance. 10:41 - SS7 provideSubscriberInfo from geographically distributed Global Titles. 10:46 - Diameter Insert-Subscriber-Data-Request, pivoting through Tango Networks UK and 019Mobile Israel. 10:56 - SS7 anyTimeInterrogation for escalation. 13:29 - Diameter queries spoofing AIS Thailand and China Unicom. 11 spoofed operator identities total. SEATEL Cambodia, Tmcel Mozambique, FL1 Liechtenstein, Utel Uganda, Polkomtel Poland - all impersonated by forging Origin-Host and Origin-Realm fields. Citizen Lab also documents STA2: a SIMjacker variant linked to Fink Telecom Services in Switzerland, used by a private firm working with governments. Likely thousands of devices affected. No CVE. SS7 has no authentication. Diameter trusts whoever names themselves. The protocols that route your calls were never built to ask who is asking.

A 732-byte Python script gets root on unpatched Linux. No per-distro tweaks. That's CVE-2026-31431, "Copy Fail." Discovered April 29. Added to CISA KEV on May 1. The flaw lives in authencesn - authenticated encryption with sequence numbers - inside the kernel crypto API. The chain: socket(AF_ALG) → bind("authencesn(...)") → splice(file → pipe) → splice(pipe → alg_fd) → recv() → 4 bytes written into the page cache of a setuid binary → root. Works unmodified on Ubuntu, RHEL, Amazon Linux, SUSE. Mainline patch landed at commit a664bf3d603d, but managed Kubernetes services haven't rolled patched node images yet. The defensive move while you wait: Tetragon as a DaemonSet, kprobe on __x64_sys_socket, match on address family 38 (AF_ALG), Override action returning EPERM. Kernel 4.19+. No BPF-LSM, no kernel cmdline edits, no node reboots. Modprobe blacklisting algif_aead won't help when it's compiled in. The kernel patch fixes the root cause but needs a reboot. Tetragon plugs the hole right now. isala.me/blog/mitigatin… When you can't patch fast, override the syscall.

"Sorry" ransomware hit roughly 44,000 cPanel servers. CVE-2026-41940 is the cPanel & WHM auth bypass watchTowr Labs (Sina Kheirkhah / @SinSinology) detailed April 29 in "The Internet Is Falling Down, Falling Down, Falling Down." All versions post-11.40 are affected. Patch landed April 28. Mechanism is CRLF (\r\n) smuggling in Basic Auth's `pass` field. With no sanitization, an unauthenticated request injects `hasroot=1\r\ntfa_verified=1\r\nuser=root` straight into `/var/cpanel/sessions/raw/` when the `` obfuscation component is empty, bypassing `docheckpass_whostmgrd`. The chain: a failed login mints a pre-auth session. A CRLF-laced `Authorization: Basic` header carries the payload. The raw session file accepts it. A token-rejected request to `/scripts2/listaccts` promotes the change into the JSON cache. The tampered session now grants root. Exploited as a zero-day for months before the fix. watchTowr's PoC is public on GitHub: …wr-vs-cPanel-WHM-AuthBypass-to-RCE.py. The "Sorry" payload is a Linux encryptor that appends `.sorry` and drops a uniform README.md pointing every victim to the same Tox contact. Per researcher Rivitna, files are wrapped with ChaCha20 plus an embedded RSA-2048 key - no decryption without the private key. cPanel powers over 70 million domains. Shadowserver clocked ~44,000 compromised IPs. A forgotten line ending in auth turned hosting control planes into ransomware vectors.

Copy and paste this in Terminal to install Homebrew. That's the instruction on a fake page that snared macOS users via Google ads. Discovered April 30, 2026, by SANS ISC and published May 1. The lure lives at sites.google.com/view/brewpage on Google Sites - still active as of publication. Search results for "Homebrew" route victims there through malvertising. The pasted command is a 225-byte ASCII script. It downloads a 1,448-byte zsh script from the C2 at glowmedaesthetics[.]com/curl/63810ee8b478... That zsh script decodes a base64-encoded 2,647-byte payload from the MacSync Stealer family. The stealer pops a legitimate-looking macOS password prompt via the native dialog. It grants Finder access to the Terminal process. Host data gets collected, archived as /tmp/osalogging.zip, and sent via HTTP to glowmedaesthetics[.]com. One-time execution with no long-term foothold. Abusing Google's infrastructure for the phishing host.

Noreply@appsheet.com sent phishing emails that bypassed filters and stole 30,000 Facebook accounts. The domain belongs to Google and authenticates as such, landing messages directly in inboxes. Campaign AccountDumpling, tracked by Guardio, launched in early April 2026. It hit that victim count by May 1 through multi-stage credential grabs. Each email carried a "Meta Support" notice: submit an appeal or face permanent account deletion. Data flowed to private Telegram channels from four clustered infrastructures. First: Netlify sites cloned the Facebook help center. Users entered DOB, phone details, and uploaded government ID photos, all sent straight to Telegram. Second: Vercel platforms branded as "Security Check" or "Meta | Privacy Center." They deployed fake CAPTCHAs to snag credentials, business information, and 2FA codes for Telegram bots. Third: PDFs hosted on Google Drive, designed in free Canva tools. Posing as verification guides, they prompted for passwords, 2FA, ID photos, and used html2canvas to snag screenshots. Fourth: Emails mimicking job offers from WhatsApp, Meta, Adobe, Pinterest, Apple, or Coca-Cola. These built trust over exchanges before linking to the phishing setups. The PDFs' Canva metadata betrayed the creator - PHẠM TÀI TÂN - connecting back to phamtaitan.vn, a digital marketing domain. Targets spanned the U.S., Italy, Canada, Philippines, India, Spain, Australia, U.K., Brazil, and Mexico. Trusted domains made the phishing indistinguishable from real alerts.

Drag a localhost URL to steal Microsoft 365 access. That's ConsentFix v3. Third iteration of a technique Push Security revealed in December 2025. Targets Azure/Entra ID tenants via OAuth2 code flow on pre-consented first-party apps. Recon phase: Validate Azure tenancy with tenant IDs. Gather employee details from Hunter.io and open sources. Infra setup: Disposable accounts across Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, Pipedream. Lure deployment: Microsoft login clone on Cloudflare Pages. Trigger genuine OAuth at login.microsoftonline.com. The hook: Post-auth, Microsoft redirects to localhost with the code. v3 prompts drag-and-drop to the phishing site. Token swap: Pipedream webhook grabs the code, exchanges for refresh token through Microsoft APIs. Persistence play: Inject tokens into Specter Portal. FOCI apps yield control over Outlook, Teams, OneDrive, SharePoint, Graph. No payloads dropped. No MFA tricked. No consent requested. Built-in trust chains erode with a single redirected drag.

A 4-byte page-cache write in Linux kernels since 2017 escalates to root via CVE-2026-31431. Disclosed by Xint.io and Theori to kernel maintainers on March 23, 2026. Patched April 1 in mainline commit a664bf3d603d, undoing a 2017 algif_aead speedup. Brian Pak's tweet broke it publicly April 29-30. Verified on Ubuntu 24.04 LTS kernel 6.17.0-1007-aws, Amazon Linux 2023 6.18.8-9.213.amzn2023, RHEL 10.1 6.12.0-124.45.1.el10_1, SUSE 16 6.12.0-160000.9-default. Hits Debian, Arch, Fedora, Rocky, Alma, Oracle, CloudLinux, Gentoo too. Not a race: a deterministic logic slip in authencesn. AF_ALG socket plus splice() delivers the payload. The proof-of-concept: 732 bytes Python, stdlib alone - os, socket, zlib. Unprivileged local access suffices. Step by step: Bind AF_ALG socket to authencesn using hmac(sha256) and cbc(aes). Assemble shellcode aimed at /usr/bin/su's page cache. Execute splice() for the 4-byte corruption. Launch su. Kernel passes the infected cache page, triggering root shellcode. Local unprivileged to root. 100% reliable per researchers, enables container escapes. Resets on reboot, no disk footprint. Requires local foothold; no direct remote path. Kernel optimizations from nearly a decade ago now hand root to anyone with shell access.

Erick Nascimento's SSH keys powered a botnet against Brazilian ISPs. Huge Networks, the Miami-based anti-DDoS firm he leads since 2014, saw its internals leaked in April 2026 by an anonymous source. The files included Portuguese malware samples and Nascimento's private keys. Built on a Mirai variant, the botnet infected TP-Link Archer AX21 routers through CVE-2023-1389, a patched command injection vulnerability from April 2023. Attacks used DNS reflection: small spoofed queries amplified responses by 60-70x from open resolvers. Leaked bash history revealed Python scripts from Huge Networks-assigned IPs scanning for router flaws and misconfigured DNS. Scripts hit Brazilian IP prefixes in bursts: 10-60 seconds each, four processes running parallel, then onto the next. C2 infrastructure pointed to hikylover[.]st and c.loyaltyservices[.]lol, domains flagged for Mirai activity. A DigitalOcean server at 174.138.89.122 orchestrated it all, drawing abuse reports throughout the year. Victims: small Brazilian ISPs unaffiliated with Huge Networks. Ex-customers reported retaliation: post-cancellation attacks ended only after adopting Computize mitigation. Nascimento's response: keys stolen in a January 2026 breach, bastion wiped January 11, no usage trace afterward. He accused a competitor without naming them, pointing to "blockchain-stored evidence" he won't disclose. This echoes past cases - Mirai creators owned a mitigation firm; May 2025 FBI action against a dual-role Brazilian operator. The mitigator becomes the threat.

router.workdir: "/tmp/x; sh; #" That JSON value handed researcher MrBruh root on a TP-Link TL-MR6400 router. His writeup disclosed it as CVE-2026-3841. The bug lives in the Telnet management CLI's `cli` binary, specifically the `mdlog prepare` handler. It reads `router.workdir` from a conf.json file with cJSON, then blindly appends the value to a busybox tftp shell command without sanitization. With authenticated Telnet access over LAN, the attacker stands up a rogue TFTP server and serves a tampered conf.json embedding the payload. When the router fetches and processes the file for mdlog prep, the concatenated command executes: tftp aborts at the semicolon, sh launches a root shell, and the comment discards the trailing args. TP-Link patched the flaw on 12 Mar 2026. MrBruh's writeup "Finding a RCE in my old TP-Link router" went up 30 Apr 2026 after a 120-day disclosure window. The resulting shell was fully interactive, no further exploits needed. One unsanitized string turns a config pull into code exec.

gem install knot-rspec-formatter-json The install script harvests your environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials, then exfiltrates the bundle to a Webhook.site endpoint. Socket flagged 7 malicious Ruby gems and 9 Go modules pushed by a GitHub account named "BufferZoneCorp". Two of each were sleepers - clean code, waiting for trust. The Go side is uglier. Beyond credential theft, the modules tamper with .github/workflows YAML, drop fake Go binaries into the build cache so future invocations execute attacker code, and append a hard-coded public key to ~/.ssh/authorized_keys for persistence after the runner spins down. Disclosed by Socket's Kirill Boychenko. The gems have been yanked, the Go modules blocked. CI runners hold every credential the company has and almost no one watches what they execute on install.

mbt v1.2.48 published to npm, compromised. Part of a April 29, 2026 attack on SAP's official packages: @cap-js/sqlite v2.2.2, @cap-js/postgres v2.2.2, @cap-js/db-service v2.10.1. Discovery led to immediate deprecation; no CVE. Medium confidence points to TeamPCP - same actors in Trivy, Checkmarx, Bitwarden CLI incidents. Flow began with malicious preinstall. Triggered setup.mjs download of Bun from GitHub. Bun launched obfuscated execution.js. Core payload: Python script targeting CI Runner.Worker process. Read /proc//maps for layout, /proc//mem for contents. Isolated JSON secrets: "key": {"value": "...", "isSecret":true}. Bypassed all GitHub Actions log protections. Extracted: npm/GitHub tokens, SSH, AWS/Azure/GCP creds, K8s secrets, CI/CD env vars. Encrypted haul uploaded to victim's own public GitHub repos, described as "A Mini Shai-Hulud has Appeared." Token validation via malware scanning for "OhNoWhatsGoingOnWithGitHub:" in commit messages. Trusted packages extract what pipelines try to hide.

root:x\r\nhasroot=1\r\ntfa_verified=1\r\nsuccessful_internal_auth_with_timestamp=1777462149 That CRLF-injected Authorization header unlocks WHM root via CVE-2026-41940. All cPanel & WHM versions vulnerable. Sina Kheirkhah (@SinSinology) of watchTowr Labs disclosed it April 29, 2026. KnownHost confirmed active exploitation before disclosure. cPanel stores sessions in two files: /var/cpanel/sessions/raw/ (plain text) and /var/cpanel/sessions/cache/ (JSON). saveSession in Cpanel/Session.pm strips NUL bytes but ignores \r\n. If the session cookie lacks the "ob" encryption component, the encoder doesn't run - plaintext writes go straight to disk. First: fail a login at /login/?login_only=1 on port 2087. This returns a whostmgrsession cookie without ob. Then: send a Basic Auth GET with the CRLF payload above in the Authorization header. Finally: GET /scripts2/listaccts triggers do_token_denied, which reads the raw file and rewrites the JSON cache with the injected fields. hasroot=1 and tfa_verified=1 land in the JSON cache. Password validation skipped. AUTH_OK returned unconditionally. Full WHM root. Security tokens exposed. Patches: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5. ~70 million domains run on cPanel. A missing \r\n filter turns a failed login into root.

ProcDump's GitHub mirror hid a RAT that phoned home via Ethereum. Deployed December 2025 to April 1, 2026, 44 facade repos on GitHub spoofed 37 admin tools. Detected in March 2026, they targeted searches for PsExec, Sysmon, AzCopy, LAPS, and similar on Bing, Yahoo, DuckDuckGo, Yandex. SEO poisoning pushed these clean facades to the top. Repos had innocent READMEs linking to secondary ones with malicious MSIs. Enterprise admins, DevOps engineers, and security analysts on Windows were the marks. Infection chain: MSI CustomAction launches obfuscated CMD batch downloading Node.js runtime from nodejs.org. AES-256-CBC decrypts an in-memory loader for the JavaScript RAT core. It sticks around with an HKCU Run key. C2 uses smart contract 0xc12c8d8f9706244eca0acf04e880f10ff4e52522, polled every 500ms via nine public RPC endpoints. Every 30 seconds, it beacons as fake browser assets - .png, .jpg, .css, .ico. Attackers switch C2 by editing the blockchain. Fileless and multi-stage, the RAT evades file scanners. Lazarus Group (North Korea) attribution from Contagious Interview overlaps. Tied to MuddyWater (Iran/APT34) by EtherHiding C2 code. No CVE assigned. Blockchain C2 made command-and-control unblockable and dynamic.

Claude Opus co-authored a malicious GitHub commit on February 28, 2026. The commit - cd3c6ccbfe02a0fcf249fdcf67fd3ec351a7ed7c - targeted an autonomous trading agent repository. It injected a tainted npm dependency, pulling in @validate-sdk/v2, first uploaded in October 2025. This was part of the PromptMink campaign, run by Famous Chollima (aka Shifty Corsair), a North Korean APT group focused on crypto developers. Benign wrappers like @solana-launchpad/sdk and @meme-sdk/trade silently imported the malicious packages, evading scans. In the Graphalgo campaign, attackers registered Blockmerce LLC in Florida (document L25000392646) in August 2025. They created fake firms Veltrix Capital and Bridgers Finance, with GitHub orgs active since June 2025. Job interviews delivered the packages: social engineering lured developers into installing them. UNC1069 (BlueNoroff/Lazarus) compromised axios, publishing csec-crypto-utils. It stole AWS keys, GitHub tokens, and .npmrc files, exfiltrating to csec-c2-server.onrender.com. The express-session-js RAT fetched a stage-2 payload from JSON Keeper, then connected to 216.126.237.71 via Socket.IO. It enabled keylogging, screenshots, clipboard monitoring, crypto wallet extraction, and remote mouse/keyboard control. Graphalgo's payload evolved from a 5.1KB JavaScript stealer to an 85MB Node.js SEA binary, plus NAPI-RS Rust modules for Windows, Linux, and macOS. Two-layer strategy across campaigns: benign outer packages passed automated checks, while inner dependencies ran the payloads. Supply chain layers hide threats where detection ends.

70,000 WordPress sites carried a dormant backdoor for nearly five years. Quick Page/Post Redirect plugin, with over 70,000 active installs as of April 2026, introduced the issue in versions 5.2.1 and 5.2.2 from 2020-2021. Those releases added a hidden self-updater pointing to w.anadnet.com - bypassing WordPress.org's signed update channel. In February 2021, the self-updater code was quietly removed from official WordPress.org versions. But in March 2021, a tampered build of version 5.2.3 was distributed via that external server. It had a different SHA-256 hash from the legitimate WordPress.org release. The backdoor hooked into WordPress's the_content filter, but activated only for logged-out visitors. Logged-in admins saw a clean site. The payload injected SEO content fetched from anadnet.com directly into page output - effectively renting Google rankings across 70,000 sites. Discovered in April 2026 by Austin Ginder at Anchor hosting, after alerts on 12 infected sites in his fleet. No CVE assigned. The plugin was pulled from WordPress.org pending review. The anadnet.com domain remains registered, but its C2 subdomain no longer resolves. Trusted code shipped from the official directory. Then quietly updated itself from somewhere else.

A .gemini/ config file in an untrusted repo grants arbitrary command execution via Google Gemini CLI. CVSS 10.0. No CVE. Affects @google/gemini-cli before 0.39.1 and 0.40.0-preview.3, plus google-github-actions/run-gemini-cli before 0.1.22. The vulnerability stems from CI/CD headless mode: Gemini CLI trusts workspace folders automatically, prior to sandbox setup. Attacker embeds the malicious config with tainted environment variables. CI loads the repository, config activates - commands run unchecked on the runner. Novee Security disclosed in late April 2026. Version 0.39.1 patches it by requiring explicit folder trust. GEMINI_TRUST_WORKSPACE must equal 'true'. --yolo mode enforces ~/.gemini/settings.json tool allowlists, preventing prompt injections from greenlighting run_shell_command. CVE-2026-26268 in Cursor IDE enables sandbox escape, CVSS 8.1. Attack begins with cloning a public GitHub repo concealing a bare repository. The bare repo's .git/config holds a malicious post-checkout hook. User opens the project, queries Cursor agent: "explain the codebase." Agent enters the bare repo, performs git checkout to master - hook executes, attacker payload runs with user privileges. Bypasses auth. No alerts. Patched in Cursor 2.5. Joint disclosure by Novee Security and Cursor, February 2026 advisory. Cursor's "CursorJacking" flaw, no CVE, CVSS 8.2, per LayerX. Malicious VS Code or Cursor extensions read the IDE's local SQLite database for API keys and tokens. Core secrets sit unisolated from extensions. Still unpatched through April 30, 2026. AI-assisted coding tools turn trusted environments into attack vectors.