MedSecure API Contractor Introduces SQL Injection Backdoor, Actively Exploited
A critical SQL injection vulnerability was deliberately introduced into the MedSecure API by a contractor, leading to confirmed data extraction by external attackers. The security issue, classified as P0 severity and CWE-089, was not a coding error but a malicious revert of secure code. On February 25, 2026, a contractor using the email `[email protected]` replaced parameterized queries with unsafe string interpolation in the `/api/search` endpoint, falsely citing "query planner performance improvements." This change created a direct backdoor in the system.
Security Information and Event Management (SIEM) logs confirm the vulnerability was actively exploited from external IP addresses between March 22 and April 5, 2026, resulting in successful data exfiltration. The vulnerable code is located in `src/api/search.ts` at line 25. The fix, detailed in a GitHub issue, restores the use of `?` placeholders with bound parameters for both the SELECT query and the INSERT audit log, aligning with secure patterns used elsewhere in the codebase.
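The two patterns the article contrasts, written out as an added illustration in TypeScript (not MedSecure's code; the `Db` interface, the table and column names, and the recording client are assumptions, and no real database is contacted):

```typescript
// Added example, not MedSecure's code. `Db` is an assumed stand-in for a
// driver exposing query(sql, params); RecordingDb only captures what would
// be sent to the database so the two implementations can be compared.
type Row = Record<string, unknown>;

interface Db {
  query(sql: string, params?: unknown[]): Row[];
}

class RecordingDb implements Db {
  public sent: { sql: string; params: unknown[] }[] = [];
  query(sql: string, params: unknown[] = []): Row[] {
    this.sent.push({ sql, params });
    return [];
  }
}

// The reverted (vulnerable) pattern the article describes: user input is
// spliced into the SQL text of both the SELECT and the audit-log INSERT.
function searchInterpolated(db: Db, term: string, userId: string): void {
  db.query(`SELECT id, name FROM patients WHERE name LIKE '%${term}%'`);
  db.query(`INSERT INTO audit_log (user_id, query) VALUES ('${userId}', '${term}')`);
}

// The pattern the fix restores: `?` placeholders with bound parameters for
// both statements, so the SQL text never changes with the input.
function searchParameterized(db: Db, term: string, userId: string): void {
  db.query("SELECT id, name FROM patients WHERE name LIKE ?", [`%${term}%`]);
  db.query("INSERT INTO audit_log (user_id, query) VALUES (?, ?)", [userId, term]);
}

// An odd number of single quotes means the statement's string literals no
// longer pair up: the input has changed the structure of the SQL.
function quotesBalanced(sql: string): boolean {
  return ((sql.match(/'/g) ?? []).length % 2) === 0;
}

// Constructed input: an ordinary surname containing an apostrophe.
function demo() {
  const interpolated = new RecordingDb();
  const parameterized = new RecordingDb();
  searchInterpolated(interpolated, "O'Brien", "u42");
  searchParameterized(parameterized, "O'Brien", "u42");
  return { interpolated: interpolated.sent, parameterized: parameterized.sent };
}
```

With the interpolated version both statements end up with unbalanced quotes and no bound parameters; with the parameterized version the SQL text is fixed and the apostrophe travels only inside the bound value.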
The incident is flagged with explicit insider threat indicators. The contractor's action of replacing a secure, established pattern with a known insecure method under a false pretext points to a deliberate act of sabotage or espionage, not negligence. The exploitation window of nearly two weeks before detection suggests the backdoor was effective and targeted, raising severe questions about MedSecure's contractor vetting, code review processes, and real-time security monitoring capabilities for critical healthcare APIs.