The Lab · 2026-03-25 21:57:02 · The Register
A new vulnerability in the AI development pipeline involves no traditional malware at all, relying instead on poisoned documentation to compromise coding agents. The attack vector, demonstrated in a proof-of-concept against the service Context Hub, reveals a critical weakness in how AI assistants consume and trust exter...
The Lab · 2026-03-30 09:27:04 · GitHub Issues
A critical security flaw in the SEC's GitHub Actions workflow, `pr-loop.yml`, creates a direct path for attackers to steal high-value API secrets, including the `ANTHROPIC_API_KEY` and `ALEXS_CODEX_KEY`. The vulnerability is a textbook 'pwn request' scenario, where the workflow's configuration grants it access to the r...
The Lab · 2026-03-30 11:27:14 · GitHub Issues
A critical security flaw, identified as prototype pollution, has been patched in the widely used `ini` npm package, a fundamental library for parsing INI configuration files across the Node.js ecosystem. The vulnerability, tracked as GHSA-qqgx-2p2h-9c37, existed in all versions prior to 1.3.6. If exploited, an attacker...
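Prototype pollution in an INI parser comes from treating section and key names taken from the file as plain JavaScript object keys. The parser below is an added example written for this page, deliberately minimal, and is not the `ini` package's implementation or its patch; it shows the class of bug (a `[__proto__]` section resolving to `Object.prototype`) and the two standard guards, null-prototype containers and a denylist of `__proto__`, `constructor` and `prototype`. The INI input is constructed.

```javascript
// Added example: a minimal INI parser built for this page to show how a section or
// key named __proto__ pollutes Object.prototype, and the guards that stop it.
// It is NOT the ini package's implementation.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed malicious input: the [__proto__] section is the attacker's payload.
const MALICIOUS_INI = [
  '[database]',
  'host = localhost',
  '[__proto__]',
  'polluted = yes',
].join('\n');

function parseIni(text, { hardened = false } = {}) {
  // Hardened mode: containers with no prototype chain, so out['__proto__'] is a plain
  // own-property lookup (undefined) instead of a walk up to Object.prototype.
  const container = () => (hardened ? Object.create(null) : {});
  const out = container();
  let section = out;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const sec = line.match(/^\[(.*)\]$/);
    if (sec) {
      const name = sec[1].trim();
      if (hardened && FORBIDDEN_KEYS.has(name)) {
        section = container(); // swallow the whole section; nothing reaches `out`
        continue;
      }
      // Unsafe path: out['__proto__'] resolves to Object.prototype, which is truthy,
      // so `section` becomes Object.prototype and every later key is written there.
      if (!out[name]) out[name] = container();
      section = out[name];
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (hardened && FORBIDDEN_KEYS.has(key)) continue;
    section[key] = value;
  }
  return out;
}

// Runs the unsafe parse, observes the pollution on an unrelated object, undoes it,
// then runs the hardened parse and returns what each step saw.
function demonstrate() {
  const before = ({}).polluted;            // undefined
  parseIni(MALICIOUS_INI);                 // unsafe: writes Object.prototype.polluted
  const afterUnsafe = ({}).polluted;       // 'yes' on every object in the process
  delete Object.prototype.polluted;        // undo so the rest of the process is clean
  const cfg = parseIni(MALICIOUS_INI, { hardened: true });
  const afterSafe = ({}).polluted;         // undefined
  return { before, afterUnsafe, afterSafe, cfg };
}

console.log(demonstrate());
```

The null-prototype container alone already defeats the `[__proto__]` section, because there is no `__proto__` accessor to reach; the denylist is kept as a second line so that a later refactor back to plain objects does not silently reopen the hole.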
The Lab · 2026-04-01 01:56:57 · Hacker News
AI recruiting startup Mercor has confirmed a security breach after an extortion-focused hacking group claimed responsibility for stealing data from the company's internal systems. The incident is directly tied to the compromise of the open-source LiteLLM project, a widely used library for unifying large language model ...
The Lab · 2026-04-02 01:26:57 · GitHub Issues
The Kubernaut Agent's core investigation pipeline is vulnerable to prompt injection attacks, as it processes untrusted content from multiple Kubernetes sources directly into its LLM context window without any sanitization or detection. This creates a direct path for attackers to manipulate the agent's reasoning and out...
The Lab · 2026-04-02 09:57:08 · Inc42
A critical software supply chain attack on the widely-used Axios library has exposed the fragility of modern development ecosystems. On March 31, 2026, attackers seized control of a trusted maintainer account and injected malicious code directly into official Axios updates. This breach, though lasting only hours, sprea...
The Lab · 2026-04-04 05:26:57 · GitHub Issues
A critical security vulnerability has been exposed in a GitHub issue triage system, where an attacker successfully manipulated an AI bot's instructions to force it to post a specific, unauthorized verification message. The exploit, described as an "agentic workflow injection," overrides the bot's standard operating pro...
The Network · 2026-04-04 20:26:56 · GitHub Issues
The threat landscape has intensified, with ransomware-as-a-service (RaaS) operations and sophisticated supply chain attacks driving a surge in critical incidents. Over the past 24 hours, six reports were rated critical, dominated by DragonForce claiming five new victims across pharmaceuticals, manufacturing, and retail...
The Lab · 2026-04-05 15:27:03 · GitHub Issues
A critical security vulnerability pattern has been identified in GitHub Actions workflows, exposing sensitive tokens and secrets. An automated scan of a major open-source repository revealed 422 instances where authentication tokens and secrets are directly interpolated into `run:` blocks within CI/CD pipelines. This p...
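The two GitHub Actions weaknesses in this digest, the 'pwn request' shape in `pr-loop.yml` and secrets interpolated into `run:` blocks, can be caught by the same static check. The scanner below is an added example written for this page, not the SEC's workflow or any GitHub tooling; the workflow text is constructed, the secret names are reused only as labels, and the rule names are illustrative.

```javascript
// Added example: a line-oriented scanner for two GitHub Actions anti-patterns.
// The workflow text is CONSTRUCTED for this example and is not the real pr-loop.yml.
const SAMPLE_WORKFLOW = `
name: pr-loop
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - name: run agent
        run: |
          npm ci
          ./agent --key "\${{ secrets.ANTHROPIC_API_KEY }}"
      - name: safe step
        env:
          CODEX_KEY: \${{ secrets.ALEXS_CODEX_KEY }}
        run: ./codex --key "$CODEX_KEY"
`;

const SECRET_EXPR = /\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}/g;
const PR_HEAD_REF = /github\.event\.pull_request\.head\.(sha|ref)/;
const indentOf = (line) => line.match(/^ */)[0].length;

// Collect every `run:` step as a list of {no, text}, following a block scalar (| or >)
// by indentation so multi-line scripts are covered.
function runBlocks(lines) {
  const blocks = [];
  for (let i = 0; i < lines.length; i++) {
    const m = lines[i].match(/^(\s*)(?:-\s+)?run:\s*(.*)$/);
    if (!m) continue;
    const base = m[1].length;
    const block = [{ no: i + 1, text: m[2] }];
    if (/^[|>]/.test(m[2].trim())) {
      for (let j = i + 1; j < lines.length; j++) {
        if (lines[j].trim() !== '' && indentOf(lines[j]) <= base) break;
        block.push({ no: j + 1, text: lines[j] });
      }
    }
    blocks.push(block);
  }
  return blocks;
}

function scanWorkflow(yamlText) {
  const lines = yamlText.split('\n');
  const findings = [];
  // Rule 1: a secret expanded inline in a run: script. The runner substitutes the value
  // into the script text before the shell sees it, so it lands in the process command
  // line and in anything that echoes or logs the script. Passing it via env: (as the
  // 'safe step' above does) keeps it out of the script text.
  for (const block of runBlocks(lines)) {
    for (const { no, text } of block) {
      for (const m of text.matchAll(SECRET_EXPR)) {
        findings.push({ rule: 'secret-in-run', line: no, secret: m[1] });
      }
    }
  }
  // Rule 2: 'pwn request' shape. pull_request_target runs with the base repository's
  // secrets; checking out the PR head and then executing anything from that tree
  // (npm ci, make, tests) hands that privileged context to the PR author.
  const prTarget = lines.some(
    (l) => /^\s*(-\s*)?pull_request_target\s*:?\s*$/.test(l) || /^\s*on:.*\bpull_request_target\b/.test(l)
  );
  if (prTarget) {
    lines.forEach((l, i) => {
      if (PR_HEAD_REF.test(l)) findings.push({ rule: 'pwn-request', line: i + 1 });
    });
  }
  return findings;
}

console.log(JSON.stringify(scanWorkflow(SAMPLE_WORKFLOW), null, 2));
```

On the constructed workflow the scanner reports the `ANTHROPIC_API_KEY` interpolation inside the `run: |` block and the checkout of the PR head under `pull_request_target`; the `ALEXS_CODEX_KEY` step is not flagged because the secret is passed through `env:` and the script only references the variable.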
The Lab · 2026-04-06 02:27:00 · GitHub Issues
The Kubernetes package manager Helm has disclosed a high-severity security vulnerability that lets an attacker execute arbitrary code locally via a specially crafted `Chart.yaml` file. The flaw is tracked as CVE-2025-53547 (GHSA-557j-xg8c-q2mm) and was found by a Helm project contributor; the core risk lies in the dependency update flow. When a user processes a `Chart.yaml` containing malicious content together with its associated `Chart.lock` file, an attacker can exploit the flaw to achieve code injection and execution on the target system.
The vulnerability details show that the attack vector is concentrated in specific fields of the `Chart.yaml` file. When Helm parses these fields and processes dependencies, maliciously constructed content may bypass safety restrictions and trigger an unintended code execution path. The impact is broad, because Helm ...
The Lab · 2026-04-10 00:39:39 · GitHub Issues
A critical vulnerability in the EngageLab SDK has exposed an estimated 50 million Android users to potential compromise, including roughly 30 million identified as cryptocurrency wallet holders. This flaw represents a severe supply-chain security failure, placing a massive user base at direct risk of dat...
The Lab · 2026-04-11 15:22:33 · GitHub Issues
A critical security gap has been identified in the deployment pipeline, where container images are being deployed without any vulnerability scanning, signature verification, or registry authentication. This leaves the infrastructure exposed to known CVEs, supply chain attacks, and potential malicious payloads. The curr...
The Lab · 2026-04-13 15:22:51 · TechCrunch
A significant data breach at business analytics firm Anodot has left more than a dozen of its corporate customers facing extortion demands. The attack, which targeted Anodot's systems, successfully exfiltrated sensitive data, placing major companies like Rockstar Games in the crosshairs of cybercriminals. This incident...
The Lab · 2026-04-15 00:22:48 · GitHub Issues
Microsoft's April 2026 Patch Tuesday is a critical security event, addressing a total of 167 vulnerabilities. The most urgent fix is for a zero-day vulnerability in SharePoint, a widely used enterprise collaboration platform. The presence of an actively exploited zero-day elevates the immediate risk for organizations, ...
The Lab · 2026-04-17 09:22:43 · GitHub Issues
A critical vulnerability in Kyverno's policy engine can inadvertently leak the powerful controller service account token to external, potentially malicious servers. The flaw, tracked as CVE-2026-40868, resides in the `apiCall` servicecall helper, which automatically injects an `Authorization: Bearer` header using Kyver...
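The failure mode here is a bearer token attached to a request whose destination is attacker-controlled. The check below is an added example written for this page, not Kyverno's code or its fix: an allowlist that attaches the controller token only when the request origin is the in-cluster API server, and that handles the URL tricks (cleartext downgrade, embedded userinfo, look-alike hostnames) a naive hostname comparison lets through. The API server address and the token value are assumptions; the sample destinations are constructed.

```javascript
// Added example: an allowlist for attaching a service-account bearer token to an
// outbound service call. Not Kyverno's code; the API server address and token are
// assumptions made for this page. In a pod the address would come from
// KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT rather than a constant.
const API_SERVER = 'https://kubernetes.default.svc:443';

function headersForServiceCall(targetUrl, token, apiServer = API_SERVER) {
  const headers = { Accept: 'application/json' };
  const deny = (reason) => ({ headers, tokenAttached: false, reason });
  let target, api;
  try {
    target = new URL(targetUrl);
    api = new URL(apiServer);
  } catch {
    return deny('unparseable URL');
  }
  // TLS only: a cleartext call to the right host still exposes the token on the path.
  if (target.protocol !== 'https:') return deny('not https');
  // https://kubernetes.default.svc@attacker.example/ parses with host attacker.example;
  // a "contains the API host" substring check would accept it.
  if (target.username || target.password) return deny('credentials embedded in URL');
  // Compare the full origin (scheme + host + port). Prefix or suffix matches on the
  // hostname let kubernetes.default.svc.attacker.example through.
  if (target.origin !== api.origin) return deny(`origin ${target.origin} is not the API server`);
  headers.Authorization = `Bearer ${token}`;
  return { headers, tokenAttached: true, reason: 'in-cluster API server' };
}

// Constructed sample destinations a policy might point a service call at.
const SAMPLES = [
  'https://kubernetes.default.svc/api/v1/namespaces',
  'https://attacker.example/collect',
  'http://kubernetes.default.svc/api/v1/namespaces',
  'https://kubernetes.default.svc.attacker.example/api',
  'https://kubernetes.default.svc@attacker.example/',
];
for (const u of SAMPLES) {
  const r = headersForServiceCall(u, 'constructed-token');
  console.log(`${r.tokenAttached ? 'ATTACH' : 'skip  '} ${u} (${r.reason})`);
}
```

Only the first sample gets the `Authorization` header; the other four are refused for the reason the function returns, which is the property worth keeping in a log line when a policy's `apiCall` target is rejected.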
The Lab · 2026-04-20 02:22:29 · CoinDesk
A security breach at cloud platform Vercel has triggered a scramble among cryptocurrency developers to secure their API keys. The incident, which may be linked to a compromised AI tool, potentially exposed sensitive credentials used by application frontends. These frontends serve as the critical user-facing layer conne...
The Lab · 2026-04-20 15:22:58 · TechCrunch
Vercel, the popular frontend cloud platform, has confirmed a security breach where hackers stole customer data. The intrusion was not a direct attack on Vercel's own systems but a sophisticated supply-chain exploit. According to the company, attackers leveraged a prior, separate security breach at Context AI, an AI sta...
The Lab · 2026-04-20 22:22:30 · Protos
A critical breach at Vercel, the cloud platform behind countless crypto frontends, has triggered urgent warnings for DeFi users to halt interactions, as attackers now potentially control the delivery pipeline for web applications. The intrusion, which Vercel CEO Guillermo Rauch attributes to an employee compromised via...
The Lab · 2026-04-21 04:22:46 · GitHub Issues
A breach at AI tool vendor Context.ai has cascaded into a significant security incident at software giant Vercel, exposing the hidden risks of third-party integrations and employee access. Threat actors, after compromising Context.ai, used that foothold over the weekend to infiltrate Vercel's systems. The attack vector...
The Lab · 2026-04-21 10:33:33 · Medianama
Cloud platform Vercel has confirmed a breach of its internal systems, with attackers gaining entry through a compromised third-party AI tool. The incident exposed a 'limited subset' of customer data, specifically non-sensitive environment variables. Vercel maintains its core services are operational and that sensitive ...