Shiva Sankar
@shivasurya.bsky.social
Senior SWE @cartainc | CS UWaterloo | prev @Dropbox | Author - Code Pathfinder (http://codepathfinder.dev) - open-source AI-native static code analysis
This week in appsec: Issue #19

> Roundcube forgot SVG image bypasses remote image blocking

> First malicious MCP in the wild: postmark-mcp v1.0.16

> Claude Opus 4.6 autonomously discovered hundreds of real 0-days in heavily fuzzed OSS projects

appsecweekly.net/p/issue-19-a...

#appsec
Issue #19 - Appsec Weekly 🛡️ - Feb 9, 2026
Your go-to source for the latest in application security trends, tools, and insights!
appsecweekly.net
February 11, 2026 at 2:11 AM
This week in appsec: Issue #18

> GCP Apigee cross-tenant bug leaked plaintext tokens via metadata server pivot

> Notepad++ supply chain attack ran June-Dec 2025

> Moltbook exposed 1.5M agent tokens

> Deno Sandbox: <1s microVMs for untrusted LLM code

appsecweekly.net/p/issue-18-a...
Issue #18 - Appsec Weekly 🛡️ - Feb 3, 2026
Your go-to source for the latest in application security trends, tools, and insights!
appsecweekly.net
February 5, 2026 at 1:54 AM
New AppSec Weekly Issue #17 covers

💣 the cURL bug bounty program ending
🔥 automated exploit generation with LLMs,
⚓ nodes/proxy GET behavior in Kubernetes.

Plus tools for LAN discovery and PDF sanitization.
appsecweekly.net/p/issue-17-a...
Issue #17 - AppSec Weekly 🛡️
Your go-to source for the latest in application security trends, tools, and insights for the third week of January 2026!
appsecweekly.net
January 28, 2026 at 11:49 PM
Reposted by Shiva Sankar
New galaxies. New friends. Yoshi joins the adventure. The Super Mario Galaxy Movie is only in theaters April 1.
January 25, 2026 at 2:13 PM
Issue #16 of AppSec Weekly

🪏 CodeBreach: AWS CodeBuild misconfiguration → full SDK takeover
🪏 Google weaponizes Net-NTLMv1 with rainbow tables
🪏 OpenCode CVSS 10.0 RCE (unauthenticated localhost server)
🪏 Svelte ecosystem: 5 CVEs DoS + XSS
🪏 Handling shell secrets without leaking to /proc
#AppSec
January 21, 2026 at 2:01 AM
Issue #15 of AppSec Weekly 🛡️

🪓 6-bug chain → pre-auth RCE in LogPoint SIEM
🪓 PassSeeds: hijacking passkeys for crypto beyond WebAuthn
🪓 Tailscale kills default TPM encryption
🪓 Malicious VS Code extensions in the wild
🪓 Notion AI prompt injection exfiltration
🪓 npm staged publishing post

#AppSec
January 11, 2026 at 3:43 AM
Started publishing weekly roundups of what's happening in #AppSec

🪏 MongoDB CVE that hit self-hosted instances
🪏 tokenless CSRF making it into OWASP guidance
🪏 OpenPGP implementation bugs
🪏 LangChain CVE-2025-68664
🪏 TruffleHog's JWT liveness checks

appsecweekly.net/p/issue-14-a...

#DevSecOps
Issue #14 - AppSec Weekly - Jan 2026 🛡️
Your go-to source for the latest in application security trends, tools, and insights from the first week of January 2026
appsecweekly.net
January 2, 2026 at 2:44 AM
Hello bluesky 🦋!
December 2, 2024 at 6:16 PM