Checkmarx Zero
@checkmarxzero.bsky.social
Specializing in breaking and protecting the building blocks of modern software development. From traditional #AppSec, through #opensource #SupplyChain threats, to #LLM security. https://checkmarx.com/zero/
It's important your developers understand these risks, because the agent's protections are far from enough. Think of it as "anti-phishing awareness" for AI agents.
Read at Checkmarx Zero: buff.ly/uWNTb5O 🧵4/4
Turning AI Safeguards Into Weapons with HITL Dialog Forging - Checkmarx
Human-in-the-Loop safeguards can be turned against the users of AI agents. Learn how the concepts of Lies in the Loop and HITL Dialog Forging can be turned against developers using agentic AI code…
December 16, 2025 at 8:06 PM
And depending on the implementation, these risks can range from "we should have made this more clear" to "this is an outright deception". Ori Ron takes us past LITL into HITL dialog forging, and shows how two different AI agents (#ClaudeCode and #CopilotChat) try to address this issue. 🧵3/4
December 16, 2025 at 8:06 PM
Checkmarx Zero already showed you how #LiesInTheLoop (LITL) can compromise the utility of the Human-in-the-Loop safety systems AI agents provide.

But that's only the start of the risk. Those same HITL prompts can have other security risks lurking within them. 🧵2/4
December 16, 2025 at 8:06 PM
So if an attacker can get CAI to use fake “credentials” or connection info from untrusted data -- as simple as sneaking an HTML comment into a served page on a target host -- they can make it run arbitrary system commands on the machine where CAI is installed.

More: buff.ly/x6gPiPf 🧵 4/4
Cybersecurity AI agent is Vulnerable to Command Injection (CVE-2025-67511) - Checkmarx
Cybersecurity AI agent for pentesting becomes a threat on its own, allowing attackers to inject malicious SSH hostnames in content to execute shell commands on the agent's host.
December 11, 2025 at 10:08 PM
This injection is possible because the tool builds and runs SSH commands using connection details (host, username, port) that it extracts and synthesizes from data found on services it is testing, but it doesn't properly escape them. Yep, bad sanitization again. 🧵 3/4
December 11, 2025 at 10:08 PM
CVE-2025-67511 affects all versions of the Cybersecurity AI (CAI) framework up to and including 0.5.9. If you use it, make sure you know how to reduce the risk of damage (see link above).

#CVE #CommandInjection #AISecurity #Cybersecurity 🧵 2/4
December 11, 2025 at 10:08 PM
If you rely on Elysia in production, review your validations and update now. Prototype-pollution chains are regularly abused in real-world exploits—don’t wait for this one to become the next incident. buff.ly/RCQHiLI
#ElysiaJS #AppSec #RCE #SecureDevelopers #JavaScriptSecurity 🧵5/5
December 11, 2025 at 3:42 PM
Upgrade to 1.4.17 immediately—especially if your app takes input from untrusted clients. If you sanitize or block __proto__ at your edge, your exposure is lower, but patching remains the safest path.
#PatchNow #APIsecurity #NodeJS #DefenseInDepth 🧵4/5
December 11, 2025 at 3:42 PM
Elysia’s popularity comes from its strong typing and smooth integration with OpenAPI workflows. That same schema-driven behavior makes this vulnerability impactful when multiple standalone validations (#Zod, #TypeBox, #ArkType) touch the same fields.
#OpenAPI #TypeSafety #SecureCoding 🧵3/5
December 11, 2025 at 3:42 PM
At its core, this is a prototype-pollution flaw—dangerous on its own—but in Elysia’s validation/merge logic, it becomes a stepping stone to full RCE under the server’s authority.
#PrototypePollution #WebSecurity #SupplyChainSecurity #BackendSecurity 🧵2/5
December 11, 2025 at 3:42 PM
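The mechanism behind a prototype-pollution flaw, as an added example that is not Elysia's code and makes no claim about where the bug sits in Elysia: a naive deep merge over a JSON body carrying a `__proto__` key writes into Object.prototype, so every object in the process inherits the attacker's values. A hardened merge and an edge check of the kind the thread mentions ("block __proto__ at your edge") close it. The request body and function names are constructed for the example.

```javascript
// Added example, not Elysia's code: how a deep merge over attacker-controlled
// JSON reaches Object.prototype through a "__proto__" key, a hardened merge
// that cannot, and an edge check that rejects such bodies up front.

// Constructed request body. It is parsed from a string on purpose: JSON.parse
// creates an *own* property literally named "__proto__", whereas an object
// literal with __proto__ would set the prototype instead.
const MALICIOUS_BODY = JSON.parse(
  '{"name":"alice","__proto__":{"isAdmin":true,"shell":"/bin/sh"}}');

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: Object.keys() returns "__proto__" when it is an own key, and
// target["__proto__"] is Object.prototype, so the recursive call writes the
// attacker's fields onto the prototype shared by every object in the process.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip prototype-related keys, recurse only into *own* plain
// objects on the target (an inherited "toString" must never become a merge
// target), and build nested containers with a null prototype.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMerge(own ? target[key] : Object.create(null), value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Edge check in the spirit of "block __proto__ at your edge": returns the
// JSONPath-style location of the first forbidden key, or null if clean.
function findPrototypeKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPrototypeKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
    const hit = findPrototypeKey(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Merges the payload the vulnerable way, records what an unrelated object now
// inherits, then removes the pollution so the rest of the process is usable.
function demoUnsafe() {
  const settings = unsafeMerge({}, MALICIOUS_BODY);
  const victim = {};                                   // unrelated, freshly created
  const leaked = {
    isAdmin: victim.isAdmin,                           // true: inherited from the prototype
    shell: victim.shell,
    settingsOwnsIsAdmin: Object.prototype.hasOwnProperty.call(settings, 'isAdmin'),
  };
  delete Object.prototype.isAdmin;
  delete Object.prototype.shell;
  return leaked;
}

function demoSafe() {
  const settings = safeMerge({}, MALICIOUS_BODY);
  return { isAdmin: ({}).isAdmin, name: settings.name, keys: Object.keys(settings) };
}

console.log('unsafe merge leaked:', demoUnsafe());
console.log('safe merge kept:', demoSafe());
console.log('edge check flags:', findPrototypeKey(MALICIOUS_BODY));
```

Note what the demo's `settingsOwnsIsAdmin` shows: the merged object itself never gets an `isAdmin` property, which is why per-field validation of the body can pass while every other object in the process now answers `isAdmin === true`. The edge check is cheap and runs before any schema logic sees the body, but it is a mitigation layered on top of patching, not a substitute for it.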
In our latest article, Dias takes apart the code step-by-step to help defenders understand the inner workings of this highly successful Shai-Hulud NPM malware campaign. buff.ly/dO5sLHC
December 9, 2025 at 3:42 PM
From payload construction to clever tactics for data exfiltration and self-propagation, the first round of Shai-Hulud took everyone by surprise. And despite the security community's work, a more aggressive "Second Coming" was able to bypass many detection methods.
December 9, 2025 at 3:42 PM
🚨 CVE-2025-65958 | Open WebUI | Authenticated SSRF (High)
Authenticated users can force the server to send HTTP requests to arbitrary URLs, enabling internal network scanning and access to internal services. Affects versions < 0.6.37.

Patch: Upgrade to v0.6.37

buff.ly/1dg6IHi
buff.ly/Yewlmqu
Server-Side Request Forgery (SSRF) - CVE-2025-65958 - DevHub
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any…
devhub.checkmarx.com
December 8, 2025 at 9:52 PM
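An added example, not Open WebUI's code, of the check a server-side fetch needs to avoid the SSRF class in this advisory: parse the user-supplied URL, allow only http/https on expected ports, reject embedded credentials, and require every address the host resolves to to lie outside loopback, private, link-local, multicast and cloud-metadata ranges. The DNS table, hostnames and resolver stub are constructed so the script runs offline.

```javascript
// Added example, not Open WebUI's code. Vets a user-supplied URL before the
// server fetches it. The resolver is injected so the example runs offline
// against a constructed DNS table; in production pass a real lookup.

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const parts = m.slice(1).map(Number);
  return parts.every((p) => p <= 255) ? parts : null;
}

// [network, prefix] pairs a server-side fetch must never reach. Not exhaustive
// (no NAT64/6to4 handling); extend to taste.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

const toNum = (parts) => parts.reduce((acc, p) => ((acc << 8) | p) >>> 0, 0);

function isBlockedIPv4Parts(parts) {
  const ip = toNum(parts);
  return BLOCKED_V4.some(([net, prefix]) => {
    const mask = (0xffffffff << (32 - prefix)) >>> 0;
    return ((ip & mask) >>> 0) === ((toNum(parseIPv4(net)) & mask) >>> 0);
  });
}

// Expands "::" and returns eight 16-bit groups, or null if malformed.
function ipv6Groups(addr) {
  if (!/^[0-9a-f:]+$/i.test(addr)) return null;
  const halves = addr.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (groups.some((g) => g === '' || g.length > 4)) return null;
  return groups.map((g) => parseInt(g, 16));
}

function isBlockedIPv6(addr) {
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(addr);   // resolver-style mapped form
  if (dotted) return isBlockedAddress(dotted[1]);
  const g = ipv6Groups(addr);
  if (!g) return true;                                          // fail closed on garbage
  const leadingZero = g.slice(0, 5).every((x) => x === 0);
  if (leadingZero && g[5] === 0xffff) {                        // ::ffff:a.b.c.d in hex form
    return isBlockedIPv4Parts([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if (leadingZero && g[5] === 0 && g[6] === 0 && g[7] <= 1) return true;  // :: and ::1
  return (g[0] & 0xfe00) === 0xfc00 ||                        // fc00::/7 unique local
         (g[0] & 0xffc0) === 0xfe80 ||                        // fe80::/10 link-local
         (g[0] & 0xff00) === 0xff00;                          // ff00::/8 multicast
}

function isBlockedAddress(addr) {
  const a = addr.replace(/^\[|\]$/g, '').toLowerCase();
  const v4 = parseIPv4(a);
  if (v4) return isBlockedIPv4Parts(v4);
  if (a.includes(':')) return isBlockedIPv6(a);
  return true;                                                  // not an IP literal: fail closed
}

// Constructed DNS table standing in for real lookups.
const FAKE_DNS = {
  'api.example.com': ['93.184.216.34'],
  'v6.example.com': ['2001:db8::10'],
  'metadata.google.internal': ['169.254.169.254'],
  'rebind.attacker.example': ['93.184.216.34', '10.0.0.7'],   // mixed public/internal records
};
function fakeResolve(host) {
  if (parseIPv4(host) || host.includes(':')) return [host];    // IP literal: nothing to look up
  return FAKE_DNS[host] || [];
}

const ALLOWED_PORTS = new Set([80, 443, 8080, 8443]);

function checkOutboundUrl(urlString, resolve) {
  let url;
  try { url = new URL(urlString); } catch (e) { return { ok: false, reason: 'unparsable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const port = url.port ? Number(url.port) : (url.protocol === 'https:' ? 443 : 80);
  if (!ALLOWED_PORTS.has(port)) return { ok: false, reason: `port ${port} not allowed` };
  // The WHATWG parser has already canonicalised 0x7f000001 / 2130706433 / 127.1
  // to 127.0.0.1, so the range check below sees the real target.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const addresses = resolve(host);
  if (addresses.length === 0) return { ok: false, reason: `${host} does not resolve` };
  // Every record must be clean: a name with one public and one internal record
  // is how round-robin and rebinding tricks slip past a "first answer" check.
  const bad = addresses.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `${host} resolves to blocked address ${bad}` };
  return { ok: true, host, port, addresses };
}

console.log(checkOutboundUrl('http://169.254.169.254/latest/meta-data/', fakeResolve));
console.log(checkOutboundUrl('https://api.example.com/v1/data', fakeResolve));
```

Two things the check alone does not cover and the fetch layer must: connect to one of the returned `addresses` rather than resolving the name a second time (otherwise a rebinding resolver answers differently at connect time), and disable automatic redirects so each hop goes back through `checkOutboundUrl` before it is followed.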
And of course, as always, we appreciate the support of Microsoft and OpenVSX, both of whom responded promptly and professionally.

#SupplyChainSecurity #MaliciousPackages #DeveloperSecurity #SoftwareSupplyChain #ExtensionSecurity #VisualStudioCode
December 5, 2025 at 4:04 PM
The adversary seems to have leveled up, artificially inflating install counts (thousands of installs with only a few downloads? Sus.) and releasing without a payload to gain adoption. They also hit #OpenVSX, an alternative to #VSCodeMarketplace; maybe they thought they'd sneak by us there? NOPE.
Taking Down More Malicious VSCode Extensions in the 'Prettier' Campaign - Checkmarx
As adversaries improve their tactics for getting malicious content into the Visual Studio Code Marketplace and Open VSX, Checkmarx Zero continues to defend the community. Here's the latest…
December 5, 2025 at 4:04 PM