This article explains how Cline’s issue‑triage bot was exploited via a three‑step chain—prompt injection, cache poisoning, and credential commingling—leading to an unauthorized package release that potentially affected about five million users.
A use-after-free (UAF) zero-day in Chrome, critical flaws in four VS Code extensions, and a Microsoft Copilot bug that leaked confidential emails. A review of security risks lurking in developers’ everyday tools.
In its February 2026 KEV catalog update, CISA added four vulnerabilities, including a Google Chrome use-after-free flaw (CVE-2026-2441). One of them dates back 17 years.
A CVSS 10.0 vulnerability in Dell RecoverPoint for VMs was found to have been exploited by the China-linked threat group UNC6201 for more than a year and a half.
A breakdown of how Notepad++'s WinGUp updater was hijacked through a hosting provider compromise and used to serve malicious binaries to selected users.
An unsafe deserialization vulnerability was found in PHPUnit's PHPT test runner. This article summarizes the risk to CI/CD pipelines and how to mitigate it.
A high-severity stack buffer overflow was found in OpenSSL 3.0 through 3.6. The CMS AuthEnvelopedData path can be attacked without authentication. Update now.
An explanation of a new attack technique that abuses GitHub’s fork feature and commit display behavior to distribute malware via links that look like official repository URLs.
A Dolby decoder vulnerability fixed in the January 2026 Android security update. It could allow arbitrary code execution simply by receiving an audio file.
Node.js security patches that had been delayed since December 2025 were finally released. This article summarizes the eight vulnerability fixes, including three High-severity issues.