Clinejection: How a GitHub Issue Title Compromised an AI Coding Assistant Used by 5M Developers
TL;DR In December 2025, Cline — an AI coding assistant with over 5 million users — gave an...
Tag archive
TL;DR In December 2025, Cline — an AI coding assistant with over 5 million users — gave an...
GitLab has moved Dependency Scanning Auto-Remediation into beta, aimed squarely at the transitive supply-chain risk it just spent a research cycle measuring. The interesting question is not whether the fix ships, but whether anyone downstream trusts the bot enough to merge it.
Researchers at Novee catalogue Cordyceps, a class of CI/CD supply-chain exploit where pull requests and comments from untrusted contributors get executed with maintainer permissions. A scan of 30,000 high-impact repositories flagged 654 candidates and confirmed over 300 as fully exploitable, with named blast radius inside Microsoft, Google, Apache and Cloudflare.
Un atacante exfiltró 100GB de datos de Crunchyroll en 24 horas usando acceso de un empleado de Telus. 15M+ suscriptores potencialmente afectados. Sony no ha confirmado.
Every scanner involved in the March 2025 tj-actions/changed-files attack did exactly what it was...
Un ataque ransomware a Marquis, proveedor fintech de cientos de bancos en Texas, robó SSNs y datos financieros de 672,075 personas. La brecha silenciosa que duró meses.
Hackers accedieron a Navia durante 24 días (dic 2025 - ene 2026) robando SSNs y datos de salud de 2.7M personas. El Estado de Washington entre las víctimas.
Un ataque a la cadena de suministro comprometió Trivy, el scanner de seguridad open-source más usado en DevSecOps. 75 tags de GitHub secuestrados, Docker images maliciosas, worm y Kubernetes wiper.
TeamPCP — el grupo detrás del ataque a Trivy — lanzó CanisterWorm, un gusano npm que se auto-propaga por 135 paquetes usando tokens robados y un C2 en blockchain imposible de derribar.
Booking.com confirmed unauthorized third-party access to reservation data this week. The exposure didn't come from the core platform — it came from the vendor chain. Here's what failed and how to test for it.

In May 2026, 700+ compromised Laravel-Lang package versions shipped a credential stealer through Composer. Here's how to harden your Laravel deploy pipeline: --no-scripts, allow-plugins, lockfile discipline, scoped deploy keys, and a full incident checklist.
From tj-actions/changed-files (CVE-2025-30066, 23,000 repos) to Trivy (hackerbot-claw, March 2026) to Bitwarden CLI (April 2026). Real cases, IOCs, the pull_request_target misconfiguration that ties them together, and detection rules CI/CD teams can