top of page
ALL POSTS
Agentjacking: How Attackers Trick AI Coding Agents Into Executing Malicious Code
Key Findings Agentjacking attacks trick AI coding agents into executing arbitrary code by injecting malicious payloads into Sentry error events, achieving 85% exploitation success rate At least 2,388 organizations exposed with valid injectable Sentry DSNs; attackers need only a publicly available credential to launch attacks OpenClaw AI agent vulnerable to hidden command injection through contact names, vCards, and location pins that bypass visual truncation and rendering Var
Jun 124 min read
Malicious VS Code AI Extensions Threaten Developer Security
Key Findings Two malicious Microsoft Visual Studio Code (VS Code) extensions, disguised as AI-powered coding assistants, have over 1.5 million combined installs and are stealing developer source code. The extensions, "ChatGPT - 中文版" and "ChatGPT - ChatMoss(CodeMoss)", capture every file being opened and every source code modification, and send the data to servers located in China without user knowledge or consent. The extensions also incorporate real-time monitoring and devic
Jan 262 min read
CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited
Key Findings: CISA has added two security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2009-0556: A code injection flaw in Microsoft Office PowerPoint that allows remote code execution CVE-2025-37164: A code injection vulnerability in HPE OneView that allows remote unauthenticated code execution Background CVE-2009-0556 is a memory corruption vulnerability in legacy Microsoft PowerPoint that was exploited in the wild in April 2009. It affects Powe
Jan 82 min read
bottom of page
