Part one of a two-part series on GitHub Actions security, covering the core threat model, common misconfigurations, and real-world attack examples.
https://www.wiz.io/blog/github-actions-security-threat-model-and-defenses
#github
Please open Telegram to view this post
VIEW IN TELEGRAM
👍2❤1🔥1
A lightweight intro to passkeys from Google.
https://bughunters.google.com/blog/passkeys-are-your-new-best-friend
#iam
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥4❤2👍2
Amazon's RuleForge is a multi-agent AI system that auto-generates CVE detection rules from exploit PoC code. It uses parallel generation (via Amazon Bedrock/Fargate), a separate judge model (reducing false positives by 67%), and multistage validation, achieving 336% faster rule production than manual workflows while keeping humans in the final approval loop.
https://www.amazon.science/blog/how-amazon-uses-agentic-ai-for-vulnerability-detection-at-global-scale
#AI
Please open Telegram to view this post
VIEW IN TELEGRAM
❤2👍2🔥1
Cloudflare built a CI-native, plugin-based AI code review system using OpenCode, orchestrating up to 7 specialised agents (security, performance, code quality, etc.) per merge request. It processed 131K reviews across 48K MRs, averaging $0.98/review at 3m39s median latency, with an 85.7% prompt cache hit rate.
https://blog.cloudflare.com/ai-code-review
#AI
Please open Telegram to view this post
VIEW IN TELEGRAM
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
A walkthrough of my Claude Code setup across a multi-project monorepo: global settings, safety guardrails, a context/plan/code workflow, subagents and plugins, and the StarCraft-themed customisations that make the terminal feel like mine.
https://blog.marcolancini.it/2026/blog-my-claude-code-setup
#ClaudeCode
Please open Telegram to view this post
VIEW IN TELEGRAM
❤2👍2🔥2
Fast and accurate AI powered file content types detection.
https://github.com/google/magika
#AI
Please open Telegram to view this post
VIEW IN TELEGRAM
❤2👍1🔥1
Wiz Research discovered CVE-2026-3854 (CVSS 8.7): an unsanitized semicolon injection in GitHub's X-Stat internal header allows any authenticated user to override security fields via git push -o, achieving RCE on GitHub com and full GHES server compromise.
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
#github
Please open Telegram to view this post
VIEW IN TELEGRAM
👍3❤1🔥1
OpenShell is the safe, private runtime for autonomous AI agents.
https://github.com/NVIDIA/OpenShell
#AI
Please open Telegram to view this post
VIEW IN TELEGRAM
❤2👍2🔥2
Postman is sharing the evolution of their Security Review Process (SRP). What didn't work, what they changed, and how they built SRP v2, a risk-based, automation-first security model embedded directly into their SDLC.
https://blog.postman.com/how-we-scaled-security-reviews-without-slowing-down-engineering
#SRP
Please open Telegram to view this post
VIEW IN TELEGRAM
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
How Block built benchmrk, a harness for measuring SAST scanner efficacy against ground truth you control.
https://engineering.block.xyz/blog/proof-not-promises-evaluating-code-scanner-efficacy
#SAST
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
NVD's April 2026 scope reduction (enriching only KEVs and critical federal software) collides with AI-accelerated vulnerability discovery (e.g., Claude Mythos), creating a dangerous gap in OSS CVE coverage.
https://pulse.latio.tech/p/building-an-ai-ready-vulnerability
#AI
Please open Telegram to view this post
VIEW IN TELEGRAM
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
🔶 The Danger of Multi-SSO AWS Cognito User Pools
This post explores security anti-patterns in multi-SSO AWS Cognito User Pools: ghost identity injection via misconfigured Lambda triggers, "triggerSource" blind spots, sub-splitting attacks on "event.userName", and IdP identifier hijacks. It also introduces "maSSO", a weaponized OIDC/SAML IdP for pentesting.
https://blog.doyensec.com/2026/05/05/cloudsectidbits-masso-cognito-sso.html
#aws
This post explores security anti-patterns in multi-SSO AWS Cognito User Pools: ghost identity injection via misconfigured Lambda triggers, "triggerSource" blind spots, sub-splitting attacks on "event.userName", and IdP identifier hijacks. It also introduces "maSSO", a weaponized OIDC/SAML IdP for pentesting.
https://blog.doyensec.com/2026/05/05/cloudsectidbits-masso-cognito-sso.html
#aws
❤1👍1🔥1
Research disclosing that ChatGPT, Claude, Grok, and Perplexity embed third-party trackers (Meta, Google, TikTok) that leak conversation URLs, email hashes, and user identifiers, often bypassing cookie consent. via client-side pixels and server-side forwarding.
https://leakylm.github.io
#AI
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
Wiz researchers analysed popular AI GitHub Actions (Anthropic, OpenAI, Google) and found: bot permission-check bypasses enabling untrusted external apps to trigger AI workflows, novel credential-file exfiltration vectors unrecognised by LLMs as sensitive, and widespread misconfigurations in repos with 200,000+ combined stars.
https://www.wiz.io/blog/github-actions-security-ai-powered-actions-vulnerabilities
#AI
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1