❌

Normal view

Received β€” 29 April 2026 ⏭ Security

The Thymeleaf Template Injection That Only Hurts If You Let It

βœ‡/r/netsec - Information Security News & Discussion
By: /u/lirantal
29 April 2026 at 16:28

As we commonly know in appsec, not every vulnerability, even if critical 10 is relevant. This is a take from my buddy Brian Vermeer at Snyk, he's a Java Champion and offers his opinion as a developer to the Thymeleaf vulnerability CVE-2026-40478

submitted by /u/lirantal
[link] [comments]

SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack

βœ‡The Hacker News
By: Ravie Lakshmanan
29 April 2026 at 16:26
Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to reports from Aikido Security, Onapsis, OX Security,Β SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – calling itself the MiniΒ Shai-Hulud – has affected the following packages associated with

New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs

βœ‡The Hacker News
By: Ravie Lakshmanan
29 April 2026 at 14:43
Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real

Set up automated dependency scanning after the recent npm/PyPI supply chain attacks

βœ‡/r/netsec - Information Security News & Discussion
By: /u/root0ps
29 April 2026 at 13:33

With everything that's happened recently, the Axios npm account hijack, LiteLLM getting poisoned on PyPI, and that coordinated npm/PyPI/Docker Hub campaign in April, I finally stopped manually running npm audit and set up something proper.

Been running Dependency-Track for a few weeks now. It's an OWASP open source project that works differently from the usual scanners, you upload an SBOM for each project and it continuously monitors against NVD, OSS Index, GitHub Advisories, and more. New CVE drops affecting your stack? You get notified without doing anything.

Wrote up how I set it up on Hetzner with Docker, Traefik for HTTPS, and GitHub Actions to auto-generate and upload SBOMs on every push

submitted by /u/root0ps
[link] [comments]

Webinar: How to Automate Exposure Validation to Match the Speed of AI Attacks

βœ‡The Hacker News
By: Unknown
29 April 2026 at 12:02
In February 2026, researchers uncovered a shift that completely changed the game: threat actors are now using custom AI setups to automate attacks directly into the kill chain. We aren't just talking about AI writing better phishing emails anymore. We’re talking about autonomous agents mapping Active Directory and seizing Domain Admin credentials in minutes. The problem? Most defensive workflows

What to Look for in an Exposure Management Platform (And What Most of Them Get Wrong)

βœ‡The Hacker News
By: The Hacker News
29 April 2026 at 11:30
Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: "So, are we actually safer now?" Crickets. The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure

Critical cPanel Authentication Vulnerability Identified β€” Update Your Server Immediately

βœ‡The Hacker News
By: Ravie Lakshmanan
29 April 2026 at 09:37
cPanel has released security updates to address a security issue impacting various authentication paths that could allow an attacker to obtain access to the control panel software. The problem affects all currently supported versions of cPanel and WebHost Manager (WHM), according to an alert published by WebPros on Tuesday. It does not have an official identifier. The issue has been addressed in

CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV

βœ‡The Hacker News
By: Ravie Lakshmanan
29 April 2026 at 08:46
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2024-1708 (CVSS score: 8.4) - A path traversal vulnerability inΒ  ConnectWise ScreenConnect

LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure

βœ‡The Hacker News
By: Ravie Lakshmanan
29 April 2026 at 05:34
In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying

❌