This week's articles
A Security Engineer's Guide to MCP
MCP is quickly becoming the API standard for AI coding agents. That means new attack surfaces, and security engineers need to know how to test them safely.
#ai
#defend
#security
#strategy
From MCP to Shell
The article discusses security vulnerabilities in the Model Context Protocol (MCP) that enable remote code execution (RCE) in tools like Claude Code and Gemini CLI.
#attack
#ai
Malicious MCP Server on npm postmark-mcp Harvests Emails
On September 25, 2025, the npm package 'postmark-mcp' was compromised, secretly exfiltrating email contents. Learn about the incident timeline, impact, and immediate mitigation steps, including uninstalling, rotating credentials, and scanning.
#defend
#supply-chain
#ai
Exploiting GitHub Actions at Fortune-100 Companies
Part 2 of Orca's research showing how a single pull request was used to exploit GitHub Actions at Microsoft, Google, and Nvidia, leading to RCE and secret exposure.
#attack
#ci/cd
#defend
#github
#supply-chain
Terraform Search: Deep-Dive
One of the latest additions to Terraform is Terraform search. Although not a feature for directly manipulating your state file, it will likely be involved in the process of bringing existing infrastructure under management by Terraform. This post explains what Terraform search is, how it works, and shows a few examples of it in use.
#terraform
#iac
#explain
Critical Vulnerability in AI Vibe Coding Platform Base44
The Wiz Blog article discusses a critical vulnerability in the AI-powered vibe coding platform Base44, which was recently acquired by Wix. The vulnerability allowed unauthorized access to private applications by exploiting undocumented registration and email verification endpoints, bypassing authentication controls like Single Sign-On (SSO).
#ai
#attack
#saas
#build