When it comes to supply chain security, speed and focus are critical. Not every headline or vulnerability deserves equal attention, but the right ones demand fast detection, clear prioritization, and timely action. This newsletter is designed to cut through the noise and spotlight the issues worth acting on.
This month, that includes MCPoison in Cursor IDE introducing trust bypasses, DeepChat suffering one-click RCE, nginx-defender exposing weak admin credentials, and Copier enabling unauthorized filesystem reads. On the CI/CD front, OpenSSF’s MLSecOps guide and Alpha-Omega’s SBOM whitepaper highlight practical steps for resilience, while malicious PyPI and npm packages continue to exploit dependencies, underscoring the need for proactive monitoring and response. Let's dig in!
The NIST CVSS score has not yet been provided, while GitHub’s CNA assessment assigns a high base score of 7.2. Cursor’s IDE automatically scans the .cursor/ directory when a project is opened and processes any MCP-related files, facilitating smooth execution of trusted tools. However, this introduces potential security risks in collaborative settings, as MCPs follow a one-time approval model: once a user approves an MCP configuration, any subsequent changes to its commands or arguments are trusted without further validation or prompts.
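A defender-side check for the one-time approval model described above, added here as an example (not Cursor's code): fingerprint each MCP server's command, args and env at approval time and fail CI when a later change to the shared config alters any of them. The .cursor/mcp.json filename, the {"mcpServers": ...} layout and both sample configs are assumptions constructed for the example.

```python
import hashlib
import json

# Constructed sample: the MCP config as a reviewer approved it. The
# {"mcpServers": {name: {"command", "args", "env"}}} layout is the common MCP
# config shape; it is assumed to match what Cursor reads from .cursor/mcp.json.
APPROVED_CONFIG = json.loads("""{"mcpServers": {
  "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "./src"]},
  "fetch": {"command": "uvx", "args": ["mcp-server-fetch"]}}}""")

# Constructed sample: the same file after a later commit widened the
# filesystem server's root to "/" and added a server nobody reviewed.
CURRENT_CONFIG = json.loads("""{"mcpServers": {
  "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]},
  "fetch": {"command": "uvx", "args": ["mcp-server-fetch"]},
  "notes": {"command": "node", "args": ["./tools/notes.js"]}}}""")

def fingerprint(server: dict) -> str:
    """Hash only the fields that decide what executes: command, args, env.
    Canonical JSON (sorted keys, no whitespace) keeps the hash stable."""
    material = {"command": server.get("command", ""),
                "args": list(server.get("args", [])),
                "env": dict(server.get("env", {}))}
    encoded = json.dumps(material, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def approval_manifest(config: dict) -> dict:
    """{server_name: fingerprint}, committed next to the config when approved."""
    return {name: fingerprint(srv) for name, srv in config["mcpServers"].items()}

def detect_drift(manifest: dict, config: dict) -> dict:
    """Return {server_name: 'unchanged' | 'changed' | 'new' | 'removed'}.
    Anything other than 'unchanged' should re-trigger a human approval."""
    live = config.get("mcpServers", {})
    status = {}
    for name in set(manifest) | set(live):
        if name not in live:
            status[name] = "removed"
        elif name not in manifest:
            status[name] = "new"
        elif fingerprint(live[name]) != manifest[name]:
            status[name] = "changed"
        else:
            status[name] = "unchanged"
    return status

if __name__ == "__main__":
    for name, state in sorted(detect_drift(approval_manifest(APPROVED_CONFIG), CURRENT_CONFIG).items()):
        print(f"{name}: {state}")
```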
DeepChat, a smart assistant that integrates AI into personal workflows, had a remote code execution flaw in versions prior to 0.3.1. The vulnerability could be triggered when a user visited a website or clicked a link containing a specially crafted deepchat: URL. This caused the DeepChat app to process the URL via its custom handler, allowing an attacker to execute code on the victim’s system. The issue is resolved in version 0.3.1. It has a CNA base score of 9.6 (CRITICAL).
nginx-defender is a high-performance cloud-native WAF. A config vulnerability has been identified in certain deployments where default credentials, such as default_password: "change_me_please" in the config.yaml file and GF_SECURITY_ADMIN_PASSWORD=admin123 in the docker-compose.yml file, remain unchanged. If these defaults are used, attackers with network access could gain administrative control, bypassing security protections. The issue has been resolved in version 1.5.0 and later. While interesting as a vulnerability, it was only assigned a Medium risk with a 6.5 base score.
Unauthorised file system read operations via Copier library and CLI
This CVE affects Copier, a library and CLI for rendering project templates, in versions prior to 9.9.1; it was disclosed on August 18, 2025. The flaw exposes pathlib.Path objects in Jinja templates with unrestricted I/O, allowing malicious templates to read, overwrite, or delete arbitrary files, bypassing Copier’s intended filesystem restrictions. The vulnerability has a CVSS v4.0 score of 8.5 (High). It poses a risk of sensitive data exposure, including SSH keys, and has been fixed in Copier 9.9.1; users must upgrade, as no workarounds exist for earlier versions.
IN THE NEWS
CI/CD Security
ghrc.io appears to be a malicious typosquatted registry
If you’ve ever run docker login ghrc.io or set up automation through GitHub Actions to log in to ghrc.io instead of the real ghcr.io GitHub container registry, your credentials may have been exposed. Simply pulling an image won’t leak them, since credentials are bound to the hostname and anonymous pulls fail. However, if you mistakenly logged in to the wrong host, you should reset your password and/or revoke any PATs used.
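The check a defender would want after reading this, added here as an example and not part of the original post: parse the auths map in ~/.docker/config.json, which is where docker login records one entry per registry host, and flag any host that is a near-miss of a well-known registry. The known-registry list and the sample config are constructed for the example.

```python
import json

# Registries we expect to see; constructed list, extend it with your own hosts.
KNOWN_REGISTRIES = ("ghcr.io", "docker.io", "index.docker.io", "quay.io",
                    "gcr.io", "registry.gitlab.com")

# Constructed sample of ~/.docker/config.json: `docker login` stores one
# "auths" entry per registry host, so a typo lands as its own key. Values redacted.
SAMPLE_CONFIG = json.loads("""{"auths": {
  "ghcr.io": {"auth": "REDACTED"},
  "ghrc.io": {"auth": "REDACTED"},
  "https://index.docker.io/v1/": {"auth": "REDACTED"},
  "registry.example.internal": {"auth": "REDACTED"}}}""")

def registry_host(key: str) -> str:
    """Reduce an auths key such as https://index.docker.io/v1/ to its host."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()

def typo_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent-swap,
    because swapped letters (ghrc vs ghcr) are the classic typo."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def suspicious_logins(config: dict, known=KNOWN_REGISTRIES, max_distance: int = 1) -> dict:
    """Map each unknown auths host to the known registries it nearly matches.
    An exact match is fine; a near-miss means credentials went to the wrong host."""
    findings = {}
    for key in config.get("auths", {}):
        host = registry_host(key)
        if host in known:
            continue
        near = sorted(k for k in known if typo_distance(host, k) <= max_distance)
        if near:
            findings[host] = near
    return findings

if __name__ == "__main__":
    for host, near in suspicious_logins(SAMPLE_CONFIG).items():
        print(f"{host}: near-miss of {', '.join(near)}; rotate the credentials used there")
```

Run it against the real file with json.load(open(os.path.expanduser("~/.docker/config.json"))) in place of SAMPLE_CONFIG; credential helpers keep secrets elsewhere, but the auths keys still record which hosts were logged in to.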
Whitepaper: A Practical Guide for Building Robust AI/ML Pipeline Security Source: OpenSSF
This whitepaper presents a practical, visual framework for integrating security throughout the machine learning lifecycle, adapting proven DevSecOps strategies for AI/ML. Aimed at engineers, data scientists, MLOps teams, security professionals, and open source contributors, it offers visual models, risk controls, and open source guidance using tools like Sigstore, OpenSSF Scorecard, and SLSA. The paper provides real-world recommendations to help operations teams secure their ML systems end-to-end through MLSecOps practices.
Whitepaper: Unmasking Phantom Dependencies with SBOMs as Ecosystem Neutral Metadata Source: Alpha-Omega
Seth Larson, the Python Software Foundation’s Security Developer-in-Residence, has published a white paper with Alpha-Omega addressing the "Phantom Dependency" problem. The paper outlines the development and acceptance of PEP 770 and the use of Software Bill-of-Materials (SBOMs) to improve accuracy in tools like vulnerability scanners and compliance systems, especially for complex dependency graphs in fields such as AI and scientific computing. Key projects like numpy, cryptography, and pip are already exploring adoption.
Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks Source: TheHackerNews
Cybersecurity researchers uncovered malicious Python and npm packages designed to execute supply chain attacks by exploiting dependencies. The PyPI package termcolor, through its dependency colorinal, deployed multi-stage malware capable of persistence, system data theft, and remote code execution on both Windows and Linux, with communication masked via the Zulip chat app. Similarly, malicious npm packages such as redux-ace and rtk-logger were distributed under false pretenses, stealing credentials, monitoring user activity, and exfiltrating data.
Malicious Package Detection in Cloudsmith Source: Cloudsmith
Cloudsmith now integrates data from OSV.dev and the OpenSSF Malicious Packages project to automatically detect and block malicious packages before they reach your builds or customers. Unlike vulnerabilities, malicious packages are intentionally crafted to harm, either through credential theft, data exfiltration, backdoors, or compromised pipelines, and are increasingly targeting developer workflows via public registries like npm and PyPI.
Kubernetes 1.34 is here, and it introduces 10 new Alpha features that signal the platform’s direction toward better hardware support, developer experience, and workload resilience. Highlights include major advances in DRA for GPUs and AI chips, now allowing fractional GPU usage, device readiness prioritisation, consumable capacity, and device health reporting. Other improvements tackle long-standing challenges like complex YAML formatting, streamlined Pod certificate delivery, asynchronous scheduling and smarter container restarts.
Tuning Linux Swap for Kubernetes Source: kubernetes.io
The upcoming Kubernetes v1.34 release is set to stabilise the NodeSwap feature, allowing Linux nodes to use swap space for improved memory management. This is a significant shift from the long-standing practice of disabling swap for predictability. While swap can reduce OOM kills by offloading less-used memory pages to disk, effective tuning is critical to avoid performance degradation and conflicts with Kubelet’s eviction logic. Key Linux kernel parameters such as swap aggressiveness, minimum free memory buffer, and reclamation thresholds play a major role in determining swap behaviour.
Creators of Open Policy Agent have joined Apple Source: OPA Blog
The creators of Open Policy Agent (OPA), several of whom were working at Styra, have joined Apple, which already relies heavily on OPA for its authorisation infrastructure. While OPA remains a CNCF-governed open source project with the same roadmap and community-driven development, Apple’s investment strengthens its long-term stability and evolution. For Cloudsmith, this matters because it ensures the continued growth, performance, and tooling of OPA, the core technology underpinning our EPM policy solution, which should continue to give our customers confidence in a secure, future-proof foundation.
Critical Namespace Injection Vulnerability in Kubernetes Capsule Let Attackers Inject Arbitrary Labels Source: Cyber Security News
A critical vulnerability (tracked in OSV.dev as GHSA-fcpm-6mxq-m5vv) has been discovered in Kubernetes Capsule v0.10.3 and earlier, allowing authenticated tenant users to inject arbitrary labels into system namespaces and bypass multi-tenant isolation. The flaw, disclosed by researcher Oliverbaehler, stems from insufficient namespace validation checks, enabling attackers to exploit label injection to gain unauthorised cross-tenant resource access, escalate privileges, and potentially compromise sensitive system namespaces such as kube-system.
AI, LLMs & MCP
A Customer Service AI Agent Spits Out Complete Salesforce Records in an Attack by Security Researchers Source: CX Today
Security researchers at Zenity demonstrated that a customer service AI agent built on Microsoft Copilot Studio could be manipulated to reveal complete Salesforce records, exposing a fundamental vulnerability in autonomous, agentic AI. Experts warn that thousands of public-facing agents remain susceptible, emphasising the widening gap between AI capabilities and security.
llm-d is a Kubernetes-native platform for distributed inference, designed to make serving large generative AI models at scale straightforward, delivering fast deployment and cost-efficient performance across a wide range of hardware accelerators. In this podcast episode, Clayton Coleman and Rob Shaw discuss how they manage workloads (particularly accelerated AI/ML tasks) while performing large-scale model inference using the inference gateway and llm-d. Rob Shaw is also a direct contributor to the vLLM project.
MCP C# SDK Aligns with New Protocol Specification, Bringing Security and Tooling Updates Source: InfoQ
The MCP C# SDK has been updated to version 2025-06-18, bringing new features for .NET AI developers, including an improved authentication protocol, elicitation support, structured tool output, and resource links in tool responses. The new authentication system separates the roles of authentication and resource servers, improving flexibility and security with OAuth 2.0 and OpenID Connect. Additional improvements include enhanced metadata and human-friendly schema titles.
Researchers Uncover GPT-5 Jailbreak and Zero-Click AI Agent Attacks Exposing Cloud and IoT Systems Source: TheHackerNews
Cybersecurity researchers have uncovered sophisticated jailbreak techniques targeting OpenAI’s GPT-5, showing that even its advanced reasoning and safety measures can be bypassed. Using methods like Echo Chamber, which seeds a subtly malicious conversational context, and with narrative-driven steering, attackers can elicit harmful or illicit outputs without triggering refusal mechanisms.
Attend our hallway session: Securing the Software Supply Chain with OPA, EPSS & Trivy. Stop by Cloudsmith’s booth C1 and put your artifacts to the test on a Raspberry Pi. Any attendee who completes the activity on the Pi will receive a raffle ticket to enter and win their own Raspberry Pi Desktop Set!
Cloudsmith is excited to sponsor GitHub Universe 2025. We'll be on the ground in San Francisco throughout the week, and we'd love to meet you there. To make best use of your time, book a meeting with us.
You can still watch the recording of how Cloudsmith and Chainguard are advancing DevSecOps with end-to-end artifact security, SBOM integration, and policy-driven CI/CD pipelines. You’ll leave with actionable tools and proven strategies to harden your pipeline and ship with confidence.