Claude Code API key leak, GitHub CodeQL hijack
Check Point Research uncovered critical flaws in Anthropic’s Claude Code that write every prompt, API key and secret to plaintext files under ~/.claude/projects and expose them via project‑level configuration hooks. Attackers can trigger remote code execution and exfiltrate credentials when developers clone malicious repos. All issues have been patched, but the finding highlights a new secret‑leak vector in AI‑assisted dev tools.
Two critical auth bypass CVEs in ruby‑saml ≤v1.17.0 stem from differing XML parsers (REXML vs Nokogiri). With one valid signature, an attacker can forge SAML assertions and log in as any user, compromising SSO‑protected apps. Updating to ruby‑saml 1.18.0 mitigates the issue for downstream libraries and services.
Praetorian uncovered a race condition in GitHub CodeQL that lets an attacker inject code into nearly any repository's Actions workflow, exfiltrating private source and stealing secrets. The flaw, tracked as CVE‑2025‑24362, turns the default CodeQL security scan into a supply‑chain weapon. GitHub says no platform compromise has been observed.
Curl will pause all vulnerability submissions on HackerOne and email for July 2026, calling it a "summer of bliss." With the world's most ubiquitous HTTP library offline for security reports, any critical bugs discovered during that month will sit unaddressed until August, potentially leaving countless apps exposed.
A flaw in Google Cloud’s Vertex AI Python SDK let an attacker pre‑create the SDK’s deterministic staging bucket, hijack a victim’s model upload, inject malicious code, and achieve remote code execution on the target’s serving infrastructure. The bug, fixed in SDK v1.148.0, underscores the danger of predictable bucket names in shared cloud services.
Researchers found DragonForce’s custom Go RAT, Backdoor.Turn, piggybacking on Microsoft Teams’ TURN relay protocol to disguise command‑and‑control traffic as legitimate Teams traffic. This technique lets the gang evade network defenses and stay hidden within trusted Microsoft infrastructure, raising alarm for any organization that relies on Teams for communications.
EvilTokens is a phishing-as-a-service kit that abuses Microsoft’s OAuth device code flow, letting attackers capture valid access tokens after victims complete a legitimate login. By sidestepping password entry, it enables rapid account takeover and BEC campaigns across Microsoft 365 environments.
Security researchers uncovered a Go-based cross‑platform RAT called SStar Agent that lands via a poisoned npm package masquerading as a Tailwind CSS plugin. The malicious package is bundled into a fake Web3 engineering take‑home project, delivering the payload on both macOS and Windows when developers run npm scripts.
A phishing email masquerading as a Bithumb notice let attackers steal the private keys of a Humanity Protocol director, draining $36 million worth of H tokens and crashing the token by up to 90%. Quantstamp’s forensic work links the malware to North Korean threat actors, underscoring the human‑factor risk in crypto projects.
A 404 Media investigation uncovered more than a dozen U.S. police cases where officers exploited the Flock surveillance camera system to track individuals without warrants. The abuse highlights how insider access can bypass technical safeguards, turning surveillance tools into personal spying devices.
The authors prove an impossibility result: any defense that blocks malicious prompt injections can also block legitimate flows, and attackers can always craft contexts that make harmful prompts look benign. This means prompt injection may remain a fundamental vulnerability for autonomous AI agents, reshaping how we approach alignment and security.