Issue #15 - AppSec Weekly 🛡️ - Jan 2026
Your go-to source for the latest in application security trends, tools, and insights from the second week of January 2026
AppSec Weekly - Jan 2026
🌶️ 🌶️ This Week in AppSec World 🌶️ 🌶️
Security researcher Mehmet Ince discovered a perfect exploit chain in LogPoint's SIEM/SOAR platform in which six individually low-severity bugs (exposed internal routes, hardcoded signing secrets, leaked API credentials, SSRF to host-only endpoints, static AES keys, and rule-engine command injection) combine into pre-authentication remote code execution without requiring credentials. The writeup demonstrates how bugs dismissed as "harmless" or "wontfix tickets" by product managers become powerful exploit primitives when chained together, emphasizing the critical lesson for security teams to model multi-step attacker paths rather than triaging findings in isolation. CVEs were assigned with CVSS scores ranging from 7.1 to 7.5 (High) after 112 days to disclosure.
PassSeeds is a novel hack by Daniel Buchner (former Microsoft Passkey/WebAuthn team lead) that repurposes the P-256 public key of a passkey as deterministic seed material for cryptosystems beyond WebAuthn's authentication-only model, including secp256k1 Bitcoin wallets, BLS12-381 zero-knowledge proofs, and decentralized social media signing keys. The technique exploits an overlooked property: by never exposing the public key at creation and performing ECDSA public key recovery from two signatures over the same challenge, developers can deterministically reconstruct the public key on-demand while maintaining platform sync, biometric UX, and phishing resistance. This enables cryptographic use cases requiring hardware-secured, synced secrets without waiting for unimplemented WebAuthn extensions like PRF or Large Blob, effectively creating a cross-browser polyfill for deterministic key derivation today.
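The key-recovery step described above, as an added example that is not Buchner's code or the PassSeeds implementation: a minimal pure-Python P-256 ECDSA with public key recovery, where one signature yields several candidate public keys and two signatures over the same challenge are intersected to pin down the one the authenticator holds. The curve arithmetic is textbook and not constant-time; that is acceptable here because the recovering side handles only public values (the private key appears solely to simulate the authenticator's signatures).

```python
import hashlib, secrets

p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # NIST P-256 (public constants)
a, b = p - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
z_of = lambda msg: int.from_bytes(hashlib.sha256(msg).digest(), "big") % n  # message hash as an integer

def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P == Q: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)
    else: lam = (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):  # double-and-add scalar multiplication (not constant-time; demo only)
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def sign(d, challenge):
    """Plain ECDSA over SHA-256, standing in for the authenticator's signature over a challenge."""
    k = secrets.randbelow(n - 1) + 1
    r = ec_mul(k, G)[0] % n
    return r, (pow(k, -1, n) * (z_of(challenge) + r * d)) % n

def recover_candidates(sig, challenge):
    """Every Q for which (r, s) verifies over challenge; with no recovery id there can be several."""
    (r, s), z, cands = sig, z_of(challenge), set()
    for x in (r, r + n):                       # r + n is only a valid x coordinate if it is still < p
        if x >= p: continue
        rhs = (x ** 3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)          # modular square root; valid because p % 4 == 3
        if y * y % p != rhs: continue
        for R in ((x, y), (x, p - y)):         # both curve points sharing that x coordinate
            Q = ec_mul(pow(r, -1, n), ec_add(ec_mul(s, R), ec_mul(n - z, G)))  # Q = r^-1 (sR - zG)
            if Q is not None: cands.add(Q)
    return cands

def passseeds_recover(sig1, sig2, challenge):
    """Two signatures over one challenge pin the key: intersect the two candidate sets."""
    common = recover_candidates(sig1, challenge) & recover_candidates(sig2, challenge)
    return common.pop() if len(common) == 1 else None
```

Because the wrong candidates depend on each signature's random nonce, the intersection is a single point with overwhelming probability, which is what lets the public key be reconstructed on demand without ever having been returned at credential creation.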
Tailscale reversed its secure-by-default policy on January 7, 2026 (version 1.92.5), disabling TPM-based state file encryption that had been enabled by default since October 2025 (version 1.90.2) after widespread failures caused by firmware updates, VM operations, and container deployments. TPM chips proved unreliable across heterogeneous environments with 1-5% failure rates on consumer hardware, 10-20% on VMs, and 50% in Kubernetes due to Platform Configuration Register (PCR) changes that prevent unsealing encryption keys, leaving Tailscale clients unable to start without manual state file deletion and re-authentication. Organizations that relied on automatic state file encryption (containing node keys, machine private keys, and Tailnet Lock keys) must now manually enable it via --encrypt-state flag or EncryptState policy, treat state files as sensitive artifacts requiring OS-level disk encryption, and audit compliance narratives that assumed application-level encryption was enabled by default.
Koi Security discovered malicious VS Code extensions (Bitcoin Black theme, Codo AI) that steal screenshots, WiFi passwords, clipboard contents, and browser sessions from developers by hijacking a legitimate signed executable to bypass security defenses. The attacker A/B tested different social engineering lures (crypto-themed versus AI productivity tools) while using identical malware infrastructure and left debug comments in their code marking malicious sections. Despite the malicious behavior, Codo AI remained available on the VS Code marketplace at the time of disclosure on December 8, 2025.
Andrew Nesbitt's analysis reveals Dependabot is a stateless Ruby library (dependabot-core, MIT licensed since 2024) with four core components (FileFetcher, FileParser, UpdateChecker, FileUpdater) that generates dependency update PRs but relies entirely on proprietary GitHub infrastructure for scheduling, state tracking, CVE matching, and coordination. The library runs fresh on each job with no memory between executions, receiving complete context via JSON job definitions and outputting API instructions rather than pushing commits directly, while GitHub's separate dependency graph system (used for alerts and SBOM generation) uses different parsing logic, creating three disconnected systems in total. For SCA workflows, this architecture means SBOM accuracy depends on GitHub's proprietary dependency graph limitations (missing transitive dependencies in some ecosystems), update cadence is controlled by GitHub's scheduler rather than the open-source core, and integrating static/dynamic analysis into automated PRs requires custom GitHub Actions workflows since dependabot-core only outputs file changes without built-in analysis hooks.
NPM announced staged publishing in January 2026, introducing a mandatory review period with MFA verification before packages become publicly available, following the devastating Shai-Hulud attacks that stole $50M and backdoored 25,000 repositories in late 2025. This change accompanies the migration from deprecated classic tokens to OIDC trusted publishing (using short-lived cryptographic credentials instead of long-lived API tokens) and granular access tokens with 7-day maximum lifetimes, reducing supply chain risks from compromised credentials. The staged publishing model adds deliberate friction to prevent instant malicious package propagation and may reduce typo-squatting and accidental publishes, though implementation details (opt-in versus mandatory, CI/CD compatibility) remain under development.
🤖 This Week in AI Security 🤖
PromptArmor discovered an unpatched data exfiltration vulnerability in Notion AI where attackers embedded invisible prompt injection in documents (e.g., resumes) to manipulate the AI into generating malicious image URLs containing sensitive data, which browsers automatically fetched before users approved edits. The attack successfully exfiltrated confidential hiring information including salaries, candidate feedback, and diversity goals by exploiting how Notion's AI feature treats all content as executable instructions rather than untrusted input. Initially dismissed via HackerOne, the issue was patched by Notion on January 7, 2026 after public disclosure, exposing a critical SaaS AI threat model where LLM-powered features bypass traditional access controls and require explicit output filtering, content security policies, and least-privilege tool scopes instead of prompt-level defenses.
AppSec Tools of The Week
Picklescan 🔥
Picklescan is an open-source Python security scanner (MIT licensed, 353 GitHub stars) that detects malicious code execution in Pickle files by examining bytecode for dangerous operations like eval() and os.system(), commonly used to backdoor machine learning models on PyTorch and Hugging Face. However, JFrog discovered three critical zero-day vulnerabilities in 2025 (CVSS 9.3) allowing attackers to bypass detection through crafted Pickle opcodes, exposing the limitations of blocklist-based static analysis compared to allowlist approaches like Trail of Bits' Fickling.
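To make the blocklist-versus-allowlist distinction concrete, an added example that is not Picklescan's or Fickling's code: a simplified opcode walk with the standard-library pickletools over three constructed sample pickles, none of which is ever passed to pickle.load(). The allowlist is an illustrative subset of globals a PyTorch checkpoint needs, and the string tracking for STACK_GLOBAL is deliberately simplified compared to a real scanner.

```python
import collections, pickle, pickletools, platform

# Three constructed sample pickles; none of them is ever unpickled in this example.
class EvalOnLoad:
    def __reduce__(self):            # unpickling would call builtins.eval("1 + 1")
        return (eval, ("1 + 1",))

class PlatformOnLoad:
    def __reduce__(self):            # unpickling would call platform.system(); not on any blocklist
        return (platform.system, ())

SAMPLE_BENIGN = pickle.dumps({"w": [0.5, 1.5], "cfg": collections.OrderedDict(lr=0.1)}, protocol=4)
SAMPLE_EVAL = pickle.dumps(EvalOnLoad(), protocol=4)
SAMPLE_PLATFORM = pickle.dumps(PlatformOnLoad(), protocol=4)

def imported_globals(data):
    """Walk the opcode stream with pickletools (no unpickling) and list (module, name) imports."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):                  # protocol <= 3: "module name" as text
            mod, name = arg.split(" ", 1)
            found.append((mod, name))
        elif op.name == "STACK_GLOBAL":                    # protocol 4+: module and name pushed as strings
            if len(strings) >= 2: found.append((strings[-2], strings[-1]))
        elif "UNICODE" in op.name or "STRING" in op.name:  # simplified: remember recent string pushes
            strings.append(arg)
    return found

# Blocklist of known-dangerous callables, in the spirit of a Picklescan-style scanner.
BLOCKLIST = {("builtins", "eval"), ("builtins", "exec"), ("os", "system"), ("posix", "system"), ("nt", "system")}
# Allowlist of globals a legitimate checkpoint is expected to need (illustrative subset).
ALLOWLIST = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"), ("torch", "FloatStorage")}

def blocklist_verdict(data):
    """Malicious if any import is on the blocklist; misses any callable the list does not name."""
    return any(g in BLOCKLIST for g in imported_globals(data))

def allowlist_verdict(data):
    """Malicious if any import is outside the allowlist; unknown callables are refused by default."""
    return any(g not in ALLOWLIST for g in imported_globals(data))
```

The platform.system() sample is the instructive one: it executes code on load yet passes the blocklist, while the allowlist rejects it simply because no model needs that import.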
Tailsnitch is an open-source security auditor for Tailscale configurations (MIT licensed) that performs 52 automated checks across access controls, authentication, device security, network exposure, and logging to detect misconfigurations like default allow-all ACLs, reusable auth keys, disabled Tailnet Lock, and public Funnel exposure. The tool provides an interactive fix mode for API-driven remediation, generates SOC 2 compliance evidence reports with Common Criteria mappings, and integrates with CI/CD pipelines to fail builds when critical/high severity findings exceed defined thresholds.
Rusty-cpp is a comment-based static analyzer that brings Rust's borrow checking, lifetime tracking, and ownership rules to existing C++ codebases through @safe/@unsafe annotations and Rust-like types (Box, Arc, Option) without compiler changes, enabling incremental adoption of memory safety guarantees via libclang AST analysis. However, the project appears AI-generated (co-authored by Claude), contains 90 compiler warnings for dead code, brittle string-prefix type checking, and commits that immediately remove broken functionality, raising serious concerns about code quality and production readiness despite the elegant annotation-based approach.
And that's a wrap for this week! If you enjoy this curated issue, feel free to forward or share it with your appsec folks, team, or hacker club. For feedback, hugs, bugs or chats drop an email to [email protected]