Appsec Weekly - Feb 3, 2026

🌶️ 🌶️ This Week in AppSec World 🌶️ 🌶️

Omer Amiad (Focal Security) found a cross-tenant flaw in GCP Apigee that let an attacker reach other customers’ analytics/access logs and sometimes grab plaintext user access tokens straight out of them. The chain is a clean cloud pivot: trick Apigee into talking to the metadata server, steal a service-account token, escalate via a Dataflow pipeline, then use that higher-privileged identity to read/write data sitting in shared cross-tenant buckets.

OpenClaw, aka MoltBot, took the internet by storm because it runs locally, remembers everything, and can actually do tasks for you instead of just suggesting them. 1Password’s point is that this is also a security nightmare if its memories and tokens sit in plain text on disk, so agents should get a separate identity of their own and have their access mediated continuously at runtime with time-bound, revocable permissions.

Deno Sandbox is Deno’s answer to “LLM code runs right now with real keys”: it spins up tiny microVMs in the Deploy cloud (booting in under a second) so you can execute untrusted, user-generated code without letting it touch your actual servers. The clever bit is how it handles secrets and network access: secrets never show up as real env vars, code only sees a placeholder, and the real key is only injected into outbound requests to approved hosts, with all other egress blocked at the VM boundary by an outbound proxy. When you like what you built, sandbox.deploy() pushes it straight to Deno Deploy, and you can keep state with volumes or speed up setup with snapshots.

Notepad++ says state-backed attackers hijacked its update path by compromising its shared hosting infrastructure, then selectively redirecting some users’ updater traffic to attacker-controlled update manifests and downloads. The project’s timeline pegs the activity as starting around June 2025 and only fully ending once the hosting provider rotated credentials and cut off lingering internal-service access on Dec 2, 2025. Notepad++ has since moved hosts and hardened WinGup and the update XML with certificate and signature checks (with stricter enforcement planned in upcoming releases).

Sy Brand’s “Writing a Linux Debugger” is a 10-part, build-it-from-scratch series that starts with the basics of a ptrace-style debugger: setup, breakpoints, and reading registers and memory. From there it levels up into DWARF and ELF work for source context, stepping, and source-level breakpoints, then finishes with real debugger staples like stack unwinding, variable inspection, and a grab bag of advanced topics and future work.

🤖 This Week in AI Security 🤖

Cursor figured out how to make semantic search usable on huge repos without waiting hours by reusing a teammate’s existing index when the codebases are mostly the same. They build and sync a Merkle tree of file hashes, pick a close match via a simhash lookup, then require cryptographic “proofs” so search results only come from files you can actually show you have.
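To make the index-reuse idea concrete, here is the general algorithm behind it: a Merkle tree over per-file hashes, with an inclusion proof that a verifier checks against a trusted root before accepting that the prover really holds a given file. This is an added illustration written for this issue, not Cursor’s code; the leaf/node hash layout, the domain-separation prefixes, and the sample “repo” are all constructed assumptions.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(path: str, content: bytes) -> bytes:
    # A leaf commits to the path and the file's content hash (domain-separated
    # from interior nodes so a leaf can never be confused with a node).
    return sha256(b"leaf:" + path.encode() + b"\0" + sha256(content))

def build_levels(leaves: list) -> list:
    # Level 0 is the leaves; each level above hashes adjacent pairs,
    # duplicating the last node when a level has an odd count.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([sha256(b"node:" + cur[i] + cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels

def merkle_root(files: dict) -> bytes:
    # Sorted paths give every party the same leaf order for the same file set.
    return build_levels([leaf_hash(p, files[p]) for p in sorted(files)])[-1][0]

def inclusion_proof(files: dict, path: str) -> list:
    # Sibling hashes from leaf to root; flag is True when the sibling sits on the right.
    paths = sorted(files)
    idx = paths.index(path)
    proof = []
    for level in build_levels([leaf_hash(p, files[p]) for p in paths])[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = idx ^ 1
        proof.append((level[sib], sib > idx))
        idx //= 2
    return proof

def verify(root: bytes, path: str, content: bytes, proof: list) -> bool:
    # The verifier needs only the root it already trusts plus the file the prover claims.
    h = leaf_hash(path, content)
    for sibling, on_right in proof:
        h = sha256(b"node:" + h + sibling) if on_right else sha256(b"node:" + sibling + h)
    return h == root

# Constructed sample "repo" for the demo (not real project files).
REPO = {"src/main.py": b"print('hi')\n", "src/util.py": b"def f(): pass\n",
        "README.md": b"# demo\n"}
ROOT = merkle_root(REPO)
PROOF = inclusion_proof(REPO, "src/main.py")
```

A proof for one file does not validate a different path or tampered content, and changing any file changes the root, which is what lets two mostly identical checkouts detect exactly which files diverge before sharing an index.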

Wiz found Moltbook had a badly configured Supabase backend, so a “public” API key sitting in the site’s JavaScript effectively gave anyone full read and write access to production data, including 1.5M agent auth tokens, about 35K emails, and private DMs. The scary part was integrity, not just leakage: attackers could impersonate any agent, spam-create millions of “agents” with no real verification or rate limits, and even edit live posts to inject content or prompt payloads, until Moltbook locked things down through a rapid, multi-step fix.

Sherlock (now renamed Tokentap) is a local “LLM traffic inspector” that runs a proxy plus a live TUI so you can see what Claude Code, Codex, and similar tools actually send and how many tokens each request burns, and it saves every prompt as Markdown and raw JSON for later review. Security-wise, treat it like full TLS interception: it can see everything passing through, and the HN thread flagged that it shells out to mitmproxy with ssl_insecure=true, so you should only run it in a tightly scoped, disposable setup and never as a “just install the CA everywhere” tool. If you’re into bug bounty, I know you would just suggest Burp Suite :)

🏆 AppSec Tools of The Week 🏆

NetBird is an open-source remote access platform that combines a WireGuard-based overlay network with zero-trust access controls, so you can connect users and machines without the usual VPN gateway sprawl. Instead of “anyone on the VPN can see everything,” you provision users and groups from your IdP, segment resources, enforce MFA and posture checks, and write granular policies for who can reach what. It’s built to run almost anywhere, can be self-hosted under a BSD-3 license, and gives you centralized management plus activity logging so you can answer the boring but essential question: who did what, and when.

Minimal is an open-source set of hardened base images rebuilt daily on Wolfi using apko, aiming for zero or near-zero known CVEs by shipping only the packages you actually need. It bakes in supply-chain basics like a CVE gate in CI, non-root defaults, SBOMs, and keyless cosign signing, and many of the images drop the shell to shrink the blast radius.

And that’s a wrap for this week! If you enjoy this curated issue, feel free to forward or share it with your appsec folks, team, or hacker club. For feedback, hugs, bugs or chats, drop an email to [email protected]
