Issue #9 - AppSec Weekly 🛡️

Your go-to source for the latest in application security trends, tools, and insights!


📰 TLDR AppSec Weekly 📰

This week’s security roundup highlights critical developments across the software supply chain and application security landscape. The compromise of the tj-actions/changed-files GitHub Action exposed secrets in CI/CD pipelines, prompting immediate rotations and workflow audits. Mayo Clinic introduced a reverse RAG technique to combat AI hallucinations, ensuring reliable data in healthcare applications. Meanwhile, a malicious Maven package was discovered exfiltrating OAuth credentials on a monthly timer, and critical SAML parser differential vulnerabilities (CVE-2025-25291/25292) in ruby-saml enabled authentication bypasses. On the tooling front, Semgrep successfully migrated to OCaml 5 using dynamic garbage collector tuning to maintain performance, while TruffleHog released a Burp Suite extension for real-time secret detection in HTTP traffic.

🌶️ 🌶️ This Week in AppSec World 🌶️ 🌶️

🚨 Critical GitHub Action Compromise

The popular tj-actions/changed-files GitHub Action (used by 23,000+ repos) was compromised, exposing CI/CD secrets via workflow logs. Malicious code retroactively modified multiple tags, dumping secrets from GitHub Action runners. GitHub has since removed the Action, and StepSecurity offers a secure drop-in replacement: step-security/changed-files. Review your workflows, rotate secrets, and audit logs immediately. Official CVE: CVE-2025-30066. Kudos to StepSecurity Team 🎉 for detecting it and alerting the community.
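To support the workflow review recommended above, here is an added example (not from the newsletter or from StepSecurity) that lists every `uses:` reference in a workflow file, flags tj-actions/changed-files, and marks refs that are tags or branches rather than full commit SHAs, since the incident involved retroactively modified tags. The function name, the sample workflow and the SHA in it are constructed for illustration.

```python
import re

# Action named in the item above (CVE-2025-30066).
AFFECTED = "tj-actions/changed-files"
# Matches "uses: owner/repo@ref" steps; commented-out lines do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return one finding per third-party `uses:` step in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope
        action, _, ref = target.partition("@")
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "affected": action.lower() == AFFECTED,
            # A tag or branch can be moved later; a full commit SHA cannot.
            "mutable_ref": not FULL_SHA_RE.match(ref),
        })
    return findings

# Constructed sample workflow; the 40-character SHA is a made-up placeholder.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: changed files
        uses: tj-actions/changed-files@v45
      - uses: step-security/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        flags = [k for k in ("affected", "mutable_ref") if f[k]]
        print(f"line {f['line']}: {f['action']}@{f['ref']} {flags}")
```

Run it over each file under `.github/workflows/`; a finding with `affected` set means the step needs replacing and the secrets available to that job need rotating.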

Parser differentials between REXML and Nokogiri in ruby-saml (≤ v1.17.0) allowed attackers to bypass SAML SSO, enabling full account takeover. Exploits trick the library into verifying mismatched signature and digest values from different parsers. Affected projects include GitLab and any using omniauth-saml. Update to ruby-saml v1.18.0 immediately. Further details and a PoC are expected from GitHub Security Lab.

A typosquatted Maven package (io.github.leetcrunch:scribejava-core:8.3.5) was discovered exfiltrating OAuth credentials on the 15th of each month. It mimics the popular scribejava-core library (5.5k+ GitHub stars) and sends stolen keys to Pastebin.

Semgrep successfully migrated from OCaml 4 to OCaml 5, overcoming initial 2x memory regressions by dynamically tuning OCaml’s garbage collector. Their new open-source utility, dynamic_gc, adjusts space_overhead in real time based on heap size, ensuring efficient memory usage without sacrificing performance. This unlocks OCaml 5’s parallelism and advanced features like algebraic effects for Semgrep.

TruffleHog has released a new Burp Suite extension that automatically scans HTTP traffic for exposed secrets, including live API keys and credentials. The extension integrates seamlessly with Burp Suite, surfacing verified secrets in both the UI and issue tracker. It runs TruffleHog locally every 10 seconds, ensuring up-to-date detection without manual effort. This tool bridges the gap between source code secret scanning and dynamic web traffic analysis. Now available in the Burp Suite BApp store.

Atlassian built a centralized platform to automatically generate SBOMs for every repository commit. The system uses tools like syft, cdxgen, and cyclone-dx to create comprehensive SBOMs uploaded to S3 and processed into their data lake. To date, it has generated over 1 million SBOMs covering 1.8 billion packages across 4,200 repositories. This initiative supports regulatory compliance, enhances supply chain transparency, and drives standardization across Atlassian’s tech stacks.

🤖 This Week in AI Security 🤖

Mayo Clinic has developed a “Reverse RAG” approach, linking every AI-generated fact back to its original data source, drastically reducing hallucinations in non-diagnostic healthcare use cases. By combining CURE clustering with vector databases, they ensure full data traceability. This method speeds up tasks like synthesizing patient records from 90 minutes to 10. Mayo’s AI efforts are expanding into genomics and imaging, aiming to revolutionize personalized care.

🏆 AppSec Tools of The Week 🏆

Enriching the NVD CVSS scores to include Temporal & Threat Metrics

List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

And that’s a wrap for this week! If you enjoy this curated issue, feel free to forward or share it with your appsec folks, team, or hackerclub. For feedback, hugs, bugs or chats, drop an email to [email protected]