#mac

### Summary A malicious website can abuse the server URL override feature of the OpenCode web UI to achieve cross-site scripting on `http://localhost:4096`. From there, it is possible to run arbitrary commands on the local system using the `/pty/` endpoints provided by the OpenCode API. ### Code execution via OpenCode API - The OpenCode API has `/pty/` endpoints that allow spawning arbitrary processes on the local machine. - When you run `opencode` in your terminal, OpenCode automatically starts an HTTP server on `localhost:4096` that exposes the API along with a web interface. - JavaScript can make arbitrary same-origin `fetch()` requests to the `/pty/` API endpoints. Therefore, JavaScript execution on `http://localhost:4096` gets you code execution on local the machine. ### JavaScript execution on localhost:4096 The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to pre...

### Summary The user-provided string `repository` in the `helmv3` manager is appended to the `helm registry login` command without proper sanitization. ### Details Adversaries can provide a maliciously crafted `Chart.yaml` in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code. The value for both uses of the `repository` variable in [lib/modules/manager/helmv3/common.ts](https://github.com/renovatebot/renovate/blob/b69416ce1745f67c9fc1d149738e2f52feb4f732/lib/modules/manager/helmv3/common.ts) are not being escaped using the `quote` function from the `shlex` package. This lack of proper sanitization has been present in the product since version 31.51.0 (https://github.com/renovatebot/renovate/commit/f372a68144a4d78c9f7f418168e4efe03336a432), released on January 24 of 2022. ### PoC 1. Create a git repo with the following content: `renovate.json5`: ```json5 { $schema: "https://docs.renovatebot.com/renovate-schema.json", customDatasou...

### Summary The user-provided string `depName` in the `gleam` manager is appended to the `gleam deps update` command without proper sanitization. ### Details Adversaries can provide a maliciously crafted `gleam.toml` in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code. All values added to the `packagesToUpdate` variable in [lib/modules/manager/gleam/artifacts.ts](https://github.com/renovatebot/renovate/blob/e9cbd02865b1827f7e4269c05250a12ee2203a71/lib/modules/manager/gleam/artifacts.ts) are not being escaped using the `quote` function from the `shlex` package. This lack of proper sanitization has been present in the product since version 39.53.0 (https://github.com/renovatebot/renovate/commit/d29698e0131231652970f02765312769975e4d38), released on December 6 of 2024. ### PoC 1. Create a git repo with the following content: `renovate.json5`: ```json5 { $schema: "https://docs.renovatebot.com/renovate-schema.json", customDatasource...

### Summary The user-provided string `depName` in the `hermit` manager is appended to the `./hermit install` and `./hermit uninstall` commands without proper sanitization. ### Details Adversaries can provide a maliciously named hermit dependency in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code. All values added to the `packagesToInstall` and `packagesToUninstall` variables in [lib/modules/manager/hermit/artifacts.ts](https://github.com/renovatebot/renovate/blob/41e8b99f86a6e2a56f80f7aa1a08a59d76f2358c/lib/modules/manager/hermit/artifacts.ts) are not being escaped using the `quote` function from the `shlex` package. This lack of proper sanitization for installing packages has been present in the product since the introduction of the hermit manager in version 32.135.0 (https://github.com/renovatebot/renovate/commit/b696abb3c2741508fbb4029f39153140a3722e1e), released on July 30 of 2022. In version 37.199.1 (https://github.com/renovate...

### Summary The user-provided string `packageName` in the `npm` manager is appended to the `npm install` command during lock maintenance without proper sanitization. ### Details Adversaries can provide a maliciously crafted Renovate configuration file to trick Renovate to execute arbitrary code. The user-provided workspace names and package keys that are added to the `updateCmd` variables in [lib/modules/manager/npm/post-update/npm.ts](https://github.com/renovatebot/renovate/blob/5bdaf47eebde770107017c47557bca41189db588/lib/modules/manager/npm/post-update/npm.ts) are not being escaped using the `quote` function from the `shlex` package. This lack of proper sanitization has been present in the product since version 35.63.0 (https://github.com/renovatebot/renovate/commit/012c0ac2fe32832e60a62bde405c0a241efd314c), released on April 27 of 2023. ### PoC 1. Create a git repo with the following content: `renovate.json5`: ```json5 { $schema: "https://docs.renovatebot.com/renovate-schema...

### Summary The user-provided chart name in the `kustomize` manager is appended to the `helm pull --untar` command without proper sanitization. ### Details Adversaries can provide a maliciously crafted `kustomization.yaml` in conjunction with a Helm repo's `index.yaml` file to trick Renovate to execute arbitrary code. The value for the `depName` argument for the `helmRepositoryArgs` function in [lib/modules/manager/kustomize/artifacts.ts](https://github.com/renovatebot/renovate/blob/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37/lib/modules/manager/kustomize/artifacts.ts#L33) is not being escaped using the `quote` function from the `shlex` package. This lack of proper sanitization has been present in the product since version 39.218.9 (https://github.com/renovatebot/renovate/commit/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37), released on March 26 of 2025. ### PoC 1. Create a mock Helm repository. Have its `index.yaml` endpoint return: ```yaml apiVersion: v1 entries: "example || kill 1; ech...

A data broker was fined by California regulators for selling sensitive data on Alzheimer’s patients and millions of others.

## Impact The Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. ## Patches This issue has been patched in version 2.2.0. Users are advised to upgrade to v2.2.0 or later, where IP whitelist validation uses strict IP comparison logic rather than partial string matching. ## Workarounds Users unable to upgrade immediately should avoid relying solely on IP whitelisting for webhook security. Recommended mitigations include: - Adding authentication mechanisms such as shared s...

AI agents are no longer just writing code. They are executing it. Tools like Copilot, Claude Code, and Codex can now build, test, and deploy software end-to-end in minutes. That speed is reshaping engineering—but it’s also creating a security gap most teams don’t see until something breaks. Behind every agentic workflow sits a layer few organizations are actively securing: Machine Control

Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access. "The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a