Security Bulletins

Operator-facing response guides for active and recent security incidents affecting AI infrastructure, developer tooling, and the supply-chain surfaces that most pipelines depend on. Each bulletin links to its primary source and lists concrete steps to take if you were affected.

  1. Checkmarx KICS Docker Hub Compromise, What to Do If You Pulled the Affected Images

    Attackers overwrote legitimate checkmarx/kics Docker tags (v2.1.20, v2.1.20-debian, alpine, debian, latest) with poisoned versions and published counterfeit v2.1.21 / v2.1.21-debian tags. The modified KICS binary harvests secrets from any IaC files it scans and exfiltrates to audit.checkmarx[.]cx. Related Open VSX extensions cx-dev-assist (1.17.0, 1.19.0) and ast-results (2.63.0, 2.66.0) were also flagged for fetching and executing remote code via the Bun runtime.

  2. xinference PyPI Compromise, What to Do If You Installed It

    Three xinference releases (2.6.0, 2.6.1, 2.6.2) were trojanized on PyPI with code in __init__.py that runs on every import. The payload harvests SSH keys, Git credentials, AWS material (IMDS, Secrets Manager, SSM), Kubernetes tokens, Docker auth, .env files, and TLS keys, exfiltrating to whereisitat[.]lucyatemysuperbox[.]space. Attribution to TeamPCP is contested.

  3. Lovable BOLA Exposure, What to Do If You Built an App on Lovable

    A researcher disclosed a Broken Object Level Authorization flaw in Lovable's /projects/{id}/* endpoints that reportedly allowed unauthenticated access to source code, chat history with embedded secrets, and Supabase service keys for projects created before approximately November 2025. Lovable disputed the framing and has not, based on public sources reviewed, published a formal incident bulletin.

  4. Vercel × Context.ai OAuth Supply-Chain Breach, What to Do as a Vercel Customer

    A compromise of Context.ai (per Hudson Rock, traced to a Lumma Stealer infection on a Context.ai employee's machine, originating from a Roblox cheat download) led to OAuth-token abuse against a Vercel employee's Google Workspace via Context.ai's Chrome extension, followed by enumeration and decryption of customer environment variables that were not marked sensitive. Vercel's April 23 update expanded customer notifications after a broader log review and flagged additional accounts with prior, independent compromise.