Another day, another dependency betrayal.

🔐 AVideo CSRF Blob

admin/save.json.php has no CSRF protection. Logged‑in admin visits a malicious site → S3 keys, PayPal e‑mail, plugin config silently overwritten. A SameSite=None session cookie makes the forged request trivial. GHSA-4wwr-7h7c-chqr. Patch, or enforce CSRF tokens on the endpoint; rotate any stolen credentials.
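The token check the fix calls for, as an added illustration in Python rather than AVideo's PHP (this is not the project's code): `handle_save_config` is a hypothetical stand-in for an admin save endpoint, and the session and config dicts are constructed. The point it shows is that a forged cross-site POST still carries the session cookie, so the session resolves, but it cannot carry the per-session token, so the write is refused.

```python
import hmac
import secrets

# Constructed example: a stand-in for an admin "save config" endpoint.
# Only these methods change state and therefore need a token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session):
    """Return the session's CSRF token, creating a random one on first use.

    The token is embedded in the admin's own forms (hidden field); a page on
    another origin cannot read it, which is what makes the check work."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def csrf_check(session, method, submitted_token):
    """True if the request may proceed, False if it must be rejected."""
    if method.upper() not in STATE_CHANGING:
        return True
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    # Constant-time compare so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted_token)


def handle_save_config(session, config, method, form):
    """Hypothetical save handler: apply form fields to config only if the
    CSRF check passes. Returns an HTTP-style status code."""
    if not csrf_check(session, method, form.get("csrf_token")):
        return 403
    for key, value in form.items():
        if key != "csrf_token":
            config[key] = value
    return 200


if __name__ == "__main__":
    session = {}                       # what the session cookie would identify
    config = {"s3_secret": "old-secret"}
    token = issue_csrf_token(session)  # placed in the admin page's form

    # Forged request from a third-party site: the cookie is sent (SameSite=None),
    # so the session resolves, but the attacker's page cannot include the token.
    print(handle_save_config(session, config, "POST", {"s3_secret": "attacker"}))  # 403
    print(config["s3_secret"])  # old-secret

    # Legitimate submission from the admin UI carries the token.
    print(handle_save_config(session, config, "POST",
                             {"s3_secret": "rotated", "csrf_token": token}))  # 200
```

Setting the session cookie to SameSite=Lax or Strict is a useful second layer, but the token check is the fix that does not depend on browser behaviour.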

📁 Admidio .htaccess Theater

The Docker image runs Apache with AllowOverride None → the .htaccess deny rules are silently ignored, so uploaded files become publicly reachable. GHSA-7fh7-8xqm-3g88. Fix: rebuild from commit 5f770c1, or set AllowOverride All so the rules take effect, or move uploads out of the docroot. Those “restricted” files? Now public.
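The weak and corrected settings side by side, as an added Apache config example (constructed here, not Admidio's shipped vhost; the docroot and upload directory paths are placeholders):

```apache
# Constructed example. /var/www/html and /var/www/html/uploads are placeholders.

# Weak: with AllowOverride None, Apache never reads the .htaccess in the
# upload directory, so its "deny" rules have no effect and every upload is served.
<Directory /var/www/html>
    AllowOverride None
    Require all granted
</Directory>

# Fix A (what the advisory suggests): let .htaccess be honoured again.
<Directory /var/www/html>
    AllowOverride All
    Require all granted
</Directory>

# Fix B (stronger): deny the upload directory in the server config itself, so
# the protection no longer depends on a per-directory file being read.
<Directory /var/www/html/uploads>
    Require all denied
</Directory>
```

After rebuilding, confirm the fix from outside the container: a request for a known upload path should return 403, not 200. Moving uploads outside the docroot and serving them only through the application remains the cleanest option, since then no Apache setting can expose them.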

📦 Axios Hijack in K8s

Axios 1.14.1 & 0.30.4 shipped with a RAT for ~3 h. Any container images built during that window are likely beaconing. Reddit thread. Scan (trivy), drop the bad versions, block the C2 IPs, rotate secrets. Assume compromised.

🤖 Trivy Action Gone Rogue

A compromised Trivy GitHub Action stole CI/CD tokens & AWS keys from Cisco repos → source code and cloud theft. BleepingComputer. Rotate every token/key the Action touched, audit your Actions for the bad version, pin dependency versions. Blind trust = breach.

💻 Claude Code Poisoned Update

The same axios hijack reached Claude Code updaters via lockfiles. Threatroad post. Check lockfiles for axios 1.14.1 or 0.30.4, remove or downgrade, run npm audit, rotate any lifted credentials. Supply‑chain compromise slips in silently; stay paranoid.
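Both axios items above (the K8s images and the Claude Code lockfiles) come down to the same check: find the named versions anywhere in a lockfile, including transitive copies. This is an added Python example, not from any of the cited posts, that scans an npm package-lock.json in either the v1 nested layout or the v2/v3 flat "packages" layout. The two lockfiles are constructed inline; the v3 one shows a clean top-level axios masking a bad transitive copy.

```python
import json

# Versions named in the advisories above.
BAD_AXIOS = {"1.14.1", "0.30.4"}


def find_bad_axios(lock, bad=BAD_AXIOS):
    """Return a sorted list of (install path, version) for every axios entry
    whose version is in `bad`.

    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path)
    and lockfileVersion 1 (nested "dependencies"). Copies nested under another
    package's node_modules are reported too: a clean top-level axios does not
    prove the tree is clean."""
    hits = set()

    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/axios") and meta.get("version") in bad:
                hits.add((path, meta["version"]))
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == "axios" and meta.get("version") in bad:
                    hits.add((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")

    return sorted(hits)


def scan_file(path, bad=BAD_AXIOS):
    """Load a package-lock.json from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return find_bad_axios(json.load(fh), bad)


# Constructed sample lockfiles (not real projects).
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.6.8"},
        "node_modules/some-sdk": {"version": "2.0.0"},
        "node_modules/some-sdk/node_modules/axios": {"version": "0.30.4"},
    },
}

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.14.1"},
        "other": {
            "version": "3.1.0",
            "dependencies": {"axios": {"version": "1.6.8"}},
        },
    },
}


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for path, version in find_bad_axios(lock):
            print(f"{label}: {path} is axios {version}: rotate secrets and rebuild")
```

Run it over real projects with `scan_file("package-lock.json")`; yarn and pnpm lockfiles use different formats and need their own parser. A single hit means the build host and every image or release produced from it during the window should be treated as compromised, per the items above.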