Mar 22, 2026
Broken Cloud Update - 2026-03-22 16:14 UTC
"Agent skills" are just a shiny wrapper for the exact same supply chain garbage we've fought for a decade. Repojacking AI Marketplaces If your devs use AI agent development tools,
Mar 22, 2026
Passing the `silent=True` flag in ONNX Hub bypasses trust verification and exposes ML pipelines to unauthenticated models, while standard cloud environments remain full of overly permissive IAM trusts waiting to be enumerated. Silent
Mar 21, 2026
It's always a great realization when you discover your datastore doesn't actually check who's asking, and your auth service blindly trusts whatever token you hand it. Zero-Auth etcd
Mar 21, 2026
It's always a good day when we remember that custom regex filters and hardcoded default secrets are the load-bearing pillars of the internet. Regex Strikes Again Someone thought writing custom IP blocklists
Mar 21, 2026
Security tools are backdoored, storage gateways are leaking identities, and core crypto libraries are failing Cryptography 101. The Trivy Supply Chain Bait-and-Switch Trivy's official release pipeline got compromised. Version 0.69.4 is
Mar 20, 2026
Identity boundaries are dissolving and CLI tools are deciding security prompts are optional. Identity Perimeter Shells Oracle dropped an emergency patch for a critical 9.8 CVSS flaw in Identity Manager. If this appliance
Mar 20, 2026
Nothing like watching your pipelines get owned before the coffee kicks in. Langflow's Public Backdoor Langflow patched an old RCE but ignored their public flow builder. Unauth attackers can inject malicious pipelines
Mar 19, 2026
Another week of open-source tools handing out admin rights and hypervisors deciding your network traffic is optional. Langflow RCE Authenticated attackers can bypass lazy path validation in the Langflow v2 API to write arbitrary
Mar 19, 2026
Just once I'd like to review an architecture where config parsers don't hand out root and audio drivers don't compromise the hypervisor. Zero-Auth RCE by Default MCP Connect
Mar 19, 2026
It's incredible how many infrastructure takeovers start with a single missing string character or blind trust in an internal dashboard. The Missing Slash Bypass It turns out basic string matching is still
Mar 18, 2026
We spend millions on network boundaries just to watch firewalls hand out root and AI sandboxes tunnel data over DNS. Firewall Management Shells Interlock ransomware operators are actively chaining an unauthenticated zero-day (CVE-2026-20131) in
Mar 18, 2026
Nothing like watching an enterprise burn because someone forgot MFA for their fleet managers. The Single Sign-Out Lie Killed a compromised Entra ID session? The attacker is likely still camping out in AWS STS