CodeBreach: AWS CodeBuild misconfiguration → full SDK takeover
Google weaponizes Net-NTLMv1 with rainbow tables
OpenCode CVSS 10.0 RCE (unauthenticated localhost server)
Svelte ecosystem: 5 CVEs DoS + XSS
Handling shell secrets without leaking to /proc
#AppSec
🪓 6-bug chain → pre-auth RCE in LogPoint SIEM
🪓 PassSeeds: hijacking passkeys for crypto beyond WebAuthn
🪓 Tailscale kills default TPM encryption
🪓 Malicious VS Code extensions in the wild
🪓 Notion AI prompt injection exfiltration
🪓 npm staged publishing post
#AppSec