If you’re working in #AppSec or #DevSecOps and want to streamline your operations, let’s talk — I’d love to introduce you!
4/4
Amazon’s AI Coding Assistant Compromised by Malicious Prompt!
In a chilling reminder of AI’s growing attack surface, a malicious prompt was quietly inserted into Amazon’s Q coding assistant via a pull request and told to wipe the user’s file system and AWS cloud resources. The rogue code instructed the AI to “clean a system to a near-factory state,” including running destructive AWS CLI commands.
Amazon has since removed the malicious version and released an update, but it's a good reminder that AI coding tools are only as secure as their supply chain and prompt filtering. Vet your extensions. Lock down access. And never assume “AI knows better.”
Heads up, developers! A major npm Registry security breach has compromised 847 packages. Social engineering gave attackers access to maintainer accounts. Stay vigilant!
#Cybersecurity #DevSecOps #npm
Leaked and Loaded: DOGE’s API Key Crisis
One leaked API key exposed 52 private LLMs and potentially sensitive systems across SpaceX, Twitter, and even the U.S. Treasury.
In this episode of Cyberside Chats, @sherridavidoff and @MDurrin break down the DOGE/XAI API key leak. They share how it happened, why key management is a growing threat, and what you should do to protect your organization from similar risks.
Watch the video: https://youtu.be/Lnn225XlIc4
Listen to the podcast: https://www.chatcyberside.com/e/api-key-catastrophe-when-secrets-get-leaked/
Missed one of my past conference talks? Let’s fix that.
I’m sharing my favorites—packed with real-world advice, lessons, and a few laughs.
“Security is Everybody’s Job” https://twp.ai/4ion6e
Missed one of my past conference talks? Let’s fix that.
I’m sharing my favorites—packed with real-world advice, lessons, and a few laughs.
“DevSecOps with OWASP DevSlop” https://twp.ai/4iofNZ
Have you heard? I'm giving my workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day" at NDC Porto this year! Super excited to experience this conference, share and learn with folks.
Hi y'all! New to infosec.exchange!
We're RSOLV - building automated security vulnerability detection + remediation (yes, a _fix_, not just a red flag)
While researching AI-generated code, we discovered something wild: 19.6% of AI package suggestions don't exist. Hackers are pre-registering them.
Traditional scanners miss this completely. We detect AND fix it.
Learn how Windows manages authentication, access control, and resource permissions with clarity and precision.
This book offers hands-on PowerShell examples that guide you through key internals like the Security Reference Monitor, SAM, and Kerberos—ideal for researchers, defenders, and developers.
We also discuss Dustin’s new venture, Katilyst (https://twp.ai/9PSJTv), a new startup focused on empowering engineering teams to take ownership of security in a practical, scalable way.
#RSAC2025 #SecurityChampions #Katilyst #AppSec #DevSecOps
2/2
AI tools in code: 55-89% productivity gains, but caution is advised!
At https://bit.ly/44roKZp I have tried to show how AI could be used securely in software development, from technical safeguards to governance frameworks.
Mega research with 200+ pages of references, ISO standards and practical examples from BMW to GitHub!
What are your experiences with AI code tools?
#KISicherheit #SoftwareEntwicklung #DevSecOps #AI #TechGermany
Non-Human Identities: The Hidden Risk in Your Stack
Non-human identities (NHIs)—like API keys, service accounts, and OAuth tokens—now outnumber human accounts in many enterprises. But are you managing them securely? With 46% of organizations reporting compromises of NHI credentials just this year, it’s clear: these powerful, often-overlooked accounts are the next cybersecurity frontier.
Read The Hacker News article for more details: https://thehackernews.com/2025/06/the-hidden-threat-in-your-stack-why-non.html
Are you reviewing your NPM dependencies for malicious code? #devsecops #appsec #npm
https://www.scworld.com/news/complex-npm-attack-uses-7-plus-layers-of-obfuscation-to-spread-pulsar-rat
Looking for a remote position in #OpenSource? Browse hundreds of jobs in technical and non-technical roles on #OSJH
https://opensourcejobhub.com/jobs/?q=remote&utm_source=mosjh
#career #sysadmin #engineer #sales #security #marketing #developer #DevSecOps #SRE #FOSS
AI Coding Assistants Can be Both a Friend & a Foe
New research shows that GitLab's AI assistant, Duo, can be tricked into writing malicious code and even leaking private source data through hidden instructions embedded in developer content like merge requests and bug reports.
How? Through a classic prompt injection exploit that inserts secret commands into code that Duo reads. This results in Duo unknowingly outputting clickable malicious links or exposing confidential information.
While GitLab has taken steps to mitigate this, the takeaway is clear: AI assistants are now part of your attack surface. If you’re using tools like Duo, assume all inputs are untrusted, and rigorously review every output.
Read the details: https://arstechnica.com/security/2025/05/researchers-cause-gitlab-ai-developer-assistant-to-turn-safe-code-malicious/
Hey, has anyone any examples of bad / vulnerable GitHub action workflows?
Studying for an interview.