UNPWNED SECURITY BLOG
Ship secure,
not sorry.
Guides, checklists, and real-world security fixes for developers who build fast and ship often.
VS Code Zero-Day Lets Attackers Steal GitHub Tokens in One Click
A newly disclosed VS Code zero-day vulnerability allows attackers to steal GitHub authentication tokens by tricking developers into clicking a single malicious link.
WP Maps Pro Bug Exploited to Create Admin Accounts on WordPress Sites
A vulnerability in the WP Maps Pro WordPress plugin is being actively exploited to create unauthorized admin accounts. Here is what small teams need to know.
Kimsuky Uses HTTPSpy and VS Code Tunnels in Targeted Attacks on Military and Corporate Networks
North Korean state actor Kimsuky has expanded its toolkit with HTTPSpy and HelloDoor malware, and is abusing VS Code Tunnels to blend into developer environments.
KnowledgeDeliver Zero-Day Exploited to Plant Web Shells on LMS Servers
Attackers exploited a critical unpatched flaw in the KnowledgeDeliver LMS to deploy the Godzilla web shell, giving them persistent backdoor access to compromised servers.
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io
A coordinated attack campaign named TrapDoor planted credential-stealing malware across npm, PyPI, and Crates.io in over 34 packages and 384 versions starting May 22, 2026.
CISA Flags Actively Exploited Vulnerabilities in Langflow and Trend Micro Apex One
CISA added two actively exploited vulnerabilities to its KEV catalog, including a critical flaw in the Langflow AI platform. Here is what small teams need to know.
Grafana GitHub Breach Exposes Source Code via TanStack npm Attack
Grafana Labs confirmed a breach limited to its GitHub environment after a compromised TanStack npm package exposed public and private source code repositories.
Pwn2Own Berlin 2026: Researchers Earned $1.3 Million Exploiting 47 Zero-Days
Security researchers collected $1,298,250 at Pwn2Own Berlin 2026 by exploiting 47 zero-day vulnerabilities. Here is what the results mean for small teams.
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Microsoft disclosed CVE-2026-42897, an actively exploited spoofing flaw in on-premises Exchange Server rooted in a cross-site scripting bug, rated CVSS 8.1.
US Congress Demands Answers After ShinyHunters Breach Hits Canvas Learning Platform
ShinyHunters breached Instructure's Canvas platform twice, stealing student data and disrupting schools during final exams. Now Congress wants answers from the company.
Hackers Abuse Google Ads and Claude.ai Chats to Deliver Mac Malware
Attackers are using Google Ads and legitimate Claude.ai shared chat URLs to trick Mac users into installing malware. Here is what happened and how to protect yourself.
Canvas Breach Disrupts Schools and Colleges Nationwide
A data extortion attack hit Canvas, the widely used education platform, defacing its login page and threatening to leak data on 275 million students and faculty.
Quasar Linux Malware Targets Software Developers with Rootkit and Credential-Stealing Capabilities
A new Linux implant called Quasar Linux is targeting developers with rootkit, backdoor, and credential-stealing features. Here is what you need to know.
Instructure Confirms Data Breach as ShinyHunters Claims Responsibility
Educational tech company Instructure has confirmed a data breach after the ShinyHunters extortion group claimed the attack. Here is what developers should know.
Bluekit Phishing Service Bundles AI Assistant and 40 Attack Templates
A new phishing-as-a-service tool called Bluekit lowers the bar for attackers with 40+ brand templates and an AI assistant for writing convincing lures.
LiteLLM CVE-2026-42208: A Critical SQL Injection Exploited Within 36 Hours
A critical SQL injection flaw in the popular LiteLLM Python package was exploited in the wild within 36 hours of public disclosure. Here is what developers need to know.
American Utility Firm Itron Discloses Breach of Internal IT Network
Itron filed an SEC 8-K disclosing unauthorized access to internal systems. Here is what happened and what small teams can learn from this incident.
Hackers Exploit File Upload Bug in Breeze Cache WordPress Plugin
A critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin is being actively exploited. Here is what small teams need to know and do now.
Over 1,300 SharePoint Servers Remain Vulnerable to Active Spoofing Attacks
More than 1,300 Microsoft SharePoint servers are still unpatched against a spoofing flaw that was first exploited as a zero-day and remains under active attack.
French Government Agency Confirms Breach as Hacker Sells Citizen Data
France Titres, the agency that issues French identity documents, confirmed a data breach after a threat actor claimed responsibility and began selling stolen citizen data online.
Next.js Middleware Auth Bypass: What CVE-2025-29927 Means for Your Site
A critical Next.js vulnerability lets attackers skip middleware auth checks by sending a single HTTP header. If your site relies on middleware for route protection, this is the first thing to patch.
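A quick way to confirm whether a self-hosted deployment is still exposed, as an added example that is not code from this blog or from the Next.js project: CVE-2025-29927 was fixed in Next.js 15.2.3, 14.2.25, 13.5.9 and 12.3.5, and the script below compares an installed version against those floors, treating a prerelease of the fixed version as unpatched (semver orders `15.2.3-canary.0` below `15.2.3`). The `node_modules/next/package.json` path is an assumption about a standard npm layout; pass a version string directly if your layout differs.

```python
"""Decide whether an installed Next.js version is patched for CVE-2025-29927.

Added example; not code from the Unpwned blog or the Next.js project.
Fixed versions follow the Next.js advisory (15.2.3, 14.2.25, 13.5.9, 12.3.5).
The node_modules path below is an assumption about a typical project layout.
"""
import json
import re
from pathlib import Path
from typing import Optional, Tuple

# Version tuples are (major, minor, patch, rel) with rel = 0 for a prerelease
# and 1 for a final release, so "15.2.3-canary.0" sorts below "15.2.3".
Version = Tuple[int, int, int, int]

# Lowest patched release per major. Major 11 (from 11.1.4) never received a
# backport; majors after 15 were released with the fix already in place.
FIXED = {12: (12, 3, 5, 1), 13: (13, 5, 9, 1), 14: (14, 2, 25, 1), 15: (15, 2, 3, 1)}
FIRST_AFFECTED: Version = (11, 1, 4, 0)

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_version(v: str) -> Version:
    """Parse '15.2.3', 'v13.5.9' or '14.2.25-canary.3' into a sortable tuple."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_vulnerable(version: str) -> Tuple[bool, str]:
    """Return (vulnerable, reason) for a Next.js version string."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False, "predates the affected range"
    floor = FIXED.get(v[0])
    if floor is None:
        if v[0] > max(FIXED):
            return False, "released after the fix"
        return True, "no patched release for this major; upgrade"
    if v >= floor:
        return False, "at or above patched release %d.%d.%d" % floor[:3]
    return True, "below patched release %d.%d.%d" % floor[:3]


def installed_next_version(project_dir: str = ".") -> Optional[str]:
    """Read the installed version from node_modules/next/package.json.

    Assumes a standard npm layout (an assumption for this example);
    returns None when the file is not present.
    """
    pkg = Path(project_dir) / "node_modules" / "next" / "package.json"
    if not pkg.is_file():
        return None
    return json.loads(pkg.read_text())["version"]


if __name__ == "__main__":
    # Fall back to a constructed sample version when run outside a project.
    ver = installed_next_version() or "15.2.2"
    vuln, why = is_vulnerable(ver)
    print(f"next@{ver}: {'VULNERABLE' if vuln else 'ok'} ({why})")
```

The check only tells you whether the package is patched; apps that do not use middleware for authorization are not affected by this bug, and a self-hosted app that cannot upgrade immediately should strip the `x-middleware-subrequest` header at the reverse proxy so external clients cannot supply it.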
How to Fix Exposed .env Files Before Hackers Find Them
Your .env file contains your database password, API keys, and secrets. Here is how to check if it is exposed and fix it in 5 steps.
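The exposure check that entry promises, as an added example rather than code from this blog: fetch `/.env` from a site you own and decide whether what came back is really a dotenv file. The classifier is separate from the fetch so it can be exercised offline, and it handles the common false positive of a server that answers every unknown path with a 200 HTML page. Function names and the two sample bodies are constructed for this example.

```python
"""Classify whether an HTTP response for /.env looks like a leaked dotenv file.

Added example for this index entry; not code from the Unpwned blog. Function
names and the sample responses at the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# KEY=value on its own line, optionally preceded by "export "
DOTENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")
# Key names that indicate an actual secret is in the file
SENSITIVE = re.compile(r"(PASS|SECRET|TOKEN|KEY|DATABASE_URL|DSN)", re.I)


@dataclass
class Verdict:
    exposed: bool
    reason: str
    sensitive_keys: List[str] = field(default_factory=list)


def classify_env_response(status: int, content_type: str, body: str,
                          min_keys: int = 2) -> Verdict:
    """Decide from status, Content-Type and body whether a dotenv file leaked."""
    if status != 200:
        return Verdict(False, f"HTTP {status}")
    # Soft-404s: many servers return 200 with a custom HTML "not found" page.
    if "html" in content_type.lower() or body.lstrip()[:1] == "<":
        return Verdict(False, "HTML body, not a dotenv file")
    keys = []
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are legal in .env files
        m = DOTENV_LINE.match(line)
        if m:
            keys.append(m.group(1))
    if len(keys) < min_keys:
        return Verdict(False, f"only {len(keys)} KEY=value line(s)")
    sensitive = [k for k in keys if SENSITIVE.search(k)]
    return Verdict(True, f"{len(keys)} KEY=value lines", sensitive)


def probe_dotenv(base_url: str, timeout: float = 5.0) -> Verdict:
    """Fetch <base_url>/.env and classify it. Only run against hosts you own."""
    url = base_url.rstrip("/") + "/.env"
    req = Request(url, headers={"User-Agent": "dotenv-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")  # cap the read
            return classify_env_response(resp.status,
                                         resp.headers.get("Content-Type", ""),
                                         body)
    except HTTPError as e:
        return classify_env_response(e.code, "", "")
    except URLError as e:
        return Verdict(False, f"request failed: {e.reason}")


# Constructed sample responses for offline use
LEAKED = ("APP_ENV=production\nDB_PASSWORD=hunter2\n"
          "STRIPE_SECRET_KEY=sk_live_placeholder\n# comment\nDEBUG=false\n")
SOFT_404 = "<!DOCTYPE html><html><body>Page not found</body></html>"

if __name__ == "__main__":
    print(classify_env_response(200, "text/plain", LEAKED))
    print(classify_env_response(200, "text/html", SOFT_404))
```

A positive verdict means the web server is serving the file as a static asset; the fix is to deny dotfiles at the server or framework level and to rotate every secret the file contains, since you cannot know who already fetched it.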
7 Security Mistakes AI Code Generators Make (and How to Fix Them)
AI-generated code is 2.74x more likely to have security flaws. These are the 7 most common mistakes and how to catch them.
The Web Security Checklist Every Indie Hacker Needs
15 security checks grouped by category. SSL, headers, secrets, auth, and database. Covers everything you need before shipping.