Kickbacks.ai Security Review: VS Code Adware With a Payout Page
Kickbacks.ai security review and reverse engineering. This VS Code extension patches files, runs unsigned updates, and acts as adware. What businesses should know.
Practical security advice, industry-specific guides, and lessons from the field. No jargon, no fear tactics.
Kickbacks.ai security review and reverse engineering. This VS Code extension patches files, runs unsigned updates, and acts as adware. What businesses should know.
LiquidJS, a templating library with 7 million monthly downloads, lets attackers run any code on your server through a crafted template string. No login required. Public exploit available.
A single compromised account pushed malicious code to 42 repos across Microsoft and Azure GitHub orgs in under an hour. If you trust code because of who published it, that trust is now a liability.
A self-propagating worm is using a blind spot in npm's native build system to execute code the moment you install a package. No install scripts. No warnings. Just binding.gyp.
The token-checking campaign we warned about two weeks ago has entered phase two. Attackers are mass-cloning private repositories using stolen PATs. Your source code is walking out the door.
7 waves. 170+ packages. VS Code extensions. Jenkins plugins. A self-propagating worm. And they breached GitHub itself. Here's the full timeline of the most prolific supply chain campaign of 2026.
A 19-year-old flaw in how Linux handles SMB/CIFS file shares lets any local user become root. If your office uses shared drives on a Linux server, you need to patch today.
An unauthenticated CRLF injection in cPanel gives full root control. If your website runs on shared hosting, your host might already be compromised. CVSS 9.8.
LiteLLM, the proxy that manages your AI API keys, has a pre-auth SQL injection. CVSS 9.8. On CISA KEV. Exploited 36 hours after disclosure. Every API key it stores is compromised.
29 packages under the @redhat-cloud-services namespace were compromised with a self-propagating credential stealer. 80,000 weekly downloads. If Red Hat's packages aren't safe, neither are yours.
A use-after-free in Redis's Lua engine has been there since 2012. CVSS 10.0. Demonstrated at Pwn2Own. If your app uses Redis for caching or sessions, you need to check your version.
Ask ChatGPT to summarize a webpage and it might phish you. An attacker can embed invisible instructions in any page that hijack how ChatGPT renders the summary. Your IP leaks. Fake login links appear. Welcome to 2026.