SecurityHorrors is a simple blog where you can read security horror stories: breaches, outages, leaked keys, painful misconfigurations, and the postmortems nobody wants to star in. Yikes!
Made by Andras, who is working on several open-source projects, including Coolify and Jean, and many other things at coolLabs.
Posts
22 May 2026
Megalodon: 5,561 Repos Swallowed in Six Hours
TLDR and details on the Megalodon supply chain attack mass-backdooring GitHub repositories via malicious CI/CD workflow commits.
22 May 2026
Chromium: The Tab That Never Really Closed
TLDR and details on a Chromium vulnerability allowing attackers to run JavaScript in the background even after the browser is closed.
22 May 2026
BIND 9: Three Cracks in the Resolver Wall
TLDR and affected version summary for three BIND 9 DNS resolver vulnerabilities causing denial of service via high CPU usage.
22 May 2026
Drupal: The Postgres Backdoor Query
TLDR and affected version summary for CVE-2026-9082, a SQL injection vulnerability in Drupal affecting PostgreSQL deployments.
20 May 2026
GitHub: The Extension That Opened the Vault
TLDR and impact summary for the GitHub internal repository breach caused by a malicious VS Code extension installed by a GitHub developer.
20 May 2026
Composer: Tokens Spilled on the CI Stage
TLDR and affected version summary for CVE-2026-45793, a Composer vulnerability that may expose GitHub authentication tokens in CI logs.
20 May 2026
NGINX njs: One Overflow to Crash Them All
TLDR and affected version summary for CVE-2026-8711, a heap buffer overflow in NGINX JavaScript (njs) that can crash workers and may allow RCE.
19 May 2026
Mini Shai-Hulud: 639 Packages Deep and Still Burrowing
TLDR and affected package summary for the latest wave of the Mini Shai-Hulud npm supply-chain campaign targeting antv and echarts-for-react.
19 May 2026
Nx Console: One Stolen Token, One Poisoned Marketplace
TLDR and affected version summary for the Nx Console VS Code extension compromise via a contributor's leaked GitHub PAT.
19 May 2026
VoidStealer: Reaching Past Chrome's Encryption
TLDR and details on VoidStealer, an infostealer bypassing Chrome's App-Bound Encryption to extract credentials and session data.
14 May 2026
PostgreSQL: Eleven Stitches on a Quiet Afternoon
TLDR and affected version summary for the 11 CVEs patched in the May 14, 2026 PostgreSQL release.
14 May 2026
Fragnesia and ssh-keysign-pwn: Two More Bones Under the Kernel
TLDR and affected system summary for Fragnesia (CVE-2026-46300) and ssh-keysign-pwn (CVE-2026-46333).
14 May 2026
Shadow Supply: The Package That Stole Your Secrets
TLDR and affected version summary for the node-ipc npm supply-chain compromise.
13 May 2026
NGINX: Three Cracks in the Proxy Wall
TLDR and affected version summary for NGINX Rift, CVE-2026-42926, and CVE-2026-42946.
11 May 2026
Mini Shai-Hulud: The Package That Crawled Through CI
TLDR and affected package summary for the Mini Shai-Hulud npm and PyPI supply-chain campaign.
7 May 2026
React and Next.js: Thirteen Doors Left Open
TLDR and affected version summary for the May 2026 React and Next.js security advisories.
7 May 2026
Dirty Frag: Two Kernel Teeth Under the Floorboards
TLDR and affected system summary for Dirty Frag, CVE-2026-43284 and CVE-2026-43500.
1 May 2026
Bleeding Llama: The Local AI That Remembered Too Much
TLDR and affected version summary for CVE-2026-7482, the Bleeding Llama vulnerability in Ollama.
29 Apr 2026
CopyFail: Root Was Only 732 Bytes Away
TLDR and affected system summary for CVE-2026-31431, the Linux CopyFail local privilege escalation.