
Every week we dig through hundreds of links from all over the web, and it’s often hard for developers to keep up. So, we thought we’d put together some links we couldn’t fit in the Dev Digest in what we call The Overflow.
This week, we’re looking at what’s been happening in the world of security, and have some hand-picked sources for you to check out if you want to learn more.
16 Zero-Days Found in PDF Platforms Using AI Agents
Security researchers at Novee used a human-AI swarm approach to uncover 16 zero-days across Foxit and Apryse PDF platforms, including one-click XSS and remote code execution via injected metadata. It’s a shocking reminder that PDFs are complex application stacks with a significant attack surface, and are not as simple as they might seem.
AI Safety Has One Year to Matter Before Markets Make It Irrelevant
With Anthropic and OpenAI both heading toward IPOs, investor Michael Dempsey argues there’s a narrow window — perhaps 12 months — to embed meaningful safety practices into the industry’s infrastructure, or else it’ll be too late. Once labs answer to public shareholders, market pressure is likely to make safety permanently secondary to speed.
🔗 Read on mhdempsey.substack.com
How a GitHub Issue Became a Poisoned npm Package
A prompt injection vulnerability in Cline’s AI triage bot, combined with GitHub Actions cache poisoning, allowed attackers to steal npm publish tokens and push a malicious package to around 4,000 developers before it was caught.
AirSnitch Bypasses Wi-Fi Client Isolation on Virtually Every Router
UC Riverside researchers have shown that WPA2 and WPA3 client isolation — the feature designed to stop devices on the same network attacking each other — is fundamentally broken. Every router tested was vulnerable to at least one attack variant, enabling full man-in-the-middle access on home and enterprise networks alike.
XSS: Still #1 on MITRE’s Threat List
Cross-site scripting has topped MITRE and CISA’s threat rankings for the third year running, with 7,303 CVEs — nearly double its closest competitor. It hasn’t left the top 4 since 2010, and Content Security Policy remains the best defence.
We hope you enjoyed this article, and be sure to check back again next week for more!