badbeat.dev - badbeat.dev

AI Security

When the AI Deals You a Marked Deck: Vibe Coding's npm Supply Chain Problem

The npm ecosystem absorbed four major supply-chain waves between September 2025 and May 2026. Vibe coding amplifies the blast radius. Here's the technical breakdown.

AI Security

When Prompt Injection Becomes RCE: Inside CVE-2026-26030

A single prompt. One eval() call. Host RCE. Inside CVE-2026-26030 — the Semantic Kernel bypass that turned an AI agent into a remote code execution primitive.

woocommerce

WooCommerce Security 2026: Lessons From a Brutal Year

WooCommerce stores faced a brutal 2025 — unauthenticated exploits, stealthy card skimmers, and thousands of unpatched plugins. Here's what happened and how to harden your store in 2026.

CVE Analysis

Cacti RCE to Docker Desktop Escape: Anatomy of a Two-CVE Kill Chain

Two CVEs — an authenticated Cacti RCE and an unauthenticated Docker Desktop escape — chain into a full host compromise in about six commands. Anatomy of the kill chain.