Research

hackerbot-claw Operation Review: Pull Requests as an Attack Vector in GitHub Actions

Executive Summary: In February 2026, an autonomous bot named hackerbot-claw exploited insecure GitHub Actions configurations across multiple high-profile repositories. The campaign abused unsafe pull_request_target triggers, unsanitized inputs, dynamic shell execution, and overprivileged GITHUB_TOKEN permissions to achieve remote code execution (RCE) in GitHub-hosted runners. Across at least six repositories, the bot successfully executed arbitrary commands, and […]

Research

Six CVEs in One Day: What’s Going On with n8n?

Executive Summary: In a single day, six vulnerabilities were disclosed in n8n, spanning remote code execution, command injection, arbitrary file access, and cross-site scripting. All six issues affect authenticated functionality and repeatedly break isolation between workflows, configuration, and the underlying host. This is not random disclosure noise; it’s a clear signal of systemic security weaknesses […]

Research

CVE-2026-1470: Remote Code Execution via n8n Expression Evaluation

Executive Summary: CVE-2026-1470 is a critical remote code execution (RCE) vulnerability in the n8n workflow automation platform. The flaw stems from unsafe evaluation of user-supplied workflow expressions, allowing authenticated users to execute arbitrary JavaScript code within the n8n runtime and fully compromise the instance. Exploitation requires low privileges, no user interaction, and impacts all unpatched […]

Research

From Compromise to Detection: Uncovering Azure Attacks with Upwind

In the past decade, the cloud revolution evolved into a major movement – one that introduced a new and complex attack surface. Attackers are increasingly targeting public cloud environments, leveraging misconfigurations and native cloud features to gain initial access, establish persistence, and achieve their malicious objectives. In this article, we dive into attack vectors in […]

Research

Critical Security Alert: Unauthenticated RCE in React CVE-2025-55182 & Next.js CVE-2025-66478

Two new critical vulnerabilities, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), were publicly disclosed today, impacting React and Next.js applications. These issues allow unauthenticated remote code execution under default framework configurations, requiring no special setup or developer mistakes. Testing confirms that even newly generated Next.js applications created with create-next-app and built for production are immediately vulnerable without […]
