home.social
Sign in Create account

#repo_poisoning — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #repo_poisoning, aggregated by home.social.

  1. hasamba @[email protected] ·

    ----------------

    🤖 Tool: MEDUSA — AI-first Security Scanner

    Overview

    MEDUSA is presented as an AI-first security scanner with more than 9,600 detection patterns focused on AI/ML applications, LLM agents, RAG pipelines, MCP servers and traditional codebases. The release v2026.5.0 emphasizes AI supply-chain coverage with a new Git scanning capability and repo poisoning detection.

    Key technical facts
    • Detection surface: 9,600+ AI security patterns targeting agent frameworks, MCP protocols, RAG components and editor/IDE config files.
    • CVE coverage: Product claims detection of 133 CVEs, with named detections including Log4Shell, Spring4Shell, XZ Utils backdoor, LangChain RCE, MCP remote code execution and React2Shell.
    • New rules: v2026.5.0 adds 45 attack rules for repo poisoning and 11 rules for MCP advanced attacks (schema poisoning, sampling injection, cross-server manipulation, Flowise RCE).
    • Repo poisoning specifics: Detection across 28+ AI editor and IDE file types (examples enumerated include Cursor, Cline, Copilot, Claude Code, Gemini CLI, Kiro, Codex CLI, Windsurf, Amazon Q, Roo Code).
    • Performance & outputs: Parallel processing for multi-core scanning, smart caching to skip unchanged files, and multiple export formats (JSON, HTML, Markdown, SARIF).

    Technical implications (reporting the release)

    The release documents a focused effort on AI supply-chain tactics: repo poisoning heuristics, editor-config weaponization, and MCP-targeted attack rules. The product adds path-relative FP filtering to reduce false positives when repo names previously matched heuristics. The Git scanning feature is described as a single-step repo analysis for supply-chain indicators.

    Constraints and scope

    The documentation frames MEDUSA as cross-platform (Windows/macOS/Linux) with IDE integrations and optional linter enhancements. The release notes list capabilities and detection counts; they do not provide operational deployment commands or step‑by‑step setup details.

    🔹 medusa #ai_security #repo_poisoning #log4shell #langchain

    🔗 Source: github.com/Pantheon-Security/m

    #langchain #log4shell #repo_poisoning #ai_security