{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dependency-confusion/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-45539"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apm"],"_cs_severities":["high"],"_cs_tags":["symlink","file-disclosure","apm-cli","dependency-confusion"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA vulnerability exists in the \u003ccode\u003eapm-cli\u003c/code\u003e tool (versions 0.5.4 through 0.12.4) where symbolic links within APM packages are mishandled during the installation process. Specifically, when an APM package containing symlinks under the \u003ccode\u003e.apm/prompts/\u003c/code\u003e or \u003ccode\u003e.apm/agents/\u003c/code\u003e directories is installed, the \u003ccode\u003eapm install\u003c/code\u003e command dereferences these symlinks. This leads to the contents of the linked files being copied into the project\u0026rsquo;s deployment directories. This vulnerability, identified as CVE-2026-45539, allows a malicious APM package author to potentially disclose sensitive file contents from the system running the \u003ccode\u003eapm install\u003c/code\u003e command if the user running the command has read access to them. The issue stems from the \u003ccode\u003ePromptIntegrator\u003c/code\u003e and \u003ccode\u003eAgentIntegrator\u003c/code\u003e classes, which lack proper symlink handling.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious APM package.\u003c/li\u003e\n\u003cli\u003eThe package includes a symbolic link within the \u003ccode\u003e.apm/agents/\u003c/code\u003e or \u003ccode\u003e.apm/prompts/\u003c/code\u003e directory. The symlink points to a sensitive file on the victim\u0026rsquo;s system (e.g., \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/proc/self/environ\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker publishes this malicious package to a repository or otherwise distributes it to victims.\u003c/li\u003e\n\u003cli\u003eVictim adds the malicious package as a dependency in their \u003ccode\u003eapm.yml\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eVictim runs the \u003ccode\u003eapm install\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eapm install\u003c/code\u003e command clones the package and, due to vulnerable code in \u003ccode\u003ePromptIntegrator\u003c/code\u003e or \u003ccode\u003eAgentIntegrator\u003c/code\u003e, dereferences the symbolic link.\u003c/li\u003e\n\u003cli\u003eThe content of the file pointed to by the symlink is copied into the victim project\u0026rsquo;s deployment directories (e.g., \u003ccode\u003e.github/\u003c/code\u003e, \u003ccode\u003e.claude/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the disclosed file content, potentially leading to credential theft or other unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-45539) leads to arbitrary file content disclosure. An attacker can craft a malicious APM package to read and exfiltrate the content of any file readable by the user running the \u003ccode\u003eapm install\u003c/code\u003e command. The observed result is that the files in the deploy directories will contain the content of the linked file. This could include sensitive information like environment variables, configuration files, or even credentials. This allows the attacker to perform lateral movement or privilege escalation within the victim\u0026rsquo;s environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix provided in the advisory by routing affected finders through the existing safe helper (\u003ccode\u003eBaseIntegrator.find_files_by_glob()\u003c/code\u003e) to mitigate CVE-2026-45539.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect APM CLI Installation with Suspicious Symlink Targets\u0026rdquo; to identify attempts to exploit this vulnerability via \u003ccode\u003eprocess_creation\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eImplement the optional defense-in-depth measures suggested in the advisory, such as raising an exception on \u003ccode\u003esource.is_symlink()\u003c/code\u003e within \u003ccode\u003ecopy_prompt\u003c/code\u003e, \u003ccode\u003ecopy_agent\u003c/code\u003e, \u003ccode\u003e_write_codex_agent\u003c/code\u003e, and \u003ccode\u003e_write_windsurf_agent_skill\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003eTreat any symlink under a dependency\u0026rsquo;s \u003ccode\u003e.apm/\u003c/code\u003e tree as a security finding during scanning.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T13:27:19Z","date_published":"2026-05-18T13:27:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apm-symlink-disclosure/","summary":"A vulnerability in the `apm-cli` tool allows a malicious APM package to include symlinks that, when installed, can lead to file-content disclosure, by dereferencing symlinks under `.apm/prompts/` and `.apm/agents/` during `apm install`, and copying host-local file contents into the project tree.","title":"APM CLI Symlink Vulnerability Leads to File Content Disclosure (CVE-2026-45539)","url":"https://feed.craftedsignal.io/briefs/2026-05-apm-symlink-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Dependency-Confusion","version":"https://jsonfeed.org/version/1.1"}