{"id":106364,"date":"2026-01-15T18:54:59","date_gmt":"2026-01-15T16:54:59","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=106364"},"modified":"2026-02-27T20:38:02","modified_gmt":"2026-02-27T18:38:02","slug":"last-week-in-appsec-for-15-january-2026","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/","title":{"rendered":"Last Week in AppSec for 15. January 2026"},"content":{"rendered":"<style type=\"text\/css\">@import url(\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/styles\/vs2015.min.css\");@font-face{font-family:'Hack';src:url('https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/hack-font\/3.3.0\/web\/fonts\/hack-regular-subset.woff2') format('woff2')}:root{--code-font:'Hack','Menlo','Consolas',monospace !important;--code-bg:#1e1e1e;--code-color:#0c1;--code-dim:#071;--text-color:#121185;--highlight-color:#f8ff91;--highlight-color-alt:#736ca0}article.content{max-width:100% !important;min-width:80% !important;width:99% !important}.wp-block-code code{text-wrap:nowrap !important}figure{margin-top:1.5rem;margin-bottom:1.5rem}p.caption,figcaption{font-size:1rem !important;font-style:italic !important;color:var(--code-dim) !important}p.caption *,figcaption *{font-size:inherit !important}div.callout{max-width:80% !important;padding-top:.5rem;padding-bottom:.5rem;margin-top:1rem;margin-bottom:1rem;display:block;margin-left:10%;border-top:.3rem solid #121185;border-bottom:.3rem solid #121185}div.callout p{font-size:x-large;text-align:left;font-weight:bold}.cxzero-video-include{display:block;max-width:1920px;width:100%;padding-top:1rem;padding-bottom:1rem}.cxzero-video-include video{display:block;padding:.5rem;background-color:var(--code-bg);width:98%;object-fit:cover}pre.wp-block-code,pre.highlighted-code,pre.sourceCode,pre{border:1px solid 
var(--code-color);width:90%;background-color:var(--code-bg);color:var(--code-color);margin:1em;padding:2em;overflow-x:scroll;font-family:var(--code-font);font-size:10.5pt;line-height:1.1em;text-wrap:nowrap !important;box-shadow:5px 5px 13px 0 var(--code-bg)}* kbd,* code,* tt{font-family:var(--code-font);padding-inline:.5em;color:var(--code-dim);font-size:85%}pre code{color:var(--code-color);font-size:90%}pre.highlighted-code span{font-family:var(--code-font);font-size:10.5pt;color:var(--code-color)}pre.highlighted-code span.comment{font-style:italic;color:var(--code-dim)}pre.highlighted-code span.keyword,pre.highlighted-code span.preproc{font-weight:bold;font-style:oblique}blockquote,blockquote *{font-size:1.375rem !important;font-style:italic !important}blockquote{border-left:.1rem solid;padding-left:1rem}mark,mark *{background-color:var(--highlight-color) !important}mark.ai-content,mark.ai-content *{background-color:var(--highlight-color-alt) !important;color:#fff !important}.cxzero-cve-block{border:1px solid var(--code-color,#0c1);padding:.5rem;p{padding:0;margin:0}span.vulndesc{display:block;font-size:.9rem;font-weight:400;font-style:italic}span.cvss::before{content:\"  \"}span.cvss{background:#fe0}span.cvss.critical{background:#c00;color:#eee}span.cvss.high{background:#ffac1c;color:#0015ff}span.vector::before{content:\"\u25b8\"}span.vector,span.vector *{overflow-wrap:break-word;font-family:var(--code-font);font-size:10pt}.kev{display:block;font-weight:bold}.kev::before{content:\"\u203c\ufe0f\"}}.print-source-info{display:none}@media print{.header,.header *,.article-nav,.article-nav *,.aticle-nav,.aticle-nav *,.section_latest,.section-latest *,footer,footer *,.section-menu-page,.section-menu-page *,.top-menu,.top-menu *,.top-menu__container,.top-menu__container *,.section-zero-article,.section-zero-article *{display:none}@page{margin:13mm !important}.section-aticle-header__image-or-video{max-width:125mm}.print-source-info{display:block;border-left:.2rem solid 
#000;font-style:italic !important;font-size:85%;padding-left:1rem}}<\/style> <script src=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/highlight.min.js\" integrity=\"sha512-EBLzUL8XLl+va\/zAsmXwS7Z2B1F9HUHkZwyS\/VKwh3S7T\/U0nF4BaU29EP\/ZSf6zgiIxYAnKLu6bJ8dqpmX5uw==\" crossorigin=\"anonymous\" referrerpolicy=\"no-referrer\"><\/script> <script>hljs.highlightAll();<\/script> \n\n\n\n<p class=\"print-source-info\"><script>document.write(\"Copyright Checkmarx, all rights reserved. Retrieved \"+new Date().toLocaleDateString()+\" from<br\/>\"+window.location.href);<\/script><noscript>This document copyright Checkmarx, all rights reserved.<\/noscript><\/p>\n\n\n\n<p>\n  In this edition of <em>Last Week In AppSec<\/em>, the theme is \u201cdev tooling\u201d:\n<\/p>\n<ul>\n  <li>\n    The Sigstore <code>cosign<\/code> system fails to properly validate signature\n    audit log, reducing safety\n  <\/li>\n  <li>\n    The <code>pnpm<\/code> package manager is missing some important integrity\n    checks on remote dependencies in lockfiles\n  <\/li>\n  <li>\n    <strong>n8n<\/strong>, a popular AI-driven automation platform, struggles\n    with webhooks complexity, leading to authorization bypasses and even an\n    <abbr title=\"Remote Code Execution\">RCE<\/abbr>\n  <\/li>\n<\/ul>\n<h2 id=\"sigstore-cosign-patches-bug-that-would-allow-audit-log-spoofing\" class=\"article-anchor\">\n  Sigstore Cosign patches bug that would allow audit log spoofing\n<\/h2>\n<div id=\"CVE-2026-22703\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2026-22703\/\" class=\"vulnid\">CVE-2026-22703<\/a>\n    <span class=\"cvss\">CVSS v3.1 =5.5<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3-1#CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:N\">CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:N<\/a><\/span>\n    <span class=\"vulndesc\">Cosign verification accepts any valid Rekor 
entry under certain\n      conditions<\/span>\n  <\/p>\n<\/div>\n<p>\n  The <a href=\"https:\/\/www.sigstore.dev\/\">Sigstore<\/a> system uses a\n  <code>cosign<\/code> tool to generate and check signatures, allowing consumers\n  of applications and components to verify the integrity by both checking that a\n  signature is valid and verifying an audit log. Versions of cosign 2.6.x (prior to\n  2.6.2) or 3.0.x (prior to 3.0.4) would verify integrity even when the Rekor\n  audit log didn\u2019t have a complete association to the signature it was checking.\n<\/p>\n<p>\n  Essentially, this lowered the difficulty for attackers to create forged\n  signatures. An attacker would still need to compromise a legitimate\n  maintainer\u2019s identity and signing keys, though, so there\u2019s no cause for panic.\n<\/p>\n<p>\n  Still,\n  <a href=\"https:\/\/docs.sigstore.dev\/logging\/overview\/\">the \u201cRekor\u201d component of Sigstore<\/a>\n  that provides audit logging is an important part of Sigstore\u2019s strength. It\n  raises the difficulty of some kinds of signature forging by providing an\n  immutable log: think of it as a sort of \u201cnotary public\u201d for the signing of\n  artifacts. So if you\u2019re relying on <code>cosign<\/code> to verify containers,\n  binaries, and so on? You should make it a priority to make sure you\u2019re using\n  an up-to-date version.\n<\/p>\n<p>In summary, I recommend:<\/p>\n<ul>\n  <li>\n    if you\u2019re using <code>cosign<\/code> to verify things prior to builds or\n    deployments, place a high priority on making sure you\u2019re using a patched\n    version. For most organizations, this isn\u2019t a \u201cdrop everything and patch\u201d\n    scenario, but make sure it happens promptly!\n  <\/li>\n  <li>\n    if you\u2019re using Sigstore \u2013 the public repository or your own private one \u2013\n    for artifact signing, you should check the Rekor entries for your packages\n    to make sure they\u2019re correct. 
If you see one that\u2019s missing key IDs,\n    metadata, etc., then you may have been attacked and you should start a\n    response.\n  <\/li>\n<\/ul>\n<h2 id=\"supply-chain-integrity-protections-in-pnpm-can-be-bypassed\" class=\"article-anchor\">\n  Supply chain integrity protections in pnpm can be bypassed\n<\/h2>\n<div id=\"CVE-2025-69263\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2025-69263\/\" class=\"vulnid\">CVE-2025-69263<\/a>\n    <span class=\"cvss high\">CVSS v3.1 =7.5<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3-1#CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H\">CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H<\/a><\/span>\n    <span class=\"vulndesc\">pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies<\/span>\n  <\/p>\n<\/div>\n<p>\n  If you\u2019re using <strong>pnpm<\/strong> to manage your JavaScript\/TypeScript\n  dependencies, and you use its remote dependency feature (which allows you to\n  pull libraries your app uses from a <code>.tgz<\/code> tarball file [or\n  similar] on a web server at a URL the developer specifies), you should pay\n  attention to this one.\n<\/p>\n<p>\n  Essentially, the <code>pnpm<\/code> tool doesn\u2019t require any integrity data\n  for these remote dependencies in its lockfiles, which means that if an attacker\n  managed to serve an unexpected tarball to you, you\u2019d have no protection. An\n  attacker could do this in many ways, such as compromising the web server,\n  compromising DNS records to point to a server they control, and so on.\n<\/p>\n<p>\n  Starting with version <strong>10.26.0<\/strong>, <code>pnpm<\/code> now computes\n  integrity hashes for these remote dependencies, and checks them on\n  installation. If an attacker replaces a legitimate tarball with something\n  malicious, this should stop the installation. 
But, importantly,\n  <strong>after you patch, you must regenerate and commit new lockfiles<\/strong>; lockfiles generated with older pnpm versions will still <em>work<\/em>, but\n  they won\u2019t have the integrity protection in place, leaving you vulnerable.\n<\/p>\n<p>\n  Mitigation is possible, but painful. If you can\u2019t update pnpm, you should:\n<\/p>\n<ul>\n  <li>\n    stop using the feature (good luck if it\u2019s adopted widely in your org,\n    though)\n  <\/li>\n  <li>\n    or sandbox your builds and use secondary integrity systems to monitor\n    fetched dependencies\n  <\/li>\n<\/ul>\n<p>\n  The risk here is, thankfully, low for most organizations. But\n  <mark>if you have open-source projects that accept PRs from the public and use\n    pnpm, this is urgent to address<\/mark>. And in that case, don\u2019t just upgrade pnpm. Add a mandatory check to your PR\n  rules, before running <code>pnpm<\/code>, that looks at\n  <code>pnpm-lock.yaml<\/code> and stops the build if it finds a pattern like\n  this:\n<\/p>\n<div class=\"sourceCode\" id=\"cb1\">\n  <pre class=\"sourceCode yaml\"><code class=\"sourceCode yaml\"><span id=\"cb1-1\"><a href=\"#cb1-1\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"at\">remote-dynamic-dependency@http<\/span><span class=\"fu\">:\/\/example.com\/pkg.tgz<\/span><span class=\"kw\">:<\/span><\/span>\n<span id=\"cb1-2\"><a href=\"#cb1-2\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"at\">  <\/span><span class=\"fu\">resolution<\/span><span class=\"kw\">:<\/span><span class=\"at\"> <\/span><span class=\"kw\">{<\/span><span class=\"fu\">tarball<\/span><span class=\"kw\">:<\/span><span class=\"at\"> http:\/\/example.com\/pkg.tgz<\/span><span class=\"kw\">}<\/span><\/span>\n<span id=\"cb1-3\"><a href=\"#cb1-3\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"at\">  <\/span><span class=\"fu\">version<\/span><span class=\"kw\">:<\/span><span class=\"at\"> <\/span><span 
class=\"fl\">1.0.0<\/span><\/span><\/code><\/pre>\n<\/div>\n<p>The safe version of that looks like:<\/p>\n<div class=\"sourceCode\" id=\"cb2\">\n  <pre class=\"sourceCode yaml\"><code class=\"sourceCode yaml\"><span id=\"cb2-1\"><a href=\"#cb2-1\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"at\">remote-dynamic-dependency@http<\/span><span class=\"fu\">:\/\/example.com\/pkg.tgz<\/span><span class=\"kw\">:<\/span><\/span>\n<span id=\"cb2-2\"><a href=\"#cb2-2\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"at\">  <\/span><span class=\"fu\">resolution<\/span><span class=\"kw\">:<\/span><\/span>\n<span id=\"cb2-3\"><a href=\"#cb2-3\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"at\">    <\/span><span class=\"fu\">tarball<\/span><span class=\"kw\">:<\/span><span class=\"at\"> http:\/\/example.com\/pkg.tgz<\/span><\/span>\n<span id=\"cb2-4\"><a href=\"#cb2-4\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"at\">    <\/span><span class=\"fu\">integrity<\/span><span class=\"kw\">:<\/span><span class=\"at\"> sha512-....STUFF....<\/span><\/span>\n<span id=\"cb2-5\"><a href=\"#cb2-5\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"at\">  <\/span><span class=\"fu\">version<\/span><span class=\"kw\">:<\/span><span class=\"at\"> <\/span><span class=\"fl\">1.0.0<\/span><\/span><\/code><\/pre>\n<\/div>\n<p>\n  <mark>That is, if you don\u2019t have the <code>resolution.integrity<\/code> field for\n    a remote dependency, you should break the build.<\/mark>\n<\/p>\n<h2 id=\"ai-workflow-automation-tool-n8n-experiences-ni8mare-unauthenticated-file-access\" class=\"article-anchor\">\n  AI workflow automation tool n8n experiences \u201cni8mare\u201d: unauthenticated file\n  access\n<\/h2>\n<div id=\"CVE-2026-21858\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2026-21858\/\" class=\"vulnid\">CVE-2026-21858<\/a>\n    <span class=\"cvss critical\">CVSS v3.1 =10<\/span>\n    <span 
class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3-1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:N\">CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:N<\/a><\/span>\n    <span class=\"vulndesc\">n8n Vulnerable to Unauthenticated File Access via Improper Webhook\n      Request Handling<\/span>\n  <\/p>\n<\/div>\n<p>\n  One of the most useful features of\n  <a href=\"https:\/\/n8n.io\/\"><strong>n8n<\/strong><\/a> is its ability to use\n  webhooks to initiate actions and move data between various components.\n  Unfortunately, there\u2019s\n  <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2026-21858\/\">a pretty nasty weakness in some of those flows<\/a>.\n<\/p>\n<p>\n  The folks at Cyera have\n  <a href=\"https:\/\/www.cyera.com\/research-labs\/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858\">an excellent technical deep dive<\/a>\n  into this issue, so I\u2019ll just give you the highlights: an attacker can send a\n  request to a webhook that expects a file upload, tamper with the\n  <code>Content-Type<\/code> header, and trick that webhook into accessing files\n  on the server. And with some care, this potentially allows the attacker to\n  deploy and execute code remotely, which makes this CVE a potential RCE (Remote\n  Code Execution).\n<\/p>\n<p>\n  Now, you can do a <em>lot<\/em> to mitigate this, including not exposing n8n\n  webhooks to the public Internet (yes, I still capitalize it, even if that\n  shows my age). 
But if you must, then you really have to either work to update\n  this or, if you can\u2019t, add some validation on your edge devices (though this\n  is\u2026 challenging to maintain, so it\u2019s probably easier to just embrace the\n  upgrade pain).\n<\/p>\n<ul>\n  <li>If you expose n8n webhooks to untrusted networks, patch <em>now<\/em>.<\/li>\n  <li>\n    Otherwise, make sure you don\u2019t delay too much, and ensure you\u2019re closely\n    watching related infrastructure for signs of attack or compromise.\n  <\/li>\n<\/ul>\n<p>\n  I want to point out that the organization behind the n8n product has a\n  reputation for maintaining an outstanding security practice; but this goes to\n  show that there\u2019s no such thing as a perfect AppSec program.\n<\/p>\n\n\n\n\n<style type=\"text\/css\">.cxzero-social{margin-top:1em;padding-top:1em;border-top:1px solid #121086;border-bottom:1px solid #121086;padding-bottom:1em}.cxzero-social p{padding-top:.8em}.cxzero-social .cxzero-social-links{margin-left:.8em}.cxzero-social .social-link{margin-left:.6em}.cxzero-social .social-button{padding:.6em;margin:.2em .2em .2em .2em;white-space:nowrap}.cxzero-social .social-button svg,.cxzero-social .social-link svg{vertical-align:middle;height:1.3em}.cxzero-social .social-button a,.cxzero-social .social-link a{text-decoration:none !important}<\/style> <div class=\"cxzero-social\">\n<p> <span class=\"social-button\"><a class=\"social-action\" href=\"https:\/\/www.linkedin.com\/sharing\/share-offsite\/?url={url}\" onload=\"\"><svg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" alt=\"LinkedIn Icon\" viewbox=\"0 0 122.88 122.31\"><defs><style>.cls-1{fill:#0a66c2}.cls-1,.cls-2{fill-rule:evenodd}.cls-2{fill:#fff}<\/style><\/defs><title>linkedin-app<\/title>\n<path class=\"cls-1\" d=\"M27.75,0H95.13a27.83,27.83,0,0,1,27.75,27.75V94.57a27.83,27.83,0,0,1-27.75,27.74H27.75A27.83,27.83,0,0,1,0,94.57V27.75A27.83,27.83,0,0,1,27.75,0Z\"><\/path><path 
class=\"cls-2\" d=\"M49.19,47.41H64.72v8h.22c2.17-3.88,7.45-8,15.34-8,16.39,0,19.42,10.2,19.42,23.47V98.94H83.51V74c0-5.71-.12-13.06-8.42-13.06s-9.72,6.21-9.72,12.65v25.4H49.19V47.41ZM40,31.79a8.42,8.42,0,1,1-8.42-8.42A8.43,8.43,0,0,1,40,31.79ZM23.18,47.41H40V98.94H23.18V47.41Z\"><\/path><\/svg> Share on LinkedIn<\/a><\/span> <span class=\"social-button\"><a class=\"social-action\" href=\"https:\/\/bsky.app\/intent\/compose?text=I%20just%20read%20%22{title}%22%20from%20Checkmarx%20Zero%20{url}\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" alt=\"Bluesky Icon\" viewbox=\"0 0 511.999 452.266\"> <path fill=\"#0085FF\" fill-rule=\"nonzero\" d=\"M110.985 30.442c58.695 44.217 121.837 133.856 145.013 181.961 23.176-48.105 86.322-137.744 145.016-181.961 42.361-31.897 110.985-56.584 110.985 21.96 0 15.681-8.962 131.776-14.223 150.628-18.272 65.516-84.873 82.228-144.112 72.116 103.55 17.68 129.889 76.238 73 134.8-108.04 111.223-155.288-27.905-167.385-63.554-3.489-10.262-2.991-10.498-6.561 0-12.098 35.649-59.342 174.777-167.382 63.554-56.89-58.562-30.551-117.12 72.999-134.8-59.239 10.112-125.84-6.6-144.112-72.116C8.962 184.178 0 68.083 0 52.402c0-78.544 68.633-53.857 110.985-21.96z\"><\/path><\/svg> Share on Bluesky<\/a><\/span> <\/p>\n<p class=\"cxzero-social-links\">Follow <a href=\"\/zero\/\">Checkmarx Zero<\/a>: <span class=\"social-link\"><a class=\"social-con\" href=\"https:\/\/www.linkedin.com\/showcase\/checkmarx-zero\"><svg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" alt=\"Checkmarx Zero on LinkedIn\" viewbox=\"0 0 122.88 122.31\"><defs><style>.cls-1{fill:#0a66c2}.cls-1,.cls-2{fill-rule:evenodd}.cls-2{fill:#fff}<\/style><\/defs><title>linkedin-app<\/title>\n<path class=\"cls-1\" 
d=\"M27.75,0H95.13a27.83,27.83,0,0,1,27.75,27.75V94.57a27.83,27.83,0,0,1-27.75,27.74H27.75A27.83,27.83,0,0,1,0,94.57V27.75A27.83,27.83,0,0,1,27.75,0Z\"><\/path><path class=\"cls-2\" d=\"M49.19,47.41H64.72v8h.22c2.17-3.88,7.45-8,15.34-8,16.39,0,19.42,10.2,19.42,23.47V98.94H83.51V74c0-5.71-.12-13.06-8.42-13.06s-9.72,6.21-9.72,12.65v25.4H49.19V47.41ZM40,31.79a8.42,8.42,0,1,1-8.42-8.42A8.43,8.43,0,0,1,40,31.79ZM23.18,47.41H40V98.94H23.18V47.41Z\"><\/path><\/svg> <\/a><\/span> <span class=\"social-link\"><a class=\"social-icon\" href=\"https:\/\/bsky.app\/profile\/checkmarxzero.bsky.social\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" alt=\"Checkmarx Zero on Bluesky\" viewbox=\"0 0 511.999 452.266\"> <path fill=\"#0085FF\" fill-rule=\"nonzero\" d=\"M110.985 30.442c58.695 44.217 121.837 133.856 145.013 181.961 23.176-48.105 86.322-137.744 145.016-181.961 42.361-31.897 110.985-56.584 110.985 21.96 0 15.681-8.962 131.776-14.223 150.628-18.272 65.516-84.873 82.228-144.112 72.116 103.55 17.68 129.889 76.238 73 134.8-108.04 111.223-155.288-27.905-167.385-63.554-3.489-10.262-2.991-10.498-6.561 0-12.098 35.649-59.342 174.777-167.382 63.554-56.89-58.562-30.551-117.12 72.999-134.8-59.239 10.112-125.84-6.6-144.112-72.116C8.962 184.178 0 68.083 0 52.402c0-78.544 68.633-53.857 110.985-21.96z\"><\/path><\/svg> <\/a><\/span> <span class=\"social-link\"><a class=\"social-con\" href=\"https:\/\/x.com\/CheckmarxZero\"><svg alt=\"Checkmarx Zero on X\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" viewbox=\"0 0 512 462.799\"><path fill-rule=\"nonzero\" d=\"M403.229 0h78.506L310.219 196.04 512 462.799H354.002L230.261 301.007 88.669 462.799h-78.56l183.455-209.683L0 0h161.999l111.856 
147.88L403.229 0zm-27.556 415.805h43.505L138.363 44.527h-46.68l283.99 371.278z\"><\/path><\/svg> <\/a><\/span> <\/p> <script>function social_action_template(a){const b=encodeURIComponent(window.location.href);const c=document.querySelector(\"h1\");let headContent=(c==null?\"\":c.textContent);let processed=a.replace(\/\\{title\\}\/g,encodeURIComponent(headContent));processed=processed.replace(\/\\{url\\}\/g,b);return processed}var socialAction=document.getElementsByClassName(\"social-action\");console.log(socialAction);for(e=0;e<socialAction.length;e++){element=socialAction.item(e);console.log(element);element.href=social_action_template(element.href)};<\/script> <\/div>","protected":false},"excerpt":{"rendered":"<p>Potentially serious flaws, depending on your uses, in sigstore, n8n, and pnpm made last week in appsec all about tools in the software supply chain.<\/p>\n","protected":false},"author":137,"featured_media":106365,"template":"","zero-category":[1333],"zero-tag":[1069,1487,1342,1484,1485,1486],"class_list":["post-106364","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-security-news","zero-tag-appsec","zero-tag-cosign","zero-tag-last-week-in-appsec","zero-tag-n8n","zero-tag-pnpm","zero-tag-sigstore"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Last Week in AppSec for 15. 
January 2026 - Checkmarx<\/title>\n<meta name=\"description\" content=\"Potentially serious flaws, depending on your uses, in sigstore, n8n, and pnpm made last week in appsec all about tools in the software supply chain.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Last Week in AppSec for 15. January 2026 - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"Potentially serious flaws, depending on your uses, in sigstore, n8n, and pnpm made last week in appsec all about tools in the software supply chain.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T18:38:02+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-feature_2026-01-15_last-week-in-appsec.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/\",\"name\":\"Last Week in AppSec for 15. January 2026 - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-feature_2026-01-15_last-week-in-appsec.webp\",\"datePublished\":\"2026-01-15T16:54:59+00:00\",\"dateModified\":\"2026-02-27T18:38:02+00:00\",\"description\":\"Potentially serious flaws, depending on your uses, in sigstore, n8n, and pnpm made last week in appsec all about tools in the software supply chain.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-feature_2026-01-15_last-week-in-appsec.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-feature_2026-01-15_last-week-in-appsec.webp\",\"width\":2560,\"height\":1280,\"caption\":\"A graffiti-style image depicting n8n, pnpm, and cosign flaws\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world 
runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Last Week in AppSec for 15. January 2026 - Checkmarx","description":"Potentially serious flaws, depending on your uses, in sigstore, n8n, and pnpm made last week in appsec all about tools in the software supply chain.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/","og_locale":"en_US","og_type":"article","og_title":"Last Week in AppSec for 15. 
January 2026 - Checkmarx","og_description":"Potentially serious flaws, depending on your uses, in sigstore, n8n, and pnpm made last week in appsec all about tools in the software supply chain.","og_url":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-27T18:38:02+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-feature_2026-01-15_last-week-in-appsec.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/","url":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/","name":"Last Week in AppSec for 15. 
January 2026 - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-feature_2026-01-15_last-week-in-appsec.webp","datePublished":"2026-01-15T16:54:59+00:00","dateModified":"2026-02-27T18:38:02+00:00","description":"Potentially serious flaws, depending on your uses, in sigstore, n8n, and pnpm made last week in appsec all about tools in the software supply chain.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/last-week-in-appsec-for-15-january-2026\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-feature_2026-01-15_last-week-in-appsec.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/cxzero-feature_2026-01-15_last-week-in-appsec.webp","width":2560,"height":1280,"caption":"A graffiti-style image depicting n8n, pnpm, and cosign flaws"},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/106364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/106365"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=106364"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=106364"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=106364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}