Symlink Following in APM Dependency Manager Enables Arbitrary File Read

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

Microsoft APM is a dependency manager for AI agents that suffered from a critical symlink-following vulnerability affecting versions 0.5.4 through 0.12.4. The flaw exists in two primitive integrators within apm-cli that enumerate package files using bare Path.glob() and Path.rglob() calls, then read matches via Path.read_text() without validating symlink targets. When a malicious APM dependency contains symbolic links placed in .apm/prompts/ or .apm/agents/ directories, these links are preserved during clone operations and dereferenced during integration, allowing attackers to exfiltrate arbitrary files from developer systems. This vulnerability affects anyone using APM to manage AI agent dependencies, particularly development teams integrating untrusted or compromised packages into their AI workflows.

Casky.ai's 261 mapped security skills enable detection of this vulnerability pattern through MITRE ATT&CK technique TA0043 (Resource Development) and TA0009 (Collection). Claude's extended reasoning identifies the CWE-59 (Improper Link Resolution Before File Access) and CWE-200 (Information Exposure) attack chain by analyzing file access patterns that follow symbolic links without proper validation. Practitioners using Casky would detect suspicious behaviors including: unexpected symlink creation in dependency directories, file read operations that traverse outside designated package boundaries, and access to sensitive system paths (.ssh, .aws, configuration files) through seemingly innocuous .prompt.md or .agent.md file access. The platform would flag the absence of path canonicalization checks and highlight where Path.resolve() or os.path.realpath() validation is missing before file operations.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-45539.

acquiring-disk-image-with-dd-and-dcfldd

digital forensics · low

Run

analyzing-apt-group-with-mitre-navigator

threat intelligence · low

Run

analyzing-browser-forensics-with-hindsight

digital forensics · low

Run

MITRE ATT&CK Techniques

TA0043 TA0009

Investigate the attack patterns behind CVE-2026-45539

Casky has 261 skills that investigate the attack patterns behind CVE-2026-45539. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn