Last Week in AppSec for 15. January 2026
ID: 051f2b3e-85a2-5cfb-86e7-e3b3b7f89163
STIX ID: report--051f2b3e-85a2-5cfb-86e7-e3b3b7f89163
Feed Name: Checkmarx Zero
This report summarizes three AppSec issues: a cosign bug in Sigstore that weakened Rekor audit-log verification and could allow forged signatures, a pnpm remote-dependency integrity gap that requires lockfile regeneration to gain protections against tampered tarballs, and a critical n8n webhook vulnerability (CVE-2026-21858) enabling unauthenticated file access and potential remote code execution; it highlights affected versions, mitigation steps, and urgency for patching.
