A GitHub flaw lets attackers upload executables that appear to be hosted on a company's official repo, such as Microsoft's—without the repo owner knowing anything about it.
The following URLs, for example, make it seem like these ZIPs are present on Microsoft's source code repo:
A threat actor is now advising StackOverflow devs seeking debugging help to install a 'pytoileur' #Python package as a "solution" to their code troubles.
🛑DO NOT fall for this, it's a trap—the package has encoded code hidden on line 17 via whitespaces and infects Windows users
EXCLUSIVE: #Okta says its GitHub source code repositories were stolen this December in a 'confidential' security notification sent to 'security contacts' that include IT managers at various organizations.
🚨 Apache has disclosed an *actively exploited* Path traversal flaw in the #opensource "httpd" server. Over 112,000 exposed Apache servers run version 2.4.49, and should be upgraded now!
New fix checks for encoded path traversal characters e.g. /../.%2E/
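As an added illustration of the kind of check the fix above describes (this is not Apache's own code): a small Python path normalizer that percent-decodes a request path before looking for '..' segments, so that encoded dots such as '.%2E' and double-encoded ones such as '%252e' are caught by the same test as the plain form. The function name, the decode-pass limit and the sample paths are my own choices.

```python
from typing import Optional
from urllib.parse import unquote

# Number of percent-decoding passes to unwind. Anything still decodable
# after this many passes is treated as hostile rather than normalized.
MAX_DECODE_PASSES = 3


def normalize_path(raw_path: str) -> Optional[str]:
    """Return a normalized path under the document root, or None if the
    request should be rejected (escapes the root, embedded NUL, or more
    layers of percent-encoding than we are willing to unwind)."""
    decoded = raw_path
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(decoded)
    if unquote(decoded) != decoded:
        return None  # still decodable: nested deeper than the limit

    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in C-based servers

    # Resolve '.' and '..' only after decoding, so '.%2E' cannot masquerade
    # as an ordinary segment name the way it did in the flawed normalizer.
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # would climb above the document root
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for p in ("/../.%2E/", "/cgi-bin/.%2e/.%2e/etc/passwd",
              "/docs/./guide/../intro.html"):
        print(p, "->", normalize_path(p))
```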
Uber won't fix the vulnerability that lets anyone email as "Uber"—this isn't a spoofed email but sent from Uber via an exposed endpoint.
Researcher @0x21SAFE states threat actors could abuse this to phish 57 million victims of the 2016 Uber data breach.
Anonymous altered the official knowledgebase of Epik after the alt-right web hosting provider denied that any breach had occurred. Epik has provided services for the Texas GOP, 8chan, Parler, and Gab, among others.
#EpikFail
EXCLUSIVE: Newly discovered #Azure flaw lets attackers brute-force Active Directory credentials in an undetected manner.
At this time, there's no way to easily block the endpoints used by Seamless SSO.
#Microsoft seems to consider this a "design" choice.
GitHub calls these "anonymized URLs" but I'm not sure if that's accurate—considering they appear to be associated with a repo.
By contrast, Discord CDN URLs to "attachments" are truly anonymized and look like:
https://cdn.discordapp[.]com/attachments/XXXXX/XXXX/virus.exe
BREAKING: eFile[.]com, an IRS-authorized U.S. tax return software provider, was caught serving #JavaScript malware for weeks—as early as March 17th, and up until at least April 1st.
h/t @malwrhunterteam @johullrich
Dev behind popular #npm library 'node-ipc' released sabotaged versions that DELETE all data of Russian/Belarusian users by overwriting their files with '❤️'
#opensource
PyTorch reveals malicious dependency chain compromise between Dec 25th & 30th.
The counterfeit 'tortchtrion' stole SSH keys, first 1000 files in $HOME, .gitconfig and other secrets.
2,300+ downloads seen so far on PyPI.
Uninstall now 👇👇👇
#opensource
BREAKING: #PHP Git server is the latest victim of a software supply chain attack in which attackers planted a remote code execution #backdoor in the PHP source code.
PHP powers almost 8 out of 10 sites on the internet, making this upstream attack noteworthy.
#opensource
#git
CVE-2023-29218 👀
Twitter Recommendation Algorithm... allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking,...
Package is part of a wider ("Cool package") campaign infiltrating Python registries like PyPI since 2023. Multiple such similar typosquatting packages contain hidden obfuscated or encoded code, designed to drop persistent Windows malware as soon as these are installed.
#Golang, #Rustlang "net" library is impacted by the severe IP address validation vulnerability previously found in Netmask. Over 4 million results for "import net" on GitHub.
Kubernetes also cherry-picked the fix.
CVE-2021-29922 & CVE-2021-29923👇👇👇
EXCLUSIVE: Ringleader of a massive fake news empire, 'Hacker X' comes out. Through extensive efforts, he created an untraceable webring of HUNDREDS of 'news' sites to spread conspiracy theories, propaganda to tip the 2016 US Election in Trump's favor.
2022 starts with Y2K22 bug: Emails getting stuck in Microsoft Exchange on-prem servers... 🤯
The cause? The FIP-FS malware scanning service that uses signed 'int32' format and can't fit '2022' 🥵💣
Here's a temporary workaround until MS releases a fix
🇨🇦 Canada's major banks: RBC, CIBC, Scotiabank, TD Bank, BMO all affected by a mysterious, hours-long outage.
Customers report e-transfers getting auto-rejected, access issues with online and mobile banking, and being stuck at grocery store checkouts.
An exposed #GitHub repo leaked personal info of some Adafruit users on or before 2019:
* names
* email addresses
* street addresses
* order details
Real data seems to have been used for a training data set that got committed to a public repo.
#DataLeak
Northern Ireland has temporarily suspended its COVID "vaccine passport" certification service following a data leak—some users seeing data of other users.
The incident has been reported to UK's IPO. Not all users are impacted 👇👇👇
#databreach
#dataleak
Phishing actors are targeting verified Twitter users as Twitter has been relentlessly removing blue badges from "incorrectly verified" accounts this week:
Turns out "netmask" has had yet another bug fix made in version 2.0.1 on #npm for the critical IP address validation #vulnerability as fixes for CVE-2021-28918 were deemed incomplete.
This was spotted by @ryotkak and a newer CVE-2021-29418 has now been assigned.
#opensource
One of the largest Vietnamese crypto trading apps, ONUS suffered a #Log4J hack, followed by a $5 million extortion demand.
After ONUS refused to pay the ransom, threat actors put up 2 million customer records, databases, & ID/passport images up for sale.
@shukla_tarun
@IndiGo6E
@TurkishAirlines
More power to the crew! They let this obnoxious, self-entitled man off too easy. So wish law enforcement was called to greet the 'unruly passenger' on landing. Baffling.
From fake #TikTok livestreams, to Midjourney being abused to make AI art — in this in-depth investigation, @Hannah_Gelbart & I delve into all the tricks scammers are playing to exploit the ecological disaster in #Turkey and Syria to steal your donations.
#npm malware stealing Chrome passwords with a real password recovery tool disguised as "TeamViewer.exe" was itself amusing enough.
It just gets better when the #malware author has a dump of their own plaintext passwords exposed🙃
Research by @ReversingLabs.
#opensource
#SupplyChain
HaveIBeenPwned is alerting over 15 million users, including non-Epik customers who are impacted by the data breach.
Epik's multi-gig dump leaked by Anonymous also includes a 16 GB SQL database of scraped WHOIS records.
#EpikFail
#databreach
BREAKING: A secret terrorist watchlist with 2 million "no-fly" records was exposed online, accessible without a password.
Insecure Elasticsearch server was indexed by Censys. Taken offline 3 weeks after @MayhemDayOne notified DHS.
#dataleak
#databreach
Researcher refuses Telegram's #BugBounty reward over the terms of agreement, and discloses the flaw with "self-destruct" feature that took months to resolve.
Multiple security vendors, @CrowdStrike @SentinelOne and @Sophos have CONFIRMED trojanized 3CX Desktop app binaries being used in a supply chain attack.
The silence from @3CX is deafening.
"Upon investigation, we have concluded that such access was used to copy Okta code repositories," writes David Bradbury, the company's Chief Security Officer (CSO) in the email.
Kubernetes 1.24 coming out later today will be the first release to officially use #Sigstore—enabling seamless signature verification to protect against supply chain attacks across the 5.6M developer community, explains @lorenc_dan of @chainguard_dev
BREAKING: Atlassian is asking enterprise Jira Data Center customers to patch this critical #RCE.
Deserialization #vulnerability stems from unrestricted access to ports 40001 and 40011 in an Ehcache RMI network service, that remote attackers can exploit.
Russia-based dev Yaffle altered 'event-source-polyfill' #npm package in March to show anti-war messages to Russians, as a peaceful protest.
This marks the THIRD major #opensource self-sabotage of 2022: npm package is downloaded 600K weekly and used by 135,000+ GitHub repos.
1. 35k code hits, not repos.
2. 13k of these results are from just one (relatively unimportant) repo.
3. Rest of the repos are clones of projects, not original projects hijacked.
Impact is far smaller than what is hyped here. Granted, still a spammy mess for GitHub to clean up.
⚠️ Just because a library name itself contains a higher version number doesn't mean it's the newer or legit version of an official lib.
'colors-2.0', 'colors-3.0'... that keep surfacing on #npm have nothing to do with 'colors' but pack malware
#Opensource
Too much chatter about an *unconfirmed* RCE in Spring Core — based on 1 minor commit that deprecates Java deserialization in one of the classes.
Spring Core dev @Sam_Brannen confirms this is NOT a flaw, but a mere warning to anyone practicing untrusted deserialization.
Solid work by @zzwudev @mdmck10 @malwrhunterteam reveals 1 operator behind all 4 domains, Polyfill, BootCDN, Bootcss and Staticfile involved in a supply chain attack that is now believed to have impacted anywhere from 100K to "tens of millions" of sites.
@BleepinComputer
@Ax_Sharma
hey mate! I reported the same vulnerability back in March 2021 and they closed it as informative and I didn't start crying like a baby
In her book "Manipulated," former White House CIO @TrackerPayton describes 'Hacker X' in detail, but it is the first time he's being publicly named.
Special thanks to @packmatt73, Theresa Payton, and many sources who helped fact-check the story.
NEW: Heavily obfuscated #Python #malware caught on #opensource PyPI repo. It pulls now-deleted GitHub scripts to mine cryptocurrency on your computer.
Although deleted, some of the Bash scripts could be recovered after some searching:
via @sonatype
💩 Sh*t gifting website ShitExpress hacked exposing customer email addresses, orders, and HYSTERICAL personalized messages customers had sent with their "gifts."
The hacker posted the #dataleak on a forum:
Python package 'onyxproxy' is an info-stealer using Unicode homoglyphs to evade detection. A real-world example of the Trojan Source attack vector used in #opensource malware.
Discovery by @Phylum_IO. Reporting by @BillToulas
RubyInstaller[.]org's Wikis poisoned since Nov 29th, 2022 with links to malware and IP tracing/logging site, IPlogger.
Malware ZIP: e811cea654c10c0efe2618bf9d20e60c15497e8207cf5d8096aa75bab1e28573
#opensource
TELUS, Canada's second-largest telco, is investigating a potential #databreach after sample sets of the company's employee data, payroll records, and private GitHub repos appeared on a data breach forum this week.
BREAKING: Researcher @alxbrsn hacked Microsoft, Apple, Tesla, Uber, Netflix, more in a novel #opensource software supply chain attack via dependency hijacking.
But @sonatype's automated #malware detection system has been a step ahead, learn how:
Kinda cool. npm package 'speedy-ts-compiler' downloads another package which is empty... but the code simultaneously and elegantly obtains your username via 'npm get cache' and exfiltrates it.
PoC research by @Ajay_Kulal
#OpenSource
His team created several Facebook groups appealing to the Trump voter base where these "news" articles were shared, boosting the sites' 3 million monthly readership to 30 million. Articles generated by 'Hacker X' were retweeted by prominent personalities and unwary voters alike.
Over 21,000 U.S. driver licenses are up for sale on a hacker forum, along with credit reports. Forum post spotted by @UnderTheBreach.
The seller says they have managed to charge $400 for every 10k copies.
#databreach
The '2FA Authenticator' Android app with 10,000+ installs on Google Play did provide real MFA functionality but... ran a hidden 'UpdateService' to download a malicious APK from domain:
⚠️ privacyandroidapp[.]club
PoC exploit now out for Azure Active Directory brute forcing flaw. Microsoft maintains it's not a vulnerability but appears to be working on a solution.
Includes additional commentary from @DrAzureAD @Secureworks.
👇👇👇
GitHub Actions is being abused to mine cryptocurrency on GitHub servers in an automated attack. Attack requires no action by the targeted project that is forked. Cryptominer executes as soon as the Pull Request is filed. -
@Ax_Sharma
"Tracked as CVE-2021-41773, the vulnerability is the result of an incomplete path normalization logic implemented in the Apache HTTP server 2.4.49 that in turn introduced a vulnerability."
"Why aren’t we sending an email to every user?
We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that... mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case."
BTW, "are" is a legitimate PyPI package from @andreilapets -- the researchers meant "aryi" (now removed). Luckily, caught this while writing my report.
8 malicious PyPI packages w/ 30,000 downloads found by @jfrog can:
* Steal credit card numbers stored in web browsers
* Steal Discord tokens and sensitive info
* Perform recon. (gather screenshots/files and upload em to Discord webhook)
#Python
#malware
The tainted 'popper.js' file, loaded on almost every eFile[.]com page, contains a base64-encoded one-liner further loading malicious JS from another domain:
Popular GitHub project 'qr.js' used by QR code apps got hit with a "repo hijack."
Although the NPM version of 'qr.js' is safe for now, devs including a Facebook engineer are seeking #opensource alternatives to this heavily used #JavaScript QR code encoder.
Despite stealing Okta's source code, attackers did not gain unauthorized access to the Okta service or customer data, says the company.
"HIPAA, FedRAMP or DoD customers" remain unaffected and no customer action is needed.
And, they were right.
The 'update.js' file eventually loaded by the malicious code contains a base64 string which is HTML code with this very SSL error message, as analyzed by @BleepinComputer.
Dark web marketplace CanadianHQ 🇨🇦 shut down by CRTC.
The site's patrons traded illicit goods and services including stolen credit card numbers, and illegal drugs.
Images via @DarkDotFail
Although this may have started out as a peaceful "non-destructive" protest by the developer with 'peacenotwar' module, the addition of blatantly destructive payload to 'node-ipc' raised serious concerns in the community ⚠️ given the dev also maintains ~40 popular npm packages.
The malicious JavaScript file 'update.js' further attempts to prompt users to download the next-stage payload, depending on whether they are using Chrome [update.exe] or Firefox [installer.exe].
And, it gets worse.
PoC exploits for CVE-2021-41773 reveal it can evolve into full-on Remote Code Execution (RCE) on both Linux and Windows servers.
h/t @hackerfantastic @wdormann @timb_machine
Newer versions 11.0.0 and above released for 'node-ipc' STILL continue to contain the 'peacenotwar' module that will generate text files propounding "peace" message on the Desktops of infected users:
PSA: CVE-2022-31289 is *NOT* a vulnerability or even a bug. The writeup on it was rushed without following any responsible disclosure and after half-baked "research."
In addition to using drive-by downloads and trojanized 'browser updates' to spread itself, #LummaC2 crypto-stealer now targets Python developers by imitating popular cryptocurrency libraries like 'crytic-compile'.
The illicit package 'crytic-compilers' drops Lumma ⚠️
PyPI #malware 'botaa3' - a poor typosquatting attempt at mimicking Amazon AWS SDK for Python 'boto3'. Has XOR-encrypted code to:
* Exfil. data
* Give attacker C2 capabilities: upload, download, browse, delete,...
* Kill itself
on @sonatype #opensource
'secretslib' PyPI package drops fileless malware to evade detection. Malicious payload injected in memory is a Monero cryptominer.
Threat actor even used 'Author' info of an engineer working for a U.S. Department of Energy-funded national lab.
#opensource
Just had another (verified) Dish Network employee reach out to me confirming on background that the company has indeed been "cyber attacked."
The employee received a written note from their manager stating, "it was caused by an outside bad actor, a known threat."
Too early to conclude that an incident indeed occurred at TELUS or to rule out a third-party vendor breach.
Employee names do check out though and correspond to present-day technical staff, like devs.