OpenAI says its safeguards “sufficiently reduce cyber risk” for now, while GPT-5.4-Cyber is a new cybersecurity-focused model.
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 9:40 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Education company McGraw-Hill has confirmed in a statement to BleepingComputer that hackers exploited a Salesforce misconfiguration and accessed its internal data. [...]
One CVE under attack, one already disclosed by angry bug hunter, and 163 more Attackers exploited a spoofing vulnerability in Microsoft SharePoint Server before Redmond issued a fix as part of April's mega Patch Tuesday.…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2026-21643 (CVSS score: 9.1) - An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an
More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. [...]
Latest
Tuesday, April 14
In the Github Actions world, it seems that the norm is to reinstall everything on every CI run. After the recent supply chain attacks and trivy, I wrote a small blog post that outlines some techniques to mitigate these risks by pinning as many dependencies as possible using either Nix or Docker.
The company's new software keeps an eye on your agents and backs up data. Keep your agents close and your agent-monitoring software closer. Commvault’s new AI Protect can discover and monitor AI agents running inside AWS, Azure, and GCP environments and even roll back their actions when something goes wrong.…
One CVE under attack, one already disclosed by angry bug hunter, and 163 more Attackers exploited a spoofing vulnerability in Microsoft SharePoint Server before Redmond issued a fix as part of April's mega Patch Tuesday.…
More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. [...]
Hello, I downloaded a sample from Malwarebazaar. It was a .bat file around 208.38 KB. I set it up into [AnyRun](https://any.run), and started the analysis. \--- **Threat Type:** XWorm v6.5 (RAT) + Stealer sold as Malware-as-a-Service. Capabilities include credential theft, keylogging, screenshot capture, file exfiltration, and hijacking of crypto wallets and accounts. **Execution Process:** 1. `.bat` file runs -> checks for sandbox using `findstr.exe` 2. Uses `certutil.exe` to Base64-decode an embedded payload 3. `cscript.exe` executes decoded VBScript, dropping `svchost.exe` (fake) to %TEMP% 4. Payload launches, copies itself to `%APPDATA%\main.exe` and the startup folder for persistence 5. Connects to C2 and sends system fingerprint via Telegram Bot API # IOCs **Dropper SHA256:** dea6cfb3234780ceeea718787e027cc6d2de18cfead1f8cc234e0ad268987868 **Dropped Payload SHA256:** 7f2b0ffbc5b149b4f9858589763bacdebf63ea1b3a00532e9278d613f75462ea * **C2:** `23.160(.)168.174:3212` * **AES Key:** `<666666>` * **Mutex:** `XUH24Sz2TPub4OF4` * **USB drop name:** `XWorm V6.5 by c3lestial(.)fun` Full Analysis: [https://app.any.run/tasks/1cd22443-8259-49c0-8e6e-a0ca93b0371c](https://app.any.run/tasks/1cd22443-8259-49c0-8e6e-a0ca93b0371c)
OpenAI says its safeguards “sufficiently reduce cyber risk” for now, while GPT-5.4-Cyber is a new cybersecurity-focused model.
The people who built an entire subchannel just to call me delusional just watched Perplexity describe my work as "a specialized AI system focused on automated code analysis and vulnerability discovery" — indexed next to Anthropic's Mythos. Google indexed Temporal Trust Gaps as a new vulnerability class. With my name on it. Claude Opus 4.6 verified the findings against current FFmpeg source. The code is there. The gap is there. You spent months trying to bury the signal. The signal got indexed anyway. Keep going. Every post you make about me is another data point the algorithm uses to raise my visibility. — Zahaviel
The UK designated Xinbi Guarantee as an enabler of crypto scammers and human trafficking weeks ago. Telegram is still hosting it in plain sight.
I just launched OSINT Brazil, an open source directory with more than 1,300 investigation tools, organized into 53 categories. The platform is free, searchable and automatically updated via GitHub, available in 30 languages and accessible via the web. It also has an app for Android and PC, automatic language detection, the ability to add tools to favorites, real-time search and different viewing modes. And much more... [https://www.linkedin.com/posts/juan-mathews-rebello-santos-](https://www.linkedin.com/posts/juan-mathews-rebello-santos-) osint-brasil-1300-ferramentas-de-activity-7449875737710350336-l sC?utm source=share&utm medium=member desktop&rcm=ACoAAD5NxlkByo6H9GEA3gsYIu5-Jwg-YPjyXtU
Microsoft has released the Windows 10 KB5082200 extended security update to fix the April 2026 Patch Tuesday vulnerabilities, including 2 zero-days. [...]
Education company McGraw-Hill has confirmed in a statement to BleepingComputer that hackers exploited a Salesforce misconfiguration and accessed its internal data. [...]
Microsoft has released Windows 11 KB5083769 and KB5082052 cumulative updates for versions 25H2/24H2 and 23H2 to fix security vulnerabilities, bugs, and add new features. [...]
Kraken’s Chief Security Officer confirmed an insider threat- “We are currently being extorted by a criminal group threatening to release videos of our internal systems and client data shown if we don’t comply” While they went on to state they won’t negotiate, this incident sounds very closely to what happened to CoinBase last year - https://www.bleepingcomputer.com/news/security/coinbase-confirms-insider-breach-linked-to-leaked-support-tool-screenshots/amp/ While these incidents do point to what seems to be a criminal group trying to cash in on crypto, do you expect to see a rise in insider threats as threat actors try to get footholds in companies? Some have already been caught trying to bribe their way into companies (https://www.bbc.com/news/articles/c3w5n903447o). I imagine with a tightening global economy due to high ten tensions and the war in Iran, people will start to become a little more desperate for money, and some people will be quick to jump on the opportunity to either make ends meet or retire early. What do you think?
> GPU-Z is on basically every gaming PC on earth. TechPowerUp makes it. they also make Sapphire TRIXX. What I found is insane... > both ship TRIXX.sys. IOCTL 0x800060C4 calls HalSetBusDataByOffset with user-controlled bus, device, function, and offset. any local process. no admin. > reprogram any PCI BAR to any physical address. map it. arbitrary physical memory r/W from ring 3. > a GPU info tool with the keys to your entire system. EV cert. valid through April 2028.
A malicious Ledger Live app for macOS available from Apple's App Store has drained approximately $9.5 million in cryptocurrency from 50 victims in just a few days this month. [...]
Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below - CVE-2026-40176 (CVSS
We're all doing our best to keep up with the mess that is unconstrained AI adoption. Really liked this cheat sheet that got passed along by a colleague today. Anyone seeing similar resources out there?
Internal emails obtained by WIRED reveal how a conservative legal group with a direct line into FCC chairman Brendan Carr’s office built the case against Jimmy Kimmel and his employees.
Google has announced the integration of a Rust-based Domain Name System (DNS) parser into the modem firmware as part of its ongoing efforts to beef up the security of Pixel devices and push memory-safe code at a more foundational level. "The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area, while also laying
Cybersecurity researchers have unmasked a novel ad fraud scheme that has been found to leverage search engine poisoning (SEO) techniques and artificial intelligence (AI)-generated content to push deceptive news stories into Google's Discover feed and trick users into enabling persistent browser notifications that lead to scareware and financial scams. The campaign, which has been
There’s a lot of noise around the new Axios CVE-2026-40175 claiming “10/10 critical”, IMDSv2 bypass, and full cloud compromise. The reality is that this is only exploitable in very very obscure non typical environments. The media coverage is wildly overblown and wanted to share. Example media [CyberNews](https://cybernews.com/security/axios-exploit-enables-full-cloud-compromise/), [CyberSecurityNews](https://cybersecuritynews.com/axios-vulnerability-poc-released/), [CyberKendra](http://cyberkendra.com/2026/04/critical-axios-flaw-enables-full-cloud.html) When we weren't able to recreate it, we spoke directly with the [researcher](https://www.linkedin.com/in/raulvegadelvalle/) who reported it who confirmed our suspicious (he's awesome and was also very surpirsed by the 10/10 score) The issue relies on CRLF header injection, but Node blocks that at the HTTP layer. The exploit should look like this. http.request({ headers: { "x-test": "hello\r\nInjected: yes" } }); But in all standard Node.js environment it throws this error. TypeError [ERR_INVALID_CHAR]: Invalid character in header content So the request never gets sent, which breaks the exploit chain early. This happens because Node validates header values against the HTTP spec and explicitly rejects CRLF characters to prevent header injection and request smuggling. We confirmed this behavior back to at least Node v4. The vulnerability itself is real at the Axios level, and patching it was the right call (I'm not saying it doesn't exist at all). But the “cloud compromise” narrative depends on bypassing Node’s HTTP stack entirely. The only realistic scenario where this becomes exploitable is if someone is using a custom Axios adapter or manually constructing raw HTTP requests and skipping Node’s built-in validation. (which while possible would be a very edge case senario and would also require multiple mistakes in building that out) axios({ url: "http://example.com", adapter: (config) => { // custom logic writing raw HTTP request } }); For typical Node apps using Axios normally, this isn’t something you’re going to get popped by. Just wanting to share if anyone is madly trying to patch and investigate right now. You can read our full report here - [https://www.aikido.dev/blog/axios-cve-2026-40175-a-critical-bug-thats-not-exploitable](https://www.aikido.dev/blog/axios-cve-2026-40175-a-critical-bug-thats-not-exploitable)
* The multi-stage chain uses obfuscated JS/VBS/PowerShell and legitimate RegSvcs.exe for process injection, making static detection ineffective. * Remcos RAT provides full remote control, keylogging, and data exfiltration — turning one compromised endpoint into a persistent foothold. * Credential harvesting combined with malware delivery creates dual risk: immediate data theft plus long-term network compromise. * Traditional EDR relying on file reputation misses these attacks; behavioral sandboxing and real-time TI are required.
Stolen credentials remain a top breach vector, often leading to unchecked privilege escalation. Specops explains how identity-first Zero Trust limits access, enforces device trust, and blocks lateral movement. [...]
Agents let you build software faster than ever, but securing your environment and the code you write — from both mistakes and malice — takes real effort. Open Web Application Security Project (OWASP) details a number of risks present in agentic AI systems, including the risk of credential leaks, user impersonation, and elevation of privilege. These risks can result in extreme damage to your environments including denial of service, data loss, or data leaks — which can do untold financial and reputational damage. This is an identity problem. In modern development, "identities" aren't just people — they are the agents, scripts, and third-party tools that act on your behalf. To secure these non-human identities, you need to manage their entire lifecycle: ensuring their credentials (tokens) aren't leaked, seeing which applications have access via OAuth, and narrowing their permissions using granular RBAC. Today, we are introducing updates to address these needs: scannable tokens to protect your credentials, OAuth visibility to manage your principals, and resource-scoped RBAC to fine-tune your policies. Understanding identity: Principals, Credentials, and Policies To secure the Internet in an era of autonomous agents , we have to rethink how we handle identity. Whether a request comes from a human developer or an AI agent, every interaction with an API relies on three core pillars: The Principal (The Traveler): This is the identity itself — the "who." It might be you logging in via OAuth, or a background agent using an API token to
Scaling MCP adoption: Our reference architecture for simpler, safer and cheaper enterprise deployments of MCP
We at Cloudflare have aggressively adopted Model Context Protocol (MCP) as a core part of our AI strategy. This shift has moved well beyond our engineering organization, with employees across product, sales, marketing, and finance teams now using agentic workflows to drive efficiency in their daily tasks. But the adoption of agentic workflow with MCP is not without its security risks. These range from authorization sprawl, prompt injection , and supply chain risks . To secure this broad company-wide adoption, we have integrated a suite of security controls from both our Cloudflare One (SASE) platform and our Cloudflare Developer platform , allowing us to govern AI usage with MCP without slowing down our workforce. In this blog we’ll walk through our own best practices for securing MCP workflows, by putting different parts of our platform together to create a unified security architecture for the era of autonomous AI. We’ll also share two new concepts that support enterprise MCP deployments: We are launching Code Mode with MCP server portals , to drastically reduce token costs associated with MCP usage; We describe how to use Cloudflare Gateway for Shadow MCP detection, to discover use of unauthorized remote MCP servers. We also talk about how our organization approached deploying MCP, and how we built out our MCP security architecture using Cloudflare products includ
We have thousands of internal apps at Cloudflare. Some are things we’ve built ourselves, others are self-hosted instances of software built by others. They range from business-critical apps nearly every person uses, to side projects and prototypes. All of these apps are protected by Cloudflare Access . But when we started using and building agents — particularly for uses beyond writing code — we hit a wall. People could access apps behind Access, but their agents couldn’t. Access sits in front of internal apps. You define a policy, and then Access will send unauthenticated users to a login page to choose how to authenticate. Example of a Cloudflare Access login page This flow worked great for humans. But all agents could see was a redirect to a login page that they couldn’t act on. Providing agents with access to internal app data is so vital that we immediately implemented a stopgap for our own internal use. We modified OpenCode’s web fetch tool such that for specific domains, it triggered the cloudflared CLI to open an authorization flow to fetch a JWT (JSON Web Token). By appending this token to requests, we enabled secure, immediate access to our internal ecosystem. While this solution was a temporary answer to our own dilemma, today we’re retiring this workaround and fixing this problem for everyone. Now in open beta, every Access application supports managed OAuth. One click to enab
AI agents have changed how teams think about private network access. Your coding agent needs to query a staging database. Your production agent needs to call an internal API. Your personal AI assistant needs to reach a service running on your home network. The clients are no longer just humans or services. They're agents , running autonomously, making requests you didn't explicitly approve, against infrastructure you need to keep secure. Each of these workflows has the same underlying problem: agents need to reach private resources, but the tools for doing that were built for humans, not autonomous software. VPNs require interactive login. SSH tunnels require manual setup. Exposing services publicly is a security risk. And none of these approaches give you visibility into what the agent is actually doing once it's connected. Today, we're introducing Cloudflare Mesh to connect your private networks together and provide secure access for your agents. We're also integrating Mesh with Cloudflare Developer Platform so that Workers , Durable Objects , and agents built with the Agents SDK can reach your private infrastructure directly. If you’re using Cloudflare One’s SASE and Zero Trust suite , you already have access to Mesh. You don’t need a new technology paradigm to secure agentic workloads. You need a SASE that was built for the agentic era, and that’s Cloudflare One. Cloudflare Mesh is a new experience with a simpler setup that leverages the on-ramps you’re already familiar with: WARP Connector (now called a Cloudflare Mesh node) and WARP Client (now called C
Honey, the skids are fighting again Two rival ransomware gangs have locked horns after 0APT threatened to expose people affiliated with Krybit.…
IOCX v0.6.0 is out. It’s a static IOC extraction engine designed for DFIR, SOC automation, CI/CD, and other blue‑team workflows where deterministic output matters. Key changes in this release: * Stable JSON schema suitable for long‑term, contract‑safe integrations * Deterministic PE metadata (headers, optional headers, TLS, signatures, sections) * Formal analysis levels (basic → deep → full) for performance‑tuned pipelines * End‑to‑end throughput around 28 MB/s, with detector peaks between 150–450 MB/s The focus is on predictable, reproducible extraction that doesn’t break downstream systems. GitHub: [https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx) PyPI: [https://pypi.org/project/iocx/](https://pypi.org/project/iocx/) Example: `pip install iocx` `iocx suspicious.exe -a deep` Open to critiques or suggestions from anyone using deterministic extraction in automated workflows.
Phantom-Evasion-Loader: Phantom-Evasion-Loader is a standalone, pure x64 Assembly injection engine engineered to minimize the detection surface of modern EDR/XDR solutions and Kernel-level monitors like Falco (eBPF). It leverages advanced techniques such as SROP and Zero-Copy Injectio
A nascent Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on Meta. "Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real
OX Security recently analyzed 216 million security findings across 250 organizations over a 90-day period. The primary takeaway: while raw alert volume grew by 52% year-over-year, prioritized critical risk grew by nearly 400%. The surge in AI-assisted development is creating a "velocity gap" where the density of high-impact vulnerabilities is scaling faster than
This post is part of a small blog series covering common Entra ID security findings observed during real-world assessments. Each article explores selected findings in more detail to provide a clearer understanding of the underlying risks and practical implications. Part 1: Privileged Foreign Enterprise Applications Part 2: Privileged Unprotected Groups Part 3: Weak Privileged Identity Management Configuration Conditional Access Policies Conditional Access policies are among the most important security controls in Entra ID. As the name suggests, they define under which conditions access is allowed within a tenant. They are used to enforce protections such as MFA, restrict access based on device state or location, and apply stronger controls to sensitive applications or privileged accounts. At the same time, Conditional Access is a broad and complex topic. The
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I'm starting to become pretty fond of Bruce. Actually, I've had a bit of an epiphany: an AI assistant like Bruce isn't just about auto-responding to tickets in an entirely autonomous manner; it's also pretty awesome at responding with just a little bit of human assistance. Charlotte and I both replied to some tickets today that were way too specific for Bruce to ever do on his own, but by feeding in just a little bit of additional info (such as the number of domains someone was presently monitoring), Bruce was able to construct a really good reply and "own" the ticket. So maybe that's the sweet spot: auto-reply to the really obvious stuff and then take just a little human input on everything else.
A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2026-21643 (CVSS score: 9.1) - An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an
Monday, April 13
A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. [...]
The FBI Atlanta Field Office and Indonesian authorities have dismantled the "W3LL" global phishing platform, seizing infrastructure and arresting the alleged developer in what is described as the first coordinated enforcement action between the United States and Indonesia targeting a phishing kit developer. [...]
Google Sites lure leads to bogus root certificate Imagine getting asked to do something by a person in authority. An unknown malware slinger targeting open source software developers via Slack impersonated a real Linux Foundation official and used pages hosted on Google.com to steal developers' credentials and take over their systems.…
OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. [...]
Banks and financial institutions in Latin American countries like Brazil and Mexico have continued to be the target of a malware family called JanelaRAT. A modified version of BX RAT, JanelaRAT is known to steal financial and cryptocurrency data associated with specific financial entities, as well as track mouse inputs, log keystrokes, take screenshots, and collect system metadata. "One of the
[](https://www.reddit.com/r/cybersecurity/?f=flair_name%3A%22News%20-%20General%22)Hello everyone, I have just analyzed a Kalim Backdoor sample to better understand its behavior, persistence mechanisms, and remote control capabilities. [Full Report](https://github.com/SalahEldinFikri/Kalim_Backdoor) [Linkedin](https://www.linkedin.com/in/salaheldin-fikri-kamil-1ab233218/) This sample demonstrates how attackers can establish unauthorized access to a compromised system, enabling continuous control, command execution, and stealthy operations without user awareness. Key Findings: \- Remote Command Execution: The backdoor allows attackers to execute commands on the infected system, giving full control over the victim machine. \- Persistence Mechanism: Implements techniques to survive system reboots, ensuring long-term access for the attacker. \- Backdoor Communication: Maintains communication with the attacker, enabling continuous interaction and data exchange. \- System Control Capabilities: Provides the ability to manipulate the system, making it suitable for post-exploitation activities. \- Stealth Techniques: Designed to operate quietly in the background, reducing the chances of detection. \- Detection (YARA): A custom YARA rule was developed based on behavioral indicators. \#CyberSecurity #MalwareAnalysis #ReverseEngineering #ThreatIntelligence #BlueTeam #Research #MalDocs #BlueTeam #Attacks #InfoSec #ThreatIntelligence #CyberThreats #DigitalForensics #BlueTeam
The current version of RAGFlow, a widely-deployed Retrieval Augmented Generation solution, contains a post-auth vulnerability that allows for arbitrary code execution. This post includes a POC, walkthrough and patch. The TL;DR is to make sure your RAGFlow instances aren't on the public internet, that you have the minimum number of necessary users, and that those user accounts are protected by complex passwords. (This is especially true if you're using Infinity for storage.)
More than 70 organizations, including the ACLU, EPIC, and Fight for the Future, say the AI smart glasses feature would endanger abuse victims, immigrants, and LGBTQ+ people.
The U.S. Federal Bureau of Investigation (FBI), in partnership with the Indonesian National Police, has dismantled the infrastructure associated with a global phishing operation that leveraged an off-the-shelf toolkit called W3LL to steal thousands of victims' account credentials and attempt more than $20 million in fraud. In tandem, authorities detained the alleged developer, who has&
Cloudflare has a vast API surface. We have over 100 products, and nearly 3,000 HTTP API operations. Increasingly, agents are the primary customer of our APIs. Developers bring their coding agents to build and deploy applications , agents , and platforms to Cloudflare, configure their account, and query our APIs for analytics and logs. We want to make every Cloudflare product available in all of the ways agents need. For example, we now make Cloudflare’s entire API available in a single Code Mode MCP server that uses less than 1,000 tokens . There’s a lot more surface area to cover, though: CLI commands . Workers Bindings — including APIs for local development and testing. SDKs across multiple languages. Our configuration file . Terraform . Developer docs . API docs and OpenAPI schemas. Agent Skills . Today, many of our products aren’t available across every one of these interfaces. This is particularly true of our CLI — Wrangler . Many Cloudflare products have no CLI commands in Wrangler. And agents love CLIs. So we’ve been rebuild
Travel giant says names, contact details, dates, and hotel messages potentially exposed Booking.com is warning customers that their reservation details may have been exposed to unknown attackers, in the latest reminder that the travel giant still can't quite keep a lid on the data flowing through its platform.…
Root cause: the $forbiddenphpstrings blocklist is only enforced in blacklist mode -> the default whitelist mode never touches it. The whitelist regex is also blind to PHP dynamic callable syntax (('exec')('cmd')). Either bug alone limits impact; together they reach OS command execution. Coordinated disclosure - patch available as of 4/4/2026.
A few weeks ago, we announced Dynamic Workers , a new feature of the Workers platform which lets you load Worker code on-the-fly into a secure sandbox. The Dynamic Worker Loader API essentially provides direct access to the basic compute isolation primitive that Workers has been based on all along: isolates, not containers. Isolates are much lighter-weight than containers, and as such, can load 100x faster using 1/10 the memory. They are so efficient, they can be treated as "disposable": start one up to run a few lines of code, then throw it away. Like a secure version of eval(). Dynamic Workers have many uses. In the original announcement, we focused on how to use them to run AI-agent-generated code as an alternative to tool calls. In this use case, an AI agent performs actions at the request of a user by writing a few lines of code and executing them. The code is single-use, intended to perform one task one time, and is thrown away immediately after it executes. But what if you want an AI to generate more persistent code? What if you want your AI to build a small application with a custom UI the user can interact with? What if you want that application to have long-lived state? But of course, you still want it to run in a secure sandbox. One way to do this would be to use Dynamic Workers, and simply provide the Worker with an RPC API that gives it access to storage. Using bindings , you could give the Dynamic Worker an API that points back to your remote SQL database (perhaps backed by Cloudflare D1 , or a Postgres database you access through Hyperdrive — it's up to you). But Workers a
When we launched Cloudflare Sandboxes last June, the premise was simple: AI agents need to develop and run code, and they need to do it somewhere safe. If an agent is acting like a developer, this means cloning repositories, building code in many languages, running development servers, etc. To do these things effectively, they will often need a full computer (and if they don’t, they can reach for something lightweight !). Many developers are stitching together solutions using VMs or existing container solutions, but there are lots of hard problems to solve: Burstiness - With each session needing its own sandbox, you often need to spin up many sandboxes quickly, but you don’t want to pay for idle compute on standby. Quick state restoration - Each session should start quickly and re-start quickly, resuming past state. Security - Agents need to access services securely, but can’t be trusted with credentials. Control - It needs to be simple to programmatically control sandbox lifecycle, execute commands, handle files, and more. Ergonomics - You need to give a simple interface for both humans and agents to do common operations. We’ve spent time solving these issues so you don’t have to. Since our initial launch we’ve made Sandboxes an even better place to run agents at scale. We’ve worked with our initial partners such as Figma, who run agents in containers with Figma Make : “Figma Make is built to help builders and makers of all backgrounds go from idea to production, faster. To deliver on that goal, we needed an infrastructure solution that could provide reli
Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically
As AI Large Language Models and harnesses like OpenCode and Claude Code become increasingly capable, we see more users kicking off sandboxed agents in response to chat messages, Kanban updates, vibe coding UIs, terminal sessions, GitHub comments, and more. The sandbox is an important step beyond simple containers, because it gives you a few things: Security : Any untrusted end user (or a rogue LLM) can run in the sandbox and not compromise the host machine or other sandboxes running alongside it. This is traditionally ( but not always ) accomplished with a microVM. Speed : An end user should be able to pick up a new sandbox quickly and restore the state from a previously used one quickly. Control : The trusted platform needs to be able to take actions within the untrusted domain of the sandbox. This might mean mounting files in the sandbox, or controlling which requests access it, or executing specific commands. Today, we’re excited to add another key component of control to our Sandboxes and all Containers : outbound Workers. These are programmatic egress proxies that allow users running sandboxes to easily connect to different services, add observability , and, importantly for agents, add flexible and safe authentication. How it works Here’s a quick look at adding a secret key to a hea
Anthropic restricted its Mythos Preview model last week after it autonomously found and exploited zero-day vulnerabilities in every major operating system and browser. Palo Alto Networks' Wendi Whitmore warned that similar capabilities are weeks or months from proliferation. CrowdStrike's 2026 Global Threat Report puts average eCrime breakout time at 29 minutes. Mandiant's M-Trends
Names, addresses, dates of birth, and bank details accessed, though not passwords Basic-Fit, Europe's largest gym chain, has confirmed data including the bank details of around a million customers was stolen from its systems.…
ShinyHunters claims it accessed Snowflake metrics via third-party tool ShinyHunters is back, this time pinning Rockstar Games to its leak site and claiming it didn't so much hack its way in as walk through a door someone else left wide open.…
Last April, a hacker hijacked crosswalk announcements to mimic Mark Zuckerberg and Elon Musk. Records obtained by WIRED reveal how unprepared local authorities were.
Benchmarking contract lays groundwork for renegotiating £774M software agreement NHS England is spending £46,000 on "benchmarking" as it gears up for what looks like the next round of negotiations behind one of the UK public sector's biggest software deals.…
The North Korean hacking group tracked as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage, social engineering campaign in which threat actors approached targets on Facebook and added them as friends on the social media platform, turning the trust-building exercise into a delivery channel for a remote access trojan called RokRAT. "The threat actor used two Facebook
Last week, a new BYOVD vulnerability (CVE-2026-29923) was discovered in pstrip64.sys driver, which allows an unprivileged user to escalate privileges to SYSTEM via a crafted IOCTL request. I just published a complete deep-dive on my GitHub covering the entire exploit lifecycle: ▪️Reverse-engineering the vulnerable IOCTL to gain a physical read/write primitive. ▪️ Building the Proof of Concept (PoC) from the ground up. ▪️ Actionable mitigation and detection recommendations for defenders. Enjoy the read, and feel free to DM me if you have any questions! ⚠️ Disclaimer: This write-up and code are provided strictly for educational and defensive research purposes only. Any malicious or unauthorized use is strictly prohibited.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
PLUS: Toyota wheels out basketball bot; Arm scores AI server win with SK Telecom; India ponders payment pauses to foil fraudsters; And more! Asia In Brief China’s National Data Administration last Friday published its action plan for AI in education which calls for upskilling of the nation’s citizens to ensure they can put the technology to work.…
Sunday, April 12
Cloudflare's mission has always been to help build a better Internet. Sometimes that means building for the Internet as it exists. Sometimes it means building for the Internet as it's about to become. Today, we're kicking off Agents Week, dedicated to building the Internet for what comes next. The Internet wasn't built for the age of AI. Neither was the cloud. The cloud, as we know it, was a product of the last major technological paradigm shift: smartphones. When smartphones put the Internet in everyone's pocket, they didn't just add users — they changed the nature of what it meant to be online. Always connected, always expecting an instant response. Applications had to handle an order of magnitude more users, and the infrastructure powering them had to evolve. The approach the industry converged on was straightforward: more users, more copies of your application. As applications grew in complexity, teams broke them into smaller pieces — microservices — so each team could control its own destiny. But the core principle stayed the same: a finite number of applications, each serving many users. Scale meant more copies. Kubernetes and containers became the default. They made it easy to spin up instances, load balance, and tear down what you didn't need. Under this one-to-many model, a single instance could serve many users, and even as user counts grew into the billions, the number of things you had to manage stayed finite. Agents break this. One user, one agent, one task Unlike every application that came before them, agents are one-to-one. Each agent is a unique instance. Serving one user, running one task. Where a traditional application follows the same execution path reg
drakoarmy/akamai-vm-reverse: Decompiled and cleaned Akamai v3 VM powering the latest sensor_data challenge script.
Unknown threat actors compromised CPUID ("cpuid[.]com"), a website that hosts popular hardware monitoring tools like CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, for less than 24 hours to serve malicious executables for the software and deploy a remote access trojan called STX RAT. The incident lasted from approximately April 9, 15:00 UTC, to about April 10, 10:00 UTC, with
Saturday, April 11
Two different attackers poisoned popular open source tools - and showed us the future of supply chain compromise
Time to start dropping SBOMs FEATURE Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from tens of thousands – if not more – organizations. We won't know the full blast radius for months.…
Plus: Iran’s internet blackout hits the 1,000-hour mark, cryptocurrency scams result in a record amount of money stolen from Americans, and more.
From AI-generated images to restricted satellite data, the systems used to verify what’s real online are struggling to keep up.
Nearly 800 state logins surfaced in breach data, including defense and NATO-linked accounts Hungary's government has discovered the hard way that the biggest threat to national security might just be its own password choices.…
Friday, April 10
The Kill Chain models how an attack succeeds. The Attack Helix models how the offensive baseline improves. The Tipping Point One person. Two AI subscriptions. Ten government agencies. 150 gigabytes of sovereign data. In December of 2025, a single unidentified operator used Anthropic’s Clau
The Blind Spot As organizations race to deploy LLM-powered chat agents, many have adopted a layered defense model: a primary chat agent handles user interactions while a secondary supervisor agent monitors contextual input (i.e., chat messages) for prompt injection attacks and policy violations. This architecture mirrors traditional security patterns like web application firewalls sitting in front of application servers. But what happens when the supervisor only watches the front door? Indirect prompt injection is a class of attack where adversarial instructions are embedded not in the user’s direct input, but in external data sources that an LLM consumes as context: profile fields, retrieved documents, tool outputs, or database records. Unlike direct prompt injection, where a user explicitly sends malicious instructions through the chat interface, indirect injection hides the payload in data that the application fetches on the user’s behalf—often from sources the system implicitly trusts. During a recent engagement targeting a multi-model AI-integrated customer service solution, our team identified a weakness in the architecture that made it susceptible to indirect prompt injection attacks. The customer service solution consisted of an AI-enabled chat agent that processed user requests and a separate supervisor agent that monitored the chat communications for adversarial instructions and manipulation, including prompts injected into data provided to the agent via the chat window. The supervisor agent was effective in consistently detecting and blocking attempts to attack or manipulate the chat agent. However, by injecting adversarial instructions into user profile fields—such as a user’s name—that the chat agent would retrieve upon request, we were able to bypass supervisor protections and trick the chat agent into misinterpreting our user’s profile data as a prompt and executing our hidden instructions. The root cause is a fundamen
I got tired of juggling 10 different tools for DFIR, so I spent the last 9 months building an open-source alternative.
Hey everyone, I don't know about you, but I was getting seriously frustrated with how fragmented our tools are. Trying to piece together an investigation across Windows, Linux, and Mac artifacts usually means jumping between half a dozen different apps, and the centralized "all-in-one" solutions cost some money So, about 9 months ago, I decided to just try and build the tool I actually wanted to use. It's called **Heimdall DFIR**. **GitHub:** [https://raiseix.github.io/Heimdall-DFIR](https://raiseix.github.io/Heimdall-DFIR) Instead of a bunch of marketing buzzwords, here is what it actually does right now: * **One giant timeline:** It takes your artifacts (EVTX, MFT, Prefetch and other Windows artifacts Linux/Mac logs, etc.) and merges them into a single chronological grid. I spent a lot of time trying to make the output actually human-readable instead of just dumping raw JSON on the screen * **RAM Analysis:** I hooked it up to VolWeb (Volatility 3). You can upload massive memory dumps directly in the UI and it actually handles the stream without crashing the backend * **Collaborative mode:** Investigating alone sucks, so I added a side-chat and an evidence-pinning system so a team can look at the exact same case simultaneously **To be completely transparent with you all:** This is very much a Beta. It’s a massive undertaking and it’s still missing a lot of features I want to add before calling it a complete platform That’s honestly why I’m sharing it today. I’m hoping to get some brutally honest feedback from people who do this daily. What parsers are you constantly missing in open-source tools? What would make you actually want to use this? If anyone wants to spin it up (Docker compose is ready to go), break it, submit bug reports, or even contribute code to help build this out, I would be incredibly grateful. Let me know what you think. If you like the vision, a GitHub ⭐ helps a lot!
Posted by Jiacheng Lu, Software Engineer, Google Pixel Team Google is continuously advancing the security of Pixel devices. We have been focusing on hardening the cellular baseband modem against exploitation. Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities. For Pixel 10, Google is advancing its proactive security measures further. Following our previous discussion on "Deploying Rust in Existing Firmware Codebases" , this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware. The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area, while also laying the foundation for broader adoption of memory-safe code in other areas. Here we share our experience of working on it, and hope it can inspire the use of more memory safe languages in low-level environments. Why Modem Memory Safety Can’t Wait In recent years, we have seen increasing interest in the cellular modem from attackers and security researchers. For example, Google's Project Zero gained remote code execution on Pixel modems over the Internet. Pixel modem has tens of Megabytes of executable code. Given the complexity and remote attack surface of the modem, other critical memory safety vulnerabilities may remain in t
Cybersecurity researchers have flagged yet another evolution of the ongoing GlassWorm campaign, which employs a new Zig dropper that's designed to stealthily infect all integrated development environments (IDEs) on a developer's machine. The technique has been discovered in an Open VSX extension named "specstudio.code-wakatime-activity-tracker," which masquerades as WakaTime, a
Keyloggers: A Persistent Threat Nowadays, virtually all digital services rely on logins and authentication, from email inboxes to help desks. These involve login credentials to prove identity, typically at least a username and a password. Initially, this information is confidential from a potential attacker. Whi
Four-week call for evidence intended to help shape laws aimed at devices linked to crime The UK government is seeking views on radiofrequency jammers as it prepares legislation to ban the controversial devices.…
While much of the discussion on AI security centers around protecting ‘shadow’ AI and GenAI consumption, there's a wide-open window nobody's guarding: AI browser extensions. A new report from LayerX exposes just how deep this blind spot goes, and why AI extensions may be the most dangerous AI threat surface in your network that isn't on anyone's
Cut through the noise and understand the real risks, responsibilities, and responses shaping enterprise AI today. Webinar Promo 2025 was the year of AI experimentation. In 2026, the bills are coming due. AI adoption has moved from isolated pilots to autonomous, enterprise wide deployment, bringing with it a sophisticated new generation of security challenges.…
Google has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome web browser, months after it began testing the security feature in open beta. The public availability is currently limited to Windows users on Chrome 146, with macOS expansion planned in an upcoming Chrome release. "This project represents a significant
Thursday, April 9
Cops bust latest scam, return $12m to bilked victims US, UK, and Canadian law enforcement Thursday said that they disrupted a $45 million global cryptocurrency scam, freezing $12 million in stolen funds and identifying more than 20,000 cryptocurrency wallet addresses linked to fraud victims across 30 countries.…
Possible link to Mr. Raccoon's claimed Adobe break-in A new extortion crew has targeted “several dozen high-value” corporations through phishing and helpdesk social-engineering, according to Google.…
Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team Following our April 2024 announcement , Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome release. This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape. Session theft typically occurs when a user inadvertently downloads malware onto their device. Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server. Infostealer malware families, such as LummaC2, have become increasingly sophisticated at harvesting these credentials. Because cookies often have extended lifetimes, attackers can use them to gain unauthorized access to a user’s accounts without ever needing their passwords; this access is then often bundled, traded, or sold among threat actors. Crucially, once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies. As a result, there is no reliable way to prevent cookie exfiltration using software alone on any operating system. Historically, mitigating session theft relied on detecting the stolen credentials after the fact using a complex set of abuse heuristics – a reactive approach that persistent attackers could often circumvent. DBSC fundamentally changes the web's capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated c
Threat Model Discrepancy: Google Password Manager leaks cleartext passwords via Task Switcher (Won't Fix) - Violates German BSI Standards
Hi everyone, I’m a Cybersecurity student at HFU in Germany and recently submitted a vulnerability to the Google VRP regarding the Google Password Manager on Android (tested on Pixel 8, Android 16). **The Issue:** When you view a cleartext password in the app and minimize it, the app fails to apply `FLAG_SECURE` or blur the background. When opening the "Recent Apps" (Task Switcher), the cleartext password is fully visible in the preview, *even though* the app actively overlays a "Enter your screen lock" biometric prompt in the foreground. It basically renders its own secondary biometric lock completely useless. **Google's Response:** Google closed the report as *Won't Fix (Intended Behavior)*. Their threat model assumes that if an attacker has physical access to an unlocked device, it's game over. **The BSI Discrepancy:** What makes this interesting is that the German Federal Office for Information Security (BSI) recently published a study on Password Managers. In their Threat Model A02 ("Attacker has temporary access to the unlocked device"), they explicitly mandate that sensitive content MUST be protected from background snapshots/screenshots. So while Google says this is intended, national security guidelines classify this as a vulnerability. (For comparison: The iOS built-in password manager instantly blurs the screen when losing focus). Here is my PoC screenshot: [https://drive.google.com/file/d/1PTGKRpyFj\_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing](https://drive.google.com/file/d/1PTGKRpyFj_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing) [https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing](https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing) What are your thoughts on this? Should password managers protect against shoulder surfing via the Task Switcher, or is Google right to rely solely on the OS lockscreen?
UK and US customers stuck waiting after fleet management SaaS vendor took affected environments offline A cybersecurity incident has knocked FleetWave into a "major outage" across the UK and US after Chevin Fleet Solutions pulled parts of its SaaS platform offline and left customers scrambling for answers.…
Overview Multiple vulnerabilities have been identified in Orthanc DICOM Server version, 1.12.10 and earlier, that affect image decoding and HTTP request handling components. These vulnerabilities include heap buffer overflows, out-of-bounds reads, and resource exhaustion vulnerabilities that may allow attackers to crash the server, leak memory contents, or potentially execute arbitrary code. Description Orthanc is an open-source lightweight Digital Imaging and Communications in Medicine (DICOM) server used to store, process, and retrieve medical imaging data in healthcare environments. The following nine vulnerabilities identified in Orthanc primarily stem from unsafe arithmetic operations, missing bounds checks, and insufficient validation of attacker-controlled metadata in DICOM files and HTTP requests. CVE-2026-5437 An out-of-bounds read vulnerability exists in DicomStreamReader during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic. CVE-2026-5438 A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with Content-Encoding: gzip . The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory. CVE-2026-5439 A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded t
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code . We’ve identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases and organized them into sections covering Linux, Windows, and seccomp. Whereas other handbook chapters focus on static and dynamic analysis, this chapter offers a strong basis for manual code review. LLM enthusiasts rejoice: we’re also developing a Claude skill based on this new chapter. It will turn the checklist into bug-finding prompts that an LLM can run against a codebase, and it’ll be platform and threat-model aware. Be sure to give it a try when we release it. And after reading the chapter, you can test your C/C++ review skills against two challenges at the end of this post. Be in the first 10 to submit correct answers to win Trail of Bits swag! What’s in the chapter The chapter covers five areas: general bug classes, Linux usermode and kernel, Windows usermode and kernel, and seccomp/BPF sandboxes. It starts with language-level issues in the bug classes section—memory safety, integer errors, type confusion, compiler-introduced bugs—and gets progressively more environment-specific. The Linux usermode section focuses on libc gotchas. This section is also applicable to most POSIX systems. It ranges from well-known problems with string methods, to somewhat less known caveats around privilege dropping and environment variable handling. The Linux kernel is a complicated beast, and no checklist could cover even a part of its intricacies. However, our new Testing Handbook chapter can give you a starting point to bootstrap manual reviews of drivers and modules.
Political candidates are purchasing more home alarms, bulletproof vests, and other protections amid rising fears of political violence.
A look at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding
Public blockchains solved settlement. They didn't solve privacy. Institutions need to protect positions, counterparty relationships, and transaction amounts without abandoning transparency entirely - and every architecture that tried to solve this hit the same wall. Protocol-level privacy locks everything. Permissioned chains recreate centralization. Separate privacy layers fragment liquidity. Stellar's answer is different. Cryptographic primitives baked into the base layer, two production-ready privacy models on top, and the institution decides what to reveal and to whom. Transparent when you want it. Private when you need it.
Wednesday, April 8
In Lebanon, nearly 1 in 5 people has been displaced by Israeli attacks, leaving the government to manage a modern crisis without modern digital infrastructure.
Atomic Stealer (AMOS) macOS Malware Decryption, Anti-VM, Hardware Wallet Trojanization & Persistent Backdoor
Picked up a low-VT AMOS sample on March 12 worth flagging. Aligns with the recent malext variants but layers a few things we haven't seen combined before: * **Custom multi-stage decryption** (hex → ASCII → base64 via custom hash table) serving obfuscated osascript payloads at runtime — static analysis gets you almost nothing * **Anti-VM** via `system_profiler` checking for QEMU/VMware/KVM processor strings and known sandbox hardware serials, run twice before payload delivery * **Payload written to** `/bin/zsh` **child process iteratively via** `write()` **loop** — no plaintext payload on disk * **300+ crypto extension IDs** targeted + full desktop wallet scraping * **Hardware wallet trojanization** — silently replaces Ledger, Trezor, and Exodus with adhoc-signed phishing lookalikes that harvest passwords and seed phrases to `systellis[.]com` * **Three-layer persistence**: root LaunchDaemon (`com.finder.helper`) → `~/.mainhelper` backdoor pulled from C2 → `~/.agent` polling loop that pivots backdoor execution into the active console user's context every second via `stat -f "%Su" /dev/console`
Linux malware often hides in Berkeley Packet Filter (BPF) socket programs, which are small bits of executable logic that can be embedded in the Linux kernel to customize how it processes network traffic. Some of the most persistent threats on the Internet use these filters to remain dormant until they receive a specific "magic" packet. Because these filters can be hundreds of instructions long and involve complex logical jumps, reverse-engineering them by hand is a slow process that creates a bottleneck for security researchers. To find a better way, we looked at symbolic execution: a method of treating code as a series of constraints, rather than just instructions. By using the Z3 theorem prover, we can work backward from a malicious filter to automatically generate the packet required to trigger it. In this post, we explain how we built a tool to automate this, turning hours of manual assembly analysis into a task that takes just a few seconds. The complexity ceiling Before we look at how to deconstruct malicious filters, we need to understand the engine running them. The Berkeley Packet Filter (BPF) is a highly efficient technology that allows the kernel to pull specific packets from the network stack based on a set of bytecode instructions. While many modern developers are familiar with eBPF (Extended BPF), the powerful evolution used for observability and security, this post focuses on "classic" BPF. Originally designed for tools like tcpdump, classic BPF uses a simple virtual machine with just two registers to evaluate network traffic at high speeds. Because it runs deep within the kernel and can "hide" traffic from user-space tools, it has become a favorite tool for malware authors looking to build stealthy backdoors. Creating a contextual representation of BPF instructions
Reverse-engineered the Whoop 4.0 BLE protocol — CRC-32 with non-standard polynomial, 96-byte real-time data packets
[CVE-2026-34980](https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf) and [CVE-2026-34990](https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp)
In Telegram groups, men are sharing thousands of nonconsensual images of women and girls, buying spyware, and engaging in doxing and sexual abuse.
@fairwords npm packages compromised by a self-propagating credential worm - steals tokens, infects other packages you own, then crosses to PyPI
Three @`fairwords` scoped npm packages were hit today by what appears to be the TeamPCP/CanisterWorm campaign. The interesting part isn't just the credential theft, it's what it does with your npm token afterward. **What the postinstall payload does:** * Harvests environment variables matching 40+ patterns (AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc.) * Reads SSH keys, `.npmrc`, `.kube/config`, Docker auth, Terraform credentials, `.git-credentials` * Steals crypto wallet data - Solana keypairs, Ethereum keystores, MetaMask LevelDB, Phantom, Exodus, Atomic Wallet * Decrypts Chrome saved passwords on Linux using the well-known hardcoded PBKDF2 key (`"peanuts"` / `"saltysalt"`) * Scans `/proc/[pid]/environ` for tokens in other running processes **Affected versions:** * `fairwords/websocket` 1.0.38 and 1.0.39 * `fairwords/loopback-connector-es` 1.4.3 and 1.4.4 * `fairwords/encryption` 0.0.5 and 0.0.6 If you have any of these installed, rotate npm tokens, cloud keys, SSH keys immediately and check whether any packages you maintain received unexpected version bumps. Full analysis with IOCs and payload walkthrough in the blog.