Attacks & Vulnerabilities

Hackers Leak 5.1 Million Panera Bread Records (4 minute read)
Extortion group ShinyHunters stole roughly 14 million records from Panera Bread by compromising a Microsoft Entra SSO code, then leaked a 760GB archive after failed ransom demands. The dump includes 5.1 million unique customer email addresses, along with names, addresses, and phone numbers, creating significant downstream risk of phishing, credential stuffing, and identity-based attacks that can extend far beyond Panera's ecosystem.

New GlassWorm Attack Targets macOS via Compromised OpenVSX Extensions (2 minute read)
Researchers at Socket Security identified a new set of compromised packages on the OpenVSX marketplace that appear to be infected with the GlassWorm malware. The malware targets macOS users and harvests data from browsers, wallet extensions and wallet apps, macOS keychains, Apple Notes databases, Safari cookies, developer secrets, and documents from the local filesystem. The researchers note that the extensions operated legitimately for two years prior to infection, so it is possible that the developer was compromised.

Researcher Reveals Evidence of Private Instagram Profiles Leaking Photos (2 minute read)
A security researcher discovered a vulnerability in Instagram that exposed links to private photos and captions in the HTML source code of some private profiles. The researcher found that, in their testing, 28% of the accounts they created or had access to exhibited this issue. Meta responded to the researcher, stating that the issue was caused by a CDN caching problem and has been fixed, but the researcher contends that it's a backend authorization issue.

How To Get Your First Job in Cybersecurity (5 minute read)
Job seekers looking to transition to cybersecurity should begin by identifying the role that is right for them, finding a career mentor to guide them, joining learning communities, and developing the required skills. They should then build their online presence and experience by volunteering with the security team at their current job, telling their network about their career transition, building an online portfolio, and polishing their LinkedIn profile. Finally, it's time to apply for the job and prepare for interviews.

The rise of Moltbook suggests viral AI prompts may be the next big security threat (8 minute read)
Self-replicating "prompt worms" are emerging as a serious security risk as OpenClaw's autonomous AI agents interact on Moltbook, install unvetted skills, and access private data. Researchers have already found hidden prompt-injection attacks, leaked API keys, and misconfigured databases that could allow attackers to silently execute malicious instructions. With more capable local models coming, today's OpenClaw ecosystem looks like a high-stakes dry run for much larger, harder-to-stop AI agent outbreaks.

Auditing Outline: Lessons from Manual vs AI Security Testing (10 minute read)
This post shares results from a 60-day audit of Outline's open-source wiki, uncovering seven vulnerabilities ranging from SSRF and CSRF to insecure design and an IDOR in event logging. The authors highlight strong baseline security in Outline's API design, but also note that subtle framework behaviors and outdated dependencies led to real-world issues, including a potential admin account takeover. One finding was uniquely caught by an AI security platform, yet most AI-reported issues were persuasive false positives that consumed 40 hours of validation. The conclusion emphasizes that AI tools are promising assistants, but human expertise remains essential for high-quality security reviews.

GhostKatz (GitHub Repo)
GhostKatz extracts LSASS credentials directly from physical memory by abusing signed vulnerable kernel drivers with `MmMapIoSpace` read primitives, bypassing traditional user-mode detection mechanisms like EDR hooks on LSASS. Designed as a modular Cobalt Strike BOF, it currently ships with exploits for Toshiba TPwSav and TechPowerUp ThrottleStop drivers and supports extensibility for custom driver research via `utils.c`. Tested across Windows 10 and Server 2012 R2 through 2022, the tool supports both logonpasswords and wdigest credential dumping modes, though operators should note the inherent BSOD risk when leveraging vulnerable kernel drivers in production environments.

RapidFort (Product Launch)
RapidFort provides an automated software supply chain security platform that analyzes and hardens containers, eliminates unused and vulnerable components, and delivers curated, near-zero-CVE base images to reduce attack surface before production deployment.

OpenMalleableC2 (GitHub Repo)
OpenMalleableC2 is a framework-agnostic library that implements Cobalt Strike's Malleable C2 profile for HTTP transformations.

WhatsApp Encryption, a Lawsuit, and a Lot of Noise (14 minute read)
Cryptographer Matthew Green analyzes a class action lawsuit alleging Meta can secretly read all WhatsApp messages, concluding the claims lack solid evidence and that mass-scale decryption backdoors would be detectable through reverse engineering of the closed-source client app. While acknowledging legitimate privacy concerns around WhatsApp's metadata collection, backup encryption complexity, and new AI-powered "Private Processing" features, Green argues these known limitations are far removed from the deliberate universal plaintext access alleged in the complaint. Security professionals who remain uncomfortable trusting WhatsApp's closed-source implementation are advised to use Signal, which offers open-source code and reproducible builds for independent verification.

County Pays $600K to Wrongfully Jailed Pen Testers (3 minute read)
In 2019, two Coalfire consultants, legally hired to test an Iowa courthouse's security, were arrested for burglary after a county sheriff overrode officers who had verified their contract. Their prosecution dragged on for months, damaging careers and client relationships, until Dallas County agreed to a $600,000 settlement seven years later.