Attacks & Vulnerabilities

Breaking Down CVE-2026-25049: How TypeScript Types Failed n8n's Security (8 minute read)
CVE-2026-25049 (CVSS 9.4) exploits a type confusion flaw in n8n's expression evaluator, bypassing a prior security patch by sending object inputs instead of strings: since TypeScript types are stripped at compile time, the runtime sanitizer never executed. Attackers use JavaScript destructuring to access the Function constructor and achieve unauthenticated RCE via public webhook endpoints, exposing stored credentials, API keys, and internal network access. Users should upgrade to n8n versions 1.123.17 or 2.5.2 and implement runtime type validation using typeof checks or a schema validation library such as Zod.

European Commission Discloses Breach That Exposed Staff Data (2 minute read)
The European Commission is investigating a breach after finding evidence that its mobile device management (MDM) platform was hacked. It has not found any evidence that mobile devices were compromised, but confirmed that attackers accessed some staff members' personal information, such as names and phone numbers. The European Commission did not disclose how the attackers compromised its MDM system, but the attack shows similarities with other attacks on European institutions that exploit vulnerabilities in Ivanti Endpoint Manager Mobile software.

BeyondTrust Warns of Critical RCE Flaw in Remote Support Software (2 minute read)
BeyondTrust warned customers to patch a critical vulnerability in its Remote Support and Privileged Remote Access software that could allow unauthenticated attackers to execute arbitrary code via OS command injection. The vulnerability can be exploited by unauthenticated attackers without user interaction by sending specially crafted client requests. BeyondTrust has secured all cloud systems and advises all on-premises customers to patch their systems manually if they have not enabled auto updates.
The Phantom File System: Inside the Windows ProjFS (14 minute read)
The Windows Projected File System (ProjFS) operates as a minifilter (prjflt.sys) rather than a true filesystem, using reparse points and filter communication ports to project virtual files on demand. Offensively, medium-integrity users can launch ProjFS providers without admin privileges, prevent higher-privileged processes from deleting files, and serve different file contents per process, all potential avenues for evasion and persistence. Defensively, ProjFS offers a lightweight alternative to custom minifilters for deploying canary files with rich callback data, including the triggering process ID and image path, which is particularly relevant as Microsoft moves toward reducing kernel-mode dependencies.

How to recognize a deepfake: attack of the clones (7 minute read)
This post outlines practical techniques for identifying deepfake scams across video calls, voice messages, and photos. Modern neural networks can clone a voice from just three to five seconds of audio. Key detection methods include requesting head turns to break face-swap algorithms, watching for lip-sync delays of even 100 milliseconds, and using pre-agreed codewords for identity verification. Organizations and individuals are advised to restrict public access to photos and voice recordings, enable 2FA on all accounts, and use content analysis tools such as Sensity AI and Deepware for automated detection.

Uncovering Threats Through WAF Logs: A Threat Hunter's Lens (5 minute read)
WAF logs are often overlooked in threat hunting, even though every request to a protected application must pass through the WAF. Defenders can look for potential reconnaissance patterns, including the use of non-standard HTTP methods on public pages, CMS helper endpoint exposure, systematic enumeration across multiple sites, and infrastructure-based anomalies such as Tor exit nodes. The article also includes KQL queries for practical threat detection.
PhantomFS (GitHub Repo)
PhantomFS is a Windows ProjFS-based tool that projects virtual files whose content varies by the requesting process, serving AES-256-CBC-encrypted payloads to allowed processes (e.g., cmd.exe) while returning decoy bytes to all others. Inspired by Huntress' recent ProjFS research, the tool runs at medium integrity without admin privileges and blocks delete/rename attempts from non-allowed processes. Detection is possible via ProjFS reparse points, the PrjFlt minifilter at filter altitude 189800, and the Microsoft-Windows-ProjFS ETW provider.

EvilNeko (GitHub Repo)
EvilNeko is a project to automate container orchestration and operationalize Browser in Browser attacks for red teams.

17% of 3rd-Party Add-Ons for OpenClaw Used in Crypto Theft and macOS Malware (2 minute read)
17% of third-party "skills" for the popular open-source AI tool OpenClaw, which has over 160,000 GitHub stars, are malicious. Over half (54%) of these threats target cryptocurrency users with fake wallet trackers, DEX tools, and Solana/Phantom utilities. One user account, sakaen736jih, is associated with 199 malicious skills that steal private wallet keys and deploy AMOS Stealer malware on macOS. The malware campaign has extended into corporate settings, leading Bitdefender to develop a free AI Skills Checker tool to help users vet add-ons before installing.

My Top 5 Recommendations on OT Cybersecurity Student Upscaling (3 minute read)
A guide from Lesley Carhart, aka hacks4pancakes, on the skills prospective Operational Technology (OT) students should focus on. Students should focus more on processes and systems of systems rather than on hacking individual devices. Start with one process, consider safety and process continuity, since most OT engagements involve critical systems, and get comfortable with older computers. The post also includes a list of free learning resources.