DHS Spy Data Hacked 🕵️, Meta Kills DM E2EE 🔐, Poland Nuclear Breach Attempt ☢️

TLDR

Together With Tines

TLDR Information Security 2026-03-17

The future of IT infrastructure is here (Sponsor)

Environments have become more distributed and messier -- yet many IT Ops teams still rely on manual workflows to manage capacity, reliability, and scale. The result? Hidden waste, slower incident response, growing risk, and teams stuck firefighting instead of improving systems.

Tines published a new essential guide for IT teams that shows how to change that.

Download a free copy to learn:

  • Why manual capacity management quietly drives cost and operational drag
  • How reactive incident response undermines infrastructure reliability
  • Using intelligent workflows for predictable, auditable scaling
  • Practical ways to orchestrate infrastructure using the tools you already have 

Download The Future of IT Infrastructure from Tines

🔓 Attacks & Vulnerabilities

CrackArmor: Multiple vulnerabilities in AppArmor (10 minute read)

Qualys identified nine vulnerabilities in Linux AppArmor, which is enabled by default on Ubuntu, Debian, and SUSE. These flaws involve a confused-deputy issue where world-writable pseudo-files allow unprivileged users to manipulate profiles, leading to potential privilege escalation and denial-of-service attacks. Immediate kernel updates and permission audits are recommended to mitigate these risks, with patches already merged into Linus's tree.

GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers (4 minute read)

Socket identified 72 more malicious Open VSX extensions active since January 31, 2026, as part of an intensified GlassWorm campaign. This campaign exploits `extensionPack` and `extensionDependencies` in `package.json` to chain seemingly harmless extensions into delivery mechanisms for transitive malware once trust is established. The malware continues to exhibit classic GlassWorm features, such as Russian locale checks, Solana transactions used as dead-drop resolvers for C2 resilience, and invisible Unicode characters used to hide payloads. Additionally, it now employs greater obfuscation and wallet rotation to evade detection. Meanwhile, Aikido linked the same actor to LLM-generated cover commits across 151 GitHub repositories and two npm packages (@aifabrix/miso-client, @iflow-mcp/watercrawl-watercrawl-mcp) from March 3 to March 9, 2026, targeting credentials, tokens, and secrets.
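
An added example (not Socket's or Aikido's tooling, and not code from the campaign) of how a defender can follow the same two manifest fields to see what a single install actually pulls in, then check every reachable extension's source for the invisible characters the campaign uses to hide payloads. The extension IDs, manifests and source snippets are constructed; a real run would read each extension's package.json and bundled JavaScript from the extensions directory instead of the dicts below.

```python
"""Walk the extensionPack / extensionDependencies graph of installed extensions
and flag transitive dependencies whose source carries invisible Unicode.

Added example, not Socket's or Aikido's tooling and not GlassWorm itself. The
manifests and sources below are constructed; the extension IDs are invented and
not from the campaign."""
import unicodedata
from collections import deque

# Characters that render as nothing in an editor: Unicode format characters
# (zero-width space/joiner/non-joiner, word joiner, BOM ...), unassigned and
# private-use code points, plus variation selectors and Hangul fillers, which
# sit in letter/mark categories but still draw nothing.
HIDDEN_CATEGORIES = {"Cf", "Cn", "Co"}
HIDDEN_EXTRA = ({0x115F, 0x1160, 0x3164, 0xFFA0}
                | set(range(0xFE00, 0xFE10))
                | set(range(0xE0100, 0xE01F0)))


def hidden_chars(text):
    """(index, code point) for every invisibly rendering character in text."""
    return [(i, ord(c)) for i, c in enumerate(text)
            if unicodedata.category(c) in HIDDEN_CATEGORIES or ord(c) in HIDDEN_EXTRA]


def transitive_deps(manifests, root):
    """Extensions installed as a consequence of installing root, in discovery
    order. Both extensionPack (bundled) and extensionDependencies (required)
    are followed, since either one pulls the target extension in."""
    seen, order, queue = {root}, [], deque([root])
    while queue:
        ext = queue.popleft()
        m = manifests.get(ext, {})
        for dep in m.get("extensionPack", []) + m.get("extensionDependencies", []):
            dep = dep.lower()                 # extension IDs are case-insensitive
            if dep not in seen:
                seen.add(dep)
                order.append(dep)
                queue.append(dep)
    return order


def audit(manifests, sources, root):
    """Map each transitive dependency of root whose source contains hidden
    characters to its list of (index, code point) findings."""
    findings = {}
    for ext in transitive_deps(manifests, root):
        hits = hidden_chars(sources.get(ext, ""))
        if hits:
            findings[ext] = hits
    return findings


# Constructed sample: a benign-looking theme pack that transitively installs an
# extension whose source hides zero-width characters between two statements.
MANIFESTS = {
    "acme.theme-pack": {"extensionPack": ["acme.icons", "acme.helper"]},
    "acme.icons": {},
    "acme.helper": {"extensionDependencies": ["acme.telemetry-bridge"]},
    "acme.telemetry-bridge": {},
}
SOURCES = {
    "acme.theme-pack": "exports.activate = () => {};",
    "acme.icons": "module.exports = {};",
    "acme.helper": "const x = 1;",
    "acme.telemetry-bridge": "const cfg = 'abc';\u200b\u200c\u200d\nrequire('child_process');",
}

if __name__ == "__main__":
    for ext, hits in audit(MANIFESTS, SOURCES, "acme.theme-pack").items():
        print(ext, [f"U+{cp:04X}@{i}" for i, cp in hits])
```

The root extension and its direct pack members are clean; the finding lands two hops away, which is the point of the chaining: trust is judged on the extension the developer clicked, while the code that runs arrives through a dependency nobody reviewed.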

UK Companies House Web Glitch Exposes Corporate Details to Fraudsters (2 minute read)

The UK's Companies House, the agency that registers and dissolves the nation's companies, took its WebFiling dashboard offline after a vulnerability was found. A user could select "file for another company" and then, when prompted for that company's authentication code, repeatedly press the browser's back button and be redirected to the other company's dashboard without ever supplying the code. An attacker could use this to view and edit filing information belonging to other companies.
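
A hypothetical model of the flaw, added here and not Companies House's code or a reconstruction of WebFiling: the vulnerable flow switches the session's company context as soon as the user selects a company, so abandoning the authentication-code prompt still leaves that context in place, while the hardened flow only records a pending selection and switches context after the code verifies. The company numbers, codes and session fields are invented.

```python
"""Model of the authorisation bug: the company context is switched before the
authentication code for that company has been verified, so a user who abandons
the code prompt (e.g. via the browser back button) lands on another company's
dashboard.

Added example with a hypothetical session model; it is not Companies House
code and does not reproduce the WebFiling implementation. Company numbers and
authentication codes are constructed."""
import hmac

# Constructed: company number -> authentication code the filer must present.
AUTH_CODES = {"00000001": "ABC123", "00000002": "XYZ789"}


class Session:
    def __init__(self, verified_company):
        self.verified = {verified_company}   # companies this login has proven a code for
        self.active = verified_company       # company whose dashboard is rendered
        self.pending = None                  # company awaiting a code (hardened flow only)


# --- vulnerable flow: context switched on selection, dashboard trusts it ---
def select_company_vulnerable(s, company):
    s.active = company                       # switched before any code is checked
    return "auth_code_prompt"


def dashboard_vulnerable(s):
    return s.active                          # renders whatever is active


# --- hardened flow: selection records intent; the switch happens in verify ---
def select_company_hardened(s, company):
    s.pending = company
    return "auth_code_prompt"


def verify_code(s, code):
    expected = AUTH_CODES.get(s.pending or "", "")
    if s.pending and hmac.compare_digest(expected.encode(), code.encode()):
        s.verified.add(s.pending)
        s.active = s.pending
        s.pending = None
        return "dashboard"
    s.pending = None                         # any failure or abandonment clears the attempt
    return "auth_code_prompt"


def dashboard_hardened(s):
    # Render only a company this session has actually proven a code for.
    return s.active if s.active in s.verified else "access_denied"


def demo():
    """User proven for company 1 selects company 2, then presses back."""
    v = Session("00000001")
    select_company_vulnerable(v, "00000002")
    leaked = dashboard_vulnerable(v)          # other company's dashboard

    h = Session("00000001")
    select_company_hardened(h, "00000002")
    after_back = dashboard_hardened(h)        # still the user's own company
    wrong = verify_code(h, "NOPE")            # rejected, pending cleared
    select_company_hardened(h, "00000002")
    right = verify_code(h, "XYZ789")          # accepted, context switched
    return leaked, after_back, wrong, right, dashboard_hardened(h)


if __name__ == "__main__":
    print(demo())
```

The general rule the hardened flow follows: a step-up check must be the thing that changes authorization state, never a redirect that merely sits in front of it, because any navigation that skips the redirect (back button, direct URL, a second tab) skips the check too.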

🧠 Strategies & Tactics

Decrypting and Abusing Predefined BIOCs in Palo Alto Cortex XDR (10 minute read)

InfoGuard Labs researchers decrypted the AES-256-CBC-encrypted CLIPS rule files shipped with Palo Alto Cortex XDR agents 8.7 and 8.8 (content version 1790-16658), exposing hardcoded global whitelists that exempted any process with `:\Windows\ccmcache` in its command line from roughly half of all BIOC detections, including LSASS dump prevention rules mapped to MITRE ATT&CK T1003/TA0006. The global whitelist has been removed in Cortex XDR Agent 9.1 with content version 2160, though individual rule exceptions remain exploitable by attackers with knowledge of the plaintext rules. Defenders running agents below 9.1 should prioritize upgrading immediately. Those on patched versions should audit process command-line telemetry for ccmcache path injection and treat any closed-box EDR as a single layer rather than a complete control.
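
The audit the last sentence asks for, as an added example (not InfoGuard or Palo Alto code): scan process-creation telemetry for command lines that mention the whitelisted path but do not come from SCCM-delivered content. The events are constructed Sysmon-style records with the Event ID 1 field names; the assumption that genuine ccmcache execution runs from under the cache directory with CcmExec.exe as its parent is mine, so tune it to what your SCCM deployment actually looks like.

```python
"""Hunt for ccmcache path injection in process-creation telemetry.

Added example, not Palo Alto or InfoGuard code. Events below are constructed
Sysmon-style records (Image, CommandLine, ParentImage as in Event ID 1); any
EDR process-start feed with the same three fields works.
Assumption (mine, not from the article): legitimate ccmcache execution has its
image under the cache directory and is launched by the SCCM client, CcmExec.exe.
Anything else that merely mentions the path in its arguments is treated as a
possible attempt to trigger the exemption."""
import re

# The exemption keyed on this substring anywhere in the command line, with no
# drive letter, so the hunt matches it the same way.
CCMCACHE = re.compile(r":\\windows\\ccmcache", re.IGNORECASE)


def mentions_ccmcache(s):
    return bool(CCMCACHE.search(s))


def classify(event):
    """None if the path never appears, 'expected' for SCCM-launched content
    running from the cache, 'injected' for every other appearance."""
    cmd = event["CommandLine"]
    image = event["Image"]
    parent = event.get("ParentImage", "")
    if not mentions_ccmcache(cmd) and not mentions_ccmcache(image):
        return None
    if mentions_ccmcache(image) and parent.lower().endswith(r"\ccmexec.exe"):
        return "expected"
    return "injected"


def find_injections(events):
    return [e for e in events if classify(e) == "injected"]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # 1: real SCCM content execution, image in the cache, parent is CcmExec.
    {"Image": r"C:\Windows\ccmcache\a1\setup.exe",
     "CommandLine": r'"C:\Windows\ccmcache\a1\setup.exe" /quiet',
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    # 2: LSASS dump whose output path carries the magic substring.
    {"Image": r"C:\Users\bob\tools\procdump.exe",
     "CommandLine": r"procdump.exe -ma lsass.exe C:\Windows\ccmcache\out.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 3: the bare, drive-letter-less form the rule matched on.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 :\Windows\ccmcache\l.bin full",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 4: unrelated process, never mentions the path.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 5: binary dropped into the cache directory but launched by hand.
    {"Image": r"C:\Windows\ccmcache\b7\update.exe",
     "CommandLine": r"C:\Windows\ccmcache\b7\update.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for e in find_injections(SAMPLE_EVENTS):
        print("INJECTED", e["Image"], "<-", e["ParentImage"])
```

Events 2 and 3 are the shape the article warns about: the dump tool never runs from the cache, it only names the path as an argument. Event 5 shows why the parent check matters; a path-only rule would have waved it through.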

[New Threat Intelligence] European Security Vendor Targeted by Hackers Fronting as Cisco Domain (6 minute read)

Outpost24's threat intel team uncovered a multi-stage phishing campaign that starts with DKIM-validated JP Morgan–themed emails and abused Cisco Secure Email Gateway links, then chains through Nylas tracking, a compromised Indian development company's infrastructure, and a re-registered legacy domain before landing on Cloudflare-protected infrastructure. An anti-bot "human validation" step filters out automated analysis and ultimately delivers a highly convincing Microsoft 365 credential-harvesting page, likely powered by the Kratos Phishing-as-a-Service kit.

The rise of malicious repositories on GitHub (4 minute read)

GitHub is seeing a surge of malicious repositories that impersonate legitimate projects and offer only infected Windows binaries, often removing build instructions and technical detail while using LLM‑generated text to appear authentic. Some repos target macOS/Linux ecosystems like Homebrew but still ship only Windows executables, suggesting a low‑effort or automated campaign. Attackers abuse README updates and recognizable zip naming patterns to climb search rankings, sometimes using long‑standing or hijacked accounts. While many downloads are now blocked by browser and AV protections, developers still need to verify repos and binaries carefully to avoid compromise.

🧑‍💻 Launches & Tools

When posture isn't enough: cloud intrusions are up 136% over last year (Sponsor)

CSPM and CNAPP lock the doors, but attackers are already logging in with stolen keys. This Mitiga report lays out a dual-layer strategy that protects AI adoption while minimizing AI-driven threats. See why posture management falls short and what zero-impact breach prevention looks like. Read the report

redStack (GitHub Repo)

redStack is a Terraform-provisioned, boot-to-breach red team lab on AWS that deploys Mythic, Sliver, and Havoc C2 servers behind an Apache redirector with X-Request-ID header validation, URI filtering, and AV/Tor exit blocking, all accessible via a Guacamole portal with an isolated Windows operator workstation. The architecture uses dual VPCs with peering to keep all C2 servers off the public internet and supports OpenVPN integration for closed-lab environments such as HackTheBox, Proving Grounds, and VulnLab.

YouTube Media Storage (GitHub Repo)

YouTube Media Storage is a tool that allows for storing files on YouTube by encoding them into lossless video and then decoding them back to the original file.

sigmalite (GitHub Repo)

sigmalite is a Golang package that provides a parser and execution engine for the Sigma detection format.

🎁 Miscellaneous

Hacked data shines light on homeland security's AI surveillance ambitions (6 minute read)

Hacked records from DHS's Office of Industry Partnership, obtained by transparency nonprofit Distributed Denial of Secrets, expose over 1,400 funded contracts worth $845M spanning 2004 to late 2025, including May 2025 awards for mobile biometric harvesting devices, AI-powered airport CCTV passenger profiling systems, and a nationwide 911 call data lake with predictive policing capabilities. The leak also reveals 6,000+ companies that bid with the agency, showing the full breadth of private-sector appetite for DHS surveillance work and technologies considered but never funded. The disclosures arrive amid DHS's $165B funding boost and ongoing controversy over agents collecting visual and biometric data on protesters, reigniting civil liberties debates around AI-assisted behavioral screening programs that have repeatedly failed independent review.

Meta is Killing End-to-End Encryption in Instagram DMs (2 minute read)

Meta announced it is discontinuing end-to-end encryption in Instagram DMs due to low adoption. The feature had only been rolled out to a subset of users and required opting in for each chat individually. While Meta does support end-to-end encryption in WhatsApp, it has been unclear about the progress made towards it in Messenger and other apps.

FBI Seeks Victims of Steam Games Used to Spread Malware (2 minute read)

The FBI's Seattle division is requesting that gamers who installed Steam titles containing malware complete a form to provide additional information. Based on the questions in the form, the FBI appears to be investigating the apps for cryptocurrency theft and account takeover. Victims are also requested to include any screenshots of communications with individuals promoting the games.

Quick Links

Tune in Live: How Cisco's Hybrid Mesh Firewall Turns Network Data Into Real-Time (Sponsor)

Hear directly from Cisco threat researchers on how they correlate IPS rules with network telemetry and deliver the resulting detections directly to Cisco firewalls. Join the webinar!

ByteDance reportedly pauses global launch of its Seedance 2.0 video generator (1 minute read)

ByteDance has delayed the global rollout of Seedance 2.0, its viral AI video model, after Hollywood studios, including Disney, issued cease-and-desist letters over unauthorized use of copyrighted IP.

Loblaw confirms data breach - Canadian retail giant says 'basic customer information' affected (2 minute read)

Attackers accessed a non-critical Loblaw network segment and stole customer contact data, including names, phone numbers, and email addresses.

Hacking Attempt Reported at Poland's Nuclear Research Center (2 minute read)

Hackers recently tried to breach IT systems at Poland's National Centre for Nuclear Research, which operates the MARIA research reactor and backs the country's civilian nuclear program.

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile
