Attacks & Vulnerabilities |
Stored XSS Vulnerability in Jira Work Management Could Enable Full Organization Takeover (2 minute read)
SnapSec researchers discovered a stored XSS vulnerability in Atlassian Jira Work Management's custom priority settings, where the Icon URL field lacked backend validation and output encoding, allowing a malicious JavaScript payload to be persisted to the database. A Product Admin, a low-privilege role with no access to Confluence or Service Management, can plant the payload in the priorities configuration panel, where it silently executes in a Super Admin's browser during organic page visits and issues a hidden organization invitation that grants the attacker full multi-product Atlassian access. Organizations should enforce strict input validation and output encoding across all administrative configuration surfaces and audit access-control models to ensure that partially privileged roles cannot influence global application behavior. |
Hackers Compromise Axios npm Package to Drop Cross-Platform Malware (2 minute read)
Attackers compromised the npm account of the main maintainer of the popular Axios JavaScript package to deploy a malicious version. The malicious version loads a new dependency that runs a post-install script that downloads a payload based on the OS it's running on and eventually downloads a RAT. The compromise does not seem related to the recent TeamPCP attacks, but Google Threat Intelligence Group (GTIG) surmises that the attackers are affiliated with North Korea. |
|
New widespread EvilTokens kit: device code phishing as-a-service – Part 1 (20 minute read)
EvilTokens is a new Phishing-as-a-Service platform that weaponizes Microsoft's OAuth 2.0 Device Authorization Grant flow, tricking victims into entering attacker-controlled user codes at the legitimate microsoft.com/devicelogin endpoint to harvest access and refresh tokens for Microsoft 365 account takeover. The kit automates post-compromise token conversion to Primary Refresh Tokens (PRTs), enabling persistent MFA-bypassing SSO access across Outlook, SharePoint, OneDrive, Teams, Microsoft Graph, and Azure, with over 1,000 affiliated phishing domains detected across Cloudflare Workers infrastructure by March 23. Defenders should monitor for the distinctive X-Antibot-Token HTTP header, block domains matching affiliate Cloudflare Workers patterns, and hunt via urlscan.io using requests to /api/device/start and /api/device/status/, with YARA rules and IOCs published in the Sekoia Community GitHub repository. |
TeamPCP Supply Chain Campaign: A March 2026 Retrospective (16 minute read)
TeamPCP ran a six-phase supply chain attack across five vendor ecosystems in roughly five days. It started with a single Aqua Security PAT stolen via a malicious PR against Trivy's CI pipeline in February — credentials that were never fully revoked. That one token unlocked Trivy, Aqua's internal GitHub org, npm (64+ packages via a self-propagating worm using ICP canisters as C2), LiteLLM's PyPI package, Checkmarx GitHub Actions, and Telnyx. The Telnyx phase hid payloads inside WAV audio files using steganography and meanwhile, a parallel payload wiped filesystems on Iranian infrastructure. |
MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747) (3 minute read)
Researchers at Calif gave Claude a FreeBSD security advisory (CVE-2026-4747) and, roughly 4 hours of active AI work later, had two working remote kernel exploits which both succeeded on the first try. The bug lives in FreeBSD's RPCSEC_GSS NFS implementation: a stack overflow in an int32_t[] buffer with no canary protection and no KASLR, so kernel addresses are fixed. Claude built the full chain, lab setup, multi-packet shellcode delivery across 15 NFS rounds, ROP construction, clean thread exit via kthread_exit(), De Bruijn offset correction, kernel-to-userland process spawning, and a stale debug register fix which ended up producing a reverse shell as uid=0 (root user). |
|
frp (GitHub Repo)
frp is a fast reverse proxy that allows you to expose a local server behind a NAT or firewall to the internet. |
PolarDNS (GitHub Repo)
PolarDNS is a Python-based authoritative DNS server built for security testing of DNS resolvers, clients, libraries, and parsers over both UDP and TCP. It exposes over 70 features and 19 response modifiers to generate malformed, RFC-violating, and otherwise pathological DNS responses, enabling research into cache poisoning, resource exhaustion, sloth domain attacks, and resolver crashes. GitHub Actions workflow templates for BIND9, CoreDNS, Dnsmasq, Knot, PowerDNS, and Unbound are included for automated E2E test suite integration. |
Heretic (GitHub Repo)
Heretic is a tool that removes censorship from transformer-based language models without expensive post-training. |
|
Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly (4 minute read)
Google Quantum AI published updated resource estimates showing that Shor's algorithm can break ECDLP-256, the elliptic curve cryptography underpinning most blockchains and cryptocurrency wallets, using fewer than 500,000 physical qubits and 70 to 90 million Toffoli gates, representing a roughly 20-fold reduction over prior estimates. To disclose the finding without handing attackers a blueprint, Google published a zero-knowledge proof allowing third parties to verify the claims without exposing the underlying quantum circuits. Blockchain operators should begin migrating to post-quantum cryptography now, avoid exposing or reusing wallet addresses that reveal public keys, and follow Google's 2029 PQC migration timeline alongside Coinbase, the Ethereum Foundation, and the Stanford Institute for Blockchain Research. |
Newsom Signs AI Safety Order for California State Contracts (3 minute read)
Californian governor Gavin Newsom has signed a new executive order mandating AI companies to prove that they have safety and privacy protections in place to win government contracts. Companies will need to explain how their technology prevents the exploitation and distribution of illegal contents and demonstrate that their models avoid discriminating bias. The new mandate acts on the state level and can make determinations that are contrary to federal guidelines. |
Google Drive Has Some New Tricks To Help if You Get Hit by a Ransomware Attack (2 minute read)
Google has announced that ransomware detection and file restore for Google Drive is now publicly available after a period in beta. The new features will warn organization administrators if it detects activity that may be caused by ransomware and allow bulk file restore to a previous point before the attack. The file restore feature is available for all users, even on personal accounts, but ransomware detection is only available for certain accounts like Business and Enterprise. |
|
| Love TLDR? Tell your friends and get rewards! | | Share your referral link below with friends to get free TLDR swag! | | | |
| Track your referrals here. |
|
| |
0 Comments