Attacks & Vulnerabilities
|
GraphQL RCE: The Kill Chain to Cloud Identity…! (5 minute read)
A missing __builtins__: {} restriction in a SaaS platform's Python exec() sandbox allowed a researcher to inject arbitrary code via a GraphQL createUserDefinedFunction mutation, achieving RCE inside a Google App Engine container running Python 3.13. From there, SSRF to the GCP metadata service at 169.254.169[.]254 yielded a signed OIDC JWT for the production service account, resulting in full cloud identity takeover. Defenders should sandbox user-executed code with {'__builtins__': {}}, block metadata endpoint access from user-code environments at the network layer, and isolate execution in zero-trust micro-VMs such as Firecracker or gVisor.
|
$10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks (3 minute read)
A cheap browser plugin infected Windows machines and ran PowerShell to shut down antivirus, stop updates, and stay hidden using scheduled tasks and WMI. It stored future malware in folders that Microsoft Defender ignores by default. A single unregistered update domain could have let an attacker silently push code to about 25,000 computers in 124 countries, including OT, government, healthcare, and big-company networks.
|
McGraw-Hill Confirms Data Breach Following Extortion Threat (2 minute read)
Following an extortion demand by the ShinyHunters ransomware group, McGraw-Hill has confirmed that its Salesforce instance was compromised. McGraw-Hill says that only a limited amount of non-sensitive data was stolen and that it did not include SSNs, financial information, or student data. ShinyHunters, in contrast, claims that the data comprises 45M records that include PII.
|
|
Primer on GitHub Actions Security - Threat Model, Attacks and Defenses (Part 1/2) (5 minute read)
Wiz maps the GitHub Actions threat model across three primary attack classes: pull_request_target misconfigurations (the “Pwn Request” class, exploited in the Trivy supply chain compromise), where fork PR authors manipulate checked-out artifacts to gain execution with base-branch secrets; script injection, where unsanitized user-controlled context values like github.event.issue.title or github.head_ref are injected into run blocks (the Ultralytics/YOLO XMRig incident root cause); and compromised third-party actions, illustrated by the tj-actions attack, which chained four sequential action compromises to target Coinbase across 22,000 affected repositories. Defenses include avoiding pull_request_target where possible, binding all user-controlled inputs to intermediate environment variables before shell execution, and pinning third-party actions to commit SHAs rather than mutable tags.
|
We Dumped a Live Kimsuky C2 and Recovered Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger (15 minute read)
Breakglass Intelligence recovered the complete three-stage Kimsuky (APT43) kill chain after the C2 at check[.]nid-log[.]com was found with directory listing enabled, exposing a CHM dropper that chains hh.exe → PowerShell → certutil → wscript into a fileless VBScript recon payload (bootservice.php), a PowerShell bridge (checkservice.php), and a full keylogger with clipboard monitoring and randomized 100-140 minute exfil via multipart POST to finalservice.php. Two novel endpoints (checkservice.php, finalservice.php), the Global\AlreadyRunning19122345 mutex, typo'd User-Agents (Chremo, Edgo), and a 79-domain infrastructure map across 5 IPs spanning DAOU Technology and LightNode were published for the first time, with cross-campaign links to the previously documented udalyonka/uncork[.]biz cluster. Defenders can hunt for HTTP requests to /bootservice.php?tag=&query=*, responses containing “Million OK !!!!”, scheduled tasks named “Edge Updater” at PT60M intervals, and Office_Config.xml writes under %APPDATA%\Microsoft\Windows\Templates.
|
UK Gov's Mythos AI Tests Help Separate Cybersecurity Threat From Hype (4 minute read)
Anthropic's Mythos Preview model faced UK AI Security Institute tests on capture-the-flag tasks and a 32-step “The Last Ones” network data exfiltration range, where it became the first AI system to complete the full chain in some runs and averaged 22 steps versus Claude 4.6's 16, while still failing a tougher “Cooling Tower” power-plant scenario and operating in ranges without active defenders or realistic detection penalties.
|
|
How Exposed Is Your Code? Find Out in Minutes—for Free (4 minute read)
GitHub's Code Security Risk Assessment is a free, no-configuration CodeQL scan covering up to 20 active repositories that surfaces vulnerabilities by severity, language, and rule class alongside Copilot Autofix eligibility. Paired with the existing Secret Risk Assessment, org admins and security managers on Enterprise Cloud and Team plans now get a unified secrets-and-code exposure dashboard from a single entry point, with Actions minutes excluded from quota.
|
Capsule Security (Product Launch)
Capsule Security monitors AI agents in real time to detect manipulation, abnormal behavior, and data exfiltration, blocking risky commands and exposures across tools and environments while fitting into existing workflows and agent frameworks.
|
|
Fixing Encryption Isn't Enough. Quantum Developments Put Focus on Authentication (5 minute read)
Google research has revised the quantum threat timeline, finding elliptic curve cryptography could be broken with as few as 1,200 logical qubits, prompting both Google and Cloudflare to move their Q-day estimates to 2029. The industry's focus on encrypting data in transit has obscured a more urgent risk: authentication and certificates, where a single compromised quantum-vulnerable key enables full system access and turns software update pipelines into RCE vectors. Enterprises are advised to begin crypto-agility inventories now and treat PQC migration as a dedicated workstream outside normal security operations, given that large-scale migrations can take years.