A GitHub flaw lets attackers upload executables that appear to be hosted on a company's official repo, such as Microsoft'sโwithout the repo owner knowing anything about it.
The following URLs, for example, make it seem like these ZIPs are present on Microsoft's source code repo:
A threat actor is now advising StackOverflow devs seeking debugging help to install a 'pytoileur' #Python package as a "solution" to their code troubles.
๐DO NOT fall for this, it's a trapโthe package has encoded code hidden on line 17 via whitespaces and infects Windows users
EXCLUSIVE: #Okta says its GitHub source code repositories were stolen this December in a 'confidential' security notification sent to 'security contacts' that include IT managers at various organizations.
๐จ Apache has disclosed an *actively exploited* Path traversal flaw in the #opensource "httpd" server. Over 112,000 exposed Apache servers run version 2.4.49, and should be upgraded now!
New fix checks for encoded path traversal characters e.g. /../.%2E/
blog.sonatype.com/apache-serversโฆ
Uber won't fix the vulnerability that lets anyone email as "Uber"โthis isn't a spoofed email but sent from Uber via an exposed endpoint.
Researcher @0x21SAFE states threat actors could abuse this to phish 57 million victims of the 2016 Uber data breach.
bleepingcomputer.com/news/security/โฆ
Anonymous altered the official knowledgebase of Epik after the alt-right web hosting provider denied that any breach had occurred. Epik has provided services for the Texas GOP, 8chan, Parler, and Gab, among others.
arstechnica.com/information-teโฆ#EpikFail
EXCLUSIVE: Newly discovered #Azure flaw lets attackers brute-force Active Directory credentials in an undetected manner.
At this time, there's no way to easily block the endpoints used by Seamless SSO. #Microsoft seems to consider this a "design" choice.
GitHub calls these "anonymized URLs" but I'm not sure if that's accurateโconsidering they appear to be associated with a repo.
By contrast, Discord CDN URLs to "attachments" are truly anonymized and look like:
https://cdn.discordapp[.]com/attachments/XXXXX/XXXX/virus.exe
PyTorch reveals malicious dependency chain compromise between Dec 25th & 30th.
The counterfeit 'tortchtrion' stole SSH keys, first 1000 files in $HOME, .gitconfig and other secrets.
2,300+ downloads seen so far on PyPI.
Uninstall now ๐๐๐
bleepingcomputer.com/news/security/โฆ#opensource
BREAKING: #PHP Git server is the latest victim of a software supply chain attack in which attackers planted a remote code execution #backdoor in the PHP source code.
PHP powers almost 8 out of 10 sites on the internet, making this upstream attack noteworthy.
#opensource#git