strobie reeeee 🍓 莓莓 ストロベリ

so our DPRK Contagious Interview friends have advanced in the meantime and now have started reking people for which you only need to _unzip_ a file and run a git checkout or commit operation. so this how the attack works: 1. the attacker distributes the repo as a zip archive (which is pivotal!). this is on purpose because git clone explicitly strips hooks (since cloning goes through git's _own_ protocol which excludes them) from remote sources as a security measure but unzipping is just a _normal_ filesystem ops that git cannot control (yeah fml but also simple fact). the zip restores file permissions exactly as the attacker set them (expect `rwxrwxr-x`), so the two active hooks (`pre-commit` & `post-checkout`) arrive on disk already executable (yeah fml). 2. git _automatically_ runs a hook when two conditions are met at the same time. the file must have the correct bare name with no `.sample` extension _and_ the executable bit must be set (like `rwxrwxr-x`). both of these are already satisfied by the attacker _before_ the zip is distributed. no fucking user action, config change, or approval is needed, git's own hook dispatch system triggers everything lmfaooo. software is great innit? 3. some of the custom `.sample` files in the shipped `.git/hooks` directory are the malicious payloads. they are basically payload components _disguised_ under innocent names. once the victim does anything beyond passively inspecting the repo (e.g. git checkout or git commit), the _active_ hook copies those files into `~/.vscode` (a directory devs usually trust and ignore but well you should not trust it guys) and then starts a detached background process using `nohup` so it does not block or visibly affect the git command. the git operation still completes normally and nothing looks suspicious. fucking evil, but hey here we are! 4. now that background process then bootstraps a node.js runtime if it is not already installed, runs npm install using an attacker controlled package.json, and executes an obfuscated payload (this can ofc differ and change over time). from that point the attacker gains clipboard access, a persistent c2 channel over https://t.co/SZ5Ym88c3r (usually) and the ability to read browser credential dbs

🇰🇵 DPRK loves it when you: - Save your seed phrase in a password manager. - Use hot wallets instead of hardware wallets. - Don't use antivirus, EDR or Lockdown mode in your devices. - Download pirated stuff, install shady apps and play games in your work device. - Accept calls from people without verifying them first. - Use SMS for 2FA. - Sync your passwords, google authenticator and passkeys to your Gmail account - Install lots of browser extensions - Don't update your Operating system and apps. - Repeat passwords. - Don't use a device exclusively for work - Don't verify what you are signing - Run npm install on a "coding challenge" from a recruiter you met on LinkedIn. - Blindly add npm/PyPI packages without checking the publisher, download counts, or recent version history. - Pin your dependencies to "latest" and hope for the best. - Trust any GitHub repo with a slick README and a few stars. - Reuse the same email for crypto, banking, and signing up to random newsletters. - Click "Remind me later" on security updates for weeks. - Disable Windows Defender because it "slows things down." - Plug in random USB drives you found at conferences. - Give every app full disk access without reading the prompt. - Brag about your portfolio size on Twitter under your real name. - Share your screen on Zoom with your main user logged in - Connect your wallet to every airdrop site that promises free tokens. - Approve unlimited token spending so you "don't have to do it again." - Keep your recovery codes in a screenshot in your camera roll. - Trust a Telegram admin who DMs you first. - Run unsigned binaries because "the SHA matches the website. Let's grow up as an industry and start treating security seriously. STAY SAFE

please be aware of this telegram scam, at least couple of people have received messages from this account. it has username in the bio field and no visible actual username. always check you are talking to the right person through other channels. also check common private groups, as well as activity to confirm it's the same account. enable peer id in telegram client settings and have it saved for high value accounts so you could verify.

quick gn tweet So, assuming what we're looking at NFT wise is going to last more than a couple days (surprised both Punks and Miladys are kinda chill, but on another hand that's not TOO surprising), what do we have token-wise? Ignoring APE for obvious reasons, maybe: PENGU, BIRB, maybe DOOD and ANIME? Would be a good time for Opensea to drop but ig they won't. Most of this is really washed up so idk what can effectively play out. There's also a bunch of other interesting situation to monitor: - MSTR mNAV rising up, so we can play that again, as always should Metaplanet follow, i'll prefer that, but i'm already jumping on the wagon with Strategy - Metaplanet is still at 0.86x - We now know at what val Circle is raising for Arc, so surely need to keep a close eye to the interactions with CRCL - LTC situation, even though nobody is really holding that anymore, could still be interesting and could propagate to other older and bad PoWs like DOGE - Polymarket new chain, is really not news, but i'd be surprised aside from some tail spikes, if POL wasn't just going to trend down forever - There's quite some pushback against Thorchain going on and they're really not news to fuckups, so that's another interesting situation to follow, although you could decide to see it both ways: pushback is going to force them to do something or regulatory risk, or AI powered hacking and DPRK frenzy sending revenue up. - bad moment for Trump tokens, with TRUMP dinner gone bad, big holders dumping, WLFI situation on Dolomite, proposed vesting (although still very far) and continuous emissions on both. On the other hand, be careful about events such as today's that already triggered rallies in the past, although it seems that this time nobody is bidding the tokens (well also split offer is always bad for these kind of things) - eETH/stETH peg (good yield) - obviously the Aave situation resulted in a lot of other lending tokens outperforming, especially the ones (one) that benefitted from Aave v3 lindiness and the outflows... unfortunately my buy never got in so rip and you, what are you doing, sell in may and go away or nah? In the last few months (year even?) seasonality really took a beating and it's very likely that on the tradfi side, temporary volatility aside, people will keep beating the drums until we get at least some of the maxi ipos (which will be a massive liquidity/flows blackhole).