The Vercel security and compute teams have conducted an investigation into the malicious takeover of the axios@1.14.1 npm package.
• We’ve blocked outgoing access from our build infrastructure to the Command & Control hostname sfrclak.com.
• The malicious version of the package has been blocked and unpublished from npm.
• Vercel’s own infrastructure and applications have been unaffected.
• We recommend checking your supply chain for exposure.
For more information, read the full advisory ↓
https://t.co/o394nzLlCw
Today we partnered with Meta to disclose a critical vulnerability in React Server Components, impacting Next.js.
Huge credit to Lachlan Davidson for responsibly reporting this to Meta and to our industry partners for responding quickly to our call-to-action.
This is how open source security is supposed to be: responsible disclosure, fast mobilization, and close collaboration.
Within 72 hours, we patched React, shipped WAF mitigations for all Vercel customers, and coordinated major cloud and security providers to protect their customers in the same way.
The united response across the ecosystem has been incredible. AWS, Microsoft, Cloudflare, Fastly, Akamai, F5, Google, Deno, Netlify, Railway, Fly, and others moved quickly with platform protections and clear guidance to their customers.
As a reminder, if you’re running Next.js 15 or 16, please upgrade immediately to 15.5.7 or 16.0.7. Vercel customers have platform-level protections, but upgrading is still a must.
Ref: https://t.co/Y1cVSAjViO
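The two posts above leave the reader with two concrete checks: is the malicious axios@1.14.1 anywhere in the dependency tree, and is Next.js 15.x or 16.x still below the patched 15.5.7 / 16.0.7? The following is an added example that scans an npm package-lock.json for both; it is not Vercel's or npm's tooling. It assumes the lockfile formats npm actually writes (lockfileVersion 2/3 with a "packages" map keyed by node_modules path, lockfileVersion 1 with nested "dependencies"), uses a deliberately minimal numeric version compare (prerelease tags ignored), and runs over a constructed sample lockfile rather than a real project.

```javascript
// Added example, not Vercel's code: flag known-bad dependency versions in an
// npm package-lock.json. The sample lockfile at the bottom is constructed.

// Rules taken from the two advisories above: axios@1.14.1 is the malicious
// release; Next.js 15.x must be >= 15.5.7 and 16.x must be >= 16.0.7.
const RULES = [
  { name: "axios", why: "malicious release axios@1.14.1",
    bad: (v) => v === "1.14.1" },
  { name: "next", why: "below patched 15.5.7 / 16.0.7",
    bad: (v) => (major(v) === 15 && cmp(v, "15.5.7") < 0) ||
                (major(v) === 16 && cmp(v, "16.0.7") < 0) },
];

// Minimal numeric compare: "15.5.6" -> [15, 5, 6]. Prerelease suffixes such as
// "-canary.3" are dropped, so a canary build compares equal to its base version.
function parts(v) { return v.split("-")[0].split(".").map(Number); }
function major(v) { return parts(v)[0]; }
function cmp(a, b) {
  const x = parts(a), y = parts(b);
  for (let i = 0; i < 3; i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Yield every installed package as { path, name, version }, covering both
// lockfile layouts so nested (transitive) copies are not missed.
function* entries(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by "node_modules/.../node_modules/<name>"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const marker = "node_modules/";
      const name = path.slice(path.lastIndexOf(marker) + marker.length); // keeps @scope/name
      yield { path, name, version: meta.version };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" objects
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { path, name, version: meta.version };
      yield* walk(meta.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, "");
}

// Return every lockfile entry matching a rule, in lockfile order.
function findAffected(lock) {
  const hits = [];
  for (const e of entries(lock)) {
    for (const r of RULES) {
      if (e.name === r.name && e.version && r.bad(e.version)) {
        hits.push({ path: e.path, version: e.version, why: r.why });
      }
    }
  }
  return hits;
}

// Constructed sample (lockfileVersion 3): a clean direct axios, a transitive
// axios@1.14.1 pulled in by "some-sdk", and an unpatched next@15.5.6.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/axios": { version: "1.7.9" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/next": { version: "15.5.6" },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`${h.path}@${h.version}: ${h.why}`);
}
```

Point `findAffected` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it on a real project. It only reads the lockfile, so it tells you what npm resolved, not what is actually on disk; a tree installed without `npm ci`, or a vendored copy, needs a separate look, and a lockfile that pins axios to a range rather than an exact version is only safe once the lock itself has been regenerated.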
We’ve got confirmation of a working #react2shell POC being shared.
We’ve verified Vercel’s Web Application Firewall is successfully blocking this known variant.
We are also seeing bad actors attempt exploitation. Upgrading React & frameworks remains a top priority.
@JohnTreadway @armon @QuinnyPig @HashiCorp We do. Our privacy policy covers this and here is the direct link to request data download or deletion of your personal data https://t.co/8UBhFxKCVt
We just released our second annual HashiCorp State of Cloud Strategy Survey, with some interesting insight into what enterprises are doing in the cloud. 1/10
@Joseph_Marks_ Basic cybersecurity hygiene matters; ransomware and extortion targets are more than just about money; public and private sector threat information sharing needs to be stronger; and supply chain security needs to be top of mind for critical infrastructure.
We're thrilled to welcome Talha Tariq (@0xtbt) to our CISO Advisory Board. Talha is the Chief Security Officer at @HashiCorp. He brings 20 years of experience building & scaling security programs from startups to Fortune 100 organizations. Give Talha a warm welcome!
@christophetd @armon @HashiCorp @mitchellh The existing .sig files are currently being left as-is to preserve working behavior on existing Terraform releases. We're in the process of producing patch releases for Terraform which will verify against the new key.
@christophetd @armon @HashiCorp @mitchellh All Terraform binary and provider releases have been signed by the rotated key - those signatures are available with the extension SHA256SUMS.72D7468F.sig
We’re excited to announce that Talha Tariq @0xtbt is our day 1 KEYNOTE for SANS #CloudSecNextSummit!
Join Summit chairs @fykim & @emjohn20 for expert talks on building and maintaining a secure cloud infrastructure.
Register for Free: https://t.co/EBN0nQbrZJ
Join us tomorrow for the Nomad 1.0 launch live stream https://t.co/NO4vww0Asp
Until then the Path to 1.0 continues w/ @KentGruber previewing a new feature. Product security is an important aspect of #Nomad, so we'll introduce a feature to help w/ audits https://t.co/rI4M47CGmN