Conditional Access policies won’t stop token theft—and standard MFA won't fix it either.
When teams roll out Microsoft Authenticator push prompts or SMS codes, some assume the cloud perimeter is now safe. But sophisticated actors moved past password brute-forcing long ago. They use Adversary-in-the-Middle (AiTM) phishing frameworks like Evilginx.
The attack flow is clean: the phishing site is a reverse proxy that sits in front of the real Entra ID login page and mirrors it. The user enters credentials and solves the genuine MFA challenge, which the proxy relays to Microsoft on their behalf.
Once Entra ID validates the session, it issues an ESTSAUTH session cookie. The proxy captures that cookie as it passes through, then hands it to the victim's browser so the login looks normal from the user's side.
The result: the attacker drops that stolen cookie into a browser on their own machine. Because the session has already passed the MFA verification loop, they gain instant access to the mailbox or cloud apps without ever seeing a password prompt or an MFA challenge. Conditional Access is evaluated when the session is established; a replayed session inherits that decision, so policies that only gate the sign-in itself never re-fire.
Advanced controls such as Continuous Access Evaluation (CAE), Token Protection session controls, or strict device-compliance rules can mitigate this, but they are rarely part of an organization's default browser-based setup. Check the supported-client list before leaning on Token Protection: it currently binds tokens to the device for a limited set of native Windows clients, not for browser sessions, which is exactly where AiTM lands.
Because a stolen token completely bypasses the sign-in loop, you cannot hunt for it by looking for failed logins; there are none. You have to hunt for session anomalies, specifically a single SessionId whose IP address, user agent or device changes mid-lifecycle, particularly when the new context shows up in non-interactive sign-ins shortly after the interactive MFA sign-in.
From Microsoft Sentinel (SigninLogs joined with AADNonInteractiveUserSignInLogs) or Defender XDR Advanced Hunting, you can run the KQL query below to identify active token replays across interactive and non-interactive sign-ins:
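As an added example (not the author's query), the same session-anomaly logic expressed in Python over constructed sign-in records shaped like the Sentinel SigninLogs and AADNonInteractiveUserSignInLogs tables. The anchor for each session is the first interactive sign-in that passed MFA, i.e. where the ESTSAUTH cookie was minted; anything later in the same session from a different IP address or user agent is flagged. The user names, addresses and user-agent strings are made-up sample data.

```python
"""Session-anomaly hunt for replayed Entra ID session cookies.

Added example, not the post's own KQL: groups sign-in records by
SessionId, takes the first interactive MFA-satisfied sign-in as the
point where the session cookie was minted, and flags any later event
in the same session that arrives from a different IP address or user
agent. Field names mirror the Sentinel SigninLogs and
AADNonInteractiveUserSignInLogs columns; the records below are
constructed sample data, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str            # UserPrincipalName
    session_id: str      # SessionId (shared by interactive and non-interactive rows)
    ip: str              # IPAddress
    user_agent: str      # UserAgent
    interactive: bool    # True for SigninLogs rows, False for AADNonInteractiveUserSignInLogs
    mfa_satisfied: bool  # sign-in succeeded with an MFA claim present


@dataclass(frozen=True)
class Anomaly:
    user: str
    session_id: str
    anchor_ip: str
    anchor_user_agent: str
    ip: str
    user_agent: str
    minutes_after_mfa: float
    reason: str     # "ip", "user_agent" or "ip+user_agent"
    severity: str   # "high" when both changed, "medium" when only one did


def find_session_replays(events, max_gap=timedelta(hours=24)):
    """Return anomalies for sessions whose cookie is used from a new IP or user agent."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e.user, e.session_id)].append(e)

    anomalies = []
    for (user, sid), rows in by_session.items():
        rows.sort(key=lambda r: r.time)
        # The anchor is where ESTSAUTH was issued: the first interactive sign-in that passed MFA.
        anchor = next((r for r in rows if r.interactive and r.mfa_satisfied), None)
        if anchor is None:
            continue  # no MFA sign-in in the window, nothing to compare against
        for r in rows:
            if r.time <= anchor.time or r.time - anchor.time > max_gap:
                continue
            changed = [name for name, a, b in (("ip", anchor.ip, r.ip),
                                               ("user_agent", anchor.user_agent, r.user_agent))
                       if a != b]
            if not changed:
                continue
            anomalies.append(Anomaly(
                user=user, session_id=sid,
                anchor_ip=anchor.ip, anchor_user_agent=anchor.user_agent,
                ip=r.ip, user_agent=r.user_agent,
                minutes_after_mfa=(r.time - anchor.time).total_seconds() / 60,
                reason="+".join(changed),
                severity="high" if len(changed) == 2 else "medium",
            ))
    return anomalies


# Constructed sample data (RFC 5737 documentation addresses, invented user agents).
T0 = datetime(2025, 5, 20, 9, 0)
EDGE_WIN = "Mozilla/5.0 (Windows NT 10.0) Edge/124"
CHROME_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Chrome/124"
SAFARI_IOS = "Mozilla/5.0 (iPhone) Safari/17"

SAMPLE_EVENTS = [
    # alice: MFA sign-in from the corporate egress, then the same SessionId refreshes tokens
    # five minutes later from a different IP and browser: the AiTM replay pattern.
    SignIn(T0, "alice@example.com", "s-1111", "203.0.113.10", EDGE_WIN, True, True),
    SignIn(T0 + timedelta(minutes=5), "alice@example.com", "s-1111", "198.51.100.77", CHROME_LINUX, False, False),
    # bob: normal session, every refresh comes from the same IP and browser.
    SignIn(T0 + timedelta(hours=1), "bob@example.com", "s-2222", "203.0.113.20", EDGE_WIN, True, True),
    SignIn(T0 + timedelta(hours=1, minutes=30), "bob@example.com", "s-2222", "203.0.113.20", EDGE_WIN, False, False),
    # carol: phone roams to a new carrier address, user agent unchanged; worth a look, not a page.
    SignIn(T0 + timedelta(hours=2), "carol@example.com", "s-3333", "192.0.2.5", SAFARI_IOS, True, True),
    SignIn(T0 + timedelta(hours=2, minutes=20), "carol@example.com", "s-3333", "192.0.2.9", SAFARI_IOS, False, False),
    # dave: only a non-interactive row, no MFA anchor in the window, so the session is skipped.
    SignIn(T0 + timedelta(hours=3), "dave@example.com", "s-4444", "203.0.113.30", EDGE_WIN, False, False),
]

if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.user} session={a.session_id} {a.reason}: "
              f"{a.anchor_ip} -> {a.ip} {a.minutes_after_mfa:.0f} min after MFA")
```

The KQL equivalent joins the interactive and non-interactive tables on SessionId and summarizes distinct IPAddress and UserAgent values per session after the MFA sign-in. Expect noise from mobile roaming and VPN egress flips (the carol case); a change in both IP and user agent within minutes of the MFA sign-in, with no new MFA claim, is the signal worth paging on.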
Fresh from the oven 🍞
From what I observed the campaign started ~ 15 Apr and tapered off 17 May. Check if you are impacted ...
DeviceEvents
| where TimeGenerated > ago(45d)            // covers the observed campaign window
| where ActionType == "AntivirusDetection"
| where parse_json(AdditionalFields)["ThreatName"] has "Qwexlafiba!rfn"   // threat name reported for this campaign
SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
https://t.co/8tJPSezyir
#Cybersecurity #DefenderXDR #SEOPoisoning
🚨A HACKER GROUP JUST STOLE 4,000 OF GITHUB'S OWN PRIVATE REPOSITORIES.. PUT THEM UP FOR SALE FOR $50,000.. AND THE WAY THEY GOT IN IS THE SCARIEST PART..
They didn't hack GitHub's servers.. They poisoned a VS Code extension.. One GitHub employee installed it.. And the attackers walked through the front door using the employee's own credentials..
The group calls themselves TeamPCP.. They name their malware after the sandworms from Dune.. And they've been running the most sophisticated supply chain attack campaign in cybersecurity history..
Here's how the whole thing unfolded..
In March.. They poisoned Trivy.. One of the most trusted security scanners in the world.. Used by over 10,000 development workflows globally..
They injected credential-stealing malware into Trivy's official GitHub Action.. The malware ran silently BEFORE the security scan.. So every log showed "scan completed successfully" while the malware was stealing AWS keys, SSH credentials, database passwords, and Kubernetes tokens in the background..
It took Aqua Security 5 days to fully remove them..
Using the stolen credentials.. They breached Cisco Systems.. Cloned over 300 private repositories.. Including source code for unreleased AI products.. And repositories belonging to Cisco's customers.. Major banks.. Government agencies.. BPO firms..
In April.. They hit Checkmarx.. Another security vendor.. Poisoned 5 official Docker images in 83 minutes.. The scanner worked perfectly.. It just silently sent all your secrets to the attackers..
That automatically cascaded into Bitwarden.. The password manager.. Their CI/CD system pulled the poisoned Docker image.. And the attackers injected malware into Bitwarden's official CLI package published on npm..
One compromised security scanner poisoned a password manager.. Automatically.. No human involved..
In May.. They hit TanStack.. Libraries downloaded millions of times per week.. 84 malicious package versions across 42 packages..
And here's the terrifying part..
The malware scraped the raw memory of GitHub's build servers.. Extracted authentication tokens.. Used those tokens to bypass two-factor authentication.. And then published the infected packages with completely valid cryptographic signatures..
Every security verification tool on earth said the packages were legitimate.. Because they were signed by the real pipeline.. Using real keys.. The attackers just happened to be inside the pipeline when it signed..
They defeated the entire trust model of modern software supply chains..
The same week they hit the Nx Console VS Code extension.. 2.2 million installations.. The malware specifically targeted Claude Code configurations.. Hunting for AI assistant credentials..
That's a first.. Supply chain malware designed to steal your AI's access keys..
Then on May 19.. They revealed the GitHub breach.. 4,000 internal repositories.. Listed for sale at $50,000.. With a warning.. "If nobody buys it.. We leak everything for free"..
Their malware is self-propagating.. Once it infects one package.. It automatically finds every other package that developer maintains.. Steals the publish tokens.. And infects all of them.. Then those packages infect the next developer.. And the next..
It jumps between npm and PyPI automatically..
The group doesn't even do the extortion themselves.. They sell stolen credentials to ransomware gangs.. One gang used TeamPCP's data to threaten Cisco with leaking FBI and NASA personnel records..
And the scariest part of all..
They didn't break any encryption.. They didn't find any zero-days.. They exploited the fact that the entire software industry blindly trusts its own build tools..
Every security scanner.. Every Docker image.. Every VS Code extension.. Every GitHub Action.. Is a potential weapon if someone poisons it upstream..
And right now.. Nobody can tell the difference between a legitimate build and a compromised one..
Because the compromised ones have valid signatures too.
🚨 We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase. (1/6)
🚨 #MicroStealer is actively targeting telecom & education in the US and Germany — stealing browser credentials and session tokens before most AV tools even flag it.
🎯 One infected endpoint can expose your entire SaaS stack. How to detect & protect: https://t.co/3bAafknvxp
🛡️ Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware
Source: https://t.co/vTyTL8O3fe
Microsoft Defender triggered widespread false positive alerts after a faulty security update caused it to flag two legitimate DigiCert root certificates as malicious, potentially disrupting SSL/TLS validation and code-signing operations across enterprise environments worldwide.
On affected systems, Microsoft Defender automatically quarantined the flagged certificate entries as part of its standard remediation workflow, effectively removing them from the Windows trust store.
This created a serious downstream risk: without these root certificates in place, systems could fail to validate SSL/TLS connections for websites and break code-signing verification.
#cybersecuritynews #Digicert #Microsoft
THIS DAY IN HISTORY
On 11 April 1994, UNAMIR abandoned the Tutsi who had taken refuge at ETO Kicukiro, leading to the killing of more than 2,000 Tutsi. Killings of Tutsi were carried out in different parts of the prefectures of Byumba, Cyangugu and Kibungo.
Remembering, we rebuild ourselves.
---
TODAY IN HISTORY
On 11 April 1994, the UNAMIR contingent abandoned Tutsi who had sought refuge in ETO Kicukiro, leading to a massacre of more than 2,000 Tutsi. These massacres also continued in other prefectures including Byumba, Cyangugu and Kibungo.
Remember, unite, renew.
---
THIS DAY IN HISTORY
On 11 April 1994, the UNAMIR contingent abandoned the Tutsi who were seeking refuge at ETO Kicukiro, leading to the massacre of 2,000 Tutsi. Massacres of Tutsi also continued in other prefectures, notably Byumba, Cyangugu and Kibungo.
Remember, build, together.
#Kwibuka32
I remember April 1994 as if it were yesterday.
This short testimony goes to the youth, but especially to those who dare to speak of a “double genocide.”
I was not hunted.
But I remember how Tutsis were hunted.
I remember conversations with my Tutsi peers.
Fear in their eyes.
Total despair.
Wondering where to hide.
I remember Tutsi neighbours trying to return to their places of origin, hoping to find safety, and never making it.
Some were killed on the way.
Others were killed when they arrived, in places they believed would protect them.
I remember churches becoming places of animosity.
Places of slaughter.
And I remember not understanding how people could suddenly become so cruel.
There was a roadblock near our home.
People were stopped and asked to present their IDs.
If your ID said Tutsi, you were to die.
If you had children, they were to die, no matter their age.
If you were pregnant, the unborn child was to die first.
The unspeakable had become normal.
There was a nearby forest.
Killers had given it a name, CND.
And we would hear them say they had taken people to CND.
That is how death was spoken about.
Casually. As if it meant nothing.
No one questioned it.
Those who could ask were the same ones killing or giving the orders.
At no point during the Genocide against the Tutsi did I hear of Hutus being hunted for being Hutu.
Tutsis were hunted. Systematically. Ruthlessly.
Yes, some Hutus were killed because they were mistaken for Tutsi.
Yes, some Hutus were killed because they refused to kill, or because they chose to hide and protect Tutsis.
Yes, many Hutus died on the way to exile, mostly from cholera.
But they were never hunted to death for being Hutu.
Let us not distort history.
Let us not equalise what was never equal.
To the youth, Rwanda was once dead.
What you see today did not exist.
And yet, we rose.
We rebuilt.
We chose unity over division.
Today, Rwanda stands strong, among the fast-developing nations, guided by visionary leadership under H.E. Paul Kagame.
Under Inkotanyi, who stopped the genocide when the international community failed to act.
Our dignity was restored.
Today, the world respects us.
This is not something we can ever take for granted.
We must stand together to protect our country and our leadership.
We must stand together to fight any harm against Rwanda.
We must stand together against any form of genocide ideology.
We must stand together against denial, so that “Never Again” becomes a reality.
Today and forever.
As our President said, Rwanda cannot die twice.
#Kwibuka32
Today, we remember and reflect on the horrific 1994 genocide against the Tutsi in Rwanda.
We honour the victims, survivors, and everyone whose lives were changed forever by the atrocities and commit to building a better world where such horrors are never forgotten or repeated.
Wayne Rooney on the AFCON final: "It's crazy. If I were a Moroccan player, I wouldn't accept it."
"Senegal beat them fairly." 🇸🇳
Thousands of CCTV cameras are exposed to the internet and hackers know exactly how to find them.
In this attack, we use Shodan to locate a vulnerable Hikvision DVR login panel exposed at a public IP. Once we confirm the login page, we attempt brute force using common username/password pairs like admin:12345, admin:root, and root:123456. After successful login, we hijack the feed and identify sensitive video streams.
Many CCTV setups are rushed, default credentials left unchanged, web ports exposed, and no IP restrictions. Once inside, attackers can record footage, delete logs, or even pivot further into the internal network if the DVR is not sandboxed.
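An added example, not the video author's tooling: a small audit that tries the default username/password pairs named in the post against your own DVR's web login and stops at the first one the device accepts. The login function is pluggable so the check can be driven against a real device over HTTP Basic auth or against a fake; the device address and the endpoint path in the usage line are assumptions. Run it only against devices you own or are authorised to test.

```python
"""Default-credential audit for a DVR/NVR web login.

Added example, not the video author's tooling. It walks the default
username/password pairs named in the post and stops at the first one the
device accepts. `attempt` is pluggable: the default speaks HTTP Basic auth
with urllib, and tests inject a fake. The device address and endpoint path
used at the bottom are assumptions; point it at whatever authenticated URL
your device exposes. Run this only against devices you own or are
authorised to test.
"""
import base64
import time
import urllib.error
import urllib.request

# Pairs named in the post, in the order an attacker would try them.
DEFAULT_PAIRS = [("admin", "12345"), ("admin", "root"), ("root", "123456")]


def http_basic_attempt(url, username, password, timeout=5):
    """True if the URL accepts the credentials over HTTP Basic auth, False on 401/403."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # a lockout page or 5xx should stop the audit, not be misread as a miss


def audit_default_credentials(url, pairs=DEFAULT_PAIRS, attempt=http_basic_attempt, delay=1.0):
    """Return (user, password, attempts_made) for the first accepted pair, or None if all are rejected."""
    for n, (user, password) in enumerate(pairs, start=1):
        if n > 1 and delay:
            time.sleep(delay)  # pace attempts: many DVRs lock the account after a burst of failures
        if attempt(url, user, password):
            return (user, password, n)
    return None


if __name__ == "__main__":
    # Hypothetical device address and path (assumption): any URL that demands authentication works.
    hit = audit_default_credentials("http://192.0.2.50/ISAPI/Security/userCheck")
    print("default credentials accepted:" if hit else "no default pair accepted", hit)
```

A hit means the device is one Shodan query away from the scenario in the post; change the password, close the web port to the internet, and put the DVR on a segmented network so a compromised recorder cannot pivot further.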
I like that he explains the process, from reconnaissance to how he found the RCE
https://t.co/ftdmfHIbaC
Thanks, man, for sharing this :)
@spaceraccoonsec
⚡ Security Warning!
Attackers can bypass Microsoft Defender for Office 365 by exploiting Teams’ guest access.
When users join another organization’s tenant, they lose their home protections —
and a malicious tenant can use that gap to deliver phishing or malware.
Read ↓ https://t.co/z526R7zFKF
🚨 Hackers found a new way to phish — through browser notifications.
A new tool called Matrix Push C2 lets attackers send fake alerts that look like real ones from PayPal, Netflix, or TikTok.
No downloads. No malware file. Just one click — and your data’s theirs.
Learn more ↓ https://t.co/Ceq3JZU2PF
VISIT RWANDA becomes the official sponsor of the @LAClippers & @RamsNFL — the first African tourism brand in both the @NBA & @NFL
$650M tourism revenue in 2024
Goal: $1B by 2029
#VisitRwanda | #NBA | #NFL
"When my mother was killed, I was made to clean her blood. That is not contained in the word 'genocide'," says Annick Kayitesi, a survivor of the genocide against the Tutsi. She insists that the word 'genocide' reduces what Rwanda went through; it does not express the entirety of the terror and trauma victims endured.
#Kwibuka30 via @franceinter