Recording of my talk at this year's @CONFidenceConf
"[PL] [CVE-2026-9058] Full authentication bypass in ZUS, e-Sąd, Usługi Elektroniczne Ochrony Zdrowia and several other public administration systems"
https://t.co/4YOK23E7xe
#Cybersecurity
JWT Auth Bypass TestBed
https://t.co/qoYUYTxduT
Test your skills: 18 main tests with variations.
A proprietary tool with 40+ techniques for Brute One will be available this week to spot all these cases in the wild in a matter of seconds.
https://t.co/ThMs09G3Hp
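The test bed linked above is not reproduced on this page, so as an added illustration (not the author's test bed or tool) here is a small HS256 verifier written the way a server should check tokens, plus a constructed set of cases of the kind such a test bed exercises: an "alg: none" token, a token signed with a different key, an expired token, a payload swapped under a valid signature, and garbage input. The key, claim values and case names are assumptions; the point is that the algorithm is pinned by the server, the signature is compared in constant time over the original base64 segments, and "exp" is mandatory.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way a well-behaved server would (HS256 shared secret)."""
    signing_input = f"{segment({'alg': 'HS256', 'typ': 'JWT'})}.{segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """Test fixture: an 'alg: none' token with an empty signature segment."""
    return f"{segment({'alg': 'none', 'typ': 'JWT'})}.{segment(claims)}."


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Tuple[Optional[dict], str]:
    """Return (claims, 'ok') on success or (None, reason) on rejection.

    The accepted algorithm is fixed server-side; header['alg'] never selects it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "algorithm not allowed"
    # Verify over the segments exactly as received, not over re-serialised JSON.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if not isinstance(claims, dict):
        return None, "malformed"
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or current >= exp:
        return None, "expired or missing exp"
    return claims, "ok"


def run_testbed(key: bytes, now: float = 1000.0) -> dict:
    """Constructed cases (not the linked test bed); returns case name -> reason."""
    valid = {"sub": "alice", "exp": 2000}
    good = sign_hs256(valid, key)
    h, _p, s = good.split(".")
    cases = {
        "valid": good,
        "alg_none": unsigned_token(valid),
        "wrong_key": sign_hs256(valid, b"not-the-server-key"),
        "expired": sign_hs256({"sub": "alice", "exp": 500}, key),
        "payload_swapped": f"{h}.{segment({'sub': 'admin', 'exp': 2000})}.{s}",
        "garbage": "not.a.jwt.at.all",
    }
    return {name: verify_hs256(tok, key, now)[1] for name, tok in cases.items()}


if __name__ == "__main__":
    for case, reason in run_testbed(b"constructed-demo-key").items():
        print(f"{case:16} -> {reason}")
```

Only the "valid" case should come back "ok"; every other case is rejected with a distinct reason, which is what a verifier under test should report.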
What do you miss most when you're in other European countries? For me:
- BLIK / PayU
- Paczkomat parcel lockers
- Żabka
- Allegro
- mObywatel
- cheap internet
- 4G / 5G coverage
- restaurants that stay open through the middle of the day
What important thing did I leave out?
tl;dr When you delete a Google API key, it says it’s immediately deleted. Our testing says ~23 minutes.
During that window, an attacker with a leaked key keeps access to your data and enabled APIs (including Gemini).
Every 3rd website you visit runs Nginx.
18,959,833 of them can be hijacked right now.
A bug from 2008 just got a working exploit.
CVE-2026-42945 (CVSS 9.2)
No login. No access. Just one HTTP request.
→ Heap overflow → Worker process → RCE
Patch ASAP to Nginx 1.31.0 or 1.30.1
PoC is already out:
https://t.co/O4556KGjqD
Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux. The file name transformers.pyz appears deliberately chosen to mimic the widely used Hugging Face Transformers library and blend into ML/dev environments.
The main payload is a credential stealer, but it also includes country-aware logic: it avoids Russian-language environments and contains a geo-fenced destructive branch that has a 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran.
To mitigate this threat: isolate affected Linux hosts, block 83[.]142[.]209[.]194, hunt for /tmp/transformers.pyz, pgmonitor[.]py, and pgsql-monitor.service, and rotate exposed credentials.
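As an added example (not Microsoft's tooling or anything from the advisory), here is a small hunt script for the host-side indicators named above: the three file names (transformers.pyz, pgmonitor.py, pgsql-monitor.service) anywhere under a root, and the C2 address inside .py or .service files, which catches a modified mistralai/client/__init__.py. The sample directory tree it builds for demonstration is constructed; the IP is the advisory's, refanged.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Indicators from the advisory above; the address is refanged from 83[.]142[.]209[.]194.
IOC_IP = b"83.142.209.194"
IOC_FILENAMES = {"transformers.pyz", "pgmonitor.py", "pgsql-monitor.service"}
SCAN_SUFFIXES = {".py", ".service"}
MAX_SCAN_BYTES = 1_000_000  # the injected stub is small; skip huge files


def hunt_iocs(root: Path) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative path, reason) pairs for every hit."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if name in IOC_FILENAMES:
                findings.append((rel, "known malicious file name"))
            if full.suffix in SCAN_SUFFIXES:
                try:
                    if full.stat().st_size <= MAX_SCAN_BYTES and IOC_IP in full.read_bytes():
                        findings.append((rel, "contains C2 address"))
                except OSError:
                    continue  # unreadable file; a real hunt would log this
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample tree in a temp dir and hunt it (not real host data)."""
    samples = {
        # stand-in for the dropped archive (zip magic only, no payload)
        "tmp/transformers.pyz": b"PK\x03\x04 constructed stand-in",
        # stand-in for the trojanised package module referencing the C2 host
        "usr/lib/python3/site-packages/mistralai/client/__init__.py":
            b"import urllib.request\nURL = 'https://83.142.209.194/transformers.pyz'\n",
        # stand-in second-stage file name in a constructed home directory
        "home/svc/pgmonitor.py": b"# constructed stand-in, no network string\n",
        # benign control file that must not be flagged
        "srv/app/main.py": b"print('benign')\n",
    }
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        for rel, data in samples.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return hunt_iocs(root)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{reason:28} {rel_path}")
```

Run against a real host as `hunt_iocs(Path("/"))`; the demo tree is only there so the script can be exercised offline. Matching on file name and on the C2 string are reported separately so a renamed dropper with the address still inside is not missed.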