mthcht

🚨 Supply chain attack on the Laravel Lang organization: 700+ historical versions across multiple community-maintained Laravel Lang packages were compromised with an RCE backdoor, including: laravel-lang/lang laravel-lang/http-statuses laravel-lang/attributes Laravel-Lang/actions The payload targets cloud creds, CI/CD secrets, Kubernetes tokens, Vault, browser data, password managers, SSH keys, and more.

🚨 The "𝙼𝚎𝚐𝚊𝚕𝚘𝚍𝚘𝚗" Campaign is live... 𝟻,𝟽𝟷𝟾 malicious commits to 𝟻,𝟻𝟼𝟷 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected 𝙶𝚒𝚝𝙷𝚞𝚋 𝙰𝚌𝚝𝚒𝚘𝚗𝚜 workflows containing 𝚋𝚊𝚜𝚎𝟼𝟺-𝚎𝚗𝚌𝚘𝚍𝚎𝚍 bash payloads that exfiltrate: - CI secrets, - cloud credentials - SSH keys - OIDC tokens - source code secrets Check your repo / Technical details: https://t.co/tua3jYU1wa

🚨 ACTIVE SUPPLY CHAIN ATTACK 🚨 The actions-cool/issues-helper GitHub Action is compromised. Every existing tag in the repo now points to an imposter commit that: ⬇️ Downloads the bun JS runtime 🧠 Reads Runner.Worker process memory to harvest CI/CD secrets in flight 📡 Exfiltrates credentials to t.m-kosche[.]com Any workflow referencing this action by version will pull the malicious code on its next run. If you use it: stop immediately, pin to a known-good commit SHA from before the compromise, and rotate any secrets exposed to recent runs. StepSecurity customers are already protected: 🛡 Real-time Threat Center alert with "Am I Affected?" links for every workflow and every runner that has talked to the IOC domain 🚫 Compromised Actions Policy blocks any run referencing this action before it executes 🌐 Harden-Runner Global Block List now blocks t.m-kosche[.]com automatically, even in audit mode, no config change required 🔍 Imposter Commit detection flags the exact signature of this attack Full advisory and IOCs: https://t.co/D0pYzREDDZ

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

LOLRMM just got a serious upgrade under the hood. ✅ Code-signing certificate data, schema validation, and safety warnings are now part of the dataset. That means better trust signals, cleaner detections, and clearer context on what's legitimate vs what's being abused. This is the kind of foundational work that makes everything else in the project more reliable. https://t.co/fl56QSCkjR

Have you ever wanted to query ETW providers, but didn't want to open a VM? What about checking the difference of ETW providers/events across OS builds? Today I am releasing EtwWatcher - a tool that brings EtwInspector to GitHub pages so that you can query ETW providers, as well as compare them across builds. This is something I wish I had for YEARS but have always opt'd to pull manually through a VM. I plan on being very active in uploading new snapshots as new OS builds come out. Check it out! Blog: https://t.co/zfPJW2PYkX Repo: https://t.co/jr8LOu0Vuq Live site: https://t.co/clWRBnsCgh

💥 Introducing "Dirty Frag" A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: https://t.co/9nqku4svkY

My new toxic trait: A useful browser extension project every week 😆 It’s been a productive month. I almost replaced every extensions I used with my own. Funny enough, building a good dark reader extension without causing performance issues ended up being the hardest one, some are published now!