LightNews LightNews
ulldma.bsky.social
Peter Stöckli
@ulldma.bsky.social
420 followers 220 following 9 posts
Security Researcher and Software Engineer at GitHub Security Lab
Posts Media Videos Starter Packs
Reposted by Peter Stöckli
github.com
GitHub @github.com · 19d
We're taking action to make the npm supply chain stronger and harder to attack. 🛡️

Check out our plan to create a more secure future for the JavaScript community.👇
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
1 10 29
Reposted by Peter Stöckli
securitylab.github.com
GitHub Security Lab @securitylab.github.com · 26d
Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
1 3 3
Reposted by Peter Stöckli
halvarflake.bsky.social
halvarflake.bsky.social @halvarflake.bsky.social · Sep 10
I have often stated that well-implemented memory tagging will be a game changer for memory corruptions. And it seems that with the next iPhone it's finally here: security.apple.com/blog/memory-...
Blog - Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research
Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort spanning half a decade that combines the unique strengths of Apple silicon hardware with our adv...
security.apple.com
4 16 56
Reposted by Peter Stöckli
securitylab.github.com
GitHub Security Lab @securitylab.github.com · Aug 25
What if attackers could hijack your coding agent through a simple GitHub issue?

Prompt injections are a real and growing threat for VS Code Copilot Agent.

Learn how these attacks work and how you can defend your environment.

Read the full research: github.blog/security/vul...
Safeguarding VS Code against prompt injections
See how to reduce the risks of an indirect prompt injection, such as the exposure of confidential files or the execution of code without the user's consent.
github.blog
2 5
Reposted by Peter Stöckli
jrn.bsky.social
joern @jrn.bsky.social · Aug 19
Today I have a more serious topic than usual, please consider reposting for reach:

My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/4]
1 23 4
Reposted by Peter Stöckli
securitylab.github.com
GitHub Security Lab @securitylab.github.com · Aug 11
🚀 GitHub is on a mission to supercharge open-source security! We've partnered with 71 key open-source projects, giving them tools, funding, and playbooks to boost security. 🔐
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Securing the supply chain at scale: Starting with 71 important open source projects
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.
github.blog
1 3
Reposted by Peter Stöckli
rikefranke.bsky.social
Ulrike Franke @rikefranke.bsky.social · Aug 11
Never change, Switzerland, never change. 😂

www.nzz.ch/meinung/schw...
Translation: On November 9, 1989, the Berlin Wall fell, triggering a domino effect of world-historical proportions. The path to German unity was suddenly clear, and the Soviet empire collapsed. The following day, the Swiss Foreign Ministry was bombarded with inquiries as to how the Federal Council assessed the caesura in Berlin. The FDFA then issued a communiqué: "It is impossible for Federal Councillor Felber to comment on all political events to journalists. After all, something important happens almost every day."
10 18 130
ulldma.bsky.social
Peter Stöckli @ulldma.bsky.social · Aug 11
"In Deutschland ist eine Mauer umgefallen."

Probleme mit der Infrastruktur kommentieren wir nicht 😉
1 10
ulldma.bsky.social
Peter Stöckli @ulldma.bsky.social · Aug 7
Meinst du CryptPad? github.com/cryptpad/cry...
GitHub - cryptpad/cryptpad: Collaborative office suite, end-to-end encrypted and open-source.
Collaborative office suite, end-to-end encrypted and open-source. - cryptpad/cryptpad
github.com
1
ulldma.bsky.social
Peter Stöckli @ulldma.bsky.social · Jun 10
This time Cupertino started the photocopiers 😅

www.youtube.com/watch?v=N-2C...
Apple WWDC 2006-Windows Vista Copies Mac OS X
YouTube video by JoshuaG
www.youtube.com
1
Reposted by Peter Stöckli
troyhunt.com
Troy Hunt @troyhunt.com · May 27
I'm coming to Switzerland! Join me at the Microsoft Azure Zürich User Group in only a few weeks from now: www.meetup.com/de-DE/micros...
[In Person] Troy Hunt Have I Been Pwned Alpine Grand Tour Zürich , Di., 17. Juni 2025, 18:00 | Meetup
**IN-PERSON** Troy Hunt meetup at **Kraftwerk in Zurich** This meetup is a collaboration between several Swiss User Groups: [Azure Zurich User Group ](https://www.azurezur
www.meetup.com
1 8 18
Reposted by Peter Stöckli
securitylab.github.com
GitHub Security Lab @securitylab.github.com · May 23
Our team member Man Yue Mo is back, showing a new way to bypass MTE protection on Android phones with CVE-2025-0072. github.blog/security/vul...
Bypassing MTE with CVE-2025-0072
See how a vulnerability in the Arm Mali GPU can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
github.blog
3 6
ulldma.bsky.social
Peter Stöckli @ulldma.bsky.social · Apr 15
1 3
Reposted by Peter Stöckli
gynvael.bsky.social
Gynvael Coldwind @gynvael.bsky.social · Mar 26
Next Monday I'm doing a 2h webinar on files as seen through the eyes of a cybersecurity researcher. This will cover useful stuff for programmers, more junior pentesters, and other tech enthusiasts who enjoy knowing how stuff works on a computer :)
hexarcana.ch/lp/files/?ut...
Files through the eyes of a hacker
hexarcana.ch
2 1 3
ulldma.bsky.social
Peter Stöckli @ulldma.bsky.social · Mar 13
Note: the payloads displayed in the video have been faked to avoid disclosing details of how to implement a working exploit. The details of how to implement a working exploit have not been released yet.

More info at: github.blog/security/sig...
1
ulldma.bsky.social
Peter Stöckli @ulldma.bsky.social · Mar 13
In this demonstration I show the impact of CVE-2025-25291/CVE-2025-25292, an authentication bypass in ruby-saml used by high profile OSS projects such as GitLab. My team coordinated with both the ruby-saml maintainer and GitLab to get this vulnerability fixed and patches are available at gh.io/glfx
1 3 22
ulldma.bsky.social
Peter Stöckli @ulldma.bsky.social · Mar 12
If you're using ruby-saml or omniauth-saml for SAML authentication make sure to update these libraries as fast as possible! Fixes for two critical authentication bypass vulnerabilities were published today (CVE-2025-25291 + CVE-2025-25292).

github.blog/security/sig...
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
github.blog
1 10 11
Reposted by Peter Stöckli
securitylab.github.com
GitHub Security Lab @securitylab.github.com · Mar 12
In this blog post, we detail newly discovered authentication bypass vulnerabilities in the ruby-saml library used for single sign-on (SSO) via SAML on the service provider (application) side. github.blog/security/sig...
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
github.blog
6 7
Reposted by Peter Stöckli
securitylab.github.com
GitHub Security Lab @securitylab.github.com · Feb 6
Hello from the GitHub Security Lab!
We are a team of security experts who cultivate a collaborative community where developers and security professionals come together to secure open source software.
2 5 10
Reposted by Peter Stöckli
artsploit.com
Michael Stepankin @artsploit.com · Jan 22
Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...
1 16 28
Reposted by Peter Stöckli
hi.ls
Max Hils @hi.ls · Jan 12
mitmproxy 11.1 is out! 🥳

We now support *Local Capture Mode* on Windows, macOS, and - new - Linux! This allows users to intercept local applications even if they don't have proxy settings.

More details are at mitmproxy.org/posts/local-.... Super proud of this team effort. 😃
Intercepting Linux Applications
mitmproxy.org
2 23 75
Reposted by Peter Stöckli
blazingwind.bsky.social
Sylwia Budzynska @blazingwind.bsky.social · Dec 11
🚀 CodeQL zero to hero part 4: Gradio case study is out! This time we dive into how I wrote CodeQL to support the @hf.co's Gradio framework, scaled the research to a thousand repositories on GitHub, and found 11 vulnerabilities.

gh.io/codeql-part-4
CodeQL zero to hero part 4: Gradio framework case study
Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.
gh.io
1 4
Reposted by Peter Stöckli
nastystereo.com
Luke Jahnke @nastystereo.com · Dec 10
My latest blog post is live! Check your Ruby on Rails applications for the use of params[:_json]

nastystereo.com/security/rai...
1 14 34
Reposted by Peter Stöckli
nastystereo.com
Luke Jahnke @nastystereo.com · Nov 27
My latest blog post is live! nastystereo.com/security/cro...

Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
3 29 79
Reposted by Peter Stöckli
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Nov 26
I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!

Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties
Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...
srcincite.io
1 36 76