Paul
@ismisepaul.bsky.social
🔐 Product Security | 📦 Software Supply Chain Security | 🐍 Python

🧑‍💻 https://ismisepaul.github.io/
Reposted by Paul
🚀 GitHub is making Actions more secure by default

We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.

We’ve opened a discussion to gather feedback 👇

🔗 github.com/orgs/communi...
Towards a secure by default GitHub Actions · community · Discussion #179107
Why are you starting this discussion? Product Feedback What GitHub Actions topic or product is this about? Workflow Configuration Discussion Details Today, GitHub announced upcoming changes to the ...
github.com
November 11, 2025 at 6:38 PM
Reposted by Paul
The release candidate of the OWASP Top 10 2025 has been released

owasp.org/Top10/2025/0...

The definitive release should be out on November 20th
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
owasp.org
November 7, 2025 at 12:19 PM
Reposted by Paul
There's some really big caveats to this. A thread.
New: Google says it has discovered at least 5 malware families that use AI to rewrite their code and generate new capabilities on the fly, suggesting AI-powered malware is finally starting to take off. cloud.google.com/blog/topics/...

Report also has interesting stories about state actors' AI use.
November 5, 2025 at 3:52 PM
Reposted by Paul
Just prompt it the way you like. E.g. with something like this: docs.vibe-coding-framework.com/document-tem...
Security-Focused Prompts | Vibe Coding Framework
docs.vibe-coding-framework.com
November 1, 2025 at 8:59 AM
Reposted by Paul
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
September 30, 2025 at 6:06 PM
Reposted by Paul
The press release is here: www.secretservice.gov/newsroom/rel...

Some images are below:
September 23, 2025 at 11:59 AM
Reposted by Paul
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
September 16, 2025 at 6:15 PM
Reposted by Paul
#NPM: The popular @ctrl/tinycolor package with over 2mln weekly downloads has been compromised alongside 40+ other NPM packages (including CrowdStrike packages!) in a sophisticated supply chain attack:
#SoftwareSupplyChainSecurity
👇
ctrl/tinycolor and 40+ NPM Packages Compromised - StepSecurity
The popular @ctrl/tinycolor package with over 2 million weekly downloads has been compromised alongside 40+ other NPM packages in a sophisticated supply chain attack. The malware self-propagates across maintainer packages, harvests AWS/GCP/Azure credentials using TruffleHog, and establishes persistence through GitHub Actions backdoors - representing a major escalation in NPM ecosystem threats.
www.stepsecurity.io
September 16, 2025 at 2:44 PM
Reposted by Paul
Hi everyone. The 'next day' busy-ness has fully set in.

Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.

Sincerest apologies for the delay.
September 9, 2025 at 2:10 PM
Reposted by Paul
🚨URGENT: A series of popular packages maintained by qix have just been compromised.

Compromised packages include:
• has-ansi - 12 million weekly downloads - V6.0.1
• supports-hyperlinks - 19m weekly downloads - v4.1.1
• chalk-template - 3.9m weekly downloads - V1.1.1
September 8, 2025 at 3:45 PM
Reposted by Paul
A cryptostealer malware was pushed to a number of npm packages including debug, chalk, and a number of utility packages as a result of the compromise of a single contributor.

We published guidance for customers and non-customers for how to detect if you were affected:
semgrep.dev/blog/2025/ch...
September 8, 2025 at 5:21 PM
Reposted by Paul
The solo maintainer for libxml2 is no longer accepting embargoed vulnerability reports, citing the unsustainable burden as an unpaid volunteer. Security issues will be treated like any other bug report moving forward.

socket.dev/blog/libxml2... #opensource #cybersecurity
libxml2 Maintainer Ends Embargoed Vulnerability Reports, Cit...
Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure.
socket.dev
June 18, 2025 at 1:20 AM
Reposted by Paul
🚨 Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The payload is identical across all 60 packages: socket.dev/blog/60-mali... #JavaScript #NodeJS
60 Malicious npm Packages Leak Network and Host Data in Acti...
Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, an...
socket.dev
May 23, 2025 at 1:45 AM
Reposted by Paul
Our investigation of the #GitHub workflow vulnerability wrapped up on May 12, and we've confirmed that there has been no code modification, unauthorized access to production systems, exposure of customer data, or access to personal information.

Here's a summary of what happened and what's next.
Grafana security update: post-incident review for GitHub workflow vulnerability and what's next | Grafana Labs
grafana.com
May 17, 2025 at 8:30 AM
Reposted by Paul
The waiting time is over. OWASP® Cornucopia Website App 2.1 & Mobile App 1.1 have been released! see: dev.to/owasp/owaspr...

Want developers to do threat modeling, but don't see how?

Play OWASP Cornucopia!

The 2.1 release is here!

#appsec #threatmodeling #cybersec #owasp
February 17, 2025 at 11:22 AM
Reposted by Paul
New blog post with @shubs.io:

We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.

Full post here: samcurry.net/hacking-subaru
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United State...
samcurry.net
January 23, 2025 at 5:44 PM
Reposted by Paul
The "ADR" format (architectural decision records) is a good form for keeping this lightweight yet useful. For example, adr.github.io/madr/
About MADR
adr.github.io
December 27, 2024 at 5:30 PM
Reposted by Paul
Hey BlueSky!

In case you missed it:

I've created cspbypass.com
A site where you can search for known CSP bypass gadgets to gain XSS.

It already contains a bunch of useful gadgets with contributions from your favourite hackers.

If you have some CSP bypasses to share, feel free to contribute!
November 14, 2024 at 2:57 PM
Reposted by Paul
I put together a VERY limited (for now) list of web hackers in a Starter pack:

go.bsky.app/9uay4Ad

A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
December 18, 2024 at 12:54 AM
Reposted by Paul
Read more about what OWASP TEA WG together with @oej.edvina.net is doing and why it is essential for your #CRA (Cyber Resilience Act) certification and managing your #tech-debt here: owasp.org/blog/2024/11...

#cybersec #appsec #infosec
Lifecycle events are part of the secure supply chain | OWASP Foundation
Lifecycle events are part of the secure supply chain on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
owasp.org
December 9, 2024 at 7:14 AM
Reposted by Paul
(someone used a carefully crafted branch name to inject a crypto miner into a popular Python package: github.com/ultralytics/...)
Discrepancy between what's in GitHub and what's been published to PyPI for v8.3.41 · Issue #18027 · ultralytics/ultralytics
Bug Code in the published wheel 8.3.41 is not what's in GitHub and appears to invoke mining. Users of ultralytics who install 8.3.41 will unknowingly execute an xmrig miner. Examining the file util...
github.com
December 6, 2024 at 3:28 AM