Security

Publication croisée depuis https://programming.dev/post/41331208

"Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.

The malicious code exfiltrates the stolen information by creating a GitHub Action runner named SHA1HULUD, and a GitHub repository description Sha1-Hulud: The Second Coming.. This suggests it may be the same attacker behind the "Shai-Hulud" attack observed in September 2025.

And now, over 27,000 GitHub repositories were infected."

Other source with list of compromised package available

Publication croisée depuis https://programming.dev/post/41331208

"Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.

The malicious code exfiltrates the stolen information by creating a GitHub Action runner named SHA1HULUD, and a GitHub repository description Sha1-Hulud: The Second Coming.. This suggests it may be the same attacker behind the "Shai-Hulud" attack observed in September 2025.

And now, over 27,000 GitHub repositories were infected."

Other source with list of compromised package available

A good overview of their tests and findings surrounding Flock cameras. Goes through some approaches on manipulating and monitoring the cameras themselves, but also the hosted Flock platform, police, shared data, and politics.

How can I check to see if a given Onion Service is still in-use?

To be clear: I'm not asking about just Onion Services bound to port 80. Of course I can just curl it, but that won't tell me if the Onion Service is running something on another port.

I'm trying to find an XMPP server that uses an Onion Service. I found several lists of XMPP servers and their .onion names, but I expect most of these services are offline.

2n3tvihf4n27pqyqdtcqywl33kbjuv2kj3eeq6qvbtud57jwiaextmid.onion
32qywqnlnqzbry42nmotr47ebts3k6lhiwfob6xniosmepz2tsnsx7ad.onion
4colmnerbjz3xtsjmqogehtpbt5upjzef57huilibbq3wfgpsylub7yd.onion
6voaf7iamjpufgwoulypzwwecsm2nu7j5jpgadav2rfqixmpl4d65kid.onion
6w5iasklrbr2kw53zqrsjktgjapvjebxodoki3gjnmvb4dvcbmz7n3qd.onion
7drfpncjeom3svqkyjitif26ezb3xvmtgyhgplcvqa7wwbb4qdbsjead.onion
ae3w7fkzr3elfwsk6mhittjj7e7whme2tumdrhw3dfumy2hsiwomc3yd.onion
chillingguw3yu2rmrkqsog4554egiry6fmy264l5wblyadds3c2lnyd.onion
fzdx522fvinbaqgwxdet45wryluchpplrkkzkry33um5tufkjd3wdaqd.onion
gku6irp4e65ikfkbrdx576zz6biapv37vv2cmklo2qyrtobugwz5iaad.onion
gois4b6fahhrlsieupl56xd6ya226m33abzuv26vgfpuvv44wf6vbdad.onion
j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion
jabjabdea2eewo3gzfurscj2sjqgddptwumlxi3wur57rzf5itje2rid.onion
jaswtrycaot3jzkr7znje4ebazzvbxtzkyyox67frgvgemwfbzzi6uqd.onion
jeirlvruhz22jqduzixi6li4xyoweytqglwjons4mbuif76fgslg5uad.onion
jukrlvyhgguiedqswc5lehrag2fjunfktouuhi4wozxhb6heyzvshuyd.onion
mrbenqxl345o4u7yaln25ayzz5ut6ab3kteulzqusinjdx6oh7obdlad.onion
nixnet54icmeh25qsmcsereuoareofzevjqjnw3kki6oxxey3jonwwyd.onion
qawb5xl3mxiixobjsw2d45dffngyyacp4yd3wjpmhdrazwvt4ytxvayd.onion
qwikoouqore6hxczat3gwbe2ixjpllh3yuhaecixyenprbn6r54mglqd.onion
qwikxxeiw4kgmml6vjw2bsxtviuwjce735dunai2djhu6q7qbacq73id.onion
razpihro3mgydaiykvxwa44l57opvktqeqfrsg3vvwtmvr2srbkcihyd.onion
rurcblzhmdk22kttfkel2zduhyu3r6to7knyc7wiorzrx5gw4c3lftad.onion
szd7r26dbcrrrn4jthercrdypxfdmzzrysusyjohn4mpv2zbwcgmeqqd.onion
xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion
xiynxwxxpw7olq76uhrbvx2ts3i7jagqnqix7arfbknmleuoiwsmt5yd.onion
xmppccwrohw3lmfap6e3quep2yzx3thewkfhw4vptb5gwgnkttlq2vyd.onion
ynnuxkbbiy5gicdydekpihmpbqd4frruax2mqhpc35xqjxp5ayvrjuqd.onion
yxkc2uu3rlwzzhxf2thtnzd7obsdd76vtv7n34zwald76g5ogbvjbbqd.onion

I don't want to eliminate them just for not running an HTTP server (eg port 80, 443, 8080, etc). Nor do I want to eliminate them for not running on a common XMPP port (5222, 5223, 5269, 5298, 8010). I'm trying to find something that checks if an Onion Service has been used in the past days/weeks without requiring me to test a connection on a given port.

My understanding is that Onion Services will (by default) generate and publish hidden service descriptors (HSDir).

Is there some way I can query the Tor directory of HSDirs to see if a given Onion Service is still active?

Freund wasn’t looking for a backdoor when he noticed SSH connections to his Debian testing system taking 500 milliseconds longer than usual. As a database engineer benchmarking PostgreSQL performance, he initially dismissed the anomaly. But the engineer’s curiosity persisted.

The backdoor’s technical sophistication was breathtaking. Hidden across multiple stages, from modified build scripts that only activated under specific conditions to obfuscated binary payloads concealed in test files, the attack hijacked SSH authentication through an intricate chain of library dependencies. When triggered, it would grant the attacker complete remote access to any targeted system, bypassing all authentication and leaving no trace in logs.

The backdoored versions 5.6.0 and 5.6.1 had been released in February and March 2024, infiltrating development versions of Fedora, Debian, openSUSE, and Arch Linux. Ubuntu’s upcoming 24.04 LTS release, which would have deployed to millions of production systems, was mere weeks away.

The technical backdoor was merely the final act of a three-year psychological operation that began not with code, but with studying a vulnerable human being.

Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, Wade reported, multiple older passwords will work while newer ones won’t. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.

Source: Oligo Security

Abstract:

When a website is accessed, a connection is made using HTTPS to ensure that it ends with the website owner and that subsequent data traffic is secured. However, no further assurances can be given to a user. It is therefore a matter of trust that the site is secure and treats the information exchanged faithfully. This puts users at risk of interacting with insecure or even fraudulent systems. With the availability of confidential computing, which makes execution contexts secure from external access and remotely attestable, this situation can be fundamentally improved.

In this paper, we propose browser-based site attestation that allows users to validate advanced security properties when accessing a website secured by confidential computing. This includes data handling policies such as the data provided being processed only during the visit and not stored or forwarded. Or informs the user that the accessed site has been audited by a security company and that the audited state is still intact. This is achieved by integrating remote attestation capabilities directly into a commodity browser and enforcing user-managed attestation rules.

Some excerpts:

Such a secured context is encrypted at all times, but is decrypted within the CPU only when the context is about to be executed. Thus, code and data are now also protected from unwanted access during execution. In order to validate that confidential computing applies to a secured context, remote attestation must be performed. During this process, a request is sent to a secured context, which in turn requests an attestation report from a Hardware Root of Trust (HRoT) local to the platform.

We argue that end users could also benefit greatly from the extended guarantees of confidential computing when accessing a secured website. However, there are two main obstacles: First, there is no standardized way for users to detect a secured context and perform remote attestation. Second, if remote attestation is enabled, users must be able to interpret an attestation result to decide whether the remote site is trustworthy.

In this paper, we present site attestation, which takes advantage of confidential computing to improve trust and security when surfing the Web.

7 CONCLUSION

Today, when accessing websites, users have to trust that the remote system is secure, respects data protection laws, and is benevolent. With the availability of confidential computing, remote execution contexts can be secured from external access and become attestable. Site attestation proposes to secure websites through confidential computing and perform remote attestation with trustworthiness policies while surfing the Web, reducing the need to blindly rely on the website’s reputation.

GitHub repo with Nginx, httperf, and Firefox code

Long live Julian Assange.

Microsoft is creating new capabilities that will let security vendors operate outside of the root of Windows operating systems.

Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

cross-posted from: https://lemmy.ml/post/18512730

DroidFS is an Android application providing rootless support for gocryptfs and CryFS encrypted file systems. It features an encrypted camera, biometric unlocking, integrated secure file viewers and allows decrypted files to be exposed to other applications. It is 100% FLOSS and developed voluntarily.

This new version...

• aims to improve the user interface
• implements a foreground service to keep volumes open in the background
• allows tweaking the file export method used for sharing content with other apps
• adds new Turkish, Simplified Chinese and Hebrew translations
• and of course, fixes a few bugs

Official APKs are available for download now. It should land on F-Droid very soon, with a new per-ABI APKs split which will reduce quite a bit the download as well as the installed app size.

Feel free to give some feedback, open bug reports, ask for help, contribute, or just discuss about the project!

Hey Community, I figured that I could strengthen existing automated unit test generation quality by integrating mutation testing results as a metric to determine the quality of my unit tests. Figured everyone should be unit testing their code now especially after the recent Crowdstrike fiasco.

Check it out here https://github.com/codeintegrity-ai/mutahunter

Please star if you like it :)

Caused by security firm CrowdStrike that issued an update.

Regression in signal handler.

This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd's privileged code, which is not sandboxed and runs with full privileges.

Contrary to what is stated on the polyfill.io website, Cloudflare has never recommended the polyfill.io service or authorized their use of Cloudflare’s name on their website. We have asked them to remove the false statement, and they have, so far, ignored our requests. This is yet another warning sign that they cannot be trusted.

If it ain't 'murican we ban 'em!

Guess all foreign cars should be next, what with all the telemetry and all...