Ilay Goldman

We immediately disclosed these vulnerabilities to the Jenkins team in January 2023, and they responded quickly by issuing a patch for the Jenkins server and the Jenkins Update Center.Read our blog for more information (blog.aquasec.com/jenkins-server…) #jenkins #cve (5/5)🧵

אמ;לק: @YakirKad, @GoldmanIlay מ @AquaSecTeam עשו מחקר מרתק על סיקרטים שלא ניתנים לאיתור ע״י הסורקים הנפוצים כיום. הצוות גילה קרדנשילס לסביבות ענן, תשתיות פנימיות, פלטפורמות טלמטריות, רשתות, מצלמות ועוד, חשופים לעולם. מחקתם את הסיקרט? חושבים שזה מספיק? אולי כדאי לכם לצלול >>

🛑 Ubuntu users, beware! Hackers can exploit a #vulnerability in the command-not-found utility to recommend and trick you into installing rogue packages via snap repositories. Learn more: thehackernews.com/2024/02/ubuntu… Double-check sources before installation. #Linux #Cybersecurity

We also found that 26% of the apt packages' commands could be impersonated by attackers! Understand our findings, implications, and defenses for developers and users alike on our blog. (3/3) 🧵

In our research, we delve into how attackers can manipulate the 'command-not-found' package into suggesting their malicious snap packages. We explain how the suggestion mechanism works and the dangers of installing malicious snap packages. (2/3) 🧵

🚨 Snap Trap: The Hidden Dangers Within Ubuntu’s Package Suggestion System 🚨 Attackers could manipulate the package suggestion mechanism in Ubuntu to fool users into installing malicious packages. aquasec.com/blog/snap-trap… @AquaSecTeam (1/3) 🧵 #Ubuntu #SSC #CyberSecurity

I’m gonna give 10 random people that repost this and follow me $25,000 for fun (the $250,000 my X video made) I’ll pick the winners in 72 hours

In this blog, we detail our criteria for npm package deprecation and introduce Dependency-Deprecated-Checker, our new open-source tool. This tool scans your package.json file and alerts you about deprecated packages. (4/4) 🧵

Moreover, these developers sometimes archived the corresponding repository instead of officially deprecating the package at npm. This behavior led to a discrepancy between the official deprecation status of the package at npm, to the actual deprecation of the package. (3/4) 🧵

🚨Deceptive Deprecation: The Truth About npm Deprecated Packages - new research🚨 8.2% of popular npm packages are officially deprecated. However, our study suggests the real number is closer to 21.2%! @AquaSecTeam @YakirKad blog.aquasec.com/deceptive-depr… (1/4) 🧵 #npm #cve

In this #RSAC 2023 presentation, speakers @YakirKad and @GoldmanIlay elaborate on the many attack vectors in the supply chain ecosystem, including integrated development environment (IDE), source code management (SCM), package managers and CI/CD. spr.ly/6014u022j

Open-source vulnerability disclosure: Exploitable weak spots - helpnetsecurity.com/2023/11/09/ope… - @AquaSecTeam @GoldmanIlay @YakirKad #OpenSource #GitHub #VulnerabilityDisclosure #Cybersecurity #CybersecurityNews #InfosecNews

Have you heard of GitHub RepoJacking? 💀 @goldmanilay and @YakirKad from @AquaSecTeam have discovered 37k vulnerable repositories that are at risk of RepoJacking, posing a significant threat to organizations. #bugbounty #bugbountytip #applicationsecurity

🔐 Unlock the secrets of supply chain vulnerabilities! Check out this informative session from BlackHat Asia 2023, "Breaking the Chain", where the attacker's perspective is examined across 5 phases of the cloud development flow. 👀 Watch now: youtube.com/watch?v=mWgcJx… Presented by: @YakirKad & @GoldmanIlay #supplychainsecurity #cloudsecurity #blackhatasia2023

Even though the video quality isn't the best, I can assure you that the content is the best.

In our blog, we delve into Microsoft's lack of protection regarding impersonation of popular packages. Additionally, we explore how attacker's unearth hidden packages, potentially exposing secrets. These flaws were confirmed by Microsoft, but they still persist! (2/2) 🧵

🚨PowerShell Gallery: Security Alert- New Research🚨 The PowerShell Gallery stands as a vital registry for modules and scripts (over 9 Billion downloads). However, it is not as protected as we thought it to be. blog.aquasec.com/powerhell-acti… (1/2) 🧵

@clintgibler @YakirKad Thanks!

⚔️ GitHub Repositories Vulnerable to RepoJacking Obtaining remote code execution on 37K GitHub repos via RepoJacking: * Exploitation Scenarios * RepoJacking Restrictions and Bypasses * Summary and Mitigations + more! By @goldmanilay and @YakirKad blog.aquasec.com/github-dataset…

@McPanceton @YakirKad @TheHackersNews You also have a section there that emphasizes that difference between this research and other studies 😀

@YakirKad @TheHackersNews Thank you for further clarifying.

🚨 Attention developers & organizations! MILLIONS of software repositories on #GitHub are at risk of RepoJacking, a supply chain #vulnerability that allows attackers to publish trojanized versions of repositories. Learn how this attack works: thehackernews.com/2023/06/alert-… #hacking