tuckner

4.9K posts


@tuckner

Finding bad software extensions at @SocketSecurity (acquired @secureannex)

Kansas City, MO · Joined May 2008
848 Following · 3K Followers
AndrewMohawk⁽ⁿᵘˡˡ⁾
Codex ALSO found the Next.js SSRF without *any* harness (reported 10+ days ago, soon to be another duplicate!). The next wave of bugs is going to hurt a lot more as we move out of the harness making a huge diff to the model counts. Then it's just a token crunching game for $/bug
4
1
19
1.9K
tuckner
tuckner@tuckner·
@handotdev At least they change every couple years to keep their attention
0
0
1
950
Han Wang
Han Wang@handotdev·
overheard from someone in sales: "there are only so many fortune 500 companies"
21
2
233
27.5K
xpl0itrs
xpl0itrs@xpl0itrs·
Back from hiatus. @Sportradar too bad you acknowledged us far too late. We noticed the only posts that X had requested us to remove were the ones regarding your breach. Trying to save face? Lol xD Apart from that, hello nuvidio (attachment). More to come.
3
7
22
9.9K
tuckner
tuckner@tuckner·
@mattjay The metaverse was supposed to solve this
1
0
1
65
tuckner retweeted
Andras Bacsai
Andras Bacsai@heyandras·
We made a fake repo with fake bounties, and the bots are applying fake PRs, so we know who is fake, and we can ban them from the Coolify repo. IQ over 1000
194
499
10.6K
497K
Jose Enrique Hernandez
Jose Enrique Hernandez@_josehelps·
Aside from pinning package builds (which is still a dubious fix) and having hope that the EDR has signatures for what’s about to get dropped. How else can defenders prevent a bad package install from wrecking their environments? Assuming execution?? ..starts with app and ends with control
The Haag™@M_haggis

🪱 preinstall. postinstall. payload. Would your detections catch it?
With npm supply-chain attacks continuing to evolve, I wanted a safe way to emulate the behaviors attackers actually use, from workflow injection to staged payload downloads and token theft.
That’s why I built: 🧪 github.com/MHaggis/NPM-Th…
A lightweight toolkit for safely testing:
• malicious npm install behavior
• postinstall/preinstall execution
• workflow tampering
• staged downloads & mock exfiltration
• EDR/SIEM/CI visibility
I also wrote Splunk detections covering npm supply-chain compromise behaviors: 📖 research.splunk.com/stories/npm_su…
These attacks aren’t going away, but defenders can absolutely get ahead of them. ⚔️

3
1
9
1.8K
tuckner retweeted
Socket
Socket@SocketSecurity·
💎 New GemStuffer Campaign: Socket detected a RubyGems registry abuse campaign stuffing scraped UK council portal pages into junk gems. PoC worm, scraper, or spam? Low downloads, repeated publishing, and 155 artifacts tracked so far. New Research → socket.dev/blog/gemstuffer
2
15
30
5.8K
Adel Ka
Adel Ka@0x4D31·
was hoping D&R or literally anything would replace “SOC” because it gives 2000s room-with-12-monitors-and-a-broken-SIEM vibes. instead we got “AI SOC” everywhere :’(
4
2
26
37.6K
Milo Smith
Milo Smith@mil000·
The company is Pocket, the hardware device that records meetings and calls. They basically lied and multiplied normal hardware revenue by 12 to make it into ARR when that’s not how ARR works.
28
8
707
204.7K
tuckner
tuckner@tuckner·
@0x4D31 @ejcx_ Evan already skinning runreveal for April fools next year
1
0
3
136
tuckner
tuckner@tuckner·
@mattjay By EOD the news articles will be calling it AI driven supply chain attacks
English
0
0
5
174
Matt Johansen
Matt Johansen@mattjay·
"is it vibe coded? yes. Does it work? Let the results speak." - TeamPCP on their multiple wave very successful npm and PyPI worms. The code for their exploit kit was open source briefly, it is now taken down.
Adnan Khan@adnanthekhan

Not sharing the repo as we don't need more chaos - but it appears TeamPCP released an open-source version of their Shai-Hulud malware. Valuable for building detections. Treat the build code itself as backdoored unless proven otherwise.

4
4
39
8.3K
tuckner retweeted
Nick Frichette
Nick Frichette@Frichette_n·
Malicious skills are evolving, and attackers are finding ways to execute them before model-level defenses even activate. In the first post of our new series, I’ll show you how dynamic context in coding agents can introduce new supply chain risks: securitylabs.datadoghq.com/articles/malic…
7
11
40
2.8K
tuckner
tuckner@tuckner·
@adnanthekhan Either it's burning the tradecraft or meant to spawn copy cats making attribution harder
1
0
3
640
Adnan Khan
Adnan Khan@adnanthekhan·
Not sharing the repo as we don't need more chaos - but it appears TeamPCP released an open-source version of their Shai-Hulud malware. Valuable for building detections. Treat the build code itself as backdoored unless proven otherwise.
8
4
57
13.9K
tuckner retweeted
Adnan Khan
Adnan Khan@adnanthekhan·
PSA - GitHub is planning on hardening Actions Caching github.com/orgs/community… Please chime in to share how the new cache model should be secure by default instead of requiring opting-in to secure settings! Short term discomfort > this supply chain attack agony.
2
26
95
13.6K
Zack Korman
Zack Korman@ZackKorman·
Too many cybersecurity companies claim they're using AI when they aren't. So, I want to be transparent and show exactly how Embroidery uses AI to catch AI agent threats. We added a new feature showing every step that led to an alert. Details in the thread below.
10
10
132
7.7K
tuckner retweeted
Adnan Khan
Adnan Khan@adnanthekhan·
This attack leveraged GitHub Actions Cache Poisoning. Payload deployed here: github.com/TanStack/route… It looks like it detonated here: github.com/TanStack/route…
TANSTACK@tan_stack

SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains: "optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." } Any version with this entry is compromised.
The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…
Credit to the security researcher for responsible disclosure.

10
37
410
576.4K
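
The detection rule quoted in the TanStack advisory above, written out as a manifest check. This is an added example, not part of the original posts and not TanStack's or Socket's code. It goes slightly beyond the advisory by also flagging any other git-resolved optionalDependency for review; the sample manifests and their package names are constructed, and the commit reference is left truncated as it appears in the advisory.

```javascript
// Added example: apply the advisory's manifest indicator to package.json text.

// Dependency specs that npm resolves from git instead of the registry.
const GIT_SPEC = /^(github:|git\+|git:\/\/|https?:\/\/github\.com\/)/i;
// Bare "owner/repo#ref" GitHub shorthand (not ./ or ../ local paths).
const GH_SHORTHAND = /^[a-z0-9][\w.-]*\/[\w.-]+(#.+)?$/i;

function scanManifest(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    return [{ level: "error", reason: "manifest is not valid JSON" }];
  }
  const optional = (manifest && manifest.optionalDependencies) || {};
  const findings = [];
  for (const [name, spec] of Object.entries(optional)) {
    if (typeof spec !== "string") continue;
    const s = spec.trim().toLowerCase();
    // Exact indicator from the advisory: @tanstack/setup pulled from the router repo.
    if (name === "@tanstack/setup" && s.startsWith("github:tanstack/router#")) {
      findings.push({ level: "compromised", name, spec });
    } else if (GIT_SPEC.test(s) || GH_SHORTHAND.test(s)) {
      // Assumption: other git-resolved optional deps are worth a manual look.
      findings.push({ level: "review", name, spec });
    }
  }
  return findings;
}

// Constructed sample manifests (package names are made up for illustration).
const SAMPLES = {
  malicious: JSON.stringify({
    name: "constructed-affected-pkg",
    optionalDependencies: { "@tanstack/setup": "github:tanstack/router#79ac49ee..." },
  }),
  gitOptional: JSON.stringify({
    name: "constructed-app",
    optionalDependencies: { "native-helper": "someuser/native-helper#v1.2.0", fsevents: "^2.3.3" },
  }),
  clean: JSON.stringify({ name: "constructed-clean", dependencies: { react: "^18.3.1" } }),
};

function scanSamples() {
  const out = {};
  for (const [label, text] of Object.entries(SAMPLES)) out[label] = scanManifest(text);
  return out;
}
console.log(JSON.stringify(scanSamples(), null, 2));
```

To use it on a real tree, pass the text of each `package.json` under `node_modules` to `scanManifest` and treat any `compromised` finding as the advisory directs.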
tuckner retweeted
Socket
Socket@SocketSecurity·
🚨 BREAKING: 84 TanStack npm packages were compromised in an ongoing Mini Shai-Hulud supply chain attack, adding suspected CI credential-stealing malware. Socket flagged every malicious version within six minutes of publication. This is a developing story.
72
371
1.6K
820.4K
tuckner
tuckner@tuckner·
@rekdt But mythos is on the call with them
0
0
1
143