Scott Dutton

@TanmayMishu @braedencreative @TheHackersNews @enunomaduro Mostly its adding to .env.example, so that the auto copy happens and puts the same value in. The linked repo in the CVE is exactly this. Adding secrets to the .env.example

You invite a junior dev, they remove .env from .gitignore, and then run git push. Some people accidentally copy the content of .env to .env.example (typically while copying from production server to local machine) and forget to undo the changes in .env.example, and then run git push.

🚨 260K Laravel APP_KEYs exposed on GitHub — over 600 apps vulnerable, and ~120 at immediate risk of remote code execution. With keys + URLs leaked, attackers can hijack servers via deserialization. Most devs likely unaware. Full story + what to do → thehackernews.com/2025/07/over-6…

@julian_center @snapey @TheHackersNews Its really common to put real creds into .env.example. The linked CVE shows exactly that. Secrets used everywhere put into .env.example, build copys .env from .env.example

@snapey @TheHackersNews Bet it‘s >90%

@_remsio_ A PR you may be interested in github.com/laravel/larave…

Ever wondered if Laravel secrets used for encryption are usually correctly managed? Well, we made statistics from all the internet regarding this specific topic during an entire year and summed up everything in this blog post, Hope you enjoy it! 😁

@TanmayMishu @TheHackersNews @enunomaduro github.com/laravel/larave… was rejected, was designed to stop exactly this

@enunomaduro could this be within the scope of pest Arch Test? arch()->expectFile(‘.env’)->toBeGitIgnored(); Could be included in: arch()->preset()->security(); Those who will want to push the .env to VCS, will eventually push them anyway 🤦‍♂️, but might come in handy as a soft preventive measure

@PatricioOnCode @MrPunyapal I provided a PR here (in 2021) and was rejected github.com/laravel/larave…

@MrPunyapal 260k apps is a lot. I’m betting its apps being deployed to the /public folder in shared hosting environments, combined with lack of hosting experience

Laravel by default put .env in .gitignore so it's dumb devs not Laravel. 👍

@alexellisuk Looks great. Out of interest why 3.5 turbo over 4o-mini. Mini usually gives better results for me and is cheaper

We've been seeing more and more cold emails getting through Google's spam filter.. so we took matters into our own hands with @openfaas and @OpenAI Link in next message..

@dc441244 What time is this?

Hey Everone, we are very excited about the first meet up of the Chester Defcon group DC441244 next week on Thursday evening (3rd April 2025) at the City Tavern on Frodsham Street in Chester. The content will be excellent and the company even better. We can’t wait to see ya there!

@theoboldalex /** @var MyObject[] */ Will work with tools like phpstan, not native but very good Can also wrap it in a new object with ArrayAccess implemented. not quite the same but works well

@matthewmincher @theoboldalex

@theoboldalex bet i can finish it first

@beattie282 @matthewmincher That is a lot of filament

@exusssum @matthewmincher I've only got a few lol 🙃

buying spools of pla has become my new sideproject domain registration

@theoboldalex or en.wikipedia.org/wiki/Shakespea… would looks great

@theoboldalex en.wikipedia.org/wiki/Whitespac…

I have been laughing at this entirely too long...

@jwage @symfony @psalmphp I have used github.com/matthiasnoback… before and it worked really well

What’s the best setup for detecting dead code in @symfony? I tried to use @psalmphp but I got a ton of incorrect results from listeners and other things that do get used by the container.

@vaugenwake The future ❤️

Got a pack of NFC tags coming tomorrow. They about to be everywhere 😂😂

@theoboldalex On thinkpads you can swap these in BIOS

Another year. Another @HTempestPhoto poor quality school photo