Jay Townsend

3.3K posts

@jay_townsend1

System administrator, avid interest in info sec, Python programming, core dev of discover, theHarvester, DNSrecon #ADHD sufferer

United Kingdom · Joined July 2016
259 Following · 433 Followers
Socket @SocketSecurity
🚨 Supply chain attack on the Laravel Lang organization: 700+ historical versions across multiple community-maintained Laravel Lang packages were compromised with an RCE backdoor, including:

laravel-lang/lang
laravel-lang/http-statuses
laravel-lang/attributes
Laravel-Lang/actions

The payload targets cloud creds, CI/CD secrets, Kubernetes tokens, Vault, browser data, password managers, SSH keys, and more.
54
278
1.1K
707.2K
Rob Fuller @mubix
Have we seen malicious CLAUDE.md files or malicious AI skills yet? This feels like the new “don’t copy and paste random command line or bash scripts from the internet”
5
2
19
3.1K
Jay Townsend @jay_townsend1
@eastdakota @CloudflareHelp can someone please take a look at these tickets? One is nearly a month old with no updates on it, and another one got opened the other day. It’s causing some major issues. 02087298 and 02136751
0
0
0
53
Jay Townsend reposted
StepSecurity @step_security
🚨 ACTIVE SUPPLY CHAIN ATTACK 🚨

The actions-cool/issues-helper GitHub Action is compromised. Every existing tag in the repo now points to an imposter commit that:

⬇️ Downloads the bun JS runtime
🧠 Reads Runner.Worker process memory to harvest CI/CD secrets in flight
📡 Exfiltrates credentials to t.m-kosche[.]com

Any workflow referencing this action by version will pull the malicious code on its next run. If you use it: stop immediately, pin to a known-good commit SHA from before the compromise, and rotate any secrets exposed to recent runs.

StepSecurity customers are already protected:

🛡 Real-time Threat Center alert with "Am I Affected?" links for every workflow and every runner that has talked to the IOC domain
🚫 Compromised Actions Policy blocks any run referencing this action before it executes
🌐 Harden-Runner Global Block List now blocks t.m-kosche[.]com automatically, even in audit mode, no config change required
🔍 Imposter Commit detection flags the exact signature of this attack

Full advisory and IOCs: stepsecurity.io/blog/actions-c…
2
25
87
11.3K
Jay Townsend reposted
Socket @SocketSecurity
🧊 Big release for #JavaScript supply chain security: @pnpmjs 11 now defaults to a 1-day Minimum Release Age, blocks exotic subdependencies, and adds a new Allow Builds model. A strong step toward reducing exposure to fast-moving npm attacks → socket.dev/blog/pnpm-11-a… #nodejs
5
37
139
15.3K
Jay Townsend @jay_townsend1
@Carlos_Perez can you look at getting this set up for DNSrecon please? @laramies this for theHarvester as well
Feross @feross

Socket is free for open source maintainers. We're launching the @SocketSecurity for Open Source program -- any open source maintainer can get a free Team plan to protect their project from supply chain attacks.

Open source is critical infrastructure. Millions of companies depend on packages maintained by small teams and volunteers. These maintainers are high-value targets but rarely have access to enterprise security tooling. That's wrong. We want to fix it.

What you get:

✅ Full dependency scanning across your project
✅ Real-time alerts for malicious packages in your dependency tree
✅ Check every PR to make sure no malicious dependencies are added -- including PRs from outside contributors

If you maintain an open source project, send an email to support[at]socket[dot]dev and we'll get you set up!

0
0
1
49
Jay Townsend @jay_townsend1
With everything going on in supply chain madness lately, the CLI @SocketSecurity software firewall tool along with my traceguard program (Linux only) in block mode, if you just block everything outbound and then stick what you need in the allow list, should anything get past Socket's tool, should help control the blast radius. github.com/L1ghtn1ng/trac… #infosec #cybersecurity
0
0
1
80
Jay Townsend reposted
Socket @SocketSecurity
We’re tracking 73 Open VSX sleeper extensions tied to the GlassWorm campaign, with at least 6 already activated to deliver malware. These cloned extensions initially appear benign, then later become malware delivery vehicles through normal updates. socket.dev/blog/73-open-v…
1
11
24
3.1K
Jay Townsend reposted
Bitwarden @Bitwarden
Bitwarden identified and contained a malicious package briefly distributed through the npm delivery path for the Bitwarden CLI in connection with the broader Checkmarx supply chain incident. No user vault data or production systems were compromised or at-risk. Additional details and updates are available here: community.bitwarden.com/t/bitwarden-st…
62
666
3.5K
397.3K
Jay Townsend reposted
JFrog Security @JFrogSecurity
The Checkmarx TeamPCP campaign has now spread to npm! Package @bitwarden/cli (78K weekly downloads) v2026.4.0 steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains & as GitHub commits.

Payload looks very similar to the attack discovered yesterday by Docker, which affected Checkmarx docker images & VSCode extensions.

More details in this thread shortly 🧵
9
59
251
44.6K
Jay Townsend reposted
Brendan Falk @BrendanFalk
To check if your Google Workspace has been compromised by the same tool that compromised Vercel:

1. Go to admin.google.com/ac/owl/list?ta…
   - This is Google Admin Console > Security > Access and Data Control > API Controls > Manage app access > Accessed Apps
2. Filter by ID = …v79i7bbvqj.apps.googleusercontent.com
   - This is the ID of the compromised OAuth app

If you see an app after filtering, you have potentially been compromised
62
745
4.5K
1.1M
Jay Townsend reposted
GitHub @github
The GitHub Actions 2026 security roadmap covers three layers in a shift toward making secure behavior the default. Here’s what’s coming next, and when. ⬇️ github.blog/news-insights/…
10
28
135
29.1K
Jay Townsend @jay_townsend1
Okay, thanks for that info. Sounds like there could be some enhancements to the meta tag, aka location reporting for example, in the spec, as that seems like an oversight imo, and/or @astrodotbuild and @angular could look at improving their CSP implementations more to overcome the drawbacks like not being able to support all primitives etc?
0
0
0
24
Scott Helme @Scott_Helme
@jay_townsend1 @snyksec @securityheaders @astrodotbuild The limitation on the location in the DOM makes sense. If the browser had to wait to parse the entire DOM before acting or loading any resources, it'd result in a terrible experience. The CSP can only take effect from the moment it's parsed out of the meta tag.
1
0
0
125
Jay Townsend @jay_townsend1
@Scott_Helme @snyksec why does a CSP setting also not get picked up when a site uses the meta tag for it in HTML on @securityheaders? To me at least, it would make sense to also pick it up from there as well.
1
0
0
36
Jay Townsend @jay_townsend1
Found out about the frame-ancestors directive and was not aware of the DOM stuff. What’s the point of the meta tag for it if it’s not treated exactly the same? Reason I ask: as part of the flasgo.dev website, @astrodotbuild supports generating the CSP for you and so does @angular, so would be good to get your take on them both
1
0
0
27
Scott Helme @Scott_Helme
@jay_townsend1 @snyksec @securityheaders There’s no reporting, so you can’t get any feedback on the policy. There are also limitations on which directives you can use. The biggest has to be that it only applies to resources loaded after it in the DOM, so malicious activity before the meta tag is fair game!
1
0
0
110
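
Added example, not part of the thread and not code from any participant or project mentioned in it: a small audit of the meta-tag CSP limitations discussed above. It reports which directives in a `<meta>` policy are dropped under the CSP specification (`frame-ancestors`, `report-uri`, `sandbox`) and which resource-loading elements appear before the meta tag and so are not covered by it. The names `audit`, `MetaCSPAudit`, `LOADING_TAGS` and the sample page are hypothetical.

```python
from html.parser import HTMLParser

# Directives the CSP spec drops when the policy arrives via <meta>.
IGNORED_IN_META = {"frame-ancestors", "report-uri", "sandbox"}
# Elements that can fetch or execute something as soon as they are parsed
# (an approximation chosen for this example, not an exhaustive list).
LOADING_TAGS = {"script", "link", "img", "iframe", "style", "object", "embed"}


class MetaCSPAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.policy = None        # content of the first meta CSP found
        self.before_policy = []   # (tag, line) seen before that meta tag

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        http_equiv = (attrs.get("http-equiv") or "").lower()
        if tag == "meta" and http_equiv == "content-security-policy":
            if self.policy is None:
                self.policy = attrs.get("content") or ""
        elif self.policy is None and tag in LOADING_TAGS:
            # Parsed before any policy exists, so the policy cannot govern it.
            self.before_policy.append((tag, self.getpos()[0]))


def audit(html):
    """Return the meta policy, its ignored directives, and uncovered elements."""
    parser = MetaCSPAudit()
    parser.feed(html)
    parser.close()
    if parser.policy is None:
        return {"policy": None, "ignored": [], "uncovered": parser.before_policy}
    names = [d.split()[0].lower() for d in parser.policy.split(";") if d.strip()]
    return {
        "policy": parser.policy,
        "ignored": sorted(set(names) & IGNORED_IN_META),
        "uncovered": parser.before_policy,
    }


# Constructed sample page: one script sits above the meta tag, one below.
SAMPLE = """<html><head>
<script src="https://cdn.example/early.js"></script>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; frame-ancestors 'none'; report-uri /csp">
<script src="/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Anything listed under `ignored` needs to be sent in the `Content-Security-Policy` response header to take effect, and anything under `uncovered` means the meta tag should move above it in `<head>`.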