mthcht

136 posts

@mthcht2

Threat Hunting - DFIR - Detection Engineering

Joined February 2023
384 Following, 1.1K Followers
mthcht reposted
Socket (@SocketSecurity)
🚨 Supply chain attack on the Laravel Lang organization: 700+ historical versions across multiple community-maintained Laravel Lang packages were compromised with an RCE backdoor, including:
- laravel-lang/lang
- laravel-lang/http-statuses
- laravel-lang/attributes
- Laravel-Lang/actions
The payload targets cloud creds, CI/CD secrets, Kubernetes tokens, Vault, browser data, password managers, SSH keys, and more.
mthcht reposted
SafeDep (@safedepio)
🚨 The "Megalodon" Campaign is live... 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate:
- CI secrets
- cloud credentials
- SSH keys
- OIDC tokens
- source code secrets
Check your repo / Technical details: safedep.io/megalodon-mass…
mthcht reposted
StepSecurity (@step_security)
🚨 ACTIVE SUPPLY CHAIN ATTACK 🚨 The actions-cool/issues-helper GitHub Action is compromised. Every existing tag in the repo now points to an imposter commit that:
⬇️ Downloads the bun JS runtime
🧠 Reads Runner.Worker process memory to harvest CI/CD secrets in flight
📡 Exfiltrates credentials to t.m-kosche[.]com
Any workflow referencing this action by version will pull the malicious code on its next run. If you use it: stop immediately, pin to a known-good commit SHA from before the compromise, and rotate any secrets exposed to recent runs.
StepSecurity customers are already protected:
🛡 Real-time Threat Center alert with "Am I Affected?" links for every workflow and every runner that has talked to the IOC domain
🚫 Compromised Actions Policy blocks any run referencing this action before it executes
🌐 Harden-Runner Global Block List now blocks t.m-kosche[.]com automatically, even in audit mode, no config change required
🔍 Imposter Commit detection flags the exact signature of this attack
Full advisory and IOCs: stepsecurity.io/blog/actions-c…
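A defensive check for the pinning advice in the post above, added here as an example and not code from StepSecurity or the action's maintainers: it scans a workflow file for "uses:" references, flags tags and branches that are not a full commit SHA, and reports any reference to actions-cool/issues-helper. The workflow text is constructed and the SHA in it is a placeholder.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a GitHub Actions workflow; local
# actions ("./path") and docker:// references never match and are skipped.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s"\'#]+)')
# A full 40-hex commit SHA is the only ref the action's maintainer cannot move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Action named as compromised in the post above; extend with your own list.
COMPROMISED_ACTIONS = {"actions-cool/issues-helper"}


def find_action_refs(workflow_text):
    """Return (line_no, action, ref) for every remote action reference."""
    refs = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            refs.append((no, m.group(1), m.group(2)))
    return refs


def audit_workflow(workflow_text, compromised=COMPROMISED_ACTIONS):
    """Flag mutable refs (tags/branches) and any use of a compromised action."""
    findings = []
    for no, action, ref in find_action_refs(workflow_text):
        owner_repo = "/".join(action.split("/")[:2])  # drop any sub-path
        pinned = bool(SHA_RE.match(ref))
        if owner_repo in compromised:
            # Even a SHA pin is reported so the owner can confirm the commit
            # predates the compromise; other SHA pins pass silently.
            kind = "COMPROMISED_ACTION" if pinned else "COMPROMISED_ACTION_MUTABLE_REF"
            findings.append((no, action, ref, kind))
        elif not pinned:
            findings.append((no, action, ref, "MUTABLE_REF"))
    return findings


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: triage
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions-cool/issues-helper@v3
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-step
"""
```

Run audit_workflow over each file under .github/workflows; any COMPROMISED_* finding is the signal to pin to a pre-compromise SHA and rotate the secrets those runs could see.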
mthcht reposted
Jeff Cross (@jeffbcross)
We’re continuing to work with Microsoft and GitHub to investigate the impact of the malicious Nx Console version 18.95.0. I'll share any updates on X (@jeffbcross and @NxDevTools) as well as in our security advisory: github.com/nrwl/nx-consol…. Initially, Microsoft indicated to us that there were 28 installs of the malicious version 18.95.0. Based on our own analytics for the compromised version, we currently believe the number of users who received the malicious package may be significantly higher; potentially over 6k installs. We’ll keep working to determine the actual impact and exposure, and I don’t want to speculate beyond the facts we have right now. But I also don’t want to minimize the situation. This is my top priority right now. Our team has been, and continues to be focused on understanding exactly what happened, helping affected users, hardening our systems and release processes, and being as transparent as possible throughout the investigation.
mthcht reposted
mthcht (@mthcht2)
💠VSXSentry💠 vsxsentry.github.io VS Code Extensions threat intel feeds for multiple platforms, VSIX analyzer, scripts & policy generator, remediation and forensic traces guide
mthcht reposted
GitHub (@github)
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
mthcht (@mthcht2)
@_dirkjan Did you commit this arg? I’d like to test it. I think I’m already catching this behavior through request-count anomalies on a specific endpoint URI, in addition to the classic pattern of many distinct endpoint URIs queried in a short time window
mthcht reposted
Socket (@SocketSecurity)
🚨 UPDATE: Mini Shai-Hulud has crossed from @npmjs into @pypi and is still spreading. Newly confirmed compromised artifacts:
- @opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads)
- mistralai: 2.4.6 on PyPI
- guardrails-ai: 0.10.1 on PyPI
- additional @squawk/* packages on npm
guardrails-ai 0.10.1 executes malicious code on import. On Linux, it downloads git-tanstack[.]com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it with python3 without integrity verification. The git-tanstack[.]com domain displayed a message signed “With Love TeamPCP,” along with: “We've been online over 2 hours now stealing creds Regardless I just came to say hello :^)” The page also linked to a YouTube video and you can probably guess which one.
mthcht reposted
MagicSword (@magicswordio)
LOLRMM just got a serious upgrade under the hood. ✅ Code-signing certificate data, schema validation, and safety warnings are now part of the dataset. That means better trust signals, cleaner detections, and clearer context on what's legitimate vs what's being abused. This is the kind of foundational work that makes everything else in the project more reliable. github.com/magicsword-io/…
mthcht reposted
Jonny Johnson (@JonnyJohnson_)
Have you ever wanted to query ETW providers, but didn't want to open a VM? What about checking the difference of ETW providers/events across OS builds? Today I am releasing EtwWatcher, a tool that brings EtwInspector to GitHub Pages so that you can query ETW providers, as well as compare them across builds. This is something I wish I had for YEARS but have always opted to pull manually through a VM. I plan on being very active in uploading new snapshots as new OS builds come out. Check it out!
Blog: jonny-johnson.medium.com/etwwatcher-f65…
Repo: github.com/jonny-jhnson/E…
Live site: jonny-jhnson.github.io/EtwWatcher/
mthcht reposted
V4bel (@v4bel)
💥 Introducing "Dirty Frag" A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io
mthcht (@mthcht2)
My new toxic trait: a useful browser extension project every week 😆 It’s been a productive month. I almost replaced every extension I used with my own. Funny enough, building a good dark reader extension without causing performance issues ended up being the hardest one. Some are published now!
mthcht reposted
Georgy Kucherin (@kucher1n)
Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100+ countries. If you use DAEMON Tools, run a malware scan immediately! [1/7]
LivingInCloud (@TheCloudLover)
@mthcht2 Ok! Is there a list of sources that feeds into this list?
mthcht (@mthcht2)
Launching oauthsentry.github.io Look up any OAuth app ID and find out what it actually is across thousands of legitimate, risky, and malicious apps (Entra, Google, GitHub). Multiple feeds, API, detection ideas and remediation guidance. Still improving the detections a bit 🦾