Pat Mayer

1K posts

@pat_mayer

Digital forensic and incident response professional, HTCIA Member Ottawa chapter / Opinions = Mine, #dfir

Montréal, Québec · Joined June 2010
2.4K Following · 330 Followers
Pat Mayer reposted
Dark Web Intelligence @DailyDarkWeb
🇨🇦 Canada - Threat actor claims sale of "canadalife.com" database containing 5.5 million records.

An underground forum post is advertising a database allegedly associated with Canada Life. The actor claims the dataset contains approximately 5.5 million lines of data and shared screenshots showing what appears to be CRM-style record structures.

Based on the visible headers, the alleged dataset may include:
• Full names
• Email addresses
• Phone numbers
• Physical addresses
• Company and employment information
• Geographic/location data
• CRM metadata and account identifiers
• User account attributes and preference fields

The structure shown in the screenshots resembles enterprise CRM/Salesforce-related exports, though this has not been independently verified.

At this stage:
• The claims remain unverified
• There is no confirmation of a direct compromise of Canada Life systems
• The authenticity, origin, and freshness of the data are currently unknown

Large CRM-style datasets are commonly used by threat actors for:
• Business email compromise (BEC) campaigns
• Credential attacks
• Targeted phishing and impersonation
• Corporate reconnaissance
• Identity enrichment and fraud operations

It is also possible that:
• The dataset originates from a third-party vendor or partner
• The information is recycled from older leaks
• The listing is exaggerated or partially fabricated for visibility on underground forums

Organizations handling insurance, healthcare, or financial services data remain high-value targets due to the extensive personal and corporate information they maintain.

Daily Dark Web is continuing to monitor underground communities for additional samples, validation evidence, or official statements related to this claim.

#DDW #Intelligence #Canada #CanadaLife #DataLeak #CyberSecurity #DarkWeb #ThreatIntelligence #OSINT
9
52
177
15.4K
Pat Mayer reposted
SpecterOps @SpecterOps
Create a folder called (calc). Shift+Right click "Open PowerShell window here" and boom, you have a command injection. @podalirius_ found two command injection vulnerabilities in Windows Explorer's context menus, both exploitable for 9 years. ghst.ly/42ImlI6
10
101
372
53.5K
Pat Mayer reposted
GitLawb @gitlawb
while Anthropic quietly removed Claude Code from the $20 Pro plan (now $100+ Max only) we just released OpenClaude v0.6.0 completely free & open-source.
179
418
5.2K
653.7K
Pat Mayer reposted
klöss @kloss_xyz
do you understand what just happened to one of the most used npm packages on the internet?

→ axios gets downloaded over 100 million times a week and today it got compromised
→ an attacker hijacked the npm credentials of a lead axios maintainer… changed the account email to an anonymous ProtonMail address… and manually published two poisoned versions
→ axios@1.14.1 and axios@0.30.4… neither version contains a single line of malicious code inside axios itself. instead they inject a fake dependency called plain-crypto-js that drops a remote access trojan on your machine
→ the fake dependency was staged 18 hours in advance… three separate payloads were pre-built for macOS, Windows, and Linux… both release branches were hit within 39 minutes. every trace was designed to self-destruct after execution too
→ there's no tag in the axios GitHub repo for 1.14.1. it was published outside the normal release process entirely... bypassed CI/CD completely
→ StepSecurity called it one of the most operationally sophisticated supply chain attacks ever against a top 10 npm package
→ a routine npm install silently opens a backdoor… no warning… no suspicious code visible in axios itself

this is the wake up call all vibe coding bros need to hear right now:
→ if you installed either version… assume your system is compromised
→ pin to axios@1.14.0 or axios@0.30.3
→ rotate all secrets, API keys, SSH keys, and credentials on affected machines
→ check network logs for C2 connections
→ add --ignore-scripts to CI npm installs going forward

100 million weekly downloads and one compromised maintainer account… that's all it took to wreak absolute havoc and I imagine we see a whole lot more of these… crazy times ahead for cybersecurity and vibe coding be safe out there y'all
Quoted post from Feross @feross:

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
107
486
3.5K
879.4K
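The "audit your lockfiles" advice in the two posts above, as an added example (not StepSecurity's, Socket's or the axios project's code): a small audit over an npm v2/v3 package-lock.json that flags the two poisoned axios releases, any version of plain-crypto-js, packages resolved from somewhere other than the public registry, and packages that run an install script (the hook that --ignore-scripts suppresses). The lockfile contents below are constructed for the demo; the only real identifiers are the package names and versions quoted in the posts.

```python
"""Audit an npm lockfile for the indicators named in the axios posts above.

Added example, not the axios project's or any vendor's tooling. Assumes npm's
lockfileVersion 2/3 layout (a top-level "packages" map keyed by install path).
"""
import json
import sys

# Indicators quoted in the posts above.
COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}
INJECTED_DEPENDENCY = "plain-crypto-js"      # any version: it did not exist before
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample lockfiles (not from a real project).
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": TRUSTED_REGISTRY + "axios/-/axios-1.14.1.tgz",
            "dependencies": {"plain-crypto-js": "^4.2.1"},
        },
        "node_modules/plain-crypto-js": {
            "version": "4.2.1",
            "resolved": TRUSTED_REGISTRY + "plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",
            "hasInstallScript": True,
        },
        "node_modules/follow-redirects": {
            "version": "1.15.9",
            "resolved": TRUSTED_REGISTRY + "follow-redirects/-/follow-redirects-1.15.9.tgz",
        },
    },
})
CLEAN_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {
            "version": "1.14.0",
            "resolved": TRUSTED_REGISTRY + "axios/-/axios-1.14.0.tgz",
        },
    },
})


def package_name_from_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (handles nesting and scopes)."""
    return path.split("node_modules/")[-1].rstrip("/")


def audit_lockfile(text):
    """Return findings as (package_path, version, reason); advisory hits sort first."""
    lock = json.loads(text)
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("lockfileVersion 1 has no 'packages' map; not handled here")
    findings = []
    for path, meta in packages.items():
        if not path:                      # "" is the root project entry
            continue
        name = package_name_from_path(path)
        version = meta.get("version", "")
        resolved = meta.get("resolved", "")
        if name == "axios" and version in COMPROMISED_AXIOS:
            findings.append((path, version, "compromised axios release"))
        if name == INJECTED_DEPENDENCY:
            findings.append((path, version, "injected dependency from the advisory"))
        if resolved and not resolved.startswith(TRUSTED_REGISTRY):
            findings.append((path, version, "resolved outside the registry: " + resolved))
        if meta.get("hasInstallScript"):
            # Lifecycle scripts are where a dropper gets to run at install time.
            findings.append((path, version, "runs an install script"))
    advisory = {"compromised axios release", "injected dependency from the advisory"}
    findings.sort(key=lambda f: 0 if f[2] in advisory else 1)
    return findings


if __name__ == "__main__":
    # Usage: python audit_lockfile.py [path/to/package-lock.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for path, version, reason in audit_lockfile(text):
        print(f"{path}@{version}: {reason}")
```

Run it against a project's own package-lock.json; a hit on the first two reasons is what the posts describe, while the install-script and non-registry findings are the usual noise to review rather than a verdict.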
Pat Mayer reposted
whatsmyname @whatsmynameproj
Hi #OSINT people. Just a quick 🚨warning note🚨 to let you know that someone is typosquatting on the whatsmyname.xxx domain names. They have made several apps that use the WhatsMyName data from my project but don't give attribution (violating our license), ...
2
5
4
927
Pat Mayer reposted
Thomas Roccia 🤘 @fr0gger_
🚨 Threat Actor Storm-1516 uses uncensored, self-hosted LLMs (Llama-3.1-8B variants: dolphin-2.9, Lexi-Uncensored) to rewrite news & mass produce pro-Russian narratives! They are poisoning current & future AI models with these narratives. Looks like the next phase of influence ops: they are corrupting AI ingestion to manipulate the future information space 🤔 👉 Via @RecordedFuture : recordedfuture.com/research/copyc…
7
98
390
34.5K
Pat Mayer reposted
VMRay @vmray
🚨 Alert: Internet Archive abused as hosting service for stealthy malware delivery

🔍 This delivery chain is another example of legitimate and trusted services being abused for malware delivery: it starts with a JScript loader launching a PowerShell script which then downloads a PNG image file from the Internet Archive (archive.org). The PowerShell loader then extracts and launches an obfuscated .NET loader in memory, which launches Remcos RAT.

In a nutshell:
📜 PowerShell loader launched via JScript pulls .NET loader - embedded in an image - from archive.org
🌐 .NET loader is encoded in RGB values of individual pixels of a Bitmap contained in the original PNG
🔑 .NET loader creates persistence via registry key and launches final Remcos RAT payload
🔐 payload uses "Duck DNS" DynDNS provider for C2

Check out VMRay's Dynamic Analysis report to get insights on behavior and detections: vmray.com/analyses/_vt/6…

Sample SHA256: 655025f2ea7fd15e7ee70b73b2e35f22b399b19130139345344f7a34fd592905
.NET loader SHA256: a777f34b8c2036c49b90b964ac92a74d4ac008db9c3ddfa3eb61e7e3f7c6ee8a
Remcos payload (memory dump) SHA256: ca68cc3f483f1737197c12676c66b7cc9f836ba393ac645aa5d3052f29cdb2e0
4
52
96
13.9K
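The pixel-encoding step in the chain above, as an added example of how an analyst pulls such a payload back out of the image (not VMRay's code and not the sample's own logic): a parser for an uncompressed 24-bit BMP that undoes the bottom-up row order, the BGR channel order and the 4-byte row padding, then scans the recovered byte stream for a PE header. It assumes the simplest encoding, payload bytes written straight into consecutive pixel channels, top-left first; the BMP and the "payload" (a bare MZ/PE header stub, not real malware) are constructed in memory. A real sample may use a different pixel order, a key, or a length prefix, so treat the extractor as the skeleton to adapt.

```python
"""Recover a payload hidden in the RGB bytes of a 24-bit BMP and check for a PE header.

Added example, not VMRay's tooling. The image and the hidden PE stub below are
constructed in memory; the encoding assumed is one byte per pixel channel, top-left first.
"""
import struct

FILE_HEADER = "<2sIHHI"          # magic, file size, reserved, reserved, pixel-data offset
INFO_HEADER = "<IiiHHIIiiII"     # BITMAPINFOHEADER (40 bytes)


def build_bmp(pixels_rgb, width, height):
    """Construct a bottom-up 24-bit BMP from (r, g, b) tuples given top row first (test fixture)."""
    row_bytes = width * 3
    pad = (4 - row_bytes % 4) % 4
    rows = []
    for y in range(height):
        row = pixels_rgb[y * width:(y + 1) * width]
        rows.append(b"".join(bytes((b, g, r)) for r, g, b in row) + b"\x00" * pad)
    pixel_data = b"".join(reversed(rows))          # BMP stores the bottom row first
    offset = 14 + 40
    file_hdr = struct.pack(FILE_HEADER, b"BM", offset + len(pixel_data), 0, 0, offset)
    info_hdr = struct.pack(INFO_HEADER, 40, width, height, 1, 24, 0,
                           len(pixel_data), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixel_data


def extract_rgb_stream(bmp):
    """Return the pixel channels as bytes in R,G,B order, top row first, padding removed."""
    magic, _, _, _, offset = struct.unpack_from(FILE_HEADER, bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled")
    top_down = height < 0                           # negative height = rows stored top first
    height = abs(height)
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3                   # rows are padded to 4-byte multiples
    rows = []
    for y in range(height):
        row = bmp[offset + y * stride: offset + y * stride + row_bytes]
        out = bytearray()
        for i in range(0, row_bytes, 3):            # on-disk order is B,G,R
            out += bytes((row[i + 2], row[i + 1], row[i]))
        rows.append(bytes(out))
    if not top_down:
        rows.reverse()
    return b"".join(rows)


def find_pe(data):
    """Offset of an MZ header whose e_lfanew points at a 'PE\\0\\0' signature, or -1."""
    idx = data.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
            sig = idx + e_lfanew
            if sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\x00\x00":
                return idx
        idx = data.find(b"MZ", idx + 1)
    return -1


def make_pe_stub():
    """Constructed stand-in for a loader: a DOS header with e_lfanew and a PE signature only."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 16


def demo(width=16):
    """Hide the stub behind a few junk bytes, round-trip it through a BMP, and locate it."""
    payload = make_pe_stub()
    stream = b"\x00" * 7 + payload                  # junk prefix: the scan must find it at offset 7
    pixel_count = -(-len(stream) // 3)
    height = -(-pixel_count // width)
    padded = stream + b"\x00" * (width * height * 3 - len(stream))
    pixels = [tuple(padded[i:i + 3]) for i in range(0, len(padded), 3)]
    recovered = extract_rgb_stream(build_bmp(pixels, width, height))
    off = find_pe(recovered)
    return off, recovered[off:off + len(payload)] == payload


if __name__ == "__main__":
    print("payload found at offset %d, intact: %s" % demo())
```

The width 5 case in the test matters: a 15-byte row gets one byte of padding, and an extractor that forgets the stride will return a shifted stream in which the e_lfanew check fails.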
Pat Mayer reposted
Microsoft Threat Intelligence @MsftSecIntel
Microsoft’s Digital Crimes Unit (DCU) shares the insider story of the successful global takedown of Lumma Stealer—a stealthy, customizable malware that quietly infected nearly 400,000 Windows devices worldwide, stealing passwords and sensitive data. msft.it/6010sGHEi
3
32
102
9.6K
Pat Mayer reposted
Windscribe @windscribecom
Our legal battle is over. A few years back, some idiot used our VPN to do idiot things. Greece then decided to charge the Windscribe CEO @yegor for the crimes because it was his name on the VPN server bill. No logs existed of anything. Case dismissed. windscribe.com/blog/windscrib…
115
75
772
325.6K
Pat Mayer reposted
My OSINT Training @myosinttrainer
📣@technisette has just completely updated her very popular Instagram Basics course for 2025, and she's created an all-new 15 minute crash course on Threads! Both are included in our All OSINT Course bundle! See all of our Social Media courses here: myosint.training/collections/so…
0
1
3
540
Cyber Detective💙💛 @cyb_detective
Today my Substack account was blocked (and I don't know what for).
1. Don't forget to export your Substack subscribers
2. Don't forget to archive your Twitter data (any platform can suddenly delete an account)
3. Where would you recommend doing your newsletter now?
4
5
27
2.3K
Pat Mayer reposted
Griffin Glynn @hatless1der
Pretty incredible to see this grow to such a wide audience! I love hearing from people who have found some value in the page, makes me smile every time.
Quoted post from Start.me @startme:

🚨 THE most followed page on our platform ! 🚨@hatless1der's "one-stop shop" is packed with top-tier OSINT content. His passion for #OSINT, #SOCMINT, #GEOINT, and #HUMINT shines through every link. Dive in and discover the best in open-source intelligence! start.me/p/DPYPMz/the-u…
0
7
28
1.7K
Pat Mayer reposted
vx-underground @vxunderground
The wayback machine has been compromised. See you all in HIBP!
474
1.4K
14.5K
5.9M
Pat Mayer reposted
Rohan Paul @rohanpaul_ai
You can crawl an entire website with Claude 3.5 or GPT4 with @firecrawl 💯 It's open-sourced and the code is on GitHub.

- Turn entire websites into LLM-ready markdown or structured data. Scrape, crawl and extract with a single API.
- Crawls all accessible subpages and gives you clean data for each. No sitemap required.
- The greatest benefit is that the extracted data is catered for LLM-based pipelines.
- The API is self-hostable and open source.

Some benefits of firecrawl:
1. handles crawling (with or without sitemaps)
2. runs headless browsers scalably
3. handles bot protections and proxies
4. a team of dedicated engineers to solve the millions of edge-cases on the web for you
5. quality formatting to markdown by default

Beautiful Soup doesn't generalize, that's why we built firecrawl
62
389
3.2K
367.2K
Pat Mayer reposted
Kathryn Hedley @4enzikat0r
My updated #DFIR parseUSBs tool can now auto-resolve Windows permission restrictions for a mounted image & get connected USB info

Steps (Win):
1. Mount volume read-only (eg E:/)
2. Open cmd as Administrator
3. Run: python3 parseUSBs.py -v E:/

github.com/khyrenz/parseu…
0
20
43
4.2K
Pat Mayer reposted
Ax Sharma @Ax_Sharma
A GitHub flaw lets attackers upload executables that appear to be hosted on a company's official repo, such as Microsoft's—without the repo owner knowing anything about it.

The following URLs, for example, make it seem like these ZIPs are present on Microsoft's source code repo:
https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

But they are not. These ZIPs are #malware.

An attacker, while commenting on any GitHub commit/PR, can "attach" a file that gets assigned a URL slug containing the name of the repo where the comment was made. Even if the comment is never actually posted or later deleted by the attacker, the link to the file remains live! And, the repo owner (Microsoft in this case) would have no knowledge of or control over such files.

Threat actors have been abusing this flaw to distribute malicious executables under the false pretense that these are coming from credible organizations' code repos.
49
1.1K
4.9K
792.4K
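The URL shape in the post above is easy to pick out of proxy or mail logs, since comment attachments live under `/<owner>/<repo>/files/<numeric id>/<filename>` rather than under `/releases/`, `/archive/`, `/raw/` or `/blob/`. The following is an added example (not Ax Sharma's or GitHub's tooling) that classifies GitHub URLs by that path shape and escalates attachments with archive or executable extensions. The log lines are constructed: the two attachment URLs are the ones quoted in the post, and the remaining URLs are invented ordinary GitHub paths included for contrast.

```python
"""Flag GitHub comment-attachment URLs in log text.

Added example, not GitHub's or the post author's code. Assumes only the path
shape quoted in the post: /<owner>/<repo>/files/<numeric id>/<filename>.
"""
import re
from urllib.parse import urlparse

# Attachment path shape from the post. Nothing else on github.com uses "/files/<digits>/".
ATTACHMENT_PATH = re.compile(r"^/([^/]+)/([^/]+)/files/(\d+)/([^/?#]+)$")
# Extensions worth escalating when delivered as a comment attachment.
EXECUTABLE_LIKE = (".zip", ".7z", ".rar", ".exe", ".msi", ".iso", ".scr", ".bat", ".ps1")
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+")


def classify_github_url(url):
    """Describe a comment-attachment URL as a dict, or return None for any other URL.

    Defanged hosts ('github[.]com') are normalised first so IOC lists can be fed in as-is.
    """
    parsed = urlparse(url.replace("[.]", "."))
    if parsed.hostname not in ("github.com", "www.github.com"):
        return None
    m = ATTACHMENT_PATH.match(parsed.path)
    if not m:
        return None
    owner, repo, attachment_id, filename = m.groups()
    return {
        "owner": owner,
        "repo": repo,
        "attachment_id": attachment_id,
        "filename": filename,
        "escalate": filename.lower().endswith(EXECUTABLE_LIKE),
    }


def scan_log(lines):
    """Return (line_number, finding) for every comment-attachment URL found in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_IN_TEXT.findall(line):
            finding = classify_github_url(url)
            if finding:
                hits.append((n, finding))
    return hits


# Constructed proxy-log excerpt. Lines 1-2 carry the URLs quoted in the post;
# lines 3-5 are made-up ordinary GitHub paths that must not be flagged.
SAMPLE_LOG = [
    "2024-04-19T10:02:11Z ws-12 GET https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip 200",
    "2024-04-19T10:02:40Z ws-12 GET https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip 200",
    "2024-04-19T10:05:03Z ws-07 GET https://github.com/microsoft/vcpkg/archive/refs/heads/master.zip 200",
    "2024-04-19T10:06:17Z ws-07 GET https://github.com/microsoft/vcpkg/releases/download/v1/vcpkg.zip 200",
    "2024-04-19T10:07:59Z ws-03 GET https://github.com/microsoft/vcpkg/blob/master/README.md 200",
]

if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        flag = "  <-- escalate" if f["escalate"] else ""
        print(f"line {n}: comment attachment under {f['owner']}/{f['repo']}: {f['filename']}{flag}")
```

The classifier deliberately keys on the path alone: the owner and repo in the URL tell you nothing about who uploaded the file, which is the whole point of the post.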
Pat Mayer reposted
vx-underground @vxunderground
Today EUROPOL in conjunction with the Ukraine National Police arrested individuals operating a ransomware group out of Ukraine. The group is believed to be behind the ransoming of 'over 1,000 servers'. They released footage of some of the arrests
19
200
965
131.9K