Preston Thornburg

Socket's Threat Research team has identified a campaign involving 108 Chrome extensions tied to a shared C2 infrastructure collecting user data and enabling browser-level abuse. Observed behaviors across the 108 extensions: • 54 steal Google account identity via OAuth2 • 1 exfiltrates Telegram web sessions every 15 seconds • 1 includes staged Telegram session theft infrastructure • 2 strip YouTube security headers and inject ads • 1 strips TikTok headers and injects ads • 2 inject scripts into every page visited • 1 proxies all translation requests through attacker infrastructure • 45 include a universal browser backdoor that opens arbitrary URLs on startup

O snap

Drift Protocol just released their thread on the $280 million hack It's worse than anyone thought too There was no code exploit. It wasn’t a flash loan. It wasn’t even a traditional key theft. Solana has a feature called "durable nonces" that lets you sign a transaction today but execute it days or weeks later Sound familiar EVM critics? 😏 Think of it like writing a signed check and leaving it in someone's drawer until they decide to cash it. The attacker used this to build a time bomb inside Drift's own governance system. So I was wrong and Solana’s architecture did in fact play a role in this exploit occurring. Similar to how a hacker exploits approvals on EVM chains. Here's how it played out: March 23: The attacker sets up four of these delayed-execution accounts. Two are tied to real Drift Security Council members and two belong to the attacker. At some point, the attacker tricks two of Drift's five council members into signing transactions they didn't fully understand. Blind signing is something I have called out a lot and it is a major issue with many of these chains Drift calls it "transaction misrepresentation” 🤨 But in reality they were socially engineered into signing their own robbery Those signatures sat dormant for nine days! March 27: Drift rotates its security council. New members, fresh setup. Doesn't matter. The attacker compromises two of the five new signers too. April 1: Drift runs a routine test transaction. Sixty seconds later, the attacker cashes those pre-signed checks. Two transactions, four Solana slots apart. Full admin control. Every withdrawal limit removed. Every vault drained. $280 million. Gone. Two out of five signatures is all it took 🤦‍♂️ But also clearly some major planning and patience for this elaborate attack Blind signing Durable nonces which function similarly to approvals Poor key management Insecure infrastructure Everything worked as it was designed to work and this was just an incredibly well orchestrated and thought out attack

🚨 Among the packages that rely on axios: - auth0 - alchemy-sdk - @tavily/core - @slack/web-api - aws-crt - contentful-management - @coinbase/cdp-sdk - postmark - @sap-cloud-sdk/core - fastmcp - mcp-proxy - swagger-client - wagmi - gatsby - wait-on - posthog-node

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

@ZackKorman Why not just leverage new Apple IDs instead? Can iMessage emails.

Please don't use Claude Code's iMessage plugin. Phone numbers can be spoofed, and protection for that isn't always reliable. So you're literally giving the entire world full access to your Claude Code. A phone number doesn’t prove identity.

W

@BarrettJ Great work man, keep going!!💪 💪

Is it a lot of weight? No, not really. But as the skinny computer nerd who waited until age 40 to see the advantage of weight-lifting, 3 sets of 3 reps at 200lb is pretty damn cool. Onwards and upwards!

@atmoio the rise of clawds changes nothing as supercell spam farms (vol) have existed for 10yr+. the real issue is the rise of LLMs (qual) and human gullibility. we trained a generation to laugh at misspelled phishing. for defense, the metadata can be more important than the content.

The internet is dying

this.

BONKfun is back and here’s what happened 👇 On March 11, the BONKfun website was hijacked by a malicious actor via a social engineering targeting our domain service provider. This resulted in the domain being transferred to an external registrar. The domain service provider has accepted responsibility for transfer, and we have confirmed this incident was not the result of any compromise of BONK or BONKfun internal systems, codebase, or team accounts. Upon identifying the breach, we immediately took action to: 1) Disable the site 2) Coordinate with wallet providers to flag the domain as malicious 3) Contain further user impact We’d like to thank @phantom, @solflare, @MetaMask, @_SEAL_Org and all other security partners that helped spread the word quickly. We estimate the total customer losses at $30,000 and we will be reimbursing affected users at 110% of losses to account for opportunity cost. As a result of this social engineering on the domain service provider, the BONKfun domain was transferred to an external registrar, and that transfer greatly inhibited our ability to move quickly with relaunching the site in a secure manner. The domain and domain registration were fully transferred back around 5:00 pm Eastern time on 3/18. Full functionality with major wallet providers was restored late on 3/19, which has now enabled us to safely and securely relaunch the site. The main BONKfun domain is still experiencing flags from several antivirus software providers, we are working to remove these flags as soon as possible. For users experiencing issues with BONK.fun due to anti-virus software, letsBONK.fun is also live now and contains the same functionality as the main site.

This is wisdom. Fantastic writeup. All founders should be reading this.

down goes cloudflare

Scanning skills is a no brainer. Stuff like this is picked up by clawdgawd and flagged immediately for malicious intent

The contents of your files don’t necessarily stay local. In order to serve you, the agents must understand context. All files touched by the agent should be considered at risk of data exposure/leakage/used to train future models. This is why separation is so important. Vibe coding on your daily driver is insanity.

Because it's Cowork, Claude runs code in a sandbox on your machine. Your files stay local. You approve what Claude touches before it acts. It feels pretty magical to give Claude a mission on my computer and getting occasional updates, like creating reports from internal dashboards or finding me a better seat on my next flight. Everything Claude can do on your computer - files, browser, tools - are reachable from wherever you are.

We're shipping a new feature in Claude Cowork as a research preview that I'm excited about: Dispatch! One persistent conversation with Claude that runs on your computer. Message it from your phone. Come back to finished work. To try it out, download Claude Desktop, then pair your phone.

@PressSec @benshapiro Kinda weird to use his name in every paragraph tho 👀

There are many false claims in this letter but let me address one specifically: that "Iran posed no imminent threat to our nation."   This is the same false claim that Democrats and some in the liberal media have been repeating over and over.   As President Trump has clearly and explicitly stated, he had strong and compelling evidence that Iran was going to attack the United States first.   This evidence was compiled from many sources and factors. President Trump would never make the decision to deploy military assets against a foreign adversary in a vacuum.   Iran is the world’s leading state sponsor of terrorism. The Iranian regime is evil. It proudly killed Americans, waged war against our country, and openly threatened us all the way up to the launch of Operation Epic Fury.   Iran was aggressively expanding their short-range ballistic missiles to combine with their naval assets to give themselves immunity – meaning they would have a degree of a capabilities that would give them immunity to hold us and the rest of the world hostage.   The regime aimed to use those ballistic missiles as a shield to continue achieving their ultimate goal – nuclear weapons.   The President, through his top negotiators, gave the regime every single possible opportunity to abandon this unacceptable course by permanently giving up their nuclear ambitions in exchange for sanctions relief, free nuclear fuel, and potential economic partnerships with our country.   But they would not say yes to peace because obtaining nuclear weapons was their fundamental goal.   President Trump ultimately made the determination that a joint attack with Israel would greatly reduce the risk to American lives that would come from a first strike by the terrorist Iranian regime and address this imminent threat to America’s national security interests.   All of this led to President Trump arriving at the determination that this military operation was necessary for U.S. national security, which is why he launched the massively successful Operation Epic Fury. The Commander-in-Chief determines what does and does not constitute a threat, because he is the one constitutionally empowered to do so - and because the American people went to the ballot box and entrusted him and him alone to make such final judgments. And finally, the absurd allegation that President Trump made this decision based on the influence of others, even foreign countries, is both insulting and laughable. President Trump has been remarkably consistent and has said for DECADES that Iran can NEVER possess a nuclear weapon. As someone who actually witnesses President Trump’s decision-making process on a daily basis, I can attest to the fact that he is always looking to do what’s in the best interest of the United States of America — period. America First.

this is something clawdgawd.ai does rather well for claude skill security scanning. huge vector that doesn't get enough love

the urge to run a standalone open sourced model

Learning curve up and to the right with a gig like this

'tax the agents' - andrew yang 🫨