Checkmarx Zero

@checkmarxzero.bsky.social

Specializing in breaking and protecting the building blocks of modern software development. From traditional #AppSec, through #opensource #SupplyChain threats, to #LLM security. https://checkmarx.com/zero/

18 Followers  |  1 Following  |  72 Posts  |  Joined: 25.03.2025  |  2.2719

Latest posts by checkmarxzero.bsky.social on Bluesky

Looking for #LastWeekInAppSec for 5. Aug? We're taking a bye week on it to hang out at #BHUSA and #DEFCON -- look for us to get back on it next week! Meanwhile, keep an eye out for your friendly researchers (and Darren) around Las Vegas.

05.08.2025 21:08 | 👍 1 | 🔁 0 | 💬 2 | 📌 0

Removing leaks from git history is complicated, and may be impossible if you use a hosted git service.

🙅‍♀️ Prevent leaks by running secrets scanners as pre-commit hooks
🔎 Regularly examine your repositories for leaked secrets
👨‍🔧 leaked creds MUST be rotated so the leaked secret is no longer valid

05.08.2025 14:48 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

Why GitHub Commits Aren’t as Private as You Think | HackerNoon
GitHub's repo network can expose deleted or private commits. Learn how forks, SHAs, and metadata can leak your secrets even after cleanup.

This article by Shelkovnikov is a great summary of git commit privacy, and why it's so important to prevent sensitive data from leaking to git. Rewriting git history after you leak a credential doesn't always remove it; you should treat it as essentially impossible to "unleak" data.
buff.ly/sv8gmwb

05.08.2025 14:48 | 👍 1 | 🔁 0 | 💬 1 | 📌 0

Marx Brothers - Password Scene - Horse Feathers - Chico Groucho (1932 #grouchomarx #comedymovies)
Marx Bros Groucho and Chico ham it up in the “Password Scene” from the 1932 comedy classic "Horse Feathers." Groucho “outsmarts” his genial goof brother into spilling the speakeasy password in an…

buff.ly/0O9oeSP

01.08.2025 15:32 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

We're very excited to be at #DEFCON again this year, with an event and a talk in the #AppSecVillage and shenanigans throughout the weekend. If you see one of us, come say "swordfish"

01.08.2025 15:32 | 👍 2 | 🔁 0 | 💬 1 | 📌 0

Vulnerability Hunt - The Snippets Edition | AppSecVillage Raphael Silva

Come play with us at #DEFCON! A couple of our Checkmarx Zero members will be hosting an interactive Vulnerability Hunt challenge pod at #AppSecVillage:

🗓️ Friday 08. Aug 13:00–15:00 : buff.ly/2IL2if8
🗓️ Saturday 09. Aug 13:00–15:00 : buff.ly/cQjPSNG
🗓️ Sunday 10. Aug 11:00–13:00 : buff.ly/4UHc3oM

01.08.2025 14:19 | 👍 1 | 🔁 1 | 💬 0 | 📌 0

Want to see a free, #OpenSource, developer-friendly tool for preventing secrets leaks? Checkmarx Zero's Tal Folkman will be on-site BlackHat #Arsenal (#BHUSA) to demo Too Many Secrets (2MS), available from buff.ly/Yng76l5

Mark your calendar! 2pm (local time) on 6th August, at Arsenal Station 5

31.07.2025 14:13 | 👍 2 | 🔁 2 | 💬 0 | 📌 0

🔒 Patch: Upgrade to BentoML version 1.4.19
🛡️ Implement strict validation for all user-provided URLs, especially in file upload functionalities.
📛 Internal exposure is dangerous; attackers can compromise all hosted code and/or services! (🧵 3/3)

30.07.2025 15:53 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

This allows attackers to force the server to make arbitrary HTTP requests to internal networks, cloud metadata endpoints, and other restricted resources. This feature is explicitly promoted in the documentation, making it a default exposure for deployed services. (🧵 2/3)

30.07.2025 15:53 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

#CVE-2025-54381 → #BentoML versions 1.4.0 to 1.4.18 are vulnerable to an unauthenticated Server-Side Request Forgery (#SSRF) due to improper validation of user-provided URLs in file upload handlers. CVSSv3 base 9.9, EPSS prediction 6.02% buff.ly/0zoOTvB (🧵 1/3)

30.07.2025 15:53 | 👍 0 | 🔁 0 | 💬 1 | 📌 0


Use with caution, be aware it can make things up or "lie", and always put a skeptical and competent human between it and anything important.

30.07.2025 14:42 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

Replit AI's whole recent incident with going rogue and causing problems with deleting databases, making up users, and other frustrating and potentially harmful activities is a good reminder that AI is very far from ready to make decisions on its own.

30.07.2025 14:42 | 👍 1 | 🔁 0 | 💬 1 | 📌 0

Code Execution Through Deception: Gemini AI CLI Hijack | Tracebit
Tracebit discovered a silent attack on Gemini CLI where, through a toxic combination of prompt injection, misleading UX and missing validation, inspecting untrusted code consistently leads to…

This is a pretty cool find by Tracebit – abusing the developer trust, then using prompt injection to get Gemini to silently run malicious commands. Weaponization of this attack would be hard, but we'll see them get more capable and easier to execute. buff.ly/Eh7qF8T #AI #LLM #CyberSecurity

30.07.2025 14:42 | 👍 1 | 🔁 0 | 💬 0 | 📌 0

On July 23, 2025, the popular #NPM package #stylus was mistakenly flagged as malicious. For about 12 hours, builds broke, developers scrambled, and the ripple effects were felt across the JavaScript ecosystem.

What happened? Why did it happen? And what can we learn from it? buff.ly/4uVvajn

29.07.2025 21:08 | 👍 1 | 🔁 0 | 💬 0 | 📌 0

CVE-2025-54371 - GitHub Advisory Database Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data

Popular JavaScript HTTP library #axios is impacted by a serious #vulnerability in a downstream library. The advisory has been withdrawn for Axios itself; bug is still present in the transitive dependency form-data. Fix either by updating axios to 1.11.0, or override form-data to 4.0.4. buff.ly/BhK0lyV

29.07.2025 14:42 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2025-54379 - DevHub LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability…

Go package ekuiper, a moderately popular server and framework for IoT data analytics and stream processing, has a SQL Injection flaw (GHSA-526j-mv3p-f4vv and CVE-2025-54379), allowing attackers to perform damaging SQL operations; the example given drops the users table entirely. buff.ly/jOZPMBT

29.07.2025 14:42 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

It's time for another #LastWeekInAppSec (29. July 2025) -- AppSec items of interest you might have missed in the last week. buff.ly/1b2laNf

29.07.2025 14:42 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

Numeric Truncation Error in sqlite - CVE-2025-6965 - DevHub
There exists a vulnerability in SQLite versions prior to 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue.

Hey! Are you using #SQLite in your project? Time to update to version 3.50.2.
CVE-2025-6965 deals with a memory corruption issue that can lead to application crashes, data loss, or even #RCE via memory overflow.
More details in: devhub.checkmarx.com/cve-details/... #AppSec

25.07.2025 17:38 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

Good news: the `stylus` package has been restored to NPM thanks to the efforts of the package maintainers and NPM reps working together

23.07.2025 16:29 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

UPDATE: it appears one of the dev accounts associated with Stylus published a *different* malicious package; stylus does not appear to have been compromised. The stylus team is updating the community via their project GitHub page, and working with NPM to restore service for the package.

23.07.2025 15:52 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

Dev alert: #stylus npm package flagged as malicious but maintainer disputes it. GitHub advisory vs. contested evidence = confusion. Don’t rush to “fixes” - attackers love chaos! Stick with your security team until there’s solid consensus. #npm #cybersecurity #dev

23.07.2025 12:49 | 👍 2 | 🔁 1 | 💬 2 | 📌 0

Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access
Active SharePoint exploits since July 7 target governments and tech firms globally, risking key theft and persistent access.

🔥 SharePoint #RCE (#CVE-2025-53770) exploited since July 7. Attackers stealing crypto keys via web shells to forge ViewState tokens. 9K+ servers at risk. AppSec lessons: deserialization = danger, and adversaries find bypasses to incomplete patches.

22.07.2025 21:08 | 👍 1 | 🔁 0 | 💬 1 | 📌 0

Grafana security release: Medium and high severity fixes for CVE-2025-6197 and CVE-2025-6023 | Grafana Labs
Today we are releasing security patches for Grafana 12.0.x, 11.6.x, 11.5.x, 11.4.x, and 11.3.x, which include fixes for CVE-2025-6023 and CVE-2025-6197. If you are affected, we recommend that you…

📉 GRAFANA #XSS: CVE-2025-6023 allows Cross-Site Scripting with just anonymous access - no editor permissions needed.

Found via bug bounty, now patched. Good reminder to review content-security-policy.

Details: buff.ly/TyqyIgE

22.07.2025 14:42 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

Critical Vulnerabilities Blue SDK OpenSynergy | PCA Advisory
PCA Cyber Security researchers identified and announced critical vulnerabilities in the Bluetooth stack of Blue SDK. PCA Researchers name the discovered vulnerability chain PerfektBlue. PerfektBlue -…

🚙 #BLUETOOTH STACK ATTACK: PCA Cyber Security found a devastating attack chain in OpenSynergy's #BlueSDK - memory corruption + logic bugs = device compromise for millions of devices. #PerfektBlue

Mobile phones, media devices, cars
#CVE: 2024-45431, 45432, 45433, 45434

Details: buff.ly/oxDZ07L

22.07.2025 14:42 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

🚨 This week in #AppSec: Major Bluetooth stack vulnerabilities affecting millions of devices, NVIDIA container escape flaw, and Grafana XSS requiring only anonymous access. buff.ly/sxy6OAC

Three critical security stories you need to know about 👇

#CyberSecurity #InfoSec #VulnerabilityManagement

22.07.2025 14:42 | 👍 0 | 🔁 0 | 💬 1 | 📌 0

Definitely on our radar; we're identifying and reporting additional malware resulting from this campaign, like bsky.app/profile/chec...

21.07.2025 18:22 | 👍 1 | 🔁 1 | 💬 1 | 📌 0

The got-fetch issue is part of an ongoing and previously reported phishing campaign targeting NPM package maintainers.

21.07.2025 18:01 | 👍 2 | 🔁 0 | 💬 0 | 📌 0

Supply Chain Phishing Campaign Drops More Malware Into NPM: got-fetch 5.1 - Checkmarx
Ariel Harush and Tal Folkman of Checkmarx Zero discover malware in NPM package ‘got-fetch’, resulting from a previously-uncovered phishing campaign targeting NPM developers

🔔 #Malware found in NPM got-fetch (5.1.11-5.1.12); migrate to native `fetch` or upgrade/downgrade to a safe version to avoid this information-stealer malware in this #SoftwareSupplyChain attack. More: buff.ly/H8VFlAc

21.07.2025 18:01 | 👍 5 | 🔁 4 | 💬 1 | 📌 2

#LastWeekInAppSec
⎈ The Kubernetes package manager Helm has a high-severity Code Injection vulnerability CVE-2025-53547.
🚂 The Conductor open-source microservices workflow orchestrator is vulnerable to a Remote Code Execution #RCE (CVE-2025-26074)
More details: buff.ly/BXWkoeF

16.07.2025 14:42 | 👍 0 | 🔁 0 | 💬 0 | 📌 0

Looking for #LastWeekInAppSec? Us too! We had some technical difficulties publishing to our site, which we're working to rectify. Watch this space!

15.07.2025 21:08 | 👍 0 | 🔁 0 | 💬 0 | 📌 0
