Security News
The researcher reached out to BleepingComputer stating that by hijacking these packages he hopes to get a job. Yesterday, a researcher with the pseudonym 'neskafe3v1' reached out to BleepingComputer stating he had taken over fourteen Packagist packages, with one of them having over 500 million installs.
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol that could be weaponized to achieve a denial-of-service condition on vulnerable BGP peers. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms.
On April 25, security researchers Tommy Mysk and Talal Haj Bakry, who are known collectively on Twitter as Mysk, warned users of Google's Authenticator 2FA app to not turn on a new syncing feature. The change came about when Google enabled its 2FA Authenticator app to sync credentials across different devices.
The Google Authenticator 2FA app has featured strongly in cybersecurity news stories lately, with Google adding a feature to let you backup your 2FA data into the cloud and then restore it onto other devices. The six-digit codes commonly generated by 2FA apps get calculated right on your phone, not on your laptop; they're based on a "Seed" or "Starting key" that's stored on your phone; and they're protected by the lock code on your phone, not by any passwords you routinely type in on your laptop.
"We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers," Camp continued. Organizations often recycle aging tech through third-party companies that are charged with verifying the secure destruction or recycling of digital equipment and the disposal of the data contained therein.
The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on Friday.
In yet another sign that Telegram is increasingly becoming a thriving hub for cybercrime, researchers have found that threat actors are using the messaging platform to peddle phishing kits and help set up phishing campaigns. "To promote their 'goods,' phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, 'What type of personal data do you prefer?'," Kaspersky web content analyst Olga Svistunova said in a report published this week.
The answer, our researchers discovered, is that so-called active adversaries might be able to shake loose at least some queued-up data from at least least some access points. The researchers figured out various ways of tricking some access points into releasing those queued-up network packets.
Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383, the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the FabriXss flaw that was fixed by Microsoft in October 2022.
An unknown Chinese state-sponsored hacking group has been linked to a novel piece of malware aimed at Linux servers. "The rootkit has a limited set of features, mainly installing a hook designed for hiding itself."