#pentest


Whoa, this is seriously messed up! Just finished reading an article about the compromised GitHub Action `tj-actions/changed-files`. Get this – over 23k repos were affected! That's a huge deal, right? 😳

Turns out, CI/CD Secrets (think AWS Keys, Tokens, the whole shebang) were snatched. It's CVE-2025-30066 – a full-blown Supply Chain Attack! 💣

So, what happened? Well, the attacker modified the code and tampered with the version tags. Then, the Action diligently packed Secrets into Build-Logs… ouch! 😬

And why is this so bad? Supply Chain, folks! Open Source is fantastic, no doubt, but keeping things in check is absolutely crucial! It kinda reminds me of a Pentest we did where we nearly missed something... 😅

Alright, here's what you gotta do: Update to 46.0.1 *immediately*! Plus, take a look at your workflows from the 14th-15th. I just had this issue pop up with a client... Update done, problem solved! 💪 Also, remember the Least Privilege Principle! Keep a close eye on Open Source stuff, always!

Open-Source Security is still incredibly important! You've got to take Supply Chain risks seriously! Because, security is a continuous process, not a product you just buy! It's like those customers who think ISO 27001 solves all their problems... 🙄

So, have you guys experienced similar horror stories? What tools do you use for Supply Chain Security? What are your biggest Open-Source nightmares? Share them below! 👇
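Added example (editor's addition, not part of the post above and not code from the tj-actions project or GitHub): the post notes that the attacker tampered with the action's version tags, which is why a workflow that references an action by tag rather than by a full commit SHA picks up whatever the tag currently points to. The script below scans a workflow file for action references that are not pinned to a 40-character commit SHA and lists every use of a named action. The sample workflow, the `v45` and `main` references and the SHA in it are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the page). The 40-hex SHA is made up
# to show the pinned form; the tag and branch references are the mutable forms.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
      - run: echo "not a step reference, just text with uses:foo@bar"
"""

# Matches "uses: owner/repo[/path]@ref" at the start of a step line.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s"\']+)'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


def classify_ref(ref: str) -> str:
    """A full commit SHA is immutable; tags and branches can be moved by the upstream."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "branch-or-other"


def find_mutable_action_refs(workflow_text: str) -> List[Dict[str, object]]:
    """Return every action reference that is not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append({"line": lineno, "action": action, "ref": ref, "kind": kind})
    return findings


def uses_of(workflow_text: str, action_name: str) -> List[Dict[str, object]]:
    """All references to one action (pinned or not), to review after an upstream compromise."""
    hits = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1) == action_name:
            hits.append({"line": lineno, "ref": m.group(2), "kind": classify_ref(m.group(2))})
    return hits


if __name__ == "__main__":
    for f in find_mutable_action_refs(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} ({f['kind']}) - pin to a commit SHA")
    for h in uses_of(SAMPLE_WORKFLOW, "tj-actions/changed-files"):
        print(f"tj-actions/changed-files referenced at line {h['line']} via {h['kind']} {h['ref']}")
```

Run it over each file under `.github/workflows/`; anything reported as `tag` or `branch-or-other` is a reference the upstream can repoint without any change in your repository, which is exactly the channel the post describes.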

Hey everyone, does this sound familiar? You install a Python package and suddenly feel like you've been robbed blind? 😂

Right now, there's a nasty campaign going on targeting PyPI, and it's misusing "time" utilities to swipe cloud credentials. Get this – it's already had over 14,000 downloads! The malware hides in packages that are *supposed* to just check the time. But instead, they're snatching cloud keys (AWS, Azure, the works) and sending them straight to the bad guys.

Honestly, it reminds me of a pentest we did where we *almost* missed a similar camouflage trick. Seriously creepy! So, heads up: Double-check your dependencies, run those scans, review your cloud configurations, and above all, be suspicious! And hey, just a friendly reminder: automated scans are no substitute for a manual pentest!

Have you run into anything similar? What tools are you using to beef up your security? Let's chat about it!

Alright everyone, let's talk microsegmentation – seriously crucial, but it's easy to overlook! 🙄 A lot of folks assume a firewall's enough, but what happens when an attacker's *already* inside your network? That's where microsegmentation comes to the rescue. Think of it as having a second, third, or even fourth firewall *within* your network. 💪

Our clients *always* appreciate it when we demonstrate the need for this through penetration tests. Of course, it's often a question of budget, but honestly, security shouldn't be compromised! ☝️

So, how are *you* segmenting your networks? Got any experiences, preferred tools, or insights to share? Let's hear 'em! Go!

Ransomware totally sucks, right? 😡 But ignoring it? That's just not gonna cut it. Just finished watching a webinar, "From Breach to Ransom" – basically, it walks you through how they go from finding a hole in your system to demanding a payout.

And why is this stuff important, you ask? Well, it really shines a light on how attackers *actually* operate. Think exploits, lateral movement within your network... As a pentester, I'm constantly seeing companies get tripped up by outdated software. Honestly, some of it's just mind-blowing! 🤦‍♂️ And let's be real, automated vulnerability scans? Those aren't the same as a proper pentest. Not even close.

So, what are your biggest ransomware worries? I'm curious, share your experiences in the comments below! 👇

Seriously, backups... still such a headache, right? 🤯 Just stumbled across some stats that suggest a ton of companies are WAY overconfident about their recovery readiness. Seriously, WTF?!

Yeah, the cloud's great and all, but let's be real – if you don't have a Plan B (and C, D...), you're toast. Sorry, not sorry, for being blunt. 🙈

As a pentester, I see this all the time: Backups are there, sure, BUT... they've never actually been tested. Or they're secured with super old, outdated credentials. Hello, ransomware! 👹

Here's my two cents: Backups HAVE to be an integral part of your security strategy, not just some afterthought. We're talking regular testing, preferably automated. And those cloud backups? You've gotta double-check those access permissions! Shadow IT is a HUGE risk! ⚠️

What do you guys think? Are backups just a pain in the butt compliance thing, or are they more like a vital insurance policy? 🤔

Alright folks, gotta share something kinda alarming I just read: SSRF attacks are seriously picking up steam! 🤯 For those who don't know, SSRF (Server Side Request Forgery) is nasty business. Basically, attackers can trick your server into making requests *for* them. Think internal network snooping, stealing cloud credentials... you know the drill.

And get this – it's hitting tons of systems at once (DotNetNuke, Zimbra, VMware, GitLab, Ivanti, you name it!). It almost feels like a coordinated attack, doesn't it?

It's especially dicey in the cloud because SSRF can be used to access internal metadata APIs. Yikes!

I'm telling you, I once did a pentest where we almost completely missed an SSRF vulnerability being used to compromise internal AWS resources. It was a super close call! 😅

So, here's what you should do, pronto:

* **Patch like your life depends on it!** (Seriously, this isn't optional)
* **Restrict outgoing connections** (Least Privilege is your best friend here!)
* **Monitor those outgoing requests** (Gotta catch any suspicious behavior)
* **Network segmentation** (This can seriously limit the damage)

AI can be helpful for spotting anomalies, but remember: AI is NOT a pentest! Automated scans are nice, but they're no replacement for actual human expertise.

Are you seeing more SSRF attacks lately? What tools are you using to detect them? Let me know in the comments.
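Added example (editor's addition, not part of the post above): the "restrict outgoing connections" item means the server must only fetch URLs that resolve to public addresses, so that loopback, private ranges and the link-local range used by cloud metadata endpoints are never reachable through a user-supplied URL. The validator below checks scheme, rejects embedded credentials, resolves the host and refuses the request if any resolved address is non-public. The `CONSTRUCTED_DNS` table and `constructed_resolver` stand in for real DNS so the code runs offline; swap in `system_resolver` in production.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable addresses; every internal range is rejected."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:a.b.c.d must be judged by the IPv4 address it embeds
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _literal_ip(host: str) -> Optional[str]:
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def system_resolver(host: str) -> List[str]:
    """Real lookup: every address the name maps to (also normalises odd encodings)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table (not real DNS data) so the example runs offline.
CONSTRUCTED_DNS = {
    "reports.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],
}


def constructed_resolver(host: str) -> List[str]:
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    raise socket.gaierror(f"constructed resolver has no entry for {host}")


def check_outbound_url(
    url: str, resolver: Callable[[str], List[str]] = system_resolver
) -> Tuple[bool, str]:
    """Decide whether the server may fetch this URL; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    literal = _literal_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"unresolvable host {host!r}: {exc}"
        if not addrs:
            return False, f"no addresses for {host!r}"
    # Reject if ANY address is internal: a name that mixes public and private
    # answers must not be allowed to pick the private one at connect time.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"allowed; connect only to {', '.join(addrs)}"


if __name__ == "__main__":
    for u in ("https://reports.example.com/upload", "http://metadata.internal/",
              "http://[::ffff:169.254.169.254]/", "http://127.0.0.1:8080/"):
        print(u, "->", check_outbound_url(u, resolver=constructed_resolver))
```

Two caveats a reviewer would raise: the HTTP client must connect to the address that was validated (otherwise a second lookup can return a different answer), and redirects must be re-validated with the same function, since a public host can redirect to an internal one.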

Steganography's seriously sneaky! Hiding malware *inside* seemingly innocent pictures? Yep, that's a thing. And guess what? Most antivirus software and similar tools? They completely miss it. I just read about how XWorm's doing it: they're using PDF phishing to distribute a REG file, which then triggers PowerShell to pull a DLL payload from an image. BOOM! Data theft's about to happen.

You know, clients I've helped have been so grateful when we've uncovered stuff like this. It's a constant process, though. Always gotta be on the lookout!

So, what do *you* think? Are automated scans enough to catch this stuff, or do we need more human expertise to really stay secure? Let me know what you think!
#ITSec #Pentest #Malware

Chrome Extensions: Masters of Disguise at Work! 🎭

Heads up, folks! There's a seriously nasty new wave of attacks going around: fake Chrome extensions are out there, and they're stealing your data! 😱 These things are so good at mimicking the icons and pop-ups of your favorite add-ons, you might not even realize what's happening. And it affects Chrome, Edge, basically everything!

Here's the really sneaky part: the extension doesn't *immediately* do anything bad. Instead, it quietly figures out which add-ons you're using. Then, BAM! It transforms itself, temporarily disabling the real extension. Next thing you know – login credentials stolen, account gone! 💸

Speaking as a pentester, I've gotta say, this is some impressive social engineering. Automated scans won't catch this stuff because, hey, the extension appears to be "working" just fine. So, a bit of human intelligence and healthy skepticism are absolutely essential here.

My advice? Always take a *very* close look at new extensions before you install them. Double-check the permissions they're asking for! Does it *really* need access to *everything*? And remember, regular pentests are worth their weight in gold.

So, have you had any experiences with these fake extensions? How do *you* protect yourself? What tools do you use to spot suspicious Chrome extensions? Let's share some tips in the comments!
#infosec #pentest #chrome
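Added example (editor's addition, not part of the post above and not a Chrome or Chrome Web Store tool): the post's advice to check what an extension asks for can be turned into a manifest review. The script below parses an extension's `manifest.json`, flags permissions that enable the behaviour described in the post (the `management` permission is what lets an extension enumerate and disable other installed extensions) and reports host access to every site. The sample manifest is constructed, and the risk notes per permission are the editor's selection, not an official ranking.

```python
import json
from typing import Dict, List

# Constructed manifest (not from the page): a harmless-looking add-on that asks
# for far more than a tab organiser could need.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Tab Tidy",
    "version": "1.2.0",
    "permissions": ["storage", "tabs", "management", "cookies", "scripting"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

# Constructed minimal manifest for comparison.
MINIMAL_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Plain Notes",
    "version": "0.1.0",
    "permissions": ["storage"],
})

# Editor's notes on why each permission matters; not an official Chrome risk list.
RISKY_PERMISSIONS = {
    "management": "can enumerate and disable other installed extensions",
    "cookies": "can read session cookies for hosts it has access to",
    "webRequest": "can observe requests, including credentials in transit",
    "declarativeNetRequest": "can rewrite or block traffic",
    "scripting": "can inject scripts into pages it has host access to",
    "tabs": "can read URLs and titles of open tabs",
    "clipboardRead": "can read clipboard contents",
    "nativeMessaging": "can talk to native programs on the host",
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def review_manifest(manifest_json: str) -> Dict[str, object]:
    """Summarise the permissions an extension requests and whether they need a closer look."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    if m.get("manifest_version", 2) < 3:
        # Manifest V2 lists host match patterns inside "permissions"
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = [p for p in sorted(perms) if p in RISKY_PERMISSIONS]
    broad = sorted(h for h in hosts if h in BROAD_HOSTS)
    findings = [f"{p}: {RISKY_PERMISSIONS[p]}" for p in risky]
    if broad:
        findings.append(f"host access to every site via {', '.join(broad)}")
    return {
        "name": m.get("name"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        "can_disable_other_extensions": "management" in perms,
        "needs_review": bool(risky or broad),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("minimal", MINIMAL_MANIFEST)):
        r = review_manifest(text)
        print(f"{label}: {r['name']} needs_review={r['needs_review']}")
        for line in r["findings"]:
            print("  -", line)
```

Point it at the unpacked extension directory (the manifest sits at its root) before installing, or at the manifests under the browser profile's extensions folder for what is already installed; an add-on whose stated purpose is small but whose manifest reports `management` plus broad host access is the pattern the post describes.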

Alright folks, let's talk AI. It's cool and all, but a lot of people are overlooking something crucial: Security *has* to be baked in from the start! Seriously, you can't just add it later when things go south.

I just had a client who was all, "Oh, we'll worry about security down the road." Well, guess what? Data breach and a *massive* fine. Devs need to be embracing security, not just ticking it off a list. Oh, and automated scans? They are *not* a substitute for a real pentest!

So, what do you think is the biggest hurdle when it comes to weaving security into the development process? I'm curious to hear your thoughts.

Whoa, this week was a total rollercoaster in cybersecurity! 🤯 Seriously, state-sponsored hackers, ransomware attacks, and phishing attempts were all over the place. Things are definitely escalating quickly! 💣

Sure, a firewall is important – no doubt about it. But honestly, it's just not enough these days. We've gotta build awareness, learn to spot patterns, and connect the dots. 🧩 Otherwise, vendors will just keep pushing solutions we don't even need. 🙄 It is important to start thinking more critically about that.

You know, binary whitelisting is a relatively easy win when dealing with "Living off the Land" attacks! 💪 And by the way, Open Source totally rocks! 🤘

So, what are your biggest cybersecurity worries right now? 🤔 Let's chat about it! What keeps you up at night?

#infosec #pentest #cybersecurity

Ragnar Loader... another one of those things you see and initially think, "Okay, nothing special." But then you realize just how wild this thing really is. 😅

Loaders aren't exactly groundbreaking, but Ragnar Loader seriously takes it to the next level. Various ransomware gangs are using it almost like a "Malware-as-a-Service" platform. And get this – they're constantly developing and improving it. 🤯

Reverse shell capabilities, privilege escalation, stealth... it's got the works. As a pentester, sadly, you see this kinda stuff all the time. It just highlights how crucial security awareness and routine checks really are. Updates are non-negotiable! And yeah, I know, "Updates are annoying," but hey, I think paying a ransom is even more annoying. 🤷‍♂️

What's your take on this? Are automated vulnerability scans enough, or do we need to step it up? #infosec #pentest #ragnarloader

Whoa, check this out! 🤯 A million devices infected via malvertising! Seriously scary stuff. You know, those illegal streaming sites? Total playground for cybercriminals.

Malvertising is a real nasty piece of work, isn't it? They sneak malware in through ads. Gotta remember: even "free" stuff comes with a cost, right?

This Lumma Stealer thing grabs your passwords, and these RATs (Remote Access Trojans) let them control your system remotely. And get this – they're abusing GitHub to host the malware. Ugh. 😒

It actually reminds me of a pentest we did where we almost missed an attack chain just like this. You really gotta stay vigilant! ☝️

So, what does it mean for you? Well, a firewall's great, but it's not a magic bullet. Double-check your downloads, and be super skeptical of any links.

Microsoft's calling these guys "Storm-0408." Apparently, they're using PowerShell, messing with Defender, and even faking AI chatbot sites! 🤖 Sneaky!

Bottom line: steer clear of those shady streaming sites. Be wary of links! Keep your antivirus updated. Keep an eye on PowerShell. And most importantly: run regular pentests! 🔒

Ever had a run-in with malvertising? How do *you* stay safe? 🤔 Share your tips!

If you're using the #Cubro EXA48200 network packet broker, you should update to V5.0R14.5P4-V3.3R1.

Our expert, Tim Wörner, discovered a broken access control vulnerability in the user management API, which leads to privilege escalation (CVE-2024-55570).

📌 Read the full details here: herolab.usd.de/en/security-adv

usd HeroLab advisory usd-2024-0014 - Cubro | Advisory ID: usd-2024-0014 | Product: Cubro EXA48200 Web GUI | Vulnerability Type: Broken Access Control (CWE 749)
#CVE #AppSec #InfoSec

AppSec – Let's be real, it can be a real headache, right? 😩 Everyone's constantly preaching about how crucial it is, but honestly, who actually tells you *how* to do it right? So, have you heard about ASPM (Application Security Posture Management)? I know, it sounds like just another buzzword, but it might genuinely be a game-changer.

Essentially, it's all about getting your AppSec tools to play nice together. We're not just talking about sifting through reports. It's about getting that holistic view. You know, when I'm doing pentests, I often see companies drowning in security tools, but nobody seems to know what actually matters. 🤷‍♂️ It's a mess!

Now, ASPM could actually help you spot and fix vulnerabilities super early – *before* those threat actors even get a chance to strike. And you know what? Clients are always so grateful when I don't just point out the problems, but also offer some solid solutions. 🙏 I love that!

So, are you folks already using ASPM or similar tools? I'd really like to know what your experiences have been. Or is it just another hype train we're all jumping on? 🤔