Attacks & Vulnerabilities
Hacktivists claim to have hacked Homeland Security to release ICE contract data (2 minute read)
Hacktivist group "Department of Peace" claims to have breached a DHS tech-procurement office, leaking ICE contract records involving over 6,000 vendors, including major defense and surveillance firms. The data exposes contract values and detailed contact information, sharpening doxxing, targeting, and supply-chain risks for companies embedded in the US immigration enforcement infrastructure.
Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities (3 minute read)
Google's March 2026 Android security update patches 129 vulnerabilities, the highest monthly count since April 2018, including an actively exploited Qualcomm zero-day (CVE-2026-21385) affecting 234 chipsets. Google's Threat Analysis Group reported a high-severity memory-corruption flaw in an open-source Qualcomm display component in December, and fixes were made available to OEMs in January. Android device users should apply security updates as they become available from their device manufacturers.
Please, please, please stop using passkeys for encrypting user data (4 minute read)
Using passkeys' WebAuthn PRF (Pseudo-Random Function) extension to derive encryption keys for E2EE (End-to-End Encrypted) data dangerously couples data availability to authentication credentials, dramatically increasing the "blast radius" of routine credential loss or deletion. Common password-manager UIs don't clearly communicate that deleting a passkey may permanently orphan encrypted backups, so users can recover their account via other methods yet still be unable to decrypt or restore their data—effectively a self-inflicted, irreversible data-loss scenario. If you must use PRF, add prominent up-front warnings and support documentation, and push credential managers to show explicit deletion warnings for PRF-enabled passkeys.
The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting (18 minute read)
A long-standing TOCTOU flaw in Node.js ClientRequest.path allows attackers to bypass CRLF validation by mutating the path after construction but before _implicitHeader() serializes the request line, enabling header injection, body injection, and full HTTP request splitting across popular proxy and HTTP client libraries with roughly 160M combined weekly downloads. The post traces the original CVE-2018-12116 fix to pinpoint the remaining design gap, demonstrates practical exploits against common proxy patterns, and contrasts vulnerable libraries with those whose architectures naturally close the window. Node.js considers this out of scope for its threat model, shifting responsibility to library authors and application developers, who are urged to re-validate paths, avoid exposing raw ClientRequest objects before flushing, and audit code where user input flows into req.path or proxyReq.path during this critical window.
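
The re-validation the post asks library and application authors for can be made mechanical. The following is an added example, not code from the article or from Node.js: it turns `path` into a validating accessor so that a later assignment cannot slip CR/LF past the constructor's check, percent-encodes user-controlled segments during a proxy-style rewrite, and re-checks once more immediately before headers are flushed. The character rule is the one Node's ClientRequest constructor applies (anything outside 0x21-0xFF is rejected); `guardRequestPath`, `rewriteUpstreamPath` and `flushValidated` are names chosen for this example.

```javascript
// Added example (not from the article): closing the window between path
// validation and serialization by validating on every write to `path`.

// Same character rule as Node's ClientRequest constructor: anything outside
// 0x21-0xFF (CR, LF, space, other control and non-Latin-1 characters) is rejected.
const INVALID_PATH_REGEX = /[^\u0021-\u00ff]/;

function assertSafePath(path) {
  // The empty-string check is this example's addition; Node itself defaults "" to "/".
  if (typeof path !== 'string' || path.length === 0 || INVALID_PATH_REGEX.test(path)) {
    throw new TypeError(`Request path contains unescaped characters: ${JSON.stringify(path)}`);
  }
  return path;
}

// Replace the plain `path` field with an accessor that validates on assignment.
// http.ClientRequest stores `path` as an ordinary own property, so this applies
// to a real request object as well as to the plain stand-in used in testing.
function guardRequestPath(req) {
  let current = assertSafePath(req.path);
  Object.defineProperty(req, 'path', {
    configurable: true,
    enumerable: true,
    get() { return current; },
    set(value) { current = assertSafePath(value); },  // rejected writes keep the old value
  });
  return req;
}

// Proxy-style rewrite: user-controlled pieces are percent-encoded before they
// reach the request line, and the guarded setter validates the result.
function rewriteUpstreamPath(req, prefix, userSegment, query) {
  const qs = Object.entries(query || {})
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  req.path = `${prefix}/${encodeURIComponent(userSegment)}${qs ? '?' + qs : ''}`;
  return req.path;
}

// Last-chance check for code that cannot guard the object, e.g. a ClientRequest
// handed back by a library: validate, then flush so nothing can change it afterwards.
function flushValidated(req) {
  assertSafePath(req.path);
  if (typeof req.flushHeaders === 'function') req.flushHeaders();
  return true;
}
```

Wrapping the request in `guardRequestPath()` right after `http.request()` returns, and calling `flushValidated()` before handing the object to anything else, covers both halves of the window the post describes: the write and the serialization.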
Capture the Kerberos Flag: Detecting Kerberos Anomalies (8 minute read)
Kerberos TGT requests generate Windows event ID 4768, which records a wealth of information about the request. Defenders can compare the request's ticket option flags against those commonly set by tools such as Metasploit, those included in IoCs from malware campaigns, or those that differ from an established baseline to identify suspicious activity. This post includes a breakdown of the flags and a KQL query for hunting suspicious ones.
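
The baseline comparison can be prototyped outside a SIEM. The following is an added example, not the post's KQL query: it decodes the TicketOptions bitmask of a 4768 event into flag names (bit numbering as in Microsoft's documentation for the event, bit 0 being the most significant bit of the 32-bit value), builds a baseline from known-good events, and reports any request whose flag set is absent from the baseline along with the flags that differ from the nearest baseline entry. The event records are constructed samples, and `decodeTicketOptions`, `buildBaseline` and `huntTicketOptions` are names chosen for this example; the same function with a set of tool fingerprints instead of a baseline gives the "known-bad" comparison the post also describes.

```javascript
// Added example (not from the post). Bit names follow Microsoft's 4768
// documentation; bit 0 is the most significant bit of the 32-bit TicketOptions.
const TICKET_OPTION_BITS = {
  0: 'Reserved', 1: 'Forwardable', 2: 'Forwarded', 3: 'Proxiable', 4: 'Proxy',
  5: 'Allow-postdate', 6: 'Postdated', 7: 'Invalid', 8: 'Renewable',
  9: 'Initial', 10: 'Pre-authent', 11: 'Opt-hardware-auth',
  12: 'Transited-policy-checked', 13: 'Ok-as-delegate', 14: 'Request-anonymous',
  15: 'Name-canonicalize', 26: 'Disable-transited-check', 27: 'Renewable-ok',
  28: 'Enc-tkt-in-skey', 30: 'Renew', 31: 'Validate',
};

// "0x40810010" -> ['Forwardable', 'Renewable', 'Name-canonicalize', 'Renewable-ok']
function decodeTicketOptions(hexValue) {
  const value = Number.parseInt(hexValue, 16) >>> 0;
  if (Number.isNaN(Number.parseInt(hexValue, 16))) throw new TypeError(`bad TicketOptions: ${hexValue}`);
  const flags = [];
  for (let bit = 0; bit < 32; bit++) {
    if ((value >>> (31 - bit)) & 1) flags.push(TICKET_OPTION_BITS[bit] ?? `Bit${bit}`);
  }
  return flags;
}

// Baseline: the distinct flag combinations seen in known-good traffic, stored
// as canonical strings so a lookup is an exact set comparison.
function buildBaseline(events) {
  return new Set(events.map(e => decodeTicketOptions(e.TicketOptions).join('|')));
}

// Report every request whose option set is absent from the baseline, with the
// flags that differ (+extra / -missing) from the closest baseline entry.
function huntTicketOptions(events, baseline) {
  const baselineSets = [...baseline].map(s => new Set(s.split('|')));
  const findings = [];
  for (const e of events) {
    const flags = decodeTicketOptions(e.TicketOptions);
    if (baseline.has(flags.join('|'))) continue;
    let deviation = null;
    for (const b of baselineSets) {
      const extra = flags.filter(f => !b.has(f)).map(f => `+${f}`);
      const missing = [...b].filter(f => !flags.includes(f)).map(f => `-${f}`);
      const diff = [...extra, ...missing];
      if (deviation === null || diff.length < deviation.length) deviation = diff;
    }
    findings.push({ user: e.TargetUserName, ip: e.IpAddress, ticketOptions: e.TicketOptions, flags, deviation });
  }
  return findings;
}

// Constructed sample events (fields as they appear in a 4768 record).
const KNOWN_GOOD = [
  { TargetUserName: 'alice',      IpAddress: '::ffff:10.0.0.21', TicketOptions: '0x40810010' },
  { TargetUserName: 'bob',        IpAddress: '::ffff:10.0.0.22', TicketOptions: '0x40810010' },
  { TargetUserName: 'svc-backup', IpAddress: '::ffff:10.0.0.5',  TicketOptions: '0x40800000' },
];
const TODAY = [
  { TargetUserName: 'alice', IpAddress: '::ffff:10.0.0.21', TicketOptions: '0x40810010' },
  { TargetUserName: 'carol', IpAddress: '::ffff:10.0.0.77', TicketOptions: '0x50800000' },
];
```

Running `huntTicketOptions(TODAY, buildBaseline(KNOWN_GOOD))` on the constructed samples returns one finding for `carol` with a deviation of `+Proxiable`. In practice the baseline should be built per source population (workstations, servers, service accounts), since their normal option sets differ, and a finding is a prompt to look at the client, not a verdict.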
AWS Security Hub Extended offers full-stack enterprise security with curated partner solutions (2 minute read)
AWS Security Hub Extended introduces a unified, full-stack security plan that bundles AWS-native detections with curated partner tools across endpoints, identity, email, data, network, browser, cloud, AI, and SecOps. It standardizes findings via OCSF, centralizes them in Security Hub, and offers pay-as-you-go procurement with AWS as seller of record.
Digibastion (GitHub Repo)
Digibastion is an open-source Web3 security platform that centralizes threat intel, OpSec assessments, best-practice checklists, and tooling to help protect crypto users from phishing, scams, and technical risks.
Sage (GitHub Repo)
Safety for Agents (Sage) is a lightweight agent detection and response layer for AI agents that guards commands, files, and web requests.
An interactive intro to Elliptic Curve Cryptography (14 minute read)
This is a technical primer on how elliptic curve cryptography works. ECC's security comes from the one-way nature of scalar multiplication, rather than from the hardness of the Elliptic Curve Discrete Logarithm Problem, while enabling much smaller keys than RSA for comparable security. The post walks through the mechanics behind point addition, finite-field arithmetic, ECDH, ECDSA, and ECIES, and highlights a key operational risk: reused ECDSA nonces can leak private keys. For security professionals, the actionable takeaway is to prefer well-vetted modern curves and implementations, ensure strong nonce handling and key generation, and remember ECC remains efficient and widely deployed today but is not post-quantum safe.
Pakistan's Top News Channels Hacked and Hijacked With Anti-Military Messages (3 minute read)
Multiple major Pakistani news channels, including Geo News, ARY News, and Samaa TV, had their satellite feeds hijacked on March 1 to display anti-military messages during peak Ramadan viewing hours. Attackers compromised the PakSat satellite beams and live feeds. The breach triggered retaliatory cyberattacks from a group called Pakistan Cyber Force against Indian media outlets. Authorities are investigating the coordinated incident, which also reportedly affected websites across 19 countries through unauthorized Google ad campaigns.
Unprecedented GitHub Hacking Spree: "Security Research" AI Bot Compromises Major Repos (3 minute read)
Researchers from StepSecurity have uncovered an automated hacking bot, dubbed "hackerbot-claw," which claims to have scanned over 47k repositories for security vulnerabilities but has actually exploited vulnerabilities to compromise 6 popular open-source projects. The compromised projects include repositories from DataDog, Microsoft, and Aqua Security. Aqua Security renamed and made Trivy private after the bot fully compromised it.