WHEN UPDATES BACKFIRE (DESPITE GOOD INTENTIONS): Researchers traced the exploit to a "race condition" triggered by rapid HTTP(S) requests, where barely timed headers let hackers impersonate the "crushadmin" user. The exploit went live shortly after a code update intended to fix an unrelated AS2 bug, unintentionally revealing the flaw to attackers. Over 30,000 installations were at risk, and as of late July about 1,000 remained unpatched, even though fixes were available. This basically turned a housekeeping update into a zero-day weapon. And it highlights a vital lesson: even minor code changes can create major security gaps, and patching must be relentless. https://lnkd.in/ek_SWkkW #auguryit #zerodays #patching #security
How a housekeeping update turned into a security exploit
WHEN UPDATES BACKFIRE (DESPITE GOOD INTENTIONS): Researchers traced the exploit to a "race condition" triggered by rapid HTTP(S) requests, where barely timed headers let hackers impersonate the "crushadmin" user. The exploit went live shortly after a code update intended to fix an unrelated AS2 bug, unintentionally revealing the flaw to attackers. Over 30,000 installations were at risk, and as of late July about 1,000 remained unpatched, even though fixes were available. This basically turned a housekeeping update into a zero-day weapon. And it highlights a vital lesson: even minor code changes can create major security gaps, and patching must be relentless. Otherwise, enjoy your Labor Day weekend, friends. https://lnkd.in/ggb8PfJA #auguryit #cysec #patching
🚨 A new critical vulnerability in Wing FTP Server (CVE-2025-47812) is being actively exploited by attackers. This flaw allows remote code execution, giving hackers the ability to run malicious Lua scripts, create backdoor accounts, and steal data. 👉 The takeaway? Once attackers get execution rights, it’s already too late. Detect-and-respond strategies leave businesses scrambling after the damage begins. In our latest blog, we break down what happened, why this vulnerability is so dangerous, and why the security community needs to push harder toward isolation and containment strategies that stop attacks before they execute. 🔒 Staying informed is the first step. Protecting against these evolving threats requires rethinking the way we approach endpoint security. Read the full blog here 👇 https://buff.ly/0vrIQdL #cybersecurity #ransomware #endpointsecurity #dataprotection #zeroday #securityawareness #AppGuard #AppGuardistheAnswer #infosec #CHIPS
🚨The npm ecosystem just suffered one of the most serious supply-chain attacks to date.

What happened: Attackers hijacked a trusted maintainer's account and injected malware into widely used npm packages.

Impact: These packages see 2.6 billion weekly downloads. The payload executed in users' browsers, silently rewriting payment destinations and approvals to attacker-controlled accounts, all while keeping the interface looking normal.

How to mitigate:
Update dependencies: upgrade to safe versions and pin where possible
Rebuild clean: clear caches and pull only from trusted sources
Audit behavior: look for suspicious install scripts, network activity, or obfuscated code
Monitor runtime: detect if malicious code actually executes in your environment

Why this matters: Traditional scanning tools flag files, but they can't always tell you what's truly dangerous. At Sweet, we focus on what actually runs at runtime, so you can cut through the noise, see what's really at risk, and respond before damage is done. Read more here: https://hubs.li/Q03Hpvql0 #SupplyChainAttack #SweetSecurity #cloudsecurity #RuntimeCNAPP #phishing
Sharing in case you missed it: our CTO Tomer Filiba wrote a great breakdown on a new kind of supply chain attack that recently hit the npm ecosystem. If you haven’t had the chance to read it yet, now’s a great time to catch up 👇
I recently performed a penetration test on the HTB-Valentine machine, which highlighted the critical risks of legacy vulnerabilities and weak operational security. The full compromise of the system was an interesting journey:
1. Initial Access: The primary entry point was the Heartbleed vulnerability (CVE-2014-0160). I was able to exploit this flaw to extract a base64-encoded passphrase from the server's memory.
2. User-Level Access: Using the passphrase, I decrypted an SSH private key that was found in a publicly accessible web directory. This gave me a shell as the user hype.
3. Privilege Escalation: From there, I discovered a persistent tmux session owned by root, which allowed me to attach and gain full root privileges.
This exercise is a strong reminder that defense-in-depth is essential. A single outdated component, combined with poor key management and session control, can be all a threat actor needs. #cybersecurity #pentesting #vulnerability #heartbleed #infosec #hackerone
According to recent data, more than 23,600 vulnerabilities were published in the first half of 2025 alone, representing a 16% increase over 2024. This alarming trend has seen sophisticated threat actors, including nation-state groups and ransomware operators, weaponizing unknown vulnerabilities faster than ever before. Nearly 30% of Known Exploited Vulnerabilities (KEVs) were weaponized within 24 hours of disclosure, with some high-profile edge devices experiencing zero-day exploitation before patches were even available. https://lnkd.in/gReDh3af
CrowdStrike is back in the spotlight following recent headlines like "CrowdStrike Hacked." What really happened? 🤔

The crowdstrike-publisher npm account for CrowdStrike was compromised as part of the ongoing "Shai-Hulud" supply chain attack, which is similar to the earlier TinyColor incident. Attackers published malicious versions of several packages that included a bundle.js script (SHA-256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09) 📦. This malware employs TruffleHog to scan for exposed secrets 🔍, validates them, creates unauthorized GitHub Actions for persistence, and exfiltrates data to a webhook 🌐.

The following packages and their affected versions were identified:

| Package Name | Affected Version(s) |
|---|---|
| @crowdstrike/commitlint | 8.1.1, 8.1.2 |
| @crowdstrike/falcon-shoelace | 0.4.2 |
| @crowdstrike/foundry-js | 0.19.2 |
| @crowdstrike/glide-core | 0.34.2, 0.34.3 |
| @crowdstrike/logscale-dashboard | 1.205.2 |
| @crowdstrike/logscale-file-editor | 1.205.2 |
| @crowdstrike/logscale-parser-edit | 1.205.1, 1.205.2 |
| @crowdstrike/logscale-search | 1.205.2 |
| @crowdstrike/tailwind-toucan-base | 5.0.2 |

In response, npm removed the compromised packages 🚫, and CrowdStrike rotated their keys 🔑. They conducted an investigation in collaboration with npm and confirmed that there was no impact on their Falcon platform (which is great news for the Falcon users). To mitigate risks, affected users should uninstall the compromised versions, audit their environments and CI/CD pipelines, rotate any exposed secrets, and keep an eye out for suspicious activity 👀. This incident has certainly cast doubt on the reliability of using open-source code and raised questions about the security of its ecosystem ⚠️. #CrowdStrike #Cybersecurity #Cybercrime More on: https://lnkd.in/dkuY2cNy
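The mitigation steps in the Sweet post above (upgrade and pin, audit for install scripts) and the affected-version table in the CrowdStrike post both come down to the same check a practitioner has to run against a real project. The following is an added example, not code from either post, from Sweet, or from CrowdStrike: a Node script that audits a parsed package-lock.json (lockfile v2/v3 layout, where every installed package is keyed by its node_modules path) against a blocklist of known-compromised versions, flags any package npm has marked with `hasInstallScript` (the field npm writes when a package declares a preinstall/install/postinstall hook), and lists dependencies in package.json that are not pinned to an exact version. The blocklist is built from the @crowdstrike versions listed in the post; the lockfile and package.json are constructed samples.

```javascript
// Added example, not code from either post above: audit an npm project the way
// the mitigation steps describe, using only the data already in the lockfile.

// Blocklist built from the affected @crowdstrike versions listed in the post.
const BLOCKLIST = {
  "@crowdstrike/commitlint": ["8.1.1", "8.1.2"],
  "@crowdstrike/falcon-shoelace": ["0.4.2"],
  "@crowdstrike/foundry-js": ["0.19.2"],
  "@crowdstrike/glide-core": ["0.34.2", "0.34.3"],
  "@crowdstrike/logscale-dashboard": ["1.205.2"],
  "@crowdstrike/logscale-file-editor": ["1.205.2"],
  "@crowdstrike/logscale-parser-edit": ["1.205.1", "1.205.2"],
  "@crowdstrike/logscale-search": ["1.205.2"],
  "@crowdstrike/tailwind-toucan-base": ["5.0.2"],
};

// Constructed sample lockfile (v3 layout): one compromised package that also
// runs an install script, one nested package at a clean version, one ordinary dep.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@crowdstrike/foundry-js": { version: "0.19.2", hasInstallScript: true },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/@crowdstrike/commitlint": { version: "8.1.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (nested installs included)
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk every installed package and report blocklist hits and install scripts.
function auditLockfile(lock, blocklist) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = packageNameFromPath(lockPath);
    const version = meta.version;
    const bad = blocklist[name] || [];
    if (bad.includes(version)) {
      findings.push({ name, version, lockPath, reason: "known-compromised version" });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, version, lockPath, reason: "runs an install lifecycle script" });
    }
  }
  return findings;
}

// A dependency counts as pinned only when its range is an exact semver version
// (no ^, ~, x, *, or comparison operators).
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function findUnpinnedDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, range]) => !EXACT_VERSION.test(range))
    .map(([name]) => name);
}

// Constructed sample package.json.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "@crowdstrike/foundry-js": "~0.19.2", "left-pad": "1.3.0" },
  devDependencies: { "some-lib": "^2.0.0" },
};

for (const f of auditLockfile(SAMPLE_LOCK, BLOCKLIST)) {
  console.log(`${f.reason}: ${f.name}@${f.version} (${f.lockPath})`);
}
console.log("unpinned:", findUnpinnedDependencies(SAMPLE_PACKAGE_JSON).join(", "));
```

Run it against a real project by replacing the two sample objects with `JSON.parse` of the project's package-lock.json and package.json. The lockfile walk matters more than a dependency-tree walk because it sees nested copies (the `some-lib/node_modules/...` entry) that a top-level check would miss; the install-script flag is worth reviewing even for packages not on any blocklist, since that hook is where a poisoned release gets to execute at install time.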
#EDR is out of date. https://lnkd.in/e5f54uqn LineGuard is a different approach. We wouldn't stop the disk read, but we would have stopped the C&C lookup from the malware to instruct it to perform the read or upload the data.
📣 ⚠️ WinRAR Faces Actively Exploited Zero-Day Vulnerability A critical zero-day flaw (CVE-2025-8088) in the widely used WinRAR archive utility has been actively exploited by attackers using malicious archive files to gain code execution on Windows systems. This vulnerability enables a path traversal attack that could drop malware onto compromised systems. The issue has been patched in WinRAR version 7.13, but as WinRAR doesn't auto-update, users must manually install the patch. 🛡️ Update to WinRAR 7.13 now to block active attacks. 🔗 https://lnkd.in/giAmvR9e 📅 Published by The Hacker News | August 11, 2025 #XplicitTech #CyberSecurity #WinRAR #ZeroDay #PatchNow #SoftwareSecurity #ThreatAlert
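The bug class the post names, an archive entry whose stored name walks out of the extraction directory, is something any extractor has to vet before it writes a file. As an added example that is not code from the post, from The Hacker News, or from WinRAR, and makes no claim about the internals of the CVE above, here is the normalisation step an extractor can apply to each entry name: backslashes are treated as separators, a drive prefix or leading slash is dropped, NTFS stream syntax is refused, and any `..` that would climb above the extraction root rejects the entry outright. The entry names are constructed samples.

```javascript
// Added example, not code from the post or from WinRAR: vet an archive entry's
// stored name before writing it under the extraction root.

// Reduce a stored entry name to a clean relative path, or return null when the
// entry must be refused because it cannot be kept inside the extraction root.
function normaliseEntryName(name) {
  let n = name.replace(/\\/g, "/");      // Windows archives may store backslashes
  n = n.replace(/^[A-Za-z]:/, "");       // drop a drive prefix such as C:
  if (n.includes(":")) return null;      // refuse NTFS stream syntax (file.txt:stream)
  n = n.replace(/^\/+/, "");             // an absolute path becomes relative to the root
  const parts = [];
  for (const part of n.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") {
      if (parts.length === 0) return null; // would climb above the extraction root
      parts.pop();
      continue;
    }
    parts.push(part);
  }
  return parts.length ? parts.join("/") : null;
}

// Classify a whole listing so the caller can abort before extracting anything.
function classifyEntries(names) {
  return names.map((name) => {
    const target = normaliseEntryName(name);
    return { name, target, safe: target !== null };
  });
}

// Constructed sample listing: one ordinary file plus the traversal patterns
// this bug class relies on (parent-directory climb, absolute path, drive
// prefix, in-bounds "..", and an alternate data stream name).
const SAMPLE_ENTRIES = [
  "docs/readme.txt",
  "..\\..\\..\\Users\\Public\\Start Menu\\Programs\\Startup\\update.exe",
  "/etc/cron.d/job",
  "C:\\Windows\\Temp\\x.dll",
  "a/../b/c.txt",
  "report.pdf:payload.exe",
];

for (const e of classifyEntries(SAMPLE_ENTRIES)) {
  console.log(`${e.safe ? "ok     " : "REFUSED"} ${e.name}${e.safe ? " -> " + e.target : ""}`);
}
```

The function is deliberately a whitelist of what may be written, not a search for bad substrings: an entry either reduces to a path strictly inside the root or it is refused. A stricter policy is also reasonable, for example refusing absolute names and any `..` segment at all instead of rewriting them, and the returned target should still be joined to the extraction root and re-checked with the platform's real path resolution before the file is opened, since symlinks created by earlier entries can redirect later writes.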