Intro
Hey everyone!
My son was born this weekend, and I’m incredibly proud! I spent a few days in the hospital taking care of my wife and our little one. I’m proud of both of them — the birth went smoothly, and they both did an amazing job. That’s why this edition is a little later than usual.
In the coming months, I may have less time for my side projects, but to keep this project alive, I’ve automated a few additional steps in the process of releasing DevSec Selection. So, I’m not expecting any issues with future releases.
In this edition, you’ll find some cool research conducted by the socket.dev team on the rising issue of fake GitHub stars in malicious repositories. In this context, I’ve also added a cool tool — GuardDog for detecting malicious PyPI, npm packages, and Go modules.
You’ll also find some fascinating exploitation articles. For example, did you know that a simple SQL injection in airline security systems could allow unauthorized individuals to bypass security screening and access cockpit areas? There’s also an article about RCE in Moodle, which is a great example of the art of hacking web applications.
As usual, there are a few more articles. Last but not least, don’t miss the Reddit thread: “Worst security practices you’ve seen in the workplace.”
Enjoy the materials and stay secure!
Materials
📃 3.7 Million Fake GitHub Stars: A Growing Threat Linked to Scams and Malware
What important discovery related to GitHub has Socket researchers made? How do fake GitHub stars impact the software supply chain security? Socket researchers have uncovered a growing threat of fake GitHub stars, with 3.7 million detected. Fake stars can lead to scams, fraud, and spreading of malware in repositories, highlighting risks to software security.
🛠️ DataDog/guarddog
What tool can help identify malicious PyPI and npm packages through heuristics on source code and metadata? GuardDog. It offers installation methods, usage samples, and custom rule options. Useful for developers concerned about package security in Python, JavaScript, or Go ecosystems.
📃 Bypassing airport security via SQL injection
How did researchers were able to bypass security screening and access cockpit areas? The article highlights how SQL injection was used to manipulate airline authorization systems, leading to a significant security breach. This article is relevant to airline security professionals, cybersecurity experts, and individuals interested in security vulnerabilities within the aviation industry.
📃 Back to School – Exploiting a Remote Code Execution Vulnerability in Moodle
Do you know Moodle? This article presents a great RCE exploitation process in this learning platform, providing step by step guide about the techniques used. The audience might include pentesters, bug bounty hunters and developers concerned with security.
📃 $14.4K bounty paid for WordPress plugin vulnerability
What critical security issue was found in the LiteSpeed Cache plugin affecting millions of sites? The article discusses a severe unauthenticated privilege escalation vulnerability in the LiteSpeed Cache plugin, allowing attackers to gain admin-level access and install malicious plugins. The vulnerability has been assigned CVE 2024-28000 and was fixed in version 6.4 of the plugin.
📃 Exploiting HuggingFace’s Assistants to Extract Users’ Data
The article discusses the potential vulnerabilities like Sleepy Agent and Image Markdown Rendering, allowing malicious extraction of user data. It emphasizes the importance of understanding these risks, particularly on open source platforms like HuggingFace, to protect personal information and privacy.
📃 CVE Hunting Made Easy
What can you discover by automating CVE hunting in WordPress plugins? The article outlines a methodology involving SAST scans, database storage, and exploitation validation. By focusing on breadth rather than depth, numerous high-impact CVEs were uncovered, emphasizing the importance of proactive security testing.
🧵 Worst security practices you’ve seen in the workplace?
What are some epic security fails in the workplace? This Reddit thread discusses embarrassing security blunders encountered at work, encouraging anonymous sharing of stories and how they were resolved. Aimed at technical professionals interested in cybersecurity practices.
📃 Is DevSecOps Part of SecOps? No, of Course Not!
Why is DevSecOps distinct from SecOps in modern software development? This article presents the shared goal of secure software development, contrasting SecOps as bridging the gap between IT security and operations, while DevSecOps integrates security into the development process. Aimed at software developers and cybersecurity enthusiasts seeking clarity on these buzzwords.
📃 Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
The article describes a vulnerability in Microsoft 365 Copilot that allows for the theft of a user’s emails and personal information through prompt injection and data exfiltration techniques combining ASCII smuggling and automatic tool invocation. The exploit chain involves manipulating Copilot to search for sensitive information and render hidden data within clickable links, enabling potential theft of enterprise data.
📃 CISA: New SolarWinds Vulnerability Actively Exploited in the Wild
What urgent cybersecurity alert has CISA issued on SolarWinds, and why should organizations act quickly? CISA warns of CVE-2024-28986 vulnerability in SolarWinds Web Help Desk, allowing remote code execution. Urges patch by Sept. 5. All sectors advised to prioritize fixing to reduce cyberattack risks.