Intro
Hi everyone!
Over the past few days, the application security world has been anything but boring. Google acquired Wiz for $32 billion. In the announcement released by Google, we read that Google will continue working with Wiz, which will still be available to customers through a number of partners and marketplaces.
We also witnessed another supply-chain attack on an open-source component used by thousands of repositories. This time, the “tj-actions/changed-files” GitHub Action was compromised. Attackers injected malicious code into the action, causing it to print all secrets into the logs. This incident is yet another example of why CI/CD security is just as important as securing the environment where an application runs. Supply-chain attacks are no longer sophisticated threats limited to APT groups targeting critical infrastructure—they should already be factored into your risk analysis and threat modeling exercises.
Last but not least, in this edition, I included more open-source projects than usual. Take a look at them, and remember—they can be attacked too! 😉
Enjoy the materials and stay secure!
Materials
👾 Compromised tj-actions/changed-files GitHub Action
Are you aware of the recent supply chain attack performed via tj-actions/changed-files GitHub Action? This research details a critical compromise that could lead to exposure of secrets in CI/CD workflows, affecting over 23,000 repositories.
🕵️ Prompt Injection in LLMs using emojis
What sohpisticated attacks might your AI systems face? This article explores the concept of Prompt Injection using emojis, detailing how attackers can manipulate LLM outputs by embedding hidden messages using Unicode Variation Selectors. Ideal for AI developers and security professionals, it discusses encoding methods, implications, and mitigation strategies.
🛠️ Orbit Scanner
Looking for a solution to automate your scanning process with Nuclei? Orbit Scanner is a platform designed for efficient large-scale Nuclei scans, featuring modern web interfaces and robust backend integrations. It’s a promising solution for internal teams focused on security automation and bug bounty hunters.
🛠️ CRADLE – Open-Source Collaborative Threat Intelligence Hub
CRADLE is an open-source web application designed to empower Cyber Threat Intelligence (CTI) analysts. The platform streamlines threat analysis workflows through collaborative note-taking, visual relationship mapping, and comprehensive report generation.
🛠️ OWASP Faction – PenTesting Report Generation and Collaboration Framework
Are you looking for a solution to collaborate on security assessment and report generation? FACTION is an all-in-one assessment workflow solution that automates penetration testing and security assessment reporting while enabling real-time collaboration, peer reviews, and seamless integration with other tools. With customizable templates, vulnerability tracking, and team management features, FACTION streamlines the entire assessment process for organizations.
🕵️ Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801)
This article presents an interesting SQL injection vulnerability (CVE-2025-24799) identified in GLPI, a popular software among French companies, and how it can be exploited for unauthorized access and remote code execution. Recommended for pentesters and bug bounty hunters.
🕵️ Client-Side Path Traversal Guide
What are the risks of Client Side Path Traversal vulnerabilities? This guide describes the security threats posed by these vulnerabilities in web applications, detailing how they can lead to unauthorized file access and code execution. It’s aimed at developers and cybersecurity professionals looking to enhance their understanding of this vulnerability.
👾 Malicious Go Package Exploits Go Module Proxy Caching for Persistence
The research describes a malicious campaign targeting Linux and macOS developers, where fake Go packages install hidden malware. The content is particularly relevant for software developers and security professionals.
📄 Long-Running Trade-Secret Theft & Corporate Espionage Against Competitor
What happens when competition turns into corporate espionage? A recent lawsuit reveals that Deel, a $12 billion unicorn, allegedly conducted a brazen campaign to steal confidential information from competitor Rippling through a corporate spy. This article will interest cybersecurity enthusiasts as the post presents a “honeypot” technique to identify involved people.
