Intro
Hi everyone!
I hope you had a wonderful holiday season and a fantastic start to 2025! After the Christmas break, I’m back with several interesting security articles and news updates to share.
To summarize 2024, I highly recommend checking out the 2024 CVE Data Review article. It provides essential statistics about CVEs published throughout the year. In 2024, exactly 40,009 CVEs were published—a 38% increase compared to 2023. With AI becoming increasingly popular and more developers adopting various code assistants, 2025 may pose even greater challenges in terms of open-source vulnerabilities and overall vulnerability management.
On the topic of AI development, just before Christmas, I dedicated some time to creating an AI agent and wrote an article about the experience. If you’re skeptical about AI or haven’t had the chance to develop such a tool, I highly recommend taking a look. It might serve as inspiration for your projects.
For bug bounty hunters, there’s an exciting story about an accidental IDOR discovery in Google Slides, which earned a $3,133.70 reward. Additionally, you may find the report on a dependency confusion vulnerability in one of the AWS SDKs intriguing. This vulnerability was introduced multiple times over four years.
At the beginning of 2025, an intriguing situation took place—a researcher identified a malicious NPM package targeting Cursor, the AI code editor widely used by developers. Potentially, this package could be deployed to test for dependency confusion vunerability. Shortly after publication, it was revealed that the package had been created by the Snyk Security Labs Team as part of a security research project. It was promptly deleted after being detected.
Enjoy the materials and stay secure!
Materials
🛠️ Building AI Agents to Solve Security Challenges
Is it challenging to develop AI Agent solving security challenges? In this article, I present the practical implementation of AI Agent using CrewAI framework to identify and remediate security vulnerabilities implemented as a part of Damn Vulnerable RESTaurant API Game. Dedicated for AI enthusiasts, security engineers and developers.
📃 I accidentally found an IDOR bug in Google slides and rewarded $3,133.70
How did a casual afternoon turn into a rewarding discovery of a security vulnerability in Google Slides? This article presents a process of identifying an IDOR bug while preparing for a presentation. Ideal for cybersecurity enthusiasts and bug bounty hunters, it details the process of finding, testing, and reporting the bug to Google, along with insights on effectively communicating security risks.
📃 Hat Trick: AWS introduced same RCE vulnerability three times in four years
What recurring security oversight has Amazon made with its AWS Neuron SDK? This article discusses a Remote Code Execution vulnerability caused by dependency confusion issue while installing Python packages. Primarily aimed at developers and cybersecurity professionals, it highlights the importance of using package managers securely.
🕵️ Snyk security researcher deploys malicious NPM packages targeting Cursor.com
Did Snyk researchers exploit Cursor AI by supply chain attack? The security researcher identified a malicious NPM packages targetting Cursor AI tool. Shortly after publication of the finding, Snyk Security Researchers confirmed that they deployed this as a part of their research and deleted the package from NPM.
📈 2024 CVE Data Review
What does 2024 CVE data reveal about security trends? 2024 set a record with 40,009 CVEs published, marking a 38% increase over 2023. May was the busiest month, and Tuesdays saw the most releases. The average CVSS score was 6.67, with 231 vulnerabilities scoring a perfect 10. Notably, five CVE Authorities accounted for 43.67% of all CVEs, highlighting the key role of open-source projects and WordPress security. Recommended especially for security professionals.
🛠️ Kubernetes Security Architecture Cheatsheet
This repository contains a Kubernetes security diagram cheatsheet to help teams understand security within Kubernetes. Aimed at developers and security teams.
🛠️ BugGPT
Are you looking to enhance your web security skills? BugGPT is an open-source project that generates vulnerable web applications for security practitioners and developers. With features like automated generation of various vulnerabilities and realistic testing environments, it might be an interesting playground for cybersecurity enthusiasts and ethical hackers.
📃 The less you reveal the better – an overview of frequently overlooked User Enumeration Vulnerability
What might be one of the most common and underestimated user enumeration vulnerability? This article by Aleksa Majki explores the often-overlooked user enumeration vulnerability, detailing its risks and real-world examples, including Zenodo. It offers developers actionable advice on enhancing security for their systems, making it valuable for cybersecurity professionals and web developers.
📃 Reduce supply chain risk with smarter vulnerability prioritization
How can you effectively reduce supply chain risks in your applications? This article discusses an approach to more efficient vulnerability prioritization, helping application security teams streamline remediation and improve collaboration. It is geared toward developers and security professionals.
🕵️ Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal
How can file upload restrictions be effectively bypassed in web applications? This article explores techniques for manipulating file validations to achieve client-side path traversal exploits. Geared toward security engineers and developers, it provides insights on circumventing common MIME type and structure checks to upload JSON files disguised as other formats.
🕵️ Cascading Spy Sheets: Exploiting the Complexity of Modern CSS for Fingerprinting
Could modern CSS be the next frontier in user tracking? This article explores how advanced CSS techniques can facilitate fingerprinting, even in environments like email where JavaScript is disabled. It targets cybersecurity professionals and researchers, presenting innovative CSS-based methods for tracking and potential defenses to enhance privacy.
🕵️ Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner
What vulnerabilities might be hiding in your security tools? This article by Wiz highlights a high-severity signature verification bypass discovered in Nuclei, a popular open-source vulnerability scanner (CVE 2024 43405). Readers will learn about the implications and technical details of the flaw, making it relevant for cybersecurity researchers.
👾 Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents
A major breach at the U.S. Treasury Department was attributed to a suspected Chinese APT group exploiting a compromised API key from BeyondTrust’s remote support service. The attackers accessed unclassified documents and user workstations, with the breach targeting sensitive offices like OFAC and the Treasury Secretary. BeyondTrust has since mitigated the issue and addressed critical vulnerabilities in its software.
