Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mas.to is one of the many independent Mastodon servers you can use to participate in the fediverse.
Hello! mas.to is a fast, up-to-date and fun Mastodon server.

Administered by:

Server stats:

12K
active users

mas.to: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#cve

206 posts37 participants22 posts today
Continued thread
Public
Chuck

If the compromised package "worked" to the extent that it did what it said it does until someone asks it to do something different, it could conceivably migrate into non adversary controlled repositories and from there into the greater network.

So crazy talk or CVE? Hard to tell the difference these days.
#infosec #cve
3/3

Continued thread
Public
Chuck

By filling a pipeline of repositories, giving them "popularity" with a spambot army, the adversary could "inject" (this being the CVE) into the CoPilot model that the package with the back door was a valid solution to some common coding "want." #infosec #cve

2/3

Public *
Chuck

This potential exploit came up in conversation this weekend.

Theoretically, one way to weaponize slopsquatting, which is to create many (number to be determined) repositories on Github that use a loadable package that promises one thing but has a back door in it to enable an adversary to take control. #infosec #cve

1/3

Public
Josh Bressers

I had a chat with Aaron Frost from HeroDevs about #EOL and #CVE. It's a surprisingly complicated topic

If you're unsure an old version is affected, should you assume it is or isn't affected by a vulnerability?

opensourcesecurity.io/2025/202

Open Source Security · CVE for EOL with Aaron FrostAaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the “vulnerable until proven otherwise” approach is the best path forward for end of life software. Episode Links This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Public
lazarusholic

"APT그룹 추적 보고서 - Larva-24005" published by Ahnlab. #CVE-2019-0708, #Larva-24005, #RandomQuery, #DPRK, #CTI asec.ahnlab.com/ko/87453/

ASEC · APT그룹 추적 보고서 - Larva-24005 - ASEC    1)   소개   안랩 ASEC(AhnLab SEcurity intelligence Center)은 침해 사고 조사 과정에서 Kimsuky 그룹과 연관된 새로운 오퍼레이션을 발견하고 Larva-24005로 명명했다.[1] 이들은 RDP 취약점으로 최초 침투 후 MySpy 악성코드로 시스템 설정을 변경하고, RDPWrap을 설치해 지속적인 원격 접근 환경을 만들었다. 또, 사용자의 키보드 입력을 저장하는 키로거를 감염시켰다.   포렌식 분석을 통해 확인된 위협 정보는 ATIP을 […]
ExploreLive feeds
About