Latest News

Wagenius posted about hacking more than 15 telecom providers on the Telegram messaging service.

New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues. 😉🎁 📹 Video on YouTube, LinkedIn🗞 Post on Habr (rus)🗒 Digest on the PT website Content: 🔻 00:29 Spoofing – Windows […]

A recent claim that a critical zero-day vulnerability existed in the popular open-source file archiver 7-Zip has been met with skepticism from the software's creator and other security researchers.

Ethical hacking group Chaos Computer Club uncovered exposed data of electrical vehicle owners across the company's VW, Audi, Seat, and Skoda brands.

A novel technique to stump artificial intelligence (AI) text-based systems increases the likelihood of a successful cyberattack by 60%.

Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure. The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform's OData Web API Filter, while the third vulnerability is rooted in the FetchXML

### Summary This is a POC for a path-sanitizer [npm package](https://www.npmjs.com/package/path-sanitizer). The filters can be bypassed and can result in path traversal. Payload: `..=%5c` can be used to bypass this on CLI (along with other candidates). Something similar would likely work on web apps as well. ### PoC Here's the code to test for the filter bypass: ```js const sanitize = require("path-sanitizer") const path = require("path") const fs = require("fs") // Real scenario: function routeHandler(myPath) { // Lets just assume that the path was extracted from the request // We want to read a file in the C:\Users\user\Desktop\myApp\ directory // But the user should be able to access C:\Users\user\Desktop\ // So we need to sanitize the path const APP_DIR = "/var/hacker" const sanitized = path.join(APP_DIR, sanitize(myPath)) // Now we would usally read the file // But in this case we just gonna print the path // console.log(sanitized) return sanitized } fu...

In the past year, cross-domain attacks have gained prominence as an emerging tactic among adversaries. These operations exploit weak points across multiple domains – including endpoints, identity systems and cloud environments – so the adversary can infiltrate organizations, move laterally and evade detection. eCrime groups like SCATTERED SPIDER and North Korea-nexus adversaries such as FAMOUS

Cybersecurity researchers have discovered a malicious package on the npm package registry that masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but, in reality, drops an open-source remote access trojan called Quasar RAT onto developer systems. The heavily obfuscated package, named ethereumvulncontracthandler, was published to npm on December 18, 2024, by a user

German prosecutors have charged three Russian-German nationals for acting as secret service agents for Russia. The individuals, named Dieter S., Alexander J., and Alex D., have been accused of working for a foreign secret service. Dieter S. is also alleged to have participated in sabotage operations as well as taking pictures of military installations with an aim to endanger national security.