Security Headlines
Online Threats Are Rising - Here’s Why Companies Must Improve Their Cybersecurity

Cybersecurity is a must as online threats rise. Businesses must train employees, back up data, and adopt strong…

HackRead
Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

A Hacker Group Within Russia’s Notorious Sandworm Unit Is Breaching Western Networks

A team Microsoft calls BadPilot is acting as Sandworm's “initial access operation,” the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia.

Fake Etsy invoice scam tricks sellers into sharing credit card information

Etsy sellers are being targeted by scammers who use a legitimate Etsy domain to host their dodgy PDFs.

India's Cybercrime Problems Grow as Nation Digitizes

More than half of attacks on Indian businesses come from outside the country, while 45% of those targeting consumers come from Cambodia, Myanmar, and Laos.

This Ad-Tech Company Is Powering Surveillance of US Military Personnel

In a letter to a US senator, a Florida-based data broker says it obtained sensitive data on US military members in Germany from a Lithuanian firm, revealing the global nature of online ad surveillance.

What Is a Personal VPN? Features, Benefits, and How It Works

Privacy, security, and unrestricted access are the promises of a personal VPN. But what does it actually do,…

GHSA-fppq-f2m6-xv5c: Improper Authorization vulnerability in Magento and Adobe Commerce

Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, which raises the confidentiality and integrity impact to high.

GHSA-79v4-65xg-pq4g: Vulnerable OpenSSL included in cryptography wheels

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt. If you are building cryptography from source ("sdist"), then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

GHSA-phw4-mc57-4hwc: Distribution's token authentication allows to inject an untrusted signing key in a JWT

### Impact

Systems running registry version > `3.0.0-beta.1` with token authentication enabled.

### Patches

Update to at least `v3.0.0-rc.3`.

### Workarounds

There is no way to work around this issue without patching if your system requires token authentication.

### References

The issue lies in how the JWK verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. Here's the problematic flow:

1. An attacker generates their own key pair.
2. They create a JWT and include their public key in the JWK header.
3. They set the `kid` in the JWK to match one of the trusted keys' IDs (which they could potentially discover).
4. They sign the JWT with their private key.
5. The registry only checks if the `kid` exists in the trusted keys map but then uses the attacker's public key from the JWK to verify the signature.
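As an added illustration, not code from the Distribution project, the following Go model shows the flawed check beside its corrected form: a trusted-key map keyed by `kid`, a token whose header embeds a public key, and two verifiers that differ only in which key they trust. The names `Token`, `sign`, `verifyVulnerable`, `verifyFixed` and the kid `registry-key-1` are assumptions of this example, and Ed25519 stands in for whatever key type the registry actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Token is a constructed stand-in for a JWT whose header carries a kid and a JWK.
type Token struct {
	Kid     string
	JWK     ed25519.PublicKey // public key embedded in the JWK header
	Payload []byte
	Sig     []byte
}

// sign builds a token with any private key, claiming whatever kid the caller passes.
func sign(priv ed25519.PrivateKey, kid string, payload []byte) *Token {
	pub := priv.Public().(ed25519.PublicKey)
	return &Token{Kid: kid, JWK: pub, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// verifyVulnerable mirrors the flawed flow: the kid is looked up in the
// trusted map, but the signature is checked with the token's own JWK key.
func verifyVulnerable(trusted map[string]ed25519.PublicKey, t *Token) bool {
	if _, ok := trusted[t.Kid]; !ok {
		return false
	}
	return ed25519.Verify(t.JWK, t.Payload, t.Sig)
}

// verifyFixed verifies with the key already trusted for that kid and
// rejects a JWK header whose key material does not match it.
func verifyFixed(trusted map[string]ed25519.PublicKey, t *Token) bool {
	tk, ok := trusted[t.Kid]
	if !ok || (t.JWK != nil && !tk.Equal(t.JWK)) {
		return false
	}
	return ed25519.Verify(tk, t.Payload, t.Sig)
}

// scenario checks a token from the trusted key and one from an untrusted key reusing its kid.
func scenario() (legitVuln, legitFixed, forgedVuln, forgedFixed bool) {
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"registry-key-1": trustedPub}
	legit := sign(trustedPriv, "registry-key-1", []byte("pull:repo/image"))
	forged := sign(otherPriv, "registry-key-1", []byte("push:repo/image"))
	return verifyVulnerable(trusted, legit), verifyFixed(trusted, legit),
		verifyVulnerable(trusted, forged), verifyFixed(trusted, forged)
}
```

The vulnerable verifier accepts both tokens because the trusted key material never constrains the result; the fixed verifier accepts only the token signed by the key it already holds for that kid.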