Security
Tag: #git

Hackers Hide Malware in Fake DeepSeek PyPI Packages

Malicious DeepSeek packages on PyPI spread malware, stealing sensitive data like API keys. Learn how this attack targeted developers and how to protect yourself.

Source: HackRead
Tags: #mac #git #auth
GHSA-qwp8-x4ff-5h87: ZX Allows Environment Variable Injection for dotenv API

### Impact

This vulnerability is an **Environment Variable Injection** issue in `dotenv.stringify`, affecting `google/zx` version **8.3.1**. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to **arbitrary command execution** or **unexpected behavior** in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable.

### Patches

This issue has been **patched** in version **8.3.2**. Users should **immediately upgrade** to this version to mitigate the vulnerability.

### Workarounds

If upgrading is not feasible, users can mitigate the vulnerability by **sanitizing user-controlled environment variable values** before passing them to `dotenv.stringify`. Specifically, avoid using `"`, `'`, and backticks in values, or enforce strict validation of environment variables before u...

'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

Anthropic says its Constitutional Classifiers approach offers a practical way to make it harder for bad actors to try and coerce an AI model off its guardrails.

Your Health Information Was Compromised. Now What?

The healthcare industry has become increasingly reliant on technology to enhance patient care, from advanced image-guided surgery to…

AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

Adversaries looking to ride the DeepSeek interest wave are taking advantage of developers in a rush to deploy the new technology, by using AI-generated malware against them.

Online gaming safety for kids: learn how to protect your children

Children love online gaming, and it’s no surprise they do it, considering it offers them fun and interactive…

GHSA-rpmj-rpgj-qmpm: rust-openssl ssl::select_next_proto use after free

### Impact

`ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

### Patches

`openssl` 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers.

### Workarounds

In standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback. For example:

Not vulnerable - the server buffer has a `'static` lifetime:

```rust
builder.set_alpn_select_callback(|_, client_protos| {
    // The server-side protocol list is a `'static` byte literal, so the
    // returned slice can never outlive its backing buffer.
    // `ok_or` (not `ok_or_else`) is used because `AlpnError::NOACK` is a
    // value, not a closure.
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or(AlpnError::NOACK)
});
```

Not vulnerable - the serve...

GHSA-r3r4-g7hq-pq4f: CometBFT allows a malicious peer to stall the network by disseminating seemingly valid block parts

Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts
Component: CometBFT
Criticality: High (Catastrophic Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes, Users

### Description

A bug was identified in the CometBFT validation of block part indices and the corresponding proof part indices that can lead to incorrect processing and dissemination of invalid parts, which in turn could lead to a network halt. Additional validation was added to prevent this condition from happening.

### Patches

The new CometBFT releases [v1.0.1](https://github.com/cometbft/cometbft/releases/tag/v1.0.1) and [v0.38.17](https://github.com/cometbft/cometbft/releases/tag/v0.38.17) fix this issue. Unreleased code in the main branch is patched as well.

### Workarounds

There are no known workarounds for this is...

WhatsApp says Paragon is spying on specific users

WhatsApp has accused professional spyware company Paragon of spying on a select group of users.