Latest News

Massive Twitter (X) data breach exposes details of 2.8 billion users; alleged insider leak surfaces with no official response from the company.

Plus: Alleged Snowflake hacker will be extradited to US, internet restrictions create an information vacuum in Myanmar, and London gets its first permanent face recognition cameras.

Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging,"

Palo Alto, USA, 29th March 2025, CyberNewsWire

In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract

shopxo v6.4.0 has a ssrf/xss vulnerability in multiple places.

ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) via image upload function.

ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings.

### Impact The library used to extract archives (github.com/jaredallard/archives) was vulnerable to the "zip slip" vulnerability. This is used to extract native extension archives and repository source archives. A native extension or repository archive could be crafted in such a way where a remote code execution or modification/reading of a file is possible using the user who is running stencil. The severity is marked as "medium" because native extensions have always considered to be "unsafe" to run when not trusted. Native extensions are arbitrary code being ran, which could always do this same exploit with less steps. The medium severity is to reflect that this could be done even when a user is _not_ using a native extension, for example a repository source archive. However, one would need to mutate the archives provided by Github or perform some hackery with links, which may not be possible. Thus, "medium" is used out of an abundance of caution where I would've labeled this as "lo...

## Summary In a TUF repository, the targets role’s signature indicates which target files are trusted by clients. The role can delegate full or partial trust to other roles, meaning that that role is trusted to sign target file metadata. Delegated roles can further delegate trust to other delegated roles. When searching for metadata about a given target, tough failed to detect cyclical role delegations. ## Impact When interacting with TUF repositories which contain cyclical role delegations, tough will fail to detect the cycles and will exhaust its stack while recursively searching the delegation graph. The exhausted call stack will cause the process to abort. Impacted versions: < v0.20.0 ## Patches A fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. ## Workarounds There is no recommended work around. Customers are advise...