Latest News

### Summary The `fast-jwt` library does not properly validate the `iss` claim based on the RFC https://datatracker.ietf.org/doc/html/rfc7519#page-9. #### Details The `iss` (issuer) claim validation within the fast-jwt library permits an array of strings as a valid `iss` value. This design flaw enables a potential attack where a malicious actor crafts a JWT with an `iss` claim structured as `['https://attacker-domain/', 'https://valid-iss']`. Due to the permissive validation, the JWT will be deemed valid. Furthermore, if the application relies on external libraries like `get-jwks` that do not independently validate the `iss` claim, the attacker can leverage this vulnerability to forge a JWT that will be accepted by the victim application. Essentially, the attacker can insert their own domain into the `iss` array, alongside the legitimate issuer, and bypass the intended security checks. #### PoC Take a server running the following code: ```js const express = require('express') const ...

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

### Summary `reviewdog/action-setup@v1` was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` would also be compromised, regardless of version or pinning method: - reviewdog/action-shellcheck - reviewdog/action-composite-template - reviewdog/action-staticcheck - reviewdog/action-ast-grep - reviewdog/action-typos ### Details Malicious commit: https://github.com/reviewdog/action-setup/commit/f0d342d fix/retag via version upgrade: https://github.com/reviewdog/action-setup/commit/3f401fe See the detailed report from Wiz Research: [Wiz Blog Post](https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup) and reviewdog maintainer annoucement: [reviewdog #2079](https://github.com/reviewdog/reviewdog/issues/2079)

The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities. The leak, containing over 200,000 messages from September 2023 to September 2024, was published by a Telegram user @ExploitWhispers last month. According to an analysis of the messages by cybersecurity company

With financial stress at an all-time high, people are desperately seeking relief. Sadly, scammers know this all too well.

Hackers are using .VHD files to spread VenomRAT malware, bypassing security software, reveals Forcepoint X-Labs. Learn how this stealthy attack works and how to protect yourself.

Austin, TX, United States, 19th March 2025, CyberNewsWire

Sperm donor giant California Cryobank has announced it has suffered a data breach that exposed customers' personal information.

In today’s digital world, security breaches are all too common. Despite the many security tools and training programs available, identity-based attacks—like phishing, adversary-in-the-middle, and MFA bypass—remain a major challenge. Instead of accepting these risks and pouring resources into fixing problems after they occur, why not prevent attacks from happening in the first place? Our upcoming

Top 10 Passwords hackers use to breach RDP revealed! Weak credentials cause successful cyberattacks- check if yours is on the list and secure your system now.