Latest News
The US extradites LockBit ransomware developer Rostislav Panev from Israel. Learn how his arrest impacts the fight against…
Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.
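As an added illustration of the missing check (this is not Wire's code, and the depth cap value is an assumption chosen for the example): a small reader for the protobuf wire format that tracks group nesting and rejects payloads deeper than a fixed limit, beside the unbounded behaviour that lets a few kilobytes of repeated start-group tags exhaust the stack.

```python
"""Depth-limited protobuf wire-format reader. Added illustration of the check
the Wire advisory describes as missing; it is not Wire's code and the limit
value is an assumption made for this example."""

VARINT, FIXED64, LEN, SGROUP, EGROUP, FIXED32 = range(6)
DEFAULT_MAX_DEPTH = 100  # assumption: an illustrative nesting cap, not Wire's real value


class DepthLimitExceeded(ValueError):
    """Raised when group nesting exceeds the configured limit."""


def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, new_pos)."""
    value = 0
    for shift in range(0, 70, 7):  # at most 10 bytes for a 64-bit value
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
    raise ValueError("varint longer than 10 bytes")


def _read_fields(buf, pos, max_depth, depth, group_field):
    """Read fields until end of buffer or the EGROUP that closes group_field.
    A nested SGROUP recurses with depth + 1; max_depth=None disables the check,
    which is the unbounded behaviour the advisory describes."""
    fields = []
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("field number 0 is illegal")
        if wtype == VARINT:
            value, pos = read_varint(buf, pos)
        elif wtype in (FIXED64, FIXED32):
            size = 8 if wtype == FIXED64 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value, pos = buf[pos:pos + size], pos + size
        elif wtype == LEN:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field overruns buffer")
            value, pos = buf[pos:pos + length], pos + length
        elif wtype == SGROUP:
            if max_depth is not None and depth + 1 > max_depth:
                raise DepthLimitExceeded(f"group nesting deeper than {max_depth}")
            value, pos = _read_fields(buf, pos, max_depth, depth + 1, field)
        elif wtype == EGROUP:
            if field != group_field:
                raise ValueError("end-group does not match the open group")
            return fields, pos
        else:
            raise ValueError(f"unknown wire type {wtype}")
        fields.append((field, wtype, value))
    if group_field is not None:
        raise ValueError("unterminated group")
    return fields, pos


def parse(buf, max_depth=DEFAULT_MAX_DEPTH):
    """Parse a top-level message into [(field_number, wire_type, value), ...];
    a group's value is its own nested field list."""
    return _read_fields(buf, 0, max_depth, 0, None)[0]


def nested_groups(n, field=1):
    """Constructed payload: n SGROUP tags for `field` followed by n EGROUP tags."""
    return bytes([(field << 3) | SGROUP]) * n + bytes([(field << 3) | EGROUP]) * n


def group_depth(fields):
    """Deepest group nesting in a parsed field list."""
    return max((1 + group_depth(v) for _, w, v in fields if w == SGROUP), default=0)


def parse_outcome(buf, max_depth=DEFAULT_MAX_DEPTH):
    """Classify what the reader does with buf: 'ok', 'depth_limit', or
    'stack_overflow' (RecursionError here; StackOverflowError on the JVM)."""
    try:
        parse(buf, max_depth)
        return "ok"
    except DepthLimitExceeded:
        return "depth_limit"
    except RecursionError:
        return "stack_overflow"


if __name__ == "__main__":
    # hand-assembled sample: field 1 = varint 150, field 2 = bytes "hi"
    print(parse(bytes.fromhex("089601" "12026869")))
    print(parse_outcome(nested_groups(50)))             # ok
    print(parse_outcome(nested_groups(10_000), None))   # stack_overflow
    print(parse_outcome(nested_groups(10_000)))         # depth_limit
```

With `max_depth=None` the reader recurses once per start-group tag, so a 20 KB payload of repeated `0x0b` bytes takes it down with a RecursionError (a StackOverflowError in Kotlin or Java); with the cap in place the same input is rejected as soon as the 101st nested group opens, before any meaningful stack has been consumed.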
Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits.
Cybersecurity tips to protect your cryptocurrency from hackers, scams, and fraud. Learn best practices for securing digital assets…
Plus: A nominee to lead CISA emerges, Elon Musk visits the NSA, a renowned crypto cracking firm’s secret (and problematic) cofounder is revealed, and more.
tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were not originally affected, but were modified by a threat actor to point at commit 0e58ed8, which contains the malicious updateFeatures code.)
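Added example, not tj-actions' or GitHub's code: a small audit script that reads a workflow file and reports every `uses:` reference that points at a tag or branch rather than a full 40-hex commit SHA, which is the only reference a tag-retargeting attack like the one above cannot move. The sample workflow and the SHA inside it are constructed for the example.

```python
"""Audit a GitHub Actions workflow for action references that are not pinned
to a full commit SHA. Added example, not tj-actions' or GitHub's code; the
sample workflow and the 40-hex SHA in it are constructed for the test."""
import re

# `- uses: owner/repo[/path]@ref`, optionally quoted; `ref` is whatever follows '@'.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?(?P<action>[^@'"\s]+)(?:@(?P<ref>[^'"\s]+))?""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(action, ref):
    """How the reference resolves: only a full SHA is immutable."""
    if action.startswith("./") or action.startswith("docker://"):
        return "local-or-docker"   # not a git ref on GitHub; out of scope here
    if ref is None:
        return "unpinned"          # resolves to the action's default branch
    if FULL_SHA_RE.match(ref):
        return "sha"
    return "mutable"               # tag or branch: anyone who can push to the repo can move it


def audit_workflow(text):
    """Return (line_number, action, ref, classification) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group("action"), m.group("ref")
            findings.append((lineno, action, ref, classify_ref(action, ref)))
    return findings


def mutable_uses(text):
    """Only the findings that a tag or branch retargeting would affect."""
    return [f for f in audit_workflow(text) if f[3] in ("mutable", "unpinned")]


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Changed files (tag pin, retargetable)
        uses: tj-actions/changed-files@v45
      - name: Changed files (commit pin; placeholder SHA for the example)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45.0.7
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for lineno, action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} -> {kind}")
```

A tag such as `@v45` or `@v45.0.7` is a mutable pointer that whoever controls the repository (or has stolen its credentials) can move, which is exactly what happened here; a full SHA cannot be moved, and the trailing `# v45.0.7` comment keeps the version readable for humans and update bots. Pinning protects only the reference in your own workflow: an action that is SHA-pinned but itself fetches mutable content at run time still needs its own review.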
Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities but harboring hidden functionality to steal sensitive data such as cloud access tokens. Software supply chain security firm ReversingLabs said it discovered two sets of packages, 20 in total. The packages
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.
### Impact

A maliciously crafted QPY file can execute arbitrary code embedded in the payload, without privilege escalation, when it is deserialized as a QPY format version lower than 13. A Python process calling Qiskit's `qiskit.qpy.load()` function could execute any Python code embedded at the right place in a specially constructed binary file.

### Patches

Fixed in Qiskit 1.4.2 and in Qiskit 2.0.0rc2.
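The fix is the patched release; for a caller that cannot upgrade yet but must still accept QPY files from untrusted sources, a header check that refuses to deserialize payloads declaring a format version below 13 is a compensating control. The following is an added example, not Qiskit's code: the header layout it reads (a `QISKIT` magic, a one-byte QPY format version, the writer's major/minor/patch and a circuit count) is taken from my reading of the QPY file format and should be treated as an assumption, and the deserializer is passed in as a parameter (`qiskit.qpy.load` in practice) so the script runs without Qiskit installed.

```python
"""Header gate for untrusted QPY files. Added example, not Qiskit's code. The
fixed-size header layout below is an assumption from my reading of the QPY
format; the real mitigation is the patched Qiskit release."""
import io
import struct

QPY_MAGIC = b"QISKIT"
LEGACY_HEADER = "!6sBBBBQ"     # assumption: preface, qpy_version, major, minor, patch, num_circuits
MIN_SAFE_QPY_VERSION = 13      # the advisory says formats < 13 are affected


class UnsafeQPYVersion(ValueError):
    """Raised when a payload declares a QPY format version below the floor."""


def parse_header(data):
    """Return the fields of the fixed-size QPY file header as a dict."""
    size = struct.calcsize(LEGACY_HEADER)
    if len(data) < size:
        raise ValueError("file shorter than the QPY header")
    preface, qpy_version, major, minor, patch, num_circuits = struct.unpack(LEGACY_HEADER, data[:size])
    if preface != QPY_MAGIC:
        raise ValueError("missing QISKIT magic; not a QPY file")
    return {"qpy_version": qpy_version, "writer": (major, minor, patch), "num_circuits": num_circuits}


def guarded_load(data, loader, min_version=MIN_SAFE_QPY_VERSION):
    """Inspect the header first; only then hand the bytes to `loader`
    (qiskit.qpy.load in practice, passed in so this file has no Qiskit dependency)."""
    header = parse_header(data)
    if header["qpy_version"] < min_version:
        raise UnsafeQPYVersion(
            f"QPY format {header['qpy_version']} is below {min_version}; refusing to deserialize"
        )
    return loader(io.BytesIO(data))


def make_header(qpy_version, writer=(1, 4, 2), num_circuits=1):
    """Constructed header bytes for exercising the gate (no circuit payload follows)."""
    return struct.pack(LEGACY_HEADER, QPY_MAGIC, qpy_version, *writer, num_circuits)


def gate_outcome(data, min_version=MIN_SAFE_QPY_VERSION):
    """'loaded' if the loader ran, 'rejected' if the gate stopped it, 'invalid' if not QPY."""
    try:
        guarded_load(data, lambda fh: fh.read(), min_version)
        return "loaded"
    except UnsafeQPYVersion:
        return "rejected"
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    print(gate_outcome(make_header(12)))   # rejected
    print(gate_outcome(make_header(13)))   # loaded
    print(gate_outcome(b"NOTQPY" + b"\x00" * 12))  # invalid
```

The check reads only the declared version, so it is a floor, not a proof of safety: a file that claims version 13 still gets the full deserializer, and the gate is no substitute for upgrading to 1.4.2 or 2.0.0rc2.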
**Description:** The `secure_redundant_execution` function in feldman_vss.py attempts to mitigate fault injection attacks by executing a function multiple times and comparing results. However, several critical weaknesses exist:

1. Python's execution environment cannot guarantee true isolation between redundant executions
2. The constant-time comparison implementation in Python is subject to timing variations
3. The randomized execution order and timing provide insufficient protection against sophisticated fault attacks
4. The error handling may leak timing information about partial execution results

These limitations make the protection ineffective against targeted fault injection attacks, especially from attackers with physical access to the hardware.

**Impact:** A successful fault injection attack could allow an attacker to:

1. Bypass the redundancy check mechanisms
2. Extract secret polynomial coefficients during share generation or verification
3. Force the acceptance of inva...