In a new wrinkle for adversary tactics, the Storm-2603 threat group is abusing the digital forensics and incident response (DFIR) tool to gain persistent access to victim networks.

Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks

The more sensitive data that companies have to collect and store, the greater the consequences for users if it’s breached.

Apple has raised concerns about a new Texas state law, SB 2420, which introduces age assurance requirements for app stores and app developers.

One of its main objections is that the requirements are over the top and don’t take into account what the user is actually trying to do. Apple stated:

> “We are concerned that SB2420 impacts the privacy of users by requiring the collection of sensitive, personally identifiable information to download any app, even if a user simply wants to check the weather or sports scores.”

Starting January 1, 2026, anyone creating a new Apple account will need to confirm they’re over 18. Users under 18 will have to join a Family Sharing group and get parental consent to download or buy apps, or make in-app purchases.

With age verification comes the requirement for companies to collect, store, and manage sensitive documents or data points (such as government IDs or parental authority details). The more of this data that’s stored, the greater the consequences if it’s breached.

Apple’s pushback against SB2420 is an explicit call to consider the inherent privacy risks of increased age verification mandates. It argues the requirement should only apply to apps and services where age checks are genuinely needed.

Adding to the complexity, individual states are making their own laws to protect minors online, but all using different methods of implementation. Apple reportedly warned developers that similar laws will take effect in Utah and Louisiana later in the year, so they should be prepared.

**Discord’s data breach highlights the risks of age verification**

An illustration of Apple’s concerns was the recent third-party breach at a customer support provider for Discord. Discord stated that cybercriminals targeted a firm that helped to verify the ages of its users. Discord did not name the company involved, but has revoked the provider’s access to the system that was targeted in the breach.

The compromise exposed sensitive government ID images for around 70,000 users who submitted age-verification data. The criminals claim to have stolen the data of 5.5 million unique users from the company’s Zendesk support system instance, including government IDs and partial payment information for some people.

We agree with Apple that regulators should be aware of the risks that come with implementing different sets of requirements. We don’t want to see regulatory pressure to collect sensitive information lead to the kind of breaches that everyone’s afraid of.

When sensitive information like government ID photos, full names, and contact details are exposed in a breach, criminals gain powerful tools for identity theft. With access to these details, a fraudster can impersonate someone to access their bank accounts, open new credit lines, or make major purchases in their name. Access to government-issued IDs enables attackers to create convincing fake documents, pass verification checks at financial institutions, and sell authentic-looking identities on the dark web to other criminals. The resulting identity theft can cause victims long-term financial and personal damage.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Apple voices concerns over age-check law that could put user privacy at risk 

Fortinet warns of Stealit, a MaaS infostealer, now targeting Windows systems and evading detection by using Node.js’s SEA feature while hiding in fake game and VPN installers.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have issued a warning about an active MaaS (malware-as-a-service) operation distributing a dangerous data-stealing malware called Stealit.

This malicious program is designed to take over a victim’s computer and steal private information. The campaign is current, actively targeting Microsoft Windows users across all organisations, and has been classified with a Medium severity level.

Stealit Homepage (Source: Fortinet)

****A New Way to Hide****

The advanced tactics employed by the Stealit campaign show the malware is now using a highly deceptive new method to bypass security measures.

FortiGuard Labs’ investigation revealed that the campaign is leveraging a feature in the Node.js development platform called Single Executable Application (SEA). This is a crucial detail, as older versions of the malware used a different tool named Electron. The purpose of this change is to make the malware harder to spot and block.

The new SEA approach packs all the necessary malicious files into one simple program. This means the program can run even on a computer that does not have the Node.js software installed. The researchers explained that this allows the malware to run “without requiring a pre-installed Node.js runtime or additional dependencies.”

Threat actors are likely taking advantage of the SEA feature’s novelty, hoping to catch security programs and analysts off guard. The malware is further protected by heavy code obfuscation and numerous anti-analysis checks designed to detect and terminate execution if it detects a debugger, a virtual environment, or suspicious processes.

****A Professional Cybercrime Service****

Stealit operators are running this as a full commercial service, advertising “professional data extraction solutions” through various subscription plans. They have relocated their Command-and-Control (C2) server multiple times, switching from the domain stealituptaded.lol to iloveanimals.shop. Moreover, they offer clear pricing for lifetime access: around $500 for the Windows version and $2,000 for the Android version.

Malware’s Subscription Pricing (Source: Fortinet)

The malware’s USP is its extensive list of remote access capabilities, including:

*   File extraction

*   Ransomware deployment

*   Live screen monitoring and webcam control

*   Remote system management (shutdown/restart)

*   The ability to push fake alert messages to the victim.

****What’s At Risk****

According to FortiGuard Labs’ blog post shared with Hackread.com ahead of publishing on Friday, Stealit operators are distributing the malware by hiding it as installers for popular games and VPN applications. They upload these files (packaged in common compressed archives or as PyInstaller) to file-sharing sites such as Mediafire and Discord.

When successfully installed, the malicious program extracts a wide range of information, including sensitive data like login credentials and cryptocurrency wallets from various applications, which can then be used in future attacks.

The researchers noted that the malware’s authors quickly shift tactics, sometimes reverting to the older Electron framework for payload delivery to keep security teams guessing.

This campaign highlights how quickly threat actors adapt by weaponising legitimate software features, like Node.js SEA, to remain undetected. With the malware being distributed via lures like games and VPNs, users must exercise extreme caution with software downloads from unofficial sources.

_“_This is great research tracking the evolution of a focused campaign,_“_ said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity.

_“_The targeted user population is what’s most interesting to me – gamers generally have high-performance hardware, and are accustomed to running all kinds of random software in support of their gaming, and the gaming ecosystem is a mess of binaries and network connections BEFORE you start adding in helpers, performance mods, and cheating resources_,”_ Ford explained.

Ford warned that when IT professionals use the same devices or networks for both gaming and work, it creates a vulnerable environment that attackers could exploit for coordinated cyber operations.

_“_There is a large population of privileged IT workers that are avid gamers (many moved into IT thanks to a passion for gaming) – meaning hardware used for work and play, lateral network access to their laptop, and extortionary material on those users are all levers to be used for coordinated adversarial development._“_

Stealit Malware Using Node.js to Hide in Fake Game and VPN Installers

Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the  reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-37727

**Elasticsearch: Insertion of Sensitive Information into Log File via reindex API**

Moderate severity GitHub Reviewed Published Oct 10, 2025 to the GitHub Advisory Database • Updated Oct 11, 2025

**Package**

maven org.elasticsearch:elasticsearch (Maven)

**Affected versions**

\>= 7.0.0, < 8.18.8

\>= 8.19.0, < 8.19.5

\>= 9.0.0-beta1, < 9.0.8

\>= 9.1.0, < 9.1.5

**Patched versions**

8.18.8

8.19.5

9.0.8

9.1.5

**Description**

Published to the GitHub Advisory Database

Oct 10, 2025

Last updated

Oct 11, 2025

GHSA-56r7-h6mw-rcfv: Elasticsearch: Insertion of Sensitive Information into Log File via reindex API

Two AI "girlfriend" apps have blabbed millions of intimate conversations from more than 400,000 users.

Cybernews discovered how two AI companion apps, Chattee Chat and GiMe Chat, exposed millions of intimate conversations from over 400,000 users.

This is not the first time we have to write about AI “girlfriends” exposing their secrets—and it probably won’t be the last. This latest incident is a reminder that not every developer takes user privacy seriously.

This was not a sophisticated hack that required a skilled approach. All it took was knowing how to look for unprotected services. Researchers found a publicly exposed and unprotected streaming and content delivery system—a Kafka Broker instance.

Think of it like a post office that stores and delivers confidential mail. Now, imagine the manager leaves the front doors wide open, with no locks, guards, or ID checks. Anyone can walk in, look through private letters and photos, and grab whatever catches their eye.

That’s what happened with the two AI apps. The “post office” (Kafka Broker) was left open on the internet without locks (no authentication or access controls). Anyone who knew its address could enter and see every private message, photo, and the purchases users made.

The Kafka broker instance was handling real-time data streams for two apps, which are available on Android and iOS: **Chattee Chat – AI Companion** and **GiMe Chat – AI Companion**.

The exposed data belonged to over 400,000 people and included 43 million messages and over 600,000 images and videos. The content shared with and created by the AI models was not suitable for a work environment (NSFW), the researchers found.

One of the apps—Chattee—was particularly popular, with over 300,000 downloads, mostly in the US. Both apps were developed by Imagime Interactive Limited, a Hong Kong-based developer, though only Chattee gained significant popularity.

While the apps didn’t reveal names or email addresses, they did expose IP addresses and unique device identifiers, which attackers could combine with data from previous breaches to identify users.

The researchers concluded:

> “Users should be aware that conversations with AI companions may not be as private as claimed. Companies hosting such apps may not properly secure their systems. This leaves intimate messages and any other shared data vulnerable to malicious actors, who leverage any viable opportunities for financial gain.”

It doesn’t take a genius cybercriminal with access to data from other breaches to turn the information they found here into something they can use for sextortion.

Another thing that the information shows is that the developer’s revenue from the apps exceeded $1 million. If only they had spent a few of those dollars on security. Securing a Kafka Broker instance is not technically difficult or especially costly. Setting up proper security mostly requires configuration changes, not major purchases.

Leaks like this one can lead to harassment, reputational damage, financial fraud, and targeted attacks on users whose trust was abused—which does not make for happy customers.

****Protecting yourself after a data breach****

The leak has been closed after responsible disclosure by the researchers, but there is no guarantee they were the first to find out about the exposure. If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA****).** If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Millions of (very) private chats exposed by two AI companion apps 

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign.
The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign.

The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed **Beamglea** targeting more than 135 industrial, technology, and energy companies across the world, according to Socket.

"While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure," security researcher Kush Pandya said.

The packages have been found to use npm's public registry and unpkg.com's CDN to host redirect scripts that route victims to credential harvesting pages. Some aspects of the campaign were first flagged by Safety's Paul McCarty late last month.

Specifically, the library comes fitted with a Python file named "redirect\_generator.py" to programmatically create and publish an npm package with the name "redirect-xxxxxx," where "x" refers to a random alphanumeric string. The script then injects a victim's email address and custom phishing URL into the package.

Once the package is live on the npm registry, the "malware" proceeds to create an HTML file with a reference to the UNPKG CDN associated with the newly published package (e.g., "unpkg\[.\]com/redirect-xs13nr@1.0.0/beamglea.js"). The threat actor is said to be taking advantage of this behavior to distribute HTML payloads that, when opened, load JavaScript from the UNPKG CDN and redirect the victim to Microsoft credential harvesting pages.

The JavaScript file "beamglea.js" is a redirect script that includes the victim's email address and the URL to which the victim is navigated in order to capture their credentials. Socket said it found more than 630 HTML files that masquerade as purchase orders, technical specifications, or project documents.

In other words, the npm packages are not designed to execute malicious code upon installation. Instead, the campaign leverages npm and UNPKG for hosting the phishing infrastructure. It's currently not clear how the HTML files are distributed, although it's possible they are propagated via emails that trick recipients into launching the specially crafted HTML files.

"When victims open these HTML files in a browser, the JavaScript immediately redirects to the phishing domain while passing the victim's email address via URL fragment," Socket said.

"The phishing page then pre-fills the email field, creating a convincing appearance that the victim is accessing a legitimate login portal that already recognizes them. This pre-filled credential significantly increases the attack's success rate by reducing victim suspicion."

The findings once again highlight the ever-evolving nature of threat actors who are constantly adapting their techniques to stay ahead of defenders, who are also constantly developing new techniques to detect them. In this case, it underscores the abuse of legitimate infrastructure at scale.

"The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector," Pandya said. "Developers who install these packages see no malicious behavior, but victims opening specially crafted HTML files are redirected to phishing sites."

"By publishing 175 packages across 9 accounts and automating victim-specific HTML generation, the attackers created a resilient phishing infrastructure that costs nothing to host and leverages trusted CDN services. The combination of npm's open registry, unpkg.com's automatic serving, and minimal code creates a reproducible playbook that other threat actors will adopt."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign

With the mercenary spyware industry booming, Apple VP Ivan Krstić tells WIRED that the company is also offering bonuses that could bring the max total reward for iPhone exploits to $5 million.

Since launching its bug bounty program nearly a decade ago, Apple has always touted notable maximum payouts—$200,000 in 2016 and $1 million in 2019. Now the company is upping the stakes again. At the Hexacon offensive security conference in Paris on Friday, Apple vice president of security engineering and architecture Ivan Krstić announced a new maximum payout of $2 million for a chain of software exploits that could be abused for spyware.

The move reflects how valuable exploitable vulnerabilities can be within Apple's highly protected mobile environment—and the lengths the company will go to to keep such discoveries from falling into the wrong hands. In addition to individual payouts, the company's bug bounty also includes a bonus structure, adding additional awards for exploits that can bypass its extra secure Lockdown Mode as well as those discovered while Apple software is still in its beta testing phase. Taken together, the maximum award for what would otherwise be a potentially catastrophic exploit chain will now be $5 million. The changes take effect next month.

“We are lining up to pay many millions of dollars here, and there’s a reason,” Krstić tells WIRED. “We want to make sure that for the hardest categories, the hardest problems, the things that most closely mirror the kinds of attacks that we see with mercenary spyware—that the researchers who have those skills and abilities and put in that effort and time can get a tremendous reward."

Apple says that there are more than 2.35 billion of its devices active around the world. The company's bug bounty was originally an invite-only program for prominent researchers, but since opening to the public in 2020, Apple says that it has awarded more than $35 million to more than 800 security researchers. Top-dollar payouts are very rare, but Krstić says that the company has made multiple $500,000 payouts in recent years.

In addition to higher potential rewards, Apple is also expanding the bug bounty's categories to include certain types of one-click “WebKit” browser infrastructure exploits as well as wireless proximity exploits carried out with any type of radio. And there is even a new offering known as “Target Flags” that puts the concept of capture the flag hacking competitions into real-world testing of Apple's software to help researchers demonstrate the capabilities of their exploits quickly and definitively.

Apple's bug bounty is just one of many long-term investments aimed at reducing the prevalence of dangerous vulnerabilities or blocking their exploitation. For example, after more than five years of work, the company announced a security protection last month in the new iPhone 17 lineup that aims to nullify the most frequently exploited class of iOS bugs. Known as Memory Integrity Enforcement, the feature is a big swing aimed at protecting a small minority of the most vulnerable and highly targeted groups around the world—including activists, journalists, and politicians—while also adding defense for all users of new devices. To that end, the company announced on Friday that it will donate a thousand iPhone 17s to rights groups that work with people at risk of facing targeted digital attacks.

“You can say, well, that seems like a very large effort to protect only that very small number of users that are being targeted by mercenary spyware, but there is just this incontrovertible track record described by journalists, tech companies, and civil society organizations that these technologies are constantly being abused,” Krstić says. “And we feel a great moral obligation to defend those users. Despite the fact that the vast majority of our users will never be targeted by anything like this, this work that we did will end up increasing protection for everyone.”

Apple Announces $2 Million Bug Bounty Reward for the Most Dangerous Exploits

New research shows that North Koreans appear to be trying to trick US companies into hiring them to develop architectural designs using fake profiles, résumés, and Social Security numbers.

Talented North Korean coders and developers have, for years, been getting hired for remote jobs at Western tech firms. Thousands of these so-called IT workers have earned billions for North Korea’s authoritarian regime by developing apps, working on cryptocurrency projects, and infiltrating Fortune 500 companies—when they get paid, they send their earnings home. But the scale and scope of these fraudulent job schemes likely extends beyond most people’s understanding.

New analysis of exposed online accounts and files linked to suspected Democratic People's Republic of Korea (DPRK) digital laborers shows that at least one group has been working in a very different field: architecture and civil engineering. Over recent years, the cluster of workers has been masquerading as freelance structural engineers and architects, according to a report shared with WIRED by cybersecurity firm Kela, which dug into one network it links to North Korea.

Files linked to the alleged North Korean operatives show 2D architectural drawings and some 3D CAD files for properties in the United States, Kela researchers say. In addition to the plans, the scammers were also seen claiming to advertise a range of architectural services and using, or creating, architectural stamps or seals, which can act as legal certification that drawings follow local building regulations.

“These operatives are active not only in technology and cybersecurity but also in industrial design, architecture, and interior design, accessing sensitive infrastructure and client projects under fabricated identities,” Kela writes in a blog post. The United Nations estimates that thousands of IT workers raise between $250 million and $600 million for North Korea each year, with money being used to support the country’s nuclear weapons programs and sanctions evasion efforts.

Kela’s security researchers focused on a GitHub account linked to one suspected North Korean IT network, before analyzing further accounts and profiles. The GitHub profile, plus some connected personas and some architectural work, was first identified by DPRK researchers on X earlier this year. Github, which is owned by Microsoft, did not respond to WIRED’s request for comment about the account or suspected links to North Korea.

The GitHub account publicly listed a series of Google Drive files that could be downloaded by anyone and contained a treasure trove of information linked to the potential scammers. The files included details of work being pursued by the DPRK-linked accounts, duplicate and false CVs, images that could be used as profile pictures, and details of the personas used to find work.

“There were so many emails, data, and profiles that we saw,” says a Kela researcher who asked not to be named due to the sensitivity of the findings. “It was really massive,” they add, saying some spreadsheets appeared to show hundreds of email addresses that may have been used by the scammers. (Google had not responded to a request for comment at the time of writing).

Publicly available files reviewed by WIRED show the breadth—and productivity—of the suspected DPRK scammers and the links to potential architectural work. In most cases, the scammers appear to have been using freelance work websites to solicit potential jobs. Numerous text files within the documents—which sit alongside CVs—advertise the potential architectural services that people could purchase, with documents claiming architects are licensed across multiple (or sometimes all) states across the US. “We can provide you with all construction docs (site plan, structural analysis report, stamp) and we can help you to get permission for construction docs,” one text file says. Some files appear to show correspondence with people potentially seeking the work.

Files seen by WIRED also include floor plans and designs for a deck, a farm house, a custom tree house, swimming pools, and more. One text file appears to include a request asking if existing plans for a restaurant patio could be redrawn. WIRED could not immediately verify whether these plans had physically been drawn up by the alleged North Korean accounts or if any work was completed. However, previous reporting and other researchers indicate this could be possible.

The Kela researchers say that they reported their findings to the FBI and other law enforcement bodies. The FBI did not immediately respond to WIRED’s request for comment.

In July, Canadian public broadcaster CBC reported that the seal of one architect in Toronto had likely been altered and impersonated by North Korean IT workers and the details were included on plans not worked on by that architect. The architect told CBC that the signature used did not match his own and the seal contained differences to his official version. One document seen by WIRED in the cache of files listed websites for generating engineer and architect seals.

“The plans are being used and being built,” says Michael “Barni” Barnhart, a leading authority in North Korean hacking and cyber threats, who works for insider threat security firm DTEX. Along with other DPRK researchers, who call themselves a “Misfit” alliance, Barnhart has seen this cluster of workers conducting architectural work and says similar other efforts have been detected. “They will do the CAD renderings, they’ll do the drawings,” he says. “It’s not like a hypothetical—those physical things do exist out there.”

Barnhart—who previously found North Korean animators appearing to work on Amazon and Max shows—says that he has also seen potential front companies set up to help run the operations and provide a veneer of legitimacy. The findings raise questions about the quality of the structural work and concerns about safety, if structures are created in the physical world. “In some of our investigations, these plans and these products that they’re making for these remodels and renderings, they’re not getting good reviews,” Barnhart says. “We do have indications that also they’re being hired to do critical infrastructure.”

One 24-minute long screen recording seen by WIRED shows how the freelance operation could work. In the video, a person signs up to a freelance work website and sets up a new profile where they write that they are a “licensed structural engineer/architect in the USA.” They pick a profile image from a folder of potentially downloaded files, translate text between English and Korean, and access a Social Security number generator website during the sign-up process.

When their account is created, the video shows them start to message online requests for work, with one message saying: “I can provide you \[sic\] permit drawing plan set for your residential home design within a few days.”

Other screen recordings show the workers having conversations with potential clients, and in at least one instance there is a recording of an online call discussing possible work. The Kela researcher, who asked not be named for security reasons, says it appeared some prospective customers returned to the scammers after likely having work completed. The researchers say some kinds of work appeared to be priced from a few hundred dollars up to around $1,000 per job.

“This is an opportunistic nation,” DTEX’s Barnhart says. While many companies have started to figure out that North Korea’s IT workers are often applying for remote tech jobs, using false identities, deepfakes on video calls, and local workers to run their operations, they are consistently changing their approaches. Barnhart says it appears that architectural work has been successful for the alleged DPRK workers and that evidence shows the IT workers program can be more subtle than trying to get hired at companies.

“They’re moving to places where we're not looking,” Barnhart says. “They're also doing things like call centers. They're doing HR and payroll and accounting. Things that are just remote roles and not necessarily remote hires.”

North Korean Scammers Are Doing Architectural Design Now

### Summary

bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE).

bbot's `gitdumper.py` can be made to consume a malicious `.git/index` file, leading to arbitrary file write which can be used to achieve Remote Code Execution (RCE).

### Impact

A user who uses bbot to scan a malicious webserver may have arbitrary code executed on their system.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-h6m2-r6h9-4c44: BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE

### Summary

Due to unsafe URL handling, bbot's `git_clone.py` can be made to leak a user's github.com API key to an attacker-controlled webserver.

### Impact

A user who has placed their github.com API key in the configuration for any of the following modules:

* `github_codesearch`
* `github_workflows`
* `gitlab`
* `git_clone`
* `github_usersearch`
* `github_org`

may leak it to an untrustworthy server.

Tag

#git