#git

The U.S. Department of Justice (DoJ) said it has filed a civil forfeiture complaint in federal court that targets over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets allegedly linked to a global IT worker scheme orchestrated by North Korea. "For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S.

New research by Infoblox Threat Intel exposes a hidden alliance between major cybercrime groups like VexTrio and seemingly…

The emerging threat group attacks the supply chain via weaponized repositories posing as legitimate pen-testing suites and other tools that are poisoned with malware.

### Summary Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com) Affected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default. This is a Python variant of a [previous issue affecting protobuf-java](https://github.com/protocolbuffers/...

### Impact When a user who hasn't logged in to the system before (i.e. doesn't exist in the authd user database) logs in via SSH, the user is considered a member of the root group in the context of the SSH session. That leads to a local privilege escalation if the user should not have root privileges. ### Patches Fixed by https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab ### Workarounds Configure the SSH server to not allow authenticating via authd, for example by setting `UsePAM no` or `KbdInteractiveAuthentication no` in the `sshd_config` (see https://documentation.ubuntu.com/authd/stable/howto/login-ssh/#ssh-configuration).

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter.

### Impact The audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. ### Patches This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/15102. ### References Thanks to [micael1](https://hackerone.com/micael1) for reporting this [issue at HackerOne](https://hackerone.com/reports/3179850).

### Impact The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. ### Patches This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918. ### References Thanks to [obscuredeer](https://hackerone.com/obscuredeer) for reporting this [issue at HackerOne](https://hackerone.com/reports/3150564).

European law enforcement agencies have dismantled Archetyp Market, a long-running dark web platform used primarily for drug sales,…

Right now, everyone seems ready to throw down. More than ever, it’s important to fight smart—and not give up until you land a decisive blow.