Security Headlines

Tag: #git

GHSA-2vcf-qxv3-2mgw: Craft CMS has a theoretical bypass for CVE-2025-23209

**Pre-requisites:**

* Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret)
* Somehow, manage to create an arbitrary file in Craft's `/storage/backups` folder.

With those two pieces in place, you could create a specific, malicious request to the `/updater/restore-db` endpoint to execute CLI commands remotely.

Fixed in https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57

Reported by Marco O. (segfault)

15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652)

A new report by VulnCheck exposes a critical command injection flaw (CVE-2025-53652) in the Jenkins Git Parameter plugin.…

GHSA-v3gr-w9gf-23cx: The AuthKit Remix Library renders sensitive auth data in HTML

In versions before `0.15.0`, `@workos-inc/authkit-remix` exposed sensitive authentication artifacts, specifically `sealedSession` and `accessToken`, by returning them from the `authkitLoader`. This caused them to be rendered into the browser HTML.

### Impact

Exposure of these artifacts could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible.

### Patches

Patched in [https://github.com/workos/authkit-remix/releases/tag/v0.15.0](https://github.com/workos/authkit-remix/releases/tag/v0.15.0)

In patched versions:

- `sealedSession` and `accessToken` are no longer returned by default from the `authkitLoader`.
- A secure server-side mechanism is provided to fetch an access token as needed.

GHSA-vqvc-9q8x-vmq6: The AuthKit React Router Library rendered sensitive auth data in HTML

In versions before `0.7.0`, `@workos-inc/authkit-react-router` exposed sensitive authentication artifacts, specifically `sealedSession` and `accessToken`, by returning them from the `authkitLoader`. This caused them to be rendered into the browser HTML.

### Impact

This information disclosure could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible.

### Patches

Patched in [https://github.com/workos/authkit-react-router/releases/tag/v0.7.0](https://github.com/workos/authkit-react-router/releases/tag/v0.7.0)

In patched versions:

- `sealedSession` and `accessToken` are no longer returned by default from the `authkitLoader`.
- A secure server-side mechanism is provided to fetch an access token as needed.
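The two AuthKit advisories above describe the same mechanism: whatever a route loader returns is serialised into the server-rendered page for client hydration, so returning the session artifacts puts them in the HTML. The following is an added example, not code from the AuthKit libraries, that models that data flow and gives a check you can run over rendered output in a test. The loader functions, the `window.__loaderData` embedding, and the session values are assumptions constructed for illustration, not the libraries' actual API.

```python
"""Added example (not AuthKit code): loader data reaching HTML, and a check for it.

Names here (`vulnerable_loader`, `patched_loader`, `hydration_html`,
`find_leaked_values`) are illustrative assumptions, not the library's API.
"""
import json

# Constructed session object. In the real library the sealed session cookie
# value and the access token are opaque strings issued by WorkOS.
SESSION = {
    "user": {"id": "user_123", "email": "alice@example.com"},
    "sealedSession": "Fe26.2**deadbeef...sealed-cookie-payload",
    "accessToken": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.sig",
}

SENSITIVE_FIELDS = ("sealedSession", "accessToken")


def vulnerable_loader(session):
    """Pre-fix behaviour modelled here: hand the whole session object to the page."""
    return dict(session)


def patched_loader(session):
    """Fixed behaviour modelled here: drop the artifacts before data leaves the server.
    An allow-list of fields would be stricter still; a deny-list is shown to
    mirror the advisory wording."""
    return {k: v for k, v in session.items() if k not in SENSITIVE_FIELDS}


def hydration_html(loader_data):
    """Mimic a framework embedding loader data in the HTML for client hydration."""
    payload = json.dumps(loader_data).replace("</", "<\\/")  # keep </script> out of the payload
    return (
        "<!doctype html><body><div id=\"app\"></div>"
        f"<script>window.__loaderData={payload}</script></body>"
    )


def find_leaked_values(html, secrets):
    """Names of secret values that appear verbatim in rendered HTML (sorted).

    This catches the bug class above; it will not catch a token that was
    transformed (base64-wrapped, split) before rendering, so pair it with an
    allow-list on the loader's return value in code review.
    """
    return sorted(name for name, value in secrets.items() if value and value in html)


def leaked_fields(loader, session=SESSION):
    """Render the page a loader would produce and report which artifacts leaked."""
    secrets = {k: session[k] for k in SENSITIVE_FIELDS}
    return find_leaked_values(hydration_html(loader(session)), secrets)


if __name__ == "__main__":
    print("vulnerable loader leaks:", leaked_fields(vulnerable_loader))
    print("patched loader leaks:   ", leaked_fields(patched_loader))
```

In a real Remix or React Router app the equivalent check is an integration test that server-renders an authenticated route and asserts the cookie value and access token are absent from the response body; the server-side token fetch the patched releases provide is what the page should call instead of reading the token from loader data.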

AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

Cybersecurity researchers are drawing attention to a new campaign that's using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign. The activity involves the creation of lookalike sites imitating Brazil's State

GHSA-f7c3-mhj2-9pvg: OpenBao TOTP Secrets Engine Code Reuse

### Impact

OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly once. This was caused by unexpected normalization in the underlying TOTP library.

### Patches

OpenBao v2.3.2 will patch this issue. Once patched, codes that are not normalized (strictly N numeric digits) are rejected. This is a potentially breaking change.

### Workarounds

TOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are normalized before submitting them to the OpenBao endpoint.

### References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

- https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
- https://nvd.nist.gov/vuln/detail/CVE-2025-6014
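To make the advisory concrete, here is an added example (not OpenBao or Vault code) of how lenient input normalization defeats a strictly-once check, and the fix of rejecting any code that is not exactly N digits before it is considered. The TOTP arithmetic follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits). The specific normalization modelled (whitespace trimming) and the replay cache keyed on the raw submitted string are assumptions that reproduce the bug class described above, not a description of the library OpenBao uses.

```python
"""Added example (not OpenBao code): replay via non-canonical TOTP input.

Assumed for illustration: the lenient verifier trims whitespace before
comparing, while its replay cache keys on the string as submitted.
"""
import hashlib
import hmac
import re
import struct

DIGITS = 6
PERIOD = 30
# Constructed shared secret (the RFC 6238 test vector key); real keys are random.
SECRET = b"12345678901234567890"


def totp(secret: bytes, for_time: int, digits: int = DIGITS, period: int = PERIOD) -> str:
    """RFC 6238 code for the time step containing for_time."""
    counter = for_time // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Verify a code and refuse to accept the same code twice in one time step."""

    def __init__(self, secret: bytes, strict: bool):
        self.secret = secret
        self.strict = strict
        self._used = set()  # (time step, code string as submitted)

    def verify(self, submitted: str, now: int) -> bool:
        step = now // PERIOD
        if self.strict:
            # Fix: only a canonical code (exactly DIGITS digits) is considered,
            # so a given code has exactly one spelling and one cache key.
            if not re.fullmatch(r"[0-9]{%d}" % DIGITS, submitted):
                return False
            code = submitted
        else:
            # Bug class: comparison is lenient (" 123456 " and "123456" both
            # validate) but the replay cache still keys on the raw input, so
            # each spelling of the same code is "new" to the cache.
            code = submitted.strip()
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        key = (step, submitted)
        if key in self._used:
            return False
        self._used.add(key)
        return True


def replay_succeeds(strict: bool, now: int = 1_700_000_000) -> bool:
    """True if one valid code can be redeemed twice within a single time step."""
    verifier = TotpVerifier(SECRET, strict=strict)
    code = totp(SECRET, now)
    first = verifier.verify(code, now)
    second_spelling = " " + code + " "  # same code, different raw string
    return first and verifier.verify(second_spelling, now)


if __name__ == "__main__":
    print("lenient verifier, replay succeeds:", replay_succeeds(strict=False))
    print("strict verifier, replay succeeds: ", replay_succeeds(strict=True))
```

Keying the cache on the normalized code would also close the hole, but rejecting non-canonical input, as the v2.3.2 fix does, removes the question of which normalizations the verifier and the cache agree on; the price is the breaking change the advisory warns about, since callers that padded or wrapped codes will start receiving rejections.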

GreedyBear: 40 Fake Crypto Wallet Extensions Found on Firefox Marketplace

A new, coordinated cybercrime campaign called "GreedyBear" has stolen over $1 million from crypto users. Learn how the group uses malicious extensions, malware, and fake websites in an industrial-scale attack uncovered by Koi Security.

GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions

A newly discovered campaign dubbed GreedyBear has pushed more than 150 malicious extensions to the Firefox add-on marketplace, each designed to impersonate a popular cryptocurrency wallet, and has stolen more than $1 million in digital assets. The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, Koi Security researcher Tuval Admoni said. What makes the

Leak Reveals the Workaday Lives of North Korean IT Scammers

Spreadsheets, Slack messages, and files linked to an alleged group of North Korean IT workers expose their meticulous job-planning and targeting—and the constant surveillance they're under.

GHSA-856v-8qm2-9wjv: operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted if the insecure user_setup script is still being used to build new container images.

In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
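Because the exposure lives on in any image still built with the old script, the practical question is how to find it. The following is an added example, not Operator-SDK code: a check for a group- or world-writable passwd file, plus a function that does what the advisory describes an attacker doing (appending a second UID 0 account) so the impact is visible. It runs against a constructed root filesystem in a temporary directory, so it needs neither root nor a container; point `check_passwd` at an extracted image rootfs or at `/etc/passwd` inside a running container to use it for real. The file contents, modes and the `evil` account name are constructed for the example.

```python
"""Added example (not Operator-SDK code): detect the writable /etc/passwd the
old user_setup script produced, and show what write access to it buys.
"""
import os
import stat
import tempfile

# Constructed passwd contents for the temp rootfs.
PASSWD_CONTENT = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/:/sbin/nologin\n"
)


def check_passwd(path: str) -> list:
    """Findings for a passwd file; an empty list means the mode looks sane.

    Only the mode bits are checked: a group-writable passwd is a problem
    whatever the group, and in the affected images that group is root (gid 0),
    which the random-UID container process belongs to.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWGRP:
        findings.append(f"group-writable passwd (mode {mode:04o}, gid {st.st_gid})")
    if mode & stat.S_IWOTH:
        findings.append(f"world-writable passwd (mode {mode:04o})")
    return findings


def uid_zero_accounts(path: str) -> list:
    """Usernames whose UID field is 0; anything beyond 'root' deserves a look."""
    with open(path) as f:
        return [line.split(":")[0] for line in f if line.strip() and line.split(":")[2] == "0"]


def escalate(path: str, username: str = "evil") -> bool:
    """The attacker's step from the advisory: append a new UID 0 account.

    The empty password field means no password at all, so `su evil` (or a new
    exec into the container as that user) yields a uid 0 shell. Returns True
    if the write was permitted and the entry is now present.
    """
    try:
        with open(path, "a") as f:
            f.write(f"{username}::0:0::/root:/bin/sh\n")
    except PermissionError:
        return False
    return username in uid_zero_accounts(path)


def make_rootfs(mode: int) -> str:
    """Build etc/passwd with the given mode in a fresh temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc"))
    path = os.path.join(root, "etc", "passwd")
    with open(path, "w") as f:
        f.write(PASSWD_CONTENT)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    bad = make_rootfs(0o664)   # what user_setup left behind
    good = make_rootfs(0o644)  # the expected mode
    print("affected image:", check_passwd(bad) or "no findings")
    print("fixed image:   ", check_passwd(good) or "no findings")
    if escalate(bad):
        print("uid 0 accounts after tampering:", uid_zero_accounts(bad))
```

Note that the temp-dir demonstration cannot reproduce the group-membership part of the story (the test user owns the file, so the append succeeds on any mode); what it shows is the detection logic and the shape of the malicious entry. In a real affected container the process is a random non-root UID whose supplementary group is 0, and mode 664 with gid 0 is exactly what lets that append through.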