Security Headlines

Tag: #git

Scammers are still sending us their fake Robinhood security alerts

Fake alerts claim your Robinhood account is at risk. The link leads to a convincing copy of the site—but it’s built to steal your login.

Malwarebytes
#web #git #auth
Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks

New research has uncovered that publishers of over 100 Visual Studio Code (VS Code) extensions leaked access tokens that could be exploited by bad actors to update the extensions, posing a critical software supply chain risk. "A leaked VSCode Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base,"

Satellites leak voice calls, text messages and more

Scientists have revealed a gaping hole in global telecom security, intercepting personal and business data from geostationary satellites.

How Attackers Bypass Synced Passkeys

TLDR Even if you take nothing else away from this piece, if your organization is evaluating passkey deployments, it is insecure to deploy synced passkeys. Synced passkeys inherit the risk of the cloud accounts and recovery processes that protect them, which creates material enterprise exposure. Adversary-in-the-middle (AiTM) kits can force authentication fallbacks that circumvent strong

When Face Recognition Doesn’t Know Your Face Is a Face

An estimated 100 million people live with facial differences. As face recognition tech becomes widespread, some say they’re getting blocked from accessing essential systems and services.

Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped

Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program. Of the 183 vulnerabilities, eight of them are non-Microsoft

GHSA-9f2h-7v79-mxw3: Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

### Summary

Prototype pollution capabilities on various APIs.

### Details

Injection of a malicious payload allows an attacker to remotely execute arbitrary code. `Parse.Object` and internal APIs are affected, specifically:

- `ParseObject.fromJSON`
- `ParseObject.pin`
- `ParseObject.registerSubclass`
- `ObjectStateMutations` (internal)
- `encode`/`decode` (internal)

### PoC

Demonstrative tests added as part of the fix.

### References

- https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-9f2h-7v79-mxw3
- Patch: https://github.com/parse-community/Parse-SDK-JS/releases/tag/7.0.0-alpha.1

GHSA-5rrx-jjjq-q2r5: Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability

# Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability

## <a name="executive-summary"></a>Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 10.0, ASP.NET Core 9.0, ASP.NET Core 8.0, and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

## Discussion

Discussion for this issue can be found at https://github.com/dotnet/announcements/issues/372

### <a name="mitigation-factors"></a>Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

## <a name="affected-software"></a>Affected software

* Any ASP.NET Core 10.0 application running on ASP.NET Core 10.0.0-rc.1.25451.107 or earl...

GHSA-hrhf-2vcr-ghch: CometBFT's invalid BitArray handling can lead to network halt

Name: ASA-2025-003: Invalid BitArray handling can lead to network halt
Criticality: High (Considerable Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))
Affected versions: `<= v0.38.18`, `<= v0.37.15`, and `main` development branches
Affected users: Validators, Full nodes, Users

### Description

A bug was discovered in CometBFT's handling of `BitArray`s that have a mismatch between the `BitArray`'s expected number of `Elems` for the specified number of `Bits`. Additional validation was added to prevent processing `BitArray`s in this invalid state, as well as guards to prevent panics in `BitArray` methods if one of these invalid states is processed.

### Impact

`BitArray`s are present in a number of messages received from peers. When handling these messages, insufficient validation was applied to prevent processing messages in the aforementioned invalid state. In the worst case, nodes will gossip messages t...