#git

What Flock's ALPR cameras really collect, how they’re used in neighborhoods, and what you can do to stay in control.

Holiday deals are flooding your phone, and scammers are too. Watch for fake listings, phishing texts, and offers that seem just a little too good to be true.

Trustwave SpiderLabs warns of Eternidade Stealer, a new banking trojan spreading via personalised WhatsApp messages. Find out how this malicious software bypasses security checks and deploys fake login screens for major banks and wallets.

This week has been crazy in the world of hacking and online security. From Thailand to London to the US, we've seen arrests, spies at work, and big power moves online. Hackers are getting caught. Spies are getting better at their jobs. Even simple things like browser add-ons and smart home gadgets are being used to attack people. Every day, there's a new story that shows how quickly things are

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Low attack complexity Vendor: Automated Logic Equipment: WebCTRL Premium Server Vulnerabilities: Open Redirect, Cross-site Scripting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a remote attacker to deceive a legitimate user into running malicious scripts or redirecting them to malicious websites. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Automated Logic products are affected: Automated Logic WebCTRL Server: Version 6.1 Automated Logic WebCTRL Server: Version 7.0 Automated Logic WebCTRL Server: Version 8.0 Automated Logic WebCTRL Server: Version 8.5 Carrier i-Vu: Version 6.1 Carrier i-Vu: Version 7.0 Carrier i-Vu: Version 8.0 Carrier i-Vu: Version 8.5 Automated Logic SiteScan Web: Version 6.1 Automated Logic SiteScan Web: Version 7.0 Automated Logic SiteScan Web: Version 8.0 Automated Logic SiteScan Web: Version 8.5 Automated Logic WebCTRL for OEMs: Version 6.1 Automated Logic WebCTR...

Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting. The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating the need for a new category of warfare, the tech giant's

Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef. The end goal of the attacks is to establish persistence and deliver JavaScript malware that facilitates remote access and control, per a new report from Acronis Threat Research Unit (TRU). The campaign, per the

When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. Thank you to Benjamin Faller, Redguard AG and Michael Hess for reporting this issue!

### Summary The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the `?module` query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using `${...}` expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. **Root Cause:** The CSS module conversion logic (`router.go:1112-1119`) performs incomplete sanitization - it only checks for backticks (\`) but fails to escape template literal expressions (`${...}`), allowing arbitrary JavaScript execution when the CSS content is inserted into a template literal string. ### Details **File:** `server/router.go` **Lines:** 1112-1119 ...

### Summary The esm.sh CDN service is vulnerable to a Path Traversal (CWE-22) vulnerability during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., `package/../../tmp/evil.js`). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. Uploading files containing `../` in the path is not allowed on official registries (npm, GitHub), but the `X-Npmrc` header allows specifying any arbitrary registry. By setting the registry to an attacker-controlled server via the `X-Npmrc` header, this vulnerability can be triggered. ### Details **file:** `server/npmrc.go` **line:** 552-567 ```go func extractPackageTarball(installDir string, pkgName string, tarball io.Reader) (err error) { pkgDir := path.Join(installDir, "node_modules", pkgName) tr := tar.NewReader(unziped) for { h, err := tr.Next...