Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

GHSA-w8jq-xcqf-f792: Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch

### Summary PickleScan fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model. ### Details PickleScan relies on Python’s zipfile module to extract and scan files within ZIP-based model archives. However, certain flag bits in ZIP headers affect how files are interpreted, and some of these bits cause PickleScan to fail while leaving PyTorch’s loading mechanism unaffected. By modifying the flag_bits field in the ZIP file entry, an attacker can: - Embed a malicious pickle file (bad_file.pkl) in a PyTorch model archive. - Flip specific bits (e.g., 0x1, 0x20, 0x40) in the ZIP metadata. - Prevent PickleScan from scanning the archive due to errors raised by zipf...

ghsa
Open in Source
#vulnerability#mac#google#backdoor
Over 1000 Malicious Packages Found Exploiting Open-Source Platforms

Over 1,000 malicious packages found using low file counts, suspicious installs, and hidden APIs. Learn key detection methods…

How ads weirdly know your screen brightness, headphone jack use, and location, with Tim Shott (Lock and Code S06E05)

This week on the Lock and Code podcast, we speak with Tim Shott about his attempt to find his location data following a major data breach.

Fake CAPTCHA websites hijack your clipboard to install information stealers

An increasing number of websites use a clipboard hijacker and instruct victims on how to infect their own machine.

Navigating Crypto Without Sacrificing Your Privacy

Cryptocurrency offers financial freedom, but it also comes with privacy challenges. Unlike traditional banking, where transactions remain relatively…

Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox

Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the…

PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors

Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025. "The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical

Who is the DOGE and X Technician Branden Spikes?

At 49, Branden Spikes isn't just one of the oldest technologists who has been involved in Elon Musk's Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musk's most loyal employees. Here's a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elon's cousin.

Trump’s Spy Chief Urged to Declassify Details of Secret Surveillance Program

Tulsi Gabbard, the director of national intelligence, has long held anti-surveillance views. Now she oversees a key surveillance program she once tried to dismantle.

Bitcoin and Cybersecurity: Protecting Digital Assets in a Decentralized World

One of the many advancements in the financial system is the adoption of Bitcoin, which has shifted the…