#mac

The growing ecosystem of agents, chatbots, and machine credentials that outnumber human users by an order of magnitude is creating a poorly understood but potentially major security issue.

### Summary This affects e.g. `create-hash` (and `crypto-browserify`), so I'll describe the issue against that package Also affects `create-hmac` and other packages Node.js `createHash` works only on strings or instances of Buffer, TypedArray, or DataView. Missing input type checks in npm `create-hash` polyfill of Node.js `createHash` lead to it calculating invalid values, hanging, rewinding the hash state (including turning a tagged hash into an untagged hash) on malicious JSON-stringifyable input ### Details See PoC ### PoC ```js const createHash = require('create-hash/browser.js') const { randomBytes } = require('crypto') const sha256 = (...messages) => { const hash = createHash('sha256') messages.forEach((m) => hash.update(m)) return hash.digest('hex') } const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe') const receivedMessage = JSON.parse(payload) // e....

Apple has released security updates to patch a zero-day vulnerability tracked as CVE-2025-43300 for all platforms

Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day out-of-bounds write vulnerability, tracked as CVE-2025-43300, resides in the ImageIO framework that could result in memory corruption when processing a malicious image. "Apple is aware of a report that this issue may have been

Exposure of APIs, sensitive data, and corporate documents are just some of the security issues that the purveyor of Big Macs was cooking up.

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources. Users are recommended to upgrade to version 1.12.0 or use the master branch, which fixes this issue.

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'passwd' HTTP POST parameter in /ajax/php/login.php script.

A 22-year-old Oregon man has been arrested on suspicion of operating "Rapper Bot," a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets -- including a March 2025 DDoS that knocked Twitter/X offline. The Justice Department asserts the suspect and an unidentified co-conspirator rented out the botnet to online extortionists, and tried to stay off the radar of law enforcement by ensuring that their botnet was never pointed at KrebsOnSecurity.

Ransomware attackers continue to primarily target small and medium-sized manufacturing businesses in Japan.