#web

Calendar spam is a growing problem, often arriving as email attachments or as download links in messaging apps.

At New Zealand's Kawaiicon cybersecurity convention, organizers hacked together a way for attendees to track CO2 levels throughout the venue—even before they arrived.

A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign. "While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting

An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage.

Samsung is under fire again for shipping phones in parts of the world with a hidden system app, AppCloud, that users can’t easily remove.

In March 2024, Mozilla said it was winding down its collaboration with Onerep -- an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites -- after KrebsOnSecurity revealed Onerep's founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later, however, Mozilla is still promoting Onerep. This week, Mozilla announced their partnership with Onerep will officially end next month.

Martin muses on how agentic AI is bringing efficiency improvements to the business of cyber crime.

When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory.

A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) in OSV-SCALIBR.

### Summary A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of **md-to-pdf** library, resulting in remote code execution. ### Details **md-to-pdf** uses the gray-matter library to parse front-matter. Gray-matter exposes a JavaScript engine that, when enabled or triggered by certain front-matter delimiters (e.g. ---js or ---javascript), will evaluate the front-matter contents as JavaScript. If user-supplied Markdown is fed to md-to-pdf and the front-matter contains malicious JS, the converter process will execute that code. ### PoC ``` const { mdToPdf } = require('md-to-pdf'); var payload = '---javascript\n((require("child_process")).execSync("calc.exe"))\n---RCE'; (async () => { await mdToPdf({ content: payload }, { dest: './output.pdf'}); })(); ``` Running the PoC on Windows launches the calculator application, demonstrating arbitrary code execution. #...