Discussions about information security and privacy

Main

infosec

Vibe coding is the future 🤣 https://t.co/wfoZIThtOF

https://x.com/ai_for_success/status/1977075519641600157?s=46&t=dO0uo_CgV6MrB7N3NkVjDA

Latest research from Anthropic finds that just 250 documents are needed to backdoor an LLM *regardless of model size or training data volume*

Latest research from Anthropic finds that just 250 documents are needed to backdoor an LLM *regardless of model size or training data volume*
https://www.anthropic.com/research/small-samples-poison

Oh wow, another SGX vulnerability?

shockedpikachu.jpeg

https://wiretap.fail/

A 35 mile radius around the UN HQ is massive and includes ~20M people. 

I’m curious what the specific attack would be. Not saying there isn’t one, it’s just unclear to me.

The Secret Service dismantled a network of more than 300 SIM servers and 100,000 SIM cards in the New York-area that were capable of crippling telecom systems and carrying out anonymous telephonic attacks, disrupting the threat before world leaders arrived for the UN General https://t.co/sZKUeGqvGY

A 35 mile radius around the UN HQ is massive and includes ~20M people. 

I’m curious what the specific attack would be. Not saying there isn’t one, it’s just unclear to me. 
https://x.com/secretservice/status/1970445933667082482?s=46&t=dO0uo_CgV6MrB7N3NkVjDA

https://socket.dev/blog/malicious-fezbox-npm-package-steals-browser-passwords-from-cookies-via-innovative-qr-code?utm_medium=feed

ETHSecurity Community

Samsung device users urged to update software due to critical security flaw!

Vulnerability – CVE-2025-21043 – could be exploited by an attacker to remotely gain access to devices and install malicious code without the users knowing it. If left unfixed, cyber criminals could steal confidential data and drain bank accounts.

Devices that need to be updated include Samsung’s flagship devices such as the Galaxy S25 and the Galaxy Z Fold7, as well as the Galaxy A56 5G.

Lithp or die! | He/him | Bluesky: @aerique.bsky.social | Mastodon: @aerique@genart.social | Nostr: @aerique (npub1hua:vstpamsh)

Neat. Leaked documents, source code, and package repositories for the Great FIrewall of China, if anyone else was curious about how any of that works.

Neat. Leaked documents, source code, and package repositories for the Great FIrewall of China, if anyone else was curious about how any of that works.
https://gfw.report/blog/geedge_and_mesa_leak/en/

Cursed week out there for phishing and malware. Rules to live by:

Never join a call with someone you don't know on their terms (also a good Business Power Move)

Never download anything from a DM or chat. That "game" or "chat app" they want to share with you is always malware.

Distrust by default, don't even engage if you can't check references.

Don't let FOMO or urgency fool you.

Stay noided!

https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c

Round two. Stay safe y'all.

seems bad

https://x.com/P3b7_/status/1965094840959410230?t=hhC2j1yyy0OEycyPKumdOg&s=19

yeesh

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Fern has been killing it lately with their hacker documentaries.

Fern has been killing it lately with their hacker documentaries.
https://youtu.be/imCjhNEovL4?feature=shared

Urgent! Just by receiving an image in your iPhone or Mac, your device can be FULLY compromised. Update your devices ASAP!

Also recommended:

• Disable auto download of images in Telegram;
• Disable the auto download of images in WhatsApp;
• Disable iMessage for complete or, if you wanna keep it, enable Lockdown mode.

Some more context about the below https://www.theregister.com/2025/08/21/apple_imageio_exploit/

"And you know they don't give a shit because none of those leaks were caused by some nation-state-sponsored l33t h4x0r deploying the latest and greatest exploits. This was some rando with a Python script."

"And you know they don't give a shit because none of those leaks were caused by some nation-state-sponsored l33t h4x0r deploying the latest and greatest exploits. This was some rando with a Python script."

https://crankysec.com/blog/savvy/

Feels so good to interact with the infosec community as a whole, I cant imagine why we have bad reputation as not being welcoming!

https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/ pretty interesting using cross device sign in ( https://www.passkeycentral.org/design-guidelines/optional-patterns/cross-device-sign-in ) to bypass fido2 hurdle, effectively turning the hardware token into QR code and asking the user to scan it