Attacks & Vulnerabilities

Public GitLab repositories exposed more than 17,000 secrets (2 minute read)

Security researcher Luke Marshall scanned all 5.6 million public GitLab Cloud repositories with TruffleHog and found 17,430 verified active secrets across 2,804 distinct domains, nearly three times the number found in a similar scan of Bitbucket. The leaked credentials included over 5,200 Google Cloud Platform keys, MongoDB credentials, Telegram bot tokens, and OpenAI keys. Some secrets date back to 2009 and are still valid today. Many organizations revoked their credentials after receiving automated alerts, earning the researcher $9,000 in bug bounties, but some secrets remain exposed in GitLab repositories.

Upbit admits security flaw that could have allowed attackers to infer private keys after $30m hack (3 minute read)

South Korean crypto exchange Upbit suffered a $30 million breach on November 27 when attackers drained assets from a Solana hot wallet. North Korea's Lazarus Group is suspected of being the threat actor. Post-incident analysis revealed a critical vulnerability that allowed a private key to be inferred from publicly visible blockchain wallet transactions, though Upbit's CEO did not explicitly confirm that this flaw enabled the breach. The exchange has suspended deposits and withdrawals for a complete overhaul of its wallet system and will cover all customer losses from company assets. $1.5 million of the stolen funds have already been frozen.

New Albiriox Malware Attacking Android Users to Take Complete Control of their Device (2 minute read)

A new Malware-as-a-Service called Albiriox has been observed providing customers with remote access to victims' Android devices. Victims typically receive messages promising discounts or prizes through an app. The links lead to fake versions of legitimate apps that request permission to install applications, then fetch and install the malware. In addition to traditional infostealer capabilities, Albiriox includes a VNC module that streams the victim's device screen to the attacker.

Inside Valkyrie Stealer: Capabilities, Evasion Techniques, and Operator Profile (20 minute read)

Valkyrie Stealer is a C++ infostealer developed by the threat actor "Lawxsz". It employs Themida protection, a ChaCha20-encrypted payload loaded through reflective DLL loading, and comprehensive anti-VM defenses. The malware targets Chromium-based browsers by extracting the AES master key and parsing SQLite databases with an embedded engine, steals Discord and Telegram sessions, harvests credentials from more than 20 gaming platforms, and exfiltrates cryptocurrency wallets from MetaMask, Exodus, Atomic Wallet, and Electrum. Stolen data is compressed using dual-method ZIP packaging, encrypted with AES-GCM under hardcoded keys, and exfiltrated to C2 servers whose addresses are resolved dynamically by scraping Steam profiles. The operator maintains active distribution channels on Telegram, GitHub, YouTube, Discord, and Signal under the Prysmax Software brand.

Cache Poisoning Case Studies Part 1: Foundational Attacks Behind a $100K+ Vulnerability Class (7 minute read)

Cache poisoning is a web security vulnerability in which attackers trick caching systems, such as CDNs or proxies, into storing a malicious response and serving it to other users, causing widespread harm. Early real-world examples from platforms such as HackerOne, GitHub, and Shopify show that unvalidated headers such as X-Forwarded-Host or Content-Type can trigger global redirects, denial of service, or stored XSS across multiple domains. These foundational cases, often yielding bounties of $2,500 to $6,300, also highlight risks such as method overrides in cloud storage and social media amplification via Open Graph tags.

PAM without vaults (Sponsor)

If engineer access to resources means passwords, vaults, or tickets, your PAM is slowing you down. Teleport removes access blockers by replacing vaulted credentials and ticket queues with short-lived cryptographic identity and ephemeral authorization. No more standing privileges, access friction, or credential handling. Try Teleport for yourself.

LUMEN (GitHub Repo)

LUMEN is a browser-based Windows Event Log analyzer built with React and WebAssembly that processes EVTX files entirely client-side, without uploading logs to external servers. It supports files up to 500MB in both binary EVTX and XML export form. The tool features a curated SIGMA detection engine with platform-specific rule loading, automated event correlation that chains related activities into investigative storylines, IOC extraction with optional VirusTotal integration, and AI-powered analysis. Security teams can perform guided investigations while keeping data private through local-only processing, with session persistence via localStorage and no telemetry or data transmission.

Proximity (GitHub Repo)

Proximity scans MCP servers to discover their tools, prompts, and resources. It provides a detailed analysis of server capabilities and an optional security evaluation using NOVA rules.

GMSGadget (WebApp)

Give Me a Security Gadget (GMSGadget) is a collection of JavaScript gadgets that can be used to bypass XSS mitigations such as Content Security Policy (CSP) and HTML sanitizers such as DOMPurify.

HashJack Attack Uses URL '#' to Control AI Browser Behavior (2 minute read)

HashJack is a novel indirect prompt injection technique that embeds malicious commands in URL fragments (the part after the # symbol) to manipulate AI browser assistants such as Google Gemini, Microsoft Copilot, and Perplexity Comet. The attack takes advantage of how these assistants handle full URLs, letting threat actors weaponize legitimate websites without compromising them and execute malicious instructions that bypass traditional security controls, enabling credential theft, data exfiltration, and more. Microsoft and Perplexity updated their products by October-November, but Google considered the Gemini behavior to be expected and chose not to fix it, leaving users exposed to this emerging AI security threat.

Brit telco Brsk confirms breach as bidding begins for 230K+ customer records (2 minute read)
Brsk, a UK broadband provider, is investigating a cyberattack after criminals advertised more than 230,000 customer records for sale, allegedly including contact details, installation data, location information, phone numbers, and flags marking vulnerable customers. The company says only basic contact data was accessed and that no passwords or payment details were taken. It is offering affected users 12 months of credit monitoring while regulators and law enforcement investigate.

Thanks for reading, Prasanna Gautam, Eric Fernandez & Sammy Tbeile