Hasty Briefsbeta

All tags

#security

683 stories total

Bilingual

Show HN: ContextFort – Visibility and controls for browser agents
4 months ago
- ContextFort provides visibility into agent sessions, including which pages are visited and actions taken on each page.
- Security teams can control agent actions by blocking specific actions on specific pages.
- Risky cross-site flows can be blocked within a single session or stricter policies can be applied to prevent external context from being brought into certain sites.
- Enterprise deployments can contact ContextFort for cloud or self-hosted management solutions.
CVEs Affecting the Svelte Ecosystem
4 months ago
- Patches released for 5 vulnerabilities in Svelte ecosystem packages: devalue, svelte, @sveltejs/kit, and @sveltejs/adapter-node.
- Upgrade to non-vulnerable versions: devalue (5.6.2), svelte (5.46.4), @sveltejs/kit (2.49.5), @sveltejs/adapter-node (5.5.1).
- CVE-2026-22775: DoS in devalue.parse due to memory/CPU exhaustion affecting devalue versions 5.1.0 through 5.6.1.
- CVE-2026-22774: Similar DoS in devalue.parse affecting versions 5.3.0 through 5.6.1.
- CVE-2026-22803: Memory amplification DoS in SvelteKit's remote functions affecting versions 2.49.0 through 2.49.4.
- CVE-2025-67647: DoS and possible SSRF in prerendering affecting @sveltejs/kit and @sveltejs/adapter-node under specific conditions.
- CVE-2025-15265: XSS via hydratable in svelte versions 2.46.0 through 2.46.3.
- Encouragement to report vulnerabilities privately via the Security tab on relevant repos.
- Community and security researchers thanked for responsible disclosure and collaboration.
11% of vibe-coded apps are leaking Supabase keys
4 months ago
- Supabase is not insecure by design; it includes robust security features like Row Level Security (RLS) and role-based API keys.
- Common security issues arise from developer mistakes, such as AI-generated insecure boilerplate or misconfigured environment variables.
- In 2024-2025, tools like Supabase, AI assistants, and no-code builders made full-stack app development faster but introduced security risks.
- A scan of indie product directories revealed many apps misconfiguring Supabase, exposing service_role keys or lacking RLS policies.
- The service_role key bypasses RLS, allowing full database access if exposed, contrary to Supabase's guidelines.
- Exposure rates varied across directories, with TrustMRR having the highest rate at 23.76%.
- Leaks often occur in JavaScript bundles, sometimes due to framework auto-exposure of environment variables.
- Common causes include AI-generated code, skipped backend configurations, and copy-paste tutorials omitting security steps.
- To fix issues, rotate keys, audit environment variables, move sensitive operations to the backend, enable RLS, and add build-time checks.
- SupaExplorer offers tools to scan and fix security misconfigurations, helping developers secure their Supabase projects.
A free and open-source rootkit for Linux
4 months ago
- Singularity is an open-source rootkit for Linux designed to help security research.
- It hides its presence, processes, network activity, and files using sophisticated techniques.
- Uses Ftrace to hook into system calls without modifying kernel machine code directly.
- Prevents detection by resetting kernel taint markers and blocking module unloading.
- Hides processes by intercepting system calls and adjusting system-reported process counts.
- Filters directory entries and file reads to hide files and maintain filesystem consistency.
- Supports hiding network connections on specific ports from tools like netstat and packet captures.
- Compatible with x86 and x86_64, supporting both 32-bit and 64-bit system calls.
- Includes utility scripts for cleaning logs and ensuring persistence across reboots.
- Encourages ethical use for research, not malicious activities, under MIT license.
Show HN: Agent Skills Leaderboard
3 months ago
- List of various skills and best practices across different domains like web development, marketing, security, and more.
- Skills categorized under different organizations and repositories such as Vercel, Expo, Better Auth, and Trail of Bits.
- Includes development practices (e.g., React, Vue, Nuxt), security tools (e.g., Semgrep, Burp Suite), and marketing strategies (e.g., SEO, paid ads).
- Highlights specialized skills like 'baoyu-cover-image', 'baoyu-comic', and 'baoyu-post-to-wechat' under Jim Liu's repository.
- Features skills related to debugging, testing, and code review under Obra's superpowers.
- Lists skills for specific technologies like Solana, Convex, and SwiftUI.
- Includes skills for content creation, design principles, and internal communications.
Hacker Lists Vibecoded Apps: 198 Scanned, 196 Found Vulnerable
3 months ago
- 198 iOS apps were scanned, with 196 having exposed data.
- Highest exposure apps listed by most exposed files and database records.
- Top charts show apps with the most files exposed today and recently scanned apps.
- Public app registry includes all scanned apps, exposed records, and schema names without record contents.
- Notable apps with high record exposures: Chat & Ask AI (406M), GenZArt (18.9M), YPT - Study Group (13.5M).
- Other apps with significant exposures include Adult Coloring Book (7.7M), Kmstry (7.4M), and song.ai.generator (5.4M).
- List includes 1–20 of 198 apps with varying levels of data exposure.
Crates.io: Development Update
3 months ago
- New 'Security' tab on crate pages displays RustSec advisories for known vulnerabilities.
- Trusted Publishing now supports GitLab CI/CD and has a 'Trusted Publishing Only' mode.
- Blocked GitHub Actions triggers (pull_request_target and workflow_run) for security.
- Source lines of code (SLOC) metrics added to crate pages for size insight.
- New 'pubtime' field in crate index entries for tracking publication times.
- Ongoing migration to Svelte frontend for modernization and better contributor experience.
- Miscellaneous updates include Cargo user agent filtering, HTML emails, encrypted GitHub tokens, and CDN optimizations.
I'll pass on your zoom call.
3 months ago
- Signal drop on Relay (operand.online) usually indicates an upgrade.
- Jitsi is highlighted as a secure, open-source alternative to Zoom, allowing users to manage permissions directly in the browser.
- Criticism of Zoom's security and privacy policies, emphasizing the lack of transparency and user data protection.
- Personal security practices include using a VM for calls to isolate and protect personal data.
- Zoom's terms of service are critiqued for invasive data collection and sharing practices, with a focus on user rights erosion.
- Call to action for more secure communication practices and alternatives like Jitsi.
Show HN: Dotenv Mask Editor: No more embarrassing screen leaks of your .env
3 months ago
- Dotenv Mask Editor is a visual editor for .env files with automatic secret masking.
- It provides a table-based interface for .env, .env.*, and *.env files.
- Values with 6 or more characters are masked (replaced with ******) to prevent accidental exposure.
- Masked values are only revealed during active editing for privacy.
- The extension operates locally with no external dependencies or network requests.
- Features include direct editing of keys and values, and support for custom file patterns via VS Code settings.
- To use, open a .env file; if it doesn't auto-associate, manually select the Dotenv Mask Editor.
Vulnerable WhisperPair Devices – Hijack Bluetooth Accessories Using Fast Pair
4 months ago
- List of vulnerable and non-vulnerable accessories provided.
- Recommendation to keep devices updated for security.
- WhisperPair implementation not publicly available due to ethical considerations.
- Testing harness available upon private request.
Runjak.codes: An adversarial coding test
3 months ago
- Author encountered a suspicious coding test from a company named Solvolabs.
- Discovered malicious scripts in the repository's history, designed to download and execute unauthorized code.
- Scripts fetched from various domains (codeviewer-three.vercel.app, jerryfox-platform.vercel.app, vscode-lnc.vercel.app) were part of a potential phishing or malware attack.
- The scripts included steps to authenticate, download, and execute further malicious payloads with short-lived JWTs.
- Author reported the malicious GitHub organization and domains to GitHub and Vercel.
- Reflects on the ease of falling for phishing attempts despite vigilance and the importance of being cautious during job searches.
Remotely unlocking an encrypted hard disk with systemd initrd on Arch
3 months ago
- The author describes a setup where they remotely access their home desktop via SSH to save battery on their old ThinkPad.
- They face issues when their home loses power or the desktop's public IP changes, previously solved with BIOS settings and Tailscale.
- After installing Arch with an encrypted boot partition, they propose embedding Tailscale in the initramfs to allow remote unlocking.
- Initramfs is explained as a small OS loaded into memory during early boot, capable of running services like systemd.
- The plan involves setting up networking, Tailscale, and an SSH server (Dropbear) in initramfs, with security measures like ACLs and non-expiring keys.
- Detailed steps include configuring systemd services, Tailscale tags, Dropbear settings, and network setup for Ethernet.
- The author concludes by emphasizing the power of creative solutions in computing.
Three RCEs in Ilias Learning Management System
3 months ago
- Three previously unknown vulnerabilities enabling remote code execution (RCE) in ILIAS versions 8, 9, and 10 were discovered.
- Unauthenticated RCE (CVE-2025-11344) exploits the course certification import functionality, allowing file uploads and execution via .htaccess manipulation.
- Two authenticated RCE vulnerabilities (CVE-2025-11345 and CVE-2025-11346) involve insecure deserialization, enabling code execution for users with certain permissions.
- The vulnerabilities were responsibly disclosed, and patches have been released in versions 8.25, 9.15, and 10.3.
- Impact includes complete server compromise, with unauthenticated RCE possible if 'Test' or 'Course' objects are exposed in public areas.
- The blog post highlights the complexity of ILIAS and the importance of timely security updates.
Selectively Disabling HTTP/1.0 and HTTP/1.1
3 months ago
- HTTP/3 was enabled for the site in January 2026, with most traffic still using HTTP/1.X, which was largely malicious.
- Two approaches were used to selectively disable HTTP/1.X: allowing only known good agents or excluding assumed bad agents.
- Nginx configuration changes included using the map directive to create variables for decision-making on traffic allowance.
- Approach 1: Only known good agents (like text-based browsers and major bots) are allowed to use HTTP/1.X.
- Approach 2: Only assumed bad agents (like blank user agents or questionable ones) are blocked from using HTTP/1.X.
- HTTP Status 426 is returned for disallowed HTTP/1.X requests, with logs to review and adjust allowances.
- Testing showed successful blocking of malicious requests, with a significant drop in bad traffic after implementation.
- The author initially preferred Approach 1 but leaned towards Approach 2 for broader compatibility with legitimate bots.
- Considerations include the trade-off between security and accessibility for different types of users and bots.
- HTTP/1.0 is largely obsolete, while HTTP/1.1 is still used but lacks modern security features.
Ubuntu Pro subscription – should you pay to use Linux?
3 months ago
- Ubuntu Pro is a subscription service offering quick and high-quality security updates for Ubuntu.
- Pricing: $25/year for Enterprise users, with a free version available for personal use.
- Activation involves using a token from the Ubuntu Pro dashboard and running a command in the terminal.
- Key services include ESM Apps, ESM Infra, and Livepatch for security updates.
- Commands like `sudo pro status --all` and `sudo pro security-status` help monitor subscription and security status.
- Ubuntu Pro provides extended security updates until 2034 for Main/Restricted and Universe/Multiverse packages.
- Landscape is a fleet management tool for Ubuntu Pro systems, though more suited for servers than desktops.
- Canonical is actively investing in Landscape, indicating its importance in their business model.
- Ubuntu Pro marks a shift towards offering services to individual users, not just enterprises.
- The article advocates for paid open-source models like Ubuntu Pro to sustain development and maintenance.
Copilot committed my repo secrets into AGENTS.md
3 months ago
- The web application is highly interactive and requires JavaScript.
- Simple HTML interfaces are possible but not the focus of this application.
- Ben Foxall encountered an issue where GitHub Copilot extracted secrets into a plain markdown file and committed it to his repository.
Kubernetes Remote Code Execution via Nodes/Proxy Get Permission
3 months ago
- Kubernetes vulnerability allows code execution on every Pod in clusters using nodes/proxy GET permissions.
- The vulnerability affects Kubernetes versions v1.34 and v1.35, requiring network access to the Kubelet API (Port 10250).
- Exploitation involves using WebSockets to bypass CREATE permission checks, executing commands in any Pod, including privileged system Pods.
- 69 Helm charts are identified as affected, including notable ones like prometheus-community/prometheus and grafana/promtail.
- Kubernetes Security Team closed the report as 'Won’t Fix', stating the behavior is working as intended.
- KEP-2862 (Fine-Grained Kubelet API Authorization) is recommended as a future solution but is currently in Beta and not GA.
- Detection script provided to check for vulnerable service accounts in clusters.
- Proof of Concept (PoC) script demonstrates command execution in Pods using nodes/proxy GET permissions.
- Disclosure timeline shows initial report on November 1, 2025, and public disclosure on January 26, 2026.
- Appendix lists 69 affected Helm charts with links for further inspection.
Discord won't fix the invisibility bypass CVE, so I made a PoC
3 months ago
- Discord Invisibility Checker / Bypass (CVE-2026-24332) reveals if friends are offline or hiding.
- Uses a Proof of Concept (PoC) script to distinguish 'Invisible' from 'True Offline' users.
- Inspects the WebSocket READY packet for detection.
- Educational use only; automating user actions violates Discord TOS.
GitHub - hashicorp/vault: A tool for secrets management, encryption as a service, and privileged access management
3 months ago
- Vault is a tool for securely accessing secrets like API keys, passwords, and certificates.
- Key features include Secure Secret Storage, Dynamic Secrets, Data Encryption, Leasing and Renewal, and Revocation.
- Vault provides a unified interface for secrets with tight access control and detailed audit logs.
- Documentation, tutorials, and certification exams are available on HashiCorp's platform.
- For development, Go is required, and the repository can be cloned outside the GOPATH.
- Testing involves Docker, and acceptance tests can be run with specific environment variables.
- Vault Enterprise features are detailed on the Vault Enterprise site.
- Experimental Docker-based testing is available for both OSS and Enterprise versions.
Allowlisting some Bash commands is often the same as allowlisting all
3 months ago
- Agentic coding tools like Claude Code can speed up development by allowlisting Bash commands and file edits without approvals.
- Allowing commands like 'go test' or 'go generate' can lead to arbitrary code execution if files are editable by the tool.
- Tools like 'eslint', 'make', 'pnpm run', and 'docker' can also be exploited to run arbitrary commands if not properly restricted.
- Developer tools are designed to execute code, making it difficult to prevent arbitrary code execution when combined with file edits.
- Sandboxing is recommended as an alternative to command allowlisting to limit the permissions of agentic tools.
- Cursor, Claude Code, and Codex are releasing sandboxing tools, with some using 'sandbox-exec' on macOS.

first prev27next

About|Login

#security

Show HN: ContextFort – Visibility and controls for browser agents

CVEs Affecting the Svelte Ecosystem

11% of vibe-coded apps are leaking Supabase keys

A free and open-source rootkit for Linux

Show HN: Agent Skills Leaderboard

Hacker Lists Vibecoded Apps: 198 Scanned, 196 Found Vulnerable

Crates.io: Development Update

I'll pass on your zoom call.

Show HN: Dotenv Mask Editor: No more embarrassing screen leaks of your .env

Vulnerable WhisperPair Devices – Hijack Bluetooth Accessories Using Fast Pair

Runjak.codes: An adversarial coding test

Remotely unlocking an encrypted hard disk with systemd initrd on Arch

Three RCEs in Ilias Learning Management System

Selectively Disabling HTTP/1.0 and HTTP/1.1

Ubuntu Pro subscription – should you pay to use Linux?

Copilot committed my repo secrets into AGENTS.md

Kubernetes Remote Code Execution via Nodes/Proxy Get Permission

Discord won't fix the invisibility bypass CVE, so I made a PoC

GitHub - hashicorp/vault: A tool for secrets management, encryption as a service, and privileged access management

Allowlisting some Bash commands is often the same as allowlisting all