What I'm listening to today: "RK 5000 bucket chain excavator - timelapse"
Why does this go so hard
Here's another crates.io security advisory, again many thanks to Socket!
Malicious crates `finch-rust` and `sha-rust` have been removed; they appeared to try to exfiltrate credentials stored in local files.
Our official announcement: https://blog.rust-lang.org/2025/12/05/crates.io-malicious-crates-finch-rust-and-sha-rust/
Socket's blog post with more technical analysis: https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials
Also we're having discussions in Zulip in `t-crates-io
> how to announce takedowns?` about possible changes to these announcements.
Yesterday, after various bogus AI slopped "PoC"s, eventually a functional PoC for the React RCE emerged:
https://github.com/msanft/CVE-2025-55182
We now have a PoC from the reporter of the vulnerability as well:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
🔴 We're going live with Binary Ninja, at 10am EST (3pm GMT / 4pm CET / 11pm SGT). Join us here: https://www.youtube.com/live/nzar2L4GUJ8
#cybersecurity #reverseengineering #binary #softwareengineering
You fail to realize you are on a honeypot.
https://any.run/cybersecurity-blog/lazarus-group-it-workers-investigation/
Since I started to analyze #CVE-2025-55182 (#React, #NextJS #RCE) at work today, I decided to publish my analysis findings so far, given all the fuzz about the vulnerability: https://github.com/msanft/CVE-2025-55182
Feel free to contribute to the search for a proper RCE sink!
The ChatGPT outage the other day made me wonder if we will see DDoS crews hold AI services for ransom. Many of them have deep pockets and being down a day or two would hurt.
NEW: Staffers at notorious spyware maker Intellexa had live remote access to their customers' surveillance systems.
This allowed them to see the personal data of targets hacked with Intellexa's spyware Predator, according to new research based on a leaked training video.
Needless to say, this is bad for several reasons.
Workforce shortage: a developer changed career to mine stone for Great Leader after infecting his own machine for testing, turning your operation into an online version of the imperialist video game Uplink.