Update to 4.11.1 now if you use it
CVE-2025-43515
https://support.apple.com/en-us/125693
Whoopsie.
Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. The vulnerability allows an attacker to execute arbitrary code by placing a malicious .sfw.config file in a project directory. When a developer runs Socket Firewall commands (e.g., sfw npm install) in that directory, the tool loads the .sfw.config file and populates environment variables directly into the Node.js process. An attacker can exploit this by setting NODE_OPTIONS with a --require directive to execute malicious JavaScript code before Socket Firewall's security controls are initialized, effectively bypassing the tool's malicious package detection. The attack vector is indirect and requires a developer to install dependencies for an untrusted project and execute a command within the context of the untrusted project. The vulnerability has been patched in Socket Firewall version 0.15.5. Users should upgrade to version 0.15.5 or later. The fix isolates configuration file values from subprocess environments. Look at sfw --version for version information. If users rely on the recommended installation mechanism (e.g. global installation via npm install -g sfw) then no workaround is necessary. This wrapper package automatically ensures that users are running the latest version of Socket Firewall. Users who have manually installed the binary and cannot immediately upgrade should avoid running Socket Firewall in untrusted project directories. Before running Socket Firewall in any new project, inspect .sfw.config and .env.local files for suspicious NODE_OPTIONS or other environment variable definitions that reference local files.
https://github.com/SocketDev/firewall-release/security/advisories/GHSA-6c5p-vqrh-h6fp
The video for my TalosCon 2025 keynote, "The Complexity of Simplicity", is now up:
https://www.youtube.com/watch?v=Cum5uN2634o
Slides:
https://speakerdeck.com/bcantrill/the-complexity-of-simplicity
Huge Ws for Rust adoption in Android!
Historically, security improvements often came at a cost. More security meant more process, slower performance, or delayed features, forcing trade-offs between security and other product goals. The shift to Rust is different: we are significantly improving security and key development efficiency and product stability metrics.
https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html
In our latest blog we speak with Marion Marschalek of @blackhoodie on how community fuels career, how one challenge led to many opportunities and how you can get involved.
https://hex-rays.com/blog/blackhoodie-interview-2025
title text: 'They really shouldn't let those small cars drive in traffic. I worry I'm going to kill someone if I hit one! They should have to drive on the sidewalk, safely out of the way.'
desktop link: https://xkcd.com/3167
mobile link: https://m.xkcd.com/3167
explainxkcd: https://www.explainxkcd.com/wiki/index.php/3167
AWS dug through its honeypot data and confirmed that CVE-2025-5777 (Cisco ISE RCE) and CVE-2025-5777 (memory leak in Citrix NetScaler) were exploited as zero-days before their patches.
Nothing new here except the confirmation that an APT was behind the attacks
https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/
I bet I can use Atomic Rockets to calculate the kinetic energy of an IBM PS/2 Model 80 dropped from low orbit
Making .NET Serialization Gadgets by Hand https://www.vulncheck.com/blog/making-dotnet-gadgets
LibAFL 0.15.4 has just been released 🎉
Of the 30 Contributors for this release, almost half are new faces <3
The open-source FFmpeg project, used by companies like Google for multimedia processing, urged Google to fund its volunteer developers. FFmpeg is overwhelmed by bugs reported by Google's AI security tools and lacks resources to fix them quickly. https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/