Taneli Waltari (@twaltari@mastodon.social)

HD MooreNext.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps. Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone.You can find links to the advisory and queries for runZero at: <a href="https://www.runzero.com/blog/next-js/" rel="nofollow noopener" translate="no" target="_blank">https://www.runzero.com/blog/next-js/</a>

Jonathan Wright :almalinux:Meta disclosed a high-priority remote code execution vulnerability in freetype earlier this week, CVE-2025-27363. Patches are available for testing in <a href="https://fosstodon.org/tags/AlmaLinux" class="mention hashtag" rel="nofollow noopener" target="_blank">#AlmaLinux</a><a href="https://almalinux.org/blog/2025-03-13-cve-2025-27363-patches/" rel="nofollow noopener" translate="no" target="_blank">https://almalinux.org/blog/2025-03-13-cve-2025-27363-patches/</a>PRs are open against CentOS Stream 8 and 9, but unmerged at this time.

Markus TackerWell, that gets me excited, because I go a lot of extra ways to avoid tsc as much as possible because it is terribly slow. <a href="https://github.com/microsoft/typescript-go" rel="nofollow noopener" translate="no" target="_blank">https://github.com/microsoft/typescript-go</a> <a href="https://chaos.social/tags/TypeScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#TypeScript</a>

The New Oil<a href="https://mastodon.thenewoil.org/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> paid $12 million in bug bounties last year to security researchers<a href="https://www.bleepingcomputer.com/news/security/google-paid-12-million-in-bug-bounties-last-year-to-security-researchers/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/google-paid-12-million-in-bug-bounties-last-year-to-security-researchers/</a><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mastodon.thenewoil.org/tags/BugBounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#BugBounty</a>

Taggart :donor:Another banger from WatchTowr. Turns out a lot of software projects register, then abandon, cloud storage accounts. These accounts can be re-registered and made to deliver whatever the registrant wants: <a href="https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/" rel="nofollow noopener" translate="no" target="_blank">https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/</a>

Michael Veale“Everyone knows your location: tracking myself down through in-app ads” - a very interesting hands-on blog post about contemporary location data flows and sales <a href="https://timsh.org/tracking-myself-down-through-in-app-ads/" rel="nofollow noopener" translate="no" target="_blank">https://timsh.org/tracking-myself-down-through-in-app-ads/</a>

Anil DashI think everyone who has an opinion, positive or negative, about LLMs, should read how <a href="https://fedi.simonwillison.net/@simon" class="u-url mention" rel="nofollow noopener" target="_blank">@simon</a> summed up what’s happened in the space this year. He’s the most credible, most independent, most honest, and most technically fluent person watching the space. <a href="https://simonwillison.net/2024/Dec/31/llms-in-2024/" rel="nofollow noopener" translate="no" target="_blank">https://simonwillison.net/2024/Dec/31/llms-in-2024/</a>

Alec RobertsStudy Shows Incredible Results of Pairing Solar Panels With Agriculture: ‘Getting more from the land’ <a href="https://www.goodnewsnetwork.org/another-study-shows-incredible-results-of-pairing-solar-panels-with-agriculture-getting-more-from-the-land/" rel="nofollow noopener" translate="no" target="_blank">https://www.goodnewsnetwork.org/another-study-shows-incredible-results-of-pairing-solar-panels-with-agriculture-getting-more-from-the-land/</a> <a href="https://mastodon.energy/tags/agrivoltaics" class="mention hashtag" rel="nofollow noopener" target="_blank">#agrivoltaics</a>The international study found certain crops, such as maize, Swiss chard and beans, thrived under the partial shade provided by solar panels.The shade helped to reduce water loss through evaporation, while additionally using the rainwater harvested from the panels to supplement irrigation needs.

Pekka Tahkola1000 out of 1200 kids in this school in <a href="https://mas.to/tags/Oulu" class="mention hashtag" rel="nofollow noopener" target="_blank">#Oulu</a>, <a href="https://mas.to/tags/Finland" class="mention hashtag" rel="nofollow noopener" target="_blank">#Finland</a>, arrive by <a href="https://mas.to/tags/bicycle" class="mention hashtag" rel="nofollow noopener" target="_blank">#bicycle</a>, even in winter. 100-150 walk, rest by ski, kicksleds and car. This day it was -17°C, some days it can be colder than -30°C.Note that this is only one of the four bicycle parking areas of this school 🤗<a href="https://mas.to/tags/Wintercycling" class="mention hashtag" rel="nofollow noopener" target="_blank">#Wintercycling</a> <a href="https://mas.to/tags/MeanwhileInOulu" class="mention hashtag" rel="nofollow noopener" target="_blank">#MeanwhileInOulu</a>

BleepingComputerA new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems.<a href="https://www.bleepingcomputer.com/news/security/new-stealthy-pumakit-linux-rootkit-malware-spotted-in-the-wild/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/new-stealthy-pumakit-linux-rootkit-malware-spotted-in-the-wild/</a>

BleepingComputerThe first UEFI bootkit specifically targeting Linux systems has been discovered, marking a shift in stealthy and hard-to-remove bootkit threats that previously focused on Windows.<a href="https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux/</a>

BleepingComputerMITRE has shared this year's top 25 list of the most common and dangerous software weaknesses behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024.<a href="https://www.bleepingcomputer.com/news/security/mitre-shares-2024s-top-25-most-dangerous-software-weaknesses/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/mitre-shares-2024s-top-25-most-dangerous-software-weaknesses/</a>

BleepingComputerHackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them.<a href="https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/</a>

BleepingComputerAfter being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware.<a href="https://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks/" rel="nofollow noopener" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks/</a>

Tony Arcieri 🌹🦀Pretty much all versions of bcrypt are vulnerable to second preimage attacks because they truncate the input to the first 72 bytes, meaning the hashes for messages longer than that will collide.This resulted in a login bypass against Okta.<a href="https://www.theverge.com/2024/11/1/24285874/okta-52-character-login-password-authentication-bypass" rel="nofollow noopener" translate="no" target="_blank">https://www.theverge.com/2024/11/1/24285874/okta-52-character-login-password-authentication-bypass</a>

securityaffairsInternational law enforcement operation dismantled <a href="https://infosec.exchange/tags/RedLine" class="mention hashtag" rel="nofollow noopener" target="_blank">#RedLine</a> and <a href="https://infosec.exchange/tags/Meta" class="mention hashtag" rel="nofollow noopener" target="_blank">#Meta</a> infostealers <a href="https://securityaffairs.com/170369/cyber-crime/law-enforcement-operation-disrupted-redline-and-meta-infostealers.html" rel="nofollow noopener" translate="no" target="_blank">https://securityaffairs.com/170369/cyber-crime/law-enforcement-operation-disrupted-redline-and-meta-infostealers.html</a> <a href="https://infosec.exchange/tags/securityaffairs" class="mention hashtag" rel="nofollow noopener" target="_blank">#securityaffairs</a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a>

BrianKrebsSince Sept 2016, when krebsonsecurity.com was hit w/ something close to a world record DDoS from Mirai, my site has been behind Google Shield, a free program that Google offers to journalists, news outlets and human rights groups that might otherwise be DDoSsed into silence in one form or another. On the one hand, I don't have as much visibility into who's attacking me or when, because I mostly never notice any disruption. But when I do hear from the Shield team about an attack, it's usually something interesting (e.g. <a href="https://krebsonsecurity.com/2021/09/krebsonsecurity-hit-by-huge-new-iot-botnet-meris/" rel="nofollow noopener" translate="no" target="_blank">https://krebsonsecurity.com/2021/09/krebsonsecurity-hit-by-huge-new-iot-botnet-meris/</a>)Anyway, Google said today it is expanding the Shield offering to include "organizations representing marginalized groups and non-profit organizations supporting the arts and sciences." <a href="https://cloud.google.com/blog/products/identity-security/project-shield-expands-free-ddos-protection" rel="nofollow noopener" translate="no" target="_blank">https://cloud.google.com/blog/products/identity-security/project-shield-expands-free-ddos-protection</a>I gave Google this feedback long ago, but I'll add it here b/c it should be the default if you're on Shield and also using other Google services (Gmail, etc): If you or your organization is eligible for this free protection, it probably also means you are a giant target. IMHO, turning on Advanced Protection for Google Accounts should be automatic for Shield users.

Iván“We don't have a cyber security problem – we have a software quality problem. We don't need more security products – we need more secure products."<a href="https://www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains/" target="_blank" rel="nofollow noopener" translate="no">https://www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains/</a><a href="https://mastodon.social/tags/cybersecurity" class="mention hashtag" rel="tag">#cybersecurity</a>

Jeremiah LeeOxford PV is now shipping its first commercial-scale perovskite-on-silicon tandem solar panels that have 24.5% module efficiency to produce 20% more energy than standard silicon panels. The technology has a theoretical 43% efficiency compared to silicon’s <30%. This is the first gen. They’re manufacturing in Havel, Deutschland. It took nearly a decade to go from university research to commercialization, but this is a giant leap forward for solar.<a href="https://electrek.co/2024/09/05/oxford-commercializes-its-20-more-powerful-solar-panels-in-the-us/" rel="nofollow noopener" translate="no" target="_blank">https://electrek.co/2024/09/05/oxford-commercializes-its-20-more-powerful-solar-panels-in-the-us/</a><a href="https://alpaca.gold/tags/climateAction" class="mention hashtag" rel="nofollow noopener" target="_blank">#climateAction</a> <a href="https://alpaca.gold/tags/solar" class="mention hashtag" rel="nofollow noopener" target="_blank">#solar</a>

Alan Cordova"Four years ago this week, California’s power grid was so strained by a heat wave that rolling blackouts hit hundreds of thousands of residents over two days. It nearly happened again two years ago, when state officials issued 11 'flex alerts' asking businesses and homeowners to voluntarily reduce electricity use to avoid power disruptions. But this year when a record heat wave scorched the state over three weeks from mid-June to July — sending temperatures across the Bay Area and the Central Valley soaring over 110 degrees — there was plenty of power. No warnings. No shortages. No flex alerts. A big part of the reason, experts say, is a boom in the construction of giant battery projects." <a href="https://www.mercurynews.com/2024/08/18/a-gamechanger-how-giant-batteries-are-making-californias-power-grid-stronger-and-reducing-the-risk-of-blackouts-during-heat-waves/" rel="nofollow noopener" translate="no" target="_blank">https://www.mercurynews.com/2024/08/18/a-gamechanger-how-giant-batteries-are-making-californias-power-grid-stronger-and-reducing-the-risk-of-blackouts-during-heat-waves/</a> <a href="https://sfba.social/tags/energystorage" class="mention hashtag" rel="nofollow noopener" target="_blank">#energystorage</a>

Recent searches

Search options

Administered by:

Server stats:

Taneli Waltari@twaltari@mastodon.social

Recent searches

Search options

Administered by:

Server stats:

Taneli Waltari@twaltari@mastodon.socialmastodon.social

Taneli Waltari@twaltari@mastodon.social