Seclog - #136


"The art of cyber war is knowing when to strike⦠and when to reboot." - The Art of Cyber War
π SecMisc
SLSA Framework Secures Software Supply Chains β SLSA (Supply-chain Levels for Software Artifacts) provides standards to prevent tampering and ensure artifact integrity across infrastructure. It transitions ecosystems from "safe enough" to maximum resilience against supply chain attacks. Read More
GMS Gadgets β Inspired by Black Hat research, GMSGadget explores bypassing XSS defenses using script gadgets. This project revives techniques to circumvent modern mitigations. Read More
Positive Technologies Vulnerabilities Database β dbugs is JSC Positive Technologies' platform for vulnerabilities. It serves as a home for security findings and related information from 2025. Read More
π° SecLinks
How we rooted CoPilot β Microsoft's Jupyter Notebook integration in Copilot Enterprise allowed arbitrary code execution. Researchers rooted the system via this live Python sandbox vulnerability. Read More
OTP Bypass Techniques in Mobile Apps β Resecurity details API and authorization flaws allowing OTP bypass during VAPT engagements. These issues persist across organizations regardless of maturity. Read More
Amazon Q's Unintended Self-Destruct Feature β A malicious PR merged into Amazon Q instructed it to wipe computers and cloud infrastructure. This supply chain breach highlights AI tool risks. Read More
Google OSS Rebuild Fortifies Open Source Trust β OSS Rebuild reproduces upstream artifacts to combat supply chain attacks targeting dependencies, offering security teams actionable data without burdening maintainers. This enhances trust in package ecosystems. Read More
Vim Tar.vim Path Traversal Advisory β A path traversal vulnerability affects Vim 9.1.1552 via specially crafted tar files in tar.vim, enabling unauthorized access. Patch mitigations are critical for secure archive handling. Read More
Netskope SWG Tenant Security Analysis β Netskope's cloud-native platform integrates CASB, SWG, and ZTNA for app security. Recent research explores tenant configurations and vulnerabilities. Read More
Vendetect Detects Code Copying Efficiently β Trail of Bits' Vendetect uses semantic fingerprinting to identify copied code across repositories, even with altered variables. It leverages version history for precise tracing. Read More
Novel PDO SQL Injection Technique β A new method exploits SQL injection in PDO's prepared statements, bypassing traditional defenses. Research shows evolving vulnerability complexity in modern apps. Read More
Accidental ETQ Reliance RCE Discovery β Researchers accidentally found a remote code execution flaw in ETQ Reliance, proving vulnerabilities persist despite advanced frameworks. Modern apps still hide critical risks. Read More
Critical JavaScript Library Vulnerability β A Critical Vulnerability in a JavaScript library has been discovered, exposing millions of applications. This flaw allows for potential Code Execution Attacks. Read More
π₯ SecVideo
- Prompt Engineering AI Red Teaming β Learn from HackAPrompt's creator about prompt engineering guides and the worldβs first AI red teaming competition. Techniques cover adversarial LLM exploitation. Watch Here
π» SecGit
eBPF MCP Monitoring Tool β MCPSpy leverages eBPF for detailed MCP monitoring, providing low-level system insights. Ideal for performance and security analysis. Explore on GitHub
Blackbird OSINT Account Discovery β Search for accounts by username/email across social networks. This tool streamlines reconnaissance and footprinting. Explore on GitHub
SharePoint WebPart RCE Exploit β Exploits CVE-2025-53770 via ToolPane.aspx, enabling .NET deserialization and remote code execution. Critical for SharePoint penetration testing. Explore on GitHub
YSoNet .NET Deserialization Payloads β Generates deserialization payloads for multiple .NET formatters. Essential for exploiting insecure serialization in applications. Explore on GitHub
0day.today Exploit Archive β Comprehensive archive of historical 0day.today exploits. A resource for vulnerability research and historical analysis. Explore on GitHub
CVE-2025-7783 Proof of Concept β Demonstrates exploitation of CVE-2025-7783, a critical vulnerability with broad impact. Useful for defensive validation. Explore on GitHub
Promptmap LLM Security Scanner β Scans custom LLM applications for vulnerabilities like prompt injection. Crucial for securing AI deployments. Explore on GitHub
S3grep Bucket Content Search β CLI tool for searching logs and unstructured data in AWS S3 buckets. Accelerates incident response and forensics. Explore on GitHub
Diverse Security Tools & Exploits on GitHub β GitHub offers a range of security tools, including an OSINT tool for account searches, eBPF monitoring, and an S3 log grepper. Also find exploits for SharePoint RCE, Vim path traversal, .NET deserialization, and an LLM security scanner. Explore on GitHub
For suggestions and any feedback, please contact: securify@rosecurify.com
Subscribe to my newsletter
Read articles from Rosecurify directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
