
[tl;dr sec] #269 - New AI Security Tools, Ransomware in AWS, How to Hack AI Apps

AI-powered web vuln scanner agent and Baby Naptime, 2 tools + guides on preventing ransomware in AWS, detailed guide on hacking AI agents/apps

Hey there,

I hope you’ve been doing well!

✍️ Haik-scuse me for the brief intro

It is late so I will leave you with just a haiku (and a meme on the web version):

Midnight screen glows blue
Deadline looms like APT
tl;dr sec

Sponsor

📣 The CISO Guide to Detecting and Preventing Identity Attacks

This CISO guide addresses the key questions:

  • How much visibility does the security team have into human and non-human identity-related activities and potential threats within your organization?

  • What do cloud identity attacks look like across different cloud environments, and how do they differ from traditional on-premise identity attacks?

  • What best practice strategies are available for detecting, preventing, and remediating identity-based attacks?

  • Plus many more!

👉 Download 👈

Identity is both critical and tricky; it’s great to see more guidance on getting visibility into identity-related risks and on detection & response 👍️

AppSec

edoardottt/pphack
By Edoardo Ottavianelli: A client-side prototype pollution scanner. It uses chromedp, a library to drive browsers using the Chrome DevTools Protocol in Go without external dependencies.

Advanced Nginx Hardening
Fivesec’s Jens Schmidt describes Nginx configuration options that simplify monitoring, enhance performance, and strengthen security, including JSON logging, request parameterization, limiting requests, limiting the allowed HTTP methods to only the necessary ones, simple protection against bots, and more.

A Deep Dive into JS Trusted Types Violations
Google’s Jen Ozmen, Kian Jamali, and Aaron Shim describe the challenges encountered when rolling out Trusted Types to Gmail and AppSheet: both have large codebases, a diverse stack of open source and legacy code, and code that was not written following Google’s standard practices. To find violations early in the development process they built safety-web, an ESLint plugin for Trusted Types and CSP compatibility, and provided developers with safevalues, a wrapper library around dangerous DOM APIs that makes the safe uses of these APIs more natural than the potentially unsafe ones.

The post also describes their detective process for finding the root cause of Trusted Types violations: searching for the script-sample, reproducing the violation via runtime analysis, and analyzing minified JS.

Sponsor

📣 How to Conduct an AI Risk Assessment

[Free Guide]

Nudge Security has discovered over 1,000 unique GenAI tools in customer environments to date, with new ones like DeepSeek popping up daily. While GenAI is clearly here to stay, IT and security teams need to take a proactive approach to mitigating AI risks.

Download this guide to learn how to:

  • Discover the AI tools in use in your org

  • Conduct security reviews for AI vendors

  • Determine where AI tools are connected to other apps

  • Educate your workforce on safe and compliant AI use

👉 Get the Guide 👈

Discovering what AI tools your org is using and what they’re connecting to is non-trivial. And it’s super useful to know what data is going where 😅

Cloud Security

RansomWhen??? I Never Even Noticed It…
Permiso’s Bleon Proko introduces RansomWhen, an open source tool for detecting potential KMS-based ransomware attacks in AWS environments. The tool enumerates identities with privileges to perform 13 different attack scenarios and analyzes CloudTrail logs for suspicious events related to KMS key creation, S3 bucket encryption, and IAM role/user manipulation.

💡 Shout-out to Permiso for releasing a bunch of open source tools recently 👍️ 

CopyObjection: Fending off ransomware in AWS
Red Canary’s Jesse Griggs describes his experiment in detecting ransomware targeting S3 buckets using server-side encryption with customer-managed keys and auto-remediating the situation with a Lambda function (either disabling the access key of the IAM user or applying a deny-all policy to the user). The primary limiting factor of the auto-remediation was the delay in delivering CloudTrail logs to his log group (~6 minutes), which is consistent with AWS’ documentation stating that logs are delivered roughly every 5 minutes.
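Both RansomWhen and CopyObjection come down to reading CloudTrail for a handful of S3/KMS indicators. The Python below is an added example (not the code of either tool) that runs that kind of scoring over constructed CloudTrail records: it flags SSE-C writes, a bucket default encryption pointed at a KMS key in another account, KMS key creation, and ScheduleKeyDeletion/DisableKey, then surfaces principals that show several distinct indicators. Field names follow the CloudTrail record format; the records, account ids and ARNs are constructed, and the assumption that S3 data events expose the SSE-C request header under requestParameters is this example’s, not something the posts state.

```python
from collections import defaultdict

# Constructed CloudTrail records (not real logs). Field names follow the CloudTrail
# record format; account ids and ARNs are placeholders.
MALLORY = "arn:aws:iam::111111111111:user/mallory"
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
     "userIdentity": {"arn": MALLORY}, "recipientAccountId": "111111111111",
     "requestParameters": {}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
     "userIdentity": {"arn": MALLORY}, "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "finance-reports",
                           "ServerSideEncryptionConfiguration": {"Rule": {
                               "ApplyServerSideEncryptionByDefault": {
                                   "SSEAlgorithm": "aws:kms",
                                   # key lives in a different account than the bucket
                                   "KMSMasterKeyID": "arn:aws:kms:us-east-1:999999999999:key/00000000-0000-0000-0000-000000000000"}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"arn": MALLORY}, "recipientAccountId": "111111111111",
     # assumption of this example: S3 data events carry the SSE-C header here
     "requestParameters": {"bucketName": "finance-reports", "key": "q4.xlsx",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": MALLORY}, "recipientAccountId": "111111111111",
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/11111111-1111-1111-1111-111111111111",
                           "pendingWindowInDays": 7}},
    # benign: an application role uploading with the account's own SSE-KMS
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-uploader"},
     "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "finance-reports", "key": "q4.csv",
                           "x-amz-server-side-encryption": "aws:kms"}},
]

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KMS_DESTRUCTIVE = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"}


def kms_key_account(key_arn):
    """Account id embedded in a KMS key ARN, or None if the value is not an ARN."""
    parts = key_arn.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) > 5 else None


def indicators_for(event):
    """Ransomware indicators exhibited by one record (empty list when benign)."""
    found = []
    source, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    if source == "s3.amazonaws.com":
        if name in ("CopyObject", "PutObject") and SSEC_HEADER in params:
            found.append("sse-c-write")          # key is held by the caller, not AWS
        if name == "PutBucketEncryption":
            rule = params.get("ServerSideEncryptionConfiguration", {}).get("Rule", {})
            default = rule.get("ApplyServerSideEncryptionByDefault", {})
            key = default.get("KMSMasterKeyID", "")
            if default.get("SSEAlgorithm") == "aws:kms" and key:
                account = kms_key_account(key)
                if account and account != event.get("recipientAccountId"):
                    found.append("bucket-default-key-foreign-account")
                else:
                    found.append("bucket-default-key-changed")
    elif source == "kms.amazonaws.com":
        if name == "CreateKey":
            found.append("kms-create-key")
        elif name in KMS_DESTRUCTIVE:
            found.append("kms-" + name.lower())
    return found


def group_by_principal(events):
    """Map principal ARN -> list of indicators seen across all its records."""
    grouped = defaultdict(list)
    for event in events:
        for indicator in indicators_for(event):
            grouped[event["userIdentity"]["arn"]].append(indicator)
    return dict(grouped)


def high_risk_principals(events, min_distinct=2):
    """Principals with at least min_distinct different indicator types. A lone
    CreateKey is routine; CreateKey + foreign default key + ScheduleKeyDeletion is not."""
    return sorted(arn for arn, inds in group_by_principal(events).items()
                  if len(set(inds)) >= min_distinct)


if __name__ == "__main__":
    for arn, inds in group_by_principal(SAMPLE_EVENTS).items():
        print(arn, sorted(set(inds)))
    print("high risk:", high_risk_principals(SAMPLE_EVENTS))
```

The per-principal grouping is what separates a noisy single-event alert from something worth auto-remediating; combined with the ~5 minute CloudTrail delivery delay mentioned above, the scoring window should be measured in minutes, not seconds.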

The Complete Guide to Cloud-Native Ransomware Protection in Amazon S3 and KMS
Fog Security’s Jason Kao covers how to prevent ransomware targeting AWS S3 and provides resources & code for 11 different prevention use cases, so you can ensure preventative controls are in place against each type of attack, including:

  • Blocking Customer-provided encryption (SSE-C) using Resource Control Policies and Bucket Policies

  • Preventing public access to S3 data through account settings and RCPs

  • Preventing data deletion using bucket policies and versioning or object lock

  • Enforcing AWS KMS encryption (non-SSE-C and non-S3-managed)
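As an added example (not Fog Security’s code), here is a bucket policy for the first and last items in that list, blocking SSE-C and requiring SSE-KMS with one specific key, expressed with the documented s3:x-amz-server-side-encryption* condition keys, plus a toy evaluator that shows which Deny statement a given PutObject request would hit. The bucket name and key ARN are constructed placeholders; the evaluator models only the Null and StringNotEquals operators and is not a substitute for IAM’s policy simulator.

```python
import json

# Constructed placeholders; replace with your bucket and customer-managed key ARN.
BUCKET = "finance-reports"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"


def preventive_bucket_policy(bucket, kms_key_arn):
    """Bucket policy with three explicit denies on s3:PutObject (CopyObject is
    authorized through PutObject on the destination, so it is covered too)."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # SSE-C: the caller holds the key, so losing it means losing the data
                "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
            },
            {   # an encryption header was sent but is not aws:kms (e.g. AES256 / S3-managed)
                "Sid": "DenyNonKMS", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {
                    "Null": {"s3:x-amz-server-side-encryption": "false"},
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"},
                },
            },
            {   # a KMS key id was named but it is not ours (e.g. a key in another account)
                "Sid": "DenyForeignKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {
                    "Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "false"},
                    "StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn},
                },
            },
        ],
    }


def policy_document(bucket, kms_key_arn):
    """The policy as the JSON text you would attach with put-bucket-policy."""
    return json.dumps(preventive_bucket_policy(bucket, kms_key_arn), indent=2)


def _condition_holds(operator, pairs, ctx):
    """Evaluate one condition block. Only Null and StringNotEquals are modelled;
    IAM's rule that a negated operator on an absent key evaluates to true is kept,
    which is exactly why each StringNotEquals above is paired with Null: false."""
    for key, expected in pairs.items():
        present = key in ctx
        if operator == "Null":
            if (expected == "true") != (not present):
                return False
        elif operator == "StringNotEquals":
            if present and ctx[key] == expected:
                return False
        else:
            raise ValueError(f"operator {operator} is not modelled in this example")
    return True


def request_denied(policy, headers):
    """Sid of the first Deny statement matching a PutObject request that carries
    the given x-amz-* headers, or None. Toy evaluator for this policy, not IAM."""
    ctx = {"s3:" + name: value for name, value in headers.items()}
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        conditions = statement.get("Condition", {})
        if all(_condition_holds(op, pairs, ctx) for op, pairs in conditions.items()):
            return statement["Sid"]
    return None


if __name__ == "__main__":
    policy = preventive_bucket_policy(BUCKET, KEY_ARN)
    print(policy_document(BUCKET, KEY_ARN))
    print(request_denied(policy, {"x-amz-server-side-encryption-customer-algorithm": "AES256"}))
```

A request that sends no encryption header at all matches none of the three denies and falls through to the bucket’s default encryption, so pair this policy with default SSE-KMS on the same key; for the account-wide version of the SSE-C block, the post above covers the Resource Control Policy form.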

Introducing Finders Keypers: An Open Source Tool to Discover Usage and Blast Radius of Encryption Keys in AWS
Fog Security’s Jason Kao announces Finders Keypers, a new open source tool for analyzing AWS KMS key usage across 28 resource types in 21 AWS services. Use cases:

  • Determining the blast radius of specific KMS keys and potentially impacted resources (e.g. data in S3, databases like RDS and DynamoDB, etc.)

  • Determining encryption access control and which principals potentially have access to data and resources.

  • Understanding the impact of key lifecycle management, including key rotation, updates, retirement, and deletion.

  • Checking default settings in AWS for new resource creation and encryption settings.

Supply Chain

OpenSSF Releases Security Baseline for Open Source Projects
New project by the OpenSSF, Open Source Project Security Baseline, which aims to enhance the security of open source projects by providing guidance/a checklist on implementing a minimum set of best practices. There are 3 tiers of requirements, covering topics like the use of MFA, policies around who can contribute code and how, access control and least privilege, code hosting provider settings, etc.

💡 It’s nice to define what “good” looks like, but in my opinion, developers probably care less about a document with a long list of things they should do, and would prefer automated diagnosis “where am I falling short and how do I fix it” and even better “fix it for me.”

How to bypass GitHub’s Branch Protection
Mercari’s @iso describes 7 different attack scenarios in which a malicious user could try to bypass GitHub branch protection rules, such as pushing a commit to a PR created by another user, creating a PR and having a GitHub Action approve it, and more. In short, you can prevent most of the attack scenarios by enabling the GitHub setting "Require approval of the most recent reviewable push" and disabling the "Allow GitHub Actions to create and approve pull requests" setting.

However, there is no current way to block the case of an attacker using GitHub Actions to add malicious code to a PR created by another user, then merging the PR themselves.

Guard your Codebase: Practical Steps and Tools to Prevent Malicious Code
Apiiro’s Matan Giladi et al. analyzed thousands of malicious code samples and identified two key anti-patterns common in malicious code but rare in benign code:

  1. Obfuscated source code (66.8% of detections): Hard-encoded states and configurations, Base64 and other encoding, runtime reconstruction loops, function chaining, etc.

  2. Naive dynamic code execution (24.5% of detections): Using eval(), exec(), and similar functions to load and run code at runtime.

Apiiro has released a malicious code detection Semgrep ruleset and PRevent, an open source GitHub app for scanning PRs for malicious code.
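To make the two anti-patterns concrete, here is an added example (not Apiiro’s Semgrep rules or PRevent): a Python AST scanner that looks for naive dynamic execution (eval/exec, noting whether the argument is a literal or built at runtime) and three obfuscation tells (long base64-looking literals, base64 decoding at runtime, strings rebuilt from chr() codes), run over two constructed modules. The 40-character base64 threshold and the category names are this example’s choices.

```python
import ast
import base64
import re

# A literal this long that is also valid base64 is rarely hand-written configuration.
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
DYNAMIC_EXEC = {"eval", "exec"}


def looks_like_base64(text):
    if not B64_LITERAL.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)   # binascii.Error is a ValueError
        return True
    except ValueError:
        return False


def _callee(node):
    """Name of the called function: eval(...) -> 'eval', base64.b64decode(...) -> 'b64decode'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _rebuilds_from_chr(call):
    # "".join(chr(c) for c in [...]) style runtime reconstruction of a string
    return _callee(call) == "join" and any(
        isinstance(n, ast.Call) and _callee(n) == "chr"
        for arg in call.args for n in ast.walk(arg))


class AntiPatternFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line, category, detail)

    def visit_Call(self, node):
        name = _callee(node)
        if name in DYNAMIC_EXEC:
            arg = node.args[0] if node.args else None
            literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
            self.findings.append((node.lineno, "dynamic-exec",
                                  f"{name}() on {'a literal' if literal else 'runtime-built'} input"))
        elif name == "b64decode":
            self.findings.append((node.lineno, "obfuscation", "base64 decoded at runtime"))
        elif _rebuilds_from_chr(node):
            self.findings.append((node.lineno, "obfuscation", "string rebuilt from chr() codes"))
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str) and looks_like_base64(node.value):
            self.findings.append((node.lineno, "obfuscation",
                                  f"base64-looking literal of {len(node.value)} chars"))


def scan_source(source):
    """Sorted (line, category, detail) findings for one Python module's source text."""
    finder = AntiPatternFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed samples. PAYLOAD is built here so the example stays self-consistent;
# the "suspicious" module is only parsed, never executed, and only prints if it were.
PAYLOAD = base64.b64encode(b'print("decoded at runtime")\n' * 2).decode()

BENIGN = '''
import json

def load(path):
    with open(path) as handle:
        return json.load(handle)
'''

SUSPICIOUS = f'''
import base64
payload = "{PAYLOAD}"
code = base64.b64decode(payload).decode()
exec(code)
name = "".join(chr(c) for c in [112, 114, 105, 110, 116])
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_source(src))
```

A scanner like this is a triage signal rather than a verdict: build tooling and test fixtures legitimately carry encoded blobs, which is why the post reports percentages of detections rather than claiming either pattern is proof of malice.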

💡 Building off open source tools and contributing back to the community, this is the way 🌈 See also of course Datadog’s GuardDog, which leverages Semgrep to find malicious dependencies.

Blue Team

certsocietegenerale/FIR
By CERT Société Générale: A cybersecurity incident management platform designed with agility and speed in mind, allowing for easy creation, tracking, and reporting of cybersecurity incidents.

Understanding the Incident Response Hierarchy of Needs
PreDefender’s Roger Johnsen discusses Swannman's Incident Response Hierarchy of Needs, a 10-layer pyramid model for building effective security operations. The model starts with foundational layers like asset inventory and telemetry and builds up to more sophisticated, proactive capabilities (rest of the 10 in increasing maturity: detection, triage, threats, behaviors, hunt, track, act). Roger also discusses a complementary plateaus model tracking organizational security maturity across 5 levels, from basic detection and awareness to full operational maturity.

💡 This page is just one of a free threat hunting book/guide, covering fundamentals, setting up a lab, tips and tricks, and more. Awesome!

Modelling Behaviors is a Critical Thrunting Prerequisite
Palo Alto Networks’ Jamie Williams argues for the importance of modeling adversary behaviors as interconnected series of techniques rather than isolated events when planning threat hunts. He illustrates this approach using examples of remote exploitation and lateral movement, demonstrating how breaking down complex behaviors into their constituent parts can help hunters connect malicious activities to available telemetry sources.

💡 Don’t @ me, but “thrunting” sounds like some niche Folsom Street Fair activity I’m not hip enough to know about. Also, don’t Google Folsom Street Fair at work.

Red Team

captainGeech42/implant.js
By Zander Work: A proof-of-concept modular implant platform leveraging the v8 JavaScript engine. DistrictCon slides and recording.

RITRedteam/StreetCred
A tool created for the red team to test default credentials on SSH and WinRM and then execute scripts if logging in was successful.

redr0nin/bloudstrike
By John Jackson: A semi-retired CrowdStrike bypass loader. The script leverages fileless execution using memfd_create to load ELF binaries directly into memory, preventing writing the malware on disk.

AI + Security

Quicklinks

How to Hack AI Agents and Applications
Nicely detailed post by my friend Joseph Thacker covering how to get up to speed, attack scenarios, mitigations, and an AI hacking methodology overview. I liked the sections on the AI App Responsibility Model (like the cloud, who is responsible for what?), vulnerabilities (traditional vulns triggered by prompt injection, prompt injection, multi-modal prompt injection, …) and the various mitigations to prevent these types of vulnerabilities.

faizann24/rogue
By Meta’s Faizan Ahmad: A web vulnerability scanner agent powered by LLMs. It uses LLMs to understand application context and identify potential security weaknesses, creates test payloads tailored to the target application, analyzes app behavior and responses to guide testing, validates findings to eliminate false positives, and more.

faizann24/baby-naptime
By Meta’s Faizan Ahmad: A simple open source implementation inspired by Google's Project Naptime, a vulnerability analysis tool that uses LLMs to discover and exploit native vulnerabilities, with automated exploit generation to prove concepts and integrated GDB debugging with security-focused analysis capabilities.

Misc

Censorship as a Service | Leak Reveals Public-Private Collaboration to Monitor Chinese Cyberspace
SentinelOne’s Alex Delamotte, Aleksandar Milenkoski and Dakota Cary share insights from analyzing a 7000+ document leak from TopSec, a prominent Chinese cybersecurity firm, that’s exposed details about the company’s probable involvement in Internet censorship for the Chinese government.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler