17 apps installed over 19 million times

The information is relayed on different news website:

• https://cybernews.com/security/password-managers-autofill-credentials-for-attackers
• [#todo]

It was unveiled with a presentation at the DEFCON 2025 https://marektoth.com/blog/dom-based-extension-clickjacking/

The unpaid work of volunteers for core libraries is unsustainable. We can all agree on that.

There is few comments suggesting sustainable models.

Securam ProLogic ne réglera pas cette porte dérobée.

Source: https://archive.is/20250808202909/https://www.wired.com/story/securam-prologic-safe-lock-backdoor-exploits/

Les raccourcisseurs d'URLs sont une fausse bonne idée dans la plupart des cas:

1. Les URLs raccourcies ne sont pas toujours générées aléatoirement
2. Le phishing rendu possible
3. La dépendance au service, qui peut fermer, comme ici avec goo.gl

Here we go again. A small package is is abused.

The transcription makes it clear how it works:

1. Expose node's require with a get "switch"() { return require; }
2. Load os and ws modules from this['switch']
3. Connect to the websocket
4. new Function(data)(); // remote code execution of a WebSocket message.

About using C code:

• there obviously the potential bugs and vulnerabilities in the C code itself and in the code wrapping the C code.
• specific C toolchains, which makes things hard when you do cross compilation.
• you (sometimes) need to deploy the dynamically-linked C library (OpenSSL). It prevents you from using secure FROM scratch container images.
• can't compile it for WebAssembly.
• maintenance! it's hard to review a 2000 line implementation of an encryption algorithm

Pure Rust cryptography is usually around 10-25% slower than an ultra optimized C or assembly code.

Source: https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate/

Diffusé via de la publicité malveillante redirigeant sur un faux site de KeePass afin de déchiffrer les mots de passes.

Update ASAP to Firefox 139

Maybe too much

Press article of https://shaarli.lyokolux.space/#x6SmSw

ENISA is mandated to develop and maintain the European vulnerability database.

All that's required is to create a malicious software package under a hallucinated package name and then upload the bad package to a package registry or index like PyPI or npm for distribution. Thereafter, when an AI code assistant re-hallucinates the co-opted name, the process of installing dependencies and executing the code will run the malware.

Aboukhadijeh explained that _Iain "automated the creation of thousands of typo-squatted packages (many targeting crypto libraries) and even used ChatGPT to generate realistic-sounding variants of real package names at scale. He shared video tutorials walking others through the process, from publishing the packages to executing payloads on infected machines via a GUI. It’s a clear example of how attackers are weaponizing AI to accelerate software supply chain attacks."

Not in France.

3.5 millions fines after a ransomware attack because no security measure was set.