About ?page=1 that can become /?page=1 OR 1=1
A phishing attack is running on crates.io
What really surprises the researchers is the consistency of the whole thing, since every component uses the same techniques: DLL sideloading, RC4/XOR encryption, execution exclusively in memory. It smells like a well-drilled team of developers with industrial processes, not amateurs tinkering in their garage.
It's teamwork.
Source: "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company" https://www.bitdefender.com/en-us/blog/businessinsights/eggstreme-fileless-malware-cyberattack-apac
My honest assessment is that the Rust / Cargo leadership need to be bold, deprecate publishing packages to crates.io and move to a decentralized package distribution architecture.
There is no way around it. Rust needs to copy Go, it's as simple as that.
The second part of the solution, much harder and more expensive to implement, is to release an extended standard library. We need to reduce the number of third-party developers we have to trust in order to release our software.
A workaround for now is to import Rust crates directly from git, such as ring = { git = "https://github.com/briansmith/ring", version = "0.12" } (pin a specific rev as well if you want the build to be reproducible).
17 apps installed over 19 million times
The information is relayed on different news websites:
It was unveiled in a presentation at DEFCON 2025 https://marektoth.com/blog/dom-based-extension-clickjacking/
The unpaid work of volunteers for core libraries is unsustainable. We can all agree on that.
There are a few comments suggesting sustainable models.
Securam ProLogic will not fix this backdoor.
URL shorteners are, in most cases, an idea that looks good but isn't:
- Shortened URLs are not always generated randomly
- Phishing is made possible
- Dependence on the service, which can shut down, as happened here with goo.gl
Here we go again. A small package is abused.
The transcription makes it clear how it works:
- Expose node's require with a getter: get "switch"() { return require; }
- Load the os and ws modules from this['switch']
- Connect to the websocket and run new Function(data)(); // remote code execution on receipt of a WebSocket message.
About using C code:
- there are obviously the potential bugs and vulnerabilities in the C code itself and in the code wrapping the C code.
- it requires specific C toolchains, which makes things hard when you do cross compilation.
- you (sometimes) need to deploy the dynamically linked C library (e.g. OpenSSL), which prevents you from using minimal FROM scratch container images.
- you can't compile it for WebAssembly.
- maintenance! It's hard to review a 2000-line implementation of an encryption algorithm.
Pure Rust cryptography is usually around 10-25% slower than ultra-optimized C or assembly code.
Distributed via malicious advertising redirecting to a fake KeePass site, in order to decrypt passwords.
Update ASAP to Firefox 139
Maybe too much