Martino Dell'Ambrogio 🗣️🇮🇹🇫🇷🇬🇧@🇨🇭

198 Followers
638 Following
415 Posts
Security architect, auditor, pentester, whatever it takes.
Opinions may not be my own.
https://en.wikipedia.org/wiki/List_of_cognitive_biases
ND
Keybase: https://tillo.keybase.pub/infosec.exchange.proof.html
Pronouns: he/him
Email: [email protected]
Website: https://www.tillo.ch/
Trivy security incident 2026-03-01 · aquasecurity trivy · Discussion #10265

Trivy has been attacked today via GitHub Actions, along with other popular projects: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation. We believe the vulnerability came f...

GitHub

They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things lmao.

Apparently, the "innovation" of adding markdown support came with the ability to launch unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore? 😭

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology

Pricing changes for GitHub Actions

GitHub Actions pricing update: Discover lower runner rates (up to 39% off) following a major re-architecture for faster, more reliable CI/CD.

GitHub Resources

OpenSSH runs a large number of tests via Github Runners, both Github supplied ones on a public repo, and on selfhosted runners on a private repo. The latter covers a bunch of platforms Github doesn't support, and is private not because we don't want it accessible (in fact we would prefer it be public) but because as far as we can tell, making it public would represent a significant security risk.

Github have announced that they will begin charging per-minute fees for Github Actions self-hosted runners starting next year. These fees apply only to runners on private repos, but "actions will remain free in public repositories."[0] This is going to be a significant problem for us.

Github's own documentation points out allowing selfhosted runners on public repositories is unsafe, because it's a potential remote code execution vector via running arbitrary workflows in modified pull requests:

"As a result, self-hosted runners should almost never be used for public repositories on GitHub, because any user can open pull requests against the repository and compromise the environment."[2]

There are some controls[1], but the documentation on them doesn't exactly instill confidence (emphasis on the weasel words added):

"Anyone can fork a public repository, and then submit a pull request that proposes changes to the repository's GitHub Actions workflows. [...] To *help* prevent this, workflows on pull requests to public repositories from *some* outside contributors will not run automatically, and *might* need to be approved first. Depending on the "Approval for running fork pull request workflows from contributors" setting, workflows on pull requests to public repositories will not run automatically and *may* need approval if: The pull request is created by a user that requires approvals based on the selected policy.[or] The pull request event is triggered by a user that requires approvals based on the selected policy."

All of this uncertainty could be addressed by completely disabling pull requests on a repo, but while that has been requested many many times over the course of a decade([3] [4]), this is still not possible.

It *is* possible to *temporarily* disable pull requests on a repository via Interaction Limits[5], but using this as a security control that (silently?) fails open after some amount of time is problematic to say the least. The required functionality is almost there, it just needs a "forever" option.

So, in summary: self-hosted runners remain free as long as you run them on public repos, which you shouldn't because it's unsafe, unless you also disable pull requests, which you probably can't.

[0] https://resources.github.com/actions/2026-pricing-changes-for-github-actions/
[1] https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories
[2] https://docs.github.com/en/actions/reference/security/secure-use
[3] https://github.com/orgs/community/discussions/8907
[4] https://github.com/dear-github/dear-github/issues/84
[5] https://docs.github.com/en/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository
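As an added example (not code from the OpenSSH post or from GitHub), an audit check in Python for the risk the post describes: it flags jobs that run on self-hosted runners in workflows reachable from pull requests, and shows a job-level same-repository guard beside the unguarded form. It assumes workflows already parsed into dicts (as a YAML parser would return them); the guard expression, job names and labels are constructed.

```python
"""Flag GitHub Actions jobs that run on self-hosted runners and can be reached
from a pull request. Assumptions: workflows are given as the dict a YAML
parser returns (PyYAML maps a bare `on:` key to the boolean True, handled
below); the `if:` guard check is a simple substring heuristic."""

PR_EVENTS = {"pull_request", "pull_request_target"}
SAME_REPO_GUARD = "github.event.pull_request.head.repo.full_name == github.repository"


def triggers(workflow):
    """Return the set of event names a workflow runs on, whatever the `on:` form."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def is_self_hosted(runs_on):
    """`runs-on` may be a label string, a list of labels, or a {group, labels} map."""
    if isinstance(runs_on, dict):
        runs_on = runs_on.get("labels", [])
    labels = [runs_on] if isinstance(runs_on, str) else list(runs_on)
    return "self-hosted" in labels


def pr_reachable_self_hosted_jobs(workflow):
    """Job ids that run on self-hosted runners while the workflow is PR-triggered
    and the job carries no same-repository guard in its `if:` condition."""
    if not triggers(workflow) & PR_EVENTS:
        return []
    exposed = []
    for job_id, job in workflow.get("jobs", {}).items():
        if is_self_hosted(job.get("runs-on", "")) and SAME_REPO_GUARD not in str(job.get("if", "")):
            exposed.append(job_id)
    return exposed


# Constructed samples, not real project workflows: WEAK exposes the self-hosted
# job to any fork PR; FIXED keeps it, but only for pushes and same-repo PRs.
WEAK = {"on": ["push", "pull_request"],
        "jobs": {"test-bsd": {"runs-on": ["self-hosted", "openbsd"], "steps": []}}}
FIXED = {"on": ["push", "pull_request"],
         "jobs": {"test-linux": {"runs-on": "ubuntu-latest", "steps": []},
                  "test-bsd": {"runs-on": ["self-hosted", "openbsd"], "steps": [],
                               "if": "github.event_name == 'push' || " + SAME_REPO_GUARD}}}

if __name__ == "__main__":
    print(pr_reachable_self_hosted_jobs(WEAK), pr_reachable_self_hosted_jobs(FIXED))  # ['test-bsd'] []
```

The `if:` guard only narrows which PRs reach the runner; it does not replace the repository-level approval setting the post quotes, and a runner shared between jobs still needs to be treated as reachable by whatever code the least-restricted job runs.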


4.7 billion+ domain database.

Enter IP/IP range/domain to find associated domains and subdomains.

You may also just do GET requests from the command line.

https://ip.thc.org/

Contributor @thc

THC Release 💥: The world’s largest IP<>Domain database: https://ip.thc.org

All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.

Updated monthly.

Try: curl https://ip.thc.org/1.1.1.1

Raw data: https://ip.thc.org/docs/bulk-data-access

(The fine work of messede 👌)

What does everyone think? Need feedback before release tomorrow :)

I have a quick survey for all my #selfhosted folks out there. If you have 3 minutes, a response would be awesome. Thanks, and best to you all. New videos coming tomorrow. https://mync.routemehome.org/apps/forms/s/saoreppWijfmNb5LebbBRLS9
RouteMeHome

NEW STORY OUT 🔥 🔥 🔥

+++Palantir turned down 9 times in Switzerland, by the federal government and by the Swiss Army. The fear of data being passed on to intelligence services and of reputational damage is too great+++

Palantir's customers include security authorities, militaries and intelligence services around the world. The company's products are in use in Israel, Ukraine, Lithuania and Spain, among others, as well as in three German federal states.

The company regularly makes headlines not only because of the manhunts for migrants by ICE agents, but also because Palantir's co-founders, the right-libertarian billionaire Peter Thiel and today's CEO Alex Karp, make no secret of the fact that the software is used as a lethal weapon of war.

Karp does not shy away from war rhetoric either. In a call with investors he said: "Palantir is here to disrupt. (…) And, when necessary, to scare our enemies and, on occasion, to kill them."

Peter Thiel, in turn, one of the first prominent supporters of Trump from Silicon Valley, is known for his statement that freedom and democracy are not compatible.

Until now it was not known whether Swiss security authorities or even the Swiss Army are Palantir customers as well.

Do they, too, work with the US company?

The splendid WAV research collective (Lorenz Naegeli, Jennifer Steiner, Marguerite Meyer, Balz Oertli) and I investigated...

We were able to reconstruct the following Palantir marketing and sales campaign in Switzerland from 2018 to 2025:

➡️ For seven years Palantir tried to win the Swiss federal authorities as customers with a major sales campaign. It was turned down immediately at least nine times. The reasons: no need for Palantir software, or the threat of reputational damage.

➡️ Palantir got furthest only at the Department of Defence (VBS): the Federal Office for Defence Procurement (Armasuisse), which is part of it, examined procuring Palantir software for its "Informatiksystem Militärischer Nachrichtendienst" (military intelligence IT system). But here, too, no collaboration came about.

➡️ The Swiss Army, which also belongs to the VBS, was still interested in purchasing Palantir software as recently as last year. An internal report shows: the fear that Palantir would pass confidential Swiss Army data on to the American intelligence agencies CIA and NSA kept the Army Staff from pursuing the project further.

https://www.republik.ch/2025/12/08/wie-hartnaeckig-palantir-die-schweiz-umwarb

Surveillance technology: how persistently Palantir courted Switzerland

The controversial tech company was turned down again and again. Internal documents now show why. Part 1 of our investigation.

Republik

Anyone running a #honeypot in their #homelab to monitor suspicious activity? Which solution do you use?

#selfhosted #security
Cc: @homelab

#LearnLockpickingWithAlice, lesson 1: Get yourself a decent starter set.

You'll want some good turning tools. My favorites are the red/white/blue set from Red Team Tools for a few reasons: they're a good range of thicknesses, they're color-coded, they're smooth, and the short ends are slimmed down for top of the keyway tensioning or for smaller locks. Turning tools are the most important part of your kit.

You'll want a couple good hooks. I recommend a thin-shank short hook, and a sturdy short/medium hook. The thin one will be your friend in tight keyways and for small locks. The sturdy one will let you bully most other locks.

Finally, you'll want a couple wave rakes. My favorites are the triple-peak w-shape and m-shape (in that order). They're easy to work with, don't get hung up on the keyway, and can be maneuvered to more precisely hit specific pins.

Oh, and you'll need some locks to practice on. Clear locks are great *for your first day*, but you'll run into trouble if you start to rely on seeing the pins. Grab some cheap Master No.3, Master No.140, and/or Brinks padlocks. They're satisfying to open, and they'll teach you the basics. Beware dollar store locks—the manufacturing is usually shit and some have plastic cores, which feel like garbage to pick, and break easily.

Everything else is icing on the cake.

Most starter sets will include a "city rake" or "L rake", and several other mostly useless picks. Ignore them. They're filler and you'll spend days just trying to find a valid reason to carry them—because they *have* to be good for *something*, right? ...right?

Here's the kit I currently recommend: https://www.redteamtools.com/essential-lock-pick-set/ (with the book https://www.redteamtools.com/practical-lock-picking-a-physical-penetration-testers-training-guide-by-deviant-ollam-signed) It's ~$60, solid, no fluff, and well made. I love the book, the turning tools are part of my everyday carry, and I use the picks whenever I teach lockpicking in person.

Disclaimer: @deviantollam (Red Team Tools' founder) is a friend of mine, but I don't recommend anything that I don't personally use.