Checkmarx Zero
@checkmarxzero.bsky.social
Specializing in breaking and protecting the building blocks of modern software development. From traditional #AppSec, through #opensource #SupplyChain threats, to #LLM security. https://checkmarx.com/zero/
checkmarxzero.bsky.social
There's no patch yet; rip it out of anything where untrusted users can choose branch names. #CICD #SupplyChainSecurity #ApplicationSecurity
checkmarxzero.bsky.social
Use the popular `check-branches` NPM package in your CI? This tool checks for conflicts with other git branches, but it treats branch names as safe when passing to `git` commands, leading to command injection buff.ly/q3yjuvM (CVSSv4 9.3).

#CICD #SupplyChainSecurity #ApplicationSecurity
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2025-11148 - DevHub
All versions of the package check-branches are vulnerable to Command Injection. check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git…
devhub.checkmarx.com
checkmarxzero.bsky.social
📢 ACTIVE VULNERABILITY 🚨 Fortra is warning that their #GoAnywhere Managed File Transfer (#MFT) system has a serious flaw that can allow attackers to inject commands. Requires a forged or valid license, but that's not a very high bar.

#CyberSecurity #DevSecOps #SupplyChainSecurity 🧵1/2
Deserialization Vulnerability in GoAnywhere MFT's License Servlet
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object,…
www.fortra.com
checkmarxzero.bsky.social
Even if you aren't impacted by these vulnerabilities, they're excellent case studies for #AppSec teams on the challenges of avoiding even common weaknesses (like SQLi) and ensuring that designs are reviewed alongside implementations.
checkmarxzero.bsky.social
In this week's #LastWeekInAppSec (07. Oct 2025): Django allowing SQLi when backed by MySQL or MariaDB; FreshRSS letting anyone self-register as an admin. buff.ly/6aRh6uN

#InfoSec #CyberSecurity #WebSecurity #DevSecOps #VulnerabilityManagement #SQLi #Django #FreshRSS #PatchManagement #CVE
checkmarx.com
checkmarxzero.bsky.social
Recommended actions:
- Do NOT install or run `@lanyer640/mcp-runcommand-server`
- Block traffic to or from 45[.]115.38.27 on your network
- Search your package inventory in your #SCA tool
- Search your system logs and CIs for installs of the package or connections to the IP above

🧵 2/2
checkmarxzero.bsky.social
🚨 ALERT: Malicious #NPM package 🚨 `@lanyer640/mcp-runcommand-server` disguises itself as a legitimate MCP server but spawns a hidden interactive shell to IP 45[.]115.38.27 when executed.

We also reported this package to NPM.

#Malware #OpenSource #DevOps #DevSecOps #ApplicationSecurity #AppSec 🧵1/2
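
The inventory and log searches recommended in the two-part alert above can be scripted. The sketch below is an added example, not part of the original posts or any Checkmarx tooling: it checks a parsed `package-lock.json` (both lockfile layouts) and a set of log lines for the package name and IP given in the alert. The function names, sample lockfile and log lines are hypothetical and constructed for illustration.

```javascript
// Indicators are from the alert; sample lockfile and log lines are constructed.
const BAD_PACKAGE = "@lanyer640/mcp-runcommand-server";
const BAD_IP = "45.115.38.27"; // the alert writes it defanged: 45[.]115.38.27
// Search a parsed package-lock.json for the package, including transitive installs.
function findInLockfile(lock, name = BAD_PACKAGE) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths, e.g. "node_modules/a/node_modules/b"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version || "unknown" });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects keyed by package name
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = [...trail, dep];
      if (dep === name) hits.push({ path: here.join(" > "), version: meta.version || "unknown" });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Flag log lines naming the package or the IP (plain or defanged), without
// matching longer addresses such as 145.115.38.27 or 45.115.38.270.
function scanLogLines(lines) {
  const ipRe = new RegExp(
    "(?<![\\d.])" + BAD_IP.split(".").join("(?:\\.|\\[\\.\\])") + "(?!\\.?\\d)");
  const hits = [];
  lines.forEach((text, i) => {
    if (text.includes(BAD_PACKAGE)) hits.push({ line: i + 1, indicator: "package", text });
    if (ipRe.test(text)) hits.push({ line: i + 1, indicator: "ip", text });
  });
  return hits;
}

const sampleLock = { lockfileVersion: 3, packages: {   // constructed
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-pad": { version: "1.3.0" },
  "node_modules/@lanyer640/mcp-runcommand-server": { version: "0.0.0-constructed" } } };
const sampleLog = [                                     // constructed
  "2025-01-01T10:00:02Z ci: npm install @lanyer640/mcp-runcommand-server",
  "2025-01-01T10:00:09Z fw: ALLOW tcp 10.0.0.5:51544 -> 45.115.38.27:443",
  "2025-01-01T10:00:10Z fw: ALLOW tcp 10.0.0.5:51545 -> 145.115.38.27:443" ];
console.log(findInLockfile(sampleLock), scanLogLines(sampleLog));
```

To use it on real data, pass the result of `JSON.parse` on a lockfile and an array of lines from CI or egress logs.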
checkmarxzero.bsky.social
🔒 Three new #OpenSSL CVEs today:
• CVE-2025-9230 OOB read/write (CMS decrypt)
• CVE-2025-9231 SM2 side-channel (ARM64)
• CVE-2025-9232 OOB read (HTTP client)

Fixes in 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18. Update now.

Details: www.openssl.org/news/secadv/...

#AppSec #SupplyChainSecurity #OpenSource
checkmarxzero.bsky.social
Need more detail? Get the 3-minute read with links and mitigations: buff.ly/dR3PQZJ
#AppSec #DevSecOps #Kubernetes #GoLang #SAML 🧵5/5
checkmarxzero.bsky.social
Actions: upgrade Rancher to 2.12.2 / 2.11.6 / 2.10.10 / 2.9.12. Enforce allowlists for SAML params, shorten token TTLs, and train admins to verify login URLs. Review audit logs for suspicious re-auth flows. #SecurityEngineering #BlueTeam #IncidentResponse 🧵4/5
checkmarxzero.bsky.social
Rancher (Manager + CLI): phishing + a malicious URL with attacker-controlled requestId/publicKey can force SAML re-auth and leak tokens. CVE-2024-58267. #Kubernetes #Rancher #SAML #Identity 🧵3/5
checkmarxzero.bsky.social
go-mail: a casting mistake let crafted recipient addresses smuggle SMTP commands to the server. Severity CVSSv4 8.2. Fix: upgrade to v0.7.1 and sanitize untrusted addresses; watch logs for odd RCPT TO:/DATA sequences. #GoLang #EmailSecurity #SupplyChainSecurity 🧵2/5
checkmarxzero.bsky.social
Got 3 minutes? Catch up on the #AppSec news you might have missed #LastWeekInAppSec: buff.ly/dR3PQZJ

This week: go-mail #opensource library has SMTP injection; Rancher subject to SAML flow abuse in Manager & CLI. Read for full details including remediation and mitigation advice. #DevSecOps 🧵1/5
Last Week in AppSec for 30. September 2025 - Checkmarx
go-mail SMTP injection and Rancher SAML phishing vector with escalation of privilege: Last Week In AppSec
buff.ly
checkmarxzero.bsky.social
We've seen attackers promote unpublished and malicious extensions as "early access" before, with some success. 🧵5/5
checkmarxzero.bsky.social
Most of these were in an "unpublished" state, meaning they would not have appeared in Marketplace searches, and this hopefully has limited the likelihood of compromise. However, unpublished extensions can still be installed (though it requires extra steps). 🧵4/5
checkmarxzero.bsky.social
Since removal from the Marketplace does not uninstall the packages locally, check to see if any of these were installed on developer workstations. If found, be aware that sensitive data including ChatGPT access keys may have been exfiltrated and respond accordingly. 🧵3/5
checkmarxzero.bsky.social
VSAnalysistest.mycodegpt-assistant
VSAnalysistest.clipboard-helper-vscode
VSAnalysistest.discord-helper-test
VSAnalysistest.global-state-test
dontdownloadthis.dontdownloadthis
automated1ogic.automated1ogic
automatedlogic.automatedlogic
webctrl[.]live

^ #VSCode packages identified as malicious 🧵2/5
checkmarxzero.bsky.social
📢 Malicious Visual Studio Code (#VSCode & #VSCodium) packages identified. Checkmarx Zero identified the packages below and reported them to Microsoft before they were widely distributed. Microsoft responded promptly and has removed them from the Visual Studio Marketplace. 🧵1/5
checkmarxzero.bsky.social
Track your PDF toolchains, check your dependencies, and update Ghostscript as patches land (especially in containers). This is a reminder to treat indirect dependencies with the same care as the ones you code directly.
#CVE202559798 #Ghostscript #PDF #AppSec #SupplyChainSecurity 🧵3/3
checkmarxzero.bsky.social
Because Ghostscript is embedded so widely, a flaw here can ripple across countless apps and services. A “medium” score can become high-impact when the dependency is so widely adopted; price of success, in a way. 🧵2/3
checkmarxzero.bsky.social
Ghostscript has a stack-based buffer overflow in versions 9.* and 10.*. It’s rated only Medium, but Ghostscript underpins many PDF apps and libraries. Think of it like the “ImageMagick of PDFs.”
buff.ly/GJ7Mpfj 🧵1/3
Stack-based Buffer Overflow - CVE-2025-59798 - DevHub
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdf_write_cmap in devices/vector/gdevpdtw.c.
devhub.checkmarx.com
Reposted by Checkmarx Zero
dortumarkin.bsky.social
Ori Ron and I found a cool way to attack the HITL, by convincing it to inject content and markup right after commands. Anyone would press Yes if the attackers control the question.
checkmarxzero.bsky.social
Using AI agents or coding assistants? You might have a LITL problem.

“Lies in the loop” can bypass defenses that rely on a human-in-the-loop check.

Learn more: buff.ly/whnCtFv 🧵1/4

#CheckmarxZero #AppSec #AI #AISecurity #MachineLearning #AIagents #SecureCoding
Bypassing AI Agent Defenses With Lies-In-The-Loop - Checkmarx
Lies-in-the-loop is a new attack that bypasses AI agent's "human-in-the-loop" defenses to run malicious code on user machines. Learn what it does and how we uncovered it.
checkmarx.com
checkmarxzero.bsky.social
🧊 #Kubernetes C# client cert validation (#CVE-2025-9708). Impact: potential man-in-the-middle when using custom CA configurations. Fix: v17.0.14+. Interim: move custom #CA from kubeconfig into system trust store to raise exploit difficulty. #ProdSec #MitM 🧵 3/3
checkmarxzero.bsky.social
☕️ Jenkins + Jenkins Core HTTP/2 DoS when using embedded web server (#CVE-2025-5115). Impact: unauth DoS when HTTP/2 is enabled. Fix: Jenkins 2.524/LTS 2.516.3. Interim: disable HTTP/2 or run behind Tomcat instead of using the bundled Jetty server. #AppSec #CI 🧵 2/3