Fran Donoso
@francisck.com
I'm an infosec person who currently works as the CTO of a security services firm. Have done DevSecOps, Red Teaming, and reverse engineering. I reversed some of the tooling leaked by the Shadow Brokers and spoke about it publicly
Pinned
Hey new folks, welcome to BlueSky! My name is Fran and I run the following #cybersecurity feed:

bsky.app/profile/did:...

I'll be working to keep it spam free & good.

If you're curious here are the keywords I'm looking for:

gist.github.com/francisck/d8...

Please provide feedback if you have any.
Reposted by Fran Donoso
patch ye MongoDB, there's an exploit for a vuln which has been in the product for over a decade that allows the remote, unauth read of any memory - which includes plaintext creds.

Somebody posted an exploit on Christmas Day, Merry Christmas!

doublepulsar.com/merry-christ...
Merry Christmas Day! Have a MongoDB security incident.
Somebody from Elastic Security decided to post an exploit for CVE-2025-14847 on Christmas Day.
doublepulsar.com
December 26, 2025 at 10:57 PM
This channel started to get recommended to me recently. I watched a bit of one video, realized it’s AI generated, and then just removed the channel from my recommendations. Pretty crummy quality, and whoever is making this is just pumping a ton of content out.
December 26, 2025 at 2:54 PM
Reposted by Fran Donoso
HARDEN YO' N8N - [CVSS 10.0 RCE] Remote Code Execution via Expression Injection m.cje.io/4qhl2JX

cc: @networkchuck @danielmiessler @jhaddix
Remote Code Execution via Expression Injection
Impact: n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users dur...
m.cje.io
December 20, 2025 at 12:36 AM
Yep, that also tracks with the data we have (owned by a large cyber insurer). Akira is by far the most active and impactful for our clients. Responsible for most incidents in Q3 for sure.
November 14, 2025 at 7:12 PM
I may have gone overboard on the Halloween goodies this year

#halloween
November 1, 2025 at 2:34 AM
This is one of my favorite sci-fi books and my fav Andy Weir book! I was cautiously excited when I saw they were making a movie
October 15, 2025 at 3:21 AM
Yooooo idk what you’re talking about. That stuffed animal looks awesome!
October 5, 2025 at 9:39 PM
I’ve been reading further and it seems like it was a third party provider who was like a business process outsourcer.

This is similar to the recent Air France and Stellantis breaches but no idea if they’re related.
October 4, 2025 at 4:39 AM
I think this is probably Salesforce compromised via Salesloft Drift?

It aligns with the Salesloft Drift stuff we’ve seen. Most of the other parties were also using Salesforce for support ticketing and had Salesforce auth tokens stolen from Drift.
October 3, 2025 at 11:23 PM
I encourage cybersecurity professionals to read this report to understand the type of capabilities that can be deployed against citizens at scale by autocratic regimes.

Organizations designing products that support privacy should understand these capabilities and design to protect users from them.
September 14, 2025 at 6:20 PM
"The requirements for future development also mention adding the ability to check which users are connected to specific mobile base stations in order to support location triangulation through these stations and detect when a large number of people congregate in a particular area"
September 14, 2025 at 6:19 PM
"It uses the in-path injection capability in TSG to effectively recruit unsuspecting users' computers to participate in the attack, thereby creating a botnet"
September 14, 2025 at 6:18 PM
"however, a closer examination reveals that it is actually a platform for launching DDoS attacks against websites and other internet services deemed politically undesirable. This would appear to be Geedge's own implementation of China's Great Cannon, as described in a 2015 Citizen Lab report"
September 14, 2025 at 6:18 PM
"TSG's in-path injection capability system allows for sophisticated targeting of this malicious code for the specific user, facilitating on-the-fly modifications across a variety of file formats [...] complemented by Cyber Narrator [...] hijack in order to infect specific individuals."
September 14, 2025 at 6:17 PM
"TSG is also capable of modifying HTTP sessions in realtime through techniques such as spoofing redirect responses, altering headers, injecting scripts, replacing text, and overriding response bodies."
September 14, 2025 at 6:16 PM
From the report:

"Cyber Narrator is a powerful tool capable of tracking network traffic at the individual customer level and can identify the geographic location of mobile subscribers in real time [..]. The system also allows the government client to see aggregated network traffic."
September 14, 2025 at 6:16 PM
This report from @interseclab.bsky.social on how a Chinese company is exporting some of the capabilities of "The Great Wall of China" to other autocratic countries is INSANELY INTERESTING:

interseclab.org/wp-content/u...

*EVERY Page is worth reading*

Some interesting tidbits in the thread
interseclab.org
September 14, 2025 at 6:15 PM
Incredible work, Yael!
September 10, 2025 at 3:21 AM
Plex was hacked. It included usernames, emails, and hashed passwords.

Change your passwords when you can.
September 8, 2025 at 10:37 PM
Reposted by Fran Donoso
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
August 26, 2025 at 3:38 PM
Reposted by Fran Donoso
SentinelOne and Beazley Security have discovered a new Windows infostealer used in the wild named PXA Stealer, most likely the work of a Vietnamese-speaking cybercrime group.

www.sentinelone.com/labs/ghost-i...

labs.beazley.security/articles/gho...
August 5, 2025 at 11:47 AM
I mean I’ve been urging people to toss their sonicwall devices into a shredder for years now 🤷🏻‍♂️
SonicWall is urging customers to take some VPN devices offline after multiple security firms discovered a campaign of ransomware attacks over the last two weeks

SonicWall did not explain if the ransomware gangs are using a zero-day

therecord.media/sonicwall-po...
SonicWall urges customers to take VPN devices offline after ransomware incidents
Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
therecord.media
August 4, 2025 at 8:39 PM
Our team collaborated with our friends at @sentinellabs.bsky.social to identify and disrupt a PXA infostealer campaign that has an intricate and complex delivery chain:

labs.beazley.security/articles/gho...

Thanks for the fantastic collab SentinelLabs team!
BSL - Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem
labs.beazley.security
August 4, 2025 at 5:58 PM
Look forward to seeing you!!!
July 30, 2025 at 12:55 AM