Peter Stöckli
@ulldma.bsky.social
Security Researcher and Software Engineer at GitHub Security Lab
Reposted by Peter Stöckli
🚀 GitHub is making Actions more secure by default
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
Towards a secure by default GitHub Actions · community · Discussion #179107
Why are you starting this discussion? Product Feedback What GitHub Actions topic or product is this about? Workflow Configuration Discussion Details Today, GitHub announced upcoming changes to the ...
github.com
November 11, 2025 at 6:38 PM
🚀 GitHub is making Actions more secure by default
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
Reposted by Peter Stöckli
🎉 It’s Friday at #EkoParty!
Join us at the GitHub booth at 15:30 for the GitHub Quiz 🧠
Test your security knowledge, win exclusive GitHub swag, grab some stickers, and chat with our experts!
👉 gh.io/eko
Join us at the GitHub booth at 15:30 for the GitHub Quiz 🧠
Test your security knowledge, win exclusive GitHub swag, grab some stickers, and chat with our experts!
👉 gh.io/eko
GitHub Security Lab
Securing open source software, together.
gh.io
October 24, 2025 at 2:10 PM
Reposted by Peter Stöckli
We're taking action to make the npm supply chain stronger and harder to attack. 🛡️
Check out our plan to create a more secure future for the JavaScript community.👇
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
Check out our plan to create a more secure future for the JavaScript community.👇
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
September 30, 2025 at 3:55 PM
We're taking action to make the npm supply chain stronger and harder to attack. 🛡️
Check out our plan to create a more secure future for the JavaScript community.👇
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
Check out our plan to create a more secure future for the JavaScript community.👇
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
Reposted by Peter Stöckli
Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...
Our plan for a more secure npm supply chain
GitHub is strengthening npm's security with stricter authentication, granular tokens, and enhanced trusted publishing.
github.blog
September 23, 2025 at 4:11 PM
Recent account takeovers and attacks on package registries are a wake-up call: it's time to raise the bar on authentication and secure publishing practices. Find out what npm is doing—and what steps you can take—to help secure the open source supply chain: github.blog/security/sup...
Reposted by Peter Stöckli
I have often stated that well-implemented memory tagging will be a game changer for memory corruptions. And it seems that with the next iPhone it's finally here: security.apple.com/blog/memory-...
Blog - Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research
Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort spanning half a decade that combines the unique strengths of Apple silicon hardware with our adv...
security.apple.com
September 10, 2025 at 8:06 AM
I have often stated that well-implemented memory tagging will be a game changer for memory corruptions. And it seems that with the next iPhone it's finally here: security.apple.com/blog/memory-...
Reposted by Peter Stöckli
What if attackers could hijack your coding agent through a simple GitHub issue?
Prompt injections are a real and growing threat for VS Code Copilot Agent.
Learn how these attacks work and how you can defend your environment.
Read the full research: github.blog/security/vul...
Prompt injections are a real and growing threat for VS Code Copilot Agent.
Learn how these attacks work and how you can defend your environment.
Read the full research: github.blog/security/vul...
Safeguarding VS Code against prompt injections
See how to reduce the risks of an indirect prompt injection, such as the exposure of confidential files or the execution of code without the user's consent.
github.blog
August 25, 2025 at 5:53 PM
What if attackers could hijack your coding agent through a simple GitHub issue?
Prompt injections are a real and growing threat for VS Code Copilot Agent.
Learn how these attacks work and how you can defend your environment.
Read the full research: github.blog/security/vul...
Prompt injections are a real and growing threat for VS Code Copilot Agent.
Learn how these attacks work and how you can defend your environment.
Read the full research: github.blog/security/vul...
Reposted by Peter Stöckli
Today I have a more serious topic than usual, please consider reposting for reach:
My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/4]
My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/4]
August 19, 2025 at 8:34 AM
Today I have a more serious topic than usual, please consider reposting for reach:
My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/4]
My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/4]
Reposted by Peter Stöckli
🚀 GitHub is on a mission to supercharge open-source security! We've partnered with 71 key open-source projects, giving them tools, funding, and playbooks to boost security. 🔐
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Securing the supply chain at scale: Starting with 71 important open source projects
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.
github.blog
August 11, 2025 at 5:28 PM
🚀 GitHub is on a mission to supercharge open-source security! We've partnered with 71 key open-source projects, giving them tools, funding, and playbooks to boost security. 🔐
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Want your project to be part of this effort? Now’s the time to get involved! 💪
🔗 Find out more: github.blog/open-source/...
Reposted by Peter Stöckli
August 11, 2025 at 8:49 AM
Reposted by Peter Stöckli
I'm coming to Switzerland! Join me at the Microsoft Azure Zürich User Group in only a few weeks from now: www.meetup.com/de-DE/micros...
[In Person] Troy Hunt Have I Been Pwned Alpine Grand Tour Zürich , Di., 17. Juni 2025, 18:00 | Meetup
**IN-PERSON** Troy Hunt meetup at **Kraftwerk in Zurich**
This meetup is a collaboration between several Swiss User Groups:
[Azure Zurich User Group ](https://www.azurezur
www.meetup.com
May 27, 2025 at 12:04 AM
I'm coming to Switzerland! Join me at the Microsoft Azure Zürich User Group in only a few weeks from now: www.meetup.com/de-DE/micros...
Reposted by Peter Stöckli
Our team member Man Yue Mo is back, showing a new way to bypass MTE protection on Android phones with CVE-2025-0072. github.blog/security/vul...
Bypassing MTE with CVE-2025-0072
See how a vulnerability in the Arm Mali GPU can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
github.blog
May 23, 2025 at 2:52 PM
Our team member Man Yue Mo is back, showing a new way to bypass MTE protection on Android phones with CVE-2025-0072. github.blog/security/vul...
Reposted by Peter Stöckli
Next Monday I'm doing a 2h webinar on files as seen through the eyes of a cybersecurity researcher. This will cover useful stuff for programmers, more junior pentesters, and other tech enthusiasts who enjoy knowing how stuff works on a computer :)
hexarcana.ch/lp/files/?ut...
hexarcana.ch/lp/files/?ut...
Files through the eyes of a hacker
hexarcana.ch
March 26, 2025 at 8:54 AM
Next Monday I'm doing a 2h webinar on files as seen through the eyes of a cybersecurity researcher. This will cover useful stuff for programmers, more junior pentesters, and other tech enthusiasts who enjoy knowing how stuff works on a computer :)
hexarcana.ch/lp/files/?ut...
hexarcana.ch/lp/files/?ut...
In this demonstration I show the impact of CVE-2025-25291/CVE-2025-25292, an authentication bypass in ruby-saml used by high profile OSS projects such as GitLab. My team coordinated with both the ruby-saml maintainer and GitLab to get this vulnerability fixed and patches are available at gh.io/glfx
March 13, 2025 at 4:08 PM
In this demonstration I show the impact of CVE-2025-25291/CVE-2025-25292, an authentication bypass in ruby-saml used by high profile OSS projects such as GitLab. My team coordinated with both the ruby-saml maintainer and GitLab to get this vulnerability fixed and patches are available at gh.io/glfx
If you're using ruby-saml or omniauth-saml for SAML authentication make sure to update these libraries as fast as possible! Fixes for two critical authentication bypass vulnerabilities were published today (CVE-2025-25291 + CVE-2025-25292).
github.blog/security/sig...
github.blog/security/sig...
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
github.blog
March 12, 2025 at 9:50 PM
If you're using ruby-saml or omniauth-saml for SAML authentication make sure to update these libraries as fast as possible! Fixes for two critical authentication bypass vulnerabilities were published today (CVE-2025-25291 + CVE-2025-25292).
github.blog/security/sig...
github.blog/security/sig...
Reposted by Peter Stöckli
In this blog post, we detail newly discovered authentication bypass vulnerabilities in the ruby-saml library used for single sign-on (SSO) via SAML on the service provider (application) side. github.blog/security/sig...
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
github.blog
March 12, 2025 at 9:34 PM
In this blog post, we detail newly discovered authentication bypass vulnerabilities in the ruby-saml library used for single sign-on (SSO) via SAML on the service provider (application) side. github.blog/security/sig...
Reposted by Peter Stöckli
Hello from the GitHub Security Lab!
We are a team of security experts who cultivate a collaborative community where developers and security professionals come together to secure open source software.
We are a team of security experts who cultivate a collaborative community where developers and security professionals come together to secure open source software.
February 6, 2025 at 8:29 AM
Hello from the GitHub Security Lab!
We are a team of security experts who cultivate a collaborative community where developers and security professionals come together to secure open source software.
We are a team of security experts who cultivate a collaborative community where developers and security professionals come together to secure open source software.
Reposted by Peter Stöckli
Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...
January 22, 2025 at 6:16 PM
Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...
Reposted by Peter Stöckli
mitmproxy 11.1 is out! 🥳
We now support *Local Capture Mode* on Windows, macOS, and - new - Linux! This allows users to intercept local applications even if they don't have proxy settings.
More details are at mitmproxy.org/posts/local-.... Super proud of this team effort. 😃
We now support *Local Capture Mode* on Windows, macOS, and - new - Linux! This allows users to intercept local applications even if they don't have proxy settings.
More details are at mitmproxy.org/posts/local-.... Super proud of this team effort. 😃
Intercepting Linux Applications
mitmproxy.org
January 12, 2025 at 1:59 PM
mitmproxy 11.1 is out! 🥳
We now support *Local Capture Mode* on Windows, macOS, and - new - Linux! This allows users to intercept local applications even if they don't have proxy settings.
More details are at mitmproxy.org/posts/local-.... Super proud of this team effort. 😃
We now support *Local Capture Mode* on Windows, macOS, and - new - Linux! This allows users to intercept local applications even if they don't have proxy settings.
More details are at mitmproxy.org/posts/local-.... Super proud of this team effort. 😃
Reposted by Peter Stöckli
🚀 CodeQL zero to hero part 4: Gradio case study is out! This time we dive into how I wrote CodeQL to support the @hf.co's Gradio framework, scaled the research to a thousand repositories on GitHub, and found 11 vulnerabilities.
gh.io/codeql-part-4
gh.io/codeql-part-4
CodeQL zero to hero part 4: Gradio framework case study
Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.
gh.io
December 11, 2024 at 6:59 PM
🚀 CodeQL zero to hero part 4: Gradio case study is out! This time we dive into how I wrote CodeQL to support the @hf.co's Gradio framework, scaled the research to a thousand repositories on GitHub, and found 11 vulnerabilities.
gh.io/codeql-part-4
gh.io/codeql-part-4
Reposted by Peter Stöckli
My latest blog post is live! Check your Ruby on Rails applications for the use of params[:_json]
nastystereo.com/security/rai...
nastystereo.com/security/rai...
December 10, 2024 at 8:30 AM
My latest blog post is live! Check your Ruby on Rails applications for the use of params[:_json]
nastystereo.com/security/rai...
nastystereo.com/security/rai...
Reposted by Peter Stöckli
My latest blog post is live! nastystereo.com/security/cro...
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
November 27, 2024 at 9:10 AM
My latest blog post is live! nastystereo.com/security/cro...
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
Reposted by Peter Stöckli
I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!
Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties
Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...
srcincite.io
November 26, 2024 at 11:57 PM
I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!
Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Reposted by Peter Stöckli
I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby!
It builds on the work of others, including Leonardo Giovanni, @ulldma.bsky.social and @vakzz.bsky.social
nastystereo.com/security/rub...
It builds on the work of others, including Leonardo Giovanni, @ulldma.bsky.social and @vakzz.bsky.social
nastystereo.com/security/rub...
November 25, 2024 at 5:27 AM
I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby!
It builds on the work of others, including Leonardo Giovanni, @ulldma.bsky.social and @vakzz.bsky.social
nastystereo.com/security/rub...
It builds on the work of others, including Leonardo Giovanni, @ulldma.bsky.social and @vakzz.bsky.social
nastystereo.com/security/rub...
Reposted by Peter Stöckli
If you're interested in the inner workings of unsafe deserialization in Ruby I got you covered with a blog post that explains in detail how a concrete gadget chain works:
github.blog/2024-06-20-e...
Including proof of concept exploits that work up to Ruby 3.3 for Oj (JSON), Ox (XML) and more.
github.blog/2024-06-20-e...
Including proof of concept exploits that work up to Ruby 3.3 for Oj (JSON), Ox (XML) and more.
Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects
Can an attacker execute arbitrary commands on a remote server just by sending JSON? Yes, if the running code contains unsafe deserialization vulnerabilities. But how is that possible? In this blog pos...
github.blog
June 24, 2024 at 11:30 AM
If you're interested in the inner workings of unsafe deserialization in Ruby I got you covered with a blog post that explains in detail how a concrete gadget chain works:
github.blog/2024-06-20-e...
Including proof of concept exploits that work up to Ruby 3.3 for Oj (JSON), Ox (XML) and more.
github.blog/2024-06-20-e...
Including proof of concept exploits that work up to Ruby 3.3 for Oj (JSON), Ox (XML) and more.
If you're interested in the inner workings of unsafe deserialization in Ruby I got you covered with a blog post that explains in detail how a concrete gadget chain works:
github.blog/2024-06-20-e...
Including proof of concept exploits that work up to Ruby 3.3 for Oj (JSON), Ox (XML) and more.
github.blog/2024-06-20-e...
Including proof of concept exploits that work up to Ruby 3.3 for Oj (JSON), Ox (XML) and more.
Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects
Can an attacker execute arbitrary commands on a remote server just by sending JSON? Yes, if the running code contains unsafe deserialization vulnerabilities. But how is that possible? In this blog pos...
github.blog
June 24, 2024 at 11:30 AM
If you're interested in the inner workings of unsafe deserialization in Ruby I got you covered with a blog post that explains in detail how a concrete gadget chain works:
github.blog/2024-06-20-e...
Including proof of concept exploits that work up to Ruby 3.3 for Oj (JSON), Ox (XML) and more.
github.blog/2024-06-20-e...
Including proof of concept exploits that work up to Ruby 3.3 for Oj (JSON), Ox (XML) and more.