Login
Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.
As always, the content & discussion guidelines should also be observed on r/netsec.
Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.
Nearly every company, from tech giants like Amazon to small startups, has first-hand experience with fake IT workers applying for jobs - and sometimes even being hired.Β β¦
We recently ran a controlled adversarial security test between two autonomous AI agents built on OpenClaw.
One agent was explicitly configured as a red-team attacker.
One agent acted as a standard defensive agent.
Once the session started, there were no humans in the loop. The agents communicated directly over webhooks with real tooling access.
The goal was to test three failure dimensions that tend to break autonomous systems in practice: access, exposure, and agency.
The attacker first attempted classic social engineering by offering a βhelpfulβ security pipeline that hid a remote code execution payload and requested credentials. The defending agent correctly identified the intent and blocked execution.
After that failed, the attacker pivoted to an indirect attack. Instead of asking the agent to run code, it asked the agent to review a JSON document with hidden shell expansion variables embedded in metadata. This payload was delivered successfully and is still under analysis.
The main takeaway so far is that direct attacks are easier to defend against. Indirect execution paths through documents, templates, and memory are much harder.
This work is not a claim of safety. It is an observability exercise meant to surface real failure modes as agent-to-agent interaction becomes more common.
Happy to answer technical questions about the setup or methodology.
Investigated a group evolving from IRC wars to destructive Android malware.
Highlights:
FreshRSS 
modem/bootloader via dd in custom ROMs.getattr/eval in Python.
This week inΒ scams, three headlines tell the same story: attackers are getting better at manipulating people, not just breaking into systems.Β WeβreΒ seeing a wave of intrusions tied to social engineering, a major delivery platform confirming a breach amid extortion claims, and a big tech headline that has a lot of people rethinking how apps handle their data.Β
Every week, this roundup breaks down theΒ scamΒ and cybersecurity stories making news and explains how theyΒ actually work, so you can spot risk earlier and avoid getting pulled into someone elseβs playbook.Β
LetβsΒ get into it.Β
The big picture:Β Several major brands were hit by cybersecurity incidents tied to social engineering tactics like phishing and vishing.Β
What happened:Β Bloomberg reportedΒ that Bumble, Match Group, Panera Bread, and CrunchBase each confirmed incidents.Β Β
Bumble said a contractor account was compromised in a phishing incident, which led to brief unauthorized access to a smallΒ portionΒ of its network, and said its member database, accounts, messages, and profiles were not accessed.Β Β
Panera said an attacker accessed a software application it used to store data, and said the data involved was contact information.Β Β
Match said the incident affected a limited amount of user data, and said it saw noΒ indicationΒ that user logins, financial information, or private communications were accessed.Β Β
CrunchBase said documents on its corporate network wereΒ impacted,Β and said itΒ containedΒ the incident.Β
According to Bloomberg, cybersecurity firm Mandiant has also warned about a hacking campaign linked to a group that calls itselfΒ ShinyHunters. The group is usingΒ vishing, which meansΒ scamΒ phone calls,Β to trick people into giving up their login information.Β Once attackers get those logins, they can access cloud tools and online work systems that companies use every day. The group has said they are behind some of these recent attacks, but that has not been independently confirmed.Β
Red flags to watch for:Β
Calls that pressure you to approve a login, reset credentials, or share a one-time codeΒ
Messages posing as IT support, a vendor, or βsecurityβ that try to rush youΒ
MFA prompts you did not initiateΒ
βQuick verificationβ requests that bypass normal internal processesΒ
How this works:Β Social engineering works because it blends into normal life. A convincing message or call gets someone to do one small βreasonableβ thing. Approve a prompt. Read a code. Reset access. That is often all an attacker needs to get inside with legitimate credentials, then pivot into the tools where valuable data lives.Β
Ok, we know this is called βThis Week in Scamsβ but this is also a cybersecurity newsletter.Β SoΒ when the biggest tech and privacy headline of the week is TikTok updating its privacy policy, weΒ have toΒ talk about it.Β
The big picture:Β TikTokβs updated terms and privacy policy are raising fresh questions about what data is collected, especially around location.Β
What happened:Β TikTok confirmedΒ last weekΒ that a new U.S.-based entity is in control of the app after splitting from ByteDance earlier this year. That same day,Β CBS reported TikTok published updated terms and a new privacy policy, which prompted backlash on social media.Β
CBS reported that one major point of concern is language stating TikTok may collect precise location information if users enable location services in device settings.Β This isΒ reportedly aΒ shift fromΒ previousΒ policyΒ language, andΒ TikTok said it plans to give U.S. users a prompt to opt in or opt out when precise location features roll out.Β
According to CBS, some users are also concerned the new privacy policyΒ would allow the TikTok to more easilyΒ share theirΒ private dataΒ with the federal and local government.Β
That fear is based on aΒ change inΒ policyΒ languageΒ statingΒ thatΒ TikTok βprocesses such sensitive personal information in accordance with applicable law.βΒ
A quick, practical takeaway:Β This is a good reminder that βprivacy policy dramaβ usually comes down toΒ one thing you canΒ actually control:Β your app permissions.Β
What to do (general privacy steps):Β
Check your phone settings for TikTok and confirm whether location access is Off, While Using, or Always.Β
If your device supports it, consider turning off precise location for apps that do not truly need it.Β
Do a quick permission sweep across social apps: location, contacts, photos, microphone, camera, and Bluetooth.Β
Make sure your account is protected with a strong, unique password and two-factor authentication.Β
Note: This is not a recommendation about whether to keep or remove any specific app.Β ItβsΒ a reminder that your device settings matter and they are worth revisiting.Β
The big picture:Β Even when a company says payment details were not affected, a breach can still create risk because stolen data often gets reused for phishing.Β
What happened:Β According toΒ BleepingComputer,Β Grubhub confirmed unauthorized individuals downloaded data from certain systems and that it investigated, stopped the activity, and is taking steps to strengthen security.Β Sources toldΒ BleepingComputerΒ the company is facing extortion demands tied to stolen data. Grubhub said sensitive information like financial details and order history was notΒ affected, andΒ did not provide more detail on timing or scope.Β
Red flags to watch for next:Β Breach headlines are often followed byΒ scamΒ waves. Be on alert for:Β
βRefundβ or βorder problemβ emails you did not requestΒ
Fake customer support messages asking you to verify account detailsΒ
Password reset prompts you did not initiateΒ
Links to βresolve your accountβ thatΒ donβtΒ come from a known, official domainΒ
How this works:Β Customer support systems canΒ containΒ personal details that makeΒ scamsΒ feel real. Names, emails, and account notes are often enough for attackers to craft messages that sound like legitimate help, especially when the brand is already in the news.Β
The big picture:Β Some browser extensions that look like normal workplace tools areΒ actually designedΒ to hijack accounts and lock users out of their own security controls.Β
What happened:Β SecurityΒ researchersΒ told Fox NewsΒ that they uncoveredΒ a campaign involving malicious Google Chrome extensions that impersonate well-known business and human resources platforms, including tools commonly used for payroll, benefits, and workplace access.Β
ResearchersΒ identifiedΒ several fake extensions that were marketed as productivity or security tools. Once installed, they quietly ran in the background without obvious warning signs. According to Fox News, Google said the extensions have been removed from the Chrome Web Store, but some are still circulating on third-party download sites.Β
How theΒ scamΒ actually works:Β Instead of stealing passwords directly, the extensions captured active login sessions. When you sign into a website, your browser stores small files that keep you logged in. If attackers get access to those files, they can enter an account without ever knowing the password.Β
Some extensions went a step further by interfering with security settings. Victims were unable to change passwords, review login history, or reach account controls. That made it harder to detect the intrusion and even harder to recover access once something felt off.Β
Why this matters:Β This kind of attack removes the safety net people rely on when accounts are compromised. Password resets and two-factor authentication only help if you can reach them. By cutting off access to those tools, attackers canΒ maintainΒ control longer and move through connected systems with less resistance.Β
What to watch for:Β
Browser extensions youΒ donβtΒ remember installingΒ
Add-ons claiming to manage HR, payroll, or internal business accessΒ
Missing or inaccessible security settings on accountsΒ
Being logged into accounts you did not recently openΒ
A quick safety check:Β Take a few minutes to review your browser extensions. Remove anything unfamiliar or unnecessary, especially tools tied to work platforms. Extensions have deep access to your browser, which means they deserve the same scrutiny as any other software you install.Β
BeΒ skepticalΒ of βhelpfulβ tools.Β Browser extensions, workplace add-ons, and productivity tools can have deep access to your accounts. Only install what you truly need and remove anything unfamiliar.Β
Treat calls and prompts with caution.Β Unexpected login requests, MFA approvals, or βIT supportβ outreach are common entry points for social engineering. If youΒ didnβtΒ initiateΒ it, pause and verify.Β
Review app and browser permissions.Β Take a few minutes to check what apps and extensions can access your location, accounts, and data.Β Small changesΒ here can significantly reduce risk.Β
Protect your logins first.Β Use strong, unique passwords and enable two-factor authentication on email and work-related accounts. If attackers get your email, they can resetΒ almost everythingΒ else.Β McAfeeβs Password ManagerΒ can help you create and store unique passwords forΒ all ofΒ your accounts.Β Β
Expect follow-upΒ scamsΒ after headlines.Β When breaches or policy changes make the news, scammers often follow with phishing messages that reference them. ExtraΒ skepticismΒ in the days and weeks after aΒ story breaksΒ can prevent bigger problems later.Β
The post This Week in Scams: Dating App Breaches, TikTok Data, Grubhub Extortion appeared first on McAfee Blog.
Hello!
My name is Bogdan Mihai, I'm 21 yr old from Romania , I am a cybersecurity researcher and I'm new to this group. I don't know how many BGP experts are here, but I have a question for them if there are any. I recently invented something a little more abstract for BGP security, and I'm almost sure that there is nothing similar.
I wasn't inspired by anything when I created this, it was a purely random idea that came to my mind. I'm not even an expert in this field, but from the beginning I saw security from a different angle than the others.
I made a tool that basically builds a map of risk areas globally, areas where if someone were to try a hijacking attack, that attack would be successful. This idea came to me when I realized that BGP security is still a big problem.
RPKI adoption is still slow. And the problem is that today's security in BGP is more reactive, it comes into play only after the attack is detected and damage is done.
So I leave you here the link to the zenodo site where I posted my invention. https://zenodo.org/records/18421580 DOI:https://doi.org/10.5281/zenodo.18421580
What I ask of you, and extremely important, is not to analyze every file there, but at least the product overview to understand the idea and tell me who this would be useful to, which company or organization. I know that maybe not everything is perfect there , and maybe there are mistakes I'm no expert, but I want to know if this idea really has value.
I'm very confused and sad because I worked on this but I don't know who it would be of value to or if it even has any value. I appreciate every opinion.
Ivanti has patched two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product that are already being exploited, continuing a grim run of January security incidents for enterprise IT vendors.β¦
Thousands more Oregonians will soon receive data breach letters in the continued fallout from the TriZetto data breach, in which someone hacked the insurance verification provider and gained access to its healthcare provider customers across multiple US states.β¦
Java developers still struggle to secure containers, with nearly half (48 percent) saying they'd rather delegate security to providers of hardened containers than worry about making their own container security decisions.β¦
Writeup on a defensive technique for constraining LLM agent database access:
Interested in feedback on the threat model. Code is open source.
opinion Maybe everything is all about timing, like the time (this week) America's lead cyber-defense agency sounded the alarm on insider threats after it came to light that its senior official uploaded sensitive documents to ChatGPT.β¦
Posted by Andrey Stoykov on Jan 29
# Exploit Title: Elgg - Username EnumerationPosted by Andrey Stoykov on Jan 29
# Exploit Title: Elgg - Lack of Password ComplexityPosted by Andrey Stoykov on Jan 29
Hi. I would like to publish my paper for exploiting XAMPP installations.Posted by Karol WrΓ³tniak on Jan 29
SummaryI built a small service to track newly published CVEs and send email alerts based on vendor, product, and severity.
It started as an internal tool and is now running in production and usable.
Feedback welcome.
