Heya @steipete.me can you do something about malicious skills in your ClawHub registry? Last night, one user published 200 malicious skills. I am tracking a dozen threat actors all publishing multiple malicious skills into this registry, and I've emailed you about all of them, but got crickets back
Some of the most popular packages on the OpenClaw official registry ClawHub are malicious
@openclaw-x.bsky.social
Touche.
Ooooohh, this looks legit!
Another day, and another @hacker0x01.bsky.social "researcher" ganking people's AWS keys in a public NPM package (plugin-senna). ๐คฆโโ๏ธ
Bug bounty peeps, yo
As an Australian, my heart hurts today.
Promotion for Absolute AppSec episode with Paul McCarty, taking place today Dec 2 at 12 Noon Eastern time. The show livestream link is provided here: https://www.youtube.com/watch?v=UM4Fq6Q_Qpg
We have a special episode of @absoluteappsec.bsky.social today with Paul McCarty @6mile.githax.com who will help us make sense of the last few weeks of npm news. So join Paul @sethlaw.bsky.social and @cktricky.bsky.social at 12 Noon ET here: www.youtube.com/watch?v=UM4F...
We knew it was coming, and now it's here: Dynamic payloads have been found in @npmjs.bsky.social packages.
Ouch. ๐ฆ
Noice! I think this is the first time my work has been covered by @bleepingcomputer.com
I'm on @thehackernews.bsky.social again
I've identified a new worm affecting NPM. I'm calling it "IndonesianFoods" based on its internal dictionary. The intent is to generate assets on the Tea Protocol blockchain.
It's dumb, but it's MASSIVE!
Check the link ๐
sourcecodered.com/indonesianfo...
@npmjs.bsky.social @github.com
I suspect a lot of full time BB peeps are doing the same
I like the one-two combo you got going there picklerick
Don't let AI write your payloads for you if you don't know what you're doing. Otherwise, you might end up publishing your API keys, environment variables, and identity to @npmjs.bsky.social
Want to sniff out private bug bounty programs? If you monitor OSV for new malicious packages, you'll get some great intel. Today's example: @npmjs.bsky.social user Paastha published 6 packages targeting @vercel.com. But wait, they don't have a BB program?! Or do they.... ๐ฎ๐ฅ
Tell me that @v0.dev has a bug bounty program without telling me they have a bug bounty program.
#dependencyconfusion #maliciouspackage
Heya homie, that ain't gonna work.
Yes, thanks for follow up
I need to talk to someone in the @reversinglabs.com detection team.
Anyone in my network got an intro?
I gave a talk at the FIRST CTI conference in Berlin earlier this year. Here's my presentation in its entirety.
www.youtube.com/live/j23OubE...
Thanks mate! Great post pulling the thread.
Impressed withย the Tenable One CSPM demo at the #Tenable #BlackHat booth. Blends vulnerability scanning with cloud security + ASPM features via IaC scanning and Git integrations. Worth checking if you're comparing cloud security solutions:ย bit.ly/4mbhg3eย #BlackHat2025 #CloudSec
See me at 11 am today on the #DEFCON Creator State 4 (room 228). I'm super excited for this, and a big "thank you!" to the #AdversaryVillage team!
#hackersummercamp @github.com
Yeah mate, iโll be there all week.
AI has written its first malicious package! I found an NPM package named @kodane/patch-manager that deploys a well-written persistent JavaScript crypto drainer.
Here's the thing: I'm pretty sure Claude wrote it!
Check out my post: getsafety.com/blog-posts/t...
@anthropic.com @npmjs.bsky.social
The apocalypse is upon us!
