Rami McCarthy (@ramimacisabird)'s Twitter Profile
Rami McCarthy

@ramimacisabird

security, for the internet, at @wiz_io!
opinionated about security.
(he/him) @[email protected], bsky=ramimac.me

ID: 1138180991556698112

Link: http://ramimac.me | Joined: 10-06-2019 20:27:49

865 Tweets

1.1K Followers

723 Following

haya14busa (@__haya14busa__):

We've completed our investigation and remediation for reviewdog regarding the recent incident—impact limited to the v1 tag. Investigation into the upstream cause is ongoing. Details: github.com/reviewdog/revi…

Rami McCarthy (@ramimacisabird):

New update from はや(・ε・)ぶさ on the tj-actions supply chain attack: github.com/reviewdog/revi…
* reviewdog contrib. hit via another repo
* that compromise used a compromised account to invite a temporary malicious account, and a gato-x secret dump payload
... more to come

Wiz (@wiz_io):

🎙️ New #CryingOutCloud episode! 🚨 Amitai Cohen 🎗️🤟 & Eden Naftali chat with Nir Ohfeld on #IngressNightmare — an unauth RCE in NGINX Ingress Controller. Listen now: 🎧open.spotify.com/episode/0G1Mml… 🍏 podcasts.apple.com/us/podcast/ing…

Rami McCarthy (@ramimacisabird):

Amazing timing from John publishing this research on Secrets in GitHub Actions Workflow Logs, including a cool exploit of a 2s exposure window against CodeQL praetorian.com/blog/codeqleak…

Rami McCarthy (@ramimacisabird):

📝 Everything you need to know about MCP security synthesized
Covering local and remote servers, and clients
Today's options, and tomorrow's possibilities
wiz.io/blog/mcp-secur…

Rami McCarthy (@ramimacisabird):

In light of recent GitHub Actions incidents (Ultralytics, tj-actions...), I wrote up a practical guide to hardening for Wiz
Covers permissions, secrets, 3rd-party Actions, ++
Use it to avoid learning these lessons the hard way: wiz.io/blog/github-ac…

Rami McCarthy (@ramimacisabird):

⏪There is a lot more to be said about the tj-actions incident. Here's a little sample of five previously unpublished details:

Scott Piper (@0xdabbad00):

Since fwd:cloudsec's first year in 2020, 11 of 51 sponsors (22%) have been acquired. 2 of 18 of this year's US sponsors were acquired in the 3 months since they were selected. I don't know if it's causation, but sponsoring fwd:cloudsec seems to be correlated with good things. 🤔

Rami McCarthy (@ramimacisabird):

Big fan of Chris Norman and Ziyad Edher's BSidesSF talk! Admission Control for Dependencies is an underrated and under-discussed tool in supply chain security: youtube.com/watch?v=fCaQOP…

Scott Piper (@0xdabbad00):

My keynote from BSidesSLC is up! This is a lessons learned from my mistakes and a behind the scenes look at how and why I did some things with regard to trying to get things fixed both inside and outside of a company. youtube.com/watch?v=SXiwyR…

Rami McCarthy (@ramimacisabird):

> We've set up a web endpoint so vetted ... security researchers can submit suspected exposed credentials for review
> To report exposed Google Cloud credentials, please contact [email protected]

cloud.google.com/blog/products/… really buried a lede!

Rami McCarthy (@ramimacisabird):

Another tidbit from this research: A "fun" side effect of GitHub and popular secrets scanners western-centricity - China's AI Tigers are overrepresented in secrets leakage