2/ i wrote a short-ish "note" over on The Blogging Site That Shall Not Be Named in an attempt to explain to the less technologically sophisticated people in the audience what just happened with the #nx / #npm supply chain attack.

* my simplified explanation: https://substack.com/profile/96801203-michel-de-cryptadamus/note/c-149738571
* for the trve heads with opinions on things like linux distros and the Rust programming language, Wiz wrote a much more thorough explanation: https://www.wiz.io/blog/s1ngularity-supply-chain-attack

#crypto #cryptocurrency #nodejs #node #threatintel #northkorea #lazarusgroup #DPRK #hackers #hacking #ethereum #claude #gemini

Japanese authorities have issued a joint advisory about Salt Typhoon, a Chinese government-backed hacker group, in a document prepared by the United States and signed by 13 countries including the U.K. and Canada. https://www.japantimes.co.jp/news/2025/08/28/japan/crime-legal/china-hacker-group-warning/?utm_medium=Social&utm_source=mastodon #japan #crimelegal #cybersecurity #hacking #japanesepolice

everyone calm down, the enormous #NPM supply chain attack of the incredibly popular (27,000 #github stars) #nx #AI build tool thingamajig is probably aimed solely at crypto bros. if you don't have any crypto you (hopefully) don't have anything to worry about.

my fact free, completely unsupported by evidence hunch is that we will find this came from #NorthKorea (because if it's a well orchestrated attempt to steal a bunch of crypto it's pretty much always north korea).

https://universeodon.com/@cryptadamist/115102035321832152

#crypto #cryptocurrency #ethereum #npm #nodejs #node #js #javascript #webdev #DPRK #LazarusGroup #cybersecurity #infosec #threatintel #claude #gemini

there's another reason why i hate gemini other than it just being AI: whenever it (randomly!!) opens on my phone it turns off my headphones. It doesn't stop the video or play a different sound, it doesn't simply disconnect the bluetooth, it somehow TURNS OFF my headphones.

whenever gemini does this i need to put the earbuds back in the case and take them out again. how is this a thing

@ErikUden
I wonder if gemini is why my ear buds are now randomly going to my phone when I'm using them with my computer. #bluetooth #technology #bugs #PixelBugs #hacking

🍔 Found huge security flaws in McDonald's - crew members could access sites reserved for corporate employees with internal functions, API keys exposed, and more. Had to call their HQ and pretend to know people just to report it 🤦

Technical details:

  • Design Hub: Used to be a client-side password; registration endpoint exists and works even though they don't want signups
  • TRT portal: Crew accounts could enumerate/impersonate all employees from general manager to CEO
  • GRS panel: Complete authentication bypass, arbitrary HTML injection
  • Magicbell API keys/secrets exposed in client-side JS
  • Algolia indexes listable with user PII
  • CosMc's: Server-side validation missing for coupon redemption

They fixed it but fired my friend who helped find the OAuth vulnerabilities.

Full Technical Writeup: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities

#infosec #bugbounty #responsibledisclosure #security #cybersecurity #hacking #vulnerability