Supply chain attacks exploit the trust relationships in software development ecosystems: attackers compromise legitimate tools and repositories to inject malicious code that appears authentic. In the Bitwarden case, attackers exploited a compromised GitHub Action in the Checkmarx security tool's CI/CD pipeline to distribute malware disguised as the legitimate Bitwarden CLI password manager. The attack demonstrates how trusted development infrastructure can be leveraged to compromise software that developers trust, which makes detection and prevention particularly challenging. The attack chain involved stealing developer credentials (GitHub tokens, npm tokens, SSH keys, cloud credentials) and using them to propagate the malware further, creating a cascading threat that affects the entire software supply chain.
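One detection point the attack chain above leaves behind is the package manifest itself: the malicious build kept the legitimate name and metadata but redirected the `bin` entry and added an install-time script so that npm would run a loader instead of the real CLI. The audit below is an added example, not code from Bitwarden, Checkmarx, Socket or JFrog: it compares a package.json against a trusted allowlist of bin targets and flags any lifecycle hook. The package name `example-cli`, the path `build/cli.js` and both sample manifests are constructed for illustration; the tampered one mirrors the redirect-to-loader pattern described on this page.

```python
"""Audit an npm package.json for the redirect-to-loader tampering pattern.

Added example: the expected bin paths and the two sample manifests below are
constructed for illustration and are not taken from any real package.
"""
import json

# Scripts under these keys run automatically during `npm install`, so any of
# them appearing in a package that never shipped one is a red flag.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _normalize(path):
    """Treat './build/cli.js' and 'build/cli.js' as the same target."""
    return path[2:] if path.startswith("./") else path


def audit_manifest(manifest, expected_bin):
    """Return a list of findings for one parsed package.json.

    expected_bin maps each command name to the entry file a trusted copy of
    the package is known to ship; an empty result means the manifest matches.
    """
    findings = []

    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(
                f"lifecycle hook '{hook}' runs at install time: {scripts[hook]!r}"
            )

    bin_field = manifest.get("bin") or {}
    if isinstance(bin_field, str):
        # npm shorthand: "bin": "./file" means the command is the package name.
        bin_field = {manifest.get("name", ""): bin_field}

    for cmd, expected in expected_bin.items():
        actual = bin_field.get(cmd)
        if actual is None:
            findings.append(f"bin entry '{cmd}' is missing")
        elif _normalize(actual) != _normalize(expected):
            findings.append(
                f"bin entry '{cmd}' redirected: expected {expected!r}, got {actual!r}"
            )

    for cmd in sorted(set(bin_field) - set(expected_bin)):
        findings.append(f"unexpected bin entry '{cmd}' -> {bin_field[cmd]!r}")

    return findings


def audit_manifest_text(text, expected_bin):
    """Convenience wrapper for the raw JSON text of a package.json."""
    return audit_manifest(json.loads(text), expected_bin)


# Constructed allowlist: what the trusted release of the hypothetical
# `example-cli` package ships for its one command.
EXPECTED_BIN = {"example-cli": "./build/cli.js"}

# Constructed clean manifest: name, version and bin all as expected.
CLEAN_MANIFEST = {
    "name": "example-cli",
    "version": "1.0.0",
    "bin": {"example-cli": "./build/cli.js"},
    "scripts": {"build": "tsc -p tsconfig.json"},
}

# Constructed tampered manifest modeled on the pattern described above:
# metadata unchanged, but bin points at a loader and a preinstall hook runs it.
TAMPERED_MANIFEST = {
    "name": "example-cli",
    "version": "1.0.1",
    "bin": {"example-cli": "loader-setup.js"},
    "scripts": {"build": "tsc -p tsconfig.json", "preinstall": "node loader-setup.js"},
}

if __name__ == "__main__":
    for label, manifest in (("clean", CLEAN_MANIFEST), ("tampered", TAMPERED_MANIFEST)):
        findings = audit_manifest(manifest, EXPECTED_BIN)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The allowlist has to come from a copy you already trust (a pinned, previously reviewed release), not from the package under test; the check is only as good as that reference. Run it against the `package.json` pulled out of a tarball with `npm pack` before the artifact is promoted into a build image.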
Hacker and AI news - let's do it.
Good morning.
What's up everybody? How you doing?
Killyte, let's do the dang thing.
Who saw Bitwarden get hacked?
We got to love when a password manager command line interface suffers a supply chain attack. That's not absolutely terrifying.
I don't use Bitwarden, but I know a lot of people that do, and I know a lot of people who recommend that you do. So, uh, this one's a bit scary.
Just a bit scary.
How's everyone doing this morning? Is anyone else terrified by that?
Just me? Just me?
Check it out.
We can talk about it. Bitwarden CLI.
So, this is the same group. I think it's like the TeamPCP group. This is the same supply chain group that's been just like wreaking havoc everywhere.
Let's find the TeamPCP stuff. Sorry I started streaming a little late. I uh got caught up talking to a bunch of people.
Excuse me. Excuse me. Oh, I'm a loud sneezer. Really good for live stream being a loud sneezer. Um, so, uh, I was at a coffee shop this morning after school drop off with some of the other parents and we're just yapping and, um, but a bunch of them are small business owners, so it's really like addicting, um, talking entrepreneur stuff. But, um, TeamPCP, who I'm trying to see, they have like a Twitter account, which is just kind of crazy.
Um, where where is their tweet? I can't find it. Okay, so TeamPCP, the same group that did the like all the crazy supply chain breaches a few weeks ago of npm, um, they got into Checkmarx, which was part of the original breach. So, I h I actually haven't dug into the details of this yet. I just got like terrified.
Oh, of course I have the old Budweiser commercial in my head when I say that.
Waz, I am a product of the 90s. I uh yeah that's yeah I'm don't quote the old magic to me I was there when it was written. Um anyone in chat use Bitwarden so this is one of the uh one of the reasons that people recommend this is it's like an open-source password manager. So the reason I don't necessarily recommend it to a lot of people is a lot of people that uh wind up taking advice from me either are normies or they pass my advice along to normies and the burden of you running Bitwarden is you need to control and secure all your own like vaults and backups because it is open source, right? That's why a lot of people use it is because they don't want to use like the cloud versions of things, which I get, right? You saw the LastPass breach. It was kind of crazy.
Um, but I don't know, man. I just don't think the onus of uh doing everything you have to do to do Bitwarden right is legitimate advice for a lot of people.
All right, so let's see. Socket had the Checkmarx supply chain breach. This was Oh jeez, that was also this week. So Checkmarx artifacts found in official KICS Docker repo and code extensions. So I saw this and I was like, yeah, okay.
Checkmarx was part of the supply chain stuff a few weeks ago, right? Do you just pronounce this kicks? I don't really know what this acronym actually is offhand.
Um, is that am I dumb? Does everyone else know what that acronym means?
Checkmarx, KICS. Oh, is this their security scanner? Is this just like my unfamiliarity with uh Checkmarx? Oh, okay, great. This is their Twitter account. I was trying to find their Twitter account uh while I was getting news ready and I was like failing to remember what their actual handle was.
Oh, they just got suspended.
They were tweeting about this this morning. That's why I couldn't find them. Their account got nuked.
All right, let's We got to make sure to be tweeting about this. People People follow me for a reason.
Uh All right. in my major everyone follow the cyber security expert for his sound analysis. So what did I tweet?
Uh password manager breached. Bad bad bad. Okay, great. Everyone everyone here for the the expert hour on uh on this stuff.
All right, so TeamPCP is is taking credit. Am I on the Checkmarx one? I am we're gonna go we're gonna go one deep. So the Checkmarx stuff was hacked. It wound up in the official Docker image. The affected package version is this Bitwarden CLI. The malicious code was published in this .js file. A file included in the package contents. The attack appears to have leveraged a compromised GitHub action.
This is what all of these supply chain attacks have done right in Bitwarden CI/CD pipeline. Consistent with the pattern seen across all the other repos.
So, Bitwarden's CLI builds were affected. The compromise follows the same GitHub uh supply chain action as the rest of the campaign, not just Checkmarx. Um, this was the same stuff uh two weeks ago. Ongoing investigation Socket blah blah blah. Oh my god, that's it. That's the whole post. Have I not?
That's it. It's just Hey yo, Bitwarden.
Bitwarden popped. What am I missing?
Let's go. Let's go Twitter diving.
There's got to be more details than that.
No, there's not. Okay, let's read the let's read the Checkmarx stuff then.
This this is the root cause of this issue.
So, Docker alerted Socket. So, Socket didn't even find this one. Two malicious images pushed to the official Checkmarx KICS uh Docker Hub repo after internal monitoring flags suspicious activity around the KICS image tags. Our investigation found the attacker appears to have overwritten existing tags 2.1.20 and Alpine while introducing a new 2.1.21 tag that does not correspond to a legitimate upstream release.
So the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the illegitimate version. This is where this [ __ ] just gets super nasty, right? Because like you're not like installing some random malware. You're just version bumping something that you use legitimately that has turned into malware. This is like I made a YouTube video about this a bit ago of like there's a really interesting and hard problem to solve that like legitimate pieces of software that you use could just turn into malware eventually. So even if you do like everything right and like approve stuff and review stuff before things get installed at your enterprise.
Uh specifically we keep seeing this in extensions, right? So uh browser extensions and IDE extensions are completely legitimate. do the thing that they say they do as advertised for a very long time and then all of a sudden they're like actually this is malware now. And that's incredibly hard to catch. Incredibly hard to catch.
Morning, Bill. And this is just part of that, right? So it's like and Checkmarx is a security tool. How do they upload the binary onto the company's legit servers? No, it's GitHub.
So, they compromise the GitHub action, put malicious code into the GitHub repo, and because they've compromised the GitHub, they can cut a new release. So, it's not the company's servers.
So, you're if you're just like tagged to Checkmarx latest and your build process goes and grabs the latest version of Checkmarx, it just starts pulling malware from Checkmarx.
Right. Which is just insane. So, let's go into let's go into this because this this goes way deeper than the than the Bitwarden one does originally. Wait, wait. JFrog has some. Yeah, here we go.
JFrog research. Oh, did Socket not identify this? Usually Socket's the one who finds it. JFrog might have found this one. Maybe that's why they've got the more stuff.
Uh, the package keeps the expected Bitwarden metadata but rewrites both the pre-install and the BW binary entry to a custom loader BW setup.js instead of the legitimate bundled CSI uh CLI.
The loader downloads bun from GitHub if it's not already present and then launches a large obfuscated JavaScript payload. Once deobfuscated, that payload reveals a broad credential theft operation focused on developer workstation and CI environments, GitHub and npm tokens, SSH material, shell history. Yeah. Yeah. Yeah. So, this is like the MO of everything that we're seeing, right? Is get the malware on and then credential harvest specifically developer environments because that's what like that's the box that you're on, right? Because of your attack avenue, you're getting pulled onto developer boxes, right? Because like of course you're you're compromising GitHub actions and and like you're compromising software that developers use. So go ahead and steal a bunch of [ __ ] that developers have like their GitHub and npm tokens. And then once you steal npm tokens and GitHub tokens, guess what? You figure out what packages and repos they maintain and you push your malware to those and then it turns into a worm. This is what we're dealing with for weeks now. Weeks, SSH, shell history, and then all the cloud accounts.
So then what can you get if you grab AWS tokens off of a developer thing, right?
Sensitive info. You could probably push crypto miners and all of this due to a weak GitHub actions vulnerability. It's not even really a vulnerability. It's just like the way that you have this set up.
Does the uh does that determination to see where to go next include human review or is it automated?
On the attacker's side, it's a really like I don't know if we know enough.
I think at speed they probably can tell what they got right if they find an npm token like so they are running things like Truffle um let's see uh yeah here so they're running TruffleHog which is a legitimate piece of security software I was a customer of it in a past life I know the founder he's he's good people um but Truffle is really good at finding secrets and leaked creds in uh code, right? So, this is what I ran it for is like, oh, just make sure we're not pushing API keys to GitHub. So, we like forked Truffle at Reddit. We had like Truffle or something. We like we call we call out things different things, right? So, we forked it and we like messed with their detections to specifically find our secrets on a higher accuracy, right? Um, but what but Truffle is really good at finding all these different tokens uh and like all sorts of stuff.
Uh, and so if you run Truffle, it's going to spit out like, oh, here's your GitHub token. And and it's good at like identifying them and knowing what they are, right? So it's like, go ahead and scan a repo for stuff. And then it's really good at telling you like, "Oh, this is an npm token." Like it can identify the different types of tokens because they all usually have like a few little like bits of identifiers, uh, you know, identifiers about like what makes that token look like that, right? Like Stripe tokens start with like sk_ for like secret key and Stripe and and things like this, right?
Regex on steroids is exactly what it is, right? It's just like very very targeted uh regex on steroids for sure, right? But uh I mean they've built a whole company around this, right? That can like plug into Jira and Slack and all sorts of stuff and and it's really good. But the the hackers have started using this to like specifically find secrets. And so they'll get in and and Truffle will run and be automated at finding the tokens.
Whether their tooling then is like smart enough to be like, "Oh, I found an npm token. Let's automatically do a bunch of other things for that npm repo." I don't think we know enough about the attackers tooling yet, right? I would assume they've got a lot of automation there because they're fast and they're being successful, right?
And so I would assume there's some automation, right? But there's probably some human bits and bobs too of like, well, what npm package did we just get access to and how should we then go about compromising them?
So, you know, I don't know if it's like full off the rails automated worm that can just propagate through npm without the TeamPCP doing like doing stuff, right? Um, but let's let's keep reading what this attack does. The payload uses two exfiltration channels. Primary path encrypted telemetry to check marks.cx.
Okay. If that fails, it falls back to GitHub by retrieving a staged personal access token and fallback routing data from public commit messages and creates a new repo under the victim's account and uploads encrypted result blobs there. Okay. So, if it can't exfiltrate to their [ __ ] since they own your GitHub account, right, they can retrieve well since they're like stealing a bunch of information, they could grab your GitHub personal access tokens, right? If you use GitHub via the CLI or anything, you've generated these, right? You've generated these tokens to like give to your CLI.
And then and then instead of exfiltrating to their thing, they own the GitHub account and they're like, "Oh, uh, we're just going to create a repo under this victim's account, which we don't have to worry about like exfiltration to some thing getting blocked because it this is the GitHub account that we have." And then upload encrypted blobs of secrets to the victim's own GitHub account and then they can just grab it from there. Right? This combination of secret because you got it off the developer machine, you got it on GitHub encrypted, so it's not going to like flag GitHub secret scanners and then the combination of secret theft, GitHub abuse, and cloud secret harvesting makes the package significantly more dangerous than commodity npm stealers. It's wild. The primary exfiltration infrastructure on this fake Checkmarx domain serves POST requests, HTTPS POST requests that are encrypted receiver for stolen data resolves to this IP. This was resolved during analysis and during tied to package primary exfiltration chain. The fallback infrastructure on GitHub. The payload hardcodes uh this for uh the token staging um and is used as supporting check.
Yeah, we got this right. Okay. So the package delivery, the malicious package keeps the legitimate Bitwarden branding and repository metadata, but it changes the package execution path so that npm runs a malicious loader. This is the new malicious thing that it adds to it. The embedded metadata inside the legitimate bundle still points to the Bitwarden CLI confirming the package route was altered independently of the compiled application payload. This is nasty.
The loader this Bitwarden setup.js first checks whether bun is installed.
If not, downloads it, extracts the runtime into current directory, makes an executable where needed and then runs this Bitwarden 1.js.
Okay, the runtime bootstrap is used as a useful evasion mechanism. It lets the threat actor ship a payload that does not depend on the victim already having bun installed while also moving execution away from the expected Node.js only code path.
All right.
Then they do all the data collection.
The shell collector explicitly runs uh GitHub auth token, captures the environment variables, and then scans the serialized result for the GitHub and npm token patterns. Let's see.
So this uh GitHub token, oh, so this is just regexing on the GitHub and npm tokens.
Okay.
And then if those tokens exist, encode them and pipe them out. Makes sense, right? So this is just this is not even Truffle. It's just it's not even regex on steroids. It's just regex.
Then the file system collector targets a crossplatform set of developer files.
The most relevant decoded hotspots are listed below.
So they're not even using truffle in this case. Some of the other npm attackers definitely were.
Um so in this case the attacker just is going specifically for those with regex and then it goes into the file system and starts looking for all of this stuff, right? SSH material, git config, npm creds, environment variables, bash history, shell history, AWS creds, Google Cloud creds, AI and MCP related configs like cloud JSON cloud MCP because a lot of people configure MCP with secrets hardcoded into these JSONs.
What's Kuro?
I'm not familiar with Kira off the top of my head. The targeting is uh unusually specific. That's what I was going to say. So the the benefit of truffle is that you don't have to be specific, right? It's just go truffle find secrets, right? And then it's going to say I think this is a secret. So this is this is like a finite list of things that it's going after, right? It's like GitHub and npm tokens, period. And then this list of like 10 things.
In addition to the standard developer secrets, the malware also hunts for AI tools. Yeah, we said that already.
GitHub abuse. The payload does more than just steal GitHub tokens. It actively weaponizes them. How?
Validates the stolen thing. Commit search. So if the commit search succeeds, it's valid.
Domain discovery via signed commits. If the primary exfiltration domain fails, it searches GitHub commits for messages beginning with beautiful castle. It verifies them with an embedded RSA public key and recovers it and then repo based exfiltration. Oh, so we already covered this. They're just Oh, they're just like showing you how. Okay.
Once a valid token is available, the malware can use uh abuse GitHub actions.
Enumerates repos the token can write to.
So it spreads through whatever the uh GitHub account that initially it compromised could access to. Downloads resulting artifacts, deletes the branch and workflow run and then exfiltration just sucks the secrets back home.
Infection vector assessment. package.json advertises Bitwarden CLI and then grabs uh this this uh this is the fake one, the BW setup. Immediate containment: uninstall CLI, cache clean force, config set.
Man, this is a good blog post.
Review and rotate likely exposed secrets.
Revoke all tokens that could have been stolen.
And here's the IOCs. Fantastic.
Fantastic.
Oh no, Zach. This is too funny. Zack, too real. Too real. Zack, JavaScript developers trying to understand the Bitwarden compromise.
What is Bitwarden? Bitwarden is an open source password manager. What's a password manager? Oh, too real. Too real.
Isn't the change to the .exe path a red flag that could be detected? Yeah, a lot of this behavior stuff can be detected.
It's like, are is anyone doing that sort of like behavior detection in their supply chain stuff? No.
You know what I mean? Oh my god. I didn't even like look in a mirror today.
I just like put my camera full screen and I was like, "Oh geez, Matt, you just kind of rocked on in here and turned the camera on, didn't you?"
Hair and makeup.
Hair and makeup.
Someone Someone come make me look like a normal human being. All right. Well, that's the big news of the day because holy [ __ ] that's going to have ripple effects, right?
I want to know some stats on how much that got downloaded before it got caught, right? Because like npm can catch that and delist the package. But if that got downloaded by a number of people and their password manager vault got stolen and yeah, remember to hydrate. Yeah, that was a protein shake. I got these like cans of protein shakes in my in my office fridge.
This has been my breakfast. I don't really do breakfast, but these things, these like nori shakes, they're like the macros are so good.
They're like not filled with a bunch of nonsense. Like you get a lot of these protein shakes that are just like filled with a bunch of [ __ ] And this is like one sugar, two fat, one sugar, two and a half fat, 30 protein.
Like that's sick versus a lot of like the protein bars and stuff out there.
So there you go. That's my breakfast. Um and yeah, I went to a better coffee shop this morning.
My wife does a lot of like she's on boards of a lot of nonprofits and stuff and so they were they did a fundraiser um that I had to get all gussied up for.
God, I feel so out of place amongst the rich people dressed nice. This is like my natural habitat.
Like black hoodie and shorts or jeans.
you like stick me in a suit amongst a bunch of wealthy people bidding on charity auction items and I'm like, "Oh god, what am I doing here?"
Um, anyway, we had like a they had like a meeting this morning about some fundraiser that they recently did and I was like, I'm going to sit over here and drink my coffee on this other corner. And I was talking to one of the other parents who also is a small business owner.
Um, that's like I've talked to you guys about this. It's like one of my favorite parts about living in uh Austin is just like you just kind of bump into people like that a lot. So, we were just jamming about some like cool [ __ ] she's doing to expand her business and some ideas that I had with my AI community I've talked to you guys about.
Can you customize GitHub protocols to mitigate stuff like this? Yeah. Yeah.
Yeah. Um, yes, there is like there are things you can do in your GitHub actions pipeline to make them not susceptible to these attacks.
Um, let's get let's like crowdsource this.
Uh, because wh no um wait, let's go. Let's make sure I'm not tweeting Zach.
Uh, what are the GitHub?
Uh, what's the GitHub foot gun everyone seems to be tripping over that makes their GitHub actions vulnerable to these attacks going wild the last few weeks?
How are we telling people to avoid this stuff?
I think there's a few answers to this. I have a few answers, but Jay says, "Hi." He has a Q1 presentation.
What up, Jerry? Oh, Jay, my other I have a few Jay friends you're talking about.
I think you work with one of the my other streamer homies, right? Or like hangs out in the stream. The one day in 90 he has to actually work. Yeah. Yeah.
You guys [ __ ] talk each other, right?
That's awesome. Um, we're going to crowdsource this because I think there's a few answers to the GitHub stuff and my brain is not bringing bringing them to memory. The J stands for J. Well, everyone's called me Matt Jay forever because there's always another Matt. You know, if you're born in the 80s, you went to school with 17 [ __ ] Matts. And so, I've been Matt Jay my whole life. And so, there we go.
Homer Simpson.
What's up, Jerry?
So, today's not one of the days in 90 that you have to work. It's Jay's turn to actually do some work today.
But you're good. You're marked safe from having to work today. That's good, dude. I've been trying to drag my buddy Pedum into stream. He he works in the office next to me and uh he's in security and he's like AI obsessed. I've been trying to drag him to stream for days now and uh he's been working his ass off. Like he showed me the screenshot the other day. He was on like a 9 and a half hour Zoom bridge. like they're trying to like get some [ __ ] out the door like all hands on deck just like ship this thing that they're working on and I'm like brutal brutal.
Um what else do we want to chat about? I got like less stuff than yesterday queued up so we can kind of have a chill stream or we can just like headline surf.
Um, or we can watch some videos or we can do Q&A or I can write my damn newsletter.
Of course.
I am very uh I'm very easily manipulated today, but there's less of you in here than usual.
Am I into crypto? No. No. I don't own any crypto. Crypto meant cryptography in my brain for years. Then it got co-opted. I fought that forever. Kind of like I fought cyber. I I used to we used to hate the term cyber security by the way in this industry. Cyber and cyber security was like laughed at. We all called it infosec and data security, information security, whatever. We hated the term cyber security and we just kind of gave up.
We're just like, "All right, fine.
Cyber, you win. And then cryptography, same thing.
Crypto meant cryptography. I had like a sticker on my laptop that said that.
Cyberdouchery was Liquidmatrix. That was uh I don't know if that was Jamie or Dave that came up with it, but that was Jamie or Dave for sure. We had a whole section of our podcast called Cyberdouchery and it was just the cybers and it was just us making fun of like mainstream media talking about it. Yeah, I think it was Jamie.
But crypto I've now given up as well.
Crypto and cyber the terms have gotten away from us.
We cannot control the narrative.
Um, all right.
I think I'm going to call it. I think, you know, you know how I've been saying the help desk thing is like number one priority for everybody? If you like don't have an answer to help desk phishing you're uh you should not focus on anything else just like phishing in general you should solve but specifically the help desk stuff. I think if you are a maintainer of any sort of GitHub repo or any sort of npm package this is actually your top priority.
It's like stop everything and solve it.
make sure that you do not become the next supply chain entry point for an attack.
I asked if you see if you think about blockchain would help the GitHub issues validation ledger that would uh for push pull calls. Well, GitHub is already an immutable ledger. Like you can't delete anything off GitHub like not not doable. Let's pull up that Truffle Security GitHub delete. Let's see if I can find that.
This was a while ago. This was like research that that um I remember Dylan put, right? And his like whole thing is like there just isn't a such thing as like getting off of like if you're in a git chain on a repo, like delete doesn't do anything.
And so a lot of people will like try to remove stuff from their commit history because they'll like accidentally push push stuff. It like doesn't happen.
No, they had this isn't it. This is them putting it in their uh their product, but they had some research.
Yeah. Yeah. This This is it. Here. Check this out.
So, uh, I mean this this is like it's already the I mean it might as well be blockchain, right?
You can access data from deleted forks, deleted repos, and even private repos on GitHub. And it's available forever. This is like intentionally designed by GitHub.
So accessing deleted fork data data. You fork a public repo. You commit code to your fork. You delete your fork, right?
You're like, "Whoops, delete it." Is the code you committed to the fork still accessible? It shouldn't be. You deleted it. And it is. It's accessible forever out of your control.
>> Let's see.
>> This is a demo on how you access data from deleted forks on GitHub. We're going to create a fork of the repository OpenAI cookbook. We're going to make one new commit that's adding a file named secrets.py. This is to simulate hard- coding some type of secret data into a commit on a fork. We're going to commit that.
Double check that it actually committed.
Yes, we can see that it did. We can see all the commit details there. The name as well as a top secret data file. We're now going to delete our fork.
It's deleted. It doesn't exist anymore.
We're going to go to our original repository, which is OpenAI's OpenAI cookbook.
We're then going to go grab the commit data from our commit. If we refresh it, we'll see that at 404. It no longer exists. I left that open. So, we'd have that data. So, we have the hash, the commit, what's up, port, add that to the Open AI cookbook, and we see that that data is still available, >> right? A lot of people didn't realize this. Like a lot of people think that you can like force over this stuff and you cannot. Like they published this research in 24. I like I still don't think this is common knowledge.
You might think you're protected by needing to know the commit hash. You're not. The hash is discoverable. So how can we find data? pretty often. We surveyed a few commonly forked public repos from a large AI company and easily found 40 valid API keys from deleted forks.
Fork the repo. Hardcode an API key into an example file. Do work. Delete the fork.
You have a public repo on GitHub. A user forks your repo. You commit data after they fork it and they never sync their fork with your updates. You delete the entire repo.
Is the code you committed after they forked your repo still accessible? Yes.
GitHub stores repos and forks in a repository network with the original upstream repo acting as a root node.
When a public upstream repo that has been forked is deleted, GitHub reassigns the root node role to one of the downstream forks. However, all of the commits from the upstream repo still exist and are still accessible via any fork.
It's kind of wild, right? So, in the in the video, we create a repo, fork it, show how data not synced with the fork can still be accessed by the fork after the original repo is deleted.
This unfolded last week. I submitted a P1 vulnerability to a major tech company showing that they accidentally committed a private key for an employee's GitHub account that had significant access to their entire GitHub or they immediately deleted the repository, but since it had been forked, I could still access the commit containing the sensitive data via a fork despite the fork never syncing the original upstream repository. Isn't that nuts? So basically the the the point that Truffle is making here is if you ever commit a secret to GitHub, you have to rotate that secret.
You cannot erase it from GitHub.
A lot of people think that their solve is like, "Oh, we we'll just like, oh, whoops. We'll get that off of GitHub."
It's like, no, that is forever accessible if it touched GitHub.
I know the internet nothing deleted.
This isn't like that, right?
Diagram this out, please. Okay, they're going to show more more examples.
Consider this a common workflow for open sourcing a new tool on GitHub. So, it gets worse. We're going to get all the way to the end. We'll diagram it out.
You create a private repo. So, not even a public one. Okay, hold on. You want Here's the diagram, by the way.
Right. So, upstream repo. You're a public repo that gets forked.
You commit stuff that the forks never even sync.
You delete your repo. GitHub assigns upstream repo status to one of the forks.
You could still access these commits to that deleted repo even if they were never synced by the fork.
Okay.
So like in this example down below, it's like, oh, I'm big company. I commit private key. Whoops. I committed private key.
Delete.
Doesn't matter. The repo was forked. The commits are accessible. Like you could still find that key somewhere in GitHub even though it's not like publicly linked anywhere.
Okay, it gets worse. So that so far we've only been talking about public repos.
So you can create a private repo that will eventually be made public.
This is like a super common pattern, right? Like I'm going to like make a tool. I'm eventually going to open source it, right? Isn't there a way back machine for GitHub? I mean, it's kind of what we're talking about. You can just access all the commit stuff in the commit tree even like not on the website, right?
You create a private repo. you maybe you're going to make this public, right?
You create private internal version of that repo via forking and then you commit additional code for features that you're not making public yet.
You make your upstream repo public, but you keep your fork private. This is like a very common thing, right? I'm making new tool. I'm gonna make internal version of new tool and then make the new tool part public as I work on new features on the internal version of new tool which is a fork of the upstream. Right? Are your private features and related code visible to the public? Yes.
Wild. Any code committed between the time you created an internal fork of your tool and when you open source the tool, those commits are accessible to the public repo. Any commits made to your private fork after you made the upstream repo public are not viewable.
That's because changing the visibility of private upstream repos results in two repository networks. One for the private version and one for the public version.
We demonstrate how organizations open source new tools while maintaining private internal forks and then show how someone could access commit data from the private internal version via the public one.
This workflow is one of the most common approaches users and orgs take when developing open source software. As a result, it's possible that confidential data and secrets are inadvertently being exposed in organizations' GitHub repos.
So how do you actually access the data?
No wonder our prod CTO is always on five cups of coffee wearing yesterday's clothes. Yad.
Yoded.
All right, I got answers to my GitHub actions question. So, we have answers on how to protect against this.
How do you actually access the data?
By directly accessing the commit.
Destructive actions in GitHub repo networks like the three scenarios mentioned above remove references to the commit data from the standard GitHub UI.
However, this data still exists and is accessible if you know the commit hash.
This is the tie-in between CFOR and IDOR vulnerabilities. If you know the commit hash, you can directly access that data that's not intended for you.
Commit hashes are SHA-1 values. If a user knows the SHA-1 commit hash of a particular commit they want to see, they can directly navigate to that commit endpoint. They'll see a yellow banner explaining "this commit does not belong to any branch in this repo and may belong to a fork outside this repo."
Basically, it's like we know that this is orphaned and like floating in the middle of nowhere, right? So that you get this warning, but you can still uh go to it.
Where do you get these hash values?
Commit hashes can be brute forced through GitHub's UI, particularly because the git protocol permits the use of short SHA-1 values. So you see up here: 1, 2, 3, 4, 5 characters, and it worked: 7BC0B. But this is the full thing. For example, consider this commit in TruffleHog's repo. To access this commit, users typically visit the URL containing the full SHA-1 value, but users don't need the entire 32 character SHA-1 value. They only need to correctly guess the short SHA-1 version, which is 07F01E, the first, what, six characters. What's even more interesting: GitHub exposes a public events API endpoint. You can also query for commit hashes in the events archive, which is managed by a third party and saves all GitHub events for the past decade outside of GitHub. So you can get the commit hash. GitHub's like, "Yeah, this is by design.
As long as one fork exists, any commit to that repo network, upstream or downstream, will exist forever."
This further cements our view that the only way to securely remediate a leaked key on public GitHub is through key rotation. This is like their whole thing. And they even have this site, How to Rotate. What a great site. How to Rotate. Here's your how to rotate.
I'm going to tweet this.
Hey, thank you.
Why does it show me who gifted the subscription? I just see who got gifted the subscription.
Well, thank you.
So you have to have a parallel repo and one is private. No, it's just if a public repo was ever forked, public, private, blah blah blah blah blah, like you uh you have to rotate the key like if if you leak Should I grab like a screenshot?
Yeah.
Here you go. Look at me being a good citizen of the community. Everyone go fix your stuff.
Kilobyte gifted. Thanks, man. Running errands today, but lurking. I have found that more of you listen to streams while like walking around stores in your AirPod than I ever thought was like a thing.
I've not been live stream maxing. You guys are live stream maxing. AirPod live streams while walking around Sam's Club while doing stuff. Correct me if I'm wrong: "people whose fork got promoted to root node had no say... sorry, their GitHub is now the access point for a dead repo's full commit history including whatever sensit". Yeah, yeah, yeah, yeah. So like, if you're a fork, you don't even know, nor do you really care, that the GitHub commit thing is now treating you as the authoritative upstream if the original repo got deleted. Doesn't really matter to you. You have a fork. You're just doing things on your fork.
Even private. Where are those exabytes being stored?
Yeah, I mean it's just text. Like it's just text commit tree history stuff.
I'll pull up some of the videos. One sec.
They are unknowingly hosting someone.
Not really. Like, this is all just github.com, right? So you just click the fork button in GitHub, and now in your GitHub account you have a copy, but a copy that's tied to the original repo because you forked it. Then you're going to work on yours, which does not affect the upstream. The thing that they're talking about is, say the upstream person then deleted the repo after [ __ ] it up and leaking some secrets to it. You can still get to it, because your fork existing keeps the whole commit tree alive on GitHub.
They don't have to go to your repo to find that stuff. You know what I mean? It's just like, okay, hold on.
I'll pull up more videos. This is really confusing.
How about we just don't hardcode secrets, dude? Yeah, sure. Everyone every day is pushing API keys to GitHub accidentally.
Okay. Everyone every day live stream listening in your car had no say to truncate. Yeah. Yeah.
Yeah. Sam's Club under 100 bucks. You guys are you guys are crazy. Okay, let's pull up Let's pull up this thing.
They've got um they've got videos here.
We're going to watch some of these videos.
All right, you guys can see this video.
This is a demo on how you access data from private repositories on GitHub.
First, we're going to go ahead and create a new repository named new tool.
Again, this will be private. That's critical. And we're going to add a readme file.
Then, as is common in open source development workflows, we're going to create an internal-only private fork of this tool. The idea being there might be features that we want to keep private to our organization that we're not going to make public for the whole world to see.
So now we have this private fork called internal new tool. We're going to add a file called feature.py to simulate adding some type of feature that again is meant to only be private to us internally. And we can see that commit.
>> Create feature.py is the name of the commit.
>> And you can see it's in our internal version of the tool. Now we're going to go ahead go back to our new tool. This is the private repository that we're going to make public which we're doing right now. We're opening this public.
This is simulating open >> we're open sourcing this. It doesn't have that feature that we've developed internally, >> right? So like both both repos are private currently with the intention to make one publicly eventually, but we're going to have an internal version. Either the internal version one is where we're going to like try new features or there are actually internal only features that we ever only want internal, right? which both of those things are very common.
So now we're going to open source the other thing >> sourcing a new project >> and we can verify that this repository is now public. It says new tool is public >> doesn't have that feature >> to our internal version.
>> We can click and see that yes, it is still the private internal version of that tool. We're going to copy the commit details, the SHA-1 hash of that feature.py commit, and we'll see >> see what he did. It's hard because the pause screen got in the way, but like he took the SHA-1 hash from the feature in the private repo, just put it in the URL of the now public repo, and GitHub honored it even though it doesn't belong to any branch on that repo and may belong to a fork. But the way that git commit chains work >> that it made it into the public repository >> is that you can get to it from there.
working UPS. Are you driving?
That'd be kind of crazy.
That'd be kind of crazy.
Using secrets in GitHub Actions seems like a good GitHub feature. All right.
Yeah, let's go through that. I got some answers to my question.
Um, hold on. I got some answers to my tweet.
Tweet, tweet, tweet.
Let's pull it up. All right. So, you guys asked like, "Hey, what are the GitHub uh listen with AirPod deliver packages?"
Dude, that's sick. I feel like I'm like riding shotgun.
These Amazon Prime people cannot be stopped, nor will they stop their side hustles.
What up, Brandon? Other Brandon. I got double Brandon again as as per usual.
Dude, GitHub seems like a bad idea right now. Tomorrow is deadline on opting out of them, training on your private repos.
Oh, yeah. We're I mean, we're [ __ ] We're [ __ ] on training on all everything. Everyone's training on all of our behaviors, our our data, everything. All right. All right. I got I got some uh uh I got some responses.
So, Ramy is awesome. Ramy, I don't know.
Sorry if I'm saying your name wrong, Ramy, but uh you're uh you're epic.
How to harden GitHub actions. Seems important, doesn't it? Literally came out this week. Build resilient GitHub action workflows so you don't [ __ ] do this [ __ ] that team PCP keeps uh going into. Okay. All right. This is just setting up the problem which we on this stream are all familiar with because I can't stop talking about it.
Um, GitHub has responded since our original guide. The platform has shipped SHA pinning enforcement, immutable releases, and changes to pull request target behavior. More is coming in their 2026 road map, which includes workflow lock files and a centralized execution path. This is great, because literally what I've been saying is that the true responsible party for all of these supply chain issues is GitHub.
This is what I've been saying. I'm like, this is up to GitHub to solve. Like, we can't educate our way out of this one.
Like, we're not going to be like, "Hey, developers, stop getting malware."
Like, it's not going to happen, right?
Like, I mean, I if if so, we would have been out of jobs long ago. So, the only thing that would work, and I've been saying this forever, is that these platforms need to solve it, right? So um that means GitHub and npm need to solve this.
So I'm glad to see that GitHub is doing other stuff, right? This is really on them.
All right. We've updated the guide to reflect what's changed, what's been learned, and what you could do. It now complements GitHub's first-party guidance and aims to serve as a practical cheat sheet for the landscape. All right, GitHub Actions essential terminology.
We want to go through this, right, chat? I mean, I think this is useful. 59% of popular public GitHub repos use at least one GitHub Actions workflow.
Yeah. Yeah. It's like the way to use GitHub now.
Everyone's doing this. It's important to establish. So, GitHub actions are a suite of automation features within GitHub that let you automate tasks in your software development life cycle.
Actions can be used to build, test, deploy. Yeah. Yeah. It's like CI/CD maxing. I don't know. Sorry. I apologize. Millennial trying to use words.

Um, workflow: a collection of automated tasks defined in a YAML file that runs in response to specific events within your GitHub repo. Think of it as a script that automates a series of actions. Got it?

An action is a reusable unit of automation that can be referenced and executed within workflows. These can be created by you or pulled from the marketplace and are essentially optional building blocks of workflows. You can think of actions like functions in a programming language: small self-contained tasks that are reusable across workflows. Got it?

Events: the trigger that starts a workflow. Common events include code pushes, pull request creations, or manual triggers. So you guys get this, right? So like someone opens a PR in your repo, or there's a new push to the main branch, or an issue gets opened or whatever. And if, okay, PR opened, workflow starts, right? Then workflow starts. Maybe you have a series of actions every time a PR gets opened: you have an action that scans that code for secrets with TruffleHog, and then runs some security scan against it, and then just sees if they commented what the [ __ ] it does. And if not, it'll be like, "Hey, this code includes no comments and we require comments," you know, just like whatever, just random [ __ ] that you could just automate as part of every pull request that gets opened.

Um, job: a unit of work within a workflow. Workflows can contain multiple jobs, and each job can run tasks, which are actions. Jobs in a workflow can run in parallel or sequentially depending on how they're configured. A job is a minimal unit of execution scheduled on a runner.
All right, so job and action are kind of different because a job can contain many actions.
Got it. Got it. Got it. Got it. Got it.
This is good for me even to go through. I've used these things, but it's good to suss out the terminology as we go through here, right? Five repositories with workflows use... Oh, see, excuse me.
Excuse me. You made me look stupid because in your first graph, the number was the start of the sentence. 59% of popular repos. So, I thought the number was going to be the start of the sentence for every graphic that looked exactly like this, but it's not. It's not five repositories. Repositories with workflows use a median of five workflows.
Gosh, don't they know that people are going to read this stuff live on camera and make fools of themselves? I'm just [ __ ] with you guys. All right, configuring GitHub for safer GitHub Actions. This is the bread and butter of what we wanted to talk about. So, how do you stop shooting yourself in the foot with GitHub Actions? You don't become the next Checkmarx/Bitwarden.
Securing GitHub Actions starts with hardening your GitHub environment, of course, right? So, the GitHub org and your GitHub account are key here. Set read-only default workflow permissions. By default, the workflow token permissions were set to read-write prior to February 2023. For security reasons, it's crucial that they are read-only. Write permissions allow workflows to inadvertently or maliciously modify the repo and its data, making least privilege crucial. So, it sounds like if you have old workflows, you got to go check this, but it's now the default.
Double check to ensure the permission is set to read only.
All right.
Um, the majority of repo workflows have the worst default combination of permissions: allow approvals of PRs and able to write contents. Okay, so even though this default hasn't existed for 3 years, the majority of repos on GitHub have the worst set of permissions, which is being able to approve PRs and being able to write to [ __ ] So if you can hijack this, that means you can open a PR and get it to write [ __ ] Bad, bad, bad, bad, bad, bad. Right. Limit actions to verified actions and an allow list. So this is super important, super important. This is one of the main ways they're taking advantage of this stuff right now. So one of the key security measures is to control which actions can run within your workflows.
You can restrict workflows to only use verified actions from trusted sources.
Good, good, good. Actions created by GitHub: these are actions maintained and supported by GitHub itself. Or actions from marketplace verified creators: actions from verified creators in the GitHub marketplace are more trustworthy; they've undergone some level of review. You can then use an allow list of specific other trusted or reviewed actions to extend permitted sources. Since August 2025, not that long ago, this policy supports two additional controls. SHA pinning, which causes workflows using unpinned actions to fail, not just warn. That's awesome.
And action blocking via prefix. Oh, via a bang prefix. Bang.
!compromised-org/action, to rapidly block specific actions during incidents. Huge. Huge. Because during incident response, you used to have to go bull in a China shop on your repo to respond to this stuff, and now you can be a little bit more surgical. It's just like, hey, we have the IOC, there's some compromised [ __ ] going on. We're responding to the incident. We don't need to go nuclear. Just block that damn compromised action.
Great.
Great ability govern workflow. Does everyone understand step one and step two?
Class is in session. Class, we're securing our GitHubs. I mean, some of you are driving UPS trucks, but we're securing our GitHubs.
Attend hut. Step one and step two. Makes sense to me, right? Read-only permission.
Got it. Don't let it like approve. Don't let workflows approve PRs and and write.
Step two, make sure that actions are from verified sources.
Makes sense, right?
Kilobyte salutes.
Got it.
Uh, all right. Govern workflow adoption and restrict runners to specific repos.
Okay. So, this is granular permissioning. What's going on, right?
To tighten security, use a repo allow list to control where workflows can be adopted and restrict self-hosted runners to specific repos.
The state of security report says which actions are permitted all on all repos is 80%. Which is exactly what they're saying is bad, right?
What is pinning enforcement in step two?
Let's see.
Where does it say that?
Oh, this, the SHA pinning enforcement which causes workflows using unpinned actions to fail. You wanna... let's go into that. It's a great question. It's a new feature from GitHub. GitHub Actions policy now supports blocking and SHA pinning, right? So, we could say allow enterprise and select non-enterprise actions and reusable workflows.
Okay. And then we can allow actions created by GitHub or marketplace ones.
You can block certain ones, allow or block. So bang means block and no bang means allow. So we're going to allow docker and octo-org, but we're going to bang octo-org/blocked.
Okay. And then they have another checkbox: require actions to be pinned to the full-length commit SHA. What this is doing is making sure that if an allowed source, so you're allowing this whole repo above, right? You're allowing a whole... what, I just poked chat and it went... um, you're allowing a whole repo with these permissions. And at this point, you're like, actually, we're not going to allow that whole repo. We're just going to allow specific full-length commit SHA hashes from that repo.
So even if that repo gets owned, the attacker would have to upload a new commit with malicious instructions and that would not pass the SHA pinning.
Right?
So GitHub recommends that workflows pin dependency versions to a specific commit SHA. This will prevent malicious code added to a new or updated branch from being automatically used.
Yeah, totally. Well, actually, it doesn't have to be part of that cross-fork thing, right? Say you allow docker/*.
You're like, I'm going to allow all actions from the Docker official repo to run on my repo, right? No, I can't. Restream is just dumb and breaks constantly. Just so happened lightning struck when I pointed out. So, say you allow docker/*. You're allowing all actions from the Docker repo to run in your [ __ ] with that one line of code, right? Say Docker gets hacked, some Docker maintainer gets hacked.
The attack path of Docker's GitHub repo getting hacked is they need to put new malicious [ __ ] into the Docker repo that gets pulled by people who allowed it in their thing.
This is another layer, because even if Docker gets hacked and the attacker pushes malicious code to Docker, that will be on a new commit with a new SHA hash.
So if you haven't pinned the specific SHA hash from Docker, allow the new bad malicious code in the Docker repo, which was previously good, will fail.
You can enforce the use of SHA pinning through the allowed actions policy. A new checkbox appeared under the thing.
Let's see if this is a little bit better. This is the docs.
Pinning an action to a full length is the only way to use an action as an immutable release. So you're like, I'm good with that action, not all actions from that repo, right?
Oh, I need to make a plugin where I just like strike a pose and chat like flutters or like lightning strikes chat.
That'd be cool.
Uh, pinning to a particular SHA helps mitigate the risk of a bad actor adding a back door to the action's repo. Makes sense?
Which is kind of what's going on right now, right? Like this is what's going on is like these repos are getting popped.
Malicious code gets added to them. We all trust that repo because it was Checkmarx or Bitwarden, and we're good with it, and we're just pulling code down from this trusted organization. Well, that org is getting popped, and then we're just, you know, siphoning off the nonsense.
So this is saying instead of just allowing an action from a from GitHub or just allowing action from their marketplace verified people or just allowing actions from an allow list, you can get you're like each one of these is a step down in what you're allowing. So but they're saying that 80% of people just allow everything.
80% of people are just like, "Yeah, allow all all actions workflows are permitted on all repos is what 80% of people do." And what they're saying is, "We're giving you the tools to say, well, don't just allow all from all, right? Star, we're going to limit each one of these is lower and lower and lower." So, we can limit the actions to GitHub. Cool.
Then, well, it's not lower and lower.
GitHub is one subset of actions. Then marketplace is a bigger subset of actions, right? So you're adding stuff that you're allowing to.
Allow list is much more granular. So instead of just all GitHub, all marketplace, which you could do, you could do all three of these. You could say GitHub, marketplace, and an allow list, which might not be part of the other two. And then instead of just allowing repos, you could be like, actually, we're not going to allow repos. We're going to allow a specific release from that repo by SHA pinning. All right, I think I've rehashed it enough, but it is kind of confusing.
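A small audit script, added here as an example and not part of the stream or of the guides it reads from, that applies the controls discussed above to a constructed workflow file: it flags `uses:` references that are not pinned to a full-length commit SHA, flags write permissions, and evaluates each action against an allow list that uses the `!` block prefix. The allow-list matching semantics (a matching `!` entry wins, a trailing `*` matches a prefix), the scope names checked, and the sample workflow are this example's own assumptions, not GitHub's documented behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A full-length commit SHA is 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref` (optionally quoted, optionally followed by a comment).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$")
SCOPE_LINE = re.compile(r"^\s+([a-z-]+):\s*write\s*(#.*)?$")
# Permission scopes a workflow can grant; used to avoid matching unrelated keys.
PERMISSION_SCOPES = {
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str    # "unpinned" | "blocked" | "not-allowed" | "write-permission"
    detail: str


def split_uses(ref: str) -> Optional[Tuple[str, str]]:
    """'owner/repo[/path]@version' -> (action, version). Local and docker:// steps are skipped."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    action, _, version = ref.partition("@")
    return action, version


def is_full_sha(version: str) -> bool:
    return bool(FULL_SHA.match(version))


def _matches(pattern: str, action: str) -> bool:
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return action == pattern or action.startswith(pattern + "/")


def action_allowed(action: str, policy: List[str]) -> str:
    """Assumed allow-list semantics: a matching '!' entry blocks regardless of allow entries;
    otherwise the action must match some allow entry. Returns 'allowed', 'blocked' or 'not-allowed'."""
    blocks = [p[1:] for p in policy if p.startswith("!")]
    allows = [p for p in policy if not p.startswith("!")]
    if any(_matches(b, action) for b in blocks):
        return "blocked"
    if any(_matches(a, action) for a in allows):
        return "allowed"
    return "not-allowed"


def audit_workflow(text: str, policy: List[str], require_pinning: bool = True) -> List[Finding]:
    """Line-oriented scan of a workflow file (no YAML parser needed for these two checks)."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if WRITE_ALL.match(line):
            findings.append(Finding(n, "write-permission", "permissions: write-all"))
            continue
        scope = SCOPE_LINE.match(line)
        if scope and scope.group(1) in PERMISSION_SCOPES:
            findings.append(Finding(n, "write-permission", f"{scope.group(1)}: write"))
            continue
        uses = USES_LINE.match(line)
        if not uses:
            continue
        parsed = split_uses(uses.group(1))
        if parsed is None:
            continue
        action, version = parsed
        verdict = action_allowed(action, policy)
        if verdict != "allowed":
            findings.append(Finding(n, verdict, f"{action}@{version}"))
        if require_pinning and not is_full_sha(version):
            findings.append(Finding(n, "unpinned", f"{action}@{version or '<none>'}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed policy and workflow for the demo; the SHA below is a made-up placeholder.
POLICY = ["actions/*", "docker/*", "octo-org/*", "!octo-org/blocked"]
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: write
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: docker/build-push-action@main
      - uses: octo-org/blocked@v1
      - uses: some-other-org/tool@v2
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, POLICY):
        print(f"line {f.line:>3}  {f.kind:<17} {f.detail}")
    print(summarize(audit_workflow(SAMPLE_WORKFLOW, POLICY)))
```

On the constructed workflow only the SHA-pinned `actions/setup-node` step passes both checks; the local `./` step is ignored because it is not fetched from another repo.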
Um, it sounds like 80% don't have billing. I mean, dude, this is everything. Have you ever run MFA?
Like if you if you work in an org and you run and you have MFA uh as an option for your users, have you ever have you ever run the stats of how many of your users have MFA turned on?
Embarrassingly little. Like nobody [ __ ] cares.
Nobody cares. Like, you know, we're just toiling away over here in security and everyone's like, "Just let me log into my [ __ ] Oh my god, I just almost auto-clicked an OBS update." OBS just like... Why would OBS pop up an update while you're live streaming? Shouldn't it know that?
Shouldn't it know? Shouldn't it know that? Like, I'm currently live streaming. Don't give me a button that's about to [ __ ] restart OBS.
If you use GitLab, they have CI/CD components that does the same thing.
Okay, cool.
GitLab's usually a bit behind GitHub on like public security features. Not much behind, but behind.
Could be crit. No, it's just some [ __ ] There's nothing in OBS. It's crit. This is like the worst software I use on a daily basis.
Sorry, this Bit Warden thing is like live happening. So, I'm I'm seeing a lot of updates pop up. So, I'm just trying to make sure Uh, Twitter communities or lists for updates or news? Uh, it doesn't matter.
They just announced they're deprecating communities.
I don't really use them, but uh, Twitter just announced that they're getting rid of communities.
It's like a hot topic today on Twitter is the head of product guy there is like railing on people who are like no don't take my communities.
What is the hacking group asking for?
Team PCP. Are they even asking for anything?
I don't even think they're asking for anything. I think they're just like in it for the love of the game.
Guys, I have drank too much coffee and water today. Unfortunately, we're gonna have to do chair stream. I'm gonna play a video for chair stream and go to the bathroom. What video you guys want to watch? I feel like I'm a teacher leaving the class. All right, class. We're going to put on a little tape.
Thanks for subscribing.
>> All right, we're going to watch Low Level about hacking PDFs. Sorry, we're switching topics so I can go to the bathroom. and lowlevel. Low level, if you're here lurking, you're gonna No, he's not. He's in Miami. Low level is gonna babysit stream for a minute. Okay, everyone behave for the substitute teacher while I go recycle some coffee.
Um, I usually don't do this, man. I'm usually like NFL red zone. What bathroom break? I'm powering through. This is the first bathroom break I've taken during stream all week.
Um, all right. Can you guys hear it? And then, uh, I'll be right back.
The early 2000s, a simpler time where you could download Linkin Park Numb.mp3.exe from Limewire and give your family computer a disease that I will not name here on YouTube. Computers have come a long way since then, and it used to be back in the day that you could click on a link or open a website and that in itself would own your computer. Now, it has not been that way for a long time, but the vulnerability today is kind of reminiscent of a simpler time, back when computers could be owned by going to a bad website or opening a bad file.
Hackers exploiting an Acrobat Reader zero-day flaw since September. An article about a vulnerability that has been seen in the wild in the way that Adobe Reader parses PDFs, and in particular the JavaScript engine in Adobe PDFs. I'm going to be completely honest, I didn't even know that you could run JavaScript in a PDF. I think that's a feature that no one really wants, that no one asked for. It's kind of like how if you go to Notepad right now and you open it, you'll notice you have Copilot here at the right. Again, a feature that no one wanted or asked for, and I think it just adds an unnecessary attack surface to a piece of software. Now, that being said, Adobe PDFs are meant to be a little more pretty. You got to have some animations in there, maybe. So, maybe JavaScript is necessary. But, as a shock to nobody, the ability to run JavaScript in a PDF is what caused the bug today. The research I'm going over today, by the way, is by this guy, Haifei Li. I'm sorry if I mispronounced your name, man, but go check their work out. Obviously, I'll link their blog in the description below. But he runs an entire platform for literally just detecting malware that is doing a sandbox escape. So, if you're not aware, Adobe Acrobat is a software that obviously has a variety of issues. One of the good things that it does is the internal JavaScript runs in a sandbox. A sandbox is literally just a software way to prevent code from doing certain things. You don't have access to all the APIs, all the files. You can only do a restricted set of things. Now attackers, obviously, when they're given a sandboxed environment, are looking for ways to escape out of the sandbox.
They're called sandbox escape exploits.
Now his system EXPMON, that monitors, I guess, software that is trying to do sandbox escapes, or software that can have sandbox escapes, like Adobe for example, detected this one sample that uses a very, very novel fingerprinting technique to eventually pull down the exploit that pops Adobe. So you'll notice here, if you're not really aware of how PDFs work, PDFs are just a series of text objects that are concatenated together. Some of them are compressed by gzip and some are just in plain text. And so here you'll see one of the streams that is just a bunch of obfuscated JavaScript that, if you deobfuscate it, turns into this little tidbit here: app.t equals blah blah blah blah blah, effectively base64-decode the value in a button, the button being the field button one. Okay. So you can see here this is the base64 data that was seen on that button. If you then look at that base64 decoded, you very quickly see this is a bit of obfuscated JavaScript. This is JavaScript that was obfuscated in a way so that you, the reader, can't initially see what's going on here. This is a very common way that threat actors hide the functionality of malicious JavaScript.
They put it through some kind of obfuscation run that has a bunch of different misdirection and bad variable names, so that it's basically impossible to read in its current form. Now, just like any code that runs locally, right, even though it is obfuscated, at the end of the day it does have some underlying functionality, which you can use to reverse engineer the intent and use that to give more meaning to the code, to replace these labels, these bad variable names, and make it make sense. So Haifei used AI here a little bit, which again I think is a good use of AI if you have something local that you want.
>> Is this cool? I haven't watched this video yet. I should have Oh man I should have put a video I've have seen.
Is this cool?
We're hacking PDFs again. Is this the uh Acrobat zero day?
Is that what we're talking about? I'm not going to rewind it and make you guys watch this [ __ ] again, but just kind of automate and quickly iterate on AI is a great way to do that.
And so they found that the malware is actually doing something really novel.
So like any good sandbox, right, it does not make sense to give the contents of inside a sandbox access to the internet, right? It's the same reason why in the JavaScript environment in your browser, you can't do arbitrary socket data. You can't do arbitrary network requests, right? You can do like a fetch. You can do like an HTTP request, but you cannot do arbitrary execution of "open UDP port 6969," right? Because that would give an attacker that runs bad code on your browser access to your network, which is not a good time. It's an intentional sandbox design. And similarly, for a long time, there were no real ways to run network code inside of the Adobe PDF sandbox until this was found. So apparently, and I didn't even realize that RSS was still even a thing, you can use the RSS engine in Adobe to arbitrarily run requests. So you can use the RSS feed functionality to call out to some other server where apparently this threat actor had more code waiting.
And so inside the actual code that does the call, you can see a bunch of really interesting stuff. It's collecting the language of the PDF reader, the viewer type, the viewer version, the platform that they're on, the amount of active documents open, and also this one little function called get prod version string, which does a very unique way of actually fingerprinting the exact version of Windows. So you'll look at this piece of code here, the get product version string function. Literally all it's doing is it's using a privileged sandbox function, which I'm not sure why this function exists, util read file into stream. It's able to arbitrarily read ntdll.dll, which is a core DLL that like all programs use on Windows. And what it does is it searches for this exact string of hex inside that DLL which precedes the version of ntdll, which is a direct indicator of what version of Windows you're on. So it looks for this string and says, okay, right next to it is going to be our version of Windows, and it takes that offset, converts it to a proper integer, so we go from a string to an int, and then it sends that off to the server. All of that data is used to return an encrypted blob, and that blob is additional JavaScript that gets run by the reader. One thing that really scares me about the world of AI is not what the AI tells you but what people are telling the AI, and that's why today's video is sponsored by Island. Island puts control of AI in your enterprise directly into They're also a sponsor of me.
>> Thank you for sponsoring the video. Back to the video. Now, this is the inherent problem when you're doing research on like exploit servers, right? So, what's happening here is that this is literally just being used as a loader to shoot off to a server and tell us, hey, can you deliver the payload that exploits this version of the thing? This is a very common threat actor tactic, right? And so, the problem is when you get a sample like this, it's very hard to reproduce a functionality that will get the actor to give you the payload, right? The reason why they do this entire system is so that if there's some really weird exploit that gives you either RCE or complete escape out of a sandbox, they don't want you, the person potentially looking at the malware, to have it, right? All they want is to fingerprint you and then send you down the version if they think that you're not watching.
And so the researcher, they tried to reproduce this and they couldn't get the server to send the exploit back.
Obviously, it's a very common tactic, but using their own kind of mockup network of the system, they were able to use their own server to send back JavaScript that gets run inside Adobe Reader. So, they were able to prove, okay, if I were this attacker, I could send back down another blob of JavaScript and run it. Now, here's the problem. There is an active sandbox escape vulnerability that is in the wild being exploited. We know this because on April, >> yeah, we talked about this the other day, right? I was like I tweeted it. I was like, what [ __ ] year is it? I mean when I like when I first started in security this was the wave after wave after wave after wave. We actually like used to do studies about how expensive it was for Adobe to uh fix zero days based on disclosure and we were calling it like there was like public disclosure, private disclosure and then like me and like a few people that I was working with in the valley at the time.
We were calling it like painful disclosure cuz like they would publish stats about how expensive it was for them to run an incident on a zero day. So, like if you privately disclosed a bug to Adobe, it cost X amount of dollars to uh fix it, right?
Because they could like do all their normal release cycle [ __ ] whatever. If you publicly disclosed an Adobe Zero Day, it cost them like exponentially more. It was like tens of thousands of dollars to like millions of dollars, right? Or like over a million dollars to like close a bug, uh, you know, close a zero day. And we were like, "Oh, they're like painful disclosure in Adobe." these people like it was just constant. So it wasn't like oh look at all of these Adobe bugs that were publicly disclosing. It was like oh look at this one and then like you know because they talked about it or at least the security people knew. It's like oh that just cost them millions of dollars of like internal [ __ ] and then they'd release another one millions of dollars internal [ __ ] Then they release another one right and so like I mean it was just wave after wave after wave. So that's why like if you were around in security in like the I don't know as early 2010s it was just because it was like Adobe Reader Internet Explorer combo was just bad internet man and it was [ __ ] everywhere. That's why like you still get security people are like, "Oh, you sent me a PDF. There's no way I'm opening that even though it's like you can open a PDF nowadays, right?" But like, yeah, of course, the Fed still that's probably why Adobe still exists, right?
I mean, that and like just subscription [ __ ] for whatever um stuff. But uh like, oh god, it was just painful painful internet days. But like I mean PDFs are it's not like oo scary PDF anymore, right? I mean this is like this is notable because it hasn't happened in a while. This Adobe reader zero day.
It's also like browsers open PDF nowadays. Like you don't need Acrobat if you're just like a human.
12th Adobe themselves published a security bulletin that said, "Hey guys, there is an active critical vulnerability that leads to arbitrary code execution. We can't tell you what it is. You probably could go patch diff and figure out what the two changes are.
I'm not trying to do a patch diff on the entirety of Adobe Reader. But basically, you know, just like any file format, right guys? PDFs are just a text-based file format that somewhere in the code is getting parsed, and just like anything, a parser can get it wrong, and in particular we are using a parser that is parsing and executing JavaScript code, which is a very common attack surface in browsers. So similarly it's an attack surface that can be exploited inside of Adobe Reader. Now obviously the nature of finding and exploiting a vulnerability in an environment like the sandbox environment or like the JavaScript sandbox environment is very complicated and so those are very closely protected, right? The actor is not going to just shoot this out at everybody. They're going to make sure that you're not watching, that you are the right fingerprint for them, uh, and that they don't just send it to you willy-nilly. Flash back to the early 2000s, we're kind of there again, right?
So, as usual, right guys, don't be just randomly opening files people send you.
This applies to Word documents that can have evil VBS macros and also PDFs, right? We are still in a world where PDFs can have malicious data that can reach out to and pull down information and then eventually exploit your browser.
We don't know the exact details of this RCE, but we have confirmed from Adobe that it exists. So, it's very careful to look out for this. Uh in this particular sample, there is this IP address here.
So, if you're in like a NOC environment, please go and like set up indicators for these. And obviously, there's a world where like there are multiple IP addresses being used for this. So, make sure you're kind of looking out for maybe these uh these patterns, right? >> would Rust fix this? Uh I don't think it was a memory vuln, was it? the RCE in in Acrobat. Rust's like big thing that it fixes is memory safety. This seems like it's more of a Oh, I see the Java the R.
Now I know what you're talking about.
The RSS feed stuff. Uh I don't know. I'm not a Rust guy, but I don't think that this particular exploit would have necessarily been like, oh, impossible in in Rust based on what I'm seeing.
That could dude could be completely accurate. Uh inaccurate. That's like that's uh not my uh on top of memory area of expertise. All right, let's go back to this. Sorry, bathroom break low-level break. Enjoy. I hope you all enjoyed the commercial break from low-level and our dive into uh just revisiting vulns of old in 2026.
you know, we felt a little nostalgic for like 2006 vulnerabilities, so we were like, let's make new ones.
Um, Microsoft deprecating C and C++ for Rust. I mean, good AI will be good. They said God damn it.
Someone's someone's like, "Hey blaming AI for the Bit Warden thing."
What does AI have to do with this? Stop blaming all hacks on AI. Stop it. I need a squirt bottle.
Stop blaming all hacks on AI.
Hey yeah, hey mythos. It's mythos. All right. Sorry.
Back from the uh back from the commercial break. So we went back, we went back over step two. We get it, right? So these are just features, but unfortunately 80% of people aren't using any of these, right? So now govern workflow adoption restrict runner. So not only can you say where actions should be able to come from restrict workflows to only use verified actions down to a SHA, right? So that's actions.
We remember that's below workflows. Uh workflows run actions, right? Now if we go to the workflow adoption, we could say uh where are your workflows coming from and then where can they run stuff on? So 80% of people say which which actions are permitted? All actions uh workflows are permitted uh on all repos 80% of people.
So like you could say selected actions workflow are permitted on selected repos. That would this is probably the sweet spot right that only 1% of people do where it's like hey only certain actions only certain repos in our in our org.
This is so they're saying to tighten the security, use a repo allow list to control where workflows can be adopted and restrict self-hosted runners to specific repos, which 0% of people do. This ensures only trusted workflows and runners are executed, reducing the risk of unauthorized access and execution. Got it? So that makes sense too, right? So this is this is about limiting actions. This is about workflows across your entire org or just on certain repos.
Got it. Got it. All right. Avoid allow GitHub actions to create and approve pull requests. This is a dangerous setting. Obviously, some people are still going to do it because that's like the use case that they're considering valuable, right? So, enable this setting.
What setting? Let's see.
Preventing GitHub actions from creating and approving pull requests. Okay. So, you could choose to allow or prevent GitHub action workflows from creating or approving pull requests. By default, when you create a new repo in your personal account, workflows are not allowed to create or approve pull requests.
If you create a new repo in an organization, the setting is inherited from what is configured in the organization settings.
Okay.
So this grants workflows. So it's off by default, but it if you turn it on, it grants workflows the ability to create and approve pull requests, which can be risky, of course. So now you're programmatically creating or approving pull requests. If you're an open source project, anyone can open a pull request.
So then you're having automation run on any pull request that gets opened on an open project. And apparently you can then have them approve them in an automated fashion, right? Ensuring this setting is deactivated to prevent workflows from making changes to pull request approvals or creating their own pull request without manual oversight.
Branch protection. Oh my god, this was I'm getting flashbacks. Branch protection was like a fight in previous lives for me.
Fight. Lot of debate about this.
Oh, the daily where's the GitHub repo link message. Do you have this on a cron?
So, everyone who's new here, this account comes in, asks for the GitHub repo link. I say what GitHub repo link.
They never respond. And this happens every day.
I'm not going to block you. You just come and ask stuff. Unless Unless you start doing any other nonsense, you can come in and ask your question every day.
I'll ask my follow-up question, "What GitHub repo link?" You won't answer.
You'll say, "So, no GitHub repo link."
And then we'll go, we'll both go up on our day. And like, yeah, whatever. I don't know what's going on. Very confused. Very confused. Uh, branch protection. In addition um to uh organization level settings, there's also repo level controls that help secure your workflows. Most importantly, branch protection and rule sets enforce rules before code can be merged, ensuring only trusted code makes it into your main and release branches. This is important because attackers often target these branches to exploit vulnerabilities in your CI/CD pipeline where automated workflows like deployments or tests can be manipulated.
However, branch protection has limitations. Malicious commit post approval is an attack that occurs when an attacker injects malicious changes after a pull request is approved, but before it's merged.
That's wild. Pull request hijacking can happen when an attacker adds harmful changes to someone else's pull request then approve it themselves.
I don't even fully understand that attack chain.
This it's just timing on like a pull request got approved but not merged and then at some point an attacker can add changes to it and then approve those changes themselves.
I don't understand.
That's probably just some really really weird uh I wouldn't call it an edge case because that downplays it, but just like a really weird attack based on timing of things like approvals. But how would they approve it themselves? GitHub offers config options to close off these attack paths. Dismiss stale pull request approvals when new commits are pushed.
So basically they're saying if any new commit is pushed to a pull request that was approved where where the approval is dismissed.
Okay.
And require an approval from someone other than the last person to push for the latter. I don't understand how they would approve their own uh bits. They'd have to be in the repo already. Yeah. Yeah. But like I don't know. I I mean I understand this config based on this description. I just am not sure I understand this attack path.
But let's look at these rule sets really quick. Anyway, you're you can require require a pull request before merging.
You you can require that all changes to the target branch are associated with the pull request. That's good. So you can't like hot commit to a specific branch like main, right? The pull request doesn't necessarily have to be approved, but it must be opened. That's the top setting, right? Then additional settings, you can have a setting that says select to dismiss stale pull request approvals when new commits are pushed and/or require approval of most recent reviewable push.
Got it. Got it. Got it. I mean, this we're in the weeds here, right? But this this is making the config is making sense. I'm not sure I really understand like when that attack would arise unless like what you're saying, Brandon, right?
Like it's uh like they're already in the repo if they can approve. It's based off a cert.
Yeah. But like how could they approve their own change, right?
One second.
Watermelon. Jay, I heard that today was one of it was your first day in the last 90 days that you had to do some work and now you're here.
Jay, what are we going to do? Someone told me, a little birdie came in chat and said that this was like the the day at this quarter that you had to do some work and now you're here bullshitting with me.
All right, we're going to run past this.
I don't quite understand this attack, but I do understand the defense and I theoretically understand what's going like what could go wrong here, right?
I'm just like trying to fully understand this last part.
Like I understand all this like like you can move a pull request into an approved state but not merge it and then changes could show up. I get that. Like hey then then dismiss the approval which should just happen by default, right? Kind of crazy. Then um it's like, hey, I did not approve this anymore because this changed. So that that makes sense. But then an attacker can add harmful changes to someone else's pull request and then approve it themselves. Feels weird, right?
They're like missing a part of the explanation there.
All right. It could be unreasonable to enable those options in agile environments where rapid merging and flexibility are prioritized.
Implementing commit signing is out of band. uh and out of band detection can provide. Yeah, this is like I have run into more friction on this kind of stuff, branch protection type stuff uh than anything else as like a security person trying to like add stuff to developers workflow. Developers do not like this bit that I'm talking about right here. They're like, "No, get out of my way."
Q1 report slide text rocks. Is GitHub still [ __ ] Yeah, we're I mean we're talking about how So my take is not that GitHub is [ __ ] it's just that GitHub has the onus to build default protections for a lot of this supply chain stuff that we're seeing.
Um and they haven't, right? And so like a lot of the stuff that we're going through is like how you protect yourself. And I'm just like as we see by state of the repos here, 80% of repos don't do anything, right?
And 80% of workflows have write access and can approve PRs. So it's like, hey, yeah, you gave people the tools to do it. 80% of them aren't using the tools that you set up to do it.
And we keep having like the internet's gonna [ __ ] break level of supply chain attacks that hinge on this [ __ ] And you can't just be like, "Well, we gave them the tools. We gave everyone the tools to not cause internetwide supply chain disasters." And it was on them. They didn't do it. They didn't do it. Unfortunately, our customers just continue to not use the tools that we make available to them. That's it. That's where our responsibility ends. And I understand it's a shared responsibility model and there are things. I'm just saying the attackers have shown their hand that this is the way that they are going to be attacking right now. And I think that the onus is on GitHub and npm to stop this. We have proven we have proven that we are not going to do like devs are not going to do it at large.
The last two parts of this supply chain attack were security companies.
Aqua Trivy and Checkmarx, whatever the [ __ ] KICS is, are security companies. If the developers at security companies aren't using these configurations, who the [ __ ] is? I'm sorry. Why? Why would I say something so honest yet so bold or whatever that meme is? So brave yet so honest. I don't know. [ __ ] I failed. I meme failed. Um here's the explanation of that vector.
Which one? The GitHub thing I'm talking about.
All right. Secrets management for GitHub actions. So secrets play a role in most actions uh attacks on GitHub actions.
They offer an opportunity for pivoting, persistence, privilege escalation. We saw this, right? GitHub access tokens, npm access tokens, stuff like this.
There are three types of secrets in GitHub. Repo, org, and environment.
Repo level secrets are specific to the repo and should be the default choice. Org level secrets are useful when you want to share secrets across multiple repos, reducing duplication, ensuring updates or rotation propagate automatically.
They work well for credentials used by general CI infrastructure like shared build tools or third-party service tokens. Environment level secrets offer granular control. These secrets are only available to jobs that reference the environment, and additional protections can be enforced with required approvals from reviewers, ensuring they are only accessible for approved workflows. This can be ideal for sensitive actions like deployment where you might want to restrict access from non-reviewed or unmerged pull requests. By default, secrets except GITHUB_TOKEN are not passed to the runner when a workflow is triggered from a fork and are not passed to GitHub actions unless explicitly passed as input or environment variables in your workflow file. However, beware: any user with write access to your repo has read access to all secrets configured in your repo.
So make sure any credentials used in workflows are safe to be exposed to that group of people, the write access group of people. Where possible, prefer short-lived creds over static secrets.
OIDC support is covered in safely running GitHub workflows.
The way I understand it is we pull down and store use locally, then update as needed through review. Some key clickers try to use open tools but we block it.
Would this stop this? Sorry. Uh brain brain didn't brain there. We pull down and store use locally. I'm guessing you mean um like a GitHub release supply chain thing. Then we update as needed through a review. Some key clickers try and use open tools but we block it. That stopped us.
So the gist is uh let's go back to the JFrog thing really quick.
So we're talking about this attack that just keeps happening, right?
So JFrog identified Bitwarden has put a malicious release out.
This was part of uh the Checkmarx attack. Where's the Socket blog?
Bitwarden CLI compromised in ongoing Checkmarx supply chain attack. So the Bitwarden CLI was compromised in the Checkmarx supply chain campaign after the attackers abused a GitHub action in Bitwarden's CI/CD pipeline.
So Bitwarden CI/CD had a Checkmarx GitHub action.
So this was all like automated CI/CD [ __ ] The attackers got into the Checkmarx [ __ ] which then let them get into the Bitwarden [ __ ] which let them cut a malicious release of this password manager that you could have automatically pulled if you're like pinned to latest or if you like updated or whatever. Right.
So the Checkmarx [ __ ], malicious Checkmarx artifacts found in official KICS Docker repo.
Okay.
The Checkmarx VS Code extension embeds a JavaScript module from an orphaned GitHub commit. This JavaScript file is executed using the Bun interpreter, supporting execution on Windows and Unix systems.
This JavaScript file functions as a standalone token stealer which uses the victim's shell, PowerShell or bash, to enumerate and exfiltrate GitHub action tokens, AWS creds, Microsoft Azure, Google Cloud, npm, SSH, environment variables and other AI fun [ __ ] So the ripple effect is Checkmarx into Bitwarden, and then Bitwarden is now uh the thing that the same attack is doing the same stuff, is doing the same data exfiltration to this fake Checkmarx domain or, you know, using GitHub as data exfil.
Jay is code clueless. All he does is ask. But what about security, man?
Make a short. You'll hype it later. All right. I do have to make a short.
You swear this browser is cursed.
Sorry. You're fighting your browser.
All right. So, we're through branch protection. We're through secrets management. Safely writing GitHub workflows. Now that we've covered your GitHub org and actions configuration, let's talk about the risks to avoid when writing GitHub workflows. Credential theft was the common thread in the most recent incidents.
Stolen secrets enabled lateral movement from compromised workflow to package registries.
Brandon says, "Basically, the attacker gets the PR approval, then pushes the malicious code before merging because it seems the approved status allows the unreviewed attack to merge."
Right? I get that part.
I get that part. I But like, okay, maybe maybe you're saying it and I'm So, I get that, right?
And a PR gets a PR gets approved. Where are we here? Right.
Malicious commits post approval is the attack that occurs right.
So an attacker injects malicious changes after the P. So the pull request is in an approved state but not but it's not merged these new malicious changes.
I'm sorry.
The pull request is in an approved state because the malicious changes didn't exist to the main branch right now, or to whatever branch the pull request is to. Now all of a sudden these malicious commits come in, but it still stays in this approved state. That I, that like, I get that one. It's this one that I don't get. That, like, this is what you just described, Brandon. I get it. So like these malicious commits inherit this approved state to the pull request.
But then this pull request hijacking can happen when an attacker adds harmful changes to someone else's pull request then approves it themselves.
So I get the approved not merged and then and then the malicious changes inherit the approved state. But these are two separate attacks that they're talking about here, right? Right. And so GitHub offers config options so you can dismiss a pull request approval if new commits show up.
So that that addresses this one and I fully understand that one.
The second one says that you require an approval from someone other than the last person to push for the latter.
So I think what this just means is this is a compromised account or something like that.
there's like a compromised GitHub account that has approval permissions on this PR adds code and then tries to approve it themselves, but they're just not saying that.
They're not saying that there's a compromised account with approved permissions.
So that's why I'm confused, because I'm like, if this is just an attacker, so an attacker adds harmful changes to someone else's pull request, how can they approve it? So that is, say you pushed good code and I have write access to, right? You have write. That, what I don't understand is why the attacker has write access to the branch. Most repos run automated tests when the PR is open, right? But that's still not what this This is this is so like what why I'm confused, right? Okay, Brandon, you're your it's your repo and you opened a pull request or it's some public repo and you've opened a pull request to it, right?
You've opened a pull request. I'm the attacker. Mattj GitHub account is bad and I'm the attacker account. I mag account has no special permission to this pull request or this repo. I'm the attacker. I'm like over here in attacker land, right? I add harmful changes to your pull request. How do I approve it myself?
Right?
Like there's a there's like another there's a piece missing from this bit that I'm just like missing.
Why would they let them change the repo?
Yeah, most repos run. If the workflow using pull_request_target includes a step to check out the PR code and runs it, you now have checked out attacker-controlled code. Yeah. Yeah. That's a whole separate attack. That's a whole separate attack. If someone is a contributor or maintainer, they'll have write access to other branches, right? But if but what I'm getting at is if I'm just like attacker dude over here with no special permissions to your repo, which should be the case, right? Most of the time anyway. I get it. Like it's probably just without saying it here. It's like at some point an account that does have permission on this repo sneaks some [ __ ] into someone else's pull request, but then they can approve it themselves. And so you could just lock that down. It's an internal attack. That's what I Yeah, I understand now. Like I kind of understand that by reading between the lines, but they're not saying that like or maybe I'm just being pedantic and I assume attacker is like over here doesn't have special permissions to the repo and that's just like a bad assumption.
Make sense?
All right, save. What's up, Roman? How you doing, bud? Did you do you know what we're talking about, Roman?
Did you see all the bit warden drama?
But also look at npm with the maintainers and contributors getting compromised lately. Yeah, that Yeah, yeah, yeah. Okay. So, okay. So, yeah. Yeah, I see what you're saying.
They have the they have the GitHub.
Okay. They have a maint Okay. Thank you, Brandon.
Oh, yeah. Roman, not not scare you.
If you're using Bit Warden, go. You're running an incident now, buddy.
Bit Warden CLI popped.
Popped. Bad, bad, bad, bad, bad, bad, bad. Go make sure you didn't pull this latest version of Bit Warden. Sorry, bud.
Sorry to laugh. Just like someone shows up in Twitch and I ruin their day.
Um, Brandon, I got it now. My brain got there. So, like GitHub maintainer maintainer loses personal access token via these supply chain attacks, but they're not like god mode on their repo.
Say, uh, Axios, right? It's not like one GitHub account is God on Axios, right? So like personal access token on Axios repo, the attacker can sneak malicious changes into another already open pull request, but and they could approve it themselves to like sneak their changes into someone else's pull request as part of like the thing.
I got there. I got there, everybody.
I got there.
GitHub just seems like a crappy place to store and collab on code. Well, it's only the biggest one.
Crappy or not, it's here. xz-utils.
So, xz-utils was slightly different, right? He didn't do that. He just contributed legitimately for months and then opened, I think he opened his own PR, right? And in the PR there was a dependency. There wasn't even malicious code in the PR. He just introduced a malicious dependency that had the bad code in it, right?
But he had developed the trust over the last couple months by actually helping as so became a contributor, right? Is there a tool I can use to see what exposure is in our environment?
Um, depends on what you mean by what exposure. I mean, Socket's got some free stuff you can kick around.
And we found out who wins between Chinese hacker and a German obsessed with efficiency. Yeah, right. He like noticed his login was like half a millisecond slower.
Uh yeah, let's put I'll put this in chat if any of you are like just It looks like viewer count just went up by quite a lot. I don't know where you all just came from, but uh and by quite a lot in Matt J terms, we're we're at kind of normal. We were quiet all morning and now we're kind of at normal. So, wherever you all just came from, there's what we're talking about.
You told your friends to join. Roman, you have friends?
What?
Yo, I get the weirdest like, "Hey, we'd like to pay for you to promote to our shit."
I have one in in my thing right now from the largest print on-demand platform in the world.
Why would you look at my account and be like, "This guy, we're gonna we're gonna pay this guy to talk about printing [ __ ] t-shirts and mugs." Baby, baby, let's do it. Let's print some t-shirts.
Send them your way.
Bots. Well, no. I mean, people are showing up chatting. There's probably I mean if I was botting you think I would stay at 25 viewers.
I got 19 of you in YouTube and six of you in Twitch.
All new needs t-shirts.
Do we like?
Should I put these online somewhere?
Boom.
Yeah, you buy one rocket. All right, I gotta put them online somewhere.
And yeah, I like my new uh I like my new bunny better than my old bunny. And so I want to make coffee mugs with my new bunny.
You'll rock vonu polo at CSA.
What's the profanities of Texas?
The profanities of Texas. Are we Are we bummed that it says Austin, Texas on it?
Austin, Texas. To be fair, I made these for a conference that came to uh came to Texas and uh I gave them out. My buddy uh my buddy is a cyber security founder, but he owns he owns one of the bars on on Sixth Street, which is like our bar district. and he uh I ran a meetup at his bar like upstairs.
We had like a private event. I catered barbecue and invited a bunch of people.
I got I got like 80 people to show up.
We had like our VNU party.
Yeah. Look, I got the sign.
This was like the the sign at uh at our event.
I can't get it on camera here.
Boom.
My buddy Sean from Miscreants. And then Brian. Sean. And then Bri. They did they did Brian dirty. He's not shorter. He's not shorter than me, but uh we did like this this little meetup.
And my one other piece of swag I printed for my team.
Kind of dark. Oh man, you can't see it at all.
Wow. Why can't you see that? Like even a little bit. Come on, focus. Damn.
This label says vulnerable you on it. It's like super dark for some reason.
Turn my flashlight off. There we go.
Look at that. Black on black.
I bought one I bought one of those bags uh and I that was my Christmas present to my team that works for me. I got them those bags and uh I filled it with like stuff that I you like that I keep in my bag. So like my my anchor like extra battery that I travel with like my big extra battery and then my uh my favorite coffee and the t and a t-shirt and I gave it I gave it to the the team. But I've got like probably 130 of those [ __ ] t-shirts in a box back there. So, I got a Yeah, I did not give away nearly as many as I thought I would at my uh at the event.
Sixth Street, where all the Twitter fights are filmed. What the [ __ ] is with that Twitter account? What camera are they using? That is the nicest footage of anything I've ever seen in my life, and it's fights on Sixth Street on Twitter. Do you guys know what I'm talking about? Like what Roman's talking about? There's this Twitter account that's like Texas Street Fights or something, and a lot of them are Sixth Street. Some of them are Deep Ellum in Dallas, but it's the party streets where everyone gets drunk, and then at like 2 in the morning when last call happens and everyone's on the street at the same time and they're already loaded, they just start fighting each other for some reason. I don't want to pull it up on stream, but it's better than a movie. Like, how am I seeing like 120 FPS?
Go look this up on your own. I'm not pulling this up on stream, but if you want to know what I'm talking about, go pull up the Texas Street Fights Twitter account. For some reason it's the absolute highest quality video footage I've ever seen in my life of anything.
I'm like, why can't I get like a David Attenborough [ __ ] with this camera, whatever this camera is.
Dude, need that. Is the Wooden Nickel still open on Sixth? I don't know, the Wooden Nickel doesn't sound familiar. The quality we all wanted when we would watch WorldStar back in the day, dude. Yeah, for sure. Every once in a while I watch way too many of those Texas Street Fights. I'm like, "Oh man, I am brain rot maxxing right now."
Did I use maxxing correctly?
All right. We talked a lot about supply chain stuff. We talked about how to protect ourselves.
We good? Oh, wait. I didn't finish this Wiz blog. Do you guys want to keep going through how to protect yourselves?
We could finish this GitHub "how to do it right" thing. The one thing that I think would be worth going through is how to do secrets.
What do I do for work or his day job?
You're looking at it, buddy.
Most recently, I was head of software security for Reddit.
And before that, I was head of vulnerability management and remediation for Bank of America. And then I was head of cloud security architecture for Bank of America. I was head of security for a fintech company that got bought by Goldman Sachs. So I was kind of like a consumer-facing CISO of a division of Goldman Sachs.
I've done a lot. But now I do Vulnerable You, soon to be New York Times bestseller. From your mouth to God's ears, Roman. Guys, I thought of a conference talk. I haven't been in the conference talk circuit in a while and I thought of one.
I need you guys to tell me it's a good idea. No, I don't. I'm going to do it anyway. But I like validation from strangers. The commoditization of the nation state attacker.
I think that topic is a good conference talk that I could do like 30 to 40 minutes on.
Basically, go over the last 10 years of nation state attacks, and then talk about how recently we're seeing those same types of attacks but not from nation state level attackers. Then talk about the new capabilities that AI is putting out, without the hype [ __ ] that we don't know is true or not with Mythos, but just in general directionally where AI is going and how we're seeing that cause cyber criminals to be able to do stuff that previously only nation states were able to do. And maybe make some hot take predictions about the future and direction of this. "The commoditization of the nation state attacker" was the title that I came up with.
What sparked this idea?
Oh, my video. I'm about to put out a video. It's probably the hardest we've worked on a video for my channel, with iVerify, the team that found the iOS exploits on that Russian server that were then used on Chinese crypto scam websites.
Why do I still have this up? Sorry. This was kind of the thing that started it. I was interviewing this guy whose team literally found this exploit kit on the server, Karuna, and then Dark Sword, right? And the way he described it, Dark Sword is a $40 million exploit kit that was just sitting on a Chinese crypto scam website in a watering hole attack. We have never seen that before.
We have never seen that before. Nation states purchasing and developing iOS exploits were always targeted: after journalists, political opponents, dissidents, protesters, whatever, right? They were always targeted.
Espionage campaigns, whatever.
These exploit kits were just sitting on servers in watering hole attacks just popping iPhones of whoever came by.
That has never happened before. So I'm like, "All right, did they not know what they were sitting on, or did they not care?" And I think they didn't care, because these are not dumb people. It was like Sandworm out of Russia that was doing it. Not the Chinese crypto thing, but Casey did a hot take thing in this keynote. Casey's good for a hot take, man.
So yeah, I think that's the uh I think that's the talk. So I mean Karuna and Dark Sword are like a huge part of where that idea for that talk came from.
But I think we can I think we can go back over the last 10 years and find like the style of attacks that we were only seeing nation states do and like update your threat models. The [ __ ] is coming. The [ __ ] is coming.
You look for it. Sounds good. Rashy for a Webby.
Webby, the podcast awards.
I got to put out a podcast.
It's more like they didn't care. Seems to be the main thing nowadays. Yeah, I agree. I don't think they cared. They're smart, right? These are smart threat actors. It's a good story. I like a story breakdown. Yeah. So, I figure I can do the history of APTs, go back to APT1. All of a sudden, all the threat models changed, because all of a sudden nation states with unlimited resources, unlimited time, and no financial motivation were hacking into people. That's why we started calling them advanced persistent threats.
All the way back to APT1 in China attacking Google. It was the first time that happened that we knew about, right?
It's like, okay, pull the thread. What are the types of attacks that only they were doing? And it's just like, nope, nope, nope, nope. Their skill set is becoming more and more commoditized. More people know about it. And fewer people have to know about it, because AI is leveling everybody up.
And it's going to get worse if even a percentage of the Mythos stuff is true.
It's gonna get worse before it gets better.
Gonna get worse before it gets better.
I'm keynoting some scuba security conference that my buddy's throwing. He asked me to come keynote, but the other keynote is the CISO of the NFL. So, I'm like, "Oh, impostor syndrome. How do you do?" Dude, I just signed up. I've got to get all scuba certified. Have you guys ever scuba'd? I've never scuba'd, but [ __ ]. Yeah, that's like a keynote talk. So I was trying to think of keynote talks. All the talks that I've given in my life are very not keynote, right? They're very specific appsec research stuff. Like, I hacked Chrome OS, and the Million Browser Botnet was where I hacked ad networks to deliver my JavaScript to do DoS attacks, and I could have done a bunch of other gnarly [ __ ]. What other talks did I used to give? Oh, I gave the Top 10 Web Hacking Techniques talk year after year at RSA and a ton of other places.
I gave Kubernetes security talks when Kubernetes was new. So none of those are really good keynotes. Maybe the Top 10 Web Hacking Techniques was a decent keynote if it was an appsec conference, but it still didn't quite meet the keynote bar. So the scuba conference asked me to keynote. I'm like, all right, I've got to get super generic.
And so I was like, okay, I'm obviously going to do an AI and security thing. And I was leaning towards the current state, the current non-bullshit state of AI and security. Like, where we at, right? On offense, here's where our capabilities lie as far as we know.
Defense, here's where our capabilities lie as far as we know. Here's the no-[ __ ] take on what AI is good at.
What's it not? And I figured that was a pretty decent keynote thing. Then I had this nation state idea. I might not use this nation state idea for the keynote for this scuba conference. I might do the original idea.
But I think it would be a good enough keynote. I don't know. I've got to start fleshing it out.
But yeah, scuba, dude. Scuba certification. I thought I was going to have to go to some shop in town, get in a pool with some flippy floppies, little flippers,
and learn how to do it. It's like, [ __ ] no. I've got to do like five hours of online learning [ __ ] before the class, which I'm doing in two weeks. So, I've got to find some time to go through their e-learning stuff. And then I've got to do nights: it's Monday, Tuesday, Wednesday night, like 7 to 11:00 p.m. I'm like, that's past my bedtime, man.
I've got to go sit in a classroom on Monday, and then Tuesday and Wednesday are in a pool, and then Saturday and Sunday, five hours each, I've got to go open water.
I've got to go in real water in some lake somewhere. Oh my god. So it's five hours upfront beforehand is what they said for e-learning.
Or five to 10 hours, I guess, reading comprehension speed dependent. Then it's four hours each night Monday, Tuesday, Wednesday. So that's 12, and then 10 hours. So 22. So, like 30 hours of work in a week. It's a full-time week to get scuba certified. I'm like, what?
They're going to use Mythos to find it and Mythos 1.2 to write the patches.
Just give them half a million to get secured. Half? Yeah, just give them half a million. Security involves psychology, code, and physical. Anything I left out.
Uh, budget, money. Security involves money and willingness to spend it and prioritize.
It needs to be about the philosophy of vulnerability and best practice. Yeah, I mean, that's what I kind of mean, right? You've got to zoom out a bit to keynote.
If you persist and figure something out, how do you reach people who can also do independent verification of stuff? Like when you hacked Chrome, what was the process like after getting through?
That's a great question. So when I hacked Chrome, that was a unique scenario, because they sent my company, my boss, the beta version of the first Chromebooks.
It was called the Cr-48.
And my boss knew me. He literally got it in the mail, was like, "Well, I'm not going to touch this." And he walked into the area of the office that I sat in and he gave it to me. He's like, "Here, Matt, you [ __ ] with this."
I was on a tear at the moment. By the way, internally, my reputation was growing at this place because I was finding some really cool bugs internally. Not [ __ ] that we could talk about publicly at the time, but it was on our clients. I was doing some cool stuff. Okay, so Jeremiah Grossman, founder of WhiteHat, he got the thing. He walked it into me. He's like, "Here, you [ __ ] with it," which was already a blessing. Thank you, right? He bestowed it upon me, but I kind of earned it, right? My reputation was good. So he trusted me to go find some [ __ ]. I found that bug in the first couple hours of opening that laptop.
A default installed thing on the Chromebook.
One of the first cross-site scripting avenues that I tried on that extension worked.
I was like, "Holy shit." Okay, cool.
Cross-site scripting in a default installed thing on the Chromebook. Then one of the guys that sat a few desks down from me, Kyle Osborne, was way better at actual JavaScript than I was. I wasn't a very good JavaScript developer. I was really good at finding cross-site scripting. And so then I tapped him. I was like, "Hey man, I think that this is pretty cool, and that this is going to have special permissions into stuff, right?
Because it's a Chrome extension cross-site scripting. There wasn't a whole lot of research about Chrome extension cross-site scripting at that time. But I was like, I think this has special permissions.
That's when I tapped him and we started working on it together. And he wrote an actual exploit. Oh, and the other major part about this bug was you didn't need to do anything. It was zero click.
So if I shared a Google Doc with you, you would get an email, right? I would check "notify via email" that I shared a Google Doc with you.
The title of that Google Doc would load into this extension. The title was what had the cross-site scripting in it.
So then at that point, if I basically sent you an email, the subject line would execute JavaScript in your browser, and then Kyle wrote the JavaScript to extract your Google cookies from that.
Then we were like, "Okay, we've got something really cool here." Right.
I don't remember the like order of operations if we kept going before we let them know. I think we did.
I think we wrote this whole PoC thing, because I ran back into the other office. Same day, I ran back into Jeremiah's office and I was like, "Bro, look what we found." And he was like, "This is a Black Hat talk. This is a DEF CON talk. This is so cool that you're going to be able to talk in Las Vegas about this." And so we were like, "Oh [ __ ], really? This is what we do all day in there, find cross-site scripting." He's like, "No, no, no. This is different." And Jeremiah had talked at so many Black Hats up until that point, right?
And so we were like, "Okay, let's take this super seriously." And so we did, and we realized that the extension had the super permission that a lot of extensions have, which is the ability to read data from all websites. It had this star star permission. A lot of extensions need this permission. But since you had cross-site scripting paired with that permission, you could then open tabs in the browser and you're still executing your JavaScript. So then Kyle, he went by K,
K went crazy. He was like, "Okay, cool.
Look, I'm going to open tabs for all like all these this dozen of popular websites."
At the time it was like Yahoo, AOL, Hotmail, eBay, E*Trade, you know, I'm dating myself, PayPal, popular early dot-com [ __ ]. And you open all these tabs, and if you're logged in, you have cookies in all those tabs already in this browser, but I still have JavaScript execution.
And so I was able to steal the session cookies of any tab that I opened. From one email I sent you, I could steal every session in your browser, basically, without escaping the browser sandbox.
It wasn't even fingerprinting. I got your session. I could assume your identity on all those things.
I could read CSRF tokens out of those things. I got full man in the browser.
So I could assume your identity, assume your session, not even pass it back to myself. I could do this [ __ ] in your browser, because CSRF tokens are bypassable by cross-site scripting.
So I could run JavaScript, I could open another tab, and then, okay, PayPal, submit a transaction or something like that. If there was a CSRF token there to try to stop me from forcing you to submit a transaction for me, JavaScript could access that CSRF token and then replay the thing, right? So our live demo at Black Hat was really cool. He also wrote a JavaScript port scanner.
So it was like, okay, I've got man in the browser. Basically the talk was: here's what we could do with cross-site scripting in your browser, because it was universal cross-site scripting, is what that's called. If you find cross-site scripting in a browser extension with that broad permission, you have cross-site scripting on websites that might not actually have a cross-site scripting vulnerability, but you can act like they do because you're in the browser extension.
So your question was, okay, what did we do? So Google had a very, very early bug bounty program, right?
Maybe the first. Them, Microsoft, Facebook were super early.
So the team gave us this beta laptop to do this kind of security testing. So we had a direct line.
So we were like, "Hey guys, we found something." But we already wrote all this PoC [ __ ], right? So we told them, and they gave me $1,000 for the bug bounty. At the time, the top browser exploits were $60,000, which would have been life-changing money for me at that time, by the way.
I was still paying student loans. I had no money. I had four roommates.
$60,000 would have been absolutely life-changing money.
So I was pissed that I didn't get the 60,000. I wasn't pissed. I was really disappointed.
They said the $60,000 was if my exploit survived a restart.
So basically the high bug bounty ones were like, "We're outsourcing sandbox escapes."
And my bug didn't escape the sandbox. It just avoided it. I did all the same stuff that the bug that they were paying that much money for would have done, because on this Chromebook there was nothing on the hard drive.
So their whole thing was, oh, you escape the sandbox, you get remote code execution on the system, and you could do malware. You could steal [ __ ] off the computer. But the whole point of a Chromebook is that there's nothing on the [ __ ] computer, right? This is why they give them to old people and students, so they can't mess them up. They're like, "Here, you can't install viruses. Here's a Chromebook, right? You can't install anything."
So my argument was: you just pushed everyone to do everything via Chrome extensions, Google Drive, word processing, everything that you would have installed a program for before Chromebooks, they were pushing you to do in the browser, right? That was the whole point. And I exploited the browser. So I was like, everything you're doing, I have access to. I have access to your whole Google account, your whole Google Drive, every other website you can log into, I can access with this exploit. So I don't care that I can't install anything on this computer, because there is nothing on the computer worth stealing. You're forcing everyone to do everything in the browser. That was my argument. I still think it's a good argument.
But they were like, "Yeah, but you found a cross-site scripting bug. That's $1,000.
You didn't find a sandbox escape and remote code execution chain." By the way, it was $60,000 then. It's like $1.5 million now. $1 million now.
If you find that bug now, it's $1 million. It was $60,000 then.
So it was early, early bug bounty, right? Like, you'd give me the 60K. Thanks.
Yeah, if you restarted this Chromebook and you reopened it up and my email and note were still in your inbox, it would automatically re-exploit you. So every time you restarted, if it was still there, it would re-exploit you.
That was also part of my argument um at the time. And the other thing was this was default installed on Chromebooks.
This extension that I found it in, it's called Scratchpad.
So, uh I think if I was a worse person, I could have taken over and hacked 300,000 browsers that day.
I think that was the stat of how many people had received Chromebooks or had that extension installed.
What would it have taken to meet their standard? Like, was it a hardware thing?
No, it's basically sandbox escapes, right? So if you ever read any of these bugs in Chrome where they're like use-after-free bugs, memory bugs, and then they're chaining the exploits. So you exploit one bug, one bug, one bug, and now all of a sudden you're writing code onto the machine. So the thing that they're paying a million dollars for is: you're using Chrome, you browse a website, your machine gets permanently owned by malware.
That's what they pay a million dollars for. It's very hard.
You think bug bounty as a side hustle is worth learning still? Feels super saturated. It is super saturated.
I wouldn't personally be like, "Yeah, go do it and count on this income," especially if you're not already established and very good.
But as a learning methodology, hell yeah. Who cares if it's saturated?
If you're learning to hack, it's super valuable.
I wouldn't be paying my mortgage off of it. The people that do that are very, very good, and they're confident that they're going to be able to find a certain number of bugs per quarter, right? To stockpile some cash. Any big breaks where you are an independent person outside of your job, especially if everybody is inundated with AI slop and you don't have a direct line relationship to Google like that?
Yeah. Colin, have you heard my career story? Have you heard my lore? Has it been long enough since I told my lore that some people in here haven't heard it? I feel like I say it too much, so I try to not just tell this story all the time.
No, you would like to. TL;DR came from a trust fund. I [ __ ] wish, man. I wish I was born on third base.
That'd be dope.
All right.
Sorry for everyone who's already heard the Matt J lore. It's a good story.
I'll try to tell it entertainingly. Colin is officially a regular in chat, so if he would like to, I'm down to oblige for a minute here. So, I was in college in New York on Long Island. I was living in the dorms and I had an internship at a company called Arrow Electronics, which was a big semiconductor middleman, not a website, a big-ass Fortune 100 company, and I had an internship with them. I was a data security intern. I was basically approving Active Directory file share requests and [ __ ] like this. My internship came up and they were like, "Hey, can we keep you part-time even though school starts and the internship's up?" And I was like, "Yeah, I'd love that." So that was the summer internship and I stayed on through the fall. I was graduating a semester early, so I did college in three and a half years, and this fall semester was my last semester of college. My internship was like, "Hey, stay part-time." And the whole thing was, "Hey, you're graduating in December. Cool. Stay part-time. We'll give you a full-time job once you graduate."
So I was like, "All right, cool. I'm going to work for Arrow. I'll make like 50, 60K. This is great." I can still stay on Long Island. I had a bunch of roommates. Me and my college buddies were roommates. I was living in the dorms first and then I was like, "Okay." So then I was still interviewing for other jobs. My girlfriend at the time moved to California, to Silicon Valley, and I was like, "Oh, let me go out there too."
So Arrow was kind of the plan, but I was like, "Oh, let me, you know, whatever." And Twitter had just started. This was literally year one of Twitter and LinkedIn existing.
And so my professor at college was like, "Hey man, get on LinkedIn and Twitter." And he handed me a DVD of a conference talk giving career advice. He was really trying to mentor me. He's like, "Get on social networks. Get on IRC chat rooms. Just go meet people. Go to these meetups in New York City." So I was going to these meetups in New York City, all this stuff. I was just trying to meet people and figure out what I was doing. But I had this other thing. And then, guess what?
Financial crisis. 2008 financial crisis.
So I got laid off and graduated in the same month. So in December, it was like, "Hey, by the way, not only do you not have a full-time job here when you graduate, you and 80 other people got laid off today." So I had to move back in with Mom and Dad, which was a miserable situation for me. I was really [ __ ] depressed, stopped making money, graduated, and had student loans. I was like, "Ah [ __ ]," right? And the whole world was burning. Besides COVID, it was historically probably the worst month to graduate college, like ever. And obviously no one was hiring. So I was like, all right, I've just got to meet people. My professor was like, "Hey man, just get out, meet people, go to security conferences." The first big security conference that was coming up post-December was ShmooCon. It was in January or February, just a few months later, and it was in Washington, DC, which is close enough, right? But again, no money, moved back in with Mom and Dad, broke, depressed, all this kind of stuff.
So early Twitter. One second. Lunch order.
Getting lunch delivered. So, early Twitter, a bunch of security people were on early Twitter, and it's still the case. It's why I can't get rid of Twitter even though it's partially a fascist hellscape. It's still home to a good portion of the security industry and it's where I find a lot of stuff, right?
But back then it was a very, very small niche group of people, and for some reason security people loved Twitter because it kind of felt like IRC. And so there was a group of security people in Boston that were talking about going to ShmooCon in DC. Jack Daniel, founder of BSides. Chris Hoff, who was head of a big part of security at Cisco at the time. Zach Lanier, who ran the security Twitter community, Security Twits. And a few other people: Bill Brenner, who's sitting in chat right now, a security journalist who still lives in Boston.
And Jack Daniel was like, "Well, I'm going to get my company to rent an RV and we're going to load it with security people. We're going to drive down to DC to ShmooCon together and we're going to put our logo on the back of this RV and we're going to call it the Shmoo Bus and it's going to be funny." Okay. So I'm just on Twitter laughing about this. I'm on Long Island and I DM Jack and I'm like, "Hey, are you taking I-95 down to DC?" And he said, "Yeah." I was like, "If I can get to I-95 in New Jersey, will you pull over and pick me up?" And he said, "Yeah." And I was like, "Okay." And then I put on Twitter, "Hey, I got a ride to ShmooCon. Does anyone have a pass? I'm a broke college kid." And some nice gentleman was like, "Yeah, I'll sell you a pass." So he sold me a pass for like 200 bucks, which was all of my money. And then I wrote a college buddy who had moved down to DC, who had graduated the year before me. He lived in a studio apartment with an old lady, and one of those changing dividers was all that divided the apartment into two. It didn't even have rooms. It was just like, "Oh, the old lady lives on that side of the changing screen."
And he didn't even have a couch for me. I just slept on the floor of my college buddy's place. And yeah, that was it. I took like a $10 train to New Jersey. Jack and the crew picked me up.
It was legendary that I did this. So then I had a four or five hour drive with veterans in the industry and 21- or 22-year-old me. And then I got to ShmooCon and they were like, "Who's this [ __ ] kid that was on the Shmoo Bus?"
So I was like, "Oh, I'm Matt Jay from Twitter." They were like, "Oh, we talked to you on Twitter."
And then I met some people down there, this guy Jamie Arlen and this guy Dave Lewis, who ran a security blog in Canada called Liquidmatrix Security Digest. And they were like, "Oh, look at this young pup. We're going to let him help us on our blog." So I ghost wrote on their blog under the name Security Intern, and I wrote the daily news on their blog. It's literally what I'm doing now. That was my first thing. And Jamie, who ran that blog, was like, "Hey, I have a consulting company on the side of my day job." Jamie was the CISO of a utility business in Toronto. And he's like, "I've got this consulting company that I help people out with on the side."
Do you want to help like write policies?
So I was writing ISO 27001 policies for his consulting company for peanuts, but I was getting like $1,200 paychecks from him to do this.
And really, I didn't deserve it, because he was teaching me how to do it. I was just doing some of the grunt work on the policy writing.
And so Jamie basically paid my student loans and [ __ ] for a few months. It helped me get out of Mom and Dad's house, and I moved in with five roommates. So I was paying like 200 bucks a month in rent, 300 bucks a month, whatever the [ __ ] it was.
And then I went to RSA that spring, the spring of '09. I told you my girlfriend moved out to California, so I was like, I'm going to go stay with my girlfriend and go to RSA. And part of the Twitter people that I knew at RSA was this company called WhiteHat Security that I really wanted to work for.
Oh, no. I'm sorry. I skipped a year. Hold on. I didn't go to RSA that spring.
I went to Black Hat and DEF CON that summer, and a bunch of people from ShmooCon that I knew did a cigar meetup at Black Hat and DEF CON. I went there and I met all these other people that I knew from Twitter. I think I did the math: like 80% of the people that I've worked for or got a job because of were at that cigar bar that I met that summer.
So, who was at that bar? Chris Hoff, who was on the Shmoo Bus, by the way, but he was the one who organized the cigar meetup. Chris Hoff was head of cyber security technology at Bank of America, who hired me at Bank of America 15 years later. Allison Miller was at that cigar bar. Allison Miller, guess what?
CISO of Reddit, hired me at Reddit.
Jeremiah Grossman was at that cigar bar.
Founder of WhiteHat. What was one of the other ones? Oh, I met RSnake, Robert Hansen, who we were talking about the other day, the inventor of Slowloris. He was in Vegas that year. I met him. He's the one who introduced me to the guy in Austin that got me the job in Austin. Every job that I had, it was people that I met at those first couple of security conferences. And again, no money.
I was staying at the $20 dirty hotel. Had no badge for Black Hat or DEF CON. I was just like, I'm getting to Vegas, man. I don't have a badge. But then people would hand me badges. I would sneak in, whatever. I would go to parties. I would hang out.
I would meet people. And yeah, I met a guy in Vegas who was like, "Oh, I'm always looking for junior pentesters." And then I got a consulting pentest gig. That was my first year in security. And then that guy sent me to RSA and I met the WhiteHat founders at RSA at their party. I think I'd already met him in Vegas, but then I tracked him down to this party at RSA and he was like, "Hey man, come interview tomorrow." And I did, over tacos, and I was like, "Hey, I don't have a suit or anything."
And so I went and interviewed over tacos in shorts and a t-shirt, and they offered me the job. So I went back to New York, packed my [ __ ] up in my two-door car, and I drove from New York to California and moved in with my girlfriend and her roommates. I made $35,000 a year to work at WhiteHat. And then a few months later, they handed me that Chrome laptop. And a few months after that, I was talking at my first Black Hat, making $35,000 a year with four roommates. I was on stage at Black Hat and DEF CON and being quoted in the Wall Street Journal and on CNN.
Tada. There you go. So, my lucky break.
I didn't have an in at Google, man. I just started doing what you're doing right now, right? Like, you're just talking to me like, you know, cool.
Like, let's let's chat. Let's hook you up. What do you know? You know, so what you're saying is bus.
What I'm saying is just do [ __ ] um just meet people. What do I tell every what do what do I tell you guys always learn [ __ ] meet people?
Roman just went to his first cyber security conference. Roman, did you meet anyone you kept in contact with?
You going to get like a cool job from anything you met there? Doesn't happen at every conference, but I'm just saying there's cool people to meet at every conference.
Which uh I think there's a lot of GitHub security folks involved now. ShmooCon does not exist anymore.
The last was last year.
Sad.
Sad.
Yeah, they did the last year.
It was a good conference. It was a good conference. I'd say BSides SF is like that same size. It's not the same vibe.
I'd say BSides SF is like the new pinnacle for me of like right size, right venue, right group of people.
You're moving on to the next interview round that I had yesterday. Oh, is this the cloud security one? Is did you meet this cloud security? Did you meet this team that you're interviewing with at that conference you went to?
We need more time to marinate. Not selling myself short, but I know myself well enough to know what your strengths and weaknesses are. Yeah, for sure. Do you I mean but like just put yourself out there.
Put yourself out there marinate or not.
Just like whatever you are learning just [ __ ] talk about learn publicly. I did not.
But they mentioned see me go via LinkedIn. See they're like this guy is passionate and involved in the security community. I just snapped in chat did that again.
That happened earlier. I like pointed at chat and it was like Restream is gonna be dumb. Oh, Restream just refreshed on screen and got rid of Twitch. That's what happened.
Twitch chat just broke on screen. Oh no, there's Roman. But Roman, none of your other chats above the one that you just said is there.
[ __ ] stupid, man.
Restream, dead, when just the worst [ __ ] piece of software, right?
How much time do we have left for what?
For stream today or like before the asteroid hits? I don't have the answer for the second.
I'm convinced I'm doing something wrong with the streaming software because like I agree as uh as popular as it is, I'm convinced it's me. It's got to be a me problem, right?
There's no way that everyone else that uses this software has these problems every day.
On Decoder, Nilay Patel: people do not yearn for automation.
What did my brain just broke? Did I just have a stroke? What are you saying?
On Decoder, Nilay Patel. The people do not yearn for automation.
We are all accountable to each other even when we embrace LLM. And then two, the skills thing you said on Twitter.
Dude, I'm sorry. I'm having a stroke.
Or you type out and that's fine. But um All right. We got to do we got to do some newsletter stuff. Had to truncate.
That was bad. No worries.
We got to do some newsletter stuff.
Let's make sure uh we grab any headlines that we missed and haven't talked about today. Decoder with Nilay Patel.
most recent episode.
Oh, is that is that a podcast or a YouTube channel or something?
Let's see some headlines real quick and then we can go do YouTube [ __ ] I can stay as long as we want to stay today.
Thursday is my no meeting day and I got to write my newsletter and I started late. So, we're only at 2 hours 40 minutes so far and I started like an hour late today. Am I filming a YouTube video today? Uh, maybe I'll film this Bitwarden. Should I film something about Bitwarden?
I filmed a Vercel/Lovable rant yesterday that's going to go out today. My editor is putting that out. And I've got two other ones he's working on that are already going out. So, I think I've got three videos in the pipe right now with my editor. So, I don't think I absolutely need to film something today.
And honestly, Bitwarden's going to be old news by the time he can get anything out, unfortunately.
The way that my current workflow is with my editor, he cannot get something.
You can't get something out today. It's going to be and like we're going to put the Vercel/Lovable one out today. So, I'm going to just do a short.
I probably won't record the short while live on C. Sometimes I do that, but it's kind of cringey.
I kind of cringe at myself when I'm like, "Hey, bros. Thanks for watching me film this [ __ ] short."
Good questions today, guys.
I know there's only like a few of you active in chat right now, but um this is good. This is good stuff.
Um, let's do let's do some news stuff really quick. Sorry, I just distracted.
I texted uh Zack Corman today and I was like, "Yo, bro, we got to do more pop on each other's uh content," because Zach does good content and then Soulst does good content, a start, and uh I was like, we got to get our Riverside game uh so we can like [ __ ] with each other. Let's do headlines real quick because otherwise I'm if I don't do newsletter stuff, I stay up way too late. If I don't do newsletter stuff in this time block right now, I am up until significantly too late going cross-eyed doing the newsletter. So, that's what we're going to do. We talked about a bunch. So, I'm guessing that Bill, who hangs out in chat and transcribes all of my rants all week, if you guys don't know, I pay somebody to sit in chat. He takes the transcripts of my incoherent rambling and he does things and then he like gets the newsletter started for me at the very least. And then I try to do like 10 to 12 stories into the newsletter. And so I usually have to like add a few stories that I didn't like rant sufficiently about. So it's still my voice because it's like transcribed and then he massages it. But do you and the other newsletter people hate the AI written newsletter folks?
I don't know if hate's the right word. I use AI like in my [ __ ] but like I said, it's like it's my voice. I'm obviously making a lot of non AI content in a in a given week. So, I don't really care that like AI summarized a bunch of [ __ ] that I said like into a blob. Like that feels like an okay use of AI to me. Maybe people [ __ ] hate that, but it's all right. Um, but yes, I don't like the newsletters that are just like a h very obvious that a human never touched this, you know, and then there's like a lot of people that are like pitching that like completely like no hours per week. You set up this AI pipeline and a newsletter goes out and you're going to make money somehow.
And it's like, okay, cool.
Uh I think like our whole differentiator in like the little pod that I hang out with is like we're all cyber practitioners, right?
If you have an LLM or skill tuned to be truly like your previous work's voice.
No, I still edit the [ __ ] out of all of it, but like I can at least have it format and stage and like summarize and I mean I still pay Bill a decent amount of money. He's not AI. Like Bill is a human that like gets it one step further and then I still go in and edit everything so that it's like, oh no, I said it like this or whatever.
But man, I got scared the other week. I had a CISO of a very large financial institution text me and say, "Hey man, I'm running an incident about this vulnerability and it wasn't in VulnU.com.
It wasn't in the VulnU newsletter this week. Am I overreacting?" And I was like, "Oh, I need to take my responsibility a little bit more seriously here." Like literally the CISO of a major financial institution was like, "Hey, you didn't mention this vuln and I'm like running an incident. Is it not a big deal?" I was like, holy [ __ ] Okay, I will go look.
Did I miss this? And it was it was not a big deal. He was overreacting.
I was like, cool.
Yeah, that beginning scaffolding takes hella long. Oh, dude. Yeah, like my big time savers is like H2 tagging the [ __ ] headline, putting a link in the headline. Here's the summary of what happened. Parenthesis, read more with the link. Do that enough times in a given week and you're like, you know, it's quite literally hours of work to just like get it all loaded. And so AI plus Bill saves me hours. Used to take me six to eight hours to do the newsletter. Now it's taking me, if you don't count all of this of me reading the news and talking about it, if you just count pure play me open newsletter CMS, takes me like I don't know two on a good week, if uh if we nailed it and actually covered some [ __ ] that Bill could turn into usable stuff, and like four on an okay I still have a lot of work to do week. But it used to take me six to eight hours. Um I used to be up till 2 am when I was working at Reddit. I was up till 2 am easily getting the newsletter ready when I still had my day job. 2 am easily. And I woke up the next morning and was doing my YouTube channel. Like Friday mornings, before I went to work at Reddit, I would do my YouTube video like super early Friday morning. No wonder I burnt out and stopped doing YouTube for like a year.
At least I didn't stop the newsletter.
All right. A dozen allied agencies say China is building covert hacker networks out of everyday routers.
I mean, is this news? Joint warning describes major tactical shift by Chinese-linked hackers, lays out what organizations should do about it.
Like I don't think this is news. Like China hacks routers is like not news, right? US and international government agencies warned Thursday about a widespread shift, what shift, in Chinese hacker methodologies towards use of large-scale covert networks that compromise common devices and carry out attacks. What's the advisory? Defending against China-nexus covert networks of compromised devices. Bunch of three letters. Over the past few years there's been. Years.
Years, over the past few years, there's been a major shift.
Are we [ __ ] kidding me?
Do you know how much salary is sitting in a room of taxpayer dollars to say that hey over the last few years there's been a major shift Guys, this broke me.
Here I am being like, "Oh [ __ ] bunch of three-letters getting together.
Let's Let's see.
What's up, Adam?
Thank you.
As I sit here broken as I sit here broken from things that are not news.
Oh my god, guys, Adam. I really appreciate it. Thank you.
Oh my god, my brain is absolutely broken. I'm I was about to sit here and write. I was like, "Oh man, I got to write about this." What? All these theater agencies are making a a thing.
Breaking news. The shift is shifting.
Breaking news years over the last few years. If you [ __ ] need this many government agencies to tell you that China's hacking routers over the last few years, you're so cooked.
You've you've never been more cooked.
I'm streaming.
Pedram's like, "Can I come in?"
I tried to get into Pedram's office. He was on the call.
All right. I need a pedro rope maestro.
Guys, I need to give you a babysitter again. Who do you want your babysitter to be?
We need a babysitter. I got to take a phone call.
Here we go. This guy. I want to watch this though. But you're gonna you're gonna watch it and then you're going to tell me what I missed.
Okay, one sec.
>> On YouTube making a video about how miserable the job market is for software developers right now. And I catch his video because in the thumbnail, his left eye is super red. And you know, humans, we catch on to these things quickly. So, I click the video and it is the most unhinged beginning to a YouTube video that I've ever seen. He spends the first 5 seconds just staring at the camera dead pan while taking a sip of his tea without breaking eye contact. Then he suddenly leans in, points at his eye, and he's like, "Yeah, this this is from AI. This is literally from the stress of job hunting." He's been laid off for nine months now, and has been applying non-stop to jobs, and in some cases going really far into the interview process with a couple of companies. One company in particular he went nine rounds with, and he's 100% sure this job is his. He doesn't get the job, and his heart drops. He couldn't believe it. He asks them, he's like, "Why? What happened?" And they share with him the winning job entry. The winning guy used 100% AI and has 30 more features than the poor bastard Garrett who used 50% AI and 50% manual. Garrett's basically the guy who in 1849 heard about gold in California and went, "You know what?
I'll walk to Nevada and see how I feel.
I mean, the waiting dude wasn't even present when his application was submitted. For all we know, he was taking a [ __ ] while Claude was flunulating. And that dude now has equity and a 401k. And meanwhile, Garrett is at home writing unit tests and making us go dry and [ __ ] And his eyes filling with blood. One guy's [ __ ] the other guy's hemorrhaging.
Guess which one the market chose. And the jobs exist, by the way. Software engineering postings are up 11%. But the market has spoken and the market said, "We want more stuff and we want it faster and we want it cheaper." And you can sit there and say, "But what about quality? What about maintainability?"
And the market goes, "Did I stutter, [ __ ] The thing that got you hired in 2019 is the thing getting you fired in 2026." Nobody reads your own code anymore, man. Let alone your code. It's a dead skill. It's like reading hieroglyphics. It's time for you to adapt and face the slop. Don't argue.
Imagine more slop. Do the slop. Be the slop. Slop is peace. Slop is strength.
You will eat ze bugs and you will make ze slop. Learn to enjoy it. For over 2 years now, AI tools were the greatest sale in the history of software. 20 bucks a month and you get a half brilliant half [ __ ] senior engineer in a box. Your CEO almost had a heart attack. It was such a good deal. They called it unlimited. And back then, unlimited used to mean something.
Unlimited meant, and I looked this up, without limit. Now unlimited means until we find out how much you actually want it and then we'll tell you the real number. It was basically a survey and in 2026 the results are finally in and the results are you'll pay anything. And now the price is anything. Microsoft just leaked that Copilot is moving to token-based billing because its weekly cost of running the thing nearly doubled since January. What's wild is that the bad answer cost as much as the good answer and the tokens you're paying for include the tokens the model wastes on itself because the model thinks out loud. It like argues with itself. It writes a draft then second guesses. So it starts over. Then it goes actually let me reconsider and every one of those anxious utterances is on your tab. You are paying for this thing to have a nervous breakdown in front of you and you're billed to the millionth of a syllable. And at the end of the breakdown, it >> is this cool. Sorry. Tell me what this is about.
>> Shiny hut.
Sorry I had to give you a babysitter twice today.
Oh my god. So sick.
You weren't listening. Some guy red eye because stress of AI. Yeah. Okay. No worries. Vibe coding at work right now.
>> Produces some answer and the answer is wrong 25% of >> all right.
Was anyone listening? Should we abandon ship? Should I just get back to what I was talking about? No, you were listening. Embrace AI slop for your hiring overloads. That's what it was. I I was kind of listening. I was on the phone, but I was kind of listening.
So, this guy's in nine interviews.
Sorry, we're going to do it again.
Sorry.
>> One company in particular he went nine rounds with and he's 100% sure this job is his doesn't get the job and his heart drops. He couldn't believe it. He asks them, he's like, "Why? What happened?"
And they share with him the winning job entry. The winning guy used 100% AI. It has 30 more features than the poor bastard Garrett who used 50% AI and 50% manual. Garrett's basically the guy who in 1849 heard about gold in California and went, "You know what? I'll walk to Nevada and see how I feel." I mean, the winning dude wasn't even present when his application was submitted. For all we know, he was taking a [ __ ] while Claude was flunulating. And that dude now has equity and a 401k. And meanwhile, Garrett is at home writing unit tests and making us go dry and [ __ ] And I >> So, uh, this is like we've we've been talking about this like not only is AI like making a bunch of stuff different.
It's like ruining hiring, right? It is like so hard to hire the the amount of applications, AI generated resumes, and then AI um stuff during the interview.
What up, Francisco? Uh, I started a little late. So, I'm just now crossing three hours, which is usually when I stop. So, yeah, I'm like I started an hour late. I usually And uh and it's Thursday. It's It's time to write the newsletter. So, we're going to just make sure that we go through the news, but we're watching a video because I had to take a phone call. Um, and I This is like how I babysit you guys. I put YouTube videos on, but yeah, AI hiring is screwed. And so this is kind of what this guy's talking about.
>> Guy is filling with blood. One guy's [ __ ] the other guy's hemorrhaging.
Guess which one the market chose. And the jobs exist, by the way. Software engineering postings are up 11%. But the market has spoken and the market said, "We want more stuff and we want faster."
And you can sit there and say, "But what about quality? What about maintainability?" And the market goes, "Did I stutter, bitch?" The thing that got you hired in 2019 is the thing getting you fired in 2026. Nobody reads your own code anymore, man. Let alone your code. It's a dead skill. It's like reading hieroglyphics. It's time for you to adapt and face the slop. Don't argue.
Imagine more slop. Do the slop. Be the slop. Slop is peace. Slop is strength.
You will eat ze bugs and you will make ze slop. Learn to enjoy it. For over 2 years now, AI tools were the greatest sale in the history of software. 20 bucks a month and you get a half brilliant half [ __ ] senior engineer in a box. Your CEO almost had a heart attack. It was such a good deal. They called it unlimited. And back then, unlimited used to mean something.
Unlimited meant and I looked this up.
>> Well, I've been listen I've been doing more Apple TV YouTube stuff, too. So, hi. I'm on the big screen. I've been doing this, too. I sent Daniel Miessler a picture the other day. I was like doing the dishes, and I had Daniel Miessler up on my new big screen on Apple TV.
It's kind of crazy how much people do uh YouTube on their TV these days. But the YouTube app on Apple TV is actually really good, especially once you get YouTube premium and you don't have to worry about all the ads and [ __ ] Glad hiring is up for Su and various roles.
Layoff's still happening. Dude, I'm getting hit up. I'm literally I literally vibe coded the job board because I'm getting hit up by recruiters who are like can't hire software engineers fast enough. So take that for what you will, okay? like serious shops are still gonna want more code than they can possibly even vibe code fast enough.
Like you still need people, right? Uh this is what I've long said is like I think like the appetite is going to continue to grow, right? So it's like yeah, you could do more with less, but you're going to want more now, right?
Wait, did did I just miss another call?
No. Did I?
No, I didn't. Okay.
>> Limit. Now unlimited means until we find out how much you actually want it and then we'll tell you the real number. It was basically a survey. And in 2026, the results are finally in and the results are you'll pay anything. And now the price is anything. Microsoft just leaked that Copilot is moving to token-based billing because its weekly cost of running the thing nearly doubled since January. What's wild is that the bad answer cost as much as the good answer.
And the tokens you're paying for include the tokens the model wastes on itself.
Because the model thinks out loud. It like argues with itself. It writes a draft then second guesses. So it starts over. Then it goes, "Actually, let me reconsider." And every one of those anxious utterances is on your tab. You are paying for this thing to have a nervous breakdown in front of you and you're billed to the millionth of a syllable. And at the end of the breakdown, it produces some answer. And the answer is wrong 25% of the time according to this new Microsoft paper. A new paper dropped on arXiv last week with a title where you can tell they tried to make it sound less bad than it is, but they just couldn't figure out how to pull it off. It's called LLMs corrupt your documents when you delegate. The authors work at Microsoft Research, the division of Microsoft where, for obscure historical reasons, the employees are allowed to say things that are true. And across 52 domains, the frontier models corrupt 25% of document content by the end of a long workflow. The paper describes the errors as sparse but severe, which you know they're trying to make it sound like charming.
>> You guys heard the joke. Microsoft research for some reason is allowed to say things that are true. Did you hear that?
>> The employees are allowed to say things that are true, where for obscure historical reasons the employees are allowed to say things that are true, and across the frontier models corrupt 25% of document content by the end of a long workflow. The paper describes the errors as sparse but severe, which you know they're trying to make it sound like charming, like it's glitter or something. Sparse but severe is how you describe a sniper, bro. And they gave the model the ability to use tools and they found giving the bot tools made it 6% worse. This is the first time in documented history that we've managed to create a tool that becomes less useful when you give it more capability. One of the experiments was essentially edit a document then undo it and the best AI couldn't do it without insane corruption. We had the control Z button, man. It was free. But dad walks in on his 9-year-old daughter on her laptop and she immediately slams the laptop shut and starts crying. She's like, "Dad, it's not what you think. I swear."
But he knew exactly what she was doing.
She was using Google AI and he wasn't specifically pissed that she was using Gemini, although that is pretty upsetting. He was worried for her future and the way she was using it was honestly so adorable. She's asking the thing questions on how to get along with her sisters better and how to swim faster after a swim meet and for creating fanfiction plot lines for her favorite book series. And her dad freaks out and posts this on Reddit like he just discovered his daughter is selling feet pics on the internet. He's like she's not in trouble but we had a long conversation and she's devastated. She now fully understands how sycophantic and insidious it is. Which firstly, like, good job, you've managed to teach your kid two four-syllable words that are insults directed at a bot. But I mean the poor kid, her spelling test next week is going to be insane. Her teacher's going to go, use sycophantic in a sentence. And she's going to go, the large language model was sycophantic.
And the teacher's going to go huh? And then she's going to go it is also insidious. And the teacher's just going to walk out, man. She's like I'm done. And I'm so done with this generation. But I feel for the dad. Honestly, I do. He has to make sense of a technology for his kid that he himself doesn't even understand. There's no precedent for an omniscient always-on ghost in your kid's pocket. Like, what do we want for our kids? You want her to be good at something, right? You want her to earn her skills. But the problem is that her friend's parents let her use AI and her friend at like 9 is shipping AAA games to Steam. By 13, your daughter is making basic 3D printed fidget spinners and her best friend is shipping enterprise SaaS.
The SaaS has 3% uptime, which sounds bad, but honestly, Anthropic would kill for that number. And I'm so conflicted because if my four-year-old draws a house with a little square and a triangle on top with a little funny man, >> I would literally cry. Whereas, if she showed me an oil on canvas that she generated that is objectively stunningly beautiful and may even be something that represents her, I'm still ultimately unimpressed and maybe even bothered. And the question is, why? Why does the ugly thing make me cry while the pretty thing makes me cringe? And I've been thinking about this a lot. And really, this brings to mind the fact that while AI has whopping width, like a sheer breadth that is impossible for humans to even fathom, humans have depth that is impossible for an AI to fathom. The reason I cry at my daughter's sloppy drawing is because of the infinite depth it possesses. Here, represented in this drawing, is a manifestation of love. It is a process of nourishment and nurturing that has been four years in the making. From not knowing how to say dada to crawling to laughing, walking, eating with a spoon, and now drawing a picture of the house in which she lives with the family that loves her more than anything. That crayon painting is more Mona Lisa to me than the actual Mona Lisa. So when my daughter prompts for an art piece, I'm not moved because there's no story. And without a story, humans are just aimless floating amalgamations of molecules and cells. Art is precisely depth. That is precisely what it is. It is precisely story. To me, it seems like the usage of AI has no benefit other than for commercial purposes, and even then has limited usage. If you're creating a hobby project, you're either creating it for the enjoyment the process brings you or you're creating it to learn about the process itself and to climb the ladder of skill. Using AI robs you of both opportunities. It is neither enjoyable nor educational.
And so I am of the mind that the dad in this situation, while it is a tough call that is impossible to model out, he did the right thing. He gave his daughter the opportunity to struggle in a time where people are gambling with their child's upbringings and values and livelihood on the oversold promise of AI that is exclusively being propagated by OpenAI and Anthropic. Here is a man who chose to raise his daughter with his own values and beliefs and not those of Sam Altman and Dario Amodei. If he turns out to be wrong, well, guess what? Opus 20, by the time she's in college, will surely be a thing that requires no mind at all, and that's already arguably the case today. And by then she's gained a voice, a style, perspective, suffering, struggling, experience, depth, longing, understanding, and ultimately a story, a story about what life, beauty and its lack is. Whereas the kid prompting all day learned how to delegate. End of list. Nothing else was learned. As with all things, the truth is likely somewhere in the middle, but I'm very curious what you This guy's a certified hater, but it's uh it's good like as a as like an AI power user, it's good to throw up the certified haters every now and then. All right, sorry. I got that phone call, so I got distracted. Um Oh, no, that wasn't what initially distracted me. What initially distracted me was being completely [ __ ] broken by this [ __ ] report.
Why are we writing this?
I think CyberScoop just does all the government stuff all the time, right?
Because Tim's really good. Tim's like one of my favorite uh journalists these days.
Um over the past few years, there's been a major shift in the tactics, techniques, and my god, just [ __ ] I want to eat a gun. Over the past few years, we're saying this like this is valuable information. Okay. Oh my gosh, the UK blah blah.
Multiple covert networks have been created and are being constantly updated, and a single covert network could be being used by multiple actors.
The networks are mainly made up of SOHO routers and internet of things devices, which is news to nobody that does this for a living.
Examples of the use of covert networks include activities from Volt Typhoon, Flax Typhoon, Raptor Train.
God damn man.
This is so much worse. Like CISA just tweeted about the Axios supply chain attack like yesterday, right? Happened three [ __ ] weeks ago and it was like alert Axios is hacked. I was like, CISA, where you been, bro? Right? Like already some [ __ ] going on with CISA and now we get this [ __ ] nonsense with like, hey everybody, we put a lot of people that make a lot more money than most of you reading this do. Uh, and they were probably in their finest military fatigues with their [ __ ] ribbons on their chest, and we put out a joint report that this took years to write and we're just going to say, "Hey, by the way, it's been a few years, but China's hacking routers." I don't know if you noticed, some routers be getting hacked.
Let's make this a headline about this being a shift. The shift be shifting.
I almost want to put this in my newsletter as like a hey, this [ __ ] ain't new, but I'm not gonna not gonna.
All right, I'm not going to put this bleeping one in because we're going to put the JFrog article in.
By the way, Bill, if you ain't on it already, JFrog article, Bill. Bill's probably not actually listening.
What are you pointing up to? Most attacks on GitHub actions secured today.
Yeah, we talked for two hours about GitHub actions earlier. TV boxes, routers. Yeah, yeah, yeah. Cool.
If you're into GitHub actions, we gave a master class on this VOD, by the way. We went into how to defend against them and everything.
Vercel said some of its customer data was stolen prior to its recent attack.
Say more.
Vercel said hackers had access to some of its customers' data before the company discovered its recent breach, suggesting that the incident may have had broader security implications.
In an updated security incident page, Vercel said it had identified evidence of malicious activity on its network preceding the early April breach after it expanded its initial investigation.
We have uncovered a small number of customers. It's always a small number of customers. Always. Always.
I steal copyrighted content and violate the copyright act a lot.
What are you talking about?
Uh, prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods. Well, what is it?
Vercel also said it discovered more customer accounts compromised by the April incident but did not disclose details, only saying that it had notified customers known to be affected so far.
The CEO confirmed that the hackers who compromised Vercel have been active beyond that startup's compromised Context AI, which confirmed an earlier breach of its systems post this week, and again we have no other information.
Oh my gosh.
You copy text from other people's written articles and put them in your blogs.
No, I don't.
No, I don't. Without quotes and links to the article? Definitely not. I write a newsletter every week with a link to the article that I'm then summarizing. I don't copy the text of other people's articles and put them in my [ __ ] Absolutely not. I What, guys? I've written my newsletter live on stream before. Like, I've shared my CMS and clickity clack typed my thoughts into my newsletter.
The [ __ ] kind of more evidence do you need that I'm not some plagiarizer or AI bot?
All right, this is an update.
Um, ignore, bro. Well, Galaxy hangs out in here a lot. That's just really weird that you would all of a sudden throw that stone galaxy. It's super weird.
um don't know how cit I mean literally my newsletter is a news aggregator where I link the article and summarize it and then say go read more here and I send hundreds of clicks to news articles uh every week and thousands of people get exposed to the work that wouldn't like tens of thousands of people get exposed to the work that otherwise wouldn't see it.
So, no, it's a pretty big accusation there, bud. Just FYI. That's not like a light accusation of someone who makes his career doing this.
Quite literally, on both sides of what I write is a link to the story I'm writing about.
If I direct quote, I direct quote.
I don't sit up here and claim to be a journalist. I've never called myself a journalist because I'm not. I'm not breaking [ __ ] Um.
All right. What else are... Sorry, that derailed me a bit. Um, Cl... I thought that said Cloudflare. I was like, 72 million in C fun... No, Cloudflare is way bigger than that. All right, we already got the Bitwarden thing. What else are we missing?
Cosmetic giant Rituals discloses data breach. Don't care.
Uh, new criminal toolkit for ConsentFix.
The [ __ ] are you spewing, Galaxy? I'm kind of annoyed at this point. Like, what are you saying, bro?
All right. ConsentFix v3. So, ConsentFix was, uh... push was the one. All right.
Uh, my pedantic side: it's all ClickFix.
Okay. We've called it ClickFix. It's ClickFix. We don't need to name it. We don't need to name ClickFix different things. There's already like seven different things that people are calling different things, something-fix. It's ClickFix. Okay, there just are different methods of ClickFix. This is like phishing. It's all phishing. It's not vishing. It's not quishing. It's not, uh, smishing. It's all phishing. It's just SMS phishing or voice phishing or QR code phishing. Um, some fake news about the ShinyHunters group getting access to Mythos. No way. Right.
I don't think so. Uh, there was some unauthorized access to Mythos, but it was like a nothing burger. It was like some contractors or something like that and they didn't do anything cool with it. So, it's just Opus++, right? Like, so it doesn't really matter.
Someone is accused of being part of ShinyHunters. Okay, we're gonna get to that. All right, there's obviously some ShinyHunters stuff going on. Are you guys seeing this on Twitter?
This is why I need to keep Twitter up on my other screen because you guys start to see [ __ ] Um I don't see anything.
I'll Google it in a sec.
I don't see the ShinyHunters stuff.
All right. Uh, we're going to keep going. I see Opus+. I mean, I'm I'm being a bit pedantic, but it's just it's not like it's not the super hacker model. It's not like, oh, someone got Mythos, they can hack into anything. like that's just not like what's going on, right?
Um, all right. In December, we covered this ConsentFix. It's like a new... it's like a new form of ClickFix, right? Let's... let's review what ConsentFix is.
ConsentFix, uh, ConsentFix: a new kind of phishing attack.
Browser-based attack technique that takes over users' accounts with a simple copy-paste. This is, you know, just like ClickFix.
Uh, enter ConsentFix. This attack shares a lot of similarities with ClickFix.
Uh, and OAuth consent phishing. You can think of it as a browser-native ClickFix attack that phishes an OAuth token on a target app by getting the victim to copy and paste the URL containing OAuth key material into a phishing page.
The campaign we detected looks specifically like targeting Microsoft accounts, uh, by abusing the Azure CLI OAuth app.
In all the examples we saw, the victim accessed, uh, accessed a malicious or compromised web page via Google search.
Verify you're human by completing the action below. Email address. The attacker had injected a fake Cloudflare Turnstile requiring an email address. Then this acted as a form of conditional loading.
You can't use a personal address. Use your work one. Okay. Verify. Um, this is like a stage two. After entering an approved email address, the next stage was loaded.
Paste the URL to allow access. Sign into your Microsoft account to verify your identity. And after successful authentication, copy the URL received below.
I mean, this is so multi-step, right?
So, to complete the phish, the victim copies the URL and pastes it below. So, it's like verify you're human.
Sign in. So, you click sign in. It brings you to login.microsoft. You pick an account. You sign in. URL containing OAuth code, what the attacker wants. So, you put the URL and you paste it in the sign-in page. This can't have been that successful, could it be? That's like hard. Like, I couldn't even tell that that's what they were asking for. Sign into your Microsoft account and then verify at copy the URL received and paste it in. Like, how do they know that that's the URL received, right?
I mean, I believe it if it's out in the wild, but ConsentFix v3, analyzing a new toolkit, investigating a new criminal toolkit. So, that's the quick 101 of what ConsentFix is. Got it. At the end of the attack chain, the attacker is effectively granted API access to the victim's Entra account while sidestepping MFA, even passkeys.
So, that's why it's gnarly, right?
It didn't take long for security researchers to jump on this new technique.
Most notable contribution came from John Hammond, who took the attackers' implementation and said, "I could do better." His V2 replaced a somewhat clunky implementation with a sick drag-and-drop function.
This is John's video.
Site can't be reached. Drag and drop.
Okay, cool.
ConsentFix V3. The latest development is that a member of the XSS criminal forum site with Russian state involvement released a ConsentFix v3 building on the V1 we saw in the wild and John's V2.
The ultimate Azure attack chain description of cons. Where's the summary video? Let's see.
Can you guys see the summary? Yeah, it's kind of small. It's even small for me.
All right, new email.
Whatever. We're emailing I don't think I understand what's going on. Do you?
So, they get an email. There's the password.
They do the password.
Oh, that was just like constructing the thing. And now they have like this really slick page that shows them how to do it. So, they just have an animation that shows them what to do.
Drop the icon here and then it like brings them to the thing. So it feels like it works for them and you grab their token. So it's the same attack.
So the first thing that jumps out is how detailed this forum post is. It reads like a security vendor post. It walks through the key technical concept. This is cool.
So ConsentFix v3 allows users to instrument the entire attack chain, enabling users to spin up ConsentFix infrastructure, create... Yeah. So it's the same attack.
So it's not really a v3. It's just like an exploit kit around V2, right? They were still drag-and-dropping it. It just looked slicker. SaaS and open source tools used to perform the attack.
Cloudflare workers, all this kind of stuff.
All right.
I mean, that makes sense, right?
Merill had a good video on it. I forgot his last name, but Project Matter for Entra.
John Hammond, new video, hacked PDF.
We watched the low-level hacked PDF video.
All right, that's good. This... This makes it... That's interesting enough. Makes it into the newsletter. All right. Google Threat Intelligence. These are always must-read. What happened?
Okay. Issue. I never remember what [ __ ] threat actor group Google is talking about when they use their numbering scheme.
These are the least memorable number uh names. I'm like, who is this?
Who's this UNK?
Do we know? Does it say?
No, because they don't want to advertise their competitor's names.
What's their other names?
So, I try to search for them and I try to search for another blog post that does say both names and I get nothing.
I get bad blog posts that never talk about this person.
Uh, so I don't know if I know this attack... threat actor or not.
Um, all right. What are we What are we reading? I'm sorry. I'm like distracted trying to figure out who this is.
Employed social engineering to deploy custom malware suite. Great. Who on what?
Newly... Oh, it's a newly tracked threat actor group. That's why I can't find anything about the... leverage persistent social engineering, custom modular malware suite, and deft pivoting inside the custom environment. As with many other intrusions in recent years, they're impersonating IT help desk employees.
What does Matt say is everyone's number one [ __ ] job, right?
What what do I constantly keep saying?
If you don't have a story, if you don't have a story and a solve for this, stop literally every other part of your security program and solve this. I stand by it. The threat actors are just constantly telegraphing that this is how they're going to get in.
So, it's time.
It's time you have a solve for this. All right. Victim contacted through Microsoft Teams. I don't understand why Microsoft Teams allows external messages.
I don't get it. Prompted to click a link to install a local patch that prevents email spamming. Once clicked, the user's browser opened an HTML page and ultimately downloaded and renamed an AutoHotkey binary and an AutoHotkey script sharing the same name from the threat actor controlled AWS S3 bucket.
Yeah, Galaxy, we already watched we watched that whole video earlier on stream.
Um, if the AutoHotkey binary is named the same... This is just full malware analysis at this point. I don't feel like reading the full malware analysis.
Let me guess. It does malware things.
Imagine that. It does recon, lateral movement, escalates privileges, and then data exfiltration.
So, Microsoft Teams phishing, AutoHotkey does some malware [ __ ] Does some more malware [ __ ] and then does nastiness.
Interesting. This is from Google. Um, I can't... uh, this is from Google's threat thing, but it's got Flare as, uh, the user, which is another threat intel company, which is funny. But it doesn't say that the source is Flare. So maybe they're using Flare or maybe it's just a coincidence. Phishing link.
It's an Amazon AWS bucket made to look like an Outlook thing.
Directs the victim to a landing page masquerading as mailbox repair utility.
So what, you click health check and it downloads those things.
The script checks the victim's browser.
If the user is not using Edge, the page displays a persistent overlay warning "open in Edge." Why? This is to ensure the victim is moved from potentially secure or mobile third-party browser environments into a specific workspace where the attacker... Ah, okay. Interesting. I've seen that personally. They will email bomb the account and then... Yeah. Yeah. Yeah. I've seen that too, Guitar. I've responded to those incidents.
Phase 2 credential harvesting via social engineering.
I mean, the most interesting bit of this whole article is that this is a new threat actor, because all this is just like... Yeah. Right. Like we get it, we get all this, right? I mean, there's a good threat intel report. I'm not like knocking it, but I don't think I'm going to cover it in the newsletter.
I don't know.
I don't know. I'll start it. I don't I'll see. It's not going to make the cut if I've got enough to talk about, but which I probably do.
What? I thought the CISA director got confirmed.
The new CISA director has withdrawn from consideration after his nomination stalled for more than a year.
Oh my gosh. What?
He left that role in March, reportedly telling colleagues that he needed to focus on assuaging concerns about his Coast Guard work that had led Rick Scott to block his nomination. More than a month after his departure from DHS, Plankey's nomination remained on hold. So, this is currently being run by acting director Nick Anderson after the last acting director stepped down for leaking sensitive documents into ChatGPT. It's just a [ __ ] mess over there.
Agency's been hobbled in recent months.
>> Thank you.
>> Thank you.
I have something.
>> Thank you.
>> Are you hanging out? Are you leaving?
>> Okay. See you.
>> Sorry. Food delivery.
We're gonna We're gonna do lunch stream.
DoorDash. Yeah, DoorDash, aka my wife.
Don't worry, I'll tip her. Um, so, uh, agency h... recent months, after losing about 30% of its workforce due to widespread layoffs and experiencing furloughs due to recent government shutdowns. Yeah. And anyone worth it like leaving? Well, I shouldn't say that. There's probably some very good people still working there. So sorry, no offense, but I'm just saying a ton of people are like, morale shot, right? Like they're just under attack left and right. And so it's probably not like, yeah, I can't wait to get up and go work for CISA this morning. It's, you know, it's like Meta right now. Meta is like training everyone on like their AI replacements and, uh, and then announced 10% layoffs.
Whoa, breaking news.
Heyo, breaking.
Breaking news. GPT-5.5 is already live.
Holy [ __ ] Let's see the video.
Ah, browser built into Codex.
A lot more tool use.
Keeps going until done. Oh, now Claude co... this is Claude co-work type stuff.
All right.
excels at writing and debugging code, researching online, analyzing data, creating documents and spreadsheets.
Yeah. So, they're going after the... they were going like so consumer with ChatGPT, right? Image generation and like just very like consumer, and Anthropic went enterprise with code and co-work and like presentations and stuff, and Anthropic's been eating their [ __ ] lunch. So, obviously we knew that OpenAI had way too much money to not immediately follow suit, right?
GPT-5.5 delivers this step up in intelligence without compromising speed.
Where we at? Anthropic Opus 4.7.
SWE benchmark. Nowhere to be found.
Nowhere to be found.
Can't put the SWE benchmark on if Opus, uh, destroys us on it, right?
Let me see. Is that some of the quote tweets?
I want to see the quote tweets.
Wait, how do you Oh, they moved view quotes again.
How is no one else calling out that benchmark isn't in this tweet?
No one compared to Mythos. Why is the SWE stuff not here? I want to like... I care about how they're good at writing code.
I mean, it seems really good.
In ChatGPT, full stack inference improvement enabled more capable model, faster speed. The efficiency is a game-changer for 5.5 Pro. Yeah, if you've ever run any GPT Pro things, they take [ __ ] forever, right? Early testers described it as an iterative research partner, performing especially well when paired with contextual inputs from documents and other plugins. Where's the blog post? Let's read the blog post.
My first impression of GPT-5.5 is that it is different in the sense that it actually understands what I'm trying to tell it to do. Um, I see before, previously a lot of my prompts have to be very detailed or very instruction-y kind of, where I'm trying to tell it like, hey, look in this part of the codebase, do this. Um, whereas with GPT-5.5 sometimes I become lazy and I kind of give it a very ambiguous task, but then it will figure it out. It actually directs its research and exploration to the right areas of the codebase, comes up with potentially multiple options of how we could do it, and then, um, gets it done for me. So it's been... it's been impressive.
We had a little backlog of crew and I just dropped that into a CSV, gave it to 5.5 and said, "Go fix a couple categories of bugs that had really bothered me for a really long time." And it did, I would say, a 98% job all by itself. And I buttoned some stuff up and it was done. It was able to traverse a pretty complex codebase. It was doing the grouping and the architecture of the solutions in a way that >> like wouldn't 5.4 have been able to do a bunch of... like, I want to know like the main... like, was this person comparing it to 5.4, or is this like the first time they're using, uh, a coding agent that >> I didn't feel like I had to babysit as much, and I saw the alerts on bugs that had really kind of bothered us for a really long time but were hard to hunt down totally go away. It's been incredible using GPT-5.5. Uh, I did not expect the tidal wave of pull requests and changes coming in, uh, as a result of engineers having so much intelligence at their fingertips.
>> Any other videos in here?
Here's the what?
Oh, this is an internal benchmark.
Where's the [ __ ] benchmark for Opus 4.7? I just want the SWE benchmark.
Am I dumb? There's always a benchmark.
They're just comparing it to themselves on the I want to see it compared to Opus.
What is this?
Space mission app.
Earthquake tracker. Dungeon game.
Codex handled the game architecture.
TypeScript Three.js implementation, combat systems, enemy encounters, HUD feedback, and GPT-generated environment textures. Character models and character, uh, textures and animations were created...
Character models, character textures, and animations are created with third-party asset generation tools. Yeah, I was about to say. And OpenAI APIs were used to generate character dialogue.
You're absolutely right. I am an orc trying to kill you. Threat noted. Prompt: Create a 3D game using Three.js. It should be a UFA... UFO shooter game where I control a tank and shoot down UFOs flying overhead.
Think step by step. Take a deep breath.
H I hate these prompts that personify it.
Take a deep breath. GPT.
I mean, this is really honestly kind of crazy, right? With that one prompt, this is what you get.
That's pretty nuts.
That's pretty nuts, right?
Um, knowledge work.
You're an investment analyst.
Go do investment analyst things.
Yeah. I mean, they're just claw maxing here, right? This is what things have felt like in Claude for a bit.
I mean, good. I'm like, I'm all about them competing with each other. Codex and Claude can compete all day as long as we benefit.
Anything else?
Cyber security. That's what I want to know. Give me a video to watch on cyber security stuff. No.
Darn. I got to read it. I was trying to take a few bites of my lunch. You can't read this to me.
Damn.
All right. They're saying, um, incremental but important step towards AI, uh, that can solve some of the world's toughest challenges like cyber security. With 5.2 in December, we proactively deployed the necessary cyber safeguards.
Now with 5.5, we're deploying stricter classifiers for potential cyber risk, which some users may find annoying as we tune over time. We've identified cyber security as a category in our preparedness framework.
They're just talking about the safeguards.
We're making our cyber permissive models available through trusted access for cyber, starting with Codex organizations who are responsible for defending critical infrastructure. So they're... they're Glasswing, right? Here we go.
SWE benchmark public, 5.5, 58%. No wonder it's [ __ ] buried.
God damn it.
Why is this star? There is evidence of memorization in these evals.
Oh my god.
Star, star on Opus. They're saying there's evidence of memorization in these evals and they're linking.
Oh my god, that's so funny.
Oh, damn.
Wow.
Wow. That's wild.
That's wild. evidence of memorization.
Sorry chat, this became the, uh, GPT-5.5 stream pretty quick here.
So they're saying they're basically mythos level on this stuff.
No Galaxy. I covered the [ __ ] out of that when it came out a few days ago.
Whoa.
Wild.
Wild. Wild. What else? I mean, what were we even talking about? We were about to do the newsletter and I'm like Oh, you're AI generated.
All right. My god.
Brain just got completely derailed by GPT-5.5.
It's wild.
Um, all right. Let's keep let's keep doing the news. Sorry, I'm going to be eating, but we're going to do the news.
Or I might get off stream and finish the newsletter. We'll see.
See what we want to do.
ADHD bros unite. Dude, this is... I mean, I am guilty of ADHD, but breaking news like GPT-5.5 requires a bit of a derail, doesn't it?
I think I think so. I think this is perfectly valid ADHD right now.
All right. Are do we really We're really doing some privacy legislation. What are we talking about? This is probably not good. I have no confidence that we're going to do this right.
The new bill tears up a tougher proposal that was introduced last Congress.
Robust data minimization clause says it limits the collection of personal data to what is adequate, relevant, and reasonably necessary. They hailed the bill for requiring the sensitive data only be processed with a consumer's consent and for giving consumers the right to know their data is being collected and used to delete their data and access it.
I mean, yeah, but like this is already [ __ ] Privacy advocates, don't they... they balk.
They say this bill's limited protections are rendered toothless by overly broad language. Yeah, that's why... that's exactly... I'm not a privacy expert and I read this and I was like, "Yeah, but that's bullshit." Like, if the consumer was just going to click through some like, "Yeah, you get consent" thing, and then you're going to have to like write a [ __ ] letter to delete it. This is basically where we are now.
The only health data counted as sensitive involves diagnosis, meaning data collected by period tracking apps and other health tech is exempt. The proposed legislation also does not protect the contents of consumers' communications or financial data held by non-financial institutions. The data minimization provision is weak because, uh, the "adequate, relevant and reasonably necessary" language is broad and therefore easy for companies to work around. Yeah, this is [ __ ] H damn.
What things do you do with GPT?
Kilobyte, to be honest, I used to be a GPT power user. It became Google for me and I haven't touched it in months. I haven't touched it. I don't use GPT for anything right now. It got way lapped by everything else in my tool chain.
Um, so, but I do hear Codex, uh, with 5.4 was good.
So Codex with 5.5 is going to be better.
So I don't know. I don't want another $200 a month bill, though.
Um, any other headlines from today that I have? I kind of went through the rest of the week because I've been live every day. I've been going through the news headlines.
Just trying to make sure there's no headlines that I missed.
What a I mean, Unit 42, we're homies, but what a [ __ ] headline. Can AI attack the cloud?
It's a bad headline, buddies.
I'll text I'll text my homies there.
That Mongolian government systems probably not making my newsletter.
Oh yeah, Apple fixed the Signal thing. Oh, that's in 404 Media, right? Where's 404? I want the source.
Oh my god. Crypto scam lures ships into Strait of Hormuz, falsely promising safe passage. Oh my god, that's crazy.
I have 404 in here, right? Where's the source?
I definitely have 404 in here.
Oh my god. Do I not? Is it Do I like them so much they're in their own thing?
What the fudge am I just staring at it and I'm missing it? I know for sure that I've had 404 here in here in the past.
Oh my god, they're in their own thing and it's broken. Oh my god, it's broke.
Devastating.
All right, I guess we'll uh We'll grab the summary. Where'd that go?
It was like right at the turn of the day, right? Yeah, right here.
Oh, man. Did you guys see this one? So, if you're unfamiliar, where's the link to 404?
Usually, they link straight out.
So people were thinking that Signal messages were getting hacked, but it was really like they were notifications getting stored improperly. And so Signal did not push an update. iPhones pushed an update so that this would not happen anymore, which is further evidence that Signal was not broken. Like everyone was tweeting haphazardly.
For most app notifications, there's no way to easily figure out what metadata might be gleaned from a notification or if a notification is unencrypted or not, said the EFF. It's also good to reconsider whether any app should be sending you notifications to begin with.
Basically, just turn the notifications off if you don't need them.
Note that no action is needed for this fix to protect Signal users. Signal said once you install the patch, all inadvertently preserved notifications will be deleted and no forthcoming notifications will be preserved forever.
All right, cool. Well guys, we're at literally at the 4 hour mark right now.
So that's usually my target about 3 to four hours. So I'm going to eat lunch, finish my newsletter. If you haven't subscribed already, vu.com.
Uh, I appreciate you, but, um, we're gonna wrap it up. If you guys play with 5.5, hit me up over the weekend. But I'll be live on Tuesday and I'm sure there will be news about it as people start to get their hands on 5.5.
If its cyber security benchmark is as close to all that stuff, then we'll see.
Colin, Roman, Galaxy, everyone, who is the other... ES9, you're kind of, uh, new to chat. Thanks for hanging out. Kilobyte, thanks for hanging out.
Who else? Everyone. Everyone, everyone who might still be here, see you. See you. See you. And uh I'll be back on Tuesday morning.
Thanks for a good