Sam Stepanyan
@securestep9.bsky.social
OWASP London Chapter Leader. #OWASP Global Board Member. OWASP #Nettacker Project Leader. #AppSec Consultant, #CISSP. Follow me on Twitter/X and Mastodon https://twitter.com/securestep9 https://infosec.exchange/@securestep9
#TrustWallet: in a potential supply chain attack TrustWallet browser extension is compromised in the latest update with injected malicious code quietly sending the wallet's seed phrase to malicious domain named "metrics-trustwallet(.)com" - registered only a few days ago
👇
www.ccn.com/education/cr...
How Trust Wallet Crypto Users Lost $6M+ in a Browser Extension Incident
$6M+ in BTC, ETH, and SOL was lost via a Trust Wallet browser extension incident, prompting an urgent user warning.
www.ccn.com
December 26, 2025 at 7:53 AM
#MongoDB and MongoDB Server multiple versions are vulnerable to Remote Code Execution (#RCE) #vulnerability CVE-2025-14847 and may be abused by unauthenticated threat actors in low-complexity attacks that don't require user interaction. Patch now!
👇
www.bleepingcomputer.com/news/securit...
MongoDB warns admins to patch severe RCE flaw immediately
MongoDB has warned IT admins to immediately patch a high-severity vulnerability that may be exploited in remote code execution (RCE) attacks targeting vulnerable servers.
www.bleepingcomputer.com
December 26, 2025 at 6:47 AM
Reposted by Sam Stepanyan
🎉 Big news! Early Bird tickets for OWASP Global AppSec Vienna 2026 are here!
25 years of OWASP ✨ Stunning Vienna 🇦🇹 World-class training 🧠 & a conference like no other 🔥
Why wait? Register now for early bird pricing: owasp.glueup.com/eve...
#appsec #owasp #cybersecurity #securebydesign
December 19, 2025 at 2:48 PM
#n8n: Critical CVSS 10.0 Remote Code Execution (#RCE) #Vulnerability in n8n via expression injection. Users advised to upgrade to version 1.122.0 or later immediately:

github.com/n8n-io/n8n/s...
Remote Code Execution via Expression Injection
### Impact n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users dur...
github.com
December 21, 2025 at 9:51 AM
#Gemini Zero-Click #Vulnerability Let Attackers Access Gmail, Calendar, and Docs. No clicks or warnings were needed. An attacker simply shared a poisoned Google Doc, Calendar invite, or email embedding hidden prompt injections.
#AISecurity
👇 cybersecuritynews.com?p=135749
Gemini Zero-Click Vulnerability Let Attackers Access Gmail, Calendar, and Docs
A critical zero-click vulnerability dubbed "GeminiJack" in Google Gemini Enterprise and previously Vertex AI Search that let attackers siphon sensitive corporate data from Gmail, Calendar, and Docs wi...
cybersecuritynews.com
December 12, 2025 at 8:20 AM
If you missed @shehackspurple.bsky.social's talk "30 Tips for Secure #JavaScript" at the @owasplondon.bsky.social meetup last week - you can watch the recording on the #OWASPLondon YouTube channel [please subscribe!]:
December 8, 2025 at 12:24 AM
#Swiss government urges citizens to ditch #Microsoft365 and other #Cloud providers due to lack of proper E2E encryption citing US Cloud Act requirement to hand over data to US authorities, even if it’s stored in Switzerland:
#DataSecurity
👇
www.techradar.com/pro/security...
Swiss government urges people to ditch Microsoft 365 and others due to lack of proper encryption
Switzerland is worried about data privacy
www.techradar.com
December 3, 2025 at 8:36 AM
#Wordpress: 100,000+ WordPress Websites Affected by Remote Code Execution (#RCE) #vulnerability in Advanced Custom Fields Plugin:
👇

www.wordfence.com/blog/2025/12...
December 2, 2025 at 10:40 PM
#VSCode: 24 malicious VS Code and #OpenVSX extensions are stealing developer credentials - spreading through popular names like Flutter, React, and Tailwind.

Full list of malicious VSCode extensions in the article below:
#SoftwareSupplyChainSecurity
👇
GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools
GlassWorm spreads again using 24 fake extensions across Visual Studio Marketplace and Open VSX, hiding Rust implants & Solana-based C2 to target devs.
thehackernews.com
December 2, 2025 at 3:17 PM
#npm: Malicious NPM Package eslint-plugin-unicorn-ts-2 Uses Hidden Prompt and Script to Evade #AI Security Tools:
#SoftwareSupplyChainSecurity

👇
Malicious npm Package Uses Hidden Prompt and Script to Evade AI Security Tools
Malicious npm package mimics an ESLint plugin, embeds an AI-tricking prompt, and steals environment variables via a post-install script.
thehackernews.com
December 2, 2025 at 3:06 PM
#OpenAI API Data Breach: OpenAI has disclosed a #databreach affecting some API customers due to a hack at third-party vendor #Mixpanel.
What was exposed: Names & Emails, Approximate Location, UserID/Org IDs
👇
OpenAI discloses API customer data breach via Mixpanel vendor hack
OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third-party analytics provider Mixpanel.
www.bleepingcomputer.com
November 27, 2025 at 4:42 PM
#Maven: hundreds of packages just got caught running Shai-Hulud v2 - the same malware that hijacked npm two days ago.
It spread through automated rebuilds, infecting devs who never used npm, stealing & leaking secrets across thousands of GitHub repos:
👇 thehackernews.com/2025/11/shai...
Shai-Hulud v2 Campaign Spreads From npm to Maven, Exposing Thousands of Secrets
Shai-Hulud v2 breached npm and Maven, impacting 28,000+ repos and leaking 11,858 secrets.
thehackernews.com
November 26, 2025 at 7:16 PM
Reposted by Sam Stepanyan
You all should be starring this repo and following up on every npm security best practice: github.com/lirantal/npm...
GitHub - lirantal/npm-security-best-practices: Collection of npm package manager Security Best Practices
Collection of npm package manager Security Best Practices - lirantal/npm-security-best-practices
github.com
November 25, 2025 at 1:42 PM
Reposted by Sam Stepanyan
If you couldn't make it to German @owasp Day 2025 in person, you can watch the live stream here: media.ccc.de #owasp_god25
home - media.ccc.de
Video Streaming Portal des Chaos Computer Clubs
media.ccc.de
November 26, 2025 at 8:53 AM
Over 80,000 files with #passwords and keys from governments, banks, and tech firms were found online pasted into public code tools like #JSONFormatter and #CodeBeautify.

Cybercriminals are already scraping and using the data.
And yes - it’s still live!
👇 thehackernews.com/2025/11/year...
Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys
Researchers uncovered 5GB of leaked credentials from JSONFormatter and CodeBeautify, exposing sensitive data across critical sectors.
thehackernews.com
November 25, 2025 at 11:52 PM
#NPM: Second Shai-Hulud Infection Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft:
#SoftwareSupplyChainSecurity
👇
Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft
Security vendors warn Sha1-Hulud has hijacked 25,000+ GitHub repos via npm packages, stealing cloud credentials or wiping dev home directories.
thehackernews.com
November 24, 2025 at 5:30 PM
Reposted by Sam Stepanyan
The next OWASP London Chapter in-person Meetup will take place on December 5th, 2025, kindly hosted by @tessl_io.
Raffle prizes sponsored by @semgrep.com & Root.io
Talks from @shehackspurple and @SonyaMoisset

Register to attend this event here:
👇
www.meetup.com/owasp-london...
OWASP London Chapter Meetup [IN-PERSON], Fri, Dec 5, 2025, 6:00 PM | Meetup
**This event is kindly hosted by Tessl.** **Raffle prizes are kindly sponsored by Semgrep and Root.** **There is limited seating available for in-person attendees. Regist
www.meetup.com
November 23, 2025 at 9:23 PM
#WhatsApp: Largest data leak in history - the entire directory of 3.5bln of WhatsApp users was available online unprotected for retrieval.
Austrian researchers were able to download all phone numbers, profile pictures & data including public keys:
👇

www.heise.de/en/news/3-5-...
3.5 Billion Accounts: Complete WhatsApp Directory Retrieved and Evaluated
Vienna researchers retrieved all WhatsApp numbers. The 3.5 billion profiles represent the largest data leak in history—and it's worse than you might think.
www.heise.de
November 19, 2025 at 4:40 PM
#GitHub: Downdetector and social media platforms are currently filled with reports about a GitHub outage, and the official GitHub Status portal has confirmed the problem:
#GitHubDown
👇
GitHub is down right now, it's not just you
Hope you didn't need to work today.
www.howtogeek.com
November 18, 2025 at 9:43 PM
#Cloudflare: A Cloudflare outage is taking down big parts of the internet:

#CloudflareDown
👇
A Cloudflare outage is taking down parts of the internet - here's what we know so far
Cloudflare issue is affecting lots of websites
www.techradar.com
November 18, 2025 at 1:05 PM
#Fortinet: Critical vulnerability in Fortinet FortiWeb (CVE-2025-64446) is under active exploitation - CISA adds it to KEV catalog:
Critical vulnerability in Fortinet FortiWeb is under exploitation
The company faces criticism as multiple researchers claim a silent patch was issued weeks before official guidance was released.
www.cybersecuritydive.com
November 18, 2025 at 12:55 PM
#NPM: Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack Exposing Major Security Gaps:
👇
Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack
A mysterious npm worm published 46K fake packages in a two-year spam campaign, exposing major security gaps.
thehackernews.com
November 13, 2025 at 12:40 PM
#Linux: Rust-based sudo-rs Affected By Multiple Security Vulnerabilities - Impacting #Ubuntu 25.10 including partial password exposure (CVE-2025-64170) and incorrect User ID in timestamps. Patches for both issues have been released:
👇
www.phoronix.com/news/sudo-rs...
sudo-rs Affected By Multiple Security Vulnerabilities - Impacting Ubuntu 25.10
The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky
www.phoronix.com
November 13, 2025 at 8:30 AM
#NPM: Malicious NPM Package @acitons/artifact With 206K+ Downloads Stole GitHub Tokens:
👇

hackread.com/fake-npm-pac...
Fake NPM Package With 206K Downloads Targeted GitHub for Credentials
hackread.com
November 11, 2025 at 12:09 PM