Miki
mikisec.bsky.social
Cyber security officer by day, a fabulous cookie by night
Reposted by Miki
We disclosed two new RSC vulnerabilities:
- Denial of Service (High): CVE-2025-55184
- Source Code Exposure (Medium): CVE-2025-55183

Patches are available now, please update immediately.

react.dev/blog/2025/12...
Denial of Service and Source Code Exposure in React Server Components – React
The library for web and native user interfaces
react.dev
December 11, 2025 at 8:51 PM
Just read Sysdig's EtherRAT analysis and… wow! North Korea is now running a RAT with a C2 through Ethereum smart contracts. And not just that, but also with a 9-RPC consensus layer for resiliency.

Decentralized, resilient, and honestly very clever.

www.sysdig.com/blog/etherra...

#CyberSecurity
EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | Sysdig
A novel Ethereum-powered backdoor, EtherRAT, is being deployed through the React2Shell vulnerability (CVE-2025-55182). With multi-layer persistence, blockchain C2, and self-updating payloads, this mal...
www.sysdig.com
December 9, 2025 at 8:42 PM
TIL: flatpak's session bus 'org.freedesktop.Flatpak' permission allows escaping the sandbox (by allowing commands to be run on the host machine)

This shows the importance of denying access not only to the 'host' and 'home' filesystems.
May 30, 2025 at 8:46 PM
Reposted by Miki
I wrote up a post about how we hugely improved the write performance for Bluesky's timelines/following feed.

If you want to learn more about how we did it, check it out.

Some nuggets in there about embracing imperfection in some parts of a system to scale better.

jazco.dev/2025/02/19/i...
When Imperfect Systems are Good, Actually: Bluesky’s Lossy Timelines
By examining the limits of reasonable user behavior and embracing imperfection for users who go beyond it, we can continue to provide service that meets the expectations of users without sacrificing s...
jazco.dev
February 19, 2025 at 5:30 PM
Just discovered GNS3, open source software to create virtual network labs (using VMs)

Looks amazing! Next step is to experiment with security controls and incident response.

Also cool: can sniff packets in one click between links (using Wireshark)

World's most basic set-up:
January 25, 2025 at 9:06 PM
Really looking forward to digital attestations being widespread ❤️ (PEP 740)

I'm also hopeful that more and more developers will start switching towards Trusted Publishers. Maybe a warning if it's not done yet: "You are using an API key, consider using Trusted Publishers if possible: <docs URL>"
Last week the Python package "Ultralytics" suffered a supply-chain attack on its build and release process. This is a review of the attack from @pypi.org's perspective.

There's plenty of advice for how Python projects can increase their #security posture:

blog.pypi.org/posts/2024-1...
Supply-chain attack analysis: Ultralytics - The Python Package Index Blog
Analysis of a package targeted by a supply-chain attack to the build and release process
blog.pypi.org
December 11, 2024 at 6:06 PM
Reposted by Miki
Weekend read: What @owasp.org CRS learnt during its open source bug bounty program.

coreruleset.org/20230509/wha...

(Repost from 2023, covers 180+ reports and 500+ findings)

#bugbounty #wafbypass #bugbountytips #weekendread
What we learnt from our bug bounty program: It's not for the faint of heart
A bug hunter’s collection with some nice specimens (Photo: FreeImages.com/pi242) OWASP CRS is the dominant open source web application firewall (WAF) rule set that powers countless servers, commercial...
coreruleset.org
December 7, 2024 at 11:07 AM
Reposted by Miki
#blogvent day 4 is here!

I wrote about writing! So meta!

But actually though, writing for devs/a techy audience can be tough, so I tried to put together some useful tips that have helped me. Hope it's helpful!

cassidoo.co/post/good-wo...
Writing good words for tech folks
Writing content for developers can be challenging, and there are some tips that might help.
cassidoo.co
December 5, 2024 at 5:14 AM
Reposted by Miki
Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...
Bypassing WAFs with the phantom $Version cookie
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known
portswigger.net
December 4, 2024 at 3:17 PM
Reposted by Miki
#blogvent Day 2 is here!

I wrote about note-taking, one of my fave topics, and strategies I use to not just use notes to hoard information!

cassidoo.co/post/note-ta...
The what and the what now: note-taking
Sometimes we take notes just to have notes, rather than for a purpose.
cassidoo.co
December 3, 2024 at 5:06 AM
Thankfully we are not getting many on our end yet. Once every few months, still a few too many where we could spend time on something else.

Only 2 GitHub accounts were reported and banned for bulk spamming (us and other users & organizations), hopefully it stays at 2.
December 3, 2024 at 10:11 PM