The Exploit Post

Sign in Subscribe

Red Dog Security

Malicious npm Package Used QR Codes to Deliver Cookie-Stealing Malware

Malicious npm Package Used QR Codes to Deliver Cookie-Stealing Malware

Researchers have uncovered a malicious npm package named fezbox that steals victims’ cookies by downloading an obfuscated payload hidden inside a dense QR code. Specialists at Socket say the attackers used QR codes as a covert delivery channel. The package contains instructions to fetch a JPG that holds a high-density

GitHub Enhances npm Security with Mandatory 2FA and Other Measures

GitHub Enhances npm Security with Mandatory 2FA and Other Measures

GitHub has announced a new set of protective measures designed to counter supply chain attacks—an escalating problem that has led to several major incidents on the platform in recent months. A String of High-Profile Attacks Several large-scale compromises have highlighted the risks facing GitHub and npm: * August: the “s1ngularity”

Researchers Compile Top 25 MCP Vulnerabilities

Researchers Compile Top 25 MCP Vulnerabilities

Specialists from Adversa have published an analysis of the top 25 vulnerabilities of the Model Context Protocol (MCP). The researchers describe this work as “the most comprehensive analysis of MCP vulnerabilities to date.” What MCP Is—and Why It Matters The Model Context Protocol (MCP), developed by Anthropic and released

Cloudflare Reports DDoS Attack Peaking at 22.2 Tbps

Cloudflare Reports DDoS Attack Peaking at 22.2 Tbps

Cloudflare has reported a new milestone in the escalating scale of distributed denial-of-service (DDoS) attacks. The company says it successfully mitigated an assault that peaked at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (PPS) — making it the most powerful DDoS attack recorded to date.

Fake Password Managers Infect macOS with Atomic Stealer

Fake Password Managers Infect macOS with Atomic Stealer

LastPass developers warn that threat actors are targeting macOS users by impersonating popular products on GitHub and pushing info-stealers disguised as legitimate installers. Security teams say attackers create fake repositories that appear to host macOS software from well-known vendors, then use search-engine optimization to push those malicious links to the

Client Data Stolen from Automaker Stellantis

Client Data Stolen from Automaker Stellantis

Stellantis has confirmed that malicious actors gained access to a third-party service provider’s platform and stole customer data belonging to North American clients. The incident is reportedly connected to a wider Salesforce compromise that has affected multiple organizations. Background on Stellantis Stellantis was formed in 2021 through the merger

U.S. Secret Service Uncovers 100,000 SIM Cards That “Could Have Disabled the New York City Cellular Network”

U.S. Secret Service Uncovers 100,000 SIM Cards That “Could Have Disabled the New York City Cellular Network”

The U.S. Secret Service has seized more than 300 SIM boxes and 100,000 SIM cards in the New York metropolitan area, equipment that officials say could have posed an “immediate threat to national security” and had the potential to “disable the cellular network in New York City.” Discovery