#openssh — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #openssh, aggregated by home.social.
-
#OpenBSD 7.9 has been released ( #BSD / #NetBSD / #386BSD / #Unix / #LibreSSL / #OpenSSH / #OpenBGPD / #OpenSMTPD / #OpenNTPD / #OpenIKED / #rpkiClient / #mandoc ) https://openbsd.org/
-
Release of the 60th version of OpenBSD https://linuxfr.org/news/sortie-de-la-60-version-d-openbsd #sortie_version #sécurité #OpenBSD #openbsd #openssh
-
SSH as a corporate L3 tunnel: when classic VPN protocols no longer work
In recent years, for teams that work with foreign infrastructure from Russia, the ordinary corporate VPN has stopped being something you can configure once and forget. OpenVPN, WireGuard, IPsec and various TLS and QUIC wrappers can work reliably for months and then suddenly start to degrade: in one place the connection fails to establish, in another UDP is cut, in another DPI starts recognizing signatures, in another the provider changes its filtering rules. For a company this becomes not a technical trifle but an operational risk. Engineers cannot reach servers. DevOps cannot check production. An administrator cannot retrieve a backup. A pentester cannot connect to a customer's test environment. Meanwhile the infrastructure may be located in Europe, the USA, Asia or with any other foreign provider, while the employees are physically in Russia. At some point we arrived at a simple thought: if an outbound SSH connection can still be established from the corporate network, then we can try using OpenSSH itself not only as an administration tool but also as the transport for an L3 tunnel. OpenSSH has long had a mode for this, ssh -w, which brings up a tunnel through a tun device. The point of the article is not to declare ssh -w "the best VPN of all time". It is not a replacement for WireGuard in a normal permanent infrastructure, nor a silver bullet against any network restrictions. But it is a very useful emergency and corporate option: it runs over ordinary SSH, does not require a separate VPN daemon on the server, can be brought up on a cheap VPS, uses the familiar OpenSSH key model and allows full routing at L3.
-
37 Debian LTS advisories were released in February fixing 145 CVEs across various packages. These include security fixes for bind9, firefox-esr, imagemagick, libpng, mbedtls, openssh, packagekit, perl, postgresql-13, python3.9, systemd and many more.
Debian LTS contributors also prepared updates for more recent releases, Debian 12 (#bookworm), Debian 13 (#trixie) and Debian unstable.
Read the full report: https://www.freexian.com/blog/debian-lts-report-2026-04/?utm_source=mastodon&utm_medium=social
This work is funded by Freexian's Debian LTS offering. Become a sponsor of Debian LTS (https://www.freexian.com/lts/debian/?utm_source=mastodon&utm_medium=social) and enjoy the benefits (https://www.freexian.com/lts/debian/details/#benefits).
#debian #debianlts #freexian #imagemagick #libpng #openssh #packagekit #perl #systemd
-
OK, normally I have my shit wired together, but this bastard is getting to me.
The requirement is for 'phishing-resistant' second factor. That rules out all of the six-digit code apps - it is too easy apparently to get someone to read out their codes to an attacker.
Again, IDK, but apparently 'phishing-resistant' is the next Big Thing. My personal feeling? We are chasing our shadows. Unless I am the last alive Iranian nuclear bloke, my login is as secure as I can be bothered to make it, and I am bound to be disappointed by a weakness at some point in the near or far future. Phishing isn't on the agenda.
Life.
I carry a seemingly-fine cryptographic store about with me most days and ludicrously call it my 'phone'. It can sign stuff, wrangle certificates, store passwords, read faces and fingerprints and QR codes and NFC tags. Heaps of useful 'security' stuff. I wouldn't call the software environment _secure_ at all, but ... IDK, people seem happy enough with it. Anything for an easy life. Row with the flow.
So I search for:
"google passkey login with ssh"
My god, whatalottasloppa comes back. A Gatling gun of half-arsery, cant and junk advice.
Then "MS hello for business login ssh". Christ almighty. Much worse. Worse again.
Then "Apple ID login to ssh". At least that seems to be a simple: "no". A relief really. Someone in the know please: can I set up my sshd to use my phone-based passkey as a primary, secondary or even the complete login?
#TOTP #HOTP #passkey #sshd #key #certificates #PSK #login #ssh #linux #pam #openssh
-
Debian 13.5 reminds Linux users why boring distributions still win
https://fed.brid.gy/r/https://nerds.xyz/2026/05/debian-13-5-linux-security-update/
-
Today feels like a good day to point out that ssh host keys should be tied to your hardware.
I've heard TPMs are good at this.
-
#Freexian collaborators worked on detecting undeclared file conflicts, mini-sprint improving contributors.debian.org, security-tracker performance, fixing dput-ng data loss bug, MiniDebConf Campinas and many more contributions to #Debian in April 2026.
Read all the details at https://www.freexian.com/blog/debian-contributions-04-2026/?utm_source=mastodon&utm_medium=social
We thank the organizations subscribing to our Long Term Support contracts (https://www.freexian.com/lts/?utm_source=mastodon&utm_medium=social) and consulting services (https://www.freexian.com/services/?utm_source=mastodon&utm_medium=social) for making this possible.
-
@FritzAdalis @RuntimeArguments @jammcq @YesJustWolf
Thanks. I did look this up after I wrote the post. I should have looked it up before. But still, without knowing that history, it appeared the speaker was either confused about #OpenSSH and #OpenBSD or equating them or something. It wasn't obvious to me that the OpenBSD team *wrote* OpenSSH. That's the way I heard it, might have misinterpreted what was said.
-
@RuntimeArguments @jammcq @YesJustWolf
I've been a #UNIX user since 1984, and spent my working life developing flavors of Unix and now #Linux. I listened to this episode over the past couple of days. I'm a long-time user of #SSH. One point of confusion and a few points that I learned.
When talking about the origins of #OpenSSH you talked about #OpenBSD but didn't explain how it related to OpenSSH. Was OpenBSD involved in the creation of OpenSSH? It could have used explanation.
1/2
-
Did a new release of ssh-tpm-agent.
https://github.com/Foxboron/ssh-tpm-agent/releases/tag/v0.9.0
`ssh-tpm-add` now supports `-c` for confirmation dialogs before key usage, along with a nice process chain. Thanks to @mic92
-
🕵🏻♂️ [InfoSec MASHUP] - This week's news cycle handed us the usual parade of breaches, arrests, and patch-your-stuff urgency — but if you squint at the #Malware section long enough, a more uncomfortable story emerges. #SAP-related npm packages backdoored with a credential stealer. A popular #PyPI package hijacked via a forged signed release pushed through a compromised GitHub Actions workflow. Seventy-three "sleeper" extensions quietly sitting in #OpenVSX, waiting. The common thread: attackers aren't breaking down the front door anymore. They're walking in through the tools developers use every day, often with a valid signature and a clean commit history.
What makes this particularly fun — in the way a slow-motion disaster is fun — is that the blast radius isn't just the developer who ran pip install. It's every downstream user, every CI/CD pipeline, every AI coding agent that helpfully executed the preinstall hook without asking questions. The supply chain isn't a niche threat vector reserved for nation-state ops anymore. It's where commodity attackers are increasingly playing, because it scales beautifully and the detection gap remains embarrassingly wide.
→ Week #18/2026 also covers: Supply chain attackers found the path of least resistance, #OpenSSH patched a bug older than most junior devs, and #Europe is done pretending U.S. #cloud is a neutral choice.
Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-18-2026-shinyhunters-week-off-they-didn-t-take-one
If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI