Infosec Researcher, Journalist | 📰 Bylines + seen on 📸 BBC, BleepingComputer, Channel 5, WaPo, TechCrunch, WIRED | Member @The_BAJ @CAJ | ✉️ Tips? ax@hey.ax
Jan 1, 2023 • 7 tweets • 2 min read
PyTorch reveals malicious dependency chain compromise between Dec 25th & 30th.
The counterfeit 'torchtriton' stole SSH keys, the first 1000 files in $HOME, .gitconfig and other secrets.
2,300+ downloads seen so far on PyPI.
Uninstall now 👇👇👇 bleepingcomputer.com/news/security/…#opensource
Unsurprisingly, the hacker behind the package, which steals all these secrets, claims that they are only collecting "metadata", wrongly implying this is ethical research. Analysis strongly indicates otherwise.
Apr 12, 2022 • 7 tweets • 7 min read
In 🆕 BBC documentary, Victims of Ukraine War Scammers, @Hannah_Gelbart and I investigate FAKE crypto donation scams capitalizing on the ongoing war to snatch funds away from charities and into their pockets. 💰
Props to @SoyaInk & BBC crew for a brilliant production!
And it doesn't stop at just threat actors stealing thousands of dollars in donations from unsuspecting donors.
We come across real people's identities being stolen.
Dr. @MiguelHibert's identity and pics being abused by an 'Aronov Maxim'—but reverse image search reveals the truth.
Apr 11, 2022 • 5 tweets • 2 min read
Russia-based dev Yaffle altered the 'event-source-polyfill' #npm package in March to show anti-war messages to Russians, as a peaceful protest.
This marks the THIRD major #opensource self-sabotage of 2022: npm package is downloaded 600K weekly and used by 135,000+ GitHub repos.
After printing the Russian-language message, the package opens the user's web browser and directs them to a Change[.]org petition, 'NetVoyne', already signed by over 1.2 million people.