
Posts by Philippe Lagadec

Supply-chain attack using invisible code hits GitHub and other repositories
Unicode that's invisible to the human eye was largely abandoned—until attackers took notice.

Researchers found 151 malicious packages uploaded to repositories like GitHub, npm, and Open VSX that hide harmful code using invisible Unicode characters, making the malware undetectable in normal editors and code reviews.

via Ars Technica

arstechnica.com/security/202...

1 month ago

"Zombie ZIP" CVE-2026-0866 is not really a vulnerability which can evade AV engines, because the resulting ZIP file cannot be opened by normal tools, it's malformed.
It's more like a steganography/obfuscation trick, you need malicious code already running to extract the payload.

1 month ago

CERTFR-2026-AVI-0241: Vulnerability in ClamAV
https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0241/

1 month ago

Another antivirus 🛡️, another unfulfilled promise 😣. @kaluche_ turns Avira's protection into a privilege escalation playground. This time: 3 LPE vectors 🆙 via symlink abuse (CVE-2026-27748, CVE-2026-27750) and unsafe deserialization (CVE-2026-27749).

Find out more: blog.quarkslab.com/avira-deseri...

1 month ago

Honestly, AI slop PRs are becoming increasingly draining and demoralizing for #Godot maintainers.

If you want to help, more funding so we can pay more maintainers to deal with the slop (on top of everything we do already) is the only viable solution I can think of:

fund.godotengine.org

2 months ago

How can we detect malicious documents exploiting CVE-2026-21509, the recent 0-day vulnerability in MS Office?
I designed a YARA rule for this, which detects all the malicious files that have been reported.
To get the YARA rule and all the explanations: decalage.info/CVE-2026-215...

2 months ago
Malware Analysis - Malicious MS Office files without Macros (YouTube video by MalwareAnalysisForHedgehogs)

🦔 📹 New Video: Can office files be malicious without Macros?

➡️ VSTO Add-Ins
➡️ External Templates
➡️ Checklist for Office analysis
#MalwareAnalysisForHedgehogs
www.youtube.com/watch?v=RtHH...

2 months ago
formats_vs_techniques
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. - decalage2/oletools

Nice examples! I also maintain a list of the various attack techniques vs. file formats in the oletools wiki:
github.com/decalage2/ol...

2 months ago
Hash All The Things / Get All The Sig(s) - Introducing Sighthouse for Seamless Function Detection
The aim of this talk is to address a common challenge faced by reverse engineers: distinguishing relevant software from third-party libraries within firmware or programs. This task often wastes time a...

reverse-2026.sessionize.com/session/1082... with @mad5quirrel.bsky.social

3 months ago
Blind trust: what is hidden behind the process of creating your PDF file?
Every day, thousands of web services generate PDF (Portable Document Format) files—bills, contracts, reports. This step is often treated as a technical routine, “just convert the HTML,” but in practic...

Blind trust: what is hidden behind the process of creating your PDF file?

swarm.ptsecurity.com/blind-trust-...

#vulnerability #cve #exploitation #infosec

3 months ago
GitHub - decoderloop/rust-malware-gallery: A collection of malware families and malware samples which use the Rust programming language.

🦀 Looking for Rust malware samples to practice analyzing? Our Rust Malware Sample Gallery just received a major update, with 20 new families added! github.com/decoderloop/...

#rust #rustlang #malware #infosec #ReverseEngineering #MalwareAnalysis #reversing

4 months ago
MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper
A look at how threat actors are abusing AppleScript .scpt files to deliver macOS malware, from fake documents to browser update lures, and how these scripts ...

MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper:

pberba.github.io/security/202...

#macOS #infosec #applescript #cybersecurity #exploitation #hacking

4 months ago
Virus Bulletin

Videos and papers from this year's @virusbtn.bsky.social in Berlin are now available online. Amazing conference and looking forward to the next one: www.youtube.com/@virusbtn

4 months ago

There are some really big caveats to this. A thread.

5 months ago

Using .LNK files as lolbins

www.hexacorn.com/blog/2025/10...

6 months ago
hack.lu 2025
Hack.lu (and CTI summit) is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications on society. It’s the ...

At hack.lu I gave a presentation about "How to better identify (weaponized) file formats":

- Why do we need to identify file formats accurately?
- Why can the current tools (libmagic, magika) sometimes be bypassed?
- How can we do better?

You can now see it here: youtu.be/Qp5GDh2sj6A

#HackLu

5 months ago
Infosec/hacking videos recorded by Cooper (@Ministraitor)

I've put together a website which indexes all the recordings my rigs have made thus far as well as those currently planned:
administraitor.video
(minimalist - I'm a mid-/backend dev! 😋)

1 year ago
How To Better Identify (Weaponized) File Formats With Ftguess - Philippe Lagadec (YouTube video by Cooper)

How To Better Identify (Weaponized) File Formats With Ftguess - Philippe Lagadec
youtu.be/Qp5GDh2sj6A
#HackLu

5 months ago

This week I'm going to hack.lu, to give a presentation about file format identification:
Why do we need to identify file formats accurately?
Why can the current tools sometimes be bypassed, or make mistakes?
How can we do better?
2025.hack.lu/agenda/

Send me a DM if you'd like to meet there.

6 months ago

I'm happy to share that LIEF 0.17.0 is out: lief.re/blog/2025-09...

7 months ago

#ESETresearch has discovered #HybridPetya ransomware on VirusTotal: a UEFI-compatible copycat of the infamous Petya/NotPetya malware. HybridPetya is capable of bypassing UEFI Secure Boot on outdated systems. www.welivesecurity.com/en/eset-rese... 1/8

7 months ago

#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7

7 months ago
How FIDO2 works, a technical deep dive – Michael Waterman

This explanation of Passkeys and FIDO2 is really good 👍

michaelwaterman.nl/2025/04/02/h...

11 months ago
Malwoverview: First response tool for threat hunting - Help Net Security
Malwoverview is an open-source threat hunting tool designed for the initial triage of malware samples, URLs, IP addresses, domains, malware families,

Even though I've been away from the field for years, it's great to see that a simple tool that I initially launched in 2018 and with great collaborators (Artur Marzano, Corey Forman and Christian Clauss) has been used by so many professionals.

www.helpnetsecurity.com/2025/03/26/m...

#malware

1 year ago
The one who should not have installed the Kaspersky antivirus
In which we discover the broken career of a civil servant, caused by a fondness, take your pick, for cracked versions of Windows or for the famous Russian engineer's antivirus.

Thanks @gabrielthierry.bsky.social for revisiting the incredible story of the #ShadowBrokers in several parts #MustRead

Part 1

open.substack.com/pub/pwned/p/...

Part 2

open.substack.com/pub/pwned/p/...

Part 3

open.substack.com/pub/pwned/p/...

1 year ago
MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file - JPCERT/CC Eyes
JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the techn...

Do you know examples of polyglot files that have been used in real-life to hide malware from detection/analysis tools?

There is at least this PDF/MHT: blogs.jpcert.or.jp/en/2023/08/m...

Do you know other real malware cases?

1 year ago

I made a Doom source port that runs within a PDF file.

PDFs support Javascript, so Emscripten is used to compile Doom to asm.js, which is then run within the PDF engine. Input/output is done by manipulating text input fields.

doompdf.pages.dev/doom.pdf

github.com/ading2210/do...

1 year ago

The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:

exploitreversing.com/2025/01/08/m...

Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).

#malware

1 year ago
Forget PSEXEC: DCOM Upload & Execute Backdoor
Join Deep Instinct Security Researcher Eliran Nissan as he exposes a powerful new DCOM lateral movement attack that remotely writes custom payloads to create an embedded backdoor.

New DCOM lateral movement technique discovered that bypasses traditional defenses. Unlike previous attacks relying on IDispatch interfaces, this method exploits undocumented COM interfaces within MSI, specifically targeting IMsiServer and IMsiCustomAction interfaces. 1/7

1 year ago