Marimo CVE-2026-39987 Exploited in the Wild

Your machine is compromised. Act now. The Problem: The PyTorch Lightning Python Package on PyPI was weaponized. Versions 2.6.2 and 2.6.3 dropped a hidden Malware payload. The Agitation: This isn’t just a bug. It’s a full Supply Chain Attack . - The execution chain runs automatically on import. - An 11MB obfuscated JavaScript payload executes via the Bun runtime. - It harvests Developer Credentials and validates GitHub tokens in real-time. - The worm then injects malicious code into up to 50 branches per repo. This is the Mini Shai-Hulud campaign. Your Software Supply Chain just became an attack vector. The Solution: - Immediately quarantine versions 2.6.2 and 2.6.3. - Downgrade to version 2.6.1. - Rotate all credentials exposed in affected environments. - Treat every machine that imported these versions as fully compromised. This Security Vulnerability exploits trust. Don’t let it exploit your team. How is your team securing your infrastructure against this type of exploitation? Let’s discuss in the comments below. #SupplyChainAttack #PyTorchLightning #PyPI

🚀 Ever tried Burp MCP for automated security testing with an LLM like Claude Desktop? I extended the official Burp MCP Server with a brand new tool. 🤠 𝗪𝗵𝗮𝘁 𝗱𝗶𝗱 𝗜 𝗮𝗱𝗱? A new tool on top of the official Burp MCP Server that lets AI agents like Claude write and deploy Bambda scripts directly into Burp Suite — in real time. 𝗪𝗵𝗮𝘁'𝘀 𝗮 𝗕𝗮𝗺𝗯𝗱𝗮? Bambdas are scripts that you can run directly from Burp Suite's interface. They enable you to quickly personalize various tasks, such as creating custom match-and-replace rules, table columns, active scan checks and filters. 😎 Instead of writing Java code manually, you just send a prompt: 💬 "Create a custom column in HTTP history that extracts the GraphQL operation name directly from the request body" ...and just like that, every GraphQL call in your Proxy history shows exactly which operation it's hitting in a separate column. No more clicking into each request manually. 🎯 𝗪𝗵𝘆 𝗱𝗼𝗲𝘀 𝘁𝗵𝗶𝘀 𝗺𝗮𝘁𝘁𝗲𝗿? Security testing involves a lot of repetitive scripting work. This tool lets you focus on finding vulnerabilities — not wrestling with boilerplate Java code. 🎯 🔗 GitHub link: https://lnkd.in/dezg8dkT #BurpSuite #CyberSecurity #PenetrationTesting #MCP #AI #OpenSource #AppSec #WebSecurity #BugBounty #Infosec #PortSwigger

Project 4/18 – Continuing my structured journey into Malware Development 👾 For my fourth project, I decided to dive deep into network traffic manipulation by building a custom DNS Spoofer from scratch using Python. This project was a fantastic hands-on experience in understanding how Man-In-The-Middle (MITM) attacks operate at the packet level. By chaining this tool with an ARP Spoofer (Project 3/18), I successfully intercepted, modified, and rerouted DNS responses on the fly within my controlled lab environment. 🛠️ Technical Highlights & What I Learned:  🔹 Packet Interception: Utilized NetfilterQueue alongside Linux iptables to trap traffic traversing the FORWARD chain during a MITM scenario.  🔹 Packet Manipulation: Leveraged Scapy to dissect network layers, identify DNS Resource Records (DNSRR), and dynamically inject spoofed IP addresses into the DNS answers.  🔹 Header Reconstruction: Handled the removal of old IP/UDP lengths and checksums so the reconstructed packets wouldn't be dropped by the target machine's operating system.  🔹 OS Networking Behaviors: Gained practical insights into how operating systems handle DNS caching (ipconfig /flushdns) and how modern browsers attempt to bypass traditional interception using Secure DNS (DoH). Building this tool reinforced the critical importance of DNS integrity and why secure protocols like DNSSEC and DoH are essential in modern network architectures. Excited to keep building and sharing my progress! On to the next one. 💻🚀 #CyberSecurity #Python #Scapy #NetworkSecurity #MalwareDevelopment #EthicalHacking #InfoSec #CyberJourney

Payatu Bandit Dhabaleshwar Das discovered an insecure deserialization vulnerability in the pytries datrie package (up to version 0.8.3), now tracked as CVE-2026-5659. The issue is in how .trie files are loaded. When Trie.load(), Trie.read(), or Trie.__setstate__() processes a .trie file, it first parses the valid trie binary data, then passes the remaining file content directly to pickle.load() with no validation. An attacker can append a crafted pickle payload after valid trie data. When the file is loaded, arbitrary Python code executes automatically. The issue is particularly dangerous because the unsafe deserialization is hidden behind seemingly safe data-loading APIs, giving users no indication that untrusted code execution is occurring. What this enables: system-level command execution, data exfiltration, persistence mechanisms, and supply chain compromise for any application processing third-party .trie files. CVSS Base Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) The BaseTrie class is not affected, as it does not use pickle for data loading. Read the full advisory: https://lnkd.in/gqxQkyte This is what research-driven security work looks like. If your product handles third-party file formats, serialized data, or untrusted inputs, the same class of vulnerability could exist in your stack: https://lnkd.in/gxxYEAmX #CVE #infosec #cybersecurity #deserialization #appsec

𝗝𝘂𝘀𝘁 𝗰𝗼𝗺𝗽𝗹𝗲𝘁𝗲𝗱 𝗪𝗲𝗯 𝗔𝗽𝗽𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 — 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗔𝘀𝘀𝗲𝘀𝘀𝗺𝗲𝗻𝘁 & 𝗦𝗲𝗰𝘂𝗿𝗲 𝗖𝗼𝗱𝗶𝗻𝗴 𝗹𝗮𝗯! In this lab, I built a comprehensive security assessment solution to expose and fix critical web application vulnerabilities across multiple attack scenarios using Flask, SQLite. I implemented multiple attack simulations and secure coding fixes:  • SQL Injection vulnerability to bypass authentication via string-concatenated queries  • Authentication Bypass testing using empty, malformed and incorrect credentials  • Privilege Escalation through URL parameter manipulation to gain admin access  • HTTP Request Interception using Burp Suite to capture and modify live requests  • Secure coding remediation using parameterized queries, session-based auth and role validation The entire setup was tested in a simulated web environment, where I introduced real-world vulnerabilities, executed attack payloads, and observed how each weakness could be exploited — then patched every one. This lab taught me how to translate theoretical web security concepts into real, hands-on solutions — one of the best learning experiences this lab! Instructor: Syed Muhammad Awais, Ph.D. #WebSecurity #SQLInjection #CyberSecurity #EthicalHacking #VulnerabilityAssessment #SecureCoding #BurpSuite #Flask #ITStudents #HandsOnLearning #ProjectDone

Ever tried running a fuzzing tool across a 300+ subdomain scope, only to get your IP instantly banned by Cloudflare or watch your terminal fill up with thousands of useless Catch-All false positives? Meet my new bug hunting tool: ReconOrchestrator v1.0 It is a Python-based concurrency engine I built specifically for security researchers to handle massive web fuzzing. Rather than blindly spraying payloads, it acts as an intelligent governor - managing strict thread limits, evading WAFs, and ensuring your local hardware doesn't choke under pressure. In my latest test run, the engine cleanly pushed over 1.3 million HTTP requests from a local machine - without a single dropped packet or WAF ban. Under the Hood: • Intelligent Anomaly Detection: Dynamically filters out "Catch-All" (Soft 404) servers that trick standard auto-calibration, keeping the output perfectly clean. • Adaptive Rate-Limiting: Intercepts WAF responses and automatically triggers exponential backoff on 429 or 403 blocks to protect your IP. • Strict Concurrency Governor: Hard-caps horizontal and vertical threading, enforcing a strict 2-minute kill switch per target to prevent tarpitting. • Smart Pre-Probing: Ping-checks and drops dead infrastructure in 5 seconds before heavy fuzzing even begins. If you are hunting wide scopes or building automation pipelines, check out the source code and let me know your thoughts! Feedback from the community is always welcome. 🔗 GitHub Repository: https://lnkd.in/g3xA9uZx #BugBounty #Cybersecurity #Infosec #Python #OpenSource #Reconnaissance #OffensiveSecurity

I have just released a new project focused on one of the most persistent threats in web security: the SQL Injection Playground and Detection Engine. This platform is designed as a comprehensive educational tool for developers and security professionals to understand, detect, and mitigate SQLi vulnerabilities. The system integrates three core components to provide a complete learning lifecycle: Vulnerable Web Application: A Flask-based environment featuring intentional flaws in login and search functionalities to demonstrate real-world exploitation. Automated Detection Engine: A tool that employs pattern matching, error detection, and timing analysis to identify vulnerabilities automatically. Educational Dashboard: An interactive interface providing side-by-side comparisons between vulnerable string concatenation and secure parameterized queries. Key Technical Implementations:Attack Vectors: The engine successfully detects and demonstrates authentication bypass, UNION-based extraction, and time-based blind SQLi. Defensive Strategies: I have implemented and documented a 100% prevention rate using parameterized queries, input validation, and the principle of least privilege. Automated Reporting: The system generates detailed JSON logs and text-based security reports, simulating professional auditing workflows. This project was built using Python, Flask, and SQLite3 to serve as a hands-on training ground for those looking to strengthen their secure coding practices. Full Documentation and Source Code: https://lnkd.in/gBJVM2cq 👍 #CyberSecurity #AppSec #WebSecurity #Python #Flask #SQLInjection #InfoSec #SecureCoding #GitHub

🍯Built an SSH Honeypot from scratch. Here's what I learned. Instead of faking a shell and hoping attackers don't notice, I built a Man-in-the-Middle proxy — the honeypot sits between the attacker and a real decoy VM, forwarding everything bidirectionally while logging every credential and command. Attackers get a fully functional Linux shell. They have no idea they're being watched. Some of the decisions I'm proud of: → Randomized authentication delay — accepts login after a random number of attempts per attacker. A honeypot that accepts every password immediately is trivially detected. This one behaves like a real server with a strong password. → Credential memory — once credentials are accepted, repeat logins stay consistent. A real server remembers your password. So does this one. → Dual logging — real-time .log file for live monitoring + SQLite for structured queries. When it's deployed on a public IP, I'll be able to query the most common passwords attackers use, attack frequency by IP, and what commands they run after getting in. Tech stack: Python, Paramiko, Socket, Threading, SQLite, python-dotenv Building both sides — offensive and defensive — is the fastest way to actually understand security. If you know how a honeypot works, you know how to bypass one. If you know how to bypass one, you know how to harden it. Code is on my GitHub. Link in comments. #CyberSecurity #EthicalHacking #Python #SSH #PenTesting #Networking #InfoSec #StudentProject #SOCAnalyst

For my final year project, I really didn't want to just write a theoretical paper. I wanted to see how attacks actually happen in real-time. So, my project partner and I decided to build a custom, AI-driven deception network from scratch. The idea was simple but the execution was tough: instead of just trying to block attackers, we wanted to trap them, study them, and adapt to their movements. We set up isolated lab environments and deployed Cowrie and Dionaea honeypots using Docker to safely capture what the attackers were trying to do. The coolest part? Figuring out the log pipeline. Routing all that raw interaction data through Filebeat into Logstash, and finally getting it to visualize in Elasticsearch and Kibana, was a massive learning curve, but totally worth it. We’re now gearing up to simulate a full, stealthy APT attack using Kali Linux against our Ubuntu Server setup to see how the system holds up. Has anyone else built out an ELK stack for their home lab? Would love to hear how you optimized your log parsing! #cybersecurity #ELKStack #HomeLab #SOCAnalyst #ThreatDetection #StudentProject #ThreatHunting Muhammad Faheem SNSKIES Tauseef Ahmed NADEEM IQBAL Dr. Jan Badshah