🚨 Critical security risks in GitHub Actions exposed. The Orca Research Pod has uncovered critical security risks across several high-profile open source repositories that relied on GitHub Actions. Due to misconfigured pull_request_target workflows, adversaries could escalate from an untrusted forked pull request to remote code execution (RCE) on both GitHub-hosted and self-hosted runners. During our investigation, we were able to exploit workflows maintained by Fortune 500 companies. All findings were responsibly disclosed to the affected organizations. Dive into Roi Nisimi's technical breakdown to see how these attacks can unfold in the real world. https://lnkd.in/gceWhyf8
Critical GitHub Actions security risks exposed by Orca Research Pod
More Relevant Posts
-
PoC Exploit Released for Sudo Vulnerability that Enables Attackers to Gain Root Access A publicly available proof-of-concept (PoC) exploit has been released for CVE-2025-32463, a local privilege escalation (LPE) flaw in the Sudo utility that can grant root access under specific configurations. Security researcher Rich Mirch is credited with identifying the weakness, while a functional PoC and usage guide have been published in an open GitHub repository, accelerating the urgency for patching across Linux environments that rely on Sudo’s chroot functionality. Stay connected for industry’s latest content – Follow Deepthi Talasila #DevSecOps #ApplicationSecurity #AgenticAI #CloudSecurity #CyberSecurity #AIinSecurity #SecureDevOps #AppSec #AIandSecurity #CloudComputing #SecurityEngineering #ZeroTrust #MLSecurity #AICompliance #SecurityAutomation #SecureCoding #linkedin #InfoSec #SecurityByDesign #AIThreatDetection #CloudNativeSecurity #ShiftLeftSecurity #SecureAI #AIinDevSecOps #SecurityOps #CyberResilience #DataSecurity #SecurityInnovation #SecurityArchitecture #TrustworthyAI #AIinCloudSecurity #NextGenSecurity https://lnkd.in/gnNqxUBZ
-
Hot take: finding malicious code on GitHub can be stupidly simple — and you don’t need fancy tooling to start uncovering real threats. 👇
I built a tiny workflow that’s been very effective during quick triage and threat-hunting exercises:
• git clone the repo (or use a shallow fetch)
• run a few regexes to extract domain names / suspicious endpoints from code, config, and comments
• check those domains against reputation services / WHOIS / passive DNS to spot malicious infrastructure or reused C2 hostnames
Why this works: many malicious payloads, supply-chain tricks, and backdoors still hard-code endpoints or leave readable indicators in files that humans (and simple scripts) miss. The method is fast, scales cheaply, and surfaces high-value leads you can investigate further.
A few important caveats:
• Do this only on repos you’re allowed to analyze (public code is fine, but be responsible).
• Don’t probe or attack third-party domains — use passive lookups and reputation APIs.
• If you find something malicious, report it responsibly to the repo owner, GitHub, and any affected vendors.
If anyone wants the regex snippets and a tiny starter script (bash + grep + a reputation API call), drop a comment or DM — happy to share and iterate. Let’s make open-source safer. 🔍🛡️ #CyberSecurity #Infosec #ThreatHunting #OpenSourceSecurity #GitHub #OSINT #DevSecOps #Malware #Regex #SecurityResearch #BugBounty #SupplyChainSecurity #VulnerabilityDiscovery
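The clone, extract, check triage described in the post above, sketched as an added example (not the post author's script): it walks a checked-out tree, pulls hostname-shaped strings with a regex, and drops allowlisted hosts so the remainder can go to passive reputation lookups. The TLD subset, the allowlist and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Hostname-shaped tokens: dot-separated labels ending in an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z]{2,24})\b", re.I)
# Constructed subset of TLDs; drops code tokens such as process.env or setup.js.
TLDS = {"com", "net", "org", "io", "xyz", "ru", "cn"}
# Assumed allowlist of hosts the reviewer already trusts.
ALLOWLIST = {"github.com", "registry.npmjs.org"}

def extract_domains(text):
    """Return lower-cased hostnames in text whose TLD is in TLDS."""
    return {m.group(0).lower() for m in DOMAIN_RE.finditer(text)
            if m.group(1).lower() in TLDS}

def is_allowed(domain):
    """True for an allowlisted host or any subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in ALLOWLIST)

def scan_tree(root):
    """Map each non-allowlisted domain to the repo-relative files naming it."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git objects
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            for domain in extract_domains(text):
                if not is_allowed(domain):
                    hits.setdefault(domain, set()).add(os.path.relpath(path, root))
    return hits

def build_sample_repo():
    """Write a constructed two-file checkout that uses reserved example domains."""
    root = tempfile.mkdtemp()
    files = {
        "package.json": '{"scripts": {"postinstall": "node setup.js"}, '
                        '"repository": "https://github.com/acme/widget"}',
        "setup.js": '// fallback host: backup.example.org\n'
                    'console.log(process.env.HOME);\n'
                    'fetch("https://collect.example.net/v1/ping");\n',
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for domain, paths in sorted(scan_tree(build_sample_repo()).items()):
        print(domain, sorted(paths))
```

The output is a lead list, not a verdict: a short TLD set still lets through code tokens that happen to end in a real TLD, so each hit needs a look at the file that names it.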
-
⚠️ Security Reminder We recently unveiled our Stream #CDRGoat, our new open-source project, with the purpose of letting organizations safely validate their detection and response to real-world cloud-native attacks—without risking production. We have seen such a strong demand and interest in the project since day #1. A threat actor recently forked our public CDRGoat GitHub repository, creating a 1:1 copy under their own organization — but with malicious code inserted into several files. Please be extremely careful when downloading from GitHub (or any public repo). ✅ Always verify the author and organization before cloning or running code. Once we reported the issue, the GitHub security team responded almost immediately — kudos to them for the swift action. Kudos to Petr Zuzanov for detecting this almost immediately. Stay safe out there and double-check what you pull. 🛡️
-
⚠ Pentesting using OWASP ZAP Our latest lab dove into OWASP Top 10 A07 (Identification & Authentication Failures) using the powerful OWASP ZAP tool in a Dockerized environment (WebSwing UI). While the setup seemed straightforward, we quickly ran into two major roadblocks that are crucial for any ZAP user to know: 📍 Port collision: The classic issue where both ZAP and the target application (e.g., WebGoat) claim the same port (like 8080) on the host, preventing a proper connection. 📍 Docker network address resolution: When ZAP runs in a container and tries to attack localhost, it resolves the address inside its own container's context. The result is that ZAP ends up attacking itself. We had to ditch hostnames and target the vulnerable application using its internal docker IP addresses to ensure the scan was directed to the correct container. Learn how we navigated these critical steps to successfully launch our automated ZAP scan. Article: https://lnkd.in/eGctttUu Repository: https://lnkd.in/eG3-HiAk #pentesting #owasp #zap #docker #appsec #cybersecurity #websecurity #troubleshooting #owasptop10 #appsec
-
WTM18 - OWASP 10 A07 - Identification and Authentication Failures (Lab - OWASP Zed Attack Proxy pentesting) Diving into the security testing guidelines of OWASP for the 7th position, identification and authentication failures, an intersection point was the OWASP ZAP tool. Zed Attack Proxy is a pentesting tool that sits as a proxy between the browser and the targeted application. We were playing around with it on our latest lab using the Docker approach (WebSwing for the UI). We were able to catch 2 main problems during the execution of the tool: colliding ports and wrong address resolution (a subtle one that can easily go unnoticed). For extended pentesting: 1. API scanning 2. Manual scanning 3. Automation framework (new feature and 100% customizable through yml files) Article: https://lnkd.in/em98PZWH Repository: https://lnkd.in/e9nNFAax #appsec #owasp #cybersecurity #owasptop10 #authenticationfailures #identificationfailures #softwaresecurity #pentesting #zap #websecurity
-
GitHub acts on npm security after Shai-Hulud worm attack: Enhanced trusted publishing to limit ongoing supply chain attacks. #Technology #ITNews
-
A publicly available proof-of-concept (PoC) exploit has been released for CVE-2025-32463, a local privilege escalation (LPE) flaw in the Sudo utility that can grant root access under specific configurations. Security researcher Rich Mirch is credited with identifying the weakness, while a functional PoC and usage guide have been published in an open GitHub repository, accelerating the urgency for patching across Linux environments that rely on Sudo’s chroot functionality. Stay connected to Aashay Gupta, CISM, GCP for content related to Cybersecurity. #LinkedIn #Cybersecurity #Cloudsecurity #AWS #Cyberthreats https://lnkd.in/e-N8-ymg
-
The CI/CD pipeline is a critical attack vector. A single compromised open-source dependency can compromise thousands of downstream users. The threat isn't just a data leak anymore. If a team member's computer gets hacked, the attacker gains the keys to your entire cloud environment. With a single tool, the infamous AWS-Nuke, they can instantly delete every server, database, and all your assets. We're talking about total, irreversible destruction in seconds. #CloudSecurity #CyberAttack #DevOps #SecurityAwareness
The Shai-Hulud attack (and the most likely related recent #Nx) are showing us that while the attack methodology keeps evolving, attackers are still ultimately out for the same thing: Secrets and the access they grant. Shai-Hulud targeted the npm ecosystem, compromising popular packages like @ctrl/tinycolor to steal developer credentials. It leaked 278 secrets on GitHub, primarily GitHub tokens, NPM tokens, and AWS keys. While most were quickly revoked, 37 remained valid - mainly GitHub API tokens enabling follow-on attacks. Also, attackers are systematically making private repositories public, instantly exposing embedded secrets. We've identified at least 850 private repos made public during Shai Hulud. When we started GitGuardian, secrets sprawl was a minor IT issue. Hardcoded plaintext credentials were standard practice. But after years of identity-based attacks, organizations finally began addressing this risk. Now we're seeing attackers adapt. Traditional methods like Google dorking for API keys still work, but not as effectively as before. They're finding new exposure vectors, such as using stolen GitHub credentials on the laptop to convert private repositories into public ones. Threats are going to continue to evolve, and we are going to keep working to make it easier to get a handle on secrets management and NHI governance at scale, so we can keep making it harder for would-be attackers.
-
Cybersecurity risks are increasingly expanding into the software supply chain, with attackers exploiting automated workflows to harvest credentials. The latest campaign — known as “GhostAction” — reportedly impacted hundreds of repositories and extracted thousands of secrets like tokens and keys. The incident underscores the need for stronger guardrails around code workflows, credential storage, and repository access. Organizations and developers alike must prioritize transparent security practices, rapid incident response, and continuous scrutiny of development pipelines. https://lnkd.in/gJHHkyJk #SupplyChainSecurity #GhostAction #DevSecOps #CredentialRisk #CodeWorkflow #RepositorySecurity #IncidentAwareness #SecurityPractices #DevOpsSafety #RiskMitigation #UnderstandingEnterpriseTech #EnterpriseTechnologyNow #EnterpriseTechnologyToday