Infosec In Brief Researchers have urged users of the glob file pattern matching library to update their installations, after discovery of a years-old remote code execution flaw in the tool's CLI.
Glob is used to find files using wildcards, is usually run as a library API, and is an all but universal part of the JavaScript stack. This vulnerability lives in glob's CLI tool – specifically the tool's -c flag used to execute commands on matching files.
Spotted by security researchers at automated infosec outfit AISLE, the 7.5-rated vuln (CVE-2025-64756) doesn't affect every glob user.
It is there that the problem begins: glob is programmed with shell: true enabled by default, meaning that whenever a file is found using glob's CLI tool with a -c flag it passes the file to a shell for execution. On POSIX systems specifically (e.g., Linux, macOS, BSD, etc.), shell metacharacters included in a file name are executed as if they were code, meaning a file touched by glob -c with a maliciously crafted name will do whatever an attacker wants it to.
"The implementation assumed filenames were trusted data, but this assumption was flawed," AISLE researchers noted. The researchers suspect the flaw went unnoticed for so long because, despite glob being downloaded more than ten million times a week on average, the CLI tool is rarely used, "and even fewer know that -c executes via a shell."
Glob versions v10.2.0 through v11.0.3 are vulnerable, and even then only in specific environments that process files from untrusted sources on POSIX systems with CI/CD pipelines or build scripts that invoke glob -c or glob --cmd.
Glob v10.5.0, v11.1.0, and v12.0.0 fix the issue; glob users who can check off all of the vulnerability criteria are advised to update as soon as possible.
CISA warns of drone threat
The USA's Cybersecurity and Infrastructure Security Agency (CISA) last week warned critical infrastructure managers to "be air aware" as the threat from unmanned aircraft systems (UAS – aka drones) continues to grow.
Drones, CISA said, can be used to deliver hazardous payloads that could damage infrastructure and harm people, conduct surveillance, and even possibly assist in cyberattacks.
"We continue to observe concerning UAS activity over sensitive critical infrastructure sites, which can interfere with regular facility operations, disrupt emergency response or authorized flight operations, and provide intelligence to malign actors," CISA noted.
While the agency doesn't have any information to suggest domestic or foreign extremists are currently using drones to plan attacks, intelligence suggests they've considered it.
Do you know where your DNS is pointing?
ESET researchers have discovered an attacker-in-the-middle kit being used by China-aligned threat actors that could be deploying malicious updates on networks while leaving scant evidence of its actions.
ESET said the PlushDaemon APT group is behind the "EdgeStepper" network implant that hijacks DNS traffic and sends it to malicious nodes controlled by the threat actors.
The vendor thinks attackers install EdgeStepper by exploiting existing vulnerabilities in software running on network devices, or by gaining access to those devices using default or weak passwords. Once installed, EdgeStepper monitors traffic, and when it detects a device trying to connect to a domain linked to software updates it snags the traffic and pushes out a malicious update package, further infecting machines on a compromised network.
Samourai cofounders head to prison
The cofounders of cryptocurrency laundering service Samourai Wallet are headed to prison, the Justice Department announced last week.
Samourai CEO Keonne Rodriguez will be up to five years behind bars, while his cofounder and CTO William Lonergan Hill scored himself four years in Club Fed, for their roles running the service, which the Justice Department said was actively marketed to criminals as a place to transmit their ill-gotten gains.
The service was used to launder more than 80,000 Bitcoin, amounting to around $2 billion at the time.
Cox caught in Oracle's E-Business Clop mess
Media conglomerate Cox Enterprises has admitted theft of 9,479 people's data stored in its Oracle E-Business instances as a result of ransomware gang Clop's reported attack on Big Red's software.
Cox began sending breach notifications last week. The Register has seen some of the mails, which mention exposure of customer names and include blank fields to report other stolen information. The state of Maine's breach notification page, likewise, doesn't include any specifics as to what was exposed.
Cox, which has a number of subsidiaries including the Cox Communications broadband service, has been caught up in a lot of security incidents over the years, including a rather embarrassing incident in which an employee was tricked into handing over a database containing hundreds of thousands of customer records to a hacker who pretended to be a member of the firm's IT department. At least Cox can blame this one on a third party.®