
@N3mes1s
N3mes1s / 2026.4.0-bw1-public-gist.md
Last active April 24, 2026 15:21
@bitwarden/cli@2026.4.0 bw1.js supply-chain worm analysis

@bitwarden/cli@2026.4.0 - bw1.js Supply-Chain Worm Analysis

Date: 2026-04-23

Analysis

The npm package @bitwarden/cli@2026.4.0 contains a malicious install-time payload. The package adds a preinstall hook that runs a Node bootstrapper, downloads Bun if needed, then executes a large obfuscated Bun bundle named bw1.js.

This is a full supply-chain worm and secret exfiltration agent. It harvests local secrets, CI secrets, GitHub repository secrets, and cloud secret stores, then exfiltrates encrypted results and uses stolen npm tokens to publish infected package updates.

@N3mes1s
N3mes1s / attack_chain.md
Created April 10, 2026 17:30
Adobe Reader Zero-Day — Full Attack Chain Analysis (SHA-256: 54077a5b...)

Adobe Reader Zero-Day — Full Attack Chain Analysis

Analyzed using Adobe's real SpiderMonkey JS engine (EScript.api) running on Linux; the engine was loaded via a taviso/loadlibrary fork.

Sample Info

  • SHA-256: 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f
@N3mes1s
N3mes1s / ANALYSIS.md
Last active April 21, 2026 08:36
CPU-Z 2.19 Supply Chain Attack Analysis (April 2026) - Trojanized DLL Sideloading with Zig-compiled CRYPTBASE.dll, IPv6-encoded .NET deserialization, MSBuild persistence

CPU-Z 2.19 Supply Chain Attack - Malware Analysis Report

Date: 2026-04-10
Analyst: nemesis
Classification: Trojan / Backdoor (Alien RAT variant)
Severity: CRITICAL
Campaign ID: CityOfSin (extracted from C2 callback UTM parameters)
Scope: CPUID official domain compromise affecting CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor 2, powerMAX, and separately FileZilla
Status: Breach confirmed and fixed by CPUID; the site was compromised for ~6 hours on April 9-10, 2026
CPUID Statement: "A secondary feature (a side API) was compromised for approximately six hours [...] causing the main website to randomly display malicious links. Our signed original files were not compromised."

@N3mes1s
N3mes1s / FULL_REPORT.md
Last active April 22, 2026 08:43
Adobe Reader Zero-Day PDF Exploit - Full Forensic Analysis (SHA-256: 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f)

Adobe Reader Zero-Day PDF Exploit - Full Forensic Analysis

SHA-256: 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f
Analysis Date: 2026-04-08
Related Research: EXPMON Blog - Zero-Day Adobe Reader Exploit
VirusTotal: VT Report


1. Executive Summary

@N3mes1s
N3mes1s / CVE-2026-5245.md
Last active April 2, 2026 11:53
CVE-2026-5245: Cesanta Mongoose mDNS Stack Buffer Overflow PoC (dynamic loop verified)

CVE-2026-5245: Stack Buffer Overflow in Cesanta Mongoose mDNS Handler

Vulnerability Type

  • Type: Stack-based Buffer Overflow
  • CWE: CWE-121 (Stack-based Buffer Overflow)
  • CVE: CVE-2026-5245
  • Affected Software: Cesanta Mongoose <= 7.20, fixed in 7.21

Target

  • Endpoint: UDP port 5353 (mDNS multicast address 224.0.0.251)
@N3mes1s
N3mes1s / 00_README.md
Last active April 13, 2026 17:21
Axios npm Supply Chain Compromise (2026-03-31) — Full RE + Dynamic Analysis + BlueNoroff Attribution | 17 SHA256 | YARA/Sigma/Suricata rules | Live peinject validation on Daytona

Axios npm Supply Chain Compromise — Full Analysis Package

Date: 2026-03-31 | Attribution: BlueNoroff / Lazarus Group (HIGH confidence) | Attack: Maintainer account hijacked, cross-platform RAT deployed via axios@1.14.1 and axios@0.30.4

What happened

On March 30-31, 2026, the npm package axios (~83M weekly downloads) was compromised through a maintainer account hijack. Two malicious versions injected plain-crypto-js@4.2.1, an obfuscated dropper that deploys platform-specific RATs (Windows PowerShell, macOS Mach-O C++, Linux Python). The macOS RAT is classified as NukeSped (Lazarus-exclusive). The internal project name macWebT links directly to BlueNoroff's documented RustBucket webT module from 2023.

File Index

@N3mes1s
N3mes1s / telnyx-4.87.2-vs-4.87.0.md
Created March 27, 2026 09:08
telnyx-4.87.2-vs-4.87.0.md

Release Diff: pypi:telnyx

  • Baseline: 4.87.0
  • Target: 4.87.2
  • Generated: 2026-03-27T09:05:06.509752+00:00
  • Status: unknown -> unknown
  • Artifacts: +1 -1 ~0
  • Metadata keys: +0 -0 ~1
  • Content: wheel +4 -4 ~2
@N3mes1s
N3mes1s / litellm-1.82.8-report-v6.md
Created March 25, 2026 14:56
litellm-1.82.8-report-v6.md

Release Diff: pypi:litellm

  • Baseline: 1.82.6
  • Target: 1.82.8
  • Generated: 2026-03-25T14:54:22.817951+00:00
  • Status: active -> unknown (changed)
  • Artifacts: +1 -2 ~0
  • Metadata keys: +1 -4 ~0
  • Content: wheel +40 -39 ~27
@N3mes1s
N3mes1s / CVE-2025-67644.md
Created December 10, 2025 21:05
SQL Injection in LangGraph SQLite Checkpointer - CVE-2025-67644

SQL Injection in LangGraph SQLite Checkpointer - CVE-2025-67644

Report Date: December 10, 2025
Advisory ID: GHSA-9rwj-6rc7-p77c
Reproduction Status: ✅ CONFIRMED

Executive Summary

@N3mes1s
N3mes1s / GHSA-4r66-7rcv-x46x.md
Created December 10, 2025 08:03
SiYuan Zip Slip + Pandoc Binary Execution RCE

Security Report: SiYuan Zip Slip + Pandoc Binary Execution RCE (GHSA-4r66-7rcv-x46x)

Executive Summary

SiYuan Note versions through v3.4.2 contain a chained vulnerability allowing authenticated remote code execution. The /api/archive/unzip endpoint is vulnerable to Zip Slip (path traversal), enabling attackers to write arbitrary files outside the intended workspace. Combined with the /api/setting/setExport endpoint which executes user-supplied pandocBin paths for validation, an attacker can overwrite system executables and trigger their execution. This report is self-contained and documents the full reproduction procedure, evidence, and remediation guidance.

Vulnerability Overview

  • Identifier: GHSA-4r66-7rcv-x46x
  • CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')