Tootfinder

Opt-in global Mastodon full text search. Join the index!

@johl@mastodon.xyz
2025-12-05 10:27:49

🎅 🌲 💫
Alleys shine with a Christmas glow
Crowds rush off to do their shopping
Indoors the candles burn bright
Only system administrators
Listen anxiously to the rumblings of the network
Hark! #React2Shell is approaching!

@hanno@mastodon.social
2025-12-02 10:32:05

I've recently stumbled upon an RCE "exploit" for the Serendipity blog software, which I happen to use and have contributed to in the past. From what I can tell, it does nothing interesting (it does not even work due to broken indents, if one fixes that it uploads a PHP shell given existing credentials, but that won't be executed unless you have a server config that executes .inc files). I'm 95% certain this is bogus. Yet... in case anyone wants to have a look:

@newsie@darktundra.xyz
2026-02-03 16:33:38

Russian state hackers exploit new Microsoft Office flaw in attacks on Ukraine, EU therecord.media/russian-state-

@heiseonline@social.heise.de
2025-12-27 13:03:00

"MongoBleed": Exploit for critical vulnerability in MongoDB makes attacks easier
Anyone responsible for a MongoDB instance cannot sit back: an exploit for a serious vulnerability makes upgrades even more urgent now.

@primonatura@mstdn.social
2025-12-02 13:00:07

"EU seeks to exploit nature-based products for competitiveness push, green groups say"
#EU #EuropeanUnion #Nature

@NFL@darktundra.xyz
2026-02-05 10:31:52

Inside Patriots-Seahawks Super Bowl matchup: What to watch when New England has the ball nytimes.com/athletic/7019593/2

@heiseonline@social.heise.de
2025-12-27 14:29:00

"MongoBleed": Exploit for critical vulnerability in MongoDB makes attacks easier
Anyone responsible for a MongoDB instance cannot sit back: an exploit for a serious vulnerability makes upgrades even more urgent now.

@NFL@darktundra.xyz
2025-12-04 15:19:36

The Playbook: Shadow Reports, lineup locks for Week 14 espn.com/fantasy/football/stor

@ber@social.tchncs.de
2026-02-02 11:29:26

"human fracking
The use of information technology to exploit human attention in ways that are net counterproductive to the persons thus exploited
" en.wiktionary.org/wiki/human_f

Just learned about the term, reading

@metacurity@infosec.exchange
2026-01-28 14:16:24

Check out today's Metacurity to stay up-to-date on the critical infosec developments you should know, including
--The interim head of CISA uploaded sensitive documents to ChatGPT,
--Koreans to be notified of possible data breaches,
--Operations at Russian security systems outfit were disrupted by a cyberattack,
--EU-India security deal omits hackers-for-hire,
--Threat actors exploit a high-severity vulnerability in WinRAR,
--Mustang Panda can steal logi…

Fundamentalist Christian influencer Allie Beth Stuckey
doesn’t see empathy as a failure of evolution (like Elon Musk does).
As a creationist who denies the scientific reality of prehistoric dinosaurs,
she doesn’t even believe in evolution.
Stuckey has made it her mission to rewrite the teachings of Jesus so that her savior is a harsh disciplinarian
whose “love” has little to do with empathy.
Stuckey’s book
“Toxic Empathy: How Progressives Exploit C…

@philip@mastodon.mallegolhansen.com
2025-12-29 02:40:41

@… As a “computer person” in this equation, it strikes me as obvious that, if some exploit exists, no matter how hard you try to keep it secret, bad actors are already out there who possess the knowledge.
Trying to keep it under wraps only serves to allow those actors to exploit the issue, without the rest of us being any wiser.
I suppose that’s ex…

@ErikJonker@mastodon.social
2025-12-26 17:46:23

“you can just supply an IP address of a MongoDB instance and it’ll start ferreting out in memory things such as database passwords (which are plain text), AWS secret keys etc. The exploit specifically looks for those class of credentials and secrets, too.”
doublepulsar.com…

@Techmeme@techhub.social
2025-11-27 06:26:01

South Korean crypto exchange Upbit suspended deposits and withdrawals after saying $37M worth of Solana tokens were moved to an unauthorized external wallet (Sidhartha Shukla/Bloomberg)
bloomberg.com/news/articles/20

@gray17@mastodon.social
2026-01-29 19:15:10

"AI democratizes creativity and talent" => "AI offers everyone a minion they can exploit ruthlessly"
... sure it's possible to ethically use dollar-store fluffers when you can't afford professionals or can't attract volunteers, but maybe don't delude yourself into thinking it's something else?

@stefan@gardenstate.social
2026-01-28 02:04:59

Hard to argue with this.
platformer.news/social-media-s

The next time you go to Las Vegas, you'll notice that there are no 13-year-olds in the
casinos. The reason is not because a series of longitudinal studies proved to the
satisfaction of the gaming industry that gambling causes anxiety and depression. Rather,
there are no 13-year-olds in casinos because we know that the environment is designed to
exploit them.

US plans to exploit Venezuela’s oil reserves could by 2050 consume 🔥more than a tenth of the world’s remaining carbon budget to limit global heating to 1.5C, according to an exclusive analysis.
The calculation highlights how any moves to further exploit the
South American nation’s oil reserves
– the largest in the world,
at least on paper
– would put increasing pressure on climate goals,
and risk plunging the globe further into climate catastrophe.
<…

@metacurity@infosec.exchange
2025-11-06 22:02:44

Chris Krebs compared the Balancer exploit to the scheme from Office Space, where the idea was to skim fractions of a penny off the top of many individual transactions.
Krebs also pointed to the possible use of artificial intelligence in crafting the exploit code as another interesting aspect of the situation.

@Mediagazer@mstdn.social
2025-12-11 15:01:44

Disney sends Google a cease-and-desist, accusing Google of copyright infringement on a "massive scale" and using AI to "exploit and distribute" the content (Todd Spangler/Variety)
variety.com/2025/digital/news/

@newsie@darktundra.xyz
2026-02-02 14:04:10

Notepad hijacked by suspected state-sponsored hackers therecord.media/popular-text-e

@pre@boing.world
2025-11-23 20:40:43
Content warning: re: bitcoin conference report

The conference is over now. I likely wouldn't have come for just a bitcoin thing, but I am very interested in redecentralizing the web, so its attachment to the nostr day pulled me in.
Everyone I met was friendly and interesting and seems much more interested in making a better money system than in making money for themselves.
Our government and bank money systems are dysfunctional in all kinds of ways which are often less visible than they should be to people using them, especially to those in Europe and America who benefit from the way those systems exploit the global south.
I'm not convinced that fixing that would end wars and fix broken government as some seem to think, but I am sure our money is the source of many problems.
There are many bright, well meaning, and intelligent people building to improve bitcoin in fascinating ways with the hope of having a parallel system to transition to. With lots of work still to be done.
Can it work?
I'm sure I don't know, and I'm sure even if it's a better system it'll come with its own unfairness and cruelty. Money will continue to be a source of suck and worry.
I'm told that the bigger conferences are often full of shitcoin scammers and suit wearing banksters who are in fact all in it to get rich and rip people off, but I found none of that here.
Here there is a real community of people trying to make the world a better place and improve the lives of their neighbours and governance of their countries.
And in the end building community is the most radical and effective way to change the world regardless of the problems of its money system.
I had a great time. Thanks to those organising it.
#bitfest #bitcoin

@deprogrammaticaipsum@mas.to
2025-11-22 11:38:28

"In Phrack Magazine, this author learned at the end of the 1990s the subtle art of smashing the stack, an exploit that would become the starting point of many a computer security book afterward.
There is one magazine that has been around for a decade: the “International Journal of Proof-of-Concept or Get The Fuck Out”, or “PoC||GTFO”.
(I should have probably warned readers about the profanity in the title, but nah, I assume them to be adults at this point.)"

@hex@kolektiva.social
2025-11-21 10:25:31

It's also interesting that we're only tangentially making the connection between shit social media and fascism. What we are not saying is that control of social space *is* a form of governance. Humans have the right to free social spaces, both physical and digital.
When we think about social media as a system of control, as a government, we see that capitalist social media results in incredibly abusive dictatorships. These dictatorships exist solely to exploit their citizens, extracting both labor and attention, for the gain of a few. They manipulate their citizens to keep them locked in. It's not a coincidence that these systems algorithmically promote fascist ideology. They are themselves a type of fascist government that pushes fascism into the physical space.

@fanf@mendeddrum.org
2025-12-20 18:42:01

from my link log —
What they don't tell you about demand paging in school.
offlinemark.com/2020/10/14/dem
saved 2020-10-17

@metacurity@infosec.exchange
2026-01-22 14:28:39

Even if you're gearing up for a monster winter storm, take the time to check out today's Metacurity for the most crucial cybersecurity developments you should know, including
--Acting CISA head got grilled on mass firings at the agency,
--EU's CIRCL launches GCVE system,
--DeFi project EVM was exploited for $6m,
--Attackers exploit patch bypass for FortiGate flaw,
--Cisco fixes Unified Communications and Webex Calling RCE flaw,
--Mass spam wave …

@Techmeme@techhub.social
2025-12-11 14:59:29

Disney sends Google a cease-and-desist, accusing Google of copyright infringement on a "massive scale" and using AI to "exploit and distribute" the content (Todd Spangler/Variety)
variety.com/2025/digital/news/

@NFL@darktundra.xyz
2025-12-31 22:19:14

The Playbook: Shadow Reports, lineup locks and projected scores for Week 18 espn.com/fantasy/football/stor

A massive WhatsApp security flaw exposed the phone number of almost every user on the planet
– despite the fact that parent company Meta had been alerted to the vulnerability way back in 2017.
Security researchers were able to use what they described as a “simple” exploit to extract a total of 3.5 billion phone numbers from the messaging service …
The researchers say that if the same exploit had been used by bad actors, the result would have been “the largest data leak in …

@grumpybozo@toad.social
2026-01-12 02:49:41

Using MS365 for email is accepting the combined unknown unknowns of both MS operating policy choices and their other customers’ security.
And the KNOWN risk that it makes phishing much easier to execute in ways which are harder to catch.
#Sysadminnery @…

@newsie@darktundra.xyz
2025-11-26 14:43:07

Hackers exploit 3D design software to target game developers, animators therecord.media/hackers-blende

@joxean@mastodon.social
2025-11-10 09:50:59

Rapid insights for malware analysts, by Marc Rivero (@…).
Talk about r2inspect "a framework for static malware analysis built on top of radare2 and r2pipe, providing accurate detection of obfuscated strings, cryptographic signatures, exploit mitigation analysis, and more".

@geant@mstdn.social
2025-11-11 12:51:49

🚨An email pops up: “Quick! Can you upload the contract here? My VPN’s down!”
It looks like your colleague. It feels urgent. But is it real? 👀
Smishing messages like these exploit trust and urgency, making us act before we think.
It’s easy to slip into autopilot when we’re busy.
But #digitalmindfulness means slowing down, even if for just a few seconds.
🔗 W…

GÉANT Cybersecurity 2025 campaign: Animated video 4

@pre@boing.world
2025-11-22 10:59:21
Content warning: re: bitcoin conference report

A panel of people from a few different countries.
The UK, where the event is, and the US currently have money which perhaps is good enough that the people there don't see much need to replace the money. Running global reserve currency helps exploit other poorer countries. The problems are fairly invisible.
But in other countries, poorer countries with even worse money, countries more exploited by debasement of the global reserve currencies, the problems with government money are more evident. They see the need for an alternative more strongly.
Adoption is important though. Money is only money if it's widely accepted. So given the choice of more users or higher price, the panel would all pick more users.
#bitfest #bitcoin

@metacurity@infosec.exchange
2026-01-20 14:21:06

Don't miss today's Metacurity for a concise round-up of the most critical infosec developments you should know, including
--UK's NCSC warns of Russian-aligned hacktivist groups,
--UK and China enter a forum to discuss cyberattacks,
--Makina Finance lost $4.2m in an exploit,
--Ingram Micro report ransomware attack affecting 42k,
--Minnesota DHS breach affected 304k,
--SK Telecom appeals $91m fine,
--NexShield malvertising campaign crashes b…

@Mediagazer@mstdn.social
2025-11-20 21:26:06

A look at Rupert Murdoch's California Post, which will focus on LA, Silicon Valley, and Sacramento when it launches in 2026; Ian Mohr will lead CA Page Six (Lachlan Cartwright/Vanity Fair)
vanityfair.com/hollywood/story

@cosmos4u@scicomm.xyz
2025-12-06 16:45:43

TDCOSMO 2025 - Cosmological constraints from #StrongLensing time delays: aanda.org/articles/aa/full_htm -> A speed camera for the universe: u-tokyo.ac.jp/focus/en/press/z - researchers exploit gravitational lensing to see how fast the universe is really expanding.

@cellfourteen@social.petertoushkov.eu
2025-12-07 20:27:04

This kind of circular causality is exactly the reason why I don't have even a burner account on X. As a social website, it went belly up more times than its owner's talk of colonizing anything in space.
X axes European Commission’s ad account after €120M EU fine – POLITICO

@metacurity@infosec.exchange
2025-12-17 14:21:59

Check out today's packed Metacurity for the most critical infosec developments you should know, including
--Venezuela's state-run oil company PDVSA was hit by a cyberattack,
--Coupang's founder failed to show at parliamentary hearing,
--Vast majority of parked domains foist scams and malware,
--FTC orders Nomad to pay victims after hackers stole cryptocurrency,
--noyb alleges data exposure by TikTok, Grindr and AppFlyer,
--Hackers exploit critica…

@NFL@darktundra.xyz
2025-11-27 22:04:30

The Playbook: Shadow Reports, lineup locks espn.com/fantasy/football/stor

@pre@boing.world
2025-11-21 14:55:36

Wouter Constant is talking about permissionlessness. Nostr is a protocol that doesn't need some central server to authenticate your requests. Which is good. But this means that, say, children can use it without parents' permission.
Online safety act and others are closing down the internet to protect them kids. So can nostr have accounts that do need permission? Can it be made kid safe? If only to satisfy crazy governments under parent pressure.
Weboftrustfoundation exists to try and build kidstr, some kind of nostr for children.
Mostly just asking questions so far. How can it work? How can it avoid labelling vulnerable people to exploit?
#nostr #permissionlessness #nostrshire

@primonatura@mstdn.social
2026-01-09 15:00:03

"A ‘fossil-fuelled war': Trump’s plans to ‘exploit’ Venezuela’s oil reserves sparks climate backlash"
#US #USA #America #Vanezuela

@metacurity@infosec.exchange
2026-01-16 15:12:28

Before you head out for the weekend, check out today's Metacurity for the most critical infosec developments you should know, including
--Trump officials might boycott RSAC citing Easterly's CEO position,
--Grubhub confirms data breach,
--China's UAT-8837 breached CIC orgs in N. America,
--Hackers exploit top severity flaw in Modular DS WordPress plugin,
--Flaw in MD CPUs exposes secure virtualization environment,
--Gemini 'personal intelli…

@Techmeme@techhub.social
2025-12-07 15:05:52

Nikita Bier accuses the European Commission of trying to deceptively amplify the reach of its post about the €120M fine on X; X terminates the EC's ad account (Bjarke Smith-Meyer/Politico)
politico.eu/article/x-axes-eur

@primonatura@mstdn.social
2026-01-16 15:00:10

"US plan to exploit Venezuela’s oil could eat up 13% of carbon budget to keep 1.5C limit"
#US #USA #America #Venezuela

@NFL@darktundra.xyz
2025-12-21 13:44:34

The Playbook: Shadow Reports, lineup locks for Week 16 espn.com/fantasy/football/stor

@NFL@darktundra.xyz
2025-12-18 15:05:28

The Playbook: Shadow Reports, lineup locks for Week 16 espn.com/fantasy/football/stor

@hex@kolektiva.social
2025-11-19 06:07:23

Part of why #Trump has always been so hard to pin down politically is that he was always representing highly conflicting interests. Now, as that eats him alive, the GOP is fracturing into two main groups: the Pinochet/Franco wing and the Hitler wing.
The Pinochet/Franco wing (let's call them PF) are led by Vance. PF are also a coalition with some competing interests, but basically it's evangelical leaders, Opus Dei (fascist catholics), tech fascists (Yarvinites), pharma, and the other normal big republican donors. They support Israel, some because apartheid is extremely profitable and some because they support the genocide of Palestinians in order to bring the end of the world. They are split between extremely antisemitic evangelicals and Zionists, wanting similar things for completely different reasons. PF wants strong immigration enforcement because it lets them exploit immigrants, they don't want actual ethnic cleansing (just the constant threat). They want H1B visas because they want a precarious tech work force. They want to end tariffs because they support free trade and don't actually care about things being made here.
The Hitler wing are led by Nick Fuentes. I think they're a more unified group, but they're going to try to pull together a coalition that I don't think can really work. They're against Israel because they believe in some bat shit antisemitic conspiracy theory (which they are trying to inject alongside legitimate criticism of Israel). They are focused on release of the #EpsteinFiles because they believe that it shows that Epstein worked for Mossad. They don't think that the ICE raids are going far enough, they oppose H1Bs because they are racists. They want a full ethnic cleansing of the US where everyone who isn't "white" is either enslaved for menial labor, deported, or dead. But they're also critical of big business (partially because of conspiracy theories but also) because they think their best option is to push for a white socialism (red/brown alliance).
Both of them want to sink Trump because they see him as standing in the way of their objectives. Both see #Epstein as an opportunity. Both of them have absolutely terrifying visions of authoritarian dictatorships, but they're different dictatorships with opposing interests. Even within these there may be opportunities to fracture these more.
While these fractures decrease the likelihood of either group getting enough people together, their vision is more clear and thus more likely to succeed if they can make that happen. Now is absolutely *not* the time to just enjoy the collapse, we need to keep up or accelerate anti-fascist efforts to avoid repeating some of the mistakes of history.
Edit:
I should note that this isn't *totally* original analysis. I'll link a video later when I have time to find it.
Here it is:
#USPol

@NFL@darktundra.xyz
2025-11-06 14:49:06

The Playbook: Lineup locks, Shadow Reports for Week 10 espn.com/fantasy/football/stor