SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 91

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape:

  - Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka
  - Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government
  - RoadK1ll: A WebSocket Based Pivoting Implant
  - axios Compromised: npm Supply Chain Attack via Dependency Injection
  […]

Image or Malware? Read until the end and answer in comments :)

A malicious email delivered a .cmd malware that escalates privileges, bypasses antivirus, downloads payloads, sets persistence, and self-deletes. A friend sent me this email for analysis. First, let me express my thanks to Janô Falkowski Burkard for this amazing contribution. A little context: he received an email that was really strange and […]

Qilin ransomware group claims the hack of German political party Die Linke

Qilin ransomware claims it stole data from Germany’s Die Linke and threatens to leak it; the party confirmed the incident, but not a breach. The Qilin ransomware group claims it stole data from Die Linke, a German political party, and is threatening to release it. Die Linke is a left-wing political party in Germany. Its […]

U.S. CISA adds a flaw in TrueConf Client to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in TrueConf Client to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in TrueConf Client, tracked as CVE-2026-3502 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog. TrueConf is a videoconferencing platform often used in secure, offline […]

European Commission breach exposed data of 30 EU entities, CERT-EU says

CERT-EU says a European Commission cloud hack exposed data from 30 EU entities and links the breach to the TeamPCP group. CERT-EU attributed a European Commission cloud breach to the TeamPCP threat group, revealing that data from at least 30 EU entities was exposed. The incident was publicly disclosed on March 27 after inquiries confirmed […]

Reintroducing TarantuLabs – free web app CTF labs!

I got into cybersecurity 4 years ago – back when I was still doing night shifts as a security guard. During my learning, I remember that the THM and HTB paywalls were fairly annoying.

4 years later, with a few years as a security researcher on my CV, I thought it’s time to give back.

TarantuLabs is a site where you can practice your web app bug bounty skills, for free. Currently there are 12 labs there, and more will be added every week!

The labs are AI generated, but each has passed a comprehensive test suite to make sure they work, and for the first batch I also solved them manually and verified they work as well.

The labs load client-side, meaning you don’t need to wait for a Docker or VM to boot up somewhere. Just wait for a few seconds in your browser for all the dependencies to be installed, and you’re good to go! This approach solves multiple problems I’ve had when I first started this project, and I’ll elaborate more below. Read if you’re interested. If not, go ahead to:

www.tarantulabs.com

For those who’ve stayed and who may remember when I first started – and then scrapped – this project, here were my challenges, and how I solved each of them:

  1. An AI bottleneck: a year ago, the models that generated the labs created dull, boring labs, which were either technically unsolvable, or solved via a single basic SQL query.
  2. Cloud costs: using AI to generate the labs solved the cost of work of generating these labs. But hosting them proved to be more expensive than I expected, and ended up costing me enough for me to shut this down.
  3. Security: even if I were to bear the cloud costs, I still didn’t have the time to build proper security and virtualization infra to make sure no user can access another user’s resources, and escalate from there.
  4. And, honestly, UX: even after I finished the previous iteration, I found myself stopping and looking at the site and… didn’t really want to use it.

These problems, primarily the AI bottleneck one, have forced me to wait almost a year for the models to be capable enough to produce labs worth solving. After that, here were my solutions to the problems:

  1. The AI bottleneck was solved. Better, more consistent, and diverse labs, which were actually solvable and interesting.
  2. Cloud costs and security were solved with the decision to run the labs client-side. These labs are run in your browser via an iframe – so I bear no cloud costs, and there’s no real security risk of any user breaking into another user’s resource.
  3. Moving away from clumsily routing from my site to the cloud to spinning up the labs, which would all take a few mins, to loading everything client-side made everything buttery smooth. Also, the UI now looks better.

The downside of moving everything to be client-side is that I had to give up on certain vulnerability classes and specific labs I had in mind, so bear that in mind.

I hope you like it and try it out, and if you know anyone wishing to break into the field, go ahead and share it with them!

submitted by /u/dvnci1452

North Korea–linked hackers drain $285M from Drift in sophisticated attack

Drift lost $285M in a sophisticated attack, likely by North Korea, who used nonce-based tricks to gain control and quickly drain funds. Drift suffered a $285 million cryptocurrency heist in a highly sophisticated attack likely linked to North Korea. Threat actors used durable nonce accounts to pre-sign and delay transactions, while also compromising multisig approvals […]

CrystalX RAT: new MaaS malware combines spyware, stealer, and remote access

CrystalX RAT, a new sophisticated MaaS malware, combines spyware, data theft, and remote access, allowing attackers to monitor victims. In March 2026, Kaspersky researchers uncovered a Telegram-based campaign promoting a previously unknown malware sold as a MaaS with three subscription tiers. The Trojan offers a wide range of features, including RAT capabilities, data theft, keylogging, […]

Pro-Iran Handala group breached Israeli defence contractor PSK Wind Technologies

Iran-linked hackers claim to have breached Israeli air defence contractor PSK Wind, which develops command and control systems. Pro-Iran Handala group announced on April 2 that it breached PSK Wind Technologies, an Israeli engineering and IT firm specializing in integrated systems for defense and critical communications, including command and control solutions. Handala appears as a […]