cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
Supply-chain attack using invisible code hits GitHub and other repositories
Short summary: https://hackerworkspace.com/article/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories
This dumb password rule is from United Parcel Service of America.
Your password must:
- Be between 7 and 26 characters long
- Contain at least 1 lowercase character
- Contain at least 1 uppercase character
- Contain at least 1 number character
- Contain one special character (!@#$%*)
- NOT contain first or last name
- NOT contain UPS user ID
- NOT contain email...
https://dumbpasswordrules.com/sites/united-parcel-service-of-america/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The SSH Key Breadcrumb Trap 🦩
Most honeypots have one fatal flaw: they're too clean.
Empty bash history. Pristine directories. No evidence of actual use. Attackers notice.
So I plant breadcrumbs. 🤷♀️
Realistic bash history. A private SSH key in .ssh/. History showing SSH connections to "other servers" using that key.
Those "other servers"? Also honeypots!
When bots hit my honeypots, they brute force and move on. Boring.
But when a HUMAN does post-compromise recon, finds that key, and tries to pivot to those other servers?
Critical Wazuh alert, because only humans do this!!
Bots don't read history files. They don't hunt for lateral movement opportunities. They don't use found SSH keys.
Standard attacker tradecraft requires checking for keys and using them. If they skip it, they might miss real opportunities. If they follow it, I know I'm dealing with an actual human threat actor.
It's a catch-22. And it works beautifully. (And "@sashatheflamingo Approved")
Full writeup coming to sashatheflamingo.xyz soon!!
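The detection side of the breadcrumb trap described in the post above, as an added example that is not the author's code or their Wazuh rule set: it scans sshd log lines on a second-tier honeypot for a login made with the planted key and keeps password brute-force noise separate. The fingerprint, IP addresses, host names and log lines are constructed, and the tier-1 address list is an assumption used to tell a pivot made from the first honeypot apart from reuse of a copied key.

```python
import re
from collections import Counter

# Constructed placeholder: SHA256 fingerprint of the decoy key left in .ssh/
# on the first-tier honeypot (real value comes from `ssh-keygen -lf` on its .pub).
DECOY_FINGERPRINTS = {"SHA256:CONSTRUCTEDdecoyKEYfingerprintPLACEHOLDER000"}
# Assumption: addresses of the first-tier honeypots that hold the breadcrumb.
TIER1_HONEYPOTS = {"192.0.2.10"}

# Standard OpenSSH auth log messages.
ACCEPTED_KEY = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2: (?P<alg>\S+) (?P<fp>SHA256:\S+)"
)
FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def triage(lines, decoy_fps=DECOY_FINGERPRINTS, tier1=TIER1_HONEYPOTS):
    """Return (alerts, noise): decoy-key logins and failed-password counts per source."""
    alerts, noise = [], Counter()
    for line in lines:
        m = ACCEPTED_KEY.search(line)
        if m:
            if m["fp"] in decoy_fps:
                # Only someone who read the planted history and key gets here.
                origin = "tier1-honeypot" if m["src"] in tier1 else "external"
                alerts.append({"level": "critical", "user": m["user"],
                               "src": m["src"], "origin": origin})
            continue  # logins with any other key are not part of the trap
        m = FAILED_PW.search(line)
        if m:
            noise[m["src"]] += 1  # bot-style brute force: count it, no alert
    return alerts, noise


# Constructed sample log from a second-tier honeypot.
SAMPLE_LOG = [
    "Mar 10 02:14:07 hp-db01 sshd[2211]: Failed password for root from 203.0.113.50 port 40022 ssh2",
    "Mar 10 02:14:09 hp-db01 sshd[2213]: Failed password for invalid user admin from 203.0.113.50 port 40030 ssh2",
    "Mar 10 02:14:11 hp-db01 sshd[2215]: Failed password for root from 203.0.113.50 port 40041 ssh2",
    "Mar 10 09:41:55 hp-db01 sshd[3310]: Accepted publickey for deploy from 192.0.2.10 port 51514 ssh2: "
    "ED25519 SHA256:CONSTRUCTEDdecoyKEYfingerprintPLACEHOLDER000",
    "Mar 10 11:02:30 hp-db01 sshd[3402]: Accepted publickey for deploy from 198.51.100.23 port 60211 ssh2: "
    "ED25519 SHA256:CONSTRUCTEDdecoyKEYfingerprintPLACEHOLDER000",
    "Mar 10 12:00:00 hp-db01 sshd[3500]: Accepted publickey for ops from 198.51.100.99 port 40000 ssh2: "
    "ED25519 SHA256:CONSTRUCTEDadminKEYfingerprintPLACEHOLDER0000",
]

if __name__ == "__main__":
    alerts, noise = triage(SAMPLE_LOG)
    for a in alerts:
        print(a)
    print(dict(noise))
```

An "external" origin means the key was copied off the first honeypot and reused from elsewhere, which is worth recording separately from a pivot made on the box itself.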
UK MPs have passed an amendment giving the government powers to restrict access to VPNs.
Imposing digital ID checks will turn people away from using a tool that keeps them safe and secure online.
Instead it'll fuel the surveillance-based economy that causes harms.
Sign our petition to protect VPN use in the UK ⬇️
https://action.openrightsgroup.org/tell-government-protect-vpn-use-uk
#vpn #privacy #cybersecurity #onlinesafety #ukpolitics #ukpol
"There is little evidence that young people are using VPNs to bypass digital ID checks imposed by the [UK] Online Safety Act."
Age gating them "will have little impact on children's online safety but will deter adults from using them or force people to hand over personal documents or biometric data."
🗣️ @JamesBaker for ORG.
https://www.independent.co.uk/extras/indybest/gadgets-tech/vpn-ban-uk-b2934934.html
#vpn #privacy #cybersecurity #onlinesafety #ukpolitics #ukpol
This dumb password rule is from Estheticon.
- At least 8 characters but limited to 20 characters at max
- At least 1 digit
- At least one letter (just a letter in general, no specific casing required)
- No special characters at all
https://dumbpasswordrules.com/sites/estheticon/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from MobileIron MDM.
You can't make this up - no dictionary words, no more than 2 repeating
characters, no alphabetic sequences, no whitespace, 3 character sets,
maximum of 32 characters.
https://dumbpasswordrules.com/sites/mobileiron-mdm/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The line between national security and political surveillance is thinning. Congressional Democrats just launched an inquiry into the Department of Homeland Security regarding its use of administrative subpoenas. Unlike the subpoenas you see in courtroom dramas, these do not require a judge’s signature. They allow federal agencies to demand personal information and internal communications directly from technology companies with almost zero outside oversight.
This investigation follows reports that DHS used these "judge-free" demands to gather data on Americans who criticized the agency on social media. It is a significant moment for anyone in the tech industry. When the government can compel your data without a warrant, the First Amendment starts to look very fragile. You should watch how these tech firms respond to the inquiry, as it will set the standard for how they protect your information from administrative overreach.
🧠 Lawmakers are demanding to know how often DHS uses subpoenas without judicial review.
⚡ The inquiry follows evidence that critics of agency policy were specifically targeted.
🎓 Major tech platforms must now disclose their internal protocols for handling these federal demands.
🔍 Civil liberties groups are pushing for new legislation to require a judge’s approval for all data seizures.
https://www.washingtonpost.com/nation/2026/03/02/subpoenas-free-speech-congress-investigation/
#DataPrivacy #DigitalRights #TechLaw #security #privacy #cloud #infosec #cybersecurity
This dumb password rule is from EON.
By the time I'd finished reading the rules I'd forgotten all of them.
https://dumbpasswordrules.com/sites/eon/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Waze.
After you request a password reset and you receive an email with instructions and a link to reset your password, you are presented with this password reset form. Your password length is limited between 8 and 16 characters. Additionally the form breaks with an error if you use any special characters...
https://dumbpasswordrules.com/sites/waze/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Breaking, new, by me: Iran-backed Hackers Claim Wiper Attack on Medtech Firm Stryker
A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.
From the story:
"Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices."
"Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently."
https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
This dumb password rule is from Whitcoulls.
Your password must:
- be between 7 and 15 characters
- contain a capital letter
- have no spaces (shown only when you go to change it)
https://dumbpasswordrules.com/sites/whitcoulls/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BOINC Bakerlab.
Passwords may only include ASCII characters, not even extended ASCII.
https://dumbpasswordrules.com/sites/boinc-bakerlab/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Nintendo.
Password between 8-20 characters, at least two "categories" of characters, and cannot use the same character more than twice in a row. At least it supports MFA.
https://dumbpasswordrules.com/sites/nintendo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Alibaba.
- At least 2 uppercase letters
- Plus 2 lowercase letters
- Plus 2 numbers
- Plus 2 punctuation marks
Phew, too many rules, because why not, if [Ma thinks AI stands for Alibaba Intelligence](https://www.youtube.com/watch?v=f3lUEnMaiAU),
then password rules can be equally intelligent too.
Also, ...
https://dumbpasswordrules.com/sites/alibaba/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
been checking last few days #blighters who are kicked out trying to get at our #VOIP #PBX - they don't even seem to be wanting to use the #SIP #trunks for getting free #telephone calls for actually talking to people (even spam/coldcalls), but appear to be edgelords attempting to use them for their own private vendetta and DDOS some individual/business phone as INVITE attempts are all to the same USA number(s)
I'm assuming it's not someone trying to call their *own* phone to find when someone *has* left a trunk open, as that would surely create a data trail authorities could pick up on?
More reasons to ditch US Big Tech:
> This is highly worrying from a cyber point of view: President Trump's Cyber Strategy for America
https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf
>
> This document reframes cyberspace as a US-dominated military domain. It calls for offensive operations as a standard policy instrument. It boasts openly about destroying foreign critical infrastructure. Not only that, it also pledges to impose American “norms” on the global internet.
>
> It calls for deregulation at the very moment when any serious security expert agrees that regulation is essential for setting a baseline security bar.
>
> “Adversary” is not defined in this pamphlet, and any foreign organization may now fall easily inside the definition at any time. (akin to disabling all Microsoft infrastructures for the International Criminal Court, ICC, in 2025, or declaring Anthropic to be a “supply chain risk”).
>
> If the U.S. treats foreign technology as an adversarial risk, how can any government or organization trust U.S. technology any longer?
>
> This is the foundational strategic question now: how long are we willing to build our IT infrastructures on systems that another power, governed by executive orders, has declared to be part of their military arsenal?
#murica #trump #BigTech #sovereignty #cybersecurity #CloudExit
This dumb password rule is from LCL.
You have to enter your 6-digit password using this Frenchy keypad.
https://dumbpasswordrules.com/sites/lcl/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
"Russian state hackers are engaged in a large-scale global cyber campaign to gain access to #Signal and #WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees."
Read the details here:
https://english.defensie.nl/latest/news/2026/03/09/russia-targets-signal-and-whatsapp-accounts-in-cyber-campaign
#phishing #socialengineering #privacy #cybersecurity #Netherlands #security #government #signalapp
This dumb password rule is from Omnivox.
Password length must be 8 to 20 characters long with lower case characters and numbers only.
https://dumbpasswordrules.com/sites/omnivox/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Cyberattacks on government agencies and infrastructure — hardly a comprehensive list, but a sample listed in this article:
https://therecord.media/new-jersey-county-says-malware-attack-took-down-phones
h/t @patrickcmiller
https://infosec.exchange/@patrickcmiller/116196318958184049
#cybersecurity #cyberattack #NewJersey
This dumb password rule is from Deutsche Kreditbank AG (DKB).
Passwords for the online banking web frontend do not have a max length constraint, but using the same password to
log in to the official iOS DKB app requires the password to be no longer than 38 characters.
https://dumbpasswordrules.com/sites/deutsche-kreditbank-ag-dkb/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from KPMG Talent Community.
While stating otherwise, the site actually *accepts a backslash* in the password
and displays a forward slash as the example of the disallowed backslash
Password:
- Must be at least 8 characters long
- Must contain at least 1 number
- Must contain at least 1 letter
- Must contain at least 1 spec...
https://dumbpasswordrules.com/sites/kpmg-talent-community/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Easybank (Austrian direct bank).
- At least 8 and at most 16 (!) characters
- **Must start with 5 digits (do we really want to know what's going on there?)**
- At least one uppercase and one lowercase letter
- (Some) special characters are permitted, most are not
- "Simple" patterns are prohibited
- PINs are case sensitive (at l...
https://dumbpasswordrules.com/sites/easybank-austrian-direct-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🆕 blog! “Book Review: The Electronic Criminals by Robert Farr (1975)”
★★★⯪☆
What can a fifty-year-old book teach us about cybersecurity? Written just as computing was beginning to enter the mainstream, The Electronic Criminals takes us into a terrifying new world of crime!
Fraud over Telex! Ransomware of physical tapes! Stealing passwords and…
👀 Read more: https://shkspr.mobi/blog/2026/03/book-review-the-electronic-criminals-by-robert-farr-1975/
⸻
#BookReview #CyberSecurity
🆕 New event added:
📌 BSidesAdelaide
📅 Jul 27-28, 2026
📍 Adelaide (SA) 🇦🇺
🔗 https://www.bsidesadelaide.com.au
#infosec #cybersecurity #conference #Bsidesadelaide #Australia
This dumb password rule is from MarketWatch.
- Cannot be longer than 15 characters.
- Must contain one number.
- Cannot contain spaces, %, & or +.
https://dumbpasswordrules.com/sites/marketwatch/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
EU Chat Control drops mandatory encryption-breaking scans — huge privacy win after years of resistance! 🎉
But now pushes mandatory age verification across apps, risking anonymity while letting Big Tech "voluntarily" scan. Fight continues in trilogues. 🛡️
🔗 https://tuta.com/blog/chat-control-criticism
#TechNews #Privacy #Chat #Control #ChatControl #EU #Europe #Encryption #AgeVerification #Surveillance #DigitalRights #Resistance #Cybersecurity #Anonymity #BigTech
This dumb password rule is from Wells Fargo Identity Theft Protection.
Your password on an Identity Theft Protection service is limited to
between 8 and 20 characters. Your username is allowed to be longer than
your password.
https://dumbpasswordrules.com/sites/wells-fargo-identity-theft-protection/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Taco Bell.
Password may include special characters, except for #.
https://dumbpasswordrules.com/sites/taco-bell/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Coppell, TX - Water Utility.
Local Utility with a password restriction of 30 characters. Better than some for sure, but still dumb.
https://dumbpasswordrules.com/sites/coppell-tx-water-utility/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Singapore Airlines.
`/[0-9]{6}/`
https://dumbpasswordrules.com/sites/singapore-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from PayPal.
Must be between 8 and 20 characters, no spaces, uppercase and lowercase, one symbol...
The rule limits special characters to !@#$%^&*(). But my current password has a "-" in it so someone decided to restrict this further which is totally backwards. Things are meant to get better not worse!
https://dumbpasswordrules.com/sites/paypal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
CNN: Hacked traffic cameras and US intelligence: How a plot to kill Iran’s supreme leader came together
".... The traffic cameras on the streets of Tehran provided a real-time view of the targets.
Hacked years ago, the cameras allowed Israel to map the city in detail, establish patterns of movement, and build an intricate, complex picture of what was happening inside an enemy capital, according to an Israeli official. ..."
https://lite.cnn.com/2026/03/03/middleeast/us-israel-plot-kill-iran-khamenei-latam-intl
*** how much do you want to bet this same network exists within the US? Ring, Flock Cameras, generic security cameras of all types... traffic cameras... you name it. China? Israel? The US? Everyone? Anyone? Once you build the Panopticon... you never know who is peering through the other side.
This dumb password rule is from Kryterion Webassessor.
I was quite surprised to see this when I was registering for my Google Professional Cloud **Security** Engineer certification. Nice part is that they **don't allow quotes** as special character, so I assume there possibly might be some other issues on their backends. :-)
https://dumbpasswordrules.com/sites/kryterion-webassessor/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Think you’re anonymous online with your fake user name? Recent studies demonstrate that Large Language Models are becoming highly efficient at de-anonymizing internet users. By analyzing linguistic patterns, these models can link pseudonymous accounts to real identities with 85% accuracy. This process does not rely on leaked databases or IP addresses. It focuses entirely on the unique way you construct sentences and use specific vocabulary across different platforms.
The era of hiding behind a screen name is effectively over because your writing style is a biometric marker. A model can scan millions of posts to find a match between an anonymous whistleblower and a public profile. This capability transforms stylometry from a niche forensic tool into a scalable method of mass surveillance. Time to rethink digital privacy when our own habits of expression become the very data points that betray us.
🧠 LLMs identify users by matching unique linguistic fingerprints.
⚡ The accuracy rate for identifying individuals across platforms is 85%.
🎓 Anonymity now requires actively masking your natural prose.
🔍 Automated deanonymization poses a direct threat to journalists and whistleblowers.
https://arstechnica.com/security/2026/03/llms-can-unmask-pseudonymous-users-at-scale-with-surprising-accuracy/
#Privacy #Cybersecurity #AI #DataProtection #security #cloud #infosec
This dumb password rule is from Fidelity.
No more than 20 characters and leave out characters commonly used by
programmers. We don't want you to hack the mainframe.
https://dumbpasswordrules.com/sites/fidelity/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
There's a new wave of spam - all around the Fediverse.
Please remember, there's no "Mastodon Moderation Team" sending out strange verification messages.
That's all spam.
🚨 New Video: Virtue is Inconvenient - The Nitrokey 3 Review
In my last video, I crowned the YubiKey 5 as the "King of Keys" but it has a fatal flaw. It is proprietary. For those of us who believe in digital sovereignty and the right to audit our own hardware, blind trust is not an option.
Then there is Nitrokey 3A NFC. It promises open-source firmware, transparent design, and code written in memory safe Rust. But does "open" actually mean "good?" Today, we look at whether the moral high ground is worth the inconvenience, why the Android experience might be a deal breaker, and who should actually buy this device.
Part 4 of the Sovereign Authentication series.
100% human made. #NoAI 
▶️ YouTube: https://www.youtube.com/watch?v=7I65RPlxqdY
📺 PeerTube: https://gnulinux.tube/w/gtTcaBH4GTEKMunR8CUiaX
Support the mission: ☕ https://liberapay.com/terminaltilt
#TerminalTilt #NoAI #Privacy #Security #PasswordManager #Nitrokey #Yubikey #Yubico #FOSS #OpenSource #Linux #Cybersecurity #SelfHosted #DeGoogle #DigitalSovereignty #QueerCreator #DisabledCreator #HumanMade #TechEthics
This dumb password rule is from Benergy4.
12 to 25 characters, only these special chars allowed: @+/'!#$^?:,.(){}[]~-.
Also, security questions.
https://dumbpasswordrules.com/sites/benergy4/
#password #passwords #infosec #cybersecurity #dumbpasswordrules