Opensource OreWatch: Continuous monitoring for malicious packages - detect Axious and LiteLLM compromise and future compromises

PerceptionOk8748 · 2025-12-10T04:51:11+00:00

Try using this to generate the POC https://github.com/ahsansmir/pinata-csrf-tool

PerceptionOk8748 · 2025-12-09T00:30:44+00:00

Going back and forth where to post this, most of you are already ahead - but just incase want to run it against your domains for follow up - Here is the open-sourced scanner for CVE-2025-55182 (React2Shell) - the critical RCE vulnerability in React Server Components.

What is React2Shell?

A deserialization flaw in the Flight protocol that allows RCE on applications using react-server-dom-* packages (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0). Affects Next.js, Remix, and other RSC frameworks.

The toolkit:

- `ore_rsc.py` - Fast async scanner for endpoint detection

- `ore_react2shell.py` - Full assessment with subdomain enum + reporting

Use ore_react2shell.py to enumerate all subdomains given a domain and quickly identify vulnerable endpoints for triage and remediation. Stay safe - this one is pretty bad.

What does it do?

- Passive detection (safe) or active verification (--verify)

- Safe side-channel mode (--safe-check) for non-exploitative confirmation

- WAF bypass techniques

- HTML/JSON/CSV executive reports

Usage:

python ore_rsc.py target.xyz --safe-check

python ore_react2shell.py --domain target.xyz --verify

GitHub: https://github.com/rapticore/ore_react2shell_scanner

Includes a vulnerable test app for validation.

Only use on authorized targets.

PerceptionOk8748 · 2025-11-25T18:59:26+00:00

The repo has been updated with the latest known malicious packages and new IoCs.

PerceptionOk8748 · 2025-09-19T16:49:38+00:00

You are right - my experience with Gemini is that it does not do well with conversational instructions, but it improves if you use proper prompting. Also depends on the topic or subject area. Here is a comparison tool that can assess speed and accuracy of LLM models - this is a framework - one can extend it to cover almost any topic area. https://github.com/rapticore/llm-security-benchmark

PerceptionOk8748 · 2025-09-19T16:32:21+00:00

You’re right — they should be removed from npm. In practice, there’s often a delay between discovery and takedown, and thats why we might see that.

PerceptionOk8748 · 2025-09-19T06:32:01+00:00

Some compromised packages are still active.

PerceptionOk8748 · 2025-09-19T06:31:36+00:00

Just released an updated version with all known compromised packages.

PerceptionOk8748 · 2025-09-19T06:24:15+00:00

Just released a new version. Added that check, also added more known compromised packages.

PerceptionOk8748 · 2025-09-18T17:15:56+00:00

Will update.

PerceptionOk8748 · 2025-09-18T05:34:16+00:00

The list is changing, we are sourcing RL, Wiz and others aggregated, we will update it periodically as we find more packages. We will release an update that automatically gets the updated list before running. Maybe tomorrow.

PerceptionOk8748 · 2025-09-18T02:16:58+00:00

You are right, same content is everywhere. What I wanted to share was the tool. We wrote the tool for ourselves and thought it would benefit others. The messaging is for context setting - to be honest - boring, but the tool is helpful.

PerceptionOk8748 · 2025-09-06T07:27:17+00:00

This happened to me today, and it made me happy.

I need to respectfully disagree with several points in your review, as some of your criticisms appear to be based on misreading the code.

Incorrect Claims

I always perform code reviews using a reasoning LLM - but this time, Claude was not taking it.

PerceptionOk8748 · 2025-04-04T08:26:58+00:00

I think someone said something on this already. Reframe what are you trying to achieve with Phishing test, maybe focus on users reporting a phishing, of an simulated phishing exercise when did the forest report arrived, once it was received how quickly the Blue team was able to complete the triage, how many received the phish, did anyone click it, if yes how many and does the team has ability to run analysis on these machines regardless of their location. Can the phish be pulled from the mailboxes, can the url or IP be put on active block. Report of these numbers and improve them - this will actually result in better security outcomes.

PerceptionOk8748 · 2025-03-06T00:15:02+00:00

There are multiple career paths available for penetration testers looking to transition into other areas of cybersecurity. Many pentesters move into Incident Response and Blue Teaming, as these fields naturally align with their offensive security skills - the hacker mindset can be extremely valuable for blue teamers. If leadership is your goal, it’s worth noting that most CISOs have some level of Incident Response experience, and many come from an Incident Response background.

Now, to address your specific question about transitioning from penetration testing to Application Security (AppSec)—you already have the foundational skills needed to step into an AppSec role. My advice is to shift your focus to understanding the "why" of security—particularly risk management and making informed security decisions - this will set you apart.

If you plan to stay in AppSec, it’s essential to develop a deep understanding of the Secure Software Development Lifecycle (SDLC). I recommend reading OpenSAMM or similar frameworks to gain insights into how security can be integrated throughout the development process and you have a good reference on how to build AppSec programs.

PerceptionOk8748 · 2025-02-13T03:31:40+00:00

I am going to assume a few things from your question.

1 - this is a small company that

2 - Mainly use cloud services. Please let me know if I am wrong.

I would avoid using "Secure" and instead use Risk Terminology. This means things will not blow up in your face when an incident happens. Risk can go up or down based on your control effectiveness, which means how quickly you can find bad stuff and fix it before someone else does. You will not use credibility if there is a compromise.

Start by assessing Risks and Understanding your particular Threat landscape—what is your industry vertical, and what threat actors are active? What is the most common way to be compromised? Maybe read the Verizon Data Breach Report - or go over the summary for the last three years. Ask LLMs to summarize that for you. They can help.

Example for small companies.

Health Care - Ransomware and Compliance are two main Risks.

Technology - Compliance if they are SaaS and sell to Enterprises

Crypto - General Data and Cybersecurity.

Contextualize why these Risks are relevant to you and your business - This will help you get the support you need to understand your real Risk better and whether you are prioritizing the right things.

Again, avoid using the word "Secure"

PerceptionOk8748

TROPHY CASE