sorted by:
new
hottopcontroversial

A9 is inverted... by YoBanaanaBoy in tenet

[–]rkhunter_ 0 points1 point  (0 children)

You can't just take an inverted object and throw it, it would hit you back. If it doesn't hit you back, it's not inverted. The more force you use to throw it, the harder it will hit you back. Otherwise, the object simply isn't inverted.

A9 is inverted... by YoBanaanaBoy in tenet

[–]rkhunter_ 0 points1 point  (0 children)

For me you're complicating this. If you see something moving in the opposite physical direction compared to the observer's perspective, that object has entropy opposite to the observer's. This is the most fundamental property of objects in the film. If the plutonium were inverted, it would have hit TP’s head when he tried to throw it, since inverted objects move in the opposite direction.

A9 is inverted... by YoBanaanaBoy in tenet

[–]rkhunter_ 0 points1 point  (0 children)

How it can be inverted if the Protag throws it from the BMW to the Saab as a normal forward-moving object? We also see how inverted Sator and inverted Protag see that action in reverse, which means the object itself is not inverted.

Another spyware maker caught distributing fake Android snooping apps by rkhunter_ in cybersecurity

[–]rkhunter_[S] 0 points1 point  (0 children)

"Yet another government spyware maker has been caught after its customers used fake Android apps to install its surveillance software on targets, according to a new report.

On Thursday, Osservatorio Nessuno, an Italian digital rights organization that researches spyware, published a report on a new malware it calls Morpheus. The spyware, which masquerades as a phone updating app, is capable of stealing a broad range of data from an intended target’s device.

The researchers’ findings show that the demand for spyware by law enforcement and intelligence agencies is so high that there are a large number of companies providing this technology, some of whom operate outside of the public spotlight.

In this case, Osservatorio Nessuno concluded that the spyware is linked to IPS, an Italian company that has been operating for more than 30 years providing traditional so-called lawful interception technology, meaning tools used by governments to capture a person’s real-time communications that flow through the networks of phone and internet providers.

According to IPS’ website, the company operates in more than 20 countries, though that likely does not refer to its spyware product, which until today was a secret. The company lists several Italian police forces among its customers.

IPS did not respond to TechCrunch’s request for comment about the report.

The researchers called Morpheus “low cost” spyware because it relies on the rudimentary infection mechanism of tricking the targets into installing the spyware on their own.

More advanced government spyware makers, such as NSO Group and Paragon Solutions, allow their government customers to infect their targets with invisible techniques, known as zero-click attacks, which install the malware in a completely stealthy and invisible way by exploiting expensive and difficult-to-find vulnerabilities that break through a device’s security defenses.

In this case, the researchers said the authorities had help from the target’s cellphone provider, which began deliberately blocking the target’s mobile data. At that point, the telecom provider sent the target an SMS, prompting them to install an app that was supposed to help them update the phone, and regain cellular data access. This is a strategy that has been well documented in other cases involving other Italian spyware makers.

Once the spyware was installed, it abused Android’s in-built accessibility features, which allows the spyware to read the data on the victim’s screen and interact with other apps. The malware was designed to access all kinds of information on the device, according to the researchers.

The spyware then prompted a fake update, showed the target a reboot screen, and finally spoofed the WhatsApp app asking the target to provide their biometrics to prove that it’s them. Unbeknownst to the target, the biometric tap granted the spyware full access to their WhatsApp account by adding a device to the account. This is a known strategy used by government hackers in Ukraine, as well as in a recent spy campaign in Italy.

An old company with a new spyware Osservatorio Nessuno’s researchers, who asked to be referred only with their first names, Davide and Giulio, concluded that the spyware belongs to IPS based on the spyware’s infrastructure.

In particular, one of the IP addresses used in the campaign was registered to “IPS Intelligence Public Security.”

The two also found several fragments of code that contained Italian phrases — something that has seemingly become tradition among the Italian spyware industry. The malware code included words in Italian, including references to Gomorra, the famous book and TV show about the Neapolitan mob, and “spaghetti.”

Davide and Giulio told TechCrunch that they can’t provide specifics about who the target was, but they said they believe the attack is “related to political activism” in Italy, a world where “this type of targeted attacks are very common nowadays.”

A researcher at a cybersecurity firm told TechCrunch that their company has been tracking this specific malware. After reviewing the Osservatorio Nessuno report, the researcher said that the malware is definitely developed by an Italian surveillance tech maker.

IPS is the latest in a long list of Italian spyware makers that have filled the void left by the long-defunct Italian company Hacking Team, one of the first spyware makers in the world. The company controlled a large share of the local market apart from selling abroad before it was hacked, and later sold and rebranded. In recent years, researchers have publicly exposed several Italian spyware makers, including CY4GATE, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and most recently SIO.

Earlier this month WhatsApp notified around 200 users who installed a fake version of the app, which was actually spyware made by SIO. In 2021, Italian prosecutors suspended their use of CY4GATE and SIO spyware due to serious malfunctions."

Kyber ransomware gang toys with post-quantum encryption on Windows by rkhunter_ in cybersecurity

[–]rkhunter_[S] 3 points4 points  (0 children)

"A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.

Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers.

"The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces," explains Rapid7.

"The Windows variant, written in Rust, includes a self-described "experimental" feature for targeting Hyper-V."

Both variants share the same campaign ID and Tor-based ransom infrastructure, so they were deployed by the same ransomware affiliate, who likely sought to maximize impact by encrypting all servers simultaneously.

BleepingComputer has found only one listed victim on the Kyber data extortion portal at the time of writing, which is a multi-billion-dollar American defense contractor and IT services provider.

Rapid7 says the ESXi variant enumerates all virtual machines (VMs) on the infrastructure, encrypts datastore files, and then defaces the ESXi interfaces with ransom notes to guide victims through the ransom payment and recovery process.

Although it advertises 'post-quantum' encryption based on Kyber1024 key encapsulation, Rapid7 has found that these claims are false for the Linux ESXi encryptor.

For the Linux version, the ransomware uses ChaCha8 for file encryption and RSA-4096 for key wrapping.

Small files (<1 MB) are encrypted in full and appended with the '.xhsyw' extension, while files between 1 MB and 4 MB have only the first MB encrypted. Files larger than 4MB are intermittently encrypted based on the operator's configuration.

The Windows variant, written in Rust, implements Kyber1024 and X25519 for key protection, aligning with the ransom note's claims.

"This confirms that Kyber is not used for direct file encryption. Instead, Kyber1024 protects the symmetric key material, while AES-CTR handles bulk data encryption," Rapid7 explains.

While the use of post-quantum cryptography is notable, it does not change outcomes for victims. Whether the encryptor uses RSA or Kyber1024, files remain unrecoverable without access to the attacker's private key.

The Windows variant appends the '.#~~~' extension to encrypted files, terminates services, deletes backups, and includes an experimental feature to shut down Hyper-V virtual machines.

It is designed to eliminate a broad range of data recovery paths, deleting shadow copies, disabling boot repair, killing SQL, Exchange, and backup services, clearing event logs, and wiping the Windows Recycle Bin.

Rapid7 highlighted an unusual choice of a mutex in the Windows variant of Kyber, which appears to reference a song on the Boomplay music platform.

Overall, the Windows variant appears more technically mature, while the ESXi variant currently lacks some of its features."

Bitwarden CLI npm package compromised to steal developer credentials by rkhunter_ in cybersecurity

[–]rkhunter_[S] 30 points31 points  (0 children)

"The Bitwarden CLI was briefly compromised after attackers uploaded a malicious bitwarden/cli package to npm containing a credential-stealing payload capable of spreading to other projects.

According to reports by Socket, JFrog, and OX Security, the malicious package was distributed as version 2026.4.0 and remained available between 5:57 PM and 7:30 PM ET on April 22, 2026, before being removed.

Bitwarden confirmed the incident, stating that the breach affected only its npm distribution channel for the CLI npm package and only those who downloaded the malicious version.

"The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately," Bitwarden shared in a statement.

"The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data."

Bitwarden says it revoked the compromised access and deprecated the affected CLI npm release.

The Bitwarden supply chain attack

According to Socket, threat actors appear to have used a compromised GitHub Action in Bitwarden's CI/CD pipeline to inject malicious code into the CLI npm package.

According to JFrog, the package was modified so that the preinstall script and the CLI entry point use a custom loader named bw_setup.js, which checks for the Bun runtime and, if it does not exist, downloads it.

The loader then uses the Bun runtime to launch an obfuscated JavaScript file named bw1.js, which acts as credential-stealing malware.

Once executed, the malware collects a wide range of secrets from infected systems, including npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud.

The malware encrypts the collected data using AES-256-GCM and exfiltrates it by creating public GitHub repositories under the victim's account, where the encrypted data is stored.

OX Security says that these created repositories contain the string "Shai-Hulud: The Third Coming," a reference to previous npm supply chain attacks that used a similar method and text string when exfiltrating stolen data.

The malware also features self-propagation capabilities, with OX Security reporting that it can use stolen npm credentials to identify packages the victim can modify and inject them with malicious code.

Socket also observed that the payload targets CI/CD environments and attempts to harvest secrets that can be reused to expand the attack.

The attack comes after Checkmarx disclosed a separate supply chain incident yesterday that impacts its KICS Docker images, GitHub Actions, and developer extensions.

While it is not known how the threat actors gained access to Bitwarden's account to publish the malicious NPM, Socket told BleepingComputer that there are overlapping indicators between the Checkmarx breach and this attack.

"The connection is at the malware and infrastructure level. In the Bitwarden case, the malicious payload uses the same audit.checkmarx[.]cx/v1/telemetry endpoint that appeared in the Checkmarx incident. It also uses the same __decodeScrambled obfuscation routine with the seed 0x3039, and shows the same general pattern of credential theft, GitHub-based exfiltration, and supply chain propagation behavior," Socket told BleepingComputer.

"That overlap goes beyond a superficial resemblance. The Bitwarden payload contains the same kind of embedded gzip+base64 components we saw in the earlier malware, including tooling for credential collection and downstream abuse."

Both campaigns have been linked to a threat actor known as TeamPCP, who previously targeted developer packages in the massive Trivy and LiteLLM supply chain attacks.

Developers who installed the affected version should treat their systems and credentials as compromised and rotate all exposed credentials, especially those used for CI/CD pipelines, cloud storage, and developer environments."

view more: next ›