Another day, another dependency that decided to betray us.
Cloudreve's Predictable Secrets
Cloudreve versions before v4.10.0 generated APP_KEY with a weak PRNG seeded from the clock. Because the only unknown is a timestamp, an attacker can brute-force the seed in under 3 hours, recover the key, forge admin JWTs, and hijack any instance initialized on a pre-v4.10.0 build. Note that patching the code does not change a key that was already generated by the weak PRNG, so an instance that has not rotated its secret is still exposed even after an upgrade; its admin account is effectively public. Fix: upgrade to 4.13.0, and rotate APP_KEY on any instance initialized before v4.10.0.
Axios npm Supply Chain Hit
A hijacked maintainer token was used to publish malicious axios 1.14.1 and 0.30.4 carrying a credential-stealing postinstall script. It harvested cloud tokens, SSH keys and similar secrets, then deleted itself, so the absence of the script on disk now proves nothing. If you installed either version, treat every secret on that machine as compromised. Action: run `npm ls axios`, and check package-lock.json as well, since CI and container builds install from the lockfile rather than from what happens to be on your laptop; remove 1.14.1/0.30.4, reinstall a clean version, and rotate every credential the install host could reach.
Ash's Atom Table Exhaustion
Ash before v3.22.0 has a Module.type handler that creates Erlang atoms directly from user input (e.g., "Elixir.Attack123"). Atoms are never garbage-collected, so a client that floods the handler with unique names fills the atom table (default limit about 1M entries) and crashes the BEAM VM. Because the atom table is VM-wide, that is a total denial of service: every application running in that VM goes down, not just the Ash endpoint. Fix: upgrade to v3.22.0 or apply commit 7031103.
Axios RAT in Kubernetes Images
The same axios compromise (1.14.1/0.30.4) also dropped a cross-platform RAT. Any image built between 00:21 and 03:29 UTC today that pulled axios may carry it and may already be running in your cluster. Scan running images with `grype` or `syft` for the two versions, replace any hits rather than patching in place, block the C2 traffic at egress, and rotate every secret those pods could read.