all these stupid VPN ads act like TLS has never existed
Security research @ GitGuardian | Former pentester 🥾
I have an empty blog that I am decided to fill with personal research since 1874.
@christopherkunz @danielp choose your poison:
* Have your home dir wiped
* Have your home dir pushed to public GitHub and a public remote control channel deployed to your host.
I personally think it's an easy choice 😅.
There's a nasty #OpenSource #SupplyChain worm going around named Shai-Hulud. It's also capable of exposing some projects' long-lived PyPI API Tokens. Read more on what's happening, and what you can do to protect your projects.
TL,DR: Adopt Trusted Publishing 🔐🚀📦
@verbrecher @claushoumann you forgot to add: registers the host as a GitHub action runner to remote control it through a malicious workflow containing a voluntary injection vulnerability.
Yeah, that thing really is friendly.
The greatest research skill you can have is being a nosy bitch who wants to find out
cr: @NC_Renic
The narrative about #FortiWeb (CVE-2025-64446) exploitation is going to end up being about attacker behavior and compromise, which is fair enough, except that this looks to have been entirely preventable.
How are we still letting suppliers get away with silent patches in frequently exploited products in 2025? Customers need to be voting for better supplier behavior with their wallets, or with their legal teams.
https://www.vulncheck.com/blog/fortinet-forti-web-exploitation-hits-silently-patched-vulnerability
@zhuowei AMI Secure Boot platform key was found by Binarly in the PKfail research: https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem
Some of you have noticed that the association has been dormant for about a year. Indeed, there are very few of us in the association and our lives have been hectic lately, which has not allowed us to get more involved.
That is why we are writing this article to put out a call: if the topic of privacy on mobile (and Android in particular) interests you and you want to help keep Exodus Privacy alive, join us!
https://exodus-privacy.eu.org/fr/post/sante-association-et-nous-rejoindre/
> Thomas Chauchefoin has once again generously sent us a number of security bug reports, most of which had patches attached. Thanks Thomas!
This time I got 2 more RCEs on git.sr.ht and hg.sr.ht and a leak of private lists on lists.sr.ht o/
This is getting harder, can't wait for the next review to poke at a few new things! And kudos to SourceHut for writing super readable code and landing fixes in a matter of minutes.
https://mastodon.social/@lobsters/115130362456397695
Did you know that an exposed App_Key can lead to someone executing their own code in Laravel apps?
Scary stuff, but it does not need to be. Hear from GitGuardian's cybersecurity researcher on how to protect yourself!
@swapgs the 90s called, etc.
@jerry @jawnsy Alright technical limitation it is then.
Those lenses are freaking expensive, which is why I only own a 70-200 f/4 non-stabilized (Canon here) and it already cost me quite some money back then. Doesn't really allow for moon shots though.
Anyway, your results are still pretty clean with the 600mm. I guess the doubler is not really worth it in most situations.
@jerry @jawnsy I'm quite puzzled. I've never tried shooting the moon with a long tele, and actually don't own any such lens, but I find the parameters surprising.
Why did you choose to shoot at f/9 (f/14) rather than the sharpest wide aperture available? You would have gained some precious tenths of shutter speed to hopefully gain some additional sharpness. Also, I would expect most lenses to start dropping in image quality at f/14 due to diffraction.
Anything I need to learn about moon shots or are those just due to technical limitations?
PHOTOS
While Salty has decided to take some good times on the coast 😎, the team has found time to put online photos of #pts25 taken by our own @julioloayzam ❤️
Feel the soul of the event 👉 https://www.flickr.com/photos/yobibe/albums/72177720327694710
And all files available on our archives site: https://archives.pass-the-salt.org/Pass%20the%20SALT/2025/photos/PhotosPassTheSALT2025-by-jlm
If you only read one Ozzy Osbourne obituary, it should be Lelo Jimmy Batista's. Obviously.
https://archive.is/PWRUu
Laravel: APP_KEY leakage analysis https://www.synacktiv.com/en/publications/laravel-appkey-leakage-analysis
@obivan see https://blog.gitguardian.com/exploiting-public-app_key-leaks/ for Gitguardian's side of the same story.
So then, #JeChercheUnJob (I'm looking for a job)
Ideally, somewhere my 20+ years of experience in "tech" in the broad sense could benefit the #environment, #education, or #health.
There are few areas of tech that scare me. I've done front-end, back-end, embedded, desktop, and integration work.
I know the #Java ecosystem very well, #Nodejs and #Python a bit less, and I learn fast.
I recognize myself 100% in this description of "expert generalists": https://martinfowler.com/articles/expert-generalist.html