HackerTrans
トップ新着トレンドコメント過去質問紹介求人

brene

no profile record

投稿

ElectricSQL database takeover vulnerability found by AI

casco.com
5 ポイント·投稿者 brene·3 か月前·2 コメント

The Blueprint of a North Korean Attack on Open-Source

casco.com
32 ポイント·投稿者 brene·3 か月前·12 コメント

コメント

brene
·先月·議論
How does this compare vs. Turbopuffer?
brene
·3 か月前·議論
Rene from Casco here. While our agents were performing a security test, they discovered a database takeover vulnerability. It's a good example of how SQL injection is still a test path that needs to be explicitly be validated. Really want to give props to the ElectricSQL team from issue reported to issue fixed and deployed, it took ~2 hours.
brene
·3 か月前·議論
Just debugging the issue :-)
brene
·3 か月前·議論
are you using Safari's Lockdown Mode?
brene
·3 か月前·議論
Author here. We were analyzing a compromised contributor account targeting better-auth when we noticed something interesting about the attack vector. Most coverage of supply chain attacks focuses on the "what happened" but I wanted to document the "how it actually works" with the deobfuscated code.

Wwo things stood out: 1. hiding the payload in next.config.mjs is clever because GitHub's UI truncates long lines so the malicious string is literally invisible when scrolling through the file. second, storing the c2 payload on binance smart chain means theres no server to take down. The axios attack was mitigated by removing the GitHub-hosted payload. This one can't be.

2. found 30+ repos with the same signature string. Pretty sure there's way more we didn't catch with basic string matching.

happy to answer questions about the deobfuscation process or the c2 protocol analysis.
brene
·6 か月前·議論
Do you see this project merge with the Chonkie at some point? Or do you intend to keep it separate?
brene
·7 か月前·議論
How does it deal with loops? I’ve often see workflow builders struggle at that?
brene
·8 か月前·議論
I actually wonder is there a way to feed back some consistently reedited code into the context window of your coding agent tools, so that future edits require less tokens?
brene
·10 か月前·議論
Hi Rene from Casco here. I think the post just referenced us as a customer because we use it for pentesting. For us, Prism solves the "browser agents can reliably auth into any website" problem.
brene
·10 か月前·議論
Hi - Rene from Casco here. Thought to share a bit about our journey of dealing with auth for browser agents before Prism. We have a diverse set of customers whose login experience differ dramatically. Sometimes it's directly accessible on request, other times, you have to click through into a "login menu", other times we'd be dealing with Google sign-in and OTP.

We initially tried manually uploading session cookies to our browser agent after we authenticate locally. But soon realized how unscalable that is. We needed a general purpose API that allows our agents to auth into any application reliably. We needed something like Prism because making an agent reliable for our vertical is hard enough and I don't want us to maintain infrastructure just for the purposes of managing test user credentials and session management. If you're using browser agents and they've "hit the auth wall", then you know what I'm talking about.

Thanks for building Prism for us and letting us be a pilot customer. The API is straightforward and a pleasure to use. Can't wait for user sign-up and GitHub auth support to come soon.