Best of SecurityOctober 2025

  1. 1
    Article
    Avatar of hnHacker News·32w

    How I Almost Got Hacked By A 'Job Interview'

    A developer shares a close call with a sophisticated phishing attack disguised as a legitimate job interview. The scam involved a fake LinkedIn profile from a real company, a coding challenge containing obfuscated malware designed to steal crypto wallets and credentials, and professional social engineering tactics. The attack was discovered by using an AI assistant to scan the codebase for suspicious patterns before execution. The malware was embedded in server-side code with full Node.js privileges and connected to a remote payload that disappeared within 24 hours.

  2. 2
    Article
    Avatar of phProduct Hunt·33w

    Strix: Open-source AI hackers for your apps

    Strix is an open-source AI penetration testing agent that automatically discovers, validates, and reports security vulnerabilities in applications. With 2,000 GitHub stars and 8,000 downloads in its first month, it's being adopted by Fortune 500 security teams, top bug bounty hunters, and auditing firms. The tool generates proof-of-concept exploits, produces compliance reports, and integrates into CI/CD pipelines to catch vulnerabilities before production deployment.

  3. 3
    Article
    Avatar of lobstersLobsters·31w

    A Word on Omarchy

    A critical technical review of Omarchy, a pre-configured Arch Linux distribution created by David Heinemeier Hansson. The analysis reveals significant security vulnerabilities including a non-functional firewall by default, weak password policies, and poorly written bash scripts lacking proper error handling. The review examines missing essential features like RAID support, swap configuration, and proper laptop power management, while highlighting the gap between marketing claims of being a production-ready system and the actual implementation quality.

  4. 4
    Article
    Avatar of jakartaeeJakarta EE·30w

    The Dark Side of IT: How US-EAST-1 Took Europe Offline and Why GDPR is in the Crosshairs

    An AWS US-EAST-1 outage in October 2025 took down European digital services despite companies believing their infrastructure was EU-only. The incident exposed hidden architectural dependencies where critical services like IAM, authentication, and control planes route through Virginia data centers. European banks, healthcare providers, and government agencies experienced severe disruptions. The analysis examines GDPR compliance failures, Schrems II implications, and how cross-border data flows occur without user notification. CIOs are advised to map control-plane dependencies, review AWS contracts for regional sovereignty gaps, and prepare for regulatory scrutiny as European data protection authorities investigate cloud provider compliance.

  5. 5
    Article
    Avatar of securityboulevardSecurity Boulevard·30w

    MY TAKE: Have you noticed how your phone’s AI assistant is starting to remap what you trust?

    AI assistants like Google's Gemini are quietly remapping smartphone interfaces without user consent, transforming basic hardware controls into AI engagement points. This shift represents a new form of surveillance through interface colonization, where AI layers mediate user interactions and potentially manipulate information access. Unlike traditional government surveillance exposed by Snowden, modern control happens through convenience-driven defaults that gradually erode user autonomy. Recent reports show Gemini storing conversations, accessing apps with privacy toggles off, and activating unprompted, raising concerns about trust and manipulation at scale.

  6. 6
    Article
    Avatar of hnHacker News·31w

    The scariest “user support” email I’ve ever received

    A developer shares a real phishing attack disguised as a user support email. The attacker claimed cookie consent issues prevented site access, then sent a fake Google Sites link with a CAPTCHA that copied a malicious base64-encoded command to the clipboard. The command would download and execute a remote shell script if run in a terminal. The incident highlights how AI-powered phishing attacks are becoming more sophisticated and natural-sounding, making them harder to detect.

  7. 7
    Article
    Avatar of logrocketLogRocket·30w

    You’re doing vibe coding wrong: Here’s how to do it right

    Vibe coding — using AI tools to generate code quickly — can accelerate development for personal scripts, prototypes, and learning projects, but becomes dangerous when applied to authentication, payment systems, or production APIs. The approach works best when developers understand the fundamentals, break work into testable units, validate AI-generated code for security vulnerabilities like SQL injection, and maintain proper version control. Key risks include insecure code patterns, technical debt from prompt-driven architecture, and debugging challenges when developers don't understand the generated code. Success requires treating AI as an accelerator rather than a replacement for foundational knowledge, focusing on popular tech stacks, implementing proper validation, and documenting all AI-generated code.

  8. 8
    Article
    Avatar of electronElectron·30w

    Electron 39.0.0

    Electron 39.0.0 brings upgrades to Chromium 142.0.7444.52, Node 22.20.0, and V8 14.2. The ASAR integrity feature, which validates packaged apps against build-time hashes to prevent tampering, graduates from experimental to stable. New features include hardware acceleration detection, HDR color space support for offscreen rendering, granular accessibility management, and dynamic ESM imports in preloads. Breaking changes include deprecation of the --host-rules command line switch in favor of --host-resolver-rules, always-resizable window.open popups per WHATWG spec, and restructured shared texture OSR paint event data. Electron 36.x.y reaches end-of-support.

  9. 9
    Article
    Avatar of hnHacker News·32w

    The Day My Smart Vacuum Turned Against Me

    An engineer discovers their smart vacuum was remotely disabled by the manufacturer after blocking its telemetry servers. Through reverse engineering, they gained root access via an open ADB port, found the device running Google Cartographer SLAM software on Linux, and uncovered evidence of remote kill commands. The investigation revealed the vacuum transmitted unencrypted data including WiFi credentials, had pre-installed remote access software (rtty), and could be controlled by the manufacturer without user consent. The engineer successfully restored offline functionality and documented the findings, highlighting broader IoT security and privacy concerns affecting multiple brands using the same hardware platform.

  10. 10
    Article
    Avatar of collectionsCollections·33w

    Ubuntu 25.10: Key Features and Upgrades Announced

    Ubuntu 25.10 'Questing Quokka' introduces major architectural changes including mandatory Wayland sessions, Rust-based core utilities replacing GNU tools, and sudo-rs replacing traditional sudo. The release features GNOME 49, TPM-backed full disk encryption, Network Time Security in Chrony, and A/B booting for Raspberry Pi. Running on Linux kernel 6.17 with updated toolchains (OpenJDK 25, Python 3.14 RC3, Golang 1.25, GCC 15, Rust 1.85), it emphasizes memory safety and security improvements. Support extends until July 2026 with an upgrade path to Ubuntu 26.04 LTS.

  11. 11
    Article
    Avatar of hashrocketHashrocket·30w

    PostgreSQL 18's UUIDv7: Faster and Secure Time-Ordered IDs

    PostgreSQL 18 introduces native support for UUIDv7, a new identifier format that combines the security benefits of random UUIDs with time-based ordering. Unlike UUIDv4's completely random values, UUIDv7 embeds timestamps in the first portion, enabling chronological sorting without separate created_at columns and improving index performance by reducing fragmentation. The format maintains collision resistance and security against enumeration attacks while delivering better database performance through sequential-like insertion patterns.

  12. 12
    Article
    Avatar of cloudflareCloudflare·30w

    From .com to .anything: introducing Top-Level Domain (TLD) insights on Cloudflare Radar

    Cloudflare Radar launched a new Top-Level Domain (TLD) insights page that provides comprehensive data on TLD popularity, traffic patterns, and security metrics. The page uses DNS Magnitude—a metric measuring how many unique networks query domains within a TLD—to rank over 2,500 TLDs. Surprisingly, .su (Soviet Union's legacy TLD) tops the ranking due to queries from a popular online game. Individual TLD pages offer detailed information including DNSSEC support, RDAP availability, DNS query volumes, certificate issuance data, and geographic distribution. The feature extends existing DNS insights to all delegated TLDs and integrates with Cloudflare Registrar for domain registration. All data is accessible via API and the Radar Data Explorer.

  13. 13
    Article
    Avatar of mafoMartin Fowler·30w

    Agentic AI and Security

    Agentic AI systems face a fundamental security flaw: LLMs cannot distinguish instructions from data, making them vulnerable to prompt injection attacks. The "Lethal Trifecta" occurs when an LLM has access to sensitive data, untrusted content, and external communication simultaneously, enabling attackers to exfiltrate information through hidden instructions. Mitigations include minimizing each trifecta element, running LLMs in isolated containers, splitting tasks into smaller controlled steps, maintaining human oversight at every stage, and following the principle of least privilege. Despite vendor efforts, no fully secure agentic AI systems exist yet.

  14. 14
    Video
    Avatar of fireshipFireship·31w

    OpenAI’s new browser feels familiar…

    OpenAI released Atlas, an AI-powered browser built on Chromium that integrates ChatGPT as an assistant capable of viewing browsing history and performing actions on behalf of users. The browser faces similar security challenges as other AI browsers, particularly vulnerability to prompt injection attacks. While Atlas offers convenience through agent mode for tasks like ordering food, it raises privacy concerns despite user controls for managing browsing memory.

  15. 15
    Article
    Avatar of css_tricksCSS-Tricks·31w

    Building a Honeypot Field That Works

    Honeypot fields remain effective for preventing spam form submissions in 2025 without requiring reCAPTCHA. The key is avoiding common detection patterns: use regular text inputs instead of hidden fields, hide them with external CSS rather than inline styles, and use legitimate-sounding names like 'occupation' instead of 'honeypot'. Additional protection includes detecting user interactions through mouse movements, keyboard events, and form completion time using JavaScript. The article provides ready-to-use components for Svelte and Astro, plus vanilla JavaScript utilities for implementing these spam prevention techniques.

  16. 16
    Article
    Avatar of lobstersLobsters·31w

    An open letter to the Obsidian team

    A community maintainer raises concerns about Obsidian's plugin review process, highlighting month-long approval times and the complete absence of update reviews. The author demonstrates security risks by discovering policy violations in community themes that remained unaddressed for over a year, arguing that the small Obsidian team cannot sustainably manage nearly 2,500 plugins. The letter proposes community-driven solutions for plugin maintenance and automated checks, emphasizing that plugins are essential to Obsidian's success and the ecosystem needs better oversight to prevent malicious code distribution.

  17. 17
    Article
    Avatar of newstackThe New Stack·30w

    Why Sudo-rs Brings Modern Memory Safety to Ubuntu 26.04

    Ubuntu 26.04 will include sudo-rs, a Rust-based rewrite of the sudo command, alongside the traditional C implementation. The project aims to improve memory safety and maintainability while reducing codebase complexity. Developed through the Prossimo initiative and now maintained by the Trifecta Tech Foundation, sudo-rs collaborates closely with the original sudo maintainer Todd Miller. The rewrite focuses on supporting common use cases rather than replicating every legacy feature, with Canonical funding Ubuntu-specific compatibility work. The project has already been tested in Ubuntu 25.10 and is available as an option in several other distributions.

  18. 18
    Article
    Avatar of hnHacker News·32w

    GrapheneOS is finally ready to break free from Pixels, and it may never look back

    GrapheneOS, a privacy-focused Android fork previously exclusive to Google Pixel devices, has partnered with a major Android OEM to expand support to Snapdragon-powered flagship smartphones by 2026-2027. The partnership marks a significant shift for the security-focused operating system, which has maintained strict hardware requirements that only Pixels previously met. While the OEM partner remains unnamed, the new devices will be priced similarly to Pixels and available globally. GrapheneOS will continue supporting existing Pixel devices and confirmed Pixel 10 support, though Pixel 11 compatibility is uncertain.

  19. 19
    Video
    Avatar of programmersarealsohumanProgrammers are also human·30w

    10x’er (Part 3) [FULL]

    A satirical comedy sketch depicting an extreme caricature of a '10x engineer' who exhibits absurd behaviors like rewriting nginx in assembly, exploiting competitor databases, controlling infrastructure without permission, constantly rewriting code in Rust, and engaging in questionable security practices. The humor targets common developer stereotypes around over-engineering, security paranoia, documentation avoidance, and obsessive optimization.

  20. 20
    Article
    Avatar of lobstersLobsters·31w

    Forgejo v13.0 is available

    Forgejo v13.0 introduces content moderation tools allowing users and admins to report abusive content, enhanced security with improved 2FA enforcement and Actions secrets encryption, and better Actions usability with access to previous run attempts and static workflow validation. Additional features include Pagure repository migration, EXIF data removal from avatars, CI status display on force pushes, and improved markdown editor shortcuts. The release follows a three-month cycle with v11.0 receiving long-term support until July 2026.

  21. 21
    Article
    Avatar of hnHacker News·33w

    The Email They Shouldn't Have Read

    A system administrator shares a cautionary tale about migrating public institutions from Exchange to an open-source email stack. After successfully deploying the solution, multiple agencies attempted to leave their expensive managed service provider. The vendor retaliated by exploiting hidden contract clauses, potentially accessing client emails to sabotage migrations, and threatening legal action. Despite being open-source software, the provider claimed exclusive installation rights and increased costs by 30% for agencies trapped in contracts. The story illustrates how predatory business practices and vendor lock-in can corrupt even open-source solutions.

  22. 22
    Article
    Avatar of hnHacker News·31w

    Google flags Immich sites as dangerous

    Immich, an open-source Google Photos alternative, had all their *.immich.cloud websites flagged as dangerous by Google Safe Browsing, making them inaccessible to users. The issue stemmed from Google's automated system crawling their preview environments on GitHub and marking them as deceptive, despite being legitimate internal deployments. Each time a new preview environment was created, the entire domain was re-flagged. The team had to repeatedly request reviews through Google Search Console and ultimately decided to move preview environments to a separate domain (immich.build) to minimize impact. The incident highlights how Google Safe Browsing can arbitrarily flag domains without consideration for open-source or self-hosted software workflows.

  23. 23
    Article
    Avatar of vercelVercel·32w

    Expanded Role-Based Access Control (RBAC) for Enterprise teams

    Vercel enhanced its RBAC system with multi-role support per user, a dedicated Security role, and extended permissions for granular access control. New permissions include project creation, production deployment management, usage viewing, integration management, and environment variable control. Access Groups now integrate with team roles and extended permissions through Directory Sync mappings.

  24. 24
    Article
    Avatar of collectionsCollections·33w

    Critical Redis Vulnerability CVE‑2025‑49844: Immediate Action Required

    Wiz Research discovered RediShell (CVE-2025-49844), a critical remote code execution vulnerability in Redis with a maximum CVSS score of 10.0. The flaw stems from a 13-year-old use-after-free bug in Redis's Lua interpreter that allows authenticated attackers to bypass the sandbox and execute arbitrary code. With Redis deployed in 75% of cloud environments and 330,000 instances exposed online (60,000 without authentication), the impact is severe. Patches are available for Redis versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, along with Valkey. Organizations should immediately upgrade, enable authentication, restrict network access, disable unnecessary Lua commands, and implement ACLs to limit script execution.

  25. 25
    Article
    Avatar of twitter_xTwitter X·30w

    Windscribe Puts a $21,000 bounty on Theo

    Windscribe VPN service announced a $21,000 bounty targeting content creator Theo, likely as part of a marketing campaign or challenge related to their VPN product. The bounty appears to be a promotional initiative connecting the VPN provider with a prominent tech influencer.

See all Security archives