Disclosure: A lightweight proof-of-concept (PoC) tool was developed by hackteam.red for internal red teaming and authorized penetration testing. The PoC will not be released publicly, but it is actively used to assess Yandex Cloud Object Storage configurations for clients who explicitly permit such testing.

Overview

Yandex Cloud provides an S3-compatible Object Storage service that allows customers to host static websites via public endpoints like: http://.website.yandexcloud.net

While this is a convenient feature for developers and enterprises, misconfigurations or oversight can lead to unintended public exposure of sensitive technical documentation, internal architecture details, or, in worst cases, source code and configuration files. ...
Hunting API Keys in the Wild: How I Built FleaMarket to Find (and Help Fix) Real Leaks on GitHub
TL;DR: I built an ethical, open-source scanner called FleaMarket that finds exposed API keys in fresh GitHub repos. In a recent scan, it discovered live Google/Gemini keys in public .env files, and I helped owners secure them before any abuse occurred.

Why Hunt for Secrets?

API keys in public code are like leaving your house keys under the doormat. Even if you think no one will look, bots do. Thousands of keys are scraped every hour, leading to: ...
Building a VS Code Phishing Simulation for Security Awareness Training - Simulation Lazarus - APT 38
Table of Contents: Introduction; The Real Threat: Lazarus Group; How the Attack Works; Building the Simulation; Technical Deep Dive; Setting Up Your Own Campaign; Ethical Considerations; Detection and Prevention; Conclusion

Introduction

In early 2026, cybersecurity researchers uncovered a sophisticated attack campaign by the North Korean APT group Lazarus, targeting developers through fake job interviews. The attack leveraged VS Code's workspace trust feature to automatically execute malicious code when developers opened seemingly legitimate project repositories. ...