Risky Context, W4

Write-ups on the GitHub supply chain attack, ByBit cryptocurrency heist, and a curious case of 'Shadow AI'. A list of useful posts, along with some tools to help pentesters, auditors, and risk assessors.


Welcome everyone, to another edition of 'Risky Context'. This is the weekly dose for pentesters, auditors, and risk assessors in the world of security. Don't forget to subscribe and share this newsletter.

Incidents/ Write-ups

  1. James Berthoty has collated details on the tj-actions/changed-files supply chain attack and presented them in a structured manner. It brings home the point that you should pay or donate for open source if you use it. The repo in question was maintained by one person who has received only a few donations, even though the action was used by over 23,000 repositories. This is not sustainable. Read the blog for more details. StepSecurity also wrote about it and made their GitHub Action free for all. However, the original GitHub Action is free of the malware as well. In addition, Swastik Mukherjee has written succinct notes about the compromised GitHub Action as a LinkedIn post.
  2. Notes on ByBit cryptocurrency heist
    1. By Vaughan Shanks, in his LinkedIn post. He has listed various sources for his notes, including the Mandiant report and an in-depth analysis by NCC Group. Good read.
    2. By Gal Nagli (Wiz staff, who also happens to be a world-class bug bounty hunter), as a LinkedIn post. He refers to a blog post that he has written along with a few other contributors. Worth a read.
  3. Renee Bos writes about a case of 'Shadow AI' on LinkedIn: a Disney employee downloaded an AI tool from GitHub, giving cyber-criminals access to his password manager. More info: WSJ Tech Briefing Podcast episode, Futurism post.

On AI

  1. Linas Beliunas writes about Zippy, the robotic chef, which is trained to cook Michelin-quality dishes. Best part: it costs USD 12/hr. His LinkedIn post.
  2. Novo Nordisk has apparently started using AI to draft clinical study reports. Paywalled article here.
  3. Bureaucrats have also started using AI. It seems the natural order of things, considering the boss's order to use AI more to increase efficiency. Now that AI generates, consults, and advises on policies, what's next: state-sponsored AI poisoning?
  4. Roberto Rodriguez, in his blog post, shares his journey of building an AI agentic workflow engine with the open source framework Dapr.
  5. Anthropic CEO talks about AI and its future on an episode of Hard Fork. Worth listening.
  6. Christian Zot has generated a 50-point checklist to test nginx, using AI. While some items are applicable for almost all web servers, many points are specific to nginx. Have a read.

Thought provoking posts

  1. Ars Technica reports that from March 28, 2025, everything you say to Amazon Echo devices will be sent to Amazon. Kathy Reid says, in her LinkedIn post:
     "This means everything you say in your home - your domestic environment - is sent to a corporate whose goal is to generate revenue from that speech data."
  2. James Berthoty writes a great post on his blog about how firewall vendors like CheckPoint and PaloAlto have stopped fighting for their share of the CNAPP pie and have moved on to AI. Worth reading.
  3. Sygnia has published their field report for 2025, based on their incident response investigations throughout 2024. Worth a read.
  4. Sandeep Wawdane has written a blog post highlighting NFC intent vulnerabilities in Android apps. He has also built an app to help test these issues firsthand.

Tools

  1. Formatify - a Burp Suite request converter extension, created by Siddharth Joshi. Instantly converts HTTP requests into multiple formats like cURL, Python, PowerShell, and more. Get it here.
  2. ExportHunter - created by Bhargav Gajera for testing exported Android activities. One can generate and launch an APK to call activities with bundles, without using ADB or Android Studio. Saves a ton of time. His LinkedIn post, tool link.
  3. Matt Adams, creator of StrideGPT, released an LLM threat modeling benchmark, TM-Bench. Here's what he has to say about it (excerpts from the 'about' page of the benchmark):
    1. ...My mission with TM-Bench is to provide an open, transparent benchmark for evaluating and improving LLM-based threat modeling capabilities. I believe that rigorous evaluation is essential for responsible AI deployment in security contexts...
    2. ...TM-Bench is the first benchmark in the world to evaluate the capability of Large Language Models for threat modeling. While other benchmarks exist for general AI capabilities or even some security tasks, TM-Bench is uniquely focused on the complex task of identifying security threats in system designs...
  4. Hashcat is an excellent tool for cracking hashed passwords. However, I haven't met anyone who remembers the hash numbers for all hash types. Jonathan Hodgson has written a blog post on how he used FZF (a fuzzy finder for the command line) along with awk and sed to create a shortcut (works on bash and zsh) that simply works. Head over to the excellent piece.

At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.
