Weaponized file name flaw makes updating glob an urgent job
Infosec In Brief Researchers have urged users of the glob file pattern matching library to update their installations, after discovery of a years-old remote code execution flaw in the tool's CLI.
Glob is used to find files using wildcards, is typically run as a library API, and is an all but universal part of the JavaScript stack. This vulnerability lives in glob's CLI tool, specifically the tool's -c flag used to execute commands on matching files.
Spotted by security researchers at automated infosec outfit AISLE, the project's GitHub page describes the 7.5-rated vuln (CVE-2025-64756) as follows.
"The implementation assumed filenames were trustworthy data, but this assumption was wrong," AISLE researchers noted. The researchers suspect the flaw went unnoticed for so long because, despite glob being downloaded more than ten million times a week on average, the CLI tool is rarely used, "and even fewer know that -c executes through a shell."
Glob versions v10.2.0 through v11.0.3 are vulnerable, and even then only in specific environments that process files from untrusted sources on POSIX systems with CI/CD pipelines or build scripts that invoke glob -c or glob --cmd.
Glob v10.5.0, v11.1.0, and v12.0.0 fix the issue; glob users who can check off all the vulnerability criteria are advised to update as soon as possible.
CISA warns of drone threat
The USA’s Cybersecurity and Infrastructure Security Agency (CISA) last week warned critical infrastructure managers to "be air aware" as the threat from unmanned aircraft systems (UAS – aka drones) continues to grow.
Drones, CISA said, can be used to deliver hazardous payloads that could damage infrastructure and harm people, conduct surveillance, and even possibly assist in cyberattacks.
"We continue to observe concerning UAS activity over sensitive critical infrastructure sites, which could interfere with regular facility operations, disrupt emergency response or authorized flight operations, and provide intelligence to malign actors," CISA noted.
While the agency doesn't have any information to suggest domestic or foreign extremists are currently using drones to plan attacks, intelligence suggests they have considered it.
Do you know where your DNS is pointing?
ESET researchers have discovered an attacker-in-the-middle kit being used by Chinese-aligned threat actors that could be deploying malicious updates on networks while leaving scant evidence of its activities.
ESET said the PlushDaemon APT group is behind the “EdgeStepper” network implant that hijacks DNS traffic and sends it to malicious nodes controlled by the threat actors.
The vendor thinks attackers install EdgeStepper by exploiting existing vulnerabilities in software running on network devices, or by gaining access to those devices using default or weak passwords. Once installed, EdgeStepper monitors traffic, and when it detects a device attempting to connect to a domain linked to software updates it snags the traffic and pushes out a malicious update package, further infecting machines on a compromised network.
Samourai cofounders head to prison
The cofounders of cryptocurrency laundering service Samourai Wallet are headed to prison, the Justice Department announced last week.
Samourai CEO Keonne Rodriguez will spend up to five years behind bars, while his cofounder and CTO William Lonergan Hill scored himself four years in Club Fed, for their roles operating the service, which the Justice Department said was actively promoted to criminals as a place to transmit their ill-gotten gains.
The service was used to launder more than 80,000 Bitcoin, amounting to around $2 billion at the time.
Cox caught in Oracle's E-Business Clop mess
Media conglomerate Cox Enterprises has admitted theft of 9,479 people's data stored in its Oracle E-Business instances as a result of ransomware gang Clop's reported attack on Big Red’s software.
Cox began sending breach notifications last week. The Register has seen some of the mails, which mention exposure of customer names and include blank fields to report other stolen info. The state of Maine's breach notification page, likewise, doesn't include any specifics as to what was exposed.
Cox, which has a number of subsidiaries including the Cox Communications broadband service, has been caught up in a lot of security incidents over the years, including a rather embarrassing incident in which an employee was tricked into handing over a database containing hundreds of thousands of customer records to a hacker who pretended to be a member of the firm's IT department. At least Cox can blame this one on a third party.®