Tag: api

Massive GitHub Leak: 39M API Keys Credentials Exposed How to Strengthen Security

Apr 3, 2025 10:42 AM

Tags: api, credentials, cyber, data-breach, github, leak, risk

Over 39 million API keys, credentials, and other sensitive secrets were exposed on GitHub in 2024, raising considerable alarm within the developer community and enterprises globally. The scale and impact of this leak have underscored the growing risks tied to improperly handled credentials and highlighted the urgent need for robust security practices. GitHub, the world’s…
Legacy Stripe API Exploited to Validate Stolen Payment Cards in Web Skimmer Campaign

Apr 3, 2025 7:42 AM

Tags: api, breach, data, exploit, programming, threat

Threat hunters are warning of a sophisticated web skimmer campaign that leverages a legacy application programming interface (API) from payment processor Stripe to validate stolen payment information prior to exfiltration.”This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect,” Jscrambler researchers Pedro…
Verizon Call Filter API flaw exposed customers’ incoming call history

Apr 2, 2025 10:47 PM

Tags: access, api, data-breach, flaw, vulnerability

A vulnerability in Verizon’s Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/verizon-call-filter-api-flaw-exposed-customers-incoming-call-history/
GitHub expands security tools after 39 million secrets leaked in 2024

Apr 2, 2025 8:56 PM

Tags: api, credentials, data-breach, github, tool

Over 39 million secrets like API keys and account credentials were leaked on GitHub throughout 2024, exposing organizations and users to significant security risks. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/github-expands-security-tools-after-39-million-secrets-leaked-in-2024/
Stripe API Skimming Campaign Unveils New Techniques for Theft

Apr 2, 2025 6:55 PM

Tags: api, attack, malicious, theft

A novel skimming attack has been observed by Jscramber, using the Stripe API to steal payment information by injecting malicious scripts into pages First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/stripe-api-skimming-campaign-new/
Malicious actors increasingly put privileged identity access to work across attack chains

Apr 2, 2025 12:55 PM

Tags: access, ai, api, apt, attack, authentication, best-practice, breach, cisa, cisco, cloud, corporate, credentials, cybercrime, cyberespionage, data, detection, email, endpoint, exploit, framework, group, healthcare, identity, infrastructure, login, malicious, malware, mfa, microsoft, network, open-source, password, phishing, phone, ransomware, service, social-engineering, strategy, threat, tool, vpn, windows

Lateral movement: Leveraging privileged access to act in plain sight: Once situated on the corporate network, compromised credentials also allow attackers to expand access to other internal systems with a reduced likelihood of being discovered or triggering malware detection.According to Talos, nearly half of investigated identity attacks targeted Active Directory, with another 20% targeting cloud…
Unitree Go1: Gefährliche Backdoor in populärem Roboterhund entdeckt

Apr 2, 2025 12:55 PM

Tags: api, backdoor, china, risk

Ein Roboterhund aus China konnte mit einem bestimmten API-Key aus der Ferne gesteuert werden – mit erheblichen Risiken für Personen in der Nähe. First seen on golem.de Jump to article: www.golem.de/news/unitree-go1-gefaehrliche-backdoor-in-populaerem-roboterhund-entdeckt-2504-194933.html
10 best practices for vulnerability management according to CISOs

Apr 2, 2025 8:56 AM

Tags: api, attack, automation, best-practice, business, ceo, cio, ciso, control, cybersecurity, data, detection, framework, group, incident response, metric, mitre, penetration-testing, programming, ransomware, risk, risk-management, service, software, strategy, technology, threat, tool, update, vulnerability, vulnerability-management

1. Culture Achieving a successful vulnerability management program starts with establishing a cybersecurity-minded culture across the organization. Many CISOs admitted to facing historical cultural problems, with one summing it up well. “Our cybersecurity culture was pretty laissez-faire until we got hit with Log4J and then a ransomware attack,” he told CSO. “These events were an…
New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor for Stealth

Apr 2, 2025 8:56 AM

Tags: api, cybersecurity, detection, github, malware

Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems.”Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls),” Zscaler ThreatLabz researcher Muhammed Irfan V…
Wiz’s Security GraphDB vs. DeepTempo’s LogLM

Apr 2, 2025 12:55 AM

Tags: access, ai, api, attack, automation, best-practice, breach, business, cisa, cloud, container, credentials, cve, cybersecurity, data, data-breach, defense, detection, exploit, flaw, framework, guide, iam, identity, infrastructure, intelligence, Internet, jobs, kev, leak, LLM, login, malicious, mitre, ml, network, phishing, risk, social-engineering, strategy, technology, threat, tool, update, vulnerability, vulnerability-management, zero-day

How can a friendly Eye of Sauron help the Wizards? Cloud security is evolving beyond silos. Wiz’s meteoric rise has been powered by a fresh approach: an agentless, graph-based view of risk context across the cloud stack that supplanted a number of point solutions and created the Cloud-Native Application Protection Platform category (CNAPP). If you want…
The urgent reality of machine identity security in 2025

Apr 1, 2025 9:55 PM

Tags: access, ai, api, automation, breach, business, cloud, compliance, computing, credentials, crypto, cyber, encryption, exploit, identity, intelligence, resilience, risk, threat, unauthorized, vulnerability

The growth of machine identities and the associated risks Machine identities are experiencing exponential growth, with 79% of organizations predicting increases over the next year and 16% of those expecting radical growth of 50 to 150%. Cloud-native technologies, microservices, and artificial intelligence (AI) drive this surge because they’re environments where identities are created and discarded…
How CISOs can use identity to advance zero trust

Apr 1, 2025 9:55 PM

Tags: access, api, attack, authentication, automation, business, ciso, compliance, control, credentials, cyberattack, cybersecurity, data, governance, iam, identity, malware, organized, resilience, risk, risk-assessment, strategy, tactics, threat, unauthorized, vulnerability, zero-trust

Identity: The decision point Perimeter-based security models built to keep attackers out won’t work when 60% of breaches now involve valid credentials. As my colleague Andy Thompson says, “It’s much easier to log in than hack in.”Every entity (human or non-human) accessing a resource (applications, data or other entities) requires an identity. That’s why identities are so…
Salt Security: Focused on Solving Real Business Problems

Apr 1, 2025 9:55 PM

Tags: api, attack, best-practice, breach, business, compliance, data, data-breach, detection, exploit, finance, GDPR, governance, government, HIPAA, incident response, infrastructure, mitigation, monitoring, PCI, privacy, programming, risk, service, soc, strategy, threat, tool, unauthorized, vulnerability

In today’s digital landscape, APIs (Application Programming Interfaces) have become integral to business operations, enabling seamless integration and innovation. However, this increased reliance on APIs has also introduced significant security challenges. Salt Security offers a comprehensive solution to these challenges, providing organizations with the tools they need to protect their digital assets effectively. This blog…
API testing firm APIsec exposed customer data during security lapse

Mar 31, 2025 7:19 PM

Tags: api, data, data-breach, Internet

tion>
Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk

Mar 31, 2025 4:13 PM

Tags: access, api, authentication, control, risk, tool, vulnerability

Despite advancements in API security, access control vulnerabilities, such as broken object-level authentication (BOLA) and broken function-level authentication (BFLA), remain almost impossible to detect. This blog will explore why these vulnerabilities are so difficult to detect, the limitations of current security tools, and the implications for businesses relying on API-driven applications. It will also discuss…
New Python-Based Discord RAT Targets Users to Steal Login Credentials

Mar 29, 2025 5:13 AM

Tags: access, api, control, credentials, cyber, cybersecurity, exploit, login, malware, rat

A recently identified Remote Access Trojan (RAT) has raised alarms within the cybersecurity community due to its innovative use of Discord’s API as a Command and Control (C2) server. This Python-based malware exploits Discord’s extensive user base to execute commands, steal sensitive information, and manipulate both local machines and Discord servers. Bot Initialization and Functionality…
Nine-Year-Old npm Packages Hijacked to Exfiltrate API Keys via Obfuscated Scripts

Mar 29, 2025 5:13 AM

Tags: api, blockchain, crypto, cybersecurity

Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems.”Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers,” Sonatype researcher Ax Sharma said. “However, […] the latest First seen…
PCI DSS 4.0 Compliance Requires a New Approach to API Security

Mar 27, 2025 9:37 PM

Tags: api, compliance, data, exploit, finance, malicious, PCI, service, threat

Retailers, Financial Services, and the API Security Wake-Up Call With the PCI DSS 4.0 compliance deadline fast approaching, Cequence threat researchers have uncovered troubling data: 66.5% of malicious traffic is targeting retailers. And attackers aren’t just after payment data. They’re weaponizing APIs to exploit every stage of the digital buying process. The conclusions in this……
CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw

Mar 27, 2025 7:34 PM

Tags: access, api, attack, control, cve, cvss, data, exploit, flaw, malicious, risk, router, theft, unauthorized, update, vulnerability

IntroductionOn March 21, 2025, a critical vulnerability, CVE-2025-29927, was publicly disclosed with a CVSS score of 9.1, signifying high severity. Discovered by security researcher Rachid Allam, the flaw enables attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. This poses a risk to applications that rely on Middleware to…
Reality Bites: You’re Only as Secure as Your Last API Deployment

Mar 27, 2025 1:34 PM

Tags: access, api, application-security, attack, authentication, best-practice, breach, business, compliance, control, data, data-breach, endpoint, exploit, finance, fintech, flaw, framework, governance, guide, healthcare, mobile, monitoring, risk, service, startup, strategy, threat, tool, unauthorized, update, vulnerability

In agile and DevOps-driven environments, APIs are frequently updated to meet evolving business demands, from adding new features to addressing performance issues. However, each deployment introduces potential security risks, as new code, configurations, and endpoints can expose vulnerabilities. In an environment of continuous integration and continuous deployment (CI/CD), the security of an organization’s APIs hinges…
CoffeeLoader: A Brew of Stealthy Techniques

Mar 26, 2025 10:34 PM

Tags: access, antivirus, api, attack, backup, cloud, communications, computer, control, data, detection, edr, encryption, endpoint, group, Hardware, iphone, malware, mobile, network, open-source, RedTeam, software, threat, tool, vulnerability, windows

IntroductionZscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call…
Securing Canada’s Digital Backbone: Navigating API Compliance

Mar 26, 2025 8:35 PM

Tags: api, attack, authentication, best-practice, breach, compliance, cyber, data, detection, encryption, flaw, framework, governance, government, infrastructure, monitoring, regulation, risk, service, strategy, threat, vulnerability

Highlights: Understanding Canadian API Standards: Key principles for secure government API development. Critical Importance of API Security: Why robust protection is vital for citizen data. Compliance and Trust: How adherence to standards builds public confidence. Key Security Considerations: Essential practices for Canadian organizations. Salt Security’s Alignment: How the Salt API Security Platform supports Canadian government…
Understanding RDAP: The Future of Domain Registration Data Access

Mar 26, 2025 6:13 AM

Tags: access, api, attack, authentication, china, compliance, control, cyber, cybercrime, cybersecurity, data, detection, exploit, framework, fraud, GDPR, incident response, infrastructure, intelligence, Internet, law, malicious, malware, phishing, privacy, regulation, service, threat, tool, vulnerability
The Unseen Battle: How Bots and Automation Threaten the Web

Mar 25, 2025 6:13 PM

Tags: api, automation, control

New research from F5 Labs examined over 200 billion web and API traffic requests from businesses with bot controls in place. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/03/the-unseen-battle-how-bots-and-automation-threaten-the-web/
API Security: Another Critical Asset Under Threat

Mar 24, 2025 6:13 PM

Tags: api, cyber, defense, threat, vulnerability

Adam Arellano of Traceable by Harness on Creating Multi-Layered Defense. Increasingly, APIs are in cyber adversaries’ crosshairs. What creates vulnerability complexities in API environments, and what can be done to create a more effective, multi-layered defense? Adam Arellano of Traceable by Harness discusses how AWS and Traceable tackle this challenge. First seen on govinfosecurity.com Jump…
Cloudflare now blocks all unencrypted traffic to its API endpoints

Mar 23, 2025 10:13 PM

Tags: api, endpoint

Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-unencrypted-traffic-to-its-api-endpoints/
Imperva Named a Leader in Forrester Wave: Web Application Firewall (WAF) Solutions: A Continued Legacy of Excellence

Mar 21, 2025 3:13 PM

Tags: api, firewall, waf

In today’s digital-first environment, protecting web applications and APIs is a critical priority for businesses. Organisations seek trusted solutions that balance robust protection, scalability, and ease of use. It’s no surprise that Imperva has been named a Leader in the Forrester Wave: Web Application Firewall (WAF), Q1 2025. For us, this recognition further solidifies Imperva’s……
Cloudflare Shifts to HTTPS-Only for APIs, Closing All HTTP Ports

Mar 21, 2025 7:13 AM

Tags: api, cyber, data, privacy, unauthorized

Cloudflare has announced that it will shift its APIs to HTTPS-only connections, effectively closing all HTTP ports. This strategic decision aims to protect sensitive data from being intercepted by unauthorized parties during transmission. The change marks a crucial step forward in the company’s mission to safeguard users’ privacy and ensure the integrity of online communications.…
70% of leaked secrets remain active two years later

Mar 20, 2025 7:13 AM

Tags: api, breach, credentials, data-breach

Long-lived plaintext credentials have been involved in most breaches over the last several years, according to GitGuardian. When valid credentials, such as API keys, … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/03/20/leaked-secrets-threats-in-cybersecurity/
How to detect Headless Chrome bots instrumented with Playwright?

Mar 20, 2025 6:14 AM

Tags: api, browser, chrome, credentials, tool

Headless Chrome bots powered by Playwright have become a go-to tool for bot developers due to their flexibility and efficiency. Playwright’s cross-browser capabilities, coupled with an API similar to Puppeteer and the lightweight nature of Headless Chrome, make it a powerful choice for tasks like web scraping, credential First seen on securityboulevard.com Jump to article:…