Attackers who breached Codecov for over 2 months also reportedly hacked into hundreds of networks. The full extent of this incident is yet to unfold in the upcoming weeks.

On April 1st, software testing firm Codecov became aware of a security incident.

The company learned that, for over two months, Codecov’s Bash Uploader scripts, used by hundreds or thousands of their customers, had been altered with a malicious line of code that exfiltrated information in the environment variables present on the users’ CI/CD environments to an attacker’s IP address.

Hundreds of Bank of America customers had trouble accessing their bank accounts yesterday due to Avast and AVG antivirus engines flagging the site as “malware.”

According to reports, hundreds of Bank of America customers had trouble accessing their bank accounts yesterday due to Avast and AVG antivirus engines flagging the site as “malware.”

Naturally, seeing a virus alert when visiting their banking website would worry any customer.

“I’m using Home Banking site for Bank of America. When I try to log in I get: HTML:PhishingBank-COV [Phish] virus warning… Bank of America says everything is fine on their end and that it is an error with Avast,” stated a Reddit user.

It’s not your usual erotica: it transcends normal. Don’t read it!

Yesterday, while spending a regular afternoon on Twitterverse, this popped up on my feed:

The $9.99 Transpact escrow fee could end up being 10x more, if you use a money transfer service, like TransferWise.

When buying and selling domains online, escrow services help protect the assets and both parties until terms have been mutually agreed to, and money has changed hands.

For any kind of transaction, from real estate to goods and services to domain names, an escrow workflow remains roughly the same. Instead of a buyer paying the seller directly and awaiting receipt of the goods and services (with the risk of fraud and non-delivery of goods by the seller), the buyer pays the funds to a “middle man” called an escrow agent, who holds onto these funds. …

Numerous user complaints ask the same question. And, what to do if your account is compromised?

Streaming service accounts get compromised all the time either due to data breaches, credential stuffing attacks from leaked databases, or simply because of users employing weak passwords.

How accessible a streaming service makes it for a rightful account owner to attempt recovery is what counts.

However, in the case of Hulu it may not be so simple, especially when a compromised account is too old, and let me explain why.

Yes, it happened to me (shame!). An ages-old disposable Hulu account I hadn’t used since college days, and which was set up with a lax password to trial the service, got…

Researcher awarded a $10,000 bounty for reporting the bug

Originally published on July 7, 2020.

PlayStation has disclosed a severe use-after-free vulnerability, over three months after it was reported.

The vulnerability discovered by researcher Andy Nguyen exists in PS4 Firmware versions 7.02 and below. After constructing a demonstrable Proof of Concept (PoC) exploit, the researcher had responsibly reported the flaw to the company in March 2020.

If exploited in conjunction with a WebKit/Chromium vulnerability (such as CVE-2018-4386, in PS4 firmware versions up to 6.72), an attacker could:

  • Achieve a fully chained remote attack on a console.
  • Steal or modify user data.
  • Dump and run pirated games…

Security company has accused an Israeli domain registrar of registering thousands of malicious domains powering Chrome malware

Originally published on June 26, 2020.

It is not unusual for malware to use malicious C&C servers and domains. However, what we learn this week is something entirely different, sinister, and operating at a much larger scale.

In a report published by the Awake Security Threat Research Team this week, we learn of an internet domain registrar which has enabled domain registrations, of which almost 60% are for malicious domains!

The Israeli company, CommuniGal Communication Ltd., aka GalComm, continues to run its operations today.

“Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, are…

Customers advised to carry alternate cards and payment methods

Originally published on June 26, 2020.

In an email sent out today to Curve card customers, it is stated that their card would no longer be working, at least temporarily.

Curve is an all-in-one credit card product in the UK which lets customers carry a single card, and switch between different credit and debit cards using the company’s app while using the same Curve card.

The bug could let an attacker take control of your computer from any malicious website they controlled!

Bitdefender Safepay

What happens when the very antivirus designed to keep you and your organization safe becomes a threat vector for the attackers to exploit?

Yesterday, I broke the news story on Bleeping Computer about a remote code execution vulnerability which was recently discovered and disclosed by security researcher and blogger Wladimir Palant.

Palant explained how the vulnerability, CVE-2020-8102, impacted Bitdefender versions up until the one released recently: “An automatic update to product version or later fixes the issue,” stated the company in an advisory.

Vulnerability Identifier: CVE-2020-8102
Date disclosed: June 22nd, 2020
Impacted components: Bitdefender Safepay
CVSS Score: 8.8 …

Timestamps on documents suggest the leak spans 24 years’ worth of data.

A group that goes by the name Distributed Denial of Secrets (DDoSecrets) has published 269 GB worth of data with hundreds of documents, images and sensitive information from over 200 police departments.

The legitimacy of this data has been confirmed by the National Fusion Center Association (NFCA) to KrebsOnSecurity.

Originally released via a tweet on Juneteenth (Jun 19th) 2020, the dump, according to DDoSecrets, contains “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources. Among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”

Ax Sharma

Security Researcher | Tech Columnist |
