Arbitrary Command Injection
Overview renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitization of the user-supplied depName in the packagesToInstall and packagesToUninstall functions of the hermit manager. An attacker can execute arbitrary...
Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies
Summary The user-provided string depName in the hermit manager is appended to the ./hermit install and ./hermit uninstall commands without proper sanitization. Details Adversaries can provide a maliciously named hermit dependency in conjunction with a tweaked Renovate configuration file to trick...
EUVD-2026-2095
Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies...
GHSA-36J9-MX87-2CFF Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies
Summary The user-provided string depName in the hermit manager is appended to the ./hermit install and ./hermit uninstall commands without proper sanitization. Details Adversaries can provide a maliciously named hermit dependency in conjunction with a tweaked Renovate configuration file to trick...
EUVD-2022-33751
Malicious code in bioql PyPI...
EUVD-2022-33750
Malicious code in bioql PyPI...
EUVD-2022-33748
Malicious code in bioql PyPI...
EUVD-2022-33749
Malicious code in bioql PyPI...
Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware
Apple on Wednesday announced it plans to introduce an enhanced security setting called Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "highly targeted cyberattacks." The "extreme, optional protection" feature, now available for preview in beta versions ...
A week in security (June 27 – July 3)
Last week on Malwarebytes Labs: Ransomware review: June 2022 AstraLocker 2.0 ransomware isn’t going to give you your files back YTStealer targets YouTube content creators ZuoRAT is a sophisticated malware that mainly targets SOHO routers Amazon Photos vulnerability could have given attackers acce...
Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware
A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in...
Google Warns Spyware Being Deployed Against Android, iOS Users
Google is warning victims in Kazakhstan and Italy that they are being targeted by Hermit, a sophisticated and modular spyware from Italian vendor RCS Labs that not only can steal data but also record and make calls. Researchers from Google Threat Analysis Group TAG revealed details in a blog post...
Kazakh Govt. Used Spyware Against Protesters
An agent of the Kazakhstan government has been using enterprise-grade spyware against domestic targets, according to Lookout research published last week. The government entity used brand impersonation to trick victims into downloading the malware, dubbed “Hermit.” Hermit is an advanced, modular...
Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy
An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed. Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company...
WordPress Hermit plugin SQL injection vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. The WordPress Hermit plugin 3.1.6 and previous versions are vulnerable to SQL injection, which stems from the la...
WordPress Hermit plugin cross-site scripting vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blog sites on servers with PHP and MySQL. The WordPress Hermit plugin has a cross-site scripting vulnerability; no details of the vulnerability are currently...
WordPress Hermit plugin SQL injection vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. The WordPress Hermit plugin 3.1.6 and previous versions are vulnerable to SQL injection, which can be exploited by...
WordPress Hermit plugin cross-site request forgery vulnerability
WordPress is a suite of blogging platforms developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. The WordPress Hermit plugin has a cross-site request forgery vulnerability, which can be exploited by attackers to delet...
CVE-2022-29411
SQL Injection (SQLi) vulnerability in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allows attackers to execute SQLi attack via &id...
CVE-2022-29412
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allow attackers to delete cache, delete a source, create source...