PyPI Phishing Alert: The 3 Simple Steps to Prevent Your Account from Being HACKED and Your Packages Trojanized

Author: CyberDudeBivash · Secure supply-chain practices for Python publishers

Why you’re seeing PyPI phishing right now

Maintainers are being targeted with emails and DMs that pressure them to “verify” or “unlock” their PyPI account. The links open look-alike domains and prompt you to enter your username, password, or API token. Once an attacker steals your credentials, they can take over your project and trojanize future releases for every downstream user.

The 3 steps (do these today)

1) Enable Two-Factor Authentication (2FA)

  • Use a security key (WebAuthn/FIDO2) or an authenticator app (TOTP).
  • Store backup codes offline; add at least two 2FA methods.
  • Turn on any PyPI setting that requires 2FA for sensitive actions (password changes, token creation).

2) Remove long-lived API tokens (prefer Trusted Publishers)

PyPI supports Trusted Publishers using OpenID Connect (OIDC) from CI (e.g., GitHub Actions). This avoids copying a password-like token into CI/CD. If you must use tokens, make them project-scoped and short-lived, and rotate them after every release.

# .github/workflows/release.yml
name: Publish to PyPI (Trusted Publisher)
on:
  push:
    tags: [ "v*" ]
permissions:
  id-token: write    # required for OIDC to PyPI
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.11" }
      - run: pip install build
      - run: python -m build
      - name: Publish
        uses: pypa/gh-action-pypi-publish@release/v1   # no API token needed

Trusted Publisher example: publish without storing long-lived tokens.

3) Don’t bite the bait (anti-phishing habits)

  • Only sign in at https://pypi.org — type it or use a bookmark. Avoid look-alike domains.
  • Never share credentials or API tokens via web forms or chat. No staff will ask for them.
  • Use a password manager and a unique passphrase, and enable alerts for new logins or token creation.
  • Suspect you clicked? Rotate password & tokens immediately and review recent releases.
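
A triage helper for the first habit above, added here as an illustration and not part of the original post: it classifies a link from a message by its host alone. The allowlist, the one-edit threshold and the `.example` sample hosts are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumption of this example: the only hosts you ever sign in on.
TRUSTED_HOSTS = {"pypi.org", "test.pypi.org"}

def _edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return 'trusted', 'suspicious' or 'unrelated', judging the host only."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:
        # Show punycode (xn--) labels as the Unicode a reader would see.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not a valid IDNA name
    if parts.scheme == "https" and host in TRUSTED_HOSTS:
        return "trusted"
    # "pypi" anywhere in the authority covers pypi.org.account-check.example,
    # pypi-login.example and the userinfo form pypi.org@account-check.example.
    if "pypi" in host or "pypi" in parts.netloc.lower():
        return "suspicious"
    labels = host.split(".")
    sld = labels[-2] if len(labels) > 1 else ""
    # One edit away from "pypi" catches typos and single look-alike letters.
    if _edit_distance(sld, "pypi") == 1:
        return "suspicious"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample links on reserved .example names, not real indicators.
    for link in ("https://pypi.org/manage/account/",
                 "https://pypi.org@account-check.example/login",
                 "https://pyp1.example/account/login/",
                 "https://\u0440ypi.example/account/login/"):  # Cyrillic first letter
        print(classify_link(link), link.encode("ascii", "backslashreplace").decode())
```

A "suspicious" result means the link should not be followed; "unrelated" only means the host does not imitate PyPI, not that it is safe.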

Five-minute health check for your project

  • ✅ 2FA enabled with a security key + authenticator fallback
  • ✅ Publishing via Trusted Publishers or short-lived, project-scoped tokens
  • ✅ Release job does not echo secrets; logs are sanitized
  • ✅ CI requires code review and tags to publish
  • ✅ Offline list of maintainers and emergency rotation steps

If you think you interacted with a phish

  1. Rotate your PyPI password and revoke all API tokens, replacing them with project-scoped, short-lived ones.
  2. Audit the last releases and tags; verify hashes & contents.
  3. Notify co-maintainers and downstreams. If trojanization is possible, yank and publish a clean build.
  4. Enable 2FA and move to Trusted Publishers to prevent a repeat.
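
One way to carry out step 2, added here as an example and not taken from the original post: compare the files PyPI lists for a release with artifacts kept from your own release job. It assumes you saved those artifacts and that `release_json` is the response from `https://pypi.org/pypi/<project>/<version>/json`; the package name, dates and file contents are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large wheels are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_release(release_json, artifact_dir, suspect_since):
    """Return (filename, finding) pairs for the files PyPI lists under "urls"."""
    ours = {p.name: sha256_file(p) for p in Path(artifact_dir).iterdir() if p.is_file()}
    findings = []
    for f in release_json["urls"]:
        name = f["filename"]
        uploaded = datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        if name not in ours:
            findings.append((name, "not built by our release job"))
        elif f["digests"]["sha256"] != ours[name]:
            findings.append((name, "sha256 differs from our build"))
        if uploaded >= suspect_since:
            findings.append((name, "uploaded after suspected compromise"))
    return findings

def demo():
    """Constructed data: two artifacts kept from CI and a listing that does not match them."""
    sdist, wheel = b"constructed sdist bytes", b"constructed wheel bytes"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "demo_pkg-1.0.0.tar.gz").write_bytes(sdist)
        (Path(d) / "demo_pkg-1.0.0-py3-none-any.whl").write_bytes(wheel)
        other = hashlib.sha256(b"bytes we never built").hexdigest()
        listing = {"urls": [
            {"filename": "demo_pkg-1.0.0.tar.gz", "upload_time_iso_8601": "2025-09-01T10:00:00.000000Z",
             "digests": {"sha256": hashlib.sha256(sdist).hexdigest()}},
            {"filename": "demo_pkg-1.0.0-py3-none-any.whl", "upload_time_iso_8601": "2025-09-01T10:00:05.000000Z",
             "digests": {"sha256": other}},
            {"filename": "demo_pkg-1.0.0-cp311-cp311-win_amd64.whl", "upload_time_iso_8601": "2025-09-20T03:12:44.000000Z",
             "digests": {"sha256": other}},
        ]}
        since = datetime(2025, 9, 19, tzinfo=timezone.utc)  # constructed time of the phish
        return audit_release(listing, d, since)

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

Any finding is a reason to inspect that file's contents before deciding whether to yank the release.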
