Open Source Agentic Security Scanner.
Find verified vulnerabilities using open source models, 40x cheaper.
openhack.com
San Francisco, CA
Joined June 2025
Excited to launch OpenHack! 🚀
A fully open source agentic security scanner to hunt and verify security vulnerabilities.
Up to 40x cheaper, it is on par with Claude Opus 4.6 on CVE-Bench for finding logic based vulnerabilities in web apps.
Introducing OpenHack.
An Open Source Agentic Security Scanner that hunts and verifies vulnerabilities using open source models exclusively.
Up to 40x cheaper, it is on par with Claude Opus 4.6 on CVE-Bench.
Check it out at openhack.com!
Fun fact: In March 2022, the maintainer of node-ipc deliberately introduced malicious code into versions 10.1.1 and 10.1.2 that would overwrite files with heart emojis (❤️) on systems with IP addresses located in Russia or Belarus. (1/n)
This was done as a form of protest against Russia's invasion of Ukraine. The destructive code used an IP geolocation service to identify affected users and then overwrote accessible files, permanently deleting their contents. These malicious versions were online for about five hours before being replaced. (2/n)
Subsequent versions (11.0.0 and later) included the "peacenotwar" dependency, which dropped text files on users' desktops as a declared form of "non-violent protest". This incident affected major projects including the Vue.js framework and the Unity 3D gaming engine. The vulnerability was tracked as CVE-2022-23812 and received a critical severity rating of 9.8/10.
‼️ Another day, another NPM package compromise
node-ipc versions 9.1.6, 9.2.3, and 12.0.1, which together have over 800,000 weekly downloads, were published containing an obfuscated stealer/backdoor in the CommonJS bundle that activates on import.
The malware performs host fingerprinting, enumerates local files, steals credentials including AWS, Azure, GCP keys, SSH private keys, Kubernetes configs, Docker tokens, GitHub CLI tokens, and AI tool configurations, then exfiltrates them via DNS TXT queries and HTTPS POST to sh.azurestaticprovider.net.
Microsoft surpassed Claude Mythos using their new harness, MDASH (multi-model agentic scanning harness)!
MDASH uses GPT-5.4, Claude Opus 4.6, Sonnet 4.6 and absolutely smashed it on CyberGym.
microsoft.com/en-us/security…
Microsoft just dropped and just surpassed Mythos using Claude Opus 4.6, Sonnet 4.6 and GPT-5.4.
Proof that a great harness goes a really, really long way.
ShinyHunters removed list of schools from their website. It seems like Instructure has privately negotiated with ShinyHunters and is working on getting Canvas back online.
It's speculation. ShinyHunters removed Canvas / Instructure from their extortion page when the list of schools was also removed. Historically, nothing has really stopped ShinyHunters from leaking anything; they leak everything on their server based out of Russia:
http://91.215.85.103/pay_or_leak/
🚨 BREAKING: Instructure, the company behind Canvas, the LMS tool used by almost every university in the United States, has been breached by popular threat actor ShinyHunters.
List of breached schools:
http://91.215.85.103/pay_or_leak/instructure_affected_schools_list.txt