Recently I followed the tracks of an attacker who had exploited administrator rights on an unpatched Windows 10 system. Further attacks on other internal systems were initially stopped by Windows 10 AppLocker. The execution of PowerShell/cmd was also forbidden by AppLocker. Minutes later, the hacker had overcome this security measure and continued his attack. AppLocker obviously had to have a vulnerability.
On the morning of 3 May 2019, an unknown hacker launched a coordinated attack against GitHub, Bitbucket and GitLab. The repositories of hundreds of accounts appear to have been completely wiped. The hacker claims to have downloaded the entire code and demands a Bitcoin payment for returning the code. We found out how the hack was done and how to protect against it.
All jQuery versions below 3.4.0 are affected by a new hacking technique called prototype pollution. Successful exploitation could allow an attacker to modify existing object properties, including security properties such as cookies or tokens. Privilege escalation, content manipulation, application hijacking and even remote code execution are possible.