🗣️ SPEC ID IS BETTER DEVICE ID

Device ID was built for a world where identity lived inside the browser. If JavaScript ran and signals were available, you could link sessions together and approximate a user. That model breaks the moment the browser stops cooperating.

💡 Spec ID doesn’t depend on the browser at all. More importantly, it changes what identity means. Instead of tying activity to a device, Spec ID ties activity to an actor.
➡️ Events that look unrelated start connecting
➡️ Reconnaissance links to execution
➡️ Signup, login, and transaction behavior collapse into a single journey

What looked like thousands of users resolves into one coordinated system. It's the identity layer that allows you to see how attacks actually operate. Once you can see the full journey, everything downstream gets better:
🛡️ Detection becomes more precise
📈 Models get cleaner data
👇🏼 False positives go down
👤 Real users experience less friction

Most systems are still evaluating moments while attackers are operating across time. Spec ID connects the two. Get the full breakdown →
Spec ID: Tying Activity to Actors, Not Devices
More Relevant Posts
Just another day a threat actor thought they could blend in through a living off the land technique. 🥸🏕️ In this case, an automated task at an employee workstation silently launched cmd.exe to execute a randomly-named JavaScript file via a hidden Node.js instance dropped in the user's AppData folder. We identified the activity as malicious within seconds and automatically contained the compromised user account by revoking sessions and disabling access. While endpoint containment wasn't enabled at the time, this customer enabled it shortly after containing the host. 💪
Tired of taking screenshots and copying console logs just to fix tiny UI bugs? Meet Ayn, an AI-powered tool designed to save frontend developers time and headaches. Instead of manually feeding context to your IDE agent, Ayn uses Google Cloud Gemini 2.5 Computer Use to automatically scan your website. Just ask it to find problems on your webpage, and it will orchestrate the prompts to:
📸 Gather screenshots automatically
💻 Pull logs straight from the console
🧠 Feed the data into a large language model to diagnose the exact issues and provide solutions

Ayn can instantly identify a broken link, a hover animation error, a console error, and missing alt text! Huge shoutout to the Freetail Hackers HackTX 2025 winner, Best Use of Gemini 2.5 Computer Use Model! Nathan Negera, Abel Tadele, Kidus Beshah, and Bemnet Beshah! 👏 🔗 Check out how they built it on Devpost and connect with the team! https://lnkd.in/gbwHBpiP
Every time you visit LinkedIn in a Chrome-based browser, a JavaScript routine scans your browser for 6,000+ installed extensions. They call it fraud detection. Researchers are calling it surveillance. Maybe it's both. 👀 Which raises the question: How much do you actually know about your digital footprint...and who's looking at it? Full article from Cristian Dina at TNW: https://lnkd.in/eDEEedFz
Launching brin: the universal allowlist for agents. If your agent has web search, it's hitting untrusted pages. If it accepts email, it's reading attacker-controlled content. If it's working on a repo with outside contributors, it's trusting code from people it knows nothing about. Most teams rely on the model itself to flag threats in that context. We tested how well that works. 485 real artifacts. Claude 4.6 Opus with a security-focused system prompt. The model missed 57% of the threats brin had already identified. Add brin to your agents and workflows today. One GET request. No SDK, no auth. Free to use. Open data. Link in comments 👇
Most developers think JWT = secure. That’s a dangerous assumption. You can see and break JWT auth with bad implementation yourself below: https://lnkd.in/gSVriuQr

5 issues with login authentication from server to client using JWT auth:
• alg=none bypass
• Payload tampering
• Key confusion (RS256 → HS256)
• Token leakage (XSS)

Specify alg on verify to avoid two issues:
• alg=none
• Key confusion (RS256 → HS256)

Still, for login auth from client to server it's not a good idea to use JWT tokens. To understand in detail, check out these resources:
https://lnkd.in/gz7HKk4D
https://lnkd.in/g92dKXPQ
https://lnkd.in/gMgpMQiY
JSON Web Tokens Suck
https://www.youtube.com/
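The "specify alg on verify" control the post recommends, as an added example that is not the post's own code: a minimal HS256 verifier using only the Python standard library, with a verifier that trusts the token's own header (and so accepts alg=none) beside one that pins the algorithm server-side. RS256→HS256 key confusion is not modelled because the standard library has no RSA, but the pinned header check is the same control that blocks it; the secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed value; never hardcode a real secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(header: str, body: str, secret: bytes) -> bytes:
    return hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a normal HS256 token (server side)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_hs256(header, body, secret))}"

def tampered_alg_none_token(claims: dict) -> str:
    """Constructed test vector: alg=none header, edited claims, empty signature."""
    header = _b64(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64(json.dumps(claims).encode())}."

def verify_trusting_header(token: str, secret: bytes):
    """Vulnerable: lets the token's own header choose the algorithm."""
    header, body, sig = token.split(".")
    alg = json.loads(_unb64(header)).get("alg")
    if alg == "none":  # signature is never checked, so any claims are accepted
        return json.loads(_unb64(body))
    if alg == "HS256" and hmac.compare_digest(_hs256(header, body, secret), _unb64(sig)):
        return json.loads(_unb64(body))
    return None

def verify_pinned(token: str, secret: bytes, expected_alg: str = "HS256"):
    """Hardened: the server decides the algorithm; a mismatching header is rejected."""
    if expected_alg != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != expected_alg:
            return None  # alg=none, RS256, or anything else the server did not choose
        if not hmac.compare_digest(_hs256(header, body, secret), _unb64(sig)):
            return None  # tampered payload or wrong key
        return json.loads(_unb64(body))
    except ValueError:  # malformed base64, JSON, or segment count
        return None
```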
Ever wondered why some accounts get flagged even when the proxy looks fine? The answer may be browser fingerprints. 🌐 Platforms can collect details like your OS, browser type, screen size, fonts, WebRTC, Canvas, and WebGL to build a unique browser identity.

⚠️ So even with a proxy:
• your setup can still look suspicious
• accounts can still be linked
• fingerprint mismatch can still expose risk

💡 Safer setups usually need:
✔️ isolated browser profiles
✔️ consistent fingerprint signals
✔️ proper proxy matching

⭐️ With DICloak (https://lnkd.in/gTnihu7T), you can keep profiles separate and manage fingerprint settings with more control. 🔗 Learn more (https://lnkd.in/gfDR7_Dt) #DICloak #antidetectbrowser #fingerprints #webrtc
A new evolution of the GlassWorm campaign highlights a growing risk in developer environments. Attackers are now using malicious extensions to compromise not just one tool—but every IDE installed on a system. At the center of this campaign is a fake extension named “specstudio.code-wakatime-activity-tracker,” which impersonates the popular time-tracking tool WakaTime. Read More: https://lnkd.in/gqaJsxw6
OID-See v1.1.0 is live. This one’s a bit different - it shifts from scoring signals in isolation to looking at when those signals actually matter. Permissions, publishers, reachability... none of them are inherently risky on their own. Risk shows up when they intersect with tenant posture.

So instead of: “this looks risky”
You get: “this becomes risky under these conditions”

Less noise. More context. More defensible output. Also a big shoutout to my first external contributor Suryendu Bhattacharyya for adding new auth methods - much easier to just run it now 🙌 Release + write-up: https://lnkd.in/eQNugC2X
The integration you need isn’t in the catalog. Now what? Most teams end up choosing between waiting, hacking together scripts outside their pipeline, or giving up on the tool entirely. None of those help you ship. RudderStack's Custom Device Mode Integration changes that. Your team can connect any browser-based tool using a simple JavaScript interface while still getting consent enforcement, event filtering, transformations, and isolation built in. No workarounds. No blind spots. Just full control over how data moves. Get the full story. Link in comments ⬇️
How 70,000 Passport Scans Were Exposed: The Deadly Chain of JS Minification and IDOR + Video Introduction: In a recent real‑world incident, a security researcher discovered over 70,000 passport scans exposed through a seemingly secure web application. The breach was not the result of a single critical vulnerability, but a chain of two medium‑severity issues: hardcoded API credentials hidden inside a minified JavaScript bundle, combined with an Insecure Direct Object Reference (IDOR) that allowed unauthorized access to any user’s documents....