
Shaarli Daily

All of a day's links on one page.

May 6, 2025

Evil Deno: Abusing the Nicest JavaScript Runtime: Taggart Tech

I've been following the development of Deno for some time. It kind of pushes all my buttons: a Rust-based Node alternative with an active web developer community?? Yes please.

As a developer, I've been looking for excuses to use Deno because, frankly, it's so much fun. It makes JavaScript/TypeScript enjoyable again by shipping sane defaults and making delightful choices about dependency management.

Deno also has some truly incredible features that go beyond the web development ecosystem. I want to focus on these features. I've wanted to explore Deno from an offensive security perspective for some time, but a new development in version 2.3 made this imperative: deno.exe—the standalone binary that constitutes the entire tool—is now code-signed on Windows.

Great news for Deno! But because of what Deno can do, it's also good news for those who would do nefarious things with it.

Code signing is a guarantee that the binary you got is the one you're supposed to have. It's supposed to be a higher level of trust than simply a hash checksum, since this is Microsoft telling you a trusted developer shipped this program.

It also means (for now), that Defender SmartScreen gives deno.exe a pass.

So what can Deno do for the red team and the ne'er-do-wells? I've put together a small sampling of demonstrations of Deno's capabilities.

I'm focusing somewhat on the "ClickFix" attack vector, since it is so prevalent at the time of writing, and apparently so effective. So with each of these, I want you to imagine some version of a user opening Win+R and pasting a short command in.

Sharp rise in reported cyber incidents in Switzerland

The number of reported cyber incidents and online threats in Switzerland rose sharply last year, according to the National Cyber Security Centre (NCSC).

Last year, almost 63,000 cyber-related incidents were reported to the National Cyber Security Centre (NCSC) in Switzerland, an increase of 13,500 cases over the previous year. Between July and December, the NCSC recorded more than 28,000 incidents, slightly fewer than in the first half of 2024.

Fraud, phishing and spam messages continue to be the most frequently reported incidents. The increase on the previous year is mainly due to the phenomenon of false calls in the name of the authorities, with almost 22,000 reports compared with around 7,000 the previous year.

On the other hand, the number of e-mail threats has dropped. Over the past four years, fraudsters have used the telephone more as a communication channel.

Cross-border cyber threats require international solutions

Bern, 06.05.2025 — The latest semi-annual report of the Federal Office for Cybersecurity (OFCS) shows how cybercriminals operate internationally and what means they use to spread their attacks. Because cyber threats are now global and dependence on global software solutions is growing, cooperation between states is gaining importance in this area. To strengthen cybersecurity in Switzerland, the obligation to report cyberattacks against critical infrastructure came into force on 1 April 2025. The principles of this obligation are harmonised with international standards and EU directives.

As the first point of contact for the public in the event of cyber incidents, the OFCS has been receiving voluntary reports of incidents occurring in cyberspace via an online form since 2020. Analysis of these reports shows how cybercriminals operate internationally and develop new methods and strategies to spread their attacks. The latest OFCS semi-annual report presents these developments as well as the cyber threat situation, in Switzerland and worldwide, in the second half of 2024.

From July to December 2024, the OFCS received 28,165 reports of cyber incidents, slightly fewer than in the first half of the year. Over the whole of 2024 it recorded 62,954, which is 13,574 more than the previous year. These fluctuations are mainly explained by the waves of calls in the name of fake authorities. The ratio between reports from the public (90%) and those from companies, associations or authorities (10%) remained stable. Among companies, there was a sharp rise in CEO fraud (719 in 2024 versus 487 in 2023). As usual, the categories most frequently cited by people who filled in the online form were "Fraud", "Phishing" and "Spam". As for fraudulent prize competitions, the OFCS even received three times more reports than usual in the second half of 2024.

Signal clone used by Trump official stops operations after report it was hacked

A messaging service used by former National Security Advisor Mike Waltz has temporarily shut down while the company investigates an apparent hack. The messaging app is used to access and archive Signal messages but is not made by Signal itself.

404 Media reported yesterday that a hacker stole data "from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the US government to archive messages." 404 Media interviewed the hacker and reported that the data stolen "contains the contents of some direct messages and group chats sent using [TeleMessage's] Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat."

TeleMessage is based in Israel and was acquired in February 2024 by Smarsh, a company headquartered in Portland, Oregon. Smarsh provided a statement to Ars today saying it has temporarily shut down all TeleMessage services.

"TeleMessage is investigating a recent security incident," the statement said. "Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational."

Last week, Waltz was photographed using the TeleMessage Signal app on his phone during a White House cabinet meeting. Waltz's ability to secure sensitive government communications has been in question since he inadvertently invited The Atlantic Editor-in-Chief Jeffrey Goldberg to a Signal chat in which top Trump administration officials discussed a plan for bombing Houthi targets in Yemen.

Waltz was removed from his post late last week, with Trump nominating him to serve as ambassador to the United Nations.

wget to Wipeout: Malicious Go Modules Fetch Destructive Payload

Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.

The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.

No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.

Introduction: The Silent Threat

In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:

github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy

Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket's scanners flagged the suspicious behaviors, leading us to a deeper investigation.

Linux wiper malware hidden in malicious Go modules on GitHub

A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.

The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them.

Complete disk destruction

The attack appears designed specifically for Linux-based servers and developer environments, as the destructive payload, a Bash script named done.sh, runs a 'dd' command to carry out the file-wiping activity.

Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute.

An analysis from supply-chain security company Socket shows that the command overwrites with zeroes every byte of data, leading to irreversible data loss and system failure.

The target is the primary storage volume, /dev/sda, that holds critical system data, user files, databases, and configurations.

“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket

The researchers discovered the attack in April and identified three Go modules on GitHub that have since been removed from the platform:

github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy