Metamorphic compilation (@tijme), Windows Secure Calls (@33y0re), macOS race condition exploit (@patch1t), NTLM relaying (@elad_shamir), iOS zero-click RE (@quarkslab), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-09-02 to 2025-09-08.
News
Specter Bash 2025 – October 6–9, 2025 | Denver, CO is SpecterOps' annual training event with a Halloween twist. Over four days, participants take part in SpecterOps courses on Red Team Operations, Tradecraft Analysis, Identity-driven Offensive Tradecraft, and Detection, led by the team behind BloodHound. When classes wrap up, evening sessions and community gatherings keep the energy going and give plenty of opportunities to connect with one another. Can’t attend in person? They have virtual options too! Last Week in Security readers get an exclusive 25% discount with code LWIS. Get the full details and register here. Sponsored
- Addressing the unauthorized issuance of multiple TLS certificates for 1.1.1.1 - I'm a bit surprised a company as security-focused as Cloudflare didn't notice a rogue certificate for their service for 7 months, one that was reported to them three separate times, two of them being mistriaged. Even if an attacker had the certificates, they would still need to intercept traffic to decrypt/respond to it.
- npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack - Supply chain attacks have been ramping up, and this attack on JavaScript's Node Package Manager (NPM) looks to be one of the biggest to date in terms of potential impact. Good news is the payload was just a cryptocurrency stealer. Imagine if it had been ransomware, or a stealthy APT.
- Firefox 32-bit Linux Support to End in 2026 - This lines up with Firefox's Extended Support Release for Windows 7, 8 and 8.1 also ending support in 2026, despite those operating systems having had no support from Microsoft since January 2023.
- Futurehome smart hub owners must pay new $117 subscription or lose access - This is ransomware and should be illegal.
Techniques and Write-ups
- Windows Internals: Secure Calls - The Bridge Between The NT Kernel and Secure Kernel - "This post will be taking a look at the architecture which allows NT, which is in a completely isolated region of physical memory from the Secure Kernel, to “hand off” execution to the Secure Kernel, as well as showcase some of the common patterns NT and SK use in regards to copying and encapsulating parameters and output from VTL 0 <-> VTL 1 and VTL 1 <-> VTL 0." Connor's posts are always worth the read, and he dropped Vtl1Mon (Virtual Trust Level (VTL 1) secure call tracing), to explore on your own.
- Exploiting the Impossible: A Deep Dive into A Vulnerability Apple Deems Unexploitable - Deep in Apple's file-copy API there was a race condition which Apple said was unexploitable. Spoiler: it was exploitable and required two patches to finally fix.
- Reverse engineering of Apple's iOS 0-click CVE-2025-43300: 2 bytes that make size matter - How about some more deep technical Apple exploitation? Parsing user generated content continues to be a hard problem, and this one was likely worth up to $7 million USD.
- Vibe Coding: A Pentester’s Dream - Some real world examples of AI-created code being confidently insecure. Our jobs are safe, for now.
- [PDF] The Renaissance of NTLM Relay Attacks: Everything You Need to Know - NTLM relay attacks continue to be effective, and even disabling NTLM doesn't save you from relaying, as Kerberos can be relayed in some instances.
- Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more - Integrity checks are only as good as the content they check, and in Electron apps, the checks don't cover the whole app. This post introduces "snapshot tampering."
Tools and Exploits
BloodHound OpenGraph Challenge - OpenGraph is live in BloodHound 8.0, and SpecterOps wants to see what you can do with it. Share your research, writeups, or talks for a chance at challenge coins, swag, and even SpecterOps training or a trip to SO-CON 2026. Submit your work here. Sponsored
- dittobytes - Metamorphic cross-compilation of C++ & C-code to PIC, BOF & EXE.
- sneaky_remap - A C and Go /proc/pid/maps cloak of invisibility for shared object files.
- once-campfire - Campfire is a web-based chat application. [Formerly a $299 product by Basecamp]
- tls-preloader - LD_PRELOAD library to bypass TLS certificate verification for debugging and testing. See more at, TLS NoVerify: Bypass All The Things.
- killerPID-BOF - Kill a process by specifying its PID. Short post here.
- MeetC2 - (MeetC2 a.k.a. Meeting C2) - A framework abusing Google Calendar APIs.
- raw-disk-parser - A tool to interact with Windows drivers to perform a raw disk read and parse out target files without calling standard Windows file APIs.
- orsted - Orsted C2 Framework.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Plex security incident - Jellyfin is looking better and better every day.
- eccm - Ethernet Cable Connection Manager.
- Secrover - Open-source security reports — no paywalls, just actionable insights.
- FFmpegs Pages - Simple media processing for everyone.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.