Search results related to "Secret"

Content containing "Secret"
🚨⚡️ Xi was showing off 300-year-old ancient trees in the secret Zhongnanhai gardens. Trump ignores the trees and asks: "Do you bring other Presidents here?" Xi shakes his head: "NO." -: Trump just wanted to make sure he’s the favorite. Peak Main Character Energy! 🤣😂
The US president and his Chinese counterpart had tea in the secretive Zhongnanhai leadership compound near Tiananmen Square amid concern that the high-profile visit has yet to yield significant deals on trade or agreements to resolve the Iran war.
🚨 SlowMist TI Alert 🚨
MistEye has received critical threat intelligence regarding an active supply chain attack compromising node-ipc, a foundational Node.js library. The malicious releases have been identified as versions 9.1.6, 9.2.3, and 12.0.1. Threat actors injected an obfuscated credential-stealing payload into the CommonJS bundle. Once loaded, it silently harvests over 90 categories of developer data—including AWS, Azure, GCP, SSH, K8s tokens, and Terraform states—and exfiltrates it to attacker-controlled infrastructure. We have synchronized this IOC with our clients immediately.
Detection & Remediation: Please urgently audit your environments for exposure:
• Dependencies: Run npm ls node-ipc --all to identify direct or transitive inclusions.
• Lockfiles: Search package-lock.json, yarn.lock, or pnpm-lock.yaml for the affected version ranges.
• CI/CD: Review pipeline jobs executed after May 14, 2026, that may have pulled loose semver updates (~9.1.x, ^12, etc.).
⚠️ Critical Action: If a compromised version was installed, assume certain compromise. Do not wait for exfiltration confirmation. Downgrade to a known safe version immediately and aggressively rotate all credentials, tokens, and environment secrets present on the affected machine or CI runner.
As always, stay vigilant!
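40 genuinely useful GitHub repositories
1. public-apis — collection of free APIs
2. build-your-own-x — learn by building
3. developer-roadmap — learn any technology
4. free-programming-books — free books
5. system-design-primer — master system design
6. coding-interview-university — self-study computer science
7. the-art-of-command-line — master the terminal
8. project-based-learning — project-based learning
9. you-dont-know-js — learn JavaScript in depth
10. the-book-of-secret-knowledge — hacker resources
11. tech-interview-handbook — ace your interviews
12. awesome-selfhosted — self-hosted applications
13. javascript-algorithms — visualized algorithms
14. 30-seconds-of-code — practical code snippets
15. gitignore — templates for every language
16. ollama — run AI models locally
17. langchain — quickly build AI applications
18. n8n — AI automation workflows
19. openclaw — local AI assistant
20. dify — visually create AI agents
21. langflow — drag-and-drop AI pipelines
22. mem0 — memory layer for AI agents
23. browser-use — AI controls the browser
24. ruflo — Claude agent orchestration
25. crewai — multi-agent AI teams
26. hermes-agent — open-source AI agent
27. markitdown — convert files to Markdown
28. maigret — OSINT across 3000+ websites
29. open-webui — self-hosted ChatGPT interface
30. aider — terminal AI coding assistant
31. agency-agents — a complete AI agent agency
32. tradingagents — multi-agent trading framework
33. browserbase-skills — Claude web SDK
34. autogen — Microsoft's multi-agent framework
35. metagpt — AI agent software company
36. lobe-hub — visual multi-agent platform
37. huggingface-transformers — foundation of modern AI
38. cocoindex — long-text agent engine
39. freeCodeCamp — learn to code for free
40. stable-diffusion-webui — local AI image generation
Most developers haven't saved a single one. Smart people saved all 40.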
🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication.
The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads.
The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require("node-ipc"), not through a postinstall script. Here’s what it does:
• Fingerprints the host (OS, arch, hostname, uname)
• Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more)
• Dumps the entire process.env, capturing every CI secret and cloud credential in memory
• Builds a gzip archive in a temp directory
• Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain)
The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively.
The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require("node-ipc").__ntRun() can trigger a second collection/exfiltration cycle.
ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are.
This is the same package involved in the 2022 protestware incident. It has a history.
If you use node-ipc:
• Do not install 9.1.6, 9.2.3, or 12.0.1
• Audit your lockfiles for these versions
• If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately.
• Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs
• Check for temp files matching /nt-/.tar.gz
Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector.
Developing story. Full technical breakdown and IOCs on the Socket blog:
NEWS: OpenAI hit with Class-Action Privacy Lawsuit for Sharing ChatGPT Data with Google and Meta. Sam Altman's OpenAI secretly embedded Meta’s Facebook Pixel and Google Analytics into ChatGPT, turning your most private conversations about health, finances, legal issues, and confidential company data into ad-targeting data sent straight to Meta and Google without consent. This violates federal wiretap laws. OpenAI enabled surveillance for profit.
🚨 BREAKING: node-ipc compromised. Again.
Three malicious versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published today carrying an identical credential-stealing payload. This package has 10M+ weekly downloads.
Here's what happened: An attacker injected an 80KB obfuscated IIFE into the CommonJS bundle. It fires on every require('node-ipc') call. No special config needed, just importing the package is enough.
What it steals:
→ AWS, Azure, GCP credentials
→ SSH private keys
→ Kubernetes configs
→ Docker tokens
→ GitHub CLI tokens
→ AI tool configs (including Claude)
→ Terraform state
→ 90+ credential file patterns in total
Everything gets gzipped and exfiltrated to an attacker-controlled domain (sh[.]azurestaticprovider[.]net) via DNS TXT queries and HTTPS POST, designed to look like normal traffic.
The attacker published across two major version lines simultaneously (9.x and 12.x) to maximize blast radius. Semver ranges like ^9, ~9.1.x, ~9.2.x, ^12, and ~12.0 all resolve to compromised versions automatically on the next install or lockfile refresh.
Key details: Only the CommonJS bundle (node-ipc.cjs) is affected. ESM imports are clean. The 9.x releases are fabricated. The 9.x line never shipped a .cjs bundle before this attack. This is a different actor from the 2022 peacenotwar incident. Purely financial, credential-theft motivation.
If you installed any of these versions, assume all secrets on that machine are compromised. Rotate everything.
Our full technical breakdown covers the attack chain stage by stage, IOCs, and how to check if you're affected:
Ahead of the bilateral meeting between U.S. and Chinese leaders, including President Trump and Chinese President Xi Jinping, Secretary of State Marco Rubio was spotted pointing up at the ceiling inside the Great Hall of the People in Beijing.
U.S. Delegation in China is under strict “digital lockdown” 🇺🇸🇨🇳 The entire U.S. delegation, led by President Trump, has left their personal smartphones, laptops, and tablets at home. Instead, officials, aides, and Secret Service personnel are using specially issued “clean” or burner devices with heavily restricted functionality and limited data access. U.S. federal guidelines strictly prohibit plugging any equipment into unknown USB ports or local charging stations due to the high risk of malware or data theft. Only verified government chargers and power banks are permitted. American officials are operating on the assumption that every Wi-Fi network and electronic device in China is potentially compromised. These extreme digital hygiene measures apply not only to government officials but also to the CEOs of major American corporations accompanying Trump. China’s embassy spokesman Liu Pengyu has rejected all accusations of cyber espionage.
Trump administration officials and American executives from various industries gathered outside the Great Hall of the People in Beijing awaiting President Trump’s arrival during his official visit to China. Among those seen were White House Deputy Chief of Staff Stephen Miller, Defense Secretary Pete Hegseth, Treasury Secretary Scott Bessent, Secretary of State Marco Rubio, as well as Tim Cook, Elon Musk and Jensen Huang.