Readit News

vin10 commented on AI-LLM powered eBPF based security platform · Posted by u/gaurav1086
vin10 · 3 months ago
Nice usability features, definitely. Apart from that, how would you say it compares against something like Sysdig Falco / Cilium + Tetragon?

Apart from this, a major issue is DNS-based dynamic filtering, which is way better to get right in a Kubernetes environment with something like Cilium. IP lists are impossible to manage with the modern level of third-party integrations.

vin10 commented on How to harden GitHub Actions   wiz.io/blog/github-action... · Posted by u/moyer
DGAP · 4 months ago
Great article!

I also found this open source tool for sandboxing to be useful: https://github.com/bullfrogsec/bullfrog

vin10 · 4 months ago
Interesting project, I think I just found a way to crash the sandbox, just reported via an advisory.
vin10 commented on How are cyber criminals rolling in 2025?   vin01.github.io/piptagole... · Posted by u/vin10
markbeare · 4 months ago
I work for a cybersecurity company, and I think that the method they used to check these links with the mentioned security companies was not a reflection of how they detect. I'm sure that many of these companies do not have these domains in their DBs of bad sites but if you were to run these products and then visit the site then heuristic detection would have likely flagged the sites.
vin10 · 4 months ago
I would have expected at least VirusTotal to flag them if that were the case. It does more than just look up a database of known malicious URLs, and I think the reputation of the domains is the key factor here.

https://www.virustotal.com/gui/url/6dd23e90ee436e1ff066725aa...

> BitDefender - government

> Sophos - government

> Forcepoint ThreatSeeker - government

- https://docs.virustotal.com/docs/how-it-works

vin10 commented on How are cyber criminals rolling in 2025?   vin01.github.io/piptagole... · Posted by u/vin10
charcircuit · 4 months ago
I'm curious if the link inside the pdf would have been detected.
vin10 · 4 months ago
It is the same for nested links as well. They mostly have a chain of links, each one taking you to a new one with hop count ranging anywhere from 5 up to 10 or more.
vin10 commented on Unfashionably secure: why we use isolated VMs   blog.thinkst.com/2024/07/... · Posted by u/mh_
vin10 · a year ago
> If you wouldn't trust running it on your host, you probably shouldn't run it in a container as well.

- From a Docker/Moby Maintainer

vin10 commented on Abusing url handling in iTerm2 and Hyper for code execution   vin01.github.io/piptagole... · Posted by u/vin10
Joker_vD · a year ago
There is also another escape sequence, OSC 1337, apparently already implemented in iTerm2 [0], which makes iTerm2 open the URL instead of printing it:

    The hypothetical new control code is different because it does not display a hyperlink; it directly opens the link using the appropriate system URL handler.
[0] https://gitlab.com/gnachman/iterm2/-/issues/10994

vin10 · a year ago
It is guarded by a warning and requires explicit approval similar to browsers but yes, it does broaden the attack surface: https://gitlab.com/gnachman/iterm2/-/commit/fc9ae5c90f53cb1e...
vin10 commented on Abusing url handling in iTerm2 and Hyper for code execution   vin01.github.io/piptagole... · Posted by u/vin10
Groxx · a year ago
> Any links using those schemes when clicked, would open the MacOS terminal to perform the corresponding action.

I'm unclear which of these are being described:

1: when printed and clicked, they may be handled by the terminal, and the terminal's handling allows more behaviors than it should, allowing code execution

2: when printed, these urls are automatically executed by the shell, allowing code execution

Neither are good of course, but they're different levels of badness, and I feel like I must be missing a single critical word somewhere to be able to figure out which it is.

---

That said, oh boy I do not want this:

> Most terminal emulators these days allow using Osc 8 to directly generate hyperlinks from arbitrary text.

Is there a standard way to disable it? That sounds awful, terminals don't have even a small fraction of browsers' malicious-link-defense mechanisms (as demonstrated). I always want to see the full url in a terminal.

vin10 · a year ago
It is the first one, they need to be printed and clicked.
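Since the risk in this thread depends on an OSC 8 hyperlink being printed and then clicked, one defensive option for untrusted output (CI logs, tool output piped to a terminal) is to strip the hyperlink escapes and print the real target next to the visible text, and to flag links whose scheme is not http(s) or whose visible text is itself a different URL. The following is an added example, not code from the original post or from any of the projects mentioned; the sample output and the `custom-handler://` scheme are constructed for illustration.

```python
import re

# OSC 8 hyperlink: ESC ] 8 ; params ; URI ST  <visible text>  ESC ] 8 ; ; ST
# ST (string terminator) is either ESC \ or BEL (0x07); both forms are accepted.
_ST = r"(?:\x1b\\|\x07)"
_LINK = re.compile(
    r"\x1b\]8;(?P<params>[^;\x1b\x07]*);(?P<uri>[^\x1b\x07]*)" + _ST
    + r"(?P<text>.*?)\x1b\]8;;" + _ST,
    re.DOTALL,
)
_STRAY = re.compile(r"\x1b\]8;[^\x1b\x07]*" + _ST)  # unmatched open/close sequences
SAFE_SCHEMES = {"http", "https"}

def scheme_of(uri):
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", uri)
    return m.group(1).lower() if m else ""

def extract_links(text):
    """Return (visible_text, uri) pairs for every complete OSC 8 hyperlink."""
    return [(m.group("text"), m.group("uri")) for m in _LINK.finditer(text)]

def suspicious_links(text):
    """Flag links with a non-http(s) scheme or whose visible text is a different URL."""
    flagged = []
    for visible, uri in extract_links(text):
        reasons = []
        if scheme_of(uri) not in SAFE_SCHEMES:
            reasons.append("non-http scheme")
        if scheme_of(visible.strip()) and visible.strip() != uri:
            reasons.append("visible URL differs from target")
        if reasons:
            flagged.append((visible, uri, reasons))
    return flagged

def reveal_osc8(text):
    """Rewrite each hyperlink as 'visible <uri>' so the real target is always printed."""
    text = _LINK.sub(lambda m: f"{m.group('text')} <{m.group('uri')}>", text)
    return _STRAY.sub("", text)

# Constructed sample: one benign link, one whose visible text hides a non-http target.
SAMPLE = (
    "docs: \x1b]8;;https://example.com/docs\x1b\\example.com/docs\x1b]8;;\x1b\\\n"
    "run:  \x1b]8;;custom-handler://do-something\x07https://example.com/safe\x1b]8;;\x07\n"
)

if __name__ == "__main__":
    print(reveal_osc8(SAMPLE), end="")
    for visible, uri, reasons in suspicious_links(SAMPLE):
        print(f"FLAG {visible!r} -> {uri!r}: {', '.join(reasons)}")
```

Piping output through `reveal_osc8` before it reaches the terminal gives the "always see the full URL" behaviour asked about above, independent of which terminal emulator is in use.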

u/vin10 · Karma: 322 · Cake day: September 11, 2023
About: https://vin01.github.io/piptagole/