npm is a dumpster fire. Yet another malicious package was discovered, and it was automagically brought into many projects thanks to dependencies. In other news, I learned about snyk, which is a pretty cool tool.
https://snyk.io/vuln/npm:eslint-scope
In dev news, the #1 development GUI of all time is being updated. Notepad!
https://www.theverge.com/platform/amp/2018/7/12/17563704/microsoft-windows-notepad-app-update
Apple wrote some code to appease the Chinese government and it was kind of a mess.
https://objective-see.com/blog/blog_0x34.html
Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.
http://seclists.org/fulldisclosure/2018/Jul/44
Remember when I said "Spectre is not exploitable"? Yeah, I was wrong. Again, and again, and again...
https://arstechnica.com/gadgets/2018/07/new-spectre-like-attack-uses-speculative-execution-to-overflow-buffers/
New variation of my favorite Weblogic vuln - CVE-2017-10271.
https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/
I wrote the tests for this vulnerability for Nikto.
https://github.com/sempf/nikto/commit/530351343da18f684b57fbf7431717cf24f9eb4e#diff-05c4b2da09480ffee5450fdf8fa8faac
And that's the news.