JackTheHypeRipper blog

 🚨 OX Security dropped a report on four popular VS Code extensions - combined 128.5 million installs - and found that all four could be abused to steal files, scan internal networks, or execute arbitrary code on developer machines. Three CVEs remain unpatched months after disclosure. Let me pick one, which I personally use: Markdown Preview Enhanced (~8.5M installs) - CVE-2025-65716, CVSS 8.8 High - UNPATCHED Yet another one: built by an enthusiast developer, not a security-hardened enterprise product lab. 8.5 million installs of something someone built lovingly and which suddenly faces a Fortune-100-scale security response expectation. CVE-2025-65716 (CVSS 8.8) - the bug is a JavaScript injection in the preview pane. A malicious .md file can execute injected JS when you preview it. Your own notes and README files are fine. The bug bites when you open and preview an external, hostile Markdown file from an untrusted source - not just by having the extension installed and quietly si...

🚨 Apple patched a zero-day in dyld - the iPhone component that's been there since iOS 1.0 - and the internet got a little crazy. Apple's advisory: "extremely sophisticated attack against specific targeted individuals." It's more like "you'd know if you were on the list". Let's rip it! 😎 Three CVEs Walk Into a Bar This isn't a single shot. It's a three-act heist - and all three acts were required: CVE-2025-14174 (CVSS 8.8) - WebKit out-of-bounds memory access in the ANGLE/Metal renderer. Attacker sends a sneaky iMessage or crafts a nasty webpage. Your browser silently loads it. Code executes - but sandboxed. Bouncer lets you into the lobby, not the vault. CVE-2025-43529 (CVSS 8.8) - WebKit use-after-free. Same entry vector, different technique. A backup key to the same lobby door. Insurance. CVE-2026-20700 (CVSS 7.8) - dyld memory corruption. Meet the doorman exploit. dyld is the component that loads every library into every app on your ...

🇬🇧 🇺🇸 For English scroll down! 👇 --- 🇵🇱 Cześć ziomalki i ziomale! Gotowi na pierwszego szota cyber-espresso? ☕️ Dla zniechęconych postami z serii FUD Thursdays, tutaj będzie mniej technicznie i po naszemu 😋 🇵🇱 Pokażę Wam jeden "myk", którego oszuści użyli ostatnio w komunikacji ze mną na OLX. Postaram się Wam wytłumaczyć, po co to zrobili, bo uważam, że jak się coś zrozumie i zna się kontekst, to łatwiej to zapamiętać i wyłapać w przyszłości. Na wstępie zaznaczę, że choć OLX służy tu za przykład, to podobne triki spotkacie wszędzie gdzie ktoś może do Was napisać, a sam OLX robi co może, aby takie próby blokować. I za to należy się im (OLXom, nie oszustom) szacun! 👊 Ale do rzeczy! Wystawiłem przedmiot na OLX. Zero zainteresowania, minęły tygodnie i cisza. A tu nagle wiadomość: "Dziеń dоbrу, сzу pоѕt wсiąż аktυаⅼnу? prоѕzę о rеzеrwасję, pоdоbаłо mі ѕіę wѕzуѕtkо, zаpⅼасę z dоѕtаwą" (pisownia originalna) I zaraz potem: "trаnѕаkcја wуmаgа pоtwіеrdzеnіа — ...

  🚨 LayerX dropped a report on a zero-click RCE "CVSS 10/10" flaw 🌋 in Claude Desktop Extensions (DXT), claiming 10k+ users exposed. Apocalypse incoming? Or just spicy headlines to catch some attention? 😎 Let's dehype this FUD 🕷️🕷️🕷️ - no CVSS 11 zombies yet! ☠️💀 Zero-click? Really? 🤨 Installing a DXT - 1st click Accepting a Google Calendar invite - 2nd click Talking to your AI like it can read your mind (we do the same when we talk to people) - let's call that the 3rd click 😒 FUD Facts ✅ Yes, risky DXTs can hand over the ROOT keys!  🔑 But so does any untrusted software from GitHub, NPM, or PIP - no repo is malware-proof, even after decades of battles. This ain't malware; it's weak chaining logic in MCP. DXTs? Mostly hobbyist vibes from AI enthusiasts,  not Fortune 500 security squads. Double-click install from mcpservers.org/desktopextensions.com - well... beware! 🚨 Not Anthropic's fault!  Claude model is fine; MCP is their open standard (now L...

  🇬🇧 🇺🇸 After the warm welcome for the main blog, I'm launching "Hyper Ipper Coffee Break" – a biweekly mini-series with practical, non-technical cyber safety bits and quick scam-spotting guides.   Full posts will be in Polish with a condensed English summary. For English 🇬🇧 🇺🇸 scroll down! 👇 ----- 🇵🇱 Cześć przyjaciele i znajomi! 👋 SIORB KAWĘ I BROŃ SIĘ PRZED CYBER-ZŁOLAMI! ☕️ 🦹‍♂️ Po ciepłym przyjęciu bloga i FUD Thursdays wielu z Was pisało:   "Ej, może coś prostszego? Po polsku? Tak do kawy?".   I oto jest – ✨"Hyper Ipper do kawusi"✨ – lekka seria, trochę z jajem, do czytania do kawusi. Dla Ciebie i dla babci. Jak babcia poczyta, to pan z mocnym akcentem, co dzwoni z banku, sam jej zrobi Blika na wełniane skarpety. 🧶 😎 "Hyper Ipper do kawusi", czyli co? - Co dwa tygodnie (żebym się nie zasapał) - Dla ziomali po polsku i krótko po angielsku (dla dudes & chaps abroad) - Krótsze niż instrukcja ekspresu, dłuższe od sms-a dzi...

Hi 👋 🤙 I’m Jacek Fleszar (Jack) , a cybersecurity expert based in Poland, with 20+ years in the field. Most of my career was in international banks, and among other teams, I worked in the fascinating world of Cyber Intelligence. My true passion has always been cybersecurity itself - in every form. I love it from the deeply (socio)technical side to the truly (psycho)logical puzzles. Cyber is simply my sandbox with shiny but a bit dirty toys. Life can be as unpredictable as a zero-day! After some tough personal turns in recent years and a career shift toward development, I stayed quiet for a while - stepping back from public talks, conferences, and social spaces. But now it’s time to re-emerge, reconnect, and share again! 🚀 That’s why I’m launching FUD Thursdays to tackle Fear, Uncertainty, and Doubt. Each week, I’ll dissect the most hyped cybersecurity stories and cut through the noise! The name’s inspired by Poland’s Fat Thursday tradition - when we eat way too many doughnuts b...

🚨 @JackTheHyperipper : Notepad++ "hijack" hype? Let's look & Rip it! 😎 Discriminating, selective targeting + only v8.8.1–8.8.8, June-Dec 2025 updates. Worry if: 💀 Logs:  gup.exe/AutoUpdater.exe/update.exe  → non-official OR getDownloadUrl.php redirects 🤔 Having v8.8.9+ now does not guarantee you didn't update in June-Dec so check network logs for the time frame anyway. ✅ Manual DLs? Safe. Hush your chief! Official link: Notepad++ Statement #Hyperipper #HypeHush #ChiefHush #Hushtag TheHyperipper Post on X