SECURITY Archives | Animated Creativity

vm2 sandbox escape strikes again: CVE-2026-24118 and the case against running untrusted JS in your Node process

May 8, 2026 by

Close-up of colourful JavaScript source code on a dark monitor — photo by Peaky on Pexels

Today’s CVE drop: a dozen vulnerabilities in vm2, the popular Node.js sandbox library, with three of them at CVSS 9.8 — full sandbox escape, arbitrary code execution on the host. CVE-2026-24118 leverages JavaScript’s __lookupGetter__ to break out. CVE-2026-24120 bypasses …

Apple’s first 2026 zero-day is in dyld: CVE-2026-20700 and what targeted-spyware tells you about modern iOS exploits

May 7, 2026 by

iPhone showing Apple ID Activation Lock screen — photo by Safwan CK on Pexels

Apple shipped iOS 26.3 yesterday with 38 security fixes, one of which was the first actively exploited zero-day of 2026: CVE-2026-20700, a memory-corruption bug in dyld — Apple’s dynamic linker, the very piece of code that loads every other …

The ‘fake plugin’ WordPress malware family: how to spot random-named directories in bulk

April 22, 2026 by admin

One of the most common WordPress malware patterns I’ve cleaned in the last two years isn’t a webshell or a credential stealer — it’s a “fake plugin” or “fake theme.” The attacker creates a directory in wp-content/plugins/ or wp-content/themes/ with …

fwknop port-knocking for SSH: making port 22 invisible from the internet without locking yourself out

April 5, 2026 by

Aged blue door secured with a padlock and chains — photo by Ltf0graphy on Pexels

The default state of 22/tcp on a public IP is “constantly probed by every botnet on the planet.” Even with key-only auth and fail2ban, the noise floor of failed SSH attempts is real — my auth.log picks up 3,000–5,000 hostile …

SSH ProxyJump: reach private servers through a bastion without copying keys to it

March 1, 2026 by admin

Close-up of fiber optic patch panel with yellow and white connectors plugging into blue ports — visual metaphor for ProxyJump tunneling traffic through one server to reach another (photo: Brett Sayles / Pexels)

You have a private server in a VPC that’s only reachable through a bastion host. The “obvious” way to SSH there is the wrong way: copy your private key onto the bastion, then SSH from bastion to the private box. …

Dropping privileges in a long-running bash script: setpriv vs runuser vs su, and why sudo -u is the wrong choice here

November 28, 2025 by

Bunch of vintage skeleton keys hanging from a dark door — photo by Peter Dyllong on Pexels

Last quarter I had a long-running bash daemon that needed to start as root (to bind a privileged port and read a key file in /etc) and then immediately drop to an unprivileged user before doing anything else. The …

The one SQL query that catches almost every backdoor admin in WordPress

November 24, 2025 by admin

Close-up of WordPress JavaScript source code displaying themes:update functions and wp.updates handlers — typical view when auditing WordPress code (photo: Markus Spiske / Pexels)

If a WordPress site of yours has been compromised — even briefly, even silently — there’s a very good chance it now has at least one administrator account that you didn’t create. Most WP malware families plant one as part …

Block xmlrpc.php and hide wp-login.php server-wide on OpenLiteSpeed

November 21, 2025 by admin

Rack of running 1U servers in a data center, multi-color network cables

Every WordPress site running with default config is being hammered right now by brute-force scripts hitting xmlrpc.php and wp-login.php. If you run multiple sites on a single OpenLiteSpeed (LSWS) box, dropping a per-site .htaccess rule on each one is …

Get WordPress off MySQL root: per-site users in one Python loop

September 6, 2025 by admin

A single key resting in a locker door, symbolizing per-site database credentials with no shared master key (photo: Jakub Zerdzicki / Pexels)

If you run more than one WordPress site on a single server and every wp-config.php has DB_USER = 'root', your eight sites are effectively one site as far as a compromise is concerned. One vulnerable plugin on any of …

SSH brute-force fingerprints: how to read /var/log/auth.log without grep madness — awk one-liners that actually work

August 23, 2025 by

Multi-pane terminal session showing log output and system monitoring on a dark monitor — photo by Tima Miroshnichenko on Pexels

Open /var/log/auth.log on a public-facing server and you’ll see thousands of lines per day — failed logins, accepted logins, sudo events, cron registrations. The signal you usually care about (who’s brute-forcing me, from where, against which users?) is buried in …