Stories included in this digest
- Vulnerabilities, defenses, and security tooling
- Authentication, infrastructure, and platform security
- Practical security lessons for engineering teams
Track Cybersecurity stories from Lobsters without refreshing feeds all day. Snapbyte summarizes cybersecurity discussions, releases, tutorials, and engineering lessons from Lobsters into a focused developer digest.
Latest story tracked: Apr 13, 2026
The author developed an open-source Little Snitch-inspired firewall for Linux using eBPF and Rust to improve privacy. The tool allows users to monitor and block outgoing network connections. While Linux proves more transparent than macOS, the project highlights persistent data telemetry in common apps and emphasizes user control over system dependencies.
Snapbyte summaries help you scan the story. Open the original source for full context.
Recent breakthroughs in quantum computing hardware and algorithms necessitate an immediate transition to post-quantum cryptography. With experts now projecting a 2029 deadline, traditional protocols like ECDSA and RSA must be replaced by quantum-resistant standards like ML-DSA and ML-KEM. Practitioners must prioritize implementation speed over complex hybrid models to mitigate imminent security risks.
The author argues that supply-chain security in the Rust ecosystem is a shared responsibility rather than solely an issue for crates.io to solve. Despite limitations in automated sandboxing and detection, users should actively audit dependencies. Relying on community volunteers instead of corporate-funded infrastructure means users must exercise common sense and utilize available security tools like cargo-vet.
Adding dependencies increases supply chain security risks, as shown by the XZ and Trivy incidents. Automated tools like Dependabot can exacerbate this by introducing compromised code without human oversight. The author advises caution when adding dependencies and recommends manual updates to maintain software integrity, echoing the Go philosophy that minimal dependencies are safer.
The author used a unique email address for BrowserStack and later received unsolicited messages at it. Apollo.io initially claimed they generated the address via algorithms, but later admitted receiving it from BrowserStack through a 'customer contributor network.' This highlights concerns regarding data privacy, potential third-party data sharing, and the lack of transparency in business practices.
A developer scraped over 84,000 Firefox extensions from the Mozilla Add-ons store to test the browser's performance at scale. The experiment revealed significant stability issues, extreme memory consumption, and exposed various security risks, including phishing and adware within the extension ecosystem. The browser became effectively unusable when all extensions were installed simultaneously.
Formal verification successfully produced memory-safe code in lean-zip, eliminating common vulnerabilities. However, autonomous fuzzing revealed a critical heap buffer overflow in the Lean runtime and a denial-of-service in unverified parser code. This demonstrates that verification is powerful but limited by the correctness of the trusted computing base and the scope of specified properties.
Obfuscating email addresses protects them from automated spam harvesters. While no method is perfect, using techniques like JavaScript conversion, AES encryption, CSS 'display: none', or user interaction events effectively deters most unsophisticated bots. Conversely, simple methods like plain text, HTML comments, or basic encoding offer minimal protection but remain surprisingly common in practice.
The author outlines 'brocards' for vulnerability triage in open source projects to efficiently filter out non-vulnerable reports. These heuristics help maintainers dismiss submissions that lack a coherent threat model, rely on assumptions already requiring exploit capability, describe unreachable scenarios, correctly follow standards, or impose costs exceeding their actual security impact.
This guide details how to store SSH keys in a Trusted Platform Module (TPM) on Linux. Unlike storing keys in files, utilizing a TPM provides hardened security against extraction. The author recommends importing keys generated on offline machines to prevent loss during BIOS updates, and provides step-by-step commands for setup using tpm2-tools.
Malicious versions of the Axios npm package were discovered as part of a multi-stage supply chain attack. The compromised versions deliver a remote access trojan that executes arbitrary commands and exfiltrates system data across Windows, macOS, and Linux. The malware uses sophisticated obfuscation to evade detection before self-deleting to hide its tracks.
The Forgejo March 2026 report covers the upcoming v15.0.0 release, recent security patches for v11 and v14, and updates to the Forgejo Runner. Policies were updated to strictly prohibit AI-generated code. Infrastructure improvements include restrictive repository hosting on code.forgejo.org, and Fedora has officially migrated to its own Forgejo instance.