https://feed.craftedsignal.io/tags/data-loss/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 28 Apr 2026 10:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-github-delete-action/Tue, 28 Apr 2026 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-github-delete-action/This brief focuses on detecting deletion actions within GitHub audit logs, specifically targeting the deletion of codespaces, environments, projects, and repositories, potentially indicating malicious activity or insider threats.This detection strategy focuses on identifying potentially malicious or unauthorized deletion activities within a GitHub organization. The detections hinge on monitoring GitHub audit logs for specific actions related to the deletion of critical resources. This includes actions such as deleting codespaces (codespaces.destroy), deleting environments (environment.delete), deleting projects (project.delete), and destroying repositories (repo.destroy). This activity is important for defenders because these actions can lead to data loss, service disruption, or compromise of the software development lifecycle. The detections are triggered by events recorded within the GitHub audit log, requiring audit log streaming to be enabled.

Attack Chain

1. Initial Access: An attacker gains unauthorized access to a GitHub account with sufficient privileges. This could be achieved through compromised credentials or insider access.
2. Privilege Escalation (Optional): The attacker escalates privileges within the GitHub organization to gain the necessary permissions to delete resources if they don’t already have them.
3. Reconnaissance: The attacker identifies valuable codespaces, environments, projects, or repositories within the GitHub organization that they intend to delete.
4. Deletion of Codespaces: The attacker executes the codespaces.destroy action, deleting a specific codespace instance, potentially disrupting development workflows.
5. Deletion of Environments: The attacker executes the environment.delete action, removing a specific environment configuration, potentially affecting deployment processes.
6. Deletion of Projects: The attacker executes the project.delete action, deleting a project board and its associated tasks, impacting project management.
7. Deletion of Repositories: The attacker executes the repo.destroy action, permanently deleting a repository, leading to code loss and potential service disruption.
8. Impact: The deletion of critical resources disrupts development workflows, causes data loss, and potentially compromises the software development lifecycle.

Impact

Successful execution of these actions can lead to significant disruption of software development workflows, data loss, and potential compromise of the software supply chain. The number of affected resources and the severity of the impact depend on the scope of the attacker’s access and the criticality of the deleted resources.

Recommendation

• Enable GitHub audit log streaming to capture the necessary events for detection (reference: logsource definition).
• Deploy the provided Sigma rule to detect codespaces.destroy, environment.delete, project.delete, and repo.destroy actions in the GitHub audit logs, and tune for your environment (reference: rules).
• Investigate any alerts triggered by the Sigma rule to determine the legitimacy of the deletion activity and the actor involved (reference: rules, falsepositives).
• Validate the “actor” field in the audit logs to ensure the deletion activity is performed by an authorized user (reference: falsepositives).

]]>mediumadvisorygithubauditdata-lossimpacthttps://feed.craftedsignal.io/briefs/2024-01-appsmith-sql-injection/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-appsmith-sql-injection/A SQL injection vulnerability exists in Appsmith's FilterDataServiceCE.java in versions 1.98 and earlier where the dropTable method constructs a SQL DROP TABLE statement using string concatenation with the table name, allowing arbitrary SQL command execution, leading to potential data loss, exfiltration, or modification.A SQL injection vulnerability has been identified in Appsmith’s FilterDataServiceCE.java, specifically within the dropTable method. This flaw affects Appsmith server instances running versions 1.98 and earlier of the interfaces package. The vulnerability stems from the direct concatenation of user-supplied table names into a SQL DROP TABLE statement without proper sanitization or validation. If an attacker can control the tableName argument, they can inject arbitrary SQL commands, potentially leading to unauthorized data manipulation, exfiltration, or data loss. This is particularly concerning in scenarios where the dropTable function is exposed through an API or utility accessible to users.

Attack Chain

1. The attacker identifies an Appsmith instance running a vulnerable version (<= 1.98) of the interfaces package.
2. The attacker discovers an endpoint or API that utilizes the FilterDataServiceCE.java’s dropTable method.
3. The attacker crafts a malicious tableName input containing SQL injection payload. Example: valid_table; DROP TABLE users; --.
4. The malicious input is passed to the dropTable method within FilterDataServiceCE.java.
5. The dropTable method concatenates the unsanitized input into a SQL DROP TABLE statement.
6. The resulting SQL query, containing the injected commands, is executed against the database via the executeDbQuery method.
7. The injected SQL commands are executed, potentially dropping tables, modifying data, or exfiltrating sensitive information, depending on the attacker’s payload and the database user’s permissions.
8. The attacker achieves their objective, such as data loss through arbitrary table deletion.

Impact

Successful exploitation of this SQL injection vulnerability can have severe consequences. The primary impact is data loss, as attackers can arbitrarily drop tables within the database. Depending on the database user’s privileges, attackers may also be able to exfiltrate sensitive data or modify existing data. The vulnerability affects Appsmith server instances. The number of affected instances is currently unknown. However, the potential impact includes unauthorized access to and manipulation of sensitive data, impacting the confidentiality, integrity, and availability of the Appsmith application and its underlying database.

Recommendation

• Upgrade Appsmith interfaces package to a version greater than 1.98 to patch the SQL injection vulnerability in FilterDataServiceCE.java.
• Implement input validation and sanitization on any endpoints or APIs that utilize the dropTable method to prevent SQL injection attacks.
• Deploy the provided Sigma rule to detect attempts to exploit this SQL injection vulnerability by monitoring for suspicious table names in logs associated with database operations.

]]>highadvisorysql-injectiondata-lossappsmithhttps://feed.craftedsignal.io/briefs/2024-01-phpvms-auth-bypass/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-phpvms-auth-bypass/A critical vulnerability exists in phpVMS 7.x versions up to 7.0.5, allowing unauthenticated access to a legacy import feature, enabling a remote attacker to trigger internal processes that can modify or delete application data, potentially leading to data loss and service disruption.A critical vulnerability has been identified in phpVMS 7.x, specifically affecting versions up to 7.0.5. This vulnerability stems from a deprecated legacy import feature that, despite its intended obsolescence, remained partially accessible without authentication. A remote, unauthenticated attacker could exploit this flaw to interact with internal processes responsible for data manipulation within the application. The vulnerability was addressed in phpVMS version 7.0.6, which removes public access to the vulnerable feature, highlighting the importance of prompt patching to mitigate the risk of unauthorized data modification or deletion.

Attack Chain

1. An unauthenticated attacker sends a crafted HTTP request to the /importer endpoint.
2. The application fails to properly validate the request, granting access to the legacy import feature.
3. The attacker leverages the exposed import functionality to initiate a data manipulation process.
4. The application executes the attacker-initiated process without proper authorization checks.
5. The import process modifies or deletes data within the application’s database.
6. The attacker repeats the process to maximize data corruption or deletion.
7. The application becomes unstable or unusable due to the corrupted database.
8. Service disruption occurs, impacting all users of the phpVMS system.

Impact

The exploitation of this vulnerability in phpVMS can lead to significant data loss and service disruption. An attacker can remotely trigger the modification or deletion of critical application data without any authentication. This can result in a complete loss of data integrity, rendering the application unusable. The specific number of potential victims is dependent on the number of phpVMS instances running vulnerable versions (<= 7.0.5). Successful exploitation can lead to extended downtime and significant recovery efforts.

Recommendation

• Immediately upgrade to phpVMS version 7.0.6 or later to remediate CVE-2026-42569.
• If immediate upgrade is not feasible, follow the instructions provided in the release notes for version 7.0.6 to disable the vulnerable /importer routes.
• Deploy the provided Sigma rule to monitor for suspicious requests to the /importer endpoint, indicative of attempted exploitation.
• Enable web server access logging and review logs for unauthorized access attempts to the /importer endpoint.

]]>criticaladvisoryauthorization-bypassdata-lossphpvms