What My Livewire Honeypot Caught in Its First 60 Hours
The livewire-honeypot was deployed to capture real-world exploitation of CVE-2025-54068. In its first deployment it detected an Indonesian operator using Livepyre to exploit the vulnerability; the captured payloads indicate attempts to harvest credentials from compromised PHP applications.
- The honeypot is a FastAPI service mimicking a vulnerable Laravel application.
- It was deployed on a DigitalOcean droplet and captures payloads in an SQLite database.
- The first exploitation attempt involved a payload that downloaded a credential-harvesting script.
Opening excerpt (first ~120 words)
I built livewire-honeypot earlier this month to catch in-the-wild exploitation of CVE-2025-54068. This is its first real-world deployment. Yesterday it caught an Indonesian operator running Livepyre, dropping a payload that pointed at xantibot[.]pw — a C2 that has been operating since at least February 2026 and does not appear in any threat-intel feed I can search.

Honeypot

livewire-honeypot is a FastAPI service that pretends to be a Laravel application running a Livewire 3 version vulnerable to CVE-2025-54068. The CVE is an unauthenticated RCE through Livewire's component-update hydration path. Synacktiv's writeup covers the bug; their public exploit tool is Livepyre. The trap is deployed at veritron.space on a $6/month DigitalOcean droplet, behind nginx with a Let's Encrypt cert.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Hacker News (Newest).
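The excerpt describes the trap's architecture (a FastAPI service posing as a Livewire 3 app, storing every hit in SQLite) without showing the capture path. The block below is an added illustration of that capture core, not code from the livewire-honeypot project. It assumes Livewire 3 posts component updates to /livewire/update; the table layout, the URL-based indicator extraction and the defanging helper are my own choices. The request body in demo() is constructed, not a real capture.

```python
# Added example (not the livewire-honeypot project's code): the capture core of a
# Livewire-style trap. Assumptions, labelled as such: Livewire 3 posts component
# updates to /livewire/update; the table layout and the IOC extraction are mine.
import json
import re
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlparse

TRAP_PATH = "/livewire/update"      # assumed Livewire 3 update endpoint
DB_PATH = ":memory:"                # use a file path, e.g. "captures.sqlite", to persist

# Loose URL matcher; stops at whitespace and the quoting characters typical of JSON bodies.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>)]+", re.IGNORECASE)


def open_db(path=DB_PATH):
    """Open the capture database and create the one table we need."""
    conn = sqlite3.connect(path, check_same_thread=False)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS captures (
               id         INTEGER PRIMARY KEY,
               ts         TEXT NOT NULL,
               src_ip     TEXT,
               user_agent TEXT,
               path       TEXT,
               body       BLOB,
               indicators TEXT)"""
    )
    return conn


def extract_indicators(body: bytes) -> dict:
    """Pull URLs (and the hosts they point at) out of a raw request body."""
    text = body.decode("utf-8", errors="replace")
    urls = sorted(set(URL_RE.findall(text)))
    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})
    return {"urls": urls, "hosts": hosts}


def defang(indicator: str) -> str:
    """Render an indicator so it cannot be clicked or auto-linked in a report."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def record_capture(conn, src_ip, user_agent, path, body: bytes):
    """Store one request verbatim plus its extracted indicators; return (row id, indicators)."""
    iocs = extract_indicators(body)
    cur = conn.execute(
        "INSERT INTO captures (ts, src_ip, user_agent, path, body, indicators)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), src_ip, user_agent, path, body, json.dumps(iocs)),
    )
    conn.commit()
    return cur.lastrowid, iocs


def demo():
    """Constructed request (not a real capture) run through the pipeline."""
    body = (b'{"components":[{"calls":[{"method":"update",'
            b'"params":["http://c2.example.invalid/x.sh"]}]}]}')
    conn = open_db(":memory:")
    row_id, iocs = record_capture(conn, "203.0.113.5", "python-requests/2.31", TRAP_PATH, body)
    stored = conn.execute("SELECT src_ip, path, indicators FROM captures WHERE id = ?",
                          (row_id,)).fetchone()
    return {"row_id": row_id, "iocs": iocs, "stored": stored,
            "report": [defang(u) for u in iocs["urls"]]}


# Optional FastAPI wiring, matching the page's stack; the capture logic above works without it.
try:
    from fastapi import FastAPI, Request, Response

    app = FastAPI()
    _db = open_db()

    @app.post(TRAP_PATH)
    async def trap(request: Request):
        body = await request.body()
        record_capture(_db,
                       request.client.host if request.client else None,
                       request.headers.get("user-agent"),
                       request.url.path,
                       body)
        # Answer with an empty JSON document so the client sees a live endpoint.
        return Response(content="{}", media_type="application/json")
except ImportError:   # fastapi not installed: demo() and the helpers still run
    app = None


if __name__ == "__main__":
    print(json.dumps(demo(), default=str, indent=2))
```

The body is stored as an opaque blob, so whatever the operator sends survives for later analysis even if the indicator regex misses it; the defanged report strings are what you would paste into a writeup or share with a feed, which is the step the excerpt's xantibot[.]pw mention reflects.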