‼️ The alienation continues: more security researchers are sticking up the middle finger after feeling squeezed by Microsoft and GitHub. MSRC emailed Black Hat USA 2026 presenters asking which MSRC cases, VULN-IDs, or CVEs their talks would cover. GitHub told a researcher to delete his public PoC repos and flagged his accounts under ToS.
‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
For a report I submitted to MSRC months ago, which showed full remote capabilities:
MSRC closed it saying it's "Local only".
I comment: "I showed a 0 click proof of concept here. Why was it closed?"
MSRC: "The assessment decision remains unchanged."
Me: "Ok but I proved remote with X PoC and you can see the video I even attached a few months ago that shows it in action"
MSRC: "Please feel free to submit a new report with additional details."
❗️🚨 BREAKING: Security researchers are now handing out Nightmare-Eclipse vulnerabilities for free, in what looks like both a show of support and a reaction to how Microsoft treats researchers. First up: "Bitskrieg," which violates Secure Boot trust and fully bypasses BitLocker.
It seems aimed squarely at Microsoft's recent blog, where the company said its Digital Crimes Unit would bring cases against threat actors "and those that enable their criminal activity," language many researchers read as a threat pointed at them.
> be Bowie Knife99
> just a guy with an Xbox
> buy Forza Horizon 6 on launch day
> drive like you always do - like a lunatic
> ram, swerve, and pit-maneuver strangers into walls
> the Drivatar system silently records every felony
> uploads an AI clone of your driving to the cloud
> deploys hundreds of you into other people's races, 24/7
> within days, thousands cry about you on Reddit, X, and Steam
> the community calls you "the Herobrine of Forza"
> official Xbox UK tweets "Happy Bank Holiday Monday to everyone except bowie knife99"
> a fan opens a fake X account in your name to taunt your victims
thousands of players are at war with hundreds of clones of you. you don't know any of this is happening. happy bank holiday.
ShinyHunters compromised Canvas (to a currently unknown extent), which resulted in a "this system has been compromised" message going out to over 9,000 universities.
As ridiculous as that sounds, I'm not memeing. It has been speculated it is actually over 9,000 universities.
ShinyHunters is having their ALPHV moment. They're now going to get attention at a serious scale outside of the information security circle.