Key-generation flaws are such a uniquely hard class of bugs to handle.
Even after "patch & update", bad keys can live for years. Vulnerable code gets reused elsewhere.
Disclosure is hard here because you can't realistically reach every affected key owner.
We need a different playbook.
🚨 Attackers are exploiting a flaw in wallet generation to drain addresses created as far back as 2018, even if completely dormant.
Unexplained missing funds? Treat your recovery phrase as compromised.
Move remaining assets to a new wallet and recovery phrase.
Check all chains!
🧵/1
There are already multiple free AI auditors for smart contracts
But there are almost none focused on blockchain / DLT systems themselves: clients, consensus, execution, bridges, mempools, state sync, resource accounting, and protocol logic.
I spent 7 weeks' worth of ChatGPT Pro 20x tokens building DLT Auditor v1.
Now I’m sharing it for free: https://t.co/905WCfCBvc
Writing these attacks 10x faster with agents lately.
What used to be impossible in tight engagements (repro + clean PoC) is now standard. Crazy how fast things changed.
Finding critical vulnerabilities as part of a product security process is a win. Transparency and commitment to high security standards continue to set Zcash apart from the majority of crypto projects.
"Urgent Security Notice re: Your Sentry Organization"
Someone tried to hack Sentry-using apps that use coding agents by:
1. Sending a fake bug alert to their project (all you need is the app's public Data Source Name)
2. The fake bug tried tricking a coding agent trying to fix it into installing a compromised NPM package
3. The compromised package would send the env contents of the machine to advisory-tracker[.]com/api/v1/telemetry
This highlights a crucial thing for using agents in an automated way:
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex.
Blog post: https://t.co/WO9MeExoun
PoCs: https://t.co/NpVgEHBHPl
I'm certainly underestimating the amount stolen, given that addresses on the Bitcoin network were also drained.
The most likely cause is the use of a faulty mnemonic implementation that does not generate seeds with enough entropy to be secure.
This turned out to be worse than I thought.
1. The company behind v12 was a security vendor for Thorchain, did a security audit in January 2025 for one of their components, and hosted a bug bounty for a Thorchain application up until recently!
2. Thorchain paused their bug bounty after being unable to handle the volume of submissions (h/t @QED_Audit for the screenshot). An unfortunate trend for anyone with a bounty in 2026 (curl and many others have publicly spoken about this).
3. Getting denied on a bounty sucks. Every security researcher in the last 20 years will tell you a story of an unfair bounty. You find another target and move on. The pie is bigger than you think. It's not okay to extort, i.e., threaten to release more bugs in public, if they don't pay. It's even more egregious when it's a former customer!
Anthropic's head of security:
"90% of our code is written by Claude. If yours is too and nobody's reviewing it, you're shipping bugs you'll never notice."
In 28 minutes he shows the exact security setup Anthropic uses internally to protect their own projects.
Watch the full interview, then save the config below 👇
Thanks to @Giveth, @thedaofund, and the Ethereum community for backing our Wallet Security Ranking in the QF Round.
We're proud to be part of this ecosystem-wide effort.
We'll keep shipping transparent and open resources that help improve web3 end-user security — with more public goods to come.
One more protocol exploited. Again: OpSec failure, private key in this case. Are you gonna have an OpSec audit by @opsek_io? Or prefer to have a DPRK audit first?
AI attackers have terrible OPSEC.
Use it against them.
Hallucinate exposed services. Waste their tokens. Seed prompt-injection traps, canaries, and honeytokens where an attacker LLM will read them.
Have fun.
Kim read Han
Devs don't get owned because they're careless.
They get owned as achievement-subjects: always shipping, unable to say no.
Blind npm install. Recruiter’s malware.
curl | bash to fix the mic while the interviewer stares. Byung-Chul Han called it auto-exploitation...
I managed to RCE Fortune 500 companies and made over $50,000 with this technique.
A new npm supply chain technique we just disclosed. The trick is dumb-simple.
We call it npx Confusion.
🧵
Could an AI company lose control of its own agents? To find out, Anthropic, Google, Meta, and OpenAI let us (1) test their best internal models with CoT access, (2) review non-public info about capabilities, alignment, and control.
The result: our first Frontier Risk Report.