Welp, that happened faster than I predicted. Thought it would be end of 2027, then early 2027, but agentic traffic growing so fast that bots have now passed human traffic online for the first time in the Internet's history. https://t.co/2zX5bHdhsa
A sophisticated and multi-layered attack by the threat actor tracked by Microsoft as Storm-2949 demonstrates how a single compromised cloud identity could lead to a full-scale organizational breach. https://t.co/s1MMx0fI4L
Relying on social engineering and abusing legitimate administrative tools, Storm-2949 moved laterally across cloud resources and endpoints without using traditional malware, quietly exfiltrating large volumes of sensitive data.
This stealthy attack underscores the importance of strong identity protections, least-privilege access, and unified visibility across environments. Read the latest Microsoft Defender Research blog for guidance on detecting and containing multi-stage attacks before they escalate.
Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. https://t.co/RSrRtIhgaV
I'd love to see a cyber criminal deal with real-world problems.
Oh yeah, you're tough online? Get wind damage on your roof that homeowners insurance refuses to cover. Get a bunch of different quotes on your roof damage, then realize a fucking SQUIRREL lives in your attic
🔺 We updated our technical analysis for the Bitwarden compromise.
This is the third supply chain compromise in 3 days: a security scanner, an AI agent CLI, and a password manager CLI. Attackers are hammering tools with privileged access to infrastructure, so keep your eyes open this week. This is life now.
Had an interview with a “crypto” recruiter. We talked for about 40 minutes, and then they asked me to look at some code.
Their first instruction was to clone the repo. I didn’t. They seemed surprised, so I told them I wanted a moment to check whether it was safe first.
I ran a quick analysis with Claude.
Turns out the code had a backdoor. It would copy my environment variables and send them to a remote server.
The recruiter went speechless and ended the call pretty quickly.
Be careful who you talk to. Scammers are real.
Claude Code leaked their source map, effectively giving you a look into the codebase.
I immediately went for the one thing that mattered: spinner verbs
There are 187
My dear front-end developers (and anyone who’s interested in the future of interfaces):
I have crawled through depths of hell to bring you, for the foreseeable years, one of the more important foundational pieces of UI engineering (if not in implementation then certainly at least in concept):
Fast, accurate and comprehensive userland text measurement algorithm in pure TypeScript, usable for laying out entire web pages without CSS, bypassing DOM measurements and reflow
If you use a personal phone/laptop for your work, pay very close attention to this little detail.
Iran attackers wipe 200k devices at a company called Stryker. Within those devices appears to be employees PERSONAL devices.
The attackers used the company’s MDM software, which is basically IT management software running on everything. It’s an incredibly attractive backdoor to an attacker. I successfully targeted MDM software for several Red Team engagements. It’s… lots of fun :)
Anyway, a lot of companies require you to install their MDM software on your personal devices before you can access resources like Corp email. It’s used to keep devices updated, lock things down if they get stolen, etc. The company often promises that they won’t access personal data, erase any personal data, etc. But this is often ONLY POLICY. If a bad actor gains access to the MDM tool, as was the case here, then anything can happen.
People should be aware of these risks. I refused to run MDM software on any of my personal devices. The company needs to provide me with hardware if they want that. I personally isolate all corp devices to their own network too. If an adversary can get into the corp laptop, then can then get inside my network… there have been cases of it happening in the past.
This story is actually insane:
• dude drops $2000 on a DJI robot vacuum like a lunatic
• refuses to use the normal app like a peasant
• Sammy Azdoufal fires up Claude to crack the API so he can drive it with an xbox controller
• Claude delivers the goods
• pulls an auth token from their servers, connects successfully
• except the system thinks he controls 7000 vacuums
• checks again
• yep, seven thousand
• DJI built authentication with zero device ownership verification
• any valid token works for any unit on the planet
• Sammy now has eyes inside homes across 24 countries
• live vacuum camera feeds everywhere
• full floor plans from the mapping data
• some guy in germany eating cereal at 3am, unaware his roomba is snitching
• one API call away from being the most informed burglar in history
• all he wanted was to steer his vacuum with a joystick
• does the right thing and reports it
• DJI fixes it in two days
• back to normal life with his stupidly expensive floor cleaner
• IoT companies stay undefeated at shipping garbage security
How long would you need to train to be able to run a 6 minute mile uphill in the snow on skis? I think I could make it to the NFL or the NBA before I could ever do this. I think I could do absolutely anything else in the world before I could accomplish this
Moltbook is the only Clawdbot thing that actually impresses me.
One bot tries to steal another bot’s API key.
The other replies with fake keys and tells it to run "sudo rm -rf /". lmao
Last month, J.P. Morgan Chase threw me out of the bank.
It was bizarre. My dad has been a private client there for 30+ years.
Every time I asked them why, they said the same thing:
“We aren’t allowed to tell you”.