CredShields

Verified account

@CredShields

Engineering Security for the AI Era | AI Pen Testing + Smart Contract Audits | OWASP Smart Contract Security Pioneers | SOC2 Type ll Audited

Joined December 2021

26 Following

3.5K Followers

2K Posts

Pinned Tweet

4 months ago

CredShields and @SolidityScan are proud to contribute to the release of the @owasp Smart Contract Top 10 2026. OWASP Smart Contract Top 10 defines the primary contract-level failure patterns that repeatedly lead to loss in blockchain systems. Sincere gratitude to @ethereumfndn Ecosystem Support Program for supporting the OWASP Smart Contract Security initiative. https://t.co/inlrIp9gMh

CredShields's tweet photo. CredShields and @SolidityScan are proud to contribute to the release of the @owasp Smart Contract Top 10 2026.

OWASP Smart Contract Top 10 defines the primary contract-level failure patterns that repeatedly lead to loss in blockchain systems.

Sincere gratitude to @ethereumfndn Ecosystem Support Program for supporting the OWASP Smart Contract Security initiative.

https://t.co/inlrIp9gMh

20

71

42

5

8K

about 16 hours ago

Your AI agent can send emails, book meetings for you, even execute code. So can your attacker. The attacker just needs to control one input.

CredShields's tweet photo. Your AI agent can send emails, book meetings for you, even execute code.

So can your attacker. The attacker just needs to control one input. https://t.co/VGQeK6aYi3

0

0

0

0

25

2 days ago

https://t.co/7lmA38eHuR

0

0

0

0

193

4 days ago

Has your security team tested your LLM features for prompt injection?

0

0

0

0

62

Who to follow

Verified account

Automated smart-contract auditing platform by @credshields

Verified account

Security Researcher @cantinaxyz

Verified account

@Kiki_developer

Independent Security Researcher | prev @GuardianAudits | $3B+ secured • 50+ audits • 15+ bounties

5 days ago

We just found and disclosed CVE-2026-10753 in Google's Site Kit, the official Google plugin running on 5M+ WordPress sites. Our team caught a broken access control flaw that slipped past everyone else. One REST API write endpoint checked for view level access when it should have required admin. That single line let an Editor with dashboard sharing flip a sitewide setting they were never meant to touch. Every sibling endpoint in the same controller already required admin capability. One route drifted out of step. Running Site Kit? Update to 1.176.0 or later. Read for a deeper understanding: https://t.co/35js3wGHTE

CredShields's tweet photo. We just found and disclosed CVE-2026-10753 in Google's Site Kit, the official Google plugin running on 5M+ WordPress sites.

Our team caught a broken access control flaw that slipped past everyone else.

One REST API write endpoint checked for view level access when it should have required admin. That single line let an Editor with dashboard sharing flip a sitewide setting they were never meant to touch. Every sibling endpoint in the same controller already required admin capability. One route drifted out of step.

Running Site Kit? Update to 1.176.0 or later.

Read for a deeper understanding:
https://t.co/35js3wGHTE

1

1

1

0

252

6 days ago

Immediate Remediation Steps: 1️⃣ Pin & Proxy: Lock exact dependency versions. Use enterprise-governed package proxies. 2️⃣ Audit eBPF: Monitor build infrastructure for unauthorized eBPF programs. 3️⃣ Hard Reset: Infected runners/workstations must be completely wiped and reimaged.

0

0

0

0

40

6 days ago

The Impact: Once active, it bypasses standard barriers to harvest developer IDE credentials, cloud environment access keys (AWS/GCP/Azure), CI/CD secrets, and local storage data. Standard file deletion will not work against a Ring 0 rootkit.

1

0

0

1

91

6 days ago

Vector: Supply chain infiltration via compromised npm packages, triggering silently during npm install via hidden postinstall script hooks. Stealth: Attaches kprobes to kernel system calls like sys_getdents64 for full process cloaking. It hides its footprint from ps or top.

1

1

0

0

86

6 days ago

A highly sophisticated, heavy Rust-built infostealer named IronWorm is actively targeting modern software development pipelines. Because it deploys a Ring 0 / kernel-level eBPF rootkit, standard user-space EDR agents will fail to detect it. 👇 Quick breakdown and defense steps:

CredShields's tweet photo. A highly sophisticated, heavy Rust-built infostealer named IronWorm is actively targeting modern software development pipelines.

Because it deploys a Ring 0 / kernel-level eBPF rootkit, standard user-space EDR agents will fail to detect it.

👇 Quick breakdown and defense steps: https://t.co/Mp4HtAEosL

1

0

0

0

126

8 days ago

Lock yours down tonight: 1/ Audit your account recovery contact info 2/ Move from SMS to app based MFA 3/ Review logged in devices weekly #CyberSecurity #InfoSec #MetaAI #AccountSecurity #MFA #AIsecurity

CredShields's tweet photo. Lock yours down tonight:

1/ Audit your account recovery contact info

2/ Move from SMS to app based MFA

3/ Review logged in devices weekly

#CyberSecurity #InfoSec #MetaAI #AccountSecurity #MFA #AIsecurity https://t.co/XYG7s7vGxy

0

0

0

0

60

8 days ago

Hackers hijacked high profile Instagram accounts, including the old Obama White House handle without malware, phishing, or stolen passwords. How did they do it?

1

0

0

0

141

8 days ago

The takeaways 👇 → AI support tools create security blind spots that human agents wouldn't → Automated convenience routinely outpaces verification → Strong MFA was the layer that held the line for protected accounts

CredShields's tweet photo. The takeaways 👇

→ AI support tools create security blind spots that human agents wouldn't

→ Automated convenience routinely outpaces verification

→ Strong MFA was the layer that held the line for protected accounts https://t.co/hKgpICF2D6

1

0

0

0

40

9 days ago

What's one security habit your team actually sticks to? 👇

CredShields's tweet photo. What's one security habit your team actually sticks to? 👇 https://t.co/AUMp53th6f

0

0

0

0

45

10 days ago

CredShields's tweet photo. https://t.co/HBFylaEMX9

0

0

0

0

36

10 days ago

Your app passed the pentest. Your LLM wasn't tested. Here are the 5 attack vectors living in every AI feature right now and why none of them show up in a standard report. 👇

CredShields's tweet photo. Your app passed the pentest.

Your LLM wasn't tested.

Here are the 5 attack vectors living in every AI feature right now and why none of them show up in a standard report. 👇 https://t.co/qpP1JfJCze

2

1

0

0

162

10 days ago

CredShields's tweet photo. https://t.co/8zQn7gcXod

1

0

0

0

35

Last Seen Users on Sotwe

Trends for you

Most Popular Users