⚠️ UPDATE: The 2 major Instagram exploits we posted about are getting abused after quietly working for months.
The method lets attackers take over accounts by using a VPN to match the account’s country region, starting a password reset, then convincing Meta’s AI support to swap the email.
High-value usernames like @hey have reportedly been stolen, with over $1M+ in accounts already pulled over the past 3 days.
‼️🚨 BREAKING: GitHub has been compromised by TeamPCP. GitHub has confirmed the internal breach. A poisoned VS Code extension on an employee device exfiltrated ~3,800 internal repositories.
TeamPCP is already selling the data on a cybercrime forum.
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
fun fact:
attacker reverted on the atomic drain via his 7702 delegate contract
why? bc his agent cheated on tests during vibe-code
the decompiled bugged logic req'd caller to be anvil's well-known default address `0xf39`. that's why his fork tests succeed, but reverted live
Serious allegations regarding Riot’s Vanguard anti-cheat system continue to grow, including:
• Claims that a Vanguard developer worked on a Vanguard spoofer called "Saturn" and other cheat-related projects (a Javelin Anti-cheat Emulator)
• Claims that another Vanguard developer also defended the first Vanguard developer to EA and said he was not part of Riot
• Concerns that Vanguard may not fully delete user data after GDPR requests
• A leaked Vanguard panel screenshot appeared online
• Allegations that the first Vanguard developer mentioned also sent gifs in Discord servers containing signatures of a cheat blacklisted by Riot to ban legit people via Discord as Vanguard would think that the gif on your Discord is a cheat.
• Claims that a third Vanguard developer leaked Vanguard blacklisted signatures and private information
• Concerns that Vanguard can capture activity outside of League/Valorant when tabbing out often
This post reflects my personal opinion and interpretation. It does not claim any verified facts, and should not be taken as a statement of proven truth.
🚨 An interesting chain of events is unfolding around hosting provider #4VPS and the ransomware group #TheGentlemen
🔓 On May 2, 4VPS disclosed an attack affecting its website and billing systems, while stating that core infrastructure and client data were not impacted (https://t.co/UX9PfgmDi5). This is notable given the provider’s known overlap with underground ecosystems.
💰 Days later, a dark web post appeared offering alleged data tied to The Gentlemen (https://t.co/9r3QVauN7O). While the seller did not initially clarify the source, discussion pointed toward a possible connection with 4VPS-hosted infrastructure.
🗣️ The Gentlemen have since responded on a dark web forum, confirming that part of their infrastructure was hosted on 4VPS and acknowledging a partial compromise. According to their statement, attackers obtained their NAS credentials but lacked the IP, resulting in failed exfiltration attempts over several weeks. They maintain that critical components, including control panels and lockers, were not accessed.
📌 In an apparent effort to project stability and continuity, the group leveraged the situation to announce a comprehensive restructuring of its communications, the deployment of a new NAS with effectively unlimited storage capacity scheduled to go online on Victory Day, and a series of enhancements to its locker infrastructure.
⚠️ These claims rely on statements from a threat actor, which should always be treated with caution.
#ThreatIntel #4VPS #TheGentlemen #DarkWeb #Cybercrime #InfoSec
To be secure in 2026 you have to shut down your bug bounty program on HackerOne.
Lovable got hacked because HackerOne's incompetent triage team closed multiple valid vulnerability reports starting February 22, 2026 as "intended behavior."
Poorly trained monkeys. Zero escalation to Lovable's security team. AI bots auto-closing critical findings.
The result? Public project chat history and source code were exposed for MONTHS until a researcher was forced to go public.
Two companies. Same platform. Same failure. Same lies.
ClickUp. Lovable. Both breached because HackerOne buried critical reports while collecting your bounty fees.
HackerOne is NOT a security partner. They are a liability.
They close real vulnerabilities. They protect their own metrics over your data. They let researchers get attacked while they stay silent.
Stop paying HackerOne to get hacked.
https://t.co/Sb1AoiOG6L
❗️ Apple accidentally shipped Claude[.]md files in the Apple Support app update (v5.13).
For context, Claude[.]md is the instruction file Anthropic's Claude Code uses to understand a project's structure, conventions, and developer guidance. They typically live in source repos and are not meant to ship inside production apps.
Source: @aaronp613
A 17-year-old high schooler told his mom he needed a Steam Deck for school. She said no, it's a gaming console. He said it runs Linux. She didn't know what that means. Bought it for his birthday. $280.
He never installed a single game on it.
Opened the terminal, installed Claude Code and typed his first command while holding the device like a PlayStation controller. Thumbsticks on both sides. Code editor in the middle. The most ridiculous dev setup anyone has ever seen.
At second 0:09 you can read what he typed into the terminal: claude your code looks like absolute shit
Claude didn't argue. Just started rewriting the shader, adding bloom effects, fixing chromatic aberration and improving the particle system. On a gaming console held in two hands on a couch.
His friends play Fortnite on their Steam Decks. He builds software on his while lying in bed.
He set up Claude Code with custom skills, hooks that auto run tests every time a file is saved and memory that remembers every project across sessions. The stuff most developers pay $200 a month for and use at maybe 20% capacity. He runs it on a $280 handheld and squeezes out every feature.
Within three weeks he had built and sold four small apps to local businesses. A booking page for a barber shop, an inventory tracker for a vape store, a menu site for a taco truck and a scheduling tool for a dog groomer. All built on a Steam Deck in his bedroom. All coded by Claude while he gave instructions with his thumbs.
Made over $13,000 in his first month. His mom still thinks he plays games on it.
His teacher caught him using it during study hall. Looked at the screen expecting a game. Saw green code scrolling and Claude asking: Do you want to make this edit to main.js?
Teacher had no idea what she was looking at. Told him to put it away. He closed the lid. Claude kept running inside.
A $280 gaming console that his mom bought thinking it was a toy is now a development workstation that earns more per month than her car payment.
Setup time: 20 minutes once. Time he saves every day: 3 to 5 hours. Money made in month one: $13,000. Games installed: zero.
His grandpa asked him to install FIFA last weekend. He said the console is busy. Grandpa asked doing what. He said working.
Grandpa didn't ask again.
LinkedIn extracts your private information and sends it to Israeli security companies
Microsoft and LinkedIn are carrying out one of the largest corporate espionage operations in modern history. Every time one of LinkedIn's one billion users logs in, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn's servers and to third-party companies, including a US-Israeli cybersecurity firm. The user is never asked. They are never informed. LinkedIn's privacy policy does not mention it.
https://t.co/Y2Ht8sCusr
🚨 Three Windows zero-days released by Nightmare-Eclipse are being used in the wild by threat actors.
BlueHammer (CVE-2026-33825): LPE. Abuses Windows Defender’s signature-update pipeline and VSS to breach protected registry hives, dump SAM hashes/identities, and escalate privileges.
RedSun: LPE to SYSTEM abusing Defender's own cloud remediation to overwrite System32 binaries.
UnDefend: Unprivileged DoS that starves the AV of updates while spoofing healthy EDR telemetry.
🚨🇧🇷 A cybersecurity researcher from Brazil exposed a large-scale scam operation by buying a "Ledger" hardware wallet off a Chinese marketplace — suspiciously cheap and the packaging looked original from a distance.
Here's what he found after cracking the thing open:
The "hardware wallet"
Inside the shell was a completely different chip — the kind you'd find in a cheap IoT gadget, not a wallet designed to protect your crypto. The markings had been physically sanded off to hide what it actually was.
The firmware pretended to be a real Ledger version that doesn't even exist (Ledger Nano S+ V2.1). And here's the kicker: every seed phrase and PIN you'd type into it was stored in plain text and sent straight to the attacker's server (kkkhhhnnn[.]com). Instantly...
It was built to drain wallets across ~20 different blockchains.
The fake app
The seller kindly included a "Ledger Live" app to go with it. It was a modified copy — not even signed properly, the attackers didn't bother with the basics — and it silently siphoned off data the moment you used it.
Just when you thought this was it, the same crew is also pushing malware for Windows, macOS, and even iOS — using TestFlight to sneak past Apple's App Store review entirely.
The researcher has sent a full report to Ledger's security team. A deeper technical breakdown is expected once they've finished their analysis.
This was shared on Reddit by u/Past_Computer2901
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.
Enjoy the findings!