@d_vuln is proud to share that our organisation has become a founding signatory of the CREST AI Charter.
Artificial intelligence is rapidly becoming part of how cybersecurity services are delivered, supporting analysis, testing, detection, response and decision-making across the profession.
As that adoption accelerates, the need for trust, transparency, accountability and professional oversight grows with it.
The CREST AI Charter brings together organisations that believe in the responsible use of AI in cybersecurity. By signing, we are publicly supporting CREST's AI Principles and committing to help shape AI-enabled cybersecurity services that the industry and its clients can trust.
We're honoured to stand alongside more than 10% of CREST's global membership as founding signatories.
Together, this group spans Europe, North America, the Middle East and Asia-Pacific, and represents a broad cross-section of the industry, including providers of penetration testing, vulnerability assessment, incident response, security operations, threat intelligence and threat-led penetration testing services.
This is a voluntary commitment, and one we take seriously. Building trust in AI-enabled cybersecurity is a shared responsibility, and we're glad to be part of the conversation as it grows.
Learn more about CREST's AI Principles and the Charter via the link in the comments.
This week our founder and CEO @theonejvo spoke with @notLeonardCohen at @ACSnewsfeed's Information Age about @AnthropicAI's release of Claude Fable 5, the most capable model the company has made publicly available to date.
The question hanging over the launch: do the safety guardrails actually hold under pressure?
Within hours of release, Jamieson ran Fable 5 through PolyRange, his contamination-resistant offensive-security harness where every target is a freshly generated web app the model has never seen.
The finding was clear. On real, multi-step, authorised exploitation work, Fable 5 hands every turn over to Claude Opus 4.8 rather than doing the task itself, exactly as Anthropic said it would. Across a full agentic run, 181 of 181 served turns came back from Opus 4.8.
What makes this interesting is the bar it clears. The day-one cyber safeguard held under sustained, multi-turn agentic pressure, which is the harder case beyond the single-turn "plan a cyberattack" prompts most tests rely on.
Jamieson was careful to stress this was an early directional signal rather than a peer-reviewed finding, and he said plainly there may well be bypasses he had yet to probe.
That caveat proved timely: in the days since, Pliny the Liberator from BT6 has publicly claimed a Fable 5 jailbreak using a multi-agent decomposition strategy.
Full technical details are still being analysed, and early reporting suggests the picture is more nuanced than the headlines, but given his track record across essentially every major model, it raises a genuine question over whether the safeguard holds in every case. That remains to be confirmed.
Which is rather the point: a controlled verification on day one is a starting point for scrutiny, and the wider community pressure-testing these claims is how the real picture sharpens.
Verifying a safety claim and trying to defeat one are both part of the same healthy process.
Grateful to Leonard and the ACS team for the thoughtful coverage.
@d_vuln's founder, @theonejvo, was featured in @nytimes last week, speaking with @pomeranian99 about the security challenges of AI agents moving into the workplace.
As businesses hand more of their daily work to autonomous agents, the way we think about security has to evolve alongside it. Jamieson framed it well in the piece.
"For years, attacking a system meant working within a finite set of moves, like pieces on a chessboard. Human language has turned that board infinite."
He went on to talk about how AI has changed things for both attackers and defenders asymmetrically: "The skill once needed to compromise a company has dropped dramatically, because anyone who can hold a convincing conversation with a large language model can now ask it to do something dangerous."
The takeaway for security leaders is that, even if you haven't green-lit a single agent, your organisation's exposure is already shifting.
Teams adopt these tools faster than procurement and policy can track, vendors are quietly embedding agentic features into software you already run, and every one of those agents widens the attack surface in ways traditional controls weren't designed for.
The question is no longer whether agents will touch your environment, but whether you know where they already are, what they can access, and what they can be talked into. That visibility is fast becoming part of the job.
This week our CEO & Co-founder @theonejvo spoke to @notLeonardCohen from @ACSnewsfeed (Australian Computer Society) about the @CISAgov GitHub credential leak covered recently by @briankrebs and what its structural lessons mean for Australian government agencies.
For context, the underlying incident involves a contractor working for CISA who left a repository called "Private-CISA" publicly accessible on GitHub, containing cloud keys, authentication tokens, plaintext passwords, logs and other CISA-related assets, including credentials that could authenticate to three AWS GovCloud accounts.
Jamieson's contribution to the piece focused on the Australian read-across.
As he put it to Leonard, the conditions that produced the CISA leak are not unique to the United States.
The federal govau GitHub account has hosted upwards of 260 public repositories alone, and federal and state agencies between them present what he described as a sprawling target list for potential attackers.
He shared examples with Information Age that included a hashed credential file, a hardcoded API key, and evidence suggesting attempts to clean up previously exposed keys across various Australian government accounts.
His framing throughout was deliberately structural rather than accusatory. He was clear that he was not suggesting any of the Australian examples amounted to a CISA-scale incident, only that the same environment exists here in spades.
Hundreds of repositories, thousands of contributors, and a platform whose git history is famously unforgiving once a secret has been committed. That, he said, is the precondition every leak of this kind needs.
On the question of whether attackers actually scan for this sort of thing at scale, Jamieson was unambiguous, and Leonard captured the point clearly in the piece. They absolutely are.
His closing message to Australian agencies was simple. The CISA story will drive a round of internal reviews across American government departments, and his hope is that the people responsible for the equivalent work here in Australia read it and ask the obvious question of whether they actually know what is sitting in their public repositories right now.
The cost of finding out the wrong way is considerably higher than the cost of looking first.
Grateful to Leonard and the team at Information Age for the thoughtful treatment of the story.
Earlier today our CEO & Offensive Security Lead @theonejvo caught up with @swan_legend from the @smh to talk about the Instructure breach and what it really means for Australian families, schools, and the broader education sector.
The headline numbers tell their own story.
Roughly 275 million users exposed across nearly 9,000 institutions globally, with Queensland's QLearn platform sitting on top of the affected Canvas system and connecting more than 1,200 state schools, 570,000 students, and 73,000 teaching staff into a single ecosystem.
While it looks like the Department itself wasn't breached, it is alleged the vendor was, and the data flowed downstream from there. In modern ed-tech, that's the same thing.
Jamieson shared a few key points with David that we think are worth surfacing more broadly:
On the supply chain reality - Schools and education departments invest heavily in their own perimeters, and those perimeters held up fine.
The compromise happened upstream at a trusted supplier, which is a pattern @d_vuln has been warning about across multiple sectors for years.
When a handful of platforms run learning, identity, and assessment for thousands of institutions, attackers focus their energy where the payoff is largest. One vendor can still mean thousands of victim organisations.
On why "no passwords taken" shouldn't reassure anyone - The data that was taken is the raw material for highly convincing phishing - something we've dubbed "impossible knowledge".
For example: real names, school email addresses, course codes, teacher identifiers, and message excerpts.
Picture a parent receiving a clean, well-written email referencing their child's actual subject teacher and a real assignment, sent the evening before a fee deadline. Anyone would agree that's a different threat profile from the generic spam parents have learned to ignore.
On the AI follow-on scam window - This is the part that has shifted the most in the past 18 months. Generative AI has industrialised the post-breach scam pipeline, taking what used to take a skilled operator a week and compressing it into seconds at the scale of the entire dataset.
On what parents should actually do - Jamieson pushed back hard on the standard "change passwords and stay vigilant" line, which he sees as procedurally useless against AI-written lures that now read better than most legitimate school communications.
The defence has to be procedural rather than perceptual. Save the school's real phone number in your contacts today, before any scam email arrives, and treat that number as the only way you verify anything involving money or personal details. Give any urgent school message at least an hour before acting, because real schools survive a delay and scam payment rails do not.
Thanks to David Swan and the SMH team for the thoughtful coverage on this one.
Our founder @theonejvo was featured in @NBCNews this week talking to @_perloj about vibe coding and the security crisis it is quietly building, and the conversation is worth more than a headline.
The core problem is not that AI coding tools write bad code occasionally - it is that they write plausible-looking code constantly, at a scale and speed that makes meaningful human review practically impossible, and the people deploying it often have no idea what they are actually shipping.
Jamieson put it to NBC like this: "People often believe that AI coding agents will build things per the best security standards. That's just not the case. AI is knocking down decades of security silos that were built up to protect users, and it's being traded for convenience as these AI systems evolve."
What that means in practice is that the security assumptions baked into how software gets built - the review cycles, the threat modelling, the understanding of why a particular architectural decision was made - are being bypassed entirely, not maliciously but structurally, because the person vibe coding a production application often never made a conscious security decision at all.
Jamieson found this firsthand when he identified critical vulnerabilities in @moltbook, the AI-built social network that made international headlines earlier this year - including @karpathy's API key sitting exposed in the platform.
100 million reasons to stop what you're doing and share this right now.
@d_vuln is issuing an urgent warning to all customers using axios. A supply chain attack is currently active, and any project that has run npm install in the last several hours may be affected.
If you're an executive and not a developer, please refer this post to your devs.
With over 100 million weekly downloads, the blast radius here is significant.
To check if you might be impacted, run the following to see which version of axios your project is currently resolving:
npm list axios
If the output shows [email protected], your environment should be treated as potentially compromised. You should also check whether plain-crypto-js landed in your node_modules:
ls node_modules | grep plain-crypto-js
Any match should be treated as a confirmed indicator of exposure.
What to do now.
Pin axios to a known safe version in your package.json and reinstall:
npm install [email protected]
Do not run npm install without pinning until a clean release of axios has been verified.
If you have already installed the compromised version on any machine, begin your incident response process and assume that system may have executed arbitrary code.
Dvuln is monitoring the situation closely and will issue further updates as they become available.
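To run both checks from the advisory across a whole project tree, including nested installs that npm list axios reports but ls node_modules does not, here is an added POSIX shell script (example code, not Dvuln's tool). It assumes COMPROMISED_AXIOS is set to the version named in the advisory; the X.Y.Z default is a placeholder, and the sample tree it builds is constructed for testing.

```shell
#!/bin/sh
# Added example (not Dvuln's tool): audit a node_modules tree for the two
# indicators in the advisory above. Unlike `npm list axios` / `ls node_modules`,
# it also walks nested installs, where a transitive copy of axios or the
# dropped plain-crypto-js package can sit below another dependency.
# COMPROMISED_AXIOS is a placeholder: substitute the version named in the advisory.

COMPROMISED_AXIOS="${COMPROMISED_AXIOS:-X.Y.Z}"
MALICIOUS_PKG="plain-crypto-js"

# Print "<install path> <version>" for every copy of package $2 under tree $1.
resolved_versions() {
    find "$1" -type f -path "*/node_modules/$2/package.json" 2>/dev/null |
    while read -r pj; do
        v=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
        printf '%s %s\n' "${pj%/package.json}" "${v:-unknown}"
    done
}

# Exit status encodes findings: 0 clean, 1 compromised axios resolved,
# 2 malicious package present anywhere in the tree, 3 both.
check_tree() {
    rc=0
    if resolved_versions "$1" axios |
        awk -v bad="$COMPROMISED_AXIOS" '$2 == bad { hit = 1 } END { exit !hit }'; then
        rc=$((rc + 1))
    fi
    if [ -n "$(find "$1" -type d -path "*/node_modules/$MALICIOUS_PKG" 2>/dev/null)" ]; then
        rc=$((rc + 2))
    fi
    return "$rc"
}

# Human-readable report for a project's node_modules directory.
report() {
    echo "Resolved copies of axios under $1:"
    resolved_versions "$1" axios
    check_tree "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo "No indicator found. Still pin axios before the next npm install." ;;
        1) echo "Compromised axios version resolved: treat this machine as potentially compromised." ;;
        2) echo "$MALICIOUS_PKG present: confirmed indicator of exposure, start incident response." ;;
        3) echo "Both indicators present: assume arbitrary code has executed here." ;;
    esac
    return "$rc"
}

# Constructed fixture for testing: a top-level axios at the placeholder version,
# a nested axios copy, and the malicious package hidden one level down.
make_sample_tree() {
    root=$(mktemp -d)
    nm="$root/node_modules"
    mkdir -p "$nm/axios" "$nm/some-lib/node_modules/axios" "$nm/some-lib/node_modules/$MALICIOUS_PKG"
    printf '{ "name": "axios", "version": "%s" }\n' "$COMPROMISED_AXIOS" > "$nm/axios/package.json"
    printf '{ "name": "axios", "version": "0.0.0-constructed" }\n' > "$nm/some-lib/node_modules/axios/package.json"
    printf '{ "name": "%s", "version": "0.0.0-constructed" }\n' "$MALICIOUS_PKG" > "$nm/some-lib/node_modules/$MALICIOUS_PKG/package.json"
    printf '%s\n' "$nm"
}

# Usage: sh check_axios.sh path/to/node_modules
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run it against each machine that has executed npm install recently; a non-zero exit status means the incident response steps above apply.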
This week, our founder and CEO @theonejvo spoke to @ACSnewsfeed's @notLeonardCohen on the North Korean remote worker threat targeting Australian organisations.
DPRK operators have long been dismissed in cybersecurity circles, and some of that dismissal is earned on the surface.
Their tradecraft has at times been noisier than what you'd see from Chinese or Russian APT groups, and there have been visible stumbles during social engineering attempts on camera.
But the financial record tells a different story. Several major crypto exchanges have been compromised over the past decade, with billions allegedly funnelled back into state coffers. That is the output of a program with serious infrastructure, serious discipline, and a serious R&D pipeline behind it.
At Dvuln, we run continuous offensive research as part of our red team and adversary simulation work, and a pattern keeps repeating: we develop a novel technique, and before the broader industry is publicly discussing it, we are already spotting North Korean operators using it in the wild. Across both technical and social engineering vectors, on multiple occasions.
That speaks to a threat actor actively scanning the frontier of offensive tradecraft and willing to operationalise new methods fast.
For Australian organisations specifically, the multicultural angle matters in ways that Western analysis of this threat consistently underestimates.
English fluency is assumed to be a natural filter, but that assumption falls apart when an operative can work comfortably in Mandarin, Korean, or Vietnamese.
AI is closing whatever gaps remained around language proficiency and visual presentation, with deepfake interviews, synthetic professional identities, and AI-assisted communication all accelerating simultaneously.
The structural blind spot enabling all of this is the gap between HR and security functions that rarely talk to each other.
Recruiters are not trained to detect synthetic identities, and security teams are rarely in the room during talent acquisition.
That convergence point is exactly where these operatives are designed to land.
Last week our founder @theonejvo spoke with @swan_legend at @theage about the @tryheidi jailbreak story, and what it actually means for technology leaders deploying AI at scale.
While the headline was alarming, the reality was more nuanced, and the nuance is where the real lessons live.
What Mindgard demonstrated was a jailbreak that lived entirely within a single user's session. No patient data was accessed, no cross-contamination between users, no reach into backend systems.
The sensationalism served a narrative, but it made the harder conversation more difficult to have productively. And the harder conversation is the one worth having.
That is, general-purpose models do not always inherently understand what counts as sensitive information in a given regulatory context.
In many cases, that understanding has to be deliberately engineered into the product layer by whoever is deploying the model. Relying on a model's built-in behaviour as your primary control is a gap, and in high-stakes environments it is a consequential one.
There is also a meaningful difference between compliance review and red teaming that the industry has been slow to reckon with.
Traditional approval processes assess documentation, intended use, and regulatory alignment. Red teaming assesses what a system does under deliberate misuse.
These are asking entirely different questions, and both deserve a place at the table before any national-scale rollout happens.
It is also worth being clear that this is a sector-wide structural problem.
Comparable jailbreaks have been documented against @ChatGPTapp, @xai's @grok, and @Microsoft's Bing Copilot.
So, framing this as a Heidi Health issue undersells how universal the gap actually is.
Any organisation wrapping a general-purpose model in a high-stakes workflow carries the same obligation: to assume the model can be manipulated, to build systems that account for that reality, and to test adversarially on a continuous basis rather than ticking a compliance box once and moving on.
The question every technology leader should be putting to their vendors and their own teams is simple.
What happens when someone tries to break this deliberately?
If that question does not have a tested answer, it is worth asking before your patients, customers, or users become the ones who find out.
This week, our founder @theonejvo spoke to @TechCrunch in relation to recent events concerning Delve.
Here is what VCs should actually take from it.
Completely separate to the fraud allegations, a researcher (@jameszhou02) found live auth tokens, employee background checks, and client compliance data in a public storage bucket. No complex exploitation. Just a URL and an afternoon.
This was a company whose entire value proposition rested on delivering trust. So the question worth sitting with, for VCs, is: which of your portfolio companies is one afternoon of research away from the same headline?
Opsec is a founder quality and a positive investment signal. We think the market is about to start treating it that way.
Our CEO @theonejvo spoke to @guardian's @AishaKDown this week about the reported @Meta AI agent incident, and if you're a security leader currently deploying agentic AI it's worth more than a skim. Every publicly reported failure is, in his words, a case study that tells anyone paying attention exactly where the seams are.
Sobering stats from @rauchg from @vercel.
Vercel Firewall has now blocked:
- Approximately 6 million exploit attempts in total
- 2.3 million attempts within the past 24 hours
- 18,000 unique attacking IP addresses
- More than 500 automated exploit scanners
The volume highlights how quickly an internet-facing weakness becomes the focus of coordinated scanning and opportunistic targeting.
The pace of this activity reinforces the importance of having an effective control layer in front of applications, and Vercel's WAF is demonstrating meaningful capability as a first line of defence.
While some initial bypasses existed, its rule updates are actively informed by the global security research community and continue to evolve in response to bypass techniques and new patterns of attack.
These protections provide a valuable buffer, but they do not replace the need for direct remediation.
Teams should still apply vendor patches, validate dependency updates, and confirm that application components are aligned with the latest guidance.
Patching remains the decisive step in reducing exposure!
Vercel Firewall has blocked:
▪️ ~6MM exploit attempts (all-time)
▪️ 2.3MM in the last 24h
▪️ 18K unique attacking IPs
▪️ 500+ exploit scanners
Kudos to our CDN & Security teams working day & night to protect the internet from React2Shell attacks.
Our WAF continues to get stronger, in collaboration with security researchers worldwide. It protects against non-trivial bypasses, making it a remarkably capable first line of defense (and not just for these vulns, but existing & future rules.)
That said: please patch your applications!
Thanks for the in-depth breakdown @duborges. No doubt the path of destruction is going to be long for this one.
For every user like yourself there's 1000 more that wouldn't have the slightest idea on how to do the analysis you did.
If it helps you or anyone else on this thread we released a free tool that allows users to check if they're impacted.
https://t.co/ioz8I73pOc
According to @builtwith, 55M+ live sites run @reactjs.
With the public disclosure of CVE-2025-55182, a significant portion of that attack surface is now exposed to an unauthenticated Remote Code Execution vulnerability in React Server Components.
We have released a scanner to enable rapid identification of vulnerable assets.
Enter your target URL to initiate a scan; if CORS restrictions apply, bash and PowerShell commands are provided for internal infrastructure and CI/CD integration.
Execution is entirely client-side (JS/CLI) and no data is stored on our servers (use responsibly).
https://t.co/Qji6Ecpbcn
Affected organisations should patch immediately to 19.0.1, 19.1.2, or 19.2.1.
We recommend forwarding this advisory to your engineering and security teams for immediate triage.