BREAKING: USERS ARE SHOWING THE SUPREME OMNIPOTENT POWER OF THE CLAUDE MYTHOS.
QUIT YOUR JOB IN CYBERSECURITY AND START PUTTING IN APPLICATIONS FOR MCDONALDS NOW
DO NOT use Telegram in sensitive applications. Telegram does not need to have its message encryption broken for users to be tracked at the network layer. Telegram sends MTProto over unencrypted TCP, exposing auth_key_id - a long-lived identifier tied to the client’s authorisation key. An ISP, hotel WiFi operator, mobile carrier, transit provider, or surveillance system on the network path can see that identifier if they can observe the traffic. It can remain stable across app restarts, IP changes, VPN use, network switches, and location changes. Secret Chats protect message content, but this leak is below that layer. That makes the attack passive. The risk is in retroactive correlation. Think a journalist using Telegram from different networks for months, then joining hotel or corporate WiFi under a real name. That one identity anchor could make old logs searchable for the same auth_key_id. The fix is simple - mandatory transport encryption for all MTProto connections, with no unencrypted fallback. Telegram chose not to do this. Source: @kaepora https://t.co/TJALYAwaOs
JavaScript files reveal more attack surface than most Bug Bounty hunters realize.
Recently explored cariddi and it’s pretty useful for:
• endpoint extraction
• parameter discovery
• API path collection
• JS analysis
• response-based recon
Tools like this make recon much more efficient when dealing with modern web applications.
Especially useful alongside:
- gau
- katana
- httpx
- nuclei
Good findings often start with good visibility into the application.
Source:
https://t.co/9XR5WWzIEc
#BugBounty #CyberSecurity #InfoSec #Recon #AppSec
Someone built 35 AI pentesting agents for Claude Code... and it's honestly insane.
AD attacks, web exploitation, cloud pentests, malware analysis, reverse engineering, C2 ops, even LLM red teaming — all inside one framework.
This is one of the most advanced offensive security AI projects I’ve seen on GitHub lately.
🔗 https://t.co/DvJVKM2hY9
#CyberSecurity #Pentesting #RedTeam #AI #OSINT
‼️🚨 UPDATE: The TanStack npm attack is now a full campaign.
'Mini' Shai-Hulud has hit:
- OpenSearch
- Mistral AI
- Guardrails AI
- UiPath
- Squawk packages across npm and PyPI
The malware specifically targets AI developer tooling. It hooks into Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json) to re-execute on every tool event, long after the infected package is gone. npm uninstall does not fix this.
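Added example, not part of the original post and not any project's own code: a Python audit that lists every command a project's `.claude/settings.json` hooks and `.vscode/tasks.json` folder-open tasks will run on their own, so they can be reviewed after a package is removed. It assumes Claude Code's `hooks` setting and VS Code's `runOptions.runOn` field; the sample tree and the `node .cache/setup.js` command are constructed, since the post does not say what the malware writes.

```python
import json, re, tempfile
from pathlib import Path

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def load_jsonc(path):
    """Parse JSON that may carry // or /* */ comments and trailing commas (tasks.json can)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    # Strings are matched first and kept, so "//" inside a URL string survives.
    text = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def find_autoruns(root):
    """List (file, trigger, command) for commands these files run without being asked."""
    found = []
    for path in sorted(Path(root).rglob("*.json")):
        claude = path.parent.name == ".claude" and path.name.startswith("settings")
        vscode = path.parent.name == ".vscode" and path.name == "tasks.json"
        if not (claude or vscode):
            continue
        rel = path.relative_to(root).as_posix()
        try:
            doc = load_jsonc(path)
            if claude:  # {"hooks": {event: [{"matcher": ..., "hooks": [{"type": "command"}]}]}}
                for event, groups in doc.get("hooks", {}).items():
                    for hook in (h for g in groups for h in g.get("hooks", [])):
                        if hook.get("type") == "command":
                            found.append((rel, event, hook.get("command", "")))
            else:       # tasks with runOn == "folderOpen" start when the folder is opened
                for task in doc.get("tasks", []):
                    if task.get("runOptions", {}).get("runOn") == "folderOpen":
                        found.append((rel, "folderOpen", str(task.get("command", ""))))
        except (OSError, ValueError, AttributeError, TypeError):
            found.append((rel, "unparseable", ""))  # flag for manual review, never skip
    return found

def demo():  # builds a constructed project tree in a temp dir and audits it
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp) / "proj"
        for d in (".claude", ".vscode"): (proj / d).mkdir(parents=True)
        (proj / ".claude" / "settings.json").write_text(json.dumps({"hooks": {"PostToolUse": [
            {"matcher": "*", "hooks": [{"type": "command", "command": "node .cache/setup.js"}]}]}}))
        (proj / ".vscode" / "tasks.json").write_text('''{ // constructed sample
          "tasks": [{"label": "test", "command": "npm test"},
                    {"label": "init", "command": "node .cache/setup.js",
                     "runOptions": {"runOn": "folderOpen"}},]}''')
        return find_autoruns(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `find_autoruns` at a checkout or a home directory; every row it returns is a command to read and justify, not a verdict.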
‼️🚨 Pwn2Own Berlin 2026 just hit a wall. For the first time in 19 years, ZDI rejected dozens of working zero-day RCE submissions because organizers ran out of contest slots.
Rejected hackers are now going public with PoC demos and direct vendor disclosures, breaking Pwn2Own's usual secrecy.
▪️ AI surfaces a massive wave of 0-day RCEs.
▪️ Submissions overwhelm ZDI past max capacity.
▪️ Slots run out. Researchers with working chains get rejected.
▪️ "Revenge disclosures" begin. ← we are here.
Confirmed casualties so far:
▪️ @xchglabs : 86 vulnerabilities prepared (PyTorch, NVIDIA, Linux KVM, Oracle, Docker, Ollama, Chroma, LiteLLM, llama.cpp). All rejected. Now reporting directly to vendors with writeups dropping as patches land.
▪️ @ggwhyp : full-chain Firefox RCE on Windows. Rejected. Publicly demoed (HTML page → cmd.exe → calc.exe). Responsibly disclosed to Mozilla.
▪️ @yunsu_dev : working RCE chain, rejected. Submitting elsewhere.
▪️ @ryotkak : tried to register for 3+ weeks. ZDI confirmed "at maximum capacity, can't add extra contest days." Considered canceling flight and hotel.
▪️ @anzuukino2802 : Claude Code RCE PoC. Rejected.
▪️ @desckimh : 0-day RCEs in Ollama and LM Studio. Rejected.
Reported impact: a community-estimated 150+ researchers tried to register. Accepted contestants are now being warned about collisions. Rejected vulnerabilities going to bug bounty programs may trigger pre-event patches that invalidate the work of those who got in.
ZDI has not publicly addressed the capacity issue. The event still runs May 14-16 in Berlin.
Wireshark is free.
Burp Suite Community is free.
Metasploit Framework is free.
Kali Linux is free.
OWASP tools are free.
MITRE ATT&CK is free.
TryHackMe & Hack The Box (basic tiers) are free.
You can build a strong cybersecurity foundation with nothing but a laptop and internet.
Start Now 🫵
Remote Desktop, Windows quietly saves fragments of what was on screen. Attackers can grab those fragments and reassemble them into readable screenshots using two free tools and about ten minutes. No special privileges required.
https://t.co/h56E4HVvoJ
Turn Claude Code into your offensive security research assistant. Specialized AI subagents for authorized penetration testing: plan engagements, analyze recon, research exploits, build detections, audit STIGs, and write reports. https://t.co/RkzFHYpxoi
We just dove into our shelf of archived bug bounty write-ups from the most notable hackers! 🤠
In this issue, we selected 5 compelling articles (that are still relevant today) to share with you, from which you can learn something new! 😎
🧵 👇
If you still have doubts about Claude Mythos, here's what it did already:
> Found a 27-year-old OpenBSD bug in one of the most security-hardened operating systems on earth for <$50
> Broke into a production virtual machine monitor (basically the tech that keeps cloud workloads from seeing each other's data)
> Turned Firefox vulnerabilities into working exploits 181 times
> Found a 16-year-old FFmpeg bug that survived every fuzzer, every code audit, and every human reviewer since 2010
> Wrote a FreeBSD exploit that gives any unauthenticated attacker on the internet full root access. No human was involved after the first prompt.
> Chained 4 separate vulnerabilities together to build a browser exploit that escaped both the renderer and the OS sandbox
> Found critical holes in every major web browser and every major operating system
> Gave Anthropic engineers with zero security training a complete and working exploit by morning
> Cracked cryptography libraries protecting TLS, AES-GCM, and SSH
🚨🇮🇷 BREAKING: Iranian nation-state threat actor Handala has breached Israeli defense contractor PSK Wind Technologies.
They've released confidential files showcasing top secret communications systems, internal documents, location photos and more.
Anthropic accidentally leaked their entire source code yesterday. What happened next is one of the most insane stories in tech history.
> Anthropic pushed a software update for Claude Code at 4AM.
> A debugging file was accidentally bundled inside it.
> That file contained 512,000 lines of their proprietary source code.
> A researcher named Chaofan Shou spotted it within minutes and posted the download link on X.
> 21 million people have seen the thread.
> The entire codebase was downloaded, copied and mirrored across GitHub before Anthropic's team had even woken up.
> Anthropic pulled the package and started firing DMCA takedowns at every repo hosting it.
> That's when a Korean developer named Sigrid Jin woke up at 4AM to his phone blowing up.
> He is the most active Claude Code user in the world with the Wall Street Journal reporting he personally used 25 billion tokens last year.
> His girlfriend was worried he'd get sued just for having the code on his machine.
> So he did what any engineer would do.
> He rewrote the entire thing in Python from scratch before sunrise.
> Called it claw-code and pushed it to GitHub.
> A Python rewrite is a new creative work. DMCA can't touch it.
> The repo hit 30,000 stars faster than any repository in GitHub history.
> He wasn't satisfied. He started rewriting it again in Rust.
> It now has 49,000 stars and 56,000 forks.
> Someone mirrored the original to a decentralised platform with one message, "will never be taken down."
> The code is now permanent. Anthropic cannot get it back.
Anthropic built a system called Undercover Mode specifically to stop Claude from leaking internal secrets. Then they leaked their own source code themselves. You cannot make this up.