Ukraine launches TrophyLab: we are opening access to captured Russian weapon technologies for our global partners. Every missile, drone, and vehicle seized on the battlefield is now a source of knowledge for the free world.
Through this secure platform, allied governments, labs, and defense tech manufacturers gain access to deep technical data, reports, and vulnerabilities. Users can also request physical equipment for testing, significantly shortening the development cycle for countermeasures.
What was meant to be the enemy's secret advantage is being dismantled to defend democracy. Join the platform:
🔗 https://t.co/xoeCfXsIy3
Americans are struggling to pay for groceries and gas while Elon Musk becomes a TRILLIONAIRE.
When the federal government is for sale, the rich get richer and everyone else gets shafted.
The system is rigged.
Trump just put a random mortgage banker — whose chief qualification appears to be targeting Trump’s domestic enemies — in charge of our nation’s intelligence agencies.
America, do you feel safer yet?
Half of offsec lives on platforms whose ToS prohibit half of offsec.
Rootshell, Packet Storm, https://t.co/9iIUJdS0sa, milw0rm had this figured out 20 years ago. Maybe it's time to stop pretending GitHub/Lab is neutral infrastructure.
I see a lot of stuff about Vanta today, so let me throw some cold water on that:
Vanta recommends an audit firm, Advantage Partners, whose entire management team consists of former Vanta employees.
The compliance automation industry is so broken.
I went to https://t.co/0yaHjrptb3. opened the page source. found a hardcoded API key in the javascript. copied it. sent one GET request.
got back 959 email addresses and 3,165 internal feature flags.
employees from Home Depot. Fortinet. Autodesk. Tenable. Rakuten. Mayo Clinic. Permira. Akin Gump. government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland Australia, and New Zealand. a Microsoft contractor. 71 clickup employees.
fortinet sells enterprise firewalls. tenable makes Nessus, the vulnerability scanner half the industry runs. their employees' emails are exposed because clickup hardcoded a third party API key in a javascript file that loads before you even log in.
this was first reported to clickup through hackerone on January 17, 2025. it's now April 2026. the key has not been rotated. I just pulled the response five minutes ago. every email is still there.
clickup raised $535 million at a $4 billion valuation. claims 85% of the Fortune 500 use their platform. looks like the proof is in the page source.
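The failure mode in the post above, seen from the defender's side: an added example (not ClickUp's, the poster's, or any vendor's code) of a pre-release check that scans a built JavaScript bundle for credentials that would be served to anonymous visitors before login. The sample bundle, its variable names and the `ffk_live_` key format are constructed and hypothetical.

```javascript
// Added example, not ClickUp's or any vendor's code: a pre-release check that
// scans a built front-end bundle for credentials served to anonymous visitors.
// The bundle, its variable names and the "ffk_live_" key format are hypothetical.
const SAMPLE_BUNDLE = `
const cfg = { apiUrl: "https://api.example.invalid", debug: false };
const FLAGS_API_KEY = "ffk_live_Qz7mT2vX9kLpR4wN8bJ3yH6dF1sG5aC0";
fetch(cfg.apiUrl + "/flags", { headers: { Authorization: "Bearer " + FLAGS_API_KEY } });
const sessionSeed = "X4nB9kQ2wL7zM1pR8vT3jH6yC5dF0sG";
const welcome = "Welcome back, please sign in to continue";
const theme = "light";
`;
// Shannon entropy in bits per character: random keys score near log2(alphabet
// size), while prose and URLs score noticeably lower.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Identifiers that usually hold credentials, and a string literal assigned to
// any identifier (object property `name: "..."` or variable `name = "..."`).
const SECRET_NAME = /(api[_-]?key|secret|token|password|auth)/i;
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*["'`]([^"'`\n]{8,})["'`]/g;
const LOOKS_LIKE_URL = /^[a-z][a-z0-9+.-]*:\/\//i;

// One finding per suspicious literal, flagged because the identifier name is
// credential-like or because the value is long and random-looking.
function findHardcodedSecrets(source, { minLen = 20, minEntropy = 4.0 } = {}) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const [, name, value] of line.matchAll(ASSIGNMENT)) {
      // Prose and URLs are long but not secrets; skipping them cuts false positives.
      if (/\s/.test(value) || LOOKS_LIKE_URL.test(value)) continue;
      const entropy = shannonEntropy(value);
      const nameHit = SECRET_NAME.test(name);
      const entropyHit = value.length >= minLen && entropy >= minEntropy;
      if (nameHit || entropyHit) {
        findings.push({ line: idx + 1, name, entropy: Number(entropy.toFixed(2)),
                        reason: nameHit ? "credential-like name" : "high-entropy value" });
      }
    }
  });
  return findings;
}
```

Run it against the real build output in CI and fail the pipeline on any finding; the two hits in the sample are the named key and the unnamed high-entropy literal, while the URL and the prose string are skipped.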
An AI red team startup breached a random YC startup, posted about it, and tagged me as if I'd support that. Absolutely not.
I call out unethical behavior and false promises of security. My goal is to make things better. Exposing a startup to show off your skills isn't okay.
We open-sourced the tool used to detect the Axios supply chain compromise! I built it Friday after a red-eye home from RSAC. Also wrote up the full story, including the hectic moments after that first critical alert.
https://t.co/HAm8eMr8vO