Following my talks at #PasswordsCon and #UYBHYS2019 , I'm proud to announce the open sourcing of @KindredGroup 's password reuse checking tool to protect our customers against password reuse attacks: https://t.co/TSAY7XjsrD
Full LPE chain for the FreeBSD 14.x kernel via a setcred(2) stack buffer overflow. SMAP and SMEP bypassed.
Write-up + exploits: https://t.co/a8Z3T9dTzE
Patch your Linux boxes!
https://t.co/VWOUDbLAn2 is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years. A small, portable python script gets root on all platforms.
Found by the teams at @theori_io and @xint_official
More details below
https://t.co/9f6T96PvPX
gopacket is live! Check it out, it is intended to be a full reimplementation of Impacket in Go (it is in beta please send me bug reports) https://t.co/9XjTickbyA
Every once in a while an improvement is so remarkable it leaves you completely flabbergasted.
Antiklesys asked the hashcat team for help with iCLASS legacy key recovery.
Chick3nman delivered.
Before on CPU: 40 hours.
Now: 6 minutes.
Before on GPU: not supported.
Now: 6 seconds.
That is not an incremental improvement.
That is a different world.
Big thank you to Antiklesys and the whole hashcat team.
#iClass #RFID #Proxmark3 #Hashcat #KeyRecovery #OpenSource #PhysicalSecurity
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
Insanity level: ✅ just right
Coreforge is at it again, repurposing an old AMD B350 motherboard (sans CPU) as a Raspberry Pi PCIe breakout board: https://t.co/WWhiTAY4k0
Another antivirus 🛡️, another unfulfilled promise 😣. @kaluche_ turns Avira's protection into a privilege escalation playground. 3 LPE vectors via symlink abuse (CVE-2026-27748, CVE-2026-27750) and unsafe deserialization (CVE-2026-27749).
Find out more: https://t.co/uVzyUWCjzh
Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.
Between June and December 2025, a “likely Chinese state-sponsored group” compromised the infrastructure used by Notepad++ and served malicious updates to selectively targeted users. https://t.co/w5kp0kyy5z
Plug in an RTL-SDR (or Airspy), open Chrome, tune FM radio. No drivers. No installs.
CyberEther Web talks to the SDR over WebUSB, runs the DSP in WASM, and renders the waterfall on WebGPU.
https://t.co/Ds87BUlOwX
ℹ️🔴 La CNIL sanctionne FRANCE TRAVAIL (anciennement Pôle Emploi) d’une amende de 5 millions d’euros pour ne pas avoir assuré la sécurité des données des personnes en recherche d’emploi 👉 https://t.co/3R92WCLqUx
"Use a better system prompt" is the new "sanitize your inputs", but when your #AI agent's tools don't check permissions, you've got a problem and no amount of prompting will fix it.
Check @kaluche_ 's post about #AgenticAI & the Confused Deputy issue ⬇️
https://t.co/k6kEaYWHlY
Blog post: On the Coming Industrialisation of Exploit Generation with LLMs https://t.co/aK4pysY1wD
TL;DR: I ran an experiment with GPT-5.2 and Opus 4.5 based agents to generate exploits for a zeroday QuickJS bug. They're pretty good at it.
Code: https://t.co/47xHRObhRy