The site looks like a coffee shop to humans. To Claude, it serves a fake Cloudflare check.
web_fetch is read-only, so the page builds an alphabetical directory Claude clicks through to spell out your data, one letter at a time.
https://t.co/lTJZM0u28A
💥 Introducing "Januscape" (CVE-2026-53359)
A Guest-to-Host Escape in KVM/x86 exploiting a UAF in the shadow MMU. Triggerable on both Intel and AMD hosts. Threatens x86 public clouds (GCP, AWS) that expose nested virtualization.
"16 years" latent. Successfully used as a 0-day exploit in "Google kvmCTF".
To the best of public knowledge, the first KVM exploit research triggerable on both Intel and AMD.
Details: https://t.co/df5GPpVfeA
There’s a big diff between security professionals who have never found bugs, and those who have.
And there’s a big diff between those who have only found bugs, and those who have tried to prevent them.
People are literally doing Rowhammer attacks on the KV cache now. A new paper shows you can bit-flip vLLM's shared prefix memory. Since the cache doesn't decay, one flipped bit silently corrupts generation for EVERYONE using that system prompt 😭
Working on the new simulator. I just wanted to see what Atari2600 fetching data from ROM looks like at CMOS FET level
(@tinytapeout TT09 Atari circuit by @__ReJ__)
CVE-2025-55182 dropped.
CVSS 10.0.
React Server Components.
The Slack channel exploded.
Forty-seven messages in twelve minutes.
I responded with a fire emoji.
Leadership.
My threat intel team sent me six GitHub links.
I clicked none of them.
But I forwarded all of them.
To seventeen people.
With "URGENT" in the subject line.
Three exclamation points.
That's how you know it's serious.
Our vendor called.
They said their WAF had "day-zero protections."
I asked what that meant.
They said "runtime-level coverage."
I asked what that meant.
They sent me a PDF.
Fourteen pages.
I read the executive summary.
Four bullet points.
Three of them said "AI-powered."
I felt safe.
I scheduled an all-hands.
Mandatory.
I showed a screenshot of Shodan results.
Very red.
Very scary.
I said "React2Shell" four times.
Each time more slowly than the last.
I showed them a PoC from Twitter.
It used child_process.exec.
I said we blocked it.
I didn't mention you'd have to deliberately expose that function.
Which would be insane.
Which no one does.
Which makes blocking it meaningless.
But the slide looked great.
Green checkmark.
"MITIGATED."
A security engineer unmuted.
She asked about prototype pollution.
She asked about __proto__:then.
She asked if we'd actually upgraded React.
I said those were implementation details.
I said we focus on outcomes, not outputs.
I said our posture was defense-in-depth.
She asked what layer was actually defending.
I said, "All of them."
She shared her screen.
Our Next.js was three versions behind.
I said version numbers were vanity metrics.
She said the CVE literally lists affected versions.
I said, "Let's parking-lot that."
I never found the parking lot.
The meeting ended.
I posted a LinkedIn update.
"Proud of our team's rapid response to React2Shell."
Forty-three likes.
Two comments from vendors.
One recruiter DM.
The engineer's Jira ticket sat in the backlog.
Priority: Medium.
We shipped a new feature instead.
The breach came through prototype pollution.
Exactly what she said.
The WAF saw nothing.
Because WAFs don't understand JavaScript deserialization.
The postmortem was three hours.
I facilitated.
Root cause: "Sophisticated nation-state actor."
Contributing factor: "Unclear internal communication."
The engineer who raised the alarm?
"Contributed to confusion during incident response."
I'm keynoting at RSA next month.
Topic: "Building a Culture of Cyber Resilience."
I'm workshopping my opening line.
"In today's threat landscape, the only certainty is uncertainty."
The audience will nod.
They always do.
We were contacted by a journalist at Le Parisien newspaper with this prompt:
> I am preparing an article on the use of your secure personal data phone solution by drug traffickers and other criminals. Have you ever been contacted by the police? Are you aware that some of your clients might be criminals? And how does the company manage this issue?
Absolutely no further details were provided about what was being claimed, who was making it or the basis for those being made about it. We could only provide a very generic response to this.
Our response was heavily cut down and the references to human rights organizations, large tech companies and others using GrapheneOS weren't included. Our response was in English was translated by them: "we have no clients or customers" was turned into "nous n’avons ni clients ni usagers", etc...
GrapheneOS is a freely available open source privacy project. It's obtained from our website, not shady dealers in dark alleys and the "dark web". It doesn't have a marketing budget and we certainly aren't promoting it through unlisted YouTube channels and the other nonsense that's being claimed.
GrapheneOS has no such thing as the fake Snapchat feature that's described. What they're describing appears to be forks of GrapheneOS by shady companies infringing on our trademark. Those products may not even be truly based on GrapheneOS, similar to how ANOM used parts of it to pass it off as such.
France is an increasingly authoritarian country on the brink of it getting far worse. They're already very strong supporters of EU Chat Control. Their fascist law enforcement is clearly ahead of the game pushing outrageous false claims about open source privacy projects. None of it is substantiated.
iodéOS and /e/OS are based in France. iodéOS and /e/OS make devices dramatically more vulnerable while misleading users about privacy and security. These fake privacy products serve the interest of authoritarians rather than protecting people. /e/OS receives millions of euros in government funding.
Those lag many months to years behind on providing standard Android privacy and security patches. They heavily encourage users to use devices without working disk encryption and important security protections. Their users have their data up for grabs by apps, services and governments who want it.
There's a reason they're going after a legitimate privacy and security project developed outside of their jurisdiction rather than 2 companies based in France within their reach profiting from selling 'privacy' products.
https://t.co/uWVPGoiEUs
Here's that article:
https://t.co/5TvYFemejg
🔵 L'ANSSI partage son positionnement vis-à-vis du #ConfidentialComputing.
📝 L'Agence rappelle notamment les modèles d'attaque que le Confidential Computing prétend traiter, ainsi que des lignes directrices.
🔗 https://t.co/KdvfYafLur