My First RCE by Reverse Engineering an EXE File With the Help of AI
A secure web app → a JS file leaking a download endpoint → a .NET binary → AI-assisted reverse engineering → a localhost WebSocket with no origin check → RCE
Write-up: https://t.co/CN6VM92hqA
Absolutely. Kagi exists to honor the creators, writers, and bloggers who give the web its soul.
We're here to surface their work, support it, and keep it discoverable.
These are my designs for the Aaron Swartz monument to remind us of the Core Internet Values:
1. Freedom of Speech
2. Freedom of Access to Info
3. Right to Privacy
Apple spent 5 years building a protection to armor its operating system.
Three researchers bypassed it in 6 days using Claude Mythos.
Apple designed MIE as the major security defense of the M5 and A19 chips, a layer created specifically to block most modern hacks even if a bug existed inside the system.
According to the company itself, it prevented all known public exploits on modern iOS.
But the Calif team found another route.
They did not break the protection directly.
They went around it.
And the craziest part is the speed:
→ they discovered the bug on April 25
→ by May 1 they already had a working exploit developed with the help of Claude Mythos.
An extremely rare attack that does not need to modify critical memory or run malware in the traditional way.
Just normal system calls from an unprivileged account, until gaining root access on macOS.
And they went in person to Apple Park to deliver the technical report.
The full paper is 55 pages long and will be published when Apple releases the patch.
Possibly the cybersecurity story of the year.
claude mythos just broke Apple's $2 billion defense system. it did so by discovering a completely different attack vector to break in
only took it 5 days costing ~$35K of mythos api time (the same exploit class costs $5-10M on grey market)
the researchers that commandeered the exploit produced a 55-page report that was delivered to Apple HQ in-person (hoping they release it after patching).
most shocking part for me is apple's MIE worked as intended. mythos just discovered a new way to side-step it entirely by poisoning the data the M5 chip ingested.
at this point i think we have to accept that mythos walks the walk.
As the anthropic red-team explicitly confirmed this week - this is NOT a compute resource issue. it's national defense.
These tools power 90% of real-world hacks in 2026, and most people only know 3 👀
— Nmap → Network scanning & recon
— Metasploit → Exploitation framework
— Burp Suite → Web app testing
— Nessus → Vulnerability scanning
— Wireshark → Network traffic analysis
— OWASP ZAP → Web security scanner
— sqlmap → SQL injection automation
— Nikto → Web server scanning
— Gobuster → Directory brute-forcing
— Aircrack-ng → WiFi security testing
— John the Ripper → Password cracking
— Hashcat → Advanced password cracking
— Nuclei → Fast vulnerability scanning
— Wfuzz → Web fuzzing
— Snort → Intrusion detection
If you’re serious about cybersecurity, you don’t just know these… you understand when to use each.
How many have you actually used?