Default‑deny HTTP(S) for dev tools and AI agents. Script rules in JS or shell, log every request, and keep egress within your policy.

Welcome to the first issue of Pentesting Weekly Digest — your curated roundup of the most important news, tools, and vulnerabilities from the world of penetration testing and cybersecurity.

Use the offensive tool WSASS to dump the LSASS memory area by exploiting the vulnerability in WerFaultSecure.exe

Harden Supabase with the following cheat-sheet with clear steps for RLS, schemas, Edge Functions, Storage, CORS and tokens. Built from real audits.

This course provides a comprehensive introduction to Trusted Platform Module (TPM) 2.0 programming using the Python-based tpm2-pytss library.

This course provides a comprehensive introduction to Trusted Platform Module (TPM) 2.0 programming using the Python-based tpm2-pytss library.

In my work analyzing native code in Android applications, I often try different techniques. Some work, others not so much. I’ve realized I…

Python-based LDAP browser with GUI for AD pentesting & red teaming. Cross-platform PoC tool for exporting, searching & BloodHound integration.

Binary Security spend a lot of time testing and securing CI/CD setups, especially GitHub Actions. In this two-part series we cover some of the many security considerations when using GitHub Actions, with a focus on securing your CI/CD pipeline against adversaries…

In HTTP/1, the CONNECT method instructs a proxy to establish a TCP tunnel to a requested target. Once the tunnel is up, the proxy blindly forwards raw traffic in both directions. This mechanism is most commonly used to tunnel TLS traffic through forwarding…

The Shai-Hulud worm has infected over 500 NPM packages including @ctrl/tinycolor in an unprecedented self-propagating supply chain attack. The malware harvests AWS/GCP/Azure credentials using TruffleHog, establishes persistence through GitHub Actions backdoors…

Affected Versions Vendor Response The vendor has issued an advisory SMR-SEP-2025, available at: https://lgsecurity.lge.com/bulletins/tv in regard to the below described vulnerability Credit The vulnerability was disclosed during our TyphoonPWN 2025 LG Category…

The attackers behind the nx attack have struck again, targeting a large amount of packages, with a first-of-its-kind worm payload.

After launching in NYC, the AI Agent Security Summit heads to San Francisco to continue shaping how enterprises secure the next wave of AI.

Someone's trash is another person's web server.

First part in a series, delving into the previously unexplored Tiantong-1 satellite system, Huawei's Mate 60 Pro smartphone, and general satphone security.

In late August 2025, I submitted two security reports to PureVPN under their VDP. Three weeks later, I’ve received no response, so I decided to publish the findings to inform other users.
The issues affect both their GUI (v2.10.0) and CLI (v2.0.1) clients…

Practical guide for hunters and defenders: hunting webhooks, detection, PoC examples and mitigations.

Varonis reveals a decade-old Unicode flaw that enables BiDi URL spoofing and poses phishing risks. Learn how attackers exploit RTL/LTR noscripts and browser gaps.

While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise every Entra ID tenant in the world (except probably those…