In HTTP/1, the CONNECT method instructs a proxy to establish a TCP tunnel to a requested target. Once the tunnel is up, the proxy blindly forwards raw traffic in both directions. This mechanism is most commonly used to tunnel TLS traffic through forwarding…

The Shai-Hulud worm has infected over 500 NPM packages including @ctrl/tinycolor in an unprecedented self-propagating supply chain attack. The malware harvests AWS/GCP/Azure credentials using TruffleHog, establishes persistence through GitHub Actions backdoors…

Affected Versions Vendor Response The vendor has issued an advisory SMR-SEP-2025, available at: https://lgsecurity.lge.com/bulletins/tv in regard to the below described vulnerability Credit The vulnerability was disclosed during our TyphoonPWN 2025 LG Category…

The attackers behind the nx attack have struck again, targeting a large amount of packages, with a first-of-its-kind worm payload.

After launching in NYC, the AI Agent Security Summit heads to San Francisco to continue shaping how enterprises secure the next wave of AI.

Someone's trash is another person's web server.

First part in a series, delving into the previously unexplored Tiantong-1 satellite system, Huawei's Mate 60 Pro smartphone, and general satphone security.

In late August 2025, I submitted two security reports to PureVPN under their VDP. Three weeks later, I’ve received no response, so I decided to publish the findings to inform other users.
The issues affect both their GUI (v2.10.0) and CLI (v2.0.1) clients…

Practical guide for hunters and defenders: hunting webhooks, detection, PoC examples and mitigations.

Varonis reveals a decade-old Unicode flaw that enables BiDi URL spoofing and poses phishing risks. Learn how attackers exploit RTL/LTR noscripts and browser gaps.

While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise every Entra ID tenant in the world (except probably those…

Find out the best Capture The Flag that match your interests. Prove your mettle and win exciting prizes like job opportunities and cash rewards from leading ... | 2025 | 1557733

Another week, another mix of hardware-level hacks, fresh zero-days, and even law-enforcement news. Let’s break down what mattered most.

EDR-Freeze exploits the vulnerability of WerFaultSecure to suspend the processes of EDRs and Antimalware, halting the operation of Antivirus and EDR

Were tracking an ongoing, widespread infostealer campaign targeting Mac users through fraudulent GitHub repositories.

What's electron?, the design of electron desktop app, the story bug of the bug, the static code of the bug and how to find it, how to develop it and explain the code, explain how to discover it,...

Why vendors can’t and shouldn’t be trusted