I was recently flying between HKG & LHR via British Airways. I’d done the same flight back in 2023, and remember relying on the in-flight entertainment for the 14 hour journey. However, this time on my way to London, they had an interesting offer: Free WiFi…

ZeroPath's AI-based static analyzer uncovered 170 verified issues in curl, from C footguns to logic and RFC compliance bugs across HTTP/3, SMTP, IMAP, TFTP, Telnet, and SSH/SFTP, with curl maintainer Daniel Stenberg praising the quality -- proof that AI source…

Local LLMs prioritize privacy over security. Our research reveals a 95% backdoor injection success rate.

2 min read

We found a path traversal vulnerability in Smithery.ai that compromised over 3,000 MCP servers and exposed thousands of API keys. Here's how a single Docker build bug nearly triggered one of the largest AI supply chain attacks to date.

Join Chris Young's workshop to discover the 9 core principles of infrastructure security. They are proven, repeatable, and often ignored.

AI browsers remain vulnerable to prompt injection attacks via screenshots and hidden content, allowing attackers to exploit users' authenticated sessions.

Walkthrough of how to embed frida noscripts in apps to distribute proper mods. Supports frida 17+.

A detailed account of how my personal AWS account was compromised, the attack timeline, and lessons learned from a cloud security incident.

After a major takedown, LockBit is back with version 5.0, targeting Windows, Linux, and ESXi systems worldwide. Check Point Research reveals new victims.

Edera uncovers TARmageddon (CVE-2025-62518), a Rust async-tar RCE flaw exposing the real dangers of open-source abandonware and supply chain security.

Adversis releases a Burp Extension for NextJS Hash-to-Function Mapping

In June, 2025, Shubs Shah and I discovered a vulnerability in the online poker website ClubWPT Gold which would have allowed an attacker to fully access the core back office application that is used for all administrative site functionality.

Hack, Learn, Improve… Platform to learn cyber security with real world challenges

EDR-Redir uses BindLink Filter and Windows Cloud Filter to inject, corrupt, and disable EDRs.

Posted by reallylonguserthing - 27 votes and 2 comments

CoPhish attack exploits Microsoft Copilot Studio to steal OAuth tokens through malicious AI agents targeting Microsoft Entra ID accounts.

Sometimes you search endlessly and find nothing. Other times, the gold just drops into your lap. This is a story about how we accidentally found a pretty impactful vulnerability.