In 2022, a subtle XSS bug slipped into esbuild, one of the most widely used JavaScript bundlers on the planet. Despite billions of downloads, it remained unnoticed, hiding inside a function that appeared to safely escape HTML. But a missing quote escape created…

Summary Sliver is a powerful command and control (C2) framework designed to provide advanced capabilities for covertly managing and controlling remote systems.

I first heard about the word "ASM" (i.e., Attack Surface Management) probably in late 2018, and I thought it must be some complex infrastructure for tr...

The fastest way to explore and analyze JSONL files on your desktop. Perfect for security analysts, SOC teams, and DevOps engineers.

541K subscribers in the netsec community. /r/netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers…

Analysing 3.2M exposed databases with Netlas to reveal global risks, failed controls, and exposure trends across major DB systems

1.0 The Silicon Root of Trust: Pre-Boot & Hardware Primitives


The security of the macOS platform on Apple Silicon is not defined by the kernel; it is defined by the physics of the die. Before the first instruction of kernelcache is fetched, a complex, cryptographic…

A new wave of the Shai-Hulud malware is compromising hundreds of npm packages and destroying user home directories. Get live updates and mitigation steps.

A case study on how Binance’s listenKey design bypasses IP whitelisting, why Bugcrowd dismissed it, and what this teaches us about API…

Discover how Bot-Delegated TOCTOU vulnerabilities in GitHub Apps can compromise CI/CD pipelines, with detailed case studies and hardening strategies.

Unlike black-box AI SOC tools, Digital Security Teammates from Secure.com deliver 70% less manual work with full transparency.

Welcome to watchTowr vs the Internet, part 68.

That feeling you’re experiencing? Dread. You should be used to it by now.

As is fast becoming an unofficial and, apparently, frowned upon tradition - we identified incredible amounts of publicly exposed passwords…

You can be a successful security researcher without knowing much about math. But if you want to see the matrix, you need to get…

Learn how to perform and understand lateral mouvement though GPO mechanism during pentest and red team assessments.

This blog post explores a bug, (CVE-2025-64755), I found while trying to find a command execution primitive within Claude Code to demonstrate the risks of web-hosted MCP to a client.

This blog post provides a dive into HTTP/3’s evolution for security engineers, an overview of our research journey, and what led us to develop the open-source tool QuicDraw, which can be used for...