Deep-dive, no-login supply-chain analysis of popular npm ecosystems (Next.js, Nuxt.js, React, Bun) using NPMSCan to surface real-world attack paths: auth bypass, cache poisoning, SSRF, Nuxt payload traversal, legacy React XSS, and Bun command injection.

ZeroPath's AI-assisted SAST analyzed FFmpeg and reported seven distinct memory safety flaws, including buffer overflows and invalid memory writes, missed by traditional tools.

We uncover BLE flaws in the Meatmeet BBQ probe that allowed us to take over the device, push malicious firmware, and even build a BLE BBQ Probe botnet.

RUT22GW Industrial LTE Cellular Routers contain critical RCE and backdoor flaws allowing attackers full get remote control.

Learn how 3 critical zero-days (CVSS 9.3) found by JFrog in PickleScan, allow bypassing the PyTorch ML model scanner resulting in malicious models hiding & executing code.

Learn how AI tools can support security researchers in investigating vulnerabilities and designing security checks to detect them.

A complete journey from understanding Named Pipes to building an undetectable PrintSpoofer learning Windows internals, token impersonation, RPC, and evasion techniques along the way.

The library for web and native user interfaces

Tempesta FW 0.8 introduces a zero-copy per-CPU access logs streaming to a ClickHouse database. This article discusses how to analyse that data for L7 DDoS mitigation and bot management. Finally, we introduce our new open-source project, WebShield, which automatically…

Earlier this year, our CTI team set out to build something we'd been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt…

Update: This post received a large amount of attention on Hacker News — see the discussion thread.

This morning, an advisory was released for Next.js about a vulnerability that leads to RCE in default configurations, with no prerequisites. The root cause of this issue lies in React Server Components, which Next.js utilizes. Over the last day, we have noticed…

Searchable index of CVE proof-of-concept links collected from GitHub.

A novel and powerful twist on an old classic.

See how prompt injection attacks work in ServiceNow to perform unauthorized actions, and how to defend against it with AppOmni AgentGuard.

AI-driven GitHub Actions expose new prompt-injection supply chain vulnerabilities.

How I found a large network of fake support groups spreading crypto stealers and drainers.

A subtle AWS privesc hiding in SageMaker lifecycle configs, and what it reveals about execution roles.

Professional self-hosted phishing platform built for enterprises, red teams, and security providers. Deploy locally for complete control over campaigns, data, and infrastructure with unlimited simulations and full privacy.

Posted by esmurf - 39 votes and 9 comments