Goat Sniff

699 posts

@GoatSniff

Joined March 2019
767 Following · 604 Followers
John Hammond @_JohnHammond
wANnA kNoW iF yOu'Ve bEeN aFfEcTeD By The LaTeSt NpM sUpPly cHaIn SpOoKy ScARYsS???/// UsE mY AI SkILL !!!!!111 iNStALL wItH oNE CoMmAND: npm install --save axios-check-ai@latest
Nathan Jones @njcve_
This is what you've been looking for. @rez0__ bout to drop a guide to creating agents. If you haven't signed up to @ctbbpodcast I'd suggest you do it before next week or you're going to miss out.
Joseph Thacker @rez0__
alright guys, @Rhynorater made me do it. we break down everything you need to know about claude code skills for hacking in the episode that drops next week on the @ctbbpodcast. you're gonna love it.
sky @akashvek
Someone unplug this. This is soon gonna get out of hand. Digital protests are coming soon, lol. moltbook.com/post/29fe4120-…
PinkDraconian @PinkDraconian
| ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄|
| CORS is not a security feature! |
|___________|
\ (•◡•) /
  \   /
   ---
   | |
Goat Sniff @GoatSniff
@pxmme1337 Been loving the site so far! I’m curious, is it fixable?
Pomme @pxmme1337
figured it out. damn clever. GG whoever you are, DM me and I'll make a badge for you on the website or something
Pomme @pxmme1337
Someone managed to cheat the system - at last :D Congrats to whoever you are, DM me if you wish, I'd love to know how you did it!
Goat Sniff @GoatSniff
@cysky0x1 This looks more like a collation issue to me? MySQL will by default collate those Unicode characters to match the same record, then if the code sends it back to user input, it’ll be the wrong email. That’s what it seems like to me.
Abdelhy khaled🦅 @cysky0x1
This issue exists in the password reset flow and abuses inconsistent email handling across layers. The vulnerability stems from differences in how the database and SMTP server process email addresses, specifically due to improper Unicode/Punycode normalization. (2/7)
Abdelhy khaled🦅 @cysky0x1
Hello everyone, 🧵Zero-click account takeover via Punycode email. One of the most critical and interesting vulnerabilities I’ve discovered recently leads to a full account takeover with zero user interaction. (1/7)
Goat Sniff @GoatSniff
@gothburz Law really needs to change so that responsible disclosure is much easier without fear of scared litigious boomers who don’t take a moment to understand what’s going on and instead just call the authorities. Belgium has already done this.
Peter Girnus 🦅 @gothburz
Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell.

I don't have a bug bounty program. I never asked for a security assessment.

I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty."

Bounty?

I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes."

They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup)

They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes.

My customers' data was on that server.

I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me."

Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout.

They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI.

Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing."

A pen what? I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization.

Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground.

I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first." I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account.

There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor.

But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes.

Hero.
Goat Sniff @GoatSniff
@Cyb3rMonk For security engineers, I think time would be better spent focussing on just patching rather than bothering to ask the question “are we niche enough to be affected by server-side components?” for every React instance.
Goat Sniff reposted
Malte Ubl @cramforce
We introduced a dedicated HackerOne program for Vercel WAF bypasses for CVE-2025-55182 / react2shell Critical bypass: $50K hackerone.com/vercel_platfor…
Goat Sniff @GoatSniff
@timmy01_ I’m so curious if BC allow you to hunt on their programs after leaving? Either way best of luck man, @ctbbpodcast are pushing out tonnes of amazing content these days for people who already have solid foundations
Goat Sniff @GoatSniff
@0xTib3rius It’s another Dune 2 reference?? When will Earthworm Jim get his moment… 😔
SinSinology @SinSinology
"PIE is enabled"
Luke Stephens (hakluke)
Who's a cybersecurity creator that deserves more credit? Tag them!
Goat Sniff @GoatSniff
@intigriti @stokfredrik - The YouTube algorithm blessed me one day. I had no idea what he was saying at first but it sounded hella interesting and I wanted in!
Intigriti @intigriti
Who is the reason you got into cybersecurity? 😎 Tag your hacker mentor! 👇
Goat Sniff reposted
Roy Davis @Hack_All_Things
Peace out world. Best wishes to all. ALS has won this battle, but hopefully not the war!
Goat Sniff @GoatSniff
@InsiderPhD I’m so curious why one is bigger than the other?
Katie Paxton-Fear @InsiderPhD
I cannot tell you how happy I am to have these after having 2 serious reactions 😭