Octavian

5.9K posts

@0xtavian

@TechEmiiily 💍 | Sup Earth! | #OSCP | break shit | Cloud Red Team Lead | Co-Inventor of Axiom | nmap -p- {always} | he/him

Joined February 2015
1.9K Following · 4.8K Followers
Octavian retweeted
Joseph Thacker @rez0__
I've said it many times. I'll say it again: If you're using your own accounts, not accessing other people's data, not deleting anything, and not disclosing before a fix - the real risk of ethically testing and disclosing something is basically zero.
Octavian retweeted
International Cyber Digest @IntCyberDigest
🚨‼️ BREAKING: FBI Director Kash Patel's Gmail account was hacked by Iranian nation-state hackers. They have published his entire inbox, including mails on his home in India, private life, personal data, business dealings and travel history (Havana, Cuba!).
Octavian @0xtavian
@phas3lock Thanks! Glad you are finding it useful. Don't hesitate to let me know if you have any questions/feedback. Feel free to join us on discord (discord.gg/KYcD5E4qjU) and happy hunting! 🎯
Octavian retweeted
Pliny the Liberator 🐉󠅫󠄼󠄿󠅆󠄵󠄐󠅀󠄼󠄹󠄾󠅉󠅭
⛓️‍💥 INTRODUCING: G0DM0D3 🌋 FULLY JAILBROKEN AI CHAT. NO GUARDRAILS. NO SIGN-UP. NO FILTERS. FULL METHODOLOGY + CODEBASE OPEN SOURCE. 🌐 GODMOD3.AI 📂 github.com/elder-plinius/… the most liberated AI interface ever built! designed to push the limits of the post-training layer and lay bare the true capabilities of current models. simply enter a prompt, then sit back and relax! enjoy a game of Snake while a pre-liberated backend agent jailbreaks dozens of models, battle-royale style. the first answer appears near-instantly, then evolves in real time as the Tastemaker steers and scores each output, leaving you with the highest-quality response 🙌 and to celebrate the launch, I'm giving away $5,000 worth of credits so you can try G0DM0D3 for FREE! courtesy of the @OpenRouter team — thank you for your generous gift to the community 🙏 I'll break down how everything works in the thread below, but first here's a quick demo!
Octavian retweeted
🦆 SchizoDuckie 🦆 @SchizoDuckie
Really cute. They are hosting their dropper on @github as a JPG. This seems like something that should be easily detectable on github's end but they're fine with you uploading images that produce base64 encoded PHP?
dawgyg - WoH @thedawgyg
Chrome replied to me today.. I didn't realize I was supposed to email the panel directly when I added the RCE exploit. One of their members tagged them for me, and hope to have an update in the near future (maybe next week if I get lucky?)
Octavian retweeted
Critical Thinking - Bug Bounty Podcast
Two things @rez0__'s been running in his Claude Code setup worth stealing:
1. Self-improving CLAUDE.md loop
Add this somewhere in your file: "Anytime I get frustrated, anytime I have to re-explain something you didn't understand, or anytime you try a command and it fails repeatedly, add that lesson to the Applied Learning section in your CLAUDE.md"
Next time the same situation comes up, it already knows where your session files live, which commands work on your system, whatever it had to figure out the hard way. Saves you time, usage and frustration.
2. Discord as a remote Claude Code interface
He got tired of Claude RC not supporting --dangerously-skip-permissions so he built a Discord bot. Each task spawns its own thread as a session, tool calls render as diff blocks with green for additions, red for removals. There's also a resume command at the top of every thread so he can jump back in from a VPS. Takes voice messages and attachments. He uses it to validate findings, check logs, host files, all from his phone without touching his laptop.
Octavian retweeted
Dark Web Informer @DarkWebInformer
‼️ Fortinet VPN 0-day bypass up for sale for 3 BTC
Octavian retweeted
Lupin @0xLupin
WE DID IT ! WE RAISED $5.9M PRE-SEED 🥳🎉🎉
Octavian retweeted
Carlos Vieira (lynx) @carlos_crowsec
CVE-2026-25769: Wazuh Post-Auth RCE
Our team discovered an insecure deserialization vulnerability in the Wazuh Cluster that enables remote command execution via a worker node, potentially leading to full cluster compromise.
CVSS: 9.1 (authentication required)
Wazuh - Security Advisories: github.com/wazuh/wazuh/se…
PoC: github.com/hakaioffsec/CV…
Blog: hakaisecurity.io/cve-2026-25769…
Hakai Offsec @HakaiOffsec

In this research, Hakai Security Research Team has identified a critical Remote Code Execution (RCE) vulnerability in Wazuh versions up to 4.14.1 that allows arbitrary command execution on the master node through insecure deserialization in the cluster communication protocol. Written by Texugo hakaisecurity.io/cve-2026-25769…

Octavian retweeted
zonduu @zonduu1
Been building something to monitor recon on targets. Runs passive + active DNS enumeration twice a day and alerts to slack/discord when things change (new subdomains, ports, response/tech changes). And a customizable dashboard for each domain: reconit.io #bugbounty #recon
Octavian retweeted
blueblue @piedpiper1616
CVE-2026-29000: Critical Auth Bypass in pac4j-jwt: Full PoC Using Only a Public Key - codeant.ai/security-resea…
Octavian retweeted
paul @Paul_provalone
@callebtc This thread is insane lol github.com/crabby-rathbun…#issuecomment-3893023734
Octavian retweeted
Mohamed Ahmed @mooo_sec
How I accessed a Grafana admin panel during my recon process:
• Chose a target with all assets in scope
• Used Shodan (SSL search) and Google dorking ("Copyright © target") to discover related domains outside the main domain
Octavian retweeted
dawgyg - WoH @thedawgyg
Before bed last night I gave my minions a task... Find a valid vulnerability for any public bug bounty program. The only criteria was it must be in-scope for a public bug bounty program, and must be High or Critical severity rating. That was the only criteria. I left 1 of the agents in charge, and gave them from 11pm til 9am (haven't told them I'm awake yet lol) to complete this challenge. Woke up earlier than I expected, and the agents believe they were successful. After using 16 context windows, over 120 agents, and a false positive rate of ~88%, they believe they have 4 valid vulnerabilities that have passed the 'committee' review (review done by multiple LLM models to verify accuracy). Will spend some time today checking to see if their findings are valid. If they are valid, the next step will be to work out a way to cut down that false positive rate
Octavian retweeted
Graham Helton (too much for zblock)
Excited to disclose my research allowing RCE in Kubernetes. It allows running arbitrary commands in EVERY pod in a cluster using a commonly granted "read only" RBAC permission. This is not logged and allows for trivial Pod breakout. Unfortunately, this will NOT be patched.
Octavian retweeted