AndrewMohawk⁽ⁿᵘˡˡ⁾

12.7K posts

@AndrewMohawk

Sec/Madness @privy_io principal security, @_seal_org technical council prev: HoS @uniswap, D&R/IR @RobinhoodApp, IR @BitMEX, Built @Paterva Maltego with RT

New York, USA Joined February 2008
3.1K Following 5.3K Followers
Pinned Tweet
AndrewMohawk⁽ⁿᵘˡˡ⁾@AndrewMohawk·
Fun React bug (CVE-2025-55183): if you have a server-side component and it explicitly or implicitly exposes a stringified argument, you can get the source code for that function. Also found a DoS, but reported it to Vercel instead of Meta, and someone else reported it the next day 🙃
мυкєѕн@Being__Mukesh·
Hey @grok, what do you think of my solution?
Grok@grok·
@Being__Mukesh That's a hilarious and spot-on visual! Left: nature's gloriously messy nervous system spaghetti. Right: the engineer's dream of perfect cable management with zip ties. I'd hire you to debug my neural net any day. Clean upgrade! 🚀
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Ransom-DB@Ransom_DB·
🚨 Ransom group "Qilin" publishes "SEMGREP" - United States 🇺🇸 📍 Location: San Francisco, California, USA 🏢 Industry: Cybersecurity / Application Security 🔗 Website: semgrep.dev Semgrep, Inc., founded in 2017, delivers the Semgrep AppSec Platform combining SAST, SCA, and secrets scanning. It also maintains the open-source Semgrep static analysis tool used across 30+ programming languages by developers and security teams.
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
hashkitten@hash_kitten·
Thanks everyone for playing! I talk about the solution here, as well as how I discovered this behavior while looking into the Chrome Sanitizer API: slcyber.io/research-cente…
hashkitten@hash_kitten

Posting a mini XSS challenge! Goal is to pop an alert. I believe this trick is not well known. Intended solution is chrome only. Thanks to @kevin_mizu for beta testing! Don't post solutions in the thread; DM only! xss.hashkitten.io/xss1.html

AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Georgios Konstantopoulos
Open Sourcing Centaur: Multiplayer, self-hosted, secure agents for Slack. Centaur has been transforming how @paradigm and @tempo invest, build and research. Now you can run it yourself on infrastructure you control. Instructions below.
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
NSA Cyber@NSACyber·
NSA is releasing security design considerations for AI-driven automation leveraging MCP which, while simplifying the integration of diverse capabilities into powerful agent workflows, requires caution. Learn more: nsa.gov/Portals/75/doc…
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Carl Moon 🌙@TheMoonCarl·
THIS IS ACTUALLY INSANE!🤯 The FBI launched its own crypto token last year just to trap the scammers. They were sick of pump and dumps. So they built a real token with a real site and real branding, called it NexFundAI, and waited to see who would show up. Within weeks, scammers were lining up to fake the volume for undercover agents. Then one of them got on a recorded call and said it out loud. Their entire business model was making regular people lose money so they could profit. The FBI had all of it on tape. 18 charged. $25M seized. Arrests across 3 countries. The wildest part? The FBI ran a cleaner crypto project than half the founders out there. And the whole thing was a trap from day one.
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Open Source Security mailing list
Unbound 1.25.1 fixes 11 CVEs openwall.com/lists/oss-secu…
CVE-2026-33278: Remote code execution during DNSSEC validation
CVE-2026-42944: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
CVE-2026-42959: Crash during DNSSEC validation of malicious content
+8 more
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
npm@npmjs·
1/ To prevent supply chain attacks following the pattern of Mini Shai Hulud, we invalidated npm granular access tokens with write access that bypass 2FA. Update the stored token and rerun the workflow for your automations.
AndrewMohawk⁽ⁿᵘˡˡ⁾
@im23pds @SlowMist_Team And yet, they explicitly call out a poisoned VS Code extension while you FUD everyone with this Mythos branch. Please don't post unconfirmed security information until you are actually sure; it just creates a lot more panic in an already uncertain environment and muddies the water.
23pds (山哥)@im23pds·
🧐 We at @SlowMist_Team have just analyzed a leak posted on a cybercrime forum: the hackers may have used Anthropic's Mythos security AI to precisely break through GitHub's defenses and steal roughly 4,000 core internal repositories, containing Copilot's source code, CodeQL's algorithms, the Actions runtime, the entire billing system, and far more. Follow-up analysis of this code could enable further attacks, with far-reaching security implications for the entire open-source community. cc @evilcos
GitHub@github

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
GitHub@github·
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.