AndrewMohawk⁽ⁿᵘˡˡ⁾

12.5K posts


@AndrewMohawk

Sec/Madness. @privy_io principal security, @_seal_org technical council. Prev: HoS @uniswap, D&R/IR @RobinhoodApp, IR @BitMEX, built @Paterva Maltego with RT

New York, USA. Joined February 2008
3K Following, 5.3K Followers
Pinned Tweet
AndrewMohawk⁽ⁿᵘˡˡ⁾
AndrewMohawk⁽ⁿᵘˡˡ⁾@AndrewMohawk·
Fun React bug (CVE-2025-55183): if you have a server-side component and it explicitly or implicitly exposes a stringified argument, you can get the source code for that function. Also found a DoS, but reported it to Vercel instead of Meta, and someone else reported it the next day 🙃
English
7
14
91
15.5K
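The mechanism the pinned tweet relies on, as an added JavaScript example that is not Andrew's code, React's code, or the CVE's actual trigger: when a function value lands in a string context, JavaScript applies ToString, which for a function is Function.prototype.toString, so the function's source text is what ends up in the string. The validator names, the "business rule" constant and the error-message path below are assumptions for illustration; how a function value actually reaches a server component in React is framework-specific and is not shown here.

```javascript
'use strict';

// Server-side logic whose source text should never reach a client.
// INTERNAL_THRESHOLD stands in for whatever a real server function
// contains that you do not want exposed (business rules, hostnames, keys).
function computeDiscount(cart) {
  const INTERNAL_THRESHOLD = 250; // hypothetical sensitive business rule
  return cart.total > INTERNAL_THRESHOLD ? 0.15 : 0;
}

// Unsafe pattern: reject unexpected input, but interpolate the value into
// the error message. `${arg}` applies ToString: for a function this is
// Function.prototype.toString (its source text); for an array it is
// Array.prototype.join, which stringifies each element the same way.
function validateIdUnsafe(arg) {
  if (typeof arg === 'string') return arg;
  throw new TypeError(`Unsupported id: ${arg}`);
}

// Hardened: never coerce a non-primitive to a string; report only its kind.
function validateIdSafe(arg) {
  if (typeof arg === 'string') return arg;
  const kind = Array.isArray(arg) ? 'array' : typeof arg;
  throw new TypeError(`Unsupported id: [${kind}]`);
}

// Runs a validator and returns the message a caller, a logger or an
// error-serializing layer would see (null when validation passed).
function errorMessage(validator, arg) {
  try {
    validator(arg);
    return null;
  } catch (err) {
    return err.message;
  }
}

// True when a message carries the server function's source.
function leaksSource(message) {
  return message !== null && message.includes('INTERNAL_THRESHOLD');
}

// Demo: compare both validators against a bare function and an array
// containing a function (two common shapes of an unexpected argument).
function demo() {
  const results = {};
  for (const [name, validator] of [['unsafe', validateIdUnsafe], ['safe', validateIdSafe]]) {
    results[name] = {
      fn: leaksSource(errorMessage(validator, computeDiscount)),
      arr: leaksSource(errorMessage(validator, [computeDiscount])),
    };
    console.log(`${name}: function arg leaks=${results[name].fn}, array arg leaks=${results[name].arr}`);
  }
  return results;
}
```

The unsafe validator is typical of code that interpolates an unexpected value into an error message for logging; if that message is serialized into the response, the leak travels with it. The safe variant reports only the type, and the same rule applies to every implicit coercion path: string concatenation, template literals, Array.prototype.join and String(x).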
cts🌸
cts🌸@gf_256·
Honored to receive the ETHSecurity Badge. I want to take this time to highlight these other AMAZING recipients who deserve it just as much if not more:
- @samczsun, the GOAT, needs no explanation and partly why me and Jazzy founded Zellic
- @tayvano_ singlehandedly has helped victims recover tens if not hundreds of millions of stolen funds as a *volunteer*
- @pcaversaccio for the countless nights in war rooms and coordinated disclosures as a *volunteer*
- @AndrewMohawk an absolute delight to run into every time I'm at a conference or event
- @Montyly Josselin singlehandedly raised the bar for the space back when no one cared about audits
Other greetz: @Fredrik0x @DanielVF @notdeghost @yoavw. Rock on y'all
thedao.fund@thedaofund

With no further ado, below are the first batch of applicants that were minted badges today: @samczsun @yoavw @nicht_tintin @GNSPS @montyly @gf_256 @hritzdorf @Fredrik0x @tinchoabbate Gustavo Grieco @AndrewMohawk @iphelix @dxo1312 @SoosMate @rv_inc @0x11b6 @MatthiasEgli @a_permenev @FrankResearcher @DanielVF @sbetamc @RenaudDUBOIS10 @dr_zircuit @notdeghost @1nf0s3cpt @poojaranjan19 @theRaz0r @x86NOP @mattaereal @palinatolmach @k3mmio @donnoh_eth @auryn_macmillan TheDAO Curators also all received an ETHSecurity Badge: @VitalikButerin @GriffGreen @jbaylina @Pol_Lanski @pcaversaccio @avsa @tayvano_

English
4
5
83
8.7K
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
tweet davidson
tweet davidson@andyreed·
if you’re a pm and i send you this, it means i’m blocked from shipping
English
43
236
4.3K
180.7K
AndrewMohawk⁽ⁿᵘˡˡ⁾
This article really feels like @Tenzai_Labs paid for it: it doesn't describe/note the CTFs, has "elite, nation-grade offensive capabilities", no stats on anything, not even a link to the research that makes them have to justify these claims?
Forbes@Forbes

The Tenzai cofounders have created an AI hacking agent using OpenAI and Anthropic tools. They say AI has become so adept at hacking it might need regulatory controls, urgently. forbes.com/sites/thomasbr…

English
8
4
50
8.3K
AndrewMohawk⁽ⁿᵘˡˡ⁾
Start planning for no one reviewing code that lands in production; the boundaries we are used to (cloud/CI/CD/etc.) won't exist soon. It's definitely going to be a huge shift. You can't scale people to the amount of code going out. And you can't scale current tooling to keep it safe.
English
2
6
34
3.6K
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Jessie Frazelle
Jessie Frazelle@jessfraz·
I give it less than 6 months before Garry stops preaching LOC and starts preaching maintainable code bases. And with that one move he will go from junior engineer to a bit more senior. We watching his Eng journey live 🍿
Garry Tan@garrytan

If I can do 16k LOC per day across 3 different projects (including one open source one you can see yourself), then I think almost any technical CEO/CTO pair at YC will. That's the bar now.

English
64
91
3K
161.7K
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Bitrefill
Bitrefill@bitrefill·
March 1st incident report

On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industries.

The initial access originated through a compromised employee laptop, from which a legacy credential was exfiltrated. That credential provided access to a snapshot containing production secrets. From there, the attackers were able to escalate their access to our broader infrastructure, including parts of our database and certain cryptocurrency wallets.

We first detected the incident after noticing suspicious purchasing patterns with certain suppliers. We realized that our gift card stock and supply lines were being exploited. At the same time we found some of our hot wallets being drained and funds transferred to attacker-controlled wallets. The moment we identified the breach, we took all of our systems offline as part of our containment response. Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products, and multiple payment methods across many countries. Safely switching all these things off and bringing them back online is not trivial.

Since the incident, our team has been working closely with top industry security researchers, incident response specialists, on-chain analysts and law enforcement to understand what happened and how we can prevent it from happening again. A sincere thank you to @zeroshadow_io, @SEAL_Org, @RecoverisTeam and @fearsoff for their rapid response and support throughout this ordeal.

What about your data

Based on our investigation and our logs we don't have reason to think that customer data was the target of this breach. There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory.

Bitrefill was designed to store very little personal data. We are a store, not a crypto service provider. We don't require mandatory KYC. When a customer chooses to verify their account - e.g. to access higher purchasing tiers or certain products - that data is kept exclusively with our external KYC provider, with no backups in our system.

Still, based on database logs, we know that a subset of purchase records was accessed and we want to be transparent about that. Around 18,500 purchase records were accessed by the attackers. Those records contained limited customer information, such as email addresses, crypto payment address, and metadata including IP address.

For approximately 1,000 purchases, specific products required customers to provide a name. That information is encrypted in our database. However, since the attackers may have gotten access to the encryption keys, we are treating this data as potentially accessed. Customers in this category have already been notified directly by email.

At this time, based on the information currently available, we do not believe customers need to take specific action. As a precaution, we recommend remaining cautious of any unexpected communications related to Bitrefill or crypto. If this assessment changes, we will of course immediately inform those affected.

What we are doing

We have already significantly improved our cybersecurity practices, but vow to continue to draw learnings from this experience to make sure user and company balances and data remain maximally safe. Specifically we're:
- Continuing thorough cybersecurity reviews and pentests with multiple external experts and implementing recommendations;
- Further tightening internal access controls;
- Further improving logging and monitoring for faster detection and more effective response; and
- Continuing to refine and test our incident response procedures and automated shutdown procedures.

The bottom line

Getting hit by a sophisticated attack sucks (a lot). We've been in business for over 10 years and it's the first time we've been hit this hard. But we survived. Bitrefill was designed to limit the impact if something like this ever happened. Bitrefill remains well funded, has been profitable for several years and will absorb these losses from our operational capital. Almost everything is back to normal: payments, stock, accounts. Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us. We will continue to do our best to continue deserving your trust. Thank you!
English
112
140
961
163.2K
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Olivia Gallucci ✨
Olivia Gallucci ✨@OliviaGalluccii·
I'm excited to announce my latest blog post: Boot ROM security on Silicon Macs! 🥾 This article marks the start of a 4-part series, detailing each stage of the boot process. My next post will be on the low level bootloader (LLB). oliviagallucci.com/boot-rom-secur…
English
3
25
161
8.6K
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Spreek
Spreek@spreekaway·
average users can't afford to pay $49.7m in fees for a single transaction. this is why cardano will win
English
18
20
546
23.8K
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Ehsan
Ehsan@Ehsan1579·
After the person lost 50 million in the Aave swap, someone deployed a custom scam token literally named "fund0x98" after the victim's address prefix and airdropped 200M tokens hoping they'd click approve on a drainer contract. Bro has $49K left in aEthAAVE and they're trying to rug THAT too HAHAHAHAA. Meanwhile "timeisdone.eth", a wallet created 21 minutes earlier just to register that ENS name, slides into their address with 0.00031 ETH and an encrypted wormhole.app link saying: "dont be sad, youre not the only one who lost. we all lost together xxxxxx" etherscan.io/tx/0x9d9c9f180… It's hilarious.
English
3
2
69
8.7K