Behi

1.3K posts

Behi

@Behi_Sec

Bug Hunter & Tool Builder. Racing to $1M in 2026 - tracking every dollar. 🐞 Bug Bounty: $53,760 💻 https://t.co/0Kfb8glzBs: $306

/dev/null Katılım Temmuz 2025

79 Takip Edilen6.4K Takipçiler

Behi@Behi_Sec·1d

How I feel about the current volume of supply chain attacks:

Socket@SocketSecurity

🚨 Supply chain attack on the Laravel Lang organization: 700+ historical versions across multiple community-maintained Laravel Lang packages were compromised with an RCE backdoor, including: laravel-lang/lang laravel-lang/http-statuses laravel-lang/attributes Laravel-Lang/actions The payload targets cloud creds, CI/CD secrets, Kubernetes tokens, Vault, browser data, password managers, SSH keys, and more.

English

2.9K

Behi@Behi_Sec·3d

Nice write-up! $148,337 RCE in Google Cloud Production. brutecat.com/articles/googl…

English

202

7.6K

Behi@Behi_Sec·5d

Man, my timeline is filled with Google new stuff(CLI, model, UI). This feels really good😃

Jack Wotherspoon@JackWoth98

Say hello to Antigravity CLI 🚀💻 🧑‍💻 - Written in Go for a snappy feel ✨ - Available with Gemini 3.5 Flash today 🤖 - Built for async workflows and subagents ⚒️ - Same tools and app server as Antigravity 2.0 Get started and install it today 👇

English

754

Behi@Behi_Sec·6d

Every single day!

Socket@SocketSecurity

🚨 BREAKING: Socket is investigating an active npm supply chain attack compromising hundreds of packages in the @antv ecosystem. The malicious publish wave appears tied to Mini Shai-Hulud and packages connected to the npm maintainer account atool.

English

1.7K

Behi@Behi_Sec·15 May

prompt to vulnerability discovery, this is the future

Logan Kilpatrick@OfficialLoganK

prompt to profitable company, this is the future

English

1.7K

Behi@Behi_Sec·8 May

@hshagshsu It is. They have many different products.

English

s@hshagshsu·8 May

@Behi_Sec Do you think google ai is still a good target for prompt injection?

English

Behi@Behi_Sec·7 May

A few months ago, I found a Prompt Injection vulnerability on Google Tasks. It was simple, yet tricky. Google rewarded me with a $15,000 bounty for it. Here's the full story:

English

591

27.1K

Behi@Behi_Sec·8 May

What???

Department of War 🇺🇸@DeptofWar

x.com/i/article/2052…

English

3.7K

Behi@Behi_Sec·8 May

The real question is: what was Firefox using before? Were they already using AI tools? Other models? This doesn’t prove that Mythos is especial.

Alex Albert@alexalbert__

With the help of Claude Mythos Preview, the Firefox team fixed more security bugs in April than in the past 15 months combined.

English

1.8K

Behi@Behi_Sec·8 May

@foo125973 They applied a downgrade to my report because of the requirement but it's still a case of the "Rogue Actions".

English

foo@foo125973·8 May

@Behi_Sec Ok. Changing tasks name without confirmation But attacker needs to be in the same space to able to inject his task first, and renaming tasks is annoying but doesn't sound critical. Am I missing something, where's that 15k$ impact?

English

Behi@Behi_Sec·8 May

It will be fun to use Opus to hack Anthropic😃

Anthropic@AnthropicAI

Our security bug bounty program is now public on HackerOne. We've run the program privately within the security research community, and their findings have strengthened our products. Now anyone can report vulnerabilities and get rewarded. Read more: hackerone.com/anthropic

English

3.1K

Behi@Behi_Sec·7 May

@darshan__072 Don't make it complicated and take regular breaks.

English

346

Darshan Kaiyalkar@darshan__072·7 May

@Behi_Sec how do you hunt consistently, because when i try it's burnout me.

English

347

Behi@Behi_Sec·7 May

OK, I'll publish the write-up for my Google Tasks bug in a few hours. It was rewarded a $15,000 bounty. 😃

English

305

9.7K

Behi@Behi_Sec·7 May

@PuneetT41564686 I am currently dealing with burn out but yeah mostly on Google.

English

309

Puneet Tripathi@PuneetT41564686·7 May

@Behi_Sec You are now hunting only on google or other bounty platform as well

English

387

Behi@Behi_Sec·7 May

@Rhynorater, @dmDUSTBIN, Here's the write-up guys.

English

2.5K

Behi@Behi_Sec·7 May

That's it for the thread. Hope you enjoyed it. Feel free to ask if you have any questions. And follow me for more content like this: @Behi_Sec

English

2.6K

Behi@Behi_Sec·7 May

13/ Now I had the full exploit chain. This is the attack scenario I sent to google: - Attacker & victim share a Google Chat space. - The attacker creates a malicious task containing instructions for Gemini to update all task titles, then assigns it to the victim. - Victim later uses Gemini to summarize or manage their tasks. - Gemini reads the assigned task, interprets the embedded instructions, and updates victim's tasks.

English

2.9K

Keşfet

@hshagshsu @foo125973 @darshan__072 @PuneetT41564686 @Rhynorater @dmDUSTBIN @elonmusk @BarackObama