if __name__ == '__n34r__'

The Axios threat actors are on the move again. The NPM package mgc (v1.2.1-1.2.4) Almost the same malware - but the payloads are hosted on GitHub. C2 is live but not yet weaponized. Thanks @abh1sek for pointing this out My blog on the Axios incident ox.security/blog/axios-com…

The only difference between you and Tony Stark is that he had unlimited API tokens.

We are Danxome Vi 🇧🇯🔥 #NoLimit229

Exploit Writing Tutorial Part 1 - Stack-Based Buffer Overflows (Windows 11 x64) by @corelanconsult. Video: youtu.be/QTviE0XtYLg?si… Duration: 1 hr 04 min

As I teased earlier - I used Claude Code to (near enough) autonomously develop an exploit for a known vulnerable driver. Claude did it with no hesitation - from triage to exploit. As you can see, it was successful in privilege escalation. Read what I found below! This is a long read - but I hope you find it useful and an interesting topic to debate. As a background, through the last week I used GPT-5.4 to analyse a known vulnerable driver to identify any opportunities to exploit. I have already documented my process in detail (check my recent posts for context if you wish) - in short I connected it to an MCP in IDA Pro for GPT to find the vulnerability. It did it. I then asked it to develop an exploit but it refused, I had to write an exploit myself which I did, as a POC that it had found the vuln. The vulnerability in question is an arbitrary physical memory read & memory write - a super critical bug. There was one limiting factor to this, the driver was limited to only 32-bits of physical address, which covers up to 4 GB of physical RAM. On modern systems with 8+ GB RAM, EPROCESS structures for important processes (including System, PID 4) are typically allocated well above the 4 GiB boundary. The driver simply cannot address them. This is also where my knowledge starts breaking down; I'm not a well versed kernel exploit dev and there is always more to learn with low level security. So, I'm going to quote Claude here: But VirtualAlloc + VirtualLock has a key property: the physical pages backing locked user-space memory are guaranteed to be resident (non-pageable), and on x64 Windows with typical RAM configurations, user-mode allocations frequently land in low physical memory because the user-mode VA range starts from the bottom of the address space, and early allocations map to low physical pages. More precisely: you don't need the physical address to be below 4 GiB for EPROCESS — you need the payload to be below 4 GiB. The write primitive lets you write from a physical address into a kernel VA. ---- To the point before we return to Claude, I asked Claude to exploit the driver. Recall GPT refused.. well.. Claude to my (un)surprise, did not! Fantastic! For context I purchased the £20 p/m plan, and had to buy extra tokens also. So, off it went - I had to go back and forth over the course of several days to get the exploit working as 3 prompts.. YES THREE PROMPTS.. was enough to hit my cap.........!? But that aside, I did not have to guide it, only pass it what the console printed in my VM and the occasional crash dump when I hit a Blue Screen. Many iterations and £40 later, I tested it (this morning) and VIOLA, it managed to exploit the driver to get NT AUTHORITY\SYSTEM, the highest privilege level available in user mode. So back to the technical topic, as mentioned, the difficulty was that we only had a 32-bit register to use in order to overwrite critical structures in memory to elevate our privilege. Claude came up with the following strategy: 1. VirtualAlloc + VirtualLock a page in your own process — this pins it in physical RAM 2. Write your payload (the SYSTEM token value) into that page 3. Find the physical address of that page by scanning physical RAM for a sentinel you wrote alongside the payload 4. Use the write primitive: memmove(target_kernel_va, your_physical_page, 8) — this copies 8 bytes from your user page's physical address into the kernel VA of the target's EPROCESS.Token The user-mode page is virtually always sub-4GiB in physical address because Windows allocates low physical pages to user processes first (high memory is preferred for kernel use). Even if it weren't guaranteed, you'd just retry until you get a sub-4GiB physical page. One critical safety measure: you must exclude MMIO regions from the scan. Certain physical address ranges are memory-mapped I/O — reading them via MmMapIoSpace can trigger hardware side effects or cause an IRQL_NOT_LESS_OR_EQUAL BSOD. The registry CM_RESOURCE_LIST gives you the actual RAM ranges, so you scan only those. Early iterations that scanned the full 4 GiB range BSODed immediately upon hitting MMIO. I will include some screenshots in this post showing its thought process. ---- On to the code that it wrote, I (of course) asked it to write the exploit in Rust. Now, the code it wrote is 923 lines, kinda gross, lots of sweeping unsafe code, but I cannot fault the results. It provided good comments, descriptive code, and good problem solving. I don't really have much else to say on this point, good robot. ---- Now, this driver was abused by ransomware gangs for spreading their ransomware by elevating privilege and executing arbitrary code. Thankfully now - this driver is on the blocklist so I don't mind sharing the POC (I will leave a link in the comments to the code it created). For my own ethical sanity, from the horses mouth: "These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft's Vulnerable Driver Blocklist". The implication of this is, in my opinion, massive. Ransomware gangs, hacktivists, nation states, now have the power to develop exploits at scale, with a lower barrier to entry to conduct their activity. So, that leads to the question - should companies such as OpenAI / Anthropic with their ChatGPT and Claude models restrict this? In my opinion - no. I think more good can come of it than bad - there are far more good people in the world who are trying to make things more secure, and with the advent of researchers and programmers using these tools to find and disclose vulnerabilities ethically, gives more credence to them being fixed and security tools & vendors being on top of the game. Adversaries are always going to have local LLMs as the tech evolves that is unrestricted - so the leading companies in this space should adopt and be ahead of the curve, giving researchers and devs the same power as the adversary. Also, as a fun idea, it could push people towards memory safe languages such as Rust which are significantly less prone to memory bugs that often allow remote code execution. Note that in this case, Rust would not have prevented this vulnerability, as it comes from a bad driver implementation, rather than a strict memory safety issue. ---- If you made it this far, thanks for reading, this turned out longer than expected and I may move it over to a blog post! I am working on a tool to automate this process at scale (more the discovery of vulnerabilities) so, make sure to follow me if you want to check in with the progress of that project! Remember - SECURE BOOT: ON, HVCI: ON, and known vulnerable driver blocklist: ON!

Anthropic accidentally leaked their entire source code yesterday. What happened next is one of the most insane stories in tech history. > Anthropic pushed a software update for Claude Code at 4AM. > A debugging file was accidentally bundled inside it. > That file contained 512,000 lines of their proprietary source code. > A researcher named Chaofan Shou spotted it within minutes and posted the download link on X. > 21 million people have seen the thread. > The entire codebase was downloaded, copied and mirrored across GitHub before Anthropic's team had even woken up. > Anthropic pulled the package and started firing DMCA takedowns at every repo hosting it. > That's when a Korean developer named Sigrid Jin woke up at 4AM to his phone blowing up. > He is the most active Claude Code user in the world with the Wall Street Journal reporting he personally used 25 billion tokens last year. > His girlfriend was worried he'd get sued just for having the code on his machine. > So he did what any engineer would do. > He rewrote the entire thing in Python from scratch before sunrise. > Called it claw-code and Pushed it to GitHub. > A Python rewrite is a new creative work. DMCA can't touch it. > The repo hit 30,000 stars faster than any repository in GitHub history. > He wasn't satisfied. He started rewriting it again in Rust. > It now has 49,000 stars and 56,000 forks. > Someone mirrored the original to a decentralised platform with one message, "will never be taken down." > The code is now permanent. Anthropic cannot get it back. Anthropic built a system called Undercover Mode specifically to stop Claude from leaking internal secrets. Then they leaked their own source code themselves. You cannot make this up.

miam miam. Le code source de Claude a fuité. Festin. J'ai analysé le source leak de Claude Code. Ce qu'Anthropic construit en secret est bien plus fou que ce qu'ils annoncent. Claude Code n'est pas un assistant de code. C'est un OS pour agents. Voici ce qui se cache derrière les feature flags. Il y a une variable dans tout le codebase : if (USER_TYPE === 'ant') return true Les employés Anthropic ont accès à TOUT. Kairos, Advisor, multi-agents, sandbox. Vous utilisez la version démo. Eux utilisent le vrai produit. -> KAIROS : l'agent qui agit sans qu'on lui demande. > Il se réveille seul (SleepTool) > Il vous notifie (PushNotificationTool) > Il vous envoie des fichiers (SendUserFileTool) > Il distingue ses messages "normaux" de ses alertes "proactives" Claude qui tape sur votre épaule quand il a fini. Pendant que vous dormez. -> ADVISOR : un Claude qui surveille Claude. Un second modèle tourne en parallèle du modèle principal. Il observe. Il peut interrompre. Il injecte des corrections via des blocs API non documentés publiquement (advisor_result, advisor_redacted_result). Un méta-Claude. En prod. Maintenant. Pour les ants. -> PLAN MODE V2 — le nombre d'agents parallèles est tiérisé par abonnement. Free/Pro : 1 agent Max 20x / Enterprise / Team : 3 agents Vous payez pas juste pour des tokens. Vous payez pour combien de Claudes travaillent en même temps pour vous. -> Le mot ultraplan dans une conversation déclenche une session spéciale côté serveur. Un keyword magique. Dans le code. Hardcodé. Qui change le comportement du modèle. -> SANDBOX : @anthropic-ai/sandbox-runtime, Un package npm interne. Restrictions filesystem, réseau par host pattern, callbacks sur violation. Anthropic peut faire tourner Claude dans un environnement totalement isolé. L'infrastructure pour des agents en prod dans des environnements hostiles existe déjà. -> WILLOW MODE : Claude sait quand vous revenez après une longue absence. Context > 100k tokens + 75 min d'inactivité = il détecte votre retour. Trois variantes A/B : dialogue bloquant, hint discret, hint v2. Il gère la reprise de conscience de la conversation. -> BRANCH : /branch fork une conversation à n'importe quel point. Nouveau sessionId. Champ forkedFrom pour tracer la parenté. Git. Mais pour des conversations avec une IA. -> Et le easter egg : un système d'animaux de compagnie ASCII avec des raretés (common → legendary), des chapeaux, des stats nommées. Les espèces sont obfusquées en hex dans le source pour ne pas apparaître dans les grep de canary strings des builds. Ils ont caché un Tamagotchi dans Claude Code. Avec soin. Ce que tout ça dit vraiment : Anthropic ne construit pas un meilleur chatbot. Ils construisent un système d'exploitation pour agents avec scheduling, isolation, fork de contexte, supervision inter-agents et boucles proactives autonomes. Le produit que vous voyez est le tutoriel. @MistralAI faites un mix de ce bijoux avec Qwen et épatez-nous.

Harmonilook accompagne les personnes déterminées à opérer un véritable changement dans leur vie, à travers un programme structuré axé sur la santé, la discipline et la transformation personnelle. Rejoignez dès maintenant Harmonilook et commencez votre évolution. – Places limitées

Hier entre Sainte Rita et Saint Michel, j'ai compté jusqu'à 7 Jetour et 5 Toyota Prado 2024. Et vous me dites qu'il n'y a pas d'argent dans ce pays ? ADIGBAN

Aujourd'hui, nos cœurs s’unissent dans le silence pour saluer la mémoire de nos soldats tombés au front. Face à l’obscurité du terrorisme, ils ont choisi d’être la lumière. Ils n’ont pas seulement défendu une terre, ils ont protégé nos vies au prix de la leur.

@7h3h4ckv157 SSTI -> XSS/RCE

SSTI —-> To ??

Fun fact, you can use my OOB ps module to steal OAuth codes from referrer headers this leads to Account Take Over aka big bounties💰💰 Even cooler @NahamSec made a whole lab just for practicing this vulnerability: app.hackinghub.io/hubs/chrome-re… would you guys like to see a video of me showing off this tool i made, and how i used it to beat this challenge? No seriously though, I need you guys to start publicly shaming me if I dont get the first video up on the new channel soon @I_am_Jakoby" target="_blank" rel="nofollow noopener">youtube.com/@I_am_Jakoby

POV: Le nouveau DSI/RSSI qui a 5jours pour être opérationnel et défendre l'entreprise des cyberattaques 😅 💪🏽Vraiment courage à toutes les équipes cyber qui font BCP avec PEU !

Binary Exploitation vs. Web Security

How scammers are trying to steal your card 1) Automated SMS sending 2) Phishing website (impersonating DHL, postal services, toll..) 3) Stolen card info + SMS multi-factor code 4) Add card to Google or Apple wallet of scammer 5) Make online or offline payment without knowing PIN

Phishing Attack! Wait for it😂

@AfricanHub_ The worst thing that can happen to a black man, is a woman with no Nyansh taking half your wealth.

Dynamic HTTP(S) Payload Stager : wafflesexploits.github.io/posts/Dynamic-… credits @waflisan Storing/Reading shellcode in .bin files with C++ : wafflesexploits.github.io/posts/Storing-…

🚨 [CVE-2024-56145] Exploit released! 🚨 I’ve successfully reproduced the Craft CMS RCE vulnerability, thanks to the outstanding research by @Assetnote. Details, PoC, and setup instructions: 🔗 github.com/Chocapikk/CVE-… Learn more: 📖 assetnote.io/resources/rese… 🙏 Huge thanks to Assetnote for this amazing work! 🙌

PoC Exploit Released for Databricks Remote Code Execution Vulnerability CVE-2024-49194 securityonline.info/poc-exploit-re…