Last month I took Nightmare-Eclipse out for dinner. He's the person behind all those Windows zero-day PoC drops.
He wanted to eat fish — a specific kind of fish. I'm not really fond of fish, so I had no idea where you could even get it; it's always something my brain skips over when reading a menu.
I took him to a restaurant where he could have fish and I could have steak. When he took his first bite, he almost choked — he hadn't expected the bones to still be in it. I'd forgotten to warn him. After that, he started picking the fish apart with nothing but his knife. He went at it so methodically you'd think he ate fish like this for a living.
He's a bright young fella, to say the least: very calm and professional. And after hearing his story, it sounds to me like Microsoft really screwed him over and sent him off the rails.
I'm not allowed to say more, but this story still hasn't ended — that's for sure. Things will keep going like this for a while.
Summer time is for bikinis
GitHub has already banned our summer fun
So The Church has resurrected it xo
https://git.churchofmalware[dot]org/bikini_mirror/EXPLOITARIUM/src/branch/main
Welp it's official, blogger started removing my posts as well, crazy how even google is hating me now.
Is that like supposed to make stop ? Kinda feeling even more motivated.
Looks like our little Church is already making waves.
@vxunderground got triggered. Cute.
Go cry into your cat photos. We're not here for your approval, validation, or "industry standards."
We don't need your permission to exist.
‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
They forgot to add
"We will only pursue legal action if you don't do it exactly like we told you to do it and even if you do it like we told you to, we will still sue you anyways."
That public threat could've been just an email for me, but you know I don't care enough.
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously.
To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.
We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them.
Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow.
The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.
@ChaoticEclipse0 We built you a gitea server that connects to our website 🦋 please email ek0ms or message us here for your login. We have your back 🏴☠️
@Breaking911 whatever, mountain lions legitimately just leave you alone. i've come across one out in the mountains by myself, he just checked me out and noped out. they are actually very shy.
A Santa Monica homeowner says she was relaxing in her yard Friday when she noticed what she initially believed was a house cat—until she realized it was a mountain lion. She took shelter inside her home big cat calmly lounged just a few feet away.
@ChaoticEclipse0 Hello fren 🦋 the church of malware stands with you 🏴☠️ we host your code on our website. Let us know if you need anything or if we can help. We have your back.