Marc Smeets
23.8K posts

@MarcOverIP

Does a thing or two with red teaming @OutflankNL | part time race and drift car instructor

Tweets in NL & EN. Joined July 2009
493 Following, 4.7K Followers

Marc Smeets @MarcOverIP
🖕Putin
Volodymyr Zelenskyy / Володимир Зеленський @ZelenskyyUa

As of now, already 5 people have been reported killed in Kyiv as a result of last night’s Russian attack. My condolences to their families and loved ones. Around 40 people have been injured in the capital, and another 7 in the Kyiv region. There are already 28 injured in Kharkiv. And two people have been injured in the Odesa region. In total, 180 sites have been damaged across the country, including more than 50 ordinary residential buildings. A search and rescue operation is still ongoing in Kyiv’s Darnytskyi district. Efforts continue to find people under the rubble. More than 10 people are reported missing. All necessary services are also operating in the Obolonskyi district. And recovery efforts are underway after Russian strikes in the Poltava region. Overall, more than 750 personnel of the State Emergency Service of Ukraine and nearly 750 police officers have already been engaged across the country to eliminate the consequences of the attack. I am grateful to all who help the rescuers and the police. Also, earlier today, during a humanitarian mission in Kherson, the Russians twice attacked a vehicle of the UN Office for the Coordination of Humanitarian Affairs with FPV drones, and the Russians could not have been unaware of which vehicle they were targeting. The Head of the UN Office for the Coordination of Humanitarian Affairs and eight other staff members were inside. Fortunately, no one was injured. The mission personnel have been evacuated. Even so, a significant number of missiles and drones were shot down during these attacks – the overall interception rate is over 93%. Of course, it needs to be higher. And of course, the most difficult challenge is defending against ballistic missiles. I thank everyone who is helping us with this. There must be a just response to all these strikes. And pressure on Moscow must be such that they feel the consequences of their terror there. It is important that global sanctions against Russia remain in place. Russia’s accountability for this war, and our sanctions pressure, must work at full strength. And it is also very important that the world does not stay silent about this terror and stands with Ukraine.

Marc Smeets reposted
mgeeky | Mariusz Banach
35+ non-Office file formats fully weaponized & obfuscated by the OST Builder - coming soon! So many ways to run your shellcodes. This release becomes my hello world to the OST family 👋
Outflank @OutflankNL

New release: kicking off Red Macros Factory integration into OST by @OutflankNL researcher @mariuszbit! ⚙️ Builder tool now ships with better script payload gen, obfuscation, guardrails, LNK tradecraft, and new conversion paths. More formats and payload shenanigans coming soon!

Marc Smeets @MarcOverIP
Red teaming && racing, two of my main interests, now together in 1 event! Come and join me on May 27 at Racesquare Utrecht to hear me talk about red team tooling, and to jump in a virtual F1 car for a race. More info on this *free* event: the-s-unit.nl/fortra-event/
Marc Smeets reposted
Mattijs RCX @alcyonsecurity
How to run a bug bounty program on the cheap:
1. Receive a vulnerability report and sit on it for a week. Do NOT triage yet.
2. Wait for another researcher reporting the same issue
3. Triage both reports as duplicate
4. Profit. Doubly validated bug at zero cost!!! #BugBounty
Marc Smeets reposted
impulsive @weezerOSINT
This is Microsoft's 5th WinRE BitLocker bypass in 3 years. CVE-2022-41099, CVE-2023-21563, CVE-2024-20666, BitUnlocker, now YellowKey
Marc Smeets reposted
impulsive @weezerOSINT
How it works:
1. Recovery tools look for a config file called RecoverySimulation.ini on the OS drive
2. If Active=Yes, it enables "test mode" for the recovery tools
3. Test mode unlocks your BitLocker drive but a flag called FailRelock tells it to skip relocking
4. cmd.exe spawns with full access to your "encrypted" drive
impulsive tweet media
Marc Smeets reposted
impulsive @weezerOSINT
I just reverse engineered the YellowKey BitLocker bypass Microsoft shipped code that checks for a flag called "FailRelock" in every Windows 11 recovery image. When it's set to 1, after recovery unlocks your BitLocker drive, it never relocks it. All you need is a USB stick. This code only exists in the recovery environment. Not in normal Windows. They left an entire debug testing framework in production.
impulsive tweet media
impulsive @weezerOSINT

The userland demon is about to drop again.

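A defender-side hunt for the trigger file described in the two YellowKey posts above (the "How it works" steps and the FailRelock write-up). This is an added example, not code from the posts' author: the file's exact location on the OS drive and the key=value line layout are assumptions; only the file name and the Active / FailRelock keys come from the posts.

```powershell
# Added example (not from the posts above): look for the WinRE "test mode"
# trigger file on the OS drive and report whether its flags are set.
# Assumed: the file sits within a few directories of the drive root, and
# the flags appear as plain key=value lines (INI section names unknown).
$osDrive = "$env:SystemDrive\"
$hits = Get-ChildItem -Path $osDrive -Filter 'RecoverySimulation.ini' -File `
    -Recurse -Depth 3 -Force -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output "No RecoverySimulation.ini found under $osDrive (depth 3)"
}

foreach ($file in $hits) {
    $lines = Get-Content -Path $file.FullName -ErrorAction SilentlyContinue
    # Key names taken from the posts; -match is case-insensitive and the
    # patterns tolerate whitespace around '='.
    $activeYes  = [bool]($lines | Where-Object { $_ -match '^\s*Active\s*=\s*Yes\s*$' })
    $failRelock = [bool]($lines | Where-Object { $_ -match '^\s*FailRelock\s*=\s*1\s*$' })

    [pscustomobject]@{
        Path         = $file.FullName
        LastWriteUtc = $file.LastWriteTimeUtc   # bounds when the file was planted
        ActiveYes    = $activeYes
        FailRelock1  = $failRelock
        Verdict      = $(if ($activeYes -or $failRelock) {
                            'INVESTIGATE: recovery test-mode trigger present'
                        } else {
                            'File present but flags not set; still unexpected'
                        })
    }
}

# Independent check that the OS volume is actually protected right now
# (needs the BitLocker module and an elevated session).
Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue |
    Select-Object MountPoint, ProtectionStatus, LockStatus, VolumeStatus
```

Any hit is worth a ticket, since the file has no business existing on a production machine; the LastWriteUtc value gives the window to correlate with physical-access or boot logs.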
Marc Smeets reposted
Haifei Li @HaifeiLi
CVE-2026-40361 (msrc.microsoft.com/update-guide/v…), patched today, is a critical 0-click UAF/RCE bug in Microsoft Outlook that I discovered back in Q1. You definitely want to patch this sooner rather than later. The danger of such 0-click bugs in Outlook is that they are triggered as soon as the victim reads or previews the email - no clicking of links or attachments is required. Since the bugs reside in Outlook's email rendering engine, it is difficult to mitigate or block (though specifically setting Outlook to render emails only in plain text format is a valid mitigation). Fun fact about the discovery: after the discovery of the #BadWinmail bug a decade ago, I wanted to run an experiment in Q1 to see if I could find another 0-click RCE in Outlook. The result? It wasn't easy — I even built a dedicated system for it — but I eventually found this one. :) To understand why such bugs are so critical, check out the #BadWinmail video demo I released a decade ago: youtube.com/watch?v=ngWVbc…. They share the same attack vector (though #BadWinmail was a working exploit, while this one was a PoC). Essentially, anyone could compromise a CEO or CFO just by sending an email. The threat perfectly bypasses enterprise firewalls and is delivered directly to the inbox. Furthermore, note that Outlook (Classic) lacks an application sandbox, making this attack vector even more dangerous. Regarding defense and detection: if you are concerned about Outlook 0-click 0-days, my EXPMON system (pub.expmon.com) provides cutting-edge detection against such advanced threats. When I designed the original system in 2020/2021, I developed this functionality specifically considering the impact of #BadWinmail. The system accepts .eml or .msg formats, and email samples are deeply tested within an Outlook sandbox. For enterprise users, emails can be "dumped" from the mail server, and EXPMON can be deployed in a private network. Contact me for more details. P.S. I just noted that the title of the Microsoft Security Update (msrc.microsoft.com/update-guide/v…) lists this as a Microsoft Word bug, which may or may not be entirely accurate. I demonstrated this bug to MSRC by showing that it works in a real, live Outlook + Exchange Server environment. My bet is that because the bug resides in wwlib.dll — a shared DLL used heavily by both Outlook and Word — it likely affects both Outlook (via email) and Word (via a document file). Regardless of the title, it is a genuine Outlook 0-click RCE. #CVE-2026-40361 #PatchTuesday #Outlook #0click #EmailSecurity #EnterpriseSecurity #expmon #ThreatIntel #ExploitDetection
Steve S. @0xTriboulet
I want two features for my iPhone:
1. Turn off all notifications, all the time, from all apps, always, silence only (no badges, banners, etc).
2. Turn on all sounds, flashing, vibration, etc from any application if the notification originates from my wife.
Autowelt @Autoweltmedia
BMW 125i, E82. Compact size and short wheelbase. N52 3.0 L naturally aspirated inline-six with 215 hp. On paper, it wasn’t that quick. But the throttle response, engine sound and rear-wheel drive gave it all an experience of a small sportscar. Especially from inside the cabin, it's a proper 6 speed manual. It somehow felt quicker than the numbers suggested. Because everything about the car amplified speed, the looks, the sound of the 6 cylinder, shifting gears.
Marc Smeets reposted
International Cyber Digest @IntCyberDigest
🚨 How the TanStack npm attack actually happened:
1. Attacker opened a normal-looking pull request (#7378) on the TanStack repo.
2. GitHub automatically ran CI tests on that PR.
3. Code inside the PR stole the workflow's GitHub Actions Cache write token during the test run.
4. The attacker used that token to plant poisoned files in the shared build cache. The PR could be closed afterwards. The poisoned cache stays.
5. The official release workflow later pulled from the cache, baked the malicious files into the build, and signed and published 84 malicious package versions to npm.
Adnan Khan @adnanthekhan

This attack leveraged GitHub Actions Cache Poisoning. Payload deployed here: github.com/TanStack/route… It looks like it detonated here: github.com/TanStack/route…

Marc Smeets reposted
Socket @SocketSecurity
🚨 BREAKING: 84 TanStack npm packages were compromised in an ongoing Mini Shai-Hulud supply chain attack, adding suspected CI credential-stealing malware. Socket flagged every malicious version within six minutes of publication. This is a developing story.
Socket tweet media
Marc Smeets reposted
Sovey @SoveyX
I officially reached the end of the Internet. Don’t ask me what I searched to find this.
Sovey tweet media
Marc Smeets reposted
Stijn de Vreede 🍿 @VrijndeSteede
DigiD after it becomes American.
Stijn de Vreede 🍿 tweet media
Rad @rad9800
N many years after working in cyber ...
Rad tweet media
Marc Smeets @MarcOverIP
@atoonk 🙈 no idea why this is still on my bookshelf
Marc Smeets tweet media
Andree Toonk @atoonk
Cleaning up some stuff today. A bit of nostalgia 🤓Probably don’t need this anymore. Last time I opened it was well over a decade ago.
Andree Toonk tweet media