Maxi Soler (@MaxiSoler)

12K posts

Securing Apps & Products · 🇦🇷

Argentina · Joined July 2009
5.1K Following · 5.7K Followers
Maxi Soler (@MaxiSoler):
@PabloSabbatella Do they have an official bug bounty program? If there’s no program, CERT/CC is your best ally to mediate. 70 days without a response already justifies escalating.
Pablo Sabbatella (@PabloSabbatella):
70 days ago, we reported a critical vulnerability to a top 5 Big Tech in one of their main platforms. They do not seem to be advancing in fixing the issue, which can be exploited right now. Communication with them is basically empty. Fucking shit show. I wonder why many people lose faith in white-hat hacking....
Maxi Soler (@MaxiSoler):
🚨 CVE-2026-31431 "Copy Fail": 732 bytes of Python and you're root on almost ALL Linux distros since 2017. No race conditions, no per-kernel offsets, 100% reliable. A normal local user → root on Ubuntu, RHEL, Amazon Linux, SUSE… and even container escape via the shared page cache. ℹ️ copy.fail #Linux #Security #CVE #CyberSecurity #ContainerSecurity
immad (@immad):
1/ Today @Mercury received conditional approval from the OCC to establish Mercury Bank, N.A. I started Mercury in 2017 to build the bank I wish had existed as a founder. Nearly a decade later, we’re getting there. 🧵
Maxi Soler (@MaxiSoler):
@pingiskok Thanks for sharing it! I loved the examples. Some of them I didn't remember.
Pablo Sanchez (@PabloSanchez):
After a lot of work by the whole @brubankarg team, I'm proud to present "BruFon". We are the first bank in Argentina to offer you, in one place, everything you need to travel: the best exchange rate, travel assistance and now mobile data so you can use WhatsApp, Google Maps, Instagram, TikTok and all your apps no matter where in the world you are. Brufon gives you: → Mobile data in more than 150 countries without a physical chip → Real-time usage control from the Brubank app → Exclusive for users subscribed to Plan Ultra (2GB) and Plan Plus (1GB) At @brubankarg we are always one step ahead, innovating to bring the best products and services to our customers. Congrats to the whole team on the launch of a great product!
Quoting Brubank (@brubankarg):

Introducing BruFon: Brubank's international eSIM 🌍 Data in 150+ countries. No physical chip. No roaming. All from the app. Exclusive for users subscribed to Plan Plus or Ultra. Get moving. The signal follows you.
Maxi Soler (@MaxiSoler):
@rauchg HugOps to everyone working the incident! Stay strong, don't let up! 💪
Guillermo Rauch (@rauchg):
Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly.

A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments.

Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability, however, to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration.

We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel.

At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community.

The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature.

In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback.

We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance.

It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.
Maxi Soler (@MaxiSoler):
🚨 Vercel confirmed a security incident: unauthorized access to some of its internal systems. 🔍 Limited scope for now, but the investigation remains open. ✅ Official recommendation: review your environment variables and enable the sensitive env vars feature. 👀 Little disclosure so far; one to follow closely.
Quoting Vercel (@vercel):

We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin: vercel.com/kb/bulletin/ve…
Maxi Soler (@MaxiSoler):
Anthropic just launched Project Glasswing: an alliance with AWS, Google, Microsoft, Apple and other giants to use that same capability to defend systems. Its Claude Mythos model found vulnerabilities that had gone undetected for decades. 🔥 anthropic.com/glasswing
Maxi Soler (@MaxiSoler):
@feross @ljharb @jdalton Thank you for sharing, it's a great article! This information is vital for the community to be aware of and understand how to respond.
Feross (@feross):
North Korea is targeting npm maintainers -- not for crypto, but for write access to packages downloaded trillions of times a year. Several Socket engineers were targeted in this campaign -- myself, @ljharb, @jdalton, and others. None of us fell for the bait. Unfortunately, the axios maintainer did.

No shame in that -- these aren't phishing emails. They're weeks-long ops with fake companies, fake Slack workspaces, and spoofed meeting platforms built with realistic Zoom/Teams interfaces using the official SDKs for realism.

Other confirmed targets: @matteocollina (Fastify, Pino, Undici, Node.js TSC Chair), @wesleytodd (Express TC), @voxpelli (mocha, neostandard). The common thread? High-trust maintainers with publish access to packages that sit deep in everyone's dependency tree.

The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a "fix." That fix is a RAT. Once it's on your machine, they have your .npmrc tokens, browser sessions, AWS creds, keychain. 2FA doesn't matter. OIDC publishing doesn't matter. Game over.

Security researcher @tayvano_ linked this to UNC1069, a DPRK-nexus group Mandiant has tracked since 2018. Why social engineer one rich person when you can compromise one maintainer and reach millions of machines?

This is the threat model now. If you maintain popular packages, act accordingly. If you use open source (and you certainly do), act accordingly. Full writeup: socket.dev/blog/attackers…
Maxi Soler (@MaxiSoler):
🚨 Active attack against key Node.js/npm maintainers: they use fake interviews, Slack and video calls to steal credentials, run malware and compromise the supply chain at scale. socket.dev/blog/attackers…
Maxi Soler (@MaxiSoler):
🚨 GitHub warns: open source supply chain attacks are now targeting your API keys, not your code. Most common entry point: misconfigured GitHub Actions workflows. 🛡️ What you can do today:
- Enable CodeQL on your workflows (free)
- Pin third-party Actions to a full SHA
- Replace secrets with OpenID Connect tokens
github.blog/security/suppl…
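One way to check a workflow file against the second and third items in the post above (added example; not code from the post, from GitHub or from the linked article). The line-based regex scan, the sample workflow and its placeholder SHA are assumptions, and the scan covers only the `uses:` and `${{ secrets.* }}` forms shown in the sample.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA cannot be re-pointed later
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

def parse_uses(workflow_text):
    """Return (action, ref) pairs for every `uses:` line; local (./) and docker:// refs are skipped."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        action, _, ref = m.group(1).partition("@")
        found.append((action, ref))
    return found

def unpinned_actions(workflow_text):
    """Actions referenced by a tag or branch instead of a full commit SHA."""
    return [f"{a}@{r}" for a, r in parse_uses(workflow_text) if not SHA_RE.match(r)]

def long_lived_secrets(workflow_text):
    """Repository secrets the workflow injects; GITHUB_TOKEN is short-lived and ignored."""
    return sorted(n for n in set(SECRET_RE.findall(workflow_text)) if n != "GITHUB_TOKEN")

def oidc_enabled(workflow_text):
    """True when the workflow requests an id-token, the prerequisite for OIDC cloud auth."""
    return re.search(r"^\s*id-token:\s*write\s*$", workflow_text, re.M) is not None

def audit(workflow_text):
    """Run the checks the post recommends against one workflow file."""
    return {"unpinned": unpinned_actions(workflow_text),
            "long_lived_secrets": long_lived_secrets(workflow_text),
            "oidc": oidc_enabled(workflow_text)}

# Constructed sample workflow (not from the page); the 40-hex ref is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: deploy
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/build
      - run: aws s3 sync ./dist s3://example-bucket
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""
```

Running `audit(SAMPLE_WORKFLOW)` flags `actions/checkout@v4` as unpinned and the two AWS secrets as long-lived credentials that an OIDC federation could replace, while the SHA-pinned action and the local action pass.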
Maxi Soler reposted
Feross (@feross):
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
Mauro Casas (@maurohouseless):
I reported a bug to Audi Argentina, they thanked me, and I claimed my bounty.
Maxi Soler (@MaxiSoler):
@HackingDave Definitely! AI is opening up exciting new opportunities in security!
Dave Kennedy (@HackingDave):
What I see in cybersecurity: AI has re-invigorated an industry that was largely stale for the past ten years. Complete new green field. Changes everything. New innovation happening every day. Need to adapt or be left behind. This reminds me of the early 2000s; it’s exciting, addicting, and it’s going to be fun as hell.