AndrewMohawk⁽ⁿᵘˡˡ⁾

12.5K posts

@AndrewMohawk

Sec/Madness. @privy_io principal security, @_seal_org technical council. Prev: HoS @uniswap, D&R/IR @RobinhoodApp, IR @BitMEX, built @Paterva Maltego with RT

New York, USA. Joined February 2008
3K Following, 5.3K Followers
Pinned Tweet
AndrewMohawk⁽ⁿᵘˡˡ⁾ @AndrewMohawk
Fun react bug, (CVE-2025-55183) if you have a server side component and it explicitly or implicitly exposes a stringified argument you can get the source code for that function. Also found DoS, but reported it to vercel instead of meta and someone else reported the next day 🙃
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
faulty *ptrrr @0x_shaq
CTF in 2026
AndrewMohawk⁽ⁿᵘˡˡ⁾
@S1r1u5_ I think for now it’s all related to how good the context, description and harnesses are. But it also changes every few minutes, so who knows. I wish I could play by proxy or remotely!
s1r1us (mohan) @S1r1u5_
this year's pwn2own isn't just interesting because there will be lots of entries with AI+human. it is also interesting because a) anthropic burned a ton of tokens on firefox, basically running claude in a loop until it found something for a month, probably exhausting whatever claude can one shot. b) if someone submits a full chain without much use of ai, it tells you one shotting plateaus and these models are a bit more like fuzzers than seasoned security researchers. c) even if they used an llm to find the bug, this tells us scaffolding/harness design, prompting, and the operator matter a lot.
AndrewMohawk⁽ⁿᵘˡˡ⁾
@nicowaisman Yeah I’m just curious on the depth and complexity of the bugs, but without actually knowing what they are it’s difficult. Anthropic opining about their sqli that a jnr Eng should pick up makes me wonder if anyone has depth/complexity (happy to be proved wrong!)
AndrewMohawk⁽ⁿᵘˡˡ⁾
cve.org/CVERecord?id=C… "Microsoft Devices Pricing Program Remote Code Execution Vulnerability" I really wish there was more visibility into any part of this, it's super difficult to assess the landscape right now where CVEs have plummeted in value and slop makes it past ZDI
XBOW@Xbow

AI just found critical vulnerabilities in Microsoft systems on its own. XBOW identified 3 critical RCEs, including one of the most severe issues in March’s Patch Tuesday and two in Bing with potential SYSTEM-level impact. No source code. Real environments. Real CVEs. AI is no longer assisting security research. It’s doing it. bit.ly/4bNBgWT

AndrewMohawk⁽ⁿᵘˡˡ⁾
@thsottiaux Allow "low demand" tasks which are ones that don't need immediate results but can trigger when there is low compute load for things like continual learning / kb updates
Tibo @thsottiaux
With Codex there is quite the gulf in load between peak and off-peak times, and we would like to achieve more of a smoother traffic pattern as that would be a more optimal use of our compute. We have ideas, but curious what you all think we should do? Would more usage during off-peak and a surge multiplier during peak times make sense?
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Rami McCarthy @ramimacisabird
The Internet Bug Bounty, which covered critical open source like Node.js, has been paused due to "AI-assisted research expanding vulnerability discovery"
Enoch Bowden @EnochBowden
@BaselIsmail > AI LLMs hallucinate package names roughly 18-21% of the time. Source?
Basel Ismail @BaselIsmail
URGENT PSA - New supply chain attack vector that I found WILD > AI LLMs hallucinate package names roughly 18-21% of the time. Hackers have started pre-registering those hallucinated names on PyPI and npm with malicious payloads; they call it "slopsquatting" You can only imagine what's next
AndrewMohawk⁽ⁿᵘˡˡ⁾
@sailingbikeruk @IceSolst @TKatsapas So do it? Use passkeys/yubikeys/pw manager, JIT access, step up auth etc, there are so many tools that can at least make credential phishing something completely non-existent that no one should have to worry about it
Ian Davies. @sailingbikeruk
@AndrewMohawk @IceSolst @TKatsapas What a stupid take. I *want* to login everywhere as a domain admin so I can do and use everything I need to. How does that work in your security philosophy?
solst/ICE of Astarte
When joining a new security team, the highest ROI action you can take is terminate Snyk as a vendor
AndrewMohawk⁽ⁿᵘˡˡ⁾
@TKatsapas @IceSolst People should click on every link, if something bad happens because of that it's on the security team! Our only job is to make sure people can do the things they want to safely!
TimK @TKatsapas
@AndrewMohawk @IceSolst Gurrr, this email tells me I just won $10 million, I better give them my social security info, and pay the $1k fee to unlock it. What I have seen in orgs, people still just don't understand basic security - the average Joe just doesn't stand a chance without training.
Max Segall @segall_max
The official wallet partner of barrys noho
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
IroncladDev @IroncladDev
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
pwn.ai @pwn_ai
🚨 ZERODAY: ImageMagick 🚨 Our autonomous pentester pwn.ai just dropped multiple zeroday chains in ImageMagick that achieve RCE and File Leak from a single .jpg or .pdf file, bypassing EVERY security policy (Default, Limited, AND Secure). 🤯 💥 Affects Ubuntu, Debian, WordPress & millions of servers globally. Happy Monday and Happy Hunting! 🥰 pwn.ai/blog/imagemagi…
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Oratomic, Inc. @TeamOratomic
Today, we introduce Oratomic. We are on a focused mission to build the world’s first fault-tolerant quantum computers and unlock their transformative applications. Quantum computers offer a fundamentally new way of understanding and interacting with the physical world. Our recent scientific advance finds that Shor’s algorithm is possible with as few as 10,000 reconfigurable atomic qubits: arxiv.org/abs/2603.28627 Our team integrates world-class expertise in quantum error correction, neutral atom systems, artificial intelligence, and optical engineering. We are working together to make fault-tolerant quantum computing a reality. To learn more about Oratomic and our team, visit oratomic.com