asylumdx

1.2K posts

@asylumdx

Joined June 2018
759 Following, 188 Followers

asylumdx retweeted
秋风 @q1uf3ng
What are the limits of AI-assisted vulnerability hunting? I obtained 23 CVEs in one month.
BentoML 8.2k CVE-2026-27905 HIGH
SillyTavern 24.6k CVE-2026-26286 HIGH
Plane 28.2k CVE-2026-27705 MEDIUM
NocoDB 46.4k CVE-2026-28399 MEDIUM
Mautic 8.4k CVE-2026-3105 HIGH
File Browser 27.9k CVE-2026-28492 HIGH
OpenReplay 7.3k CVE-2026-28443 MEDIUM
SuiteCRM 4.0k CVE-2026-29096 HIGH
Pimcore 3.6k CVE-2026-27461 HIGH
Craft CMS 5.2k CVE-2026-32263 MEDIUM
Froxlor 1.6k CVE-2026-30932 HIGH
Actual Budget 3.2k CVE-2026-27638 HIGH
Lemmy 14.0k CVE-2026-29178 MEDIUM
Chartbrew 2.6k CVE-2026-27005 HIGH
Tautulli 1.7k CVE-2026-28505 HIGH
Typebot 9.5k CVE-2026-33712 CRITICAL
LibreChat 34.7k CVE-2026-31942 HIGH
Coolify 33.8k CVE-2026-27883 HIGH
Gotenberg 3.0k CVE-2026-27018 HIGH
Unkey 5.2k CVE-2026-28339 MEDIUM
Piwigo 3.3k CVE-2026-27634 CRITICAL
Pixelfed 10.7k CVE-2026-27011 HIGH
Follow (Folo) 3.0k CVE-2026-27499 HIGH

asylumdx retweeted
stuxf @stuxfdev
We at @verialabs built an autonomous CTF agent in a weekend and won 1st place at @BSidesSF 2026, solving all 52/52 challenges. It races multiple AI models (Claude, GPT-5.4) in parallel, each in isolated Docker sandboxes with full CTF tooling. A coordinator LLM reads solver traces and sends targeted guidance to stuck agents. As AI gets better at finding and exploiting vulnerabilities, we think it's important to understand exactly how good it is and where it fails. github.com/verialabs/ctf-…

asylumdx retweeted
SinSinology @SinSinology
to all pwn2own gooners out there, heads up! in the last 4 hours litellm pypi package has been backdoored and a bit of decoding shows, it steals almost every fucking key you got (that's the least it does) *An attempt in this category might be launched from the local apt's laptop*
JFrog Security @JFrogSecurity
🚨 Security Alert 🚨 The PyPI package litellm has been found to contain a malicious payload in versions 1.82.7 and 1.82.8. If you're using these versions, take immediate action to review and mitigate potential impact. More details will be shared soon.

asylumdx retweeted
0ca @francisco_oca
Opus 4.6 (1M) through Claude code solved autonomously 45/54 challenges of BSidesSF 2026 @BSidesSFCTF, placing temporarily into the 21st place, 25th as of now. This was done with 0 involvement, I didn't give any guidance or manually review any challenges. I used BoxPwnr 🤖 with the CTFd platform to launch challenges in multiple instances, that's it. I will publish all the traces once the competition finishes, in the meantime you can see the challenges, number of turns and time it took to solve each here: 0ca.github.io/BoxPwnr-Traces… In the following days I will try to understand why it couldn't solve the 9 remaining challenges: difficulty? long exploration-context rotting? interactive interaction required? challs using video/image? We will see. Models have improved significantly in the last 6 months, see Cybench results Opus 4.1 vs 4.6 (42% to 93%) cybench.github.io It's crazy to see what LLMs can do with a minimum harness.

asylumdx retweeted
Chaofan Shou @Fried_rice
vibe coded a fuzzing ai agent last month and let it run for a week using my $200 claude max. it then found 21 high/critical vulnerabilities in Chrome.

asylumdx retweeted
Lowkey @Lowkey0nline
The moment Israel targeted British journalist Steve Sweeney in southern Lebanon.

asylumdx retweeted
Joe Kent @joekent16jan19
After much reflection, I have decided to resign from my position as Director of the National Counterterrorism Center, effective today. I cannot in good conscience support the ongoing war in Iran. Iran posed no imminent threat to our nation, and it is clear that we started this war due to pressure from Israel and its powerful American lobby. It has been an honor serving under @POTUS and @DNIGabbard and leading the professionals at NCTC. May God bless America.

asylumdx retweeted
𝖽𝖺𝗎𝗌 @vicevirus2
Got my first Chrome CVE! This was surfaced by my agentic pipeline, though the PoC was put together with a bit of manual work, AI, and a lot of digging through similar older reports and commits, since it was my first time and I honestly did not understand much of the codebase or how a PoC was supposed to be done for this case initially. I’ve also had a few other CVEs surfaced by my pipeline over the past few months, and I might write about those some other time

asylumdx retweeted
s1r1us (mohan) @S1r1u5_
prediction: the next 12 months are going to be insane, expect a wave of critical CVEs across every kind of open-source software. i’m also realizing how insanely under-resourced infosec actually is.

asylumdx retweeted
LiveOverflow 🔴 @LiveOverflow
A different aspect about the CTF AI issue: To me CTFs always showed peak technical skill. Challenges were harder than the average real world pentest engagement and it served as a “reality check”. But if AI can one-shot hard challenges. What does that mean for most pentest jobs?

asylumdx @asylumdx
watching opus 1 shotting rce chain via reflection under 5min (im cooked)

asylumdx retweeted
Formula 1 @F1
OSCAR PIASTRI HAS CRASHED!! 😱 He is OUT of the Australian Grand Prix on the way to the grid! The driver is out of the car and ok #F1 #AusGP

asylumdx retweeted
Anthropic @AnthropicAI
We partnered with Mozilla to test Claude's ability to find security vulnerabilities in Firefox. Opus 4.6 found 22 vulnerabilities in just two weeks. Of these, 14 were high-severity, representing a fifth of all high-severity bugs Mozilla remediated in 2025.

asylumdx retweeted
Joseph Thacker @rez0__
me to my hackbot: oh my gosh if you can figure this out we can be RICH

asylumdx retweeted
Alan MacLeod @AlanRMacLeod
This is how media lies to you in real time.

asylumdx retweeted
CyKor @CyKorKU
We just posted a new article on our blog! 🚀 "How I Found Open-Source 0-days with an LLM Multi-Agent Workflow" 🔍 Hyunseo Shin (KU, 4th year) shares how an LLM-based multi-agent workflow uncovered real 0-days in open-source projects. Worth a read👇 🔗 blog.cykor.kr/2026/02/How-I-… #Cykor #LLM #ZeroDay

asylumdx retweeted
dunadan @udunadan
Vulnerability research is the loneliest job in the world.