Bishop Fox

12.1K posts

@bishopfox

A leading provider of #offensivesecurity solutions & contributor to the #infosec community. #pentesting #hacking VC @forgepointcap @carrickcapital @WestCap8

Tempe, AZ · Joined April 2013
4.3K Following · 25.6K Followers
Bishop Fox (@bishopfox)
Thomas Wilson on the GitHub Actions cache poisoning technique behind Mini-Shai-Hulud and why CI/CD trust assumptions are becoming a major real-world attack surface, from the Initial Access podcast.
Bishop Fox (@bishopfox)
Join Juan Jasso live today for Hacking en la Nube 101, a hands-on workshop covering the fundamentals of cloud pentesting, tools such as CloudFox, misconfigurations, and common attack paths in cloud environments.
Bishop Fox (@bishopfox)
Happening now! Cloud environments introduce a completely different attack surface, and understanding how attackers enumerate and exploit them is becoming a core security skill. Join Juan Jasso live for Cloud Hacking 101, a hands-on workshop covering cloud pentesting fundamentals, CloudFox tooling, misconfigurations, and common cloud attack paths: bfx.social/4wFkphl
Bishop Fox (@bishopfox)
We’re excited to host Cloud Hacking 101, our first workshop to be available in both English and Spanish! In this hands-on workshop, Juan Jasso will walk through the fundamentals of cloud penetration testing, including how to use CloudFox to enumerate cloud environments, identify misconfigurations, and safely explore common attack paths across providers. This is perfect for people who want real, practical experience!
Bishop Fox (@bishopfox)
AI helped build a web exploitation framework faster than would’ve been realistic before. Senior Operator I Tony West shares what it was actually like building Joro with AI-assisted development, including where the models helped and where they completely hallucinated integrations.
Bishop Fox (@bishopfox)
Happening today at 2 p.m. ET: Join AIMap creator Aashiq Ramachandran for a demo exploring how publicly exposed AI systems can be discovered, fingerprinted, scored, and tested in real time. From agent frameworks to exposed model endpoints, we’ll walk through what attackers can see and what defenders should be paying attention to!
Bishop Fox (@bishopfox)
“What if consumers were never the real target?” Sergio Villegas and John Untz discuss the recent Daemon Tools supply chain compromise and why consumers may have just been collateral damage.
Bishop Fox (@bishopfox)
AI systems are becoming part of the attack surface, but most teams still don’t have good visibility into what’s exposed, what tools are accessible, or how these systems behave under attack.
Bishop Fox (@bishopfox)
How do you spot AI-generated code? Start with the comments—comments that explain every tiny thing in excruciating detail—whether you asked for it or not. Oh, and the em-dashes. Sr. Managing Operator Richard Brown explains.
Bishop Fox (@bishopfox)
A failed login should not take 6 seconds. Bishop Fox researchers reproduced CVE-2026-42208 in LiteLLM’s proxy. The attack requires no authentication, still returns HTTP 401 responses, and uses timing delays to extract sensitive data. Observed in the wild roughly 36 hours after disclosure. Upgrade to 1.83.7 or higher.
Bishop Fox (@bishopfox)
Billy Giles is heading to Hack Space Con! His talk, "When Stealth Becomes the Enemy," challenges the idea that undetected access and complex exploit chains automatically equal success. Instead, he'll cover how to design engagements that actually improve defenses. Details: bfx.social/3PngzbR