Sabitlenmiş Tweet
Brandon()
602 posts
Microsoft Exchange Server users are urged to immediately mitigate a newly disclosed zero-day vulnerability that has been exploited in attacks.
SecurityWeek@SecurityWeek
Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild securityweek.com/microsoft-warn…
English
OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack
CVE-2026-44112 (CVSS 9.6 – Critical)
CVE-2026-44115 (CVSS 8.8 – High)
CVE-2026-44118 (CVSS 7.8 – High)
CVE-2026-44113 (CVSS 7.7 – High)
Cyber Security News@The_Cyber_News
🚨 OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack Source: cybersecuritynews.com/openclaw-chain… A chain of four critical vulnerabilities discovered in OpenClaw, one of the fastest-growing open-source platforms for autonomous AI agents, has left an estimated 245,000 publicly accessible server instances exposed to remote exploitation, credential theft, and persistent backdoor installation. Shodan and ZoomEye scans as of May 2026 reveal approximately 65,000 and 180,000 publicly accessible OpenClaw instances, respectively, totaling roughly 245,000 exposed servers. What makes this chain especially dangerous is that the attacker weaponizes the AI agent’s own privileges. #cybersecuritynews
English
Brandon() retweetledi
🚨 WARNING: The self-spreading “Mini Shai-Hulud” worm compromised npm & PyPI packages tied to TanStack, Mistral AI, Guardrails AI, OpenSearch & more.
The attack used GitHub OIDC token hijacking and cache poisoning to spread credential-stealing malware across 42 TanStack packages and 84 versions.
Check your dependencies immediately → thehackernews.com/2026/05/mini-s…
English
Brandon() retweetledi
Anthropic is increasing Pro, Max and Team plans limits.
Claude@claudeai
Effective today, we are: 1) Doubling Claude Code’s 5-hour rate limits for Pro, Max, and Team plans; 2) Removing the peak hours limit reduction on Claude Code for Pro and Max plans; and 3) Substantially raising our API rate limits for Opus models.
English
Looked at 1M conversations....
Anthropic@AnthropicAI
How do people seek guidance from Claude? We looked at 1M conversations to understand what questions people ask, how Claude responds, and where it slips into sycophancy. We used what we found to improve how we trained Opus 4.7 and Mythos Preview. anthropic.com/research/claud…
English
Brandon() retweetledi
@basedgunnar @rockkdev I think it's a good idea to get into the habit of going directly to the app instead of clicking links in emails, even if they seem legit.
English
@brandonbango @rockkdev I got it and just immediately reset all my passwords and devices. Looked legit until it took me to download something.
English
New Robinhood phishing chain that's kinda beautiful:
1. Attacker creates an RH account using the Gmail dot trick of your email (same inbox, different address)
2. Sets device name to HTML
3. RH's "unrecognized activity" email renders the device name unsanitized (html injection)
The result is a real email from noreply@robinhood.com, DKIM pass, SPF pass, DMARC pass, with a phishing CTA
Just because it's real, doesn't mean it's safe... $HOOD
English
I received this phishing email last night as well. On the surface it looks legit, and since it's from Robinhood and not a random email address, it did have me concerned for a minute.
First thing I checked was the and addresses and I noticed my email address had a dot in it. Obviously I didn't create my RH account with the dot in my email.
Next I logged into the app and there was no mentioned of the case # or an unrecognized device logged in. Just to be safe, I went to Devices and logged out all other devices.
If you're concerned it's worth changing your password, make sure MFA and/or a passkey is setup on your account.
Abdel@rockkdev
New Robinhood phishing chain that's kinda beautiful: 1. Attacker creates an RH account using the Gmail dot trick of your email (same inbox, different address) 2. Sets device name to HTML 3. RH's "unrecognized activity" email renders the device name unsanitized (html injection) The result is a real email from noreply@robinhood.com, DKIM pass, SPF pass, DMARC pass, with a phishing CTA Just because it's real, doesn't mean it's safe... $HOOD
English
Brandon() retweetledi
Bitwarden identified and contained a malicious package briefly distributed through the npm delivery path for the Bitwarden CLI in connection with the broader Checkmarx supply chain incident. No user vault data or production systems were compromised or at-risk. Additional details and updates are available here: community.bitwarden.com/t/bitwarden-st…
English
How A Roblox Cheat Download Triggered A $2 Million Hack At Vercel
An employee at a small AI startup called Context AI was searching for and downloading "auto-farm" scripts and game exploit executors, the kind of tool that automates grinding inside Roblox. Hidden in one of those downloads was Lumma Stealer, one of the most widely distributed pieces of infostealer malware currently in circulation.
The attacker used those credentials to breach Context AI, steal the OAuth tokens of its customers, and pivot into the Google Workspace of a Vercel employee who had signed up for Context AI's product and granted it "Allow All" permissions on their enterprise account.
Wow - link to the full article below.
English
Bitwarden CLI 2026.4.0 was compromised.
Socket@SocketSecurity
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline. We’ll continue updating our coverage as more details are confirmed. socket.dev/blog/bitwarden…
English
Ok, I finally figured out the issue with these Discord warning messages and it was classic user error 😅
A few weeks ago I installed Hermes to try it out and I left both OpenClaw and Hermes services running and both were receiving the Discord messages.
I disabled Hermes and back on OpenClaw only for now.
Brandon()@brandonbango
Ever since upgrading to OpenClaw 2026.4.12 (I think) with openai-codex, I've been getting max retry and invalid API response messages in Discord even though my agent replies. Anyone else seeing this too? I upgraded to the newest 2026.4.15 earlier, this doesn't happen with Telegram and I don't see anything in the logs. I have plenty of usage remaining on my plan. ----- Max retries (3) for invalid responses — trying fallback... Invalid API response shape. Likely rate limited or malformed provider response. Max retries (3) exceeded for invalid responses. Giving up.
English
@steipete I noticed this back on April 6th in the docs, but I couldn't get it to work with the version I was trying on 2026.4.2. It wouldn't create the auth-profiles.json file.
x.com/brandonbango/s…
Brandon()@brandonbango
Did Anthropic unblock first party harness?! Yesterday, this was failing and it appears the OpenClaw docs have been updated. claude -p --append-system-prompt 'A personal assistant running inside OpenClaw.' 'is clawd here?' Yes, Claude is here. What can I help you with?
English
Since this is blowing up on hacker news.
Boris said that CLI usage is allowed. Thus we added support for it, only to find out that we are still blocked there. It is trival to work around with a few renames, but I don't wanna play that game. So it's in a weird limbo where cli use should work in theory but doesn’t in practice.
x.com/bcherny/status…
Dan McAteer@daniel_mac8
Anthropic allows OpenClaw usage again. From @openclaw docs.
English
@embrron @daniel_mac8 @openclaw I couldn't get it to work on the OpenClaw version that I was on at the time.
x.com/brandonbango/s…
Brandon()@brandonbango
@daniel_mac8 @openclaw Unfortunately I still couldn't get it to work properly with OpenClaw v2026.4.2 because it wasn't generating the auth-profiles.json file for it. I think it was a bug but not sure - I ended up upgrading to the newest version and switching to GPT-5.4.
English
English
@daniel_mac8 @openclaw Unfortunately I still couldn't get it to work properly with OpenClaw v2026.4.2 because it wasn't generating the auth-profiles.json file for it. I think it was a bug but not sure - I ended up upgrading to the newest version and switching to GPT-5.4.
English