Charly

@7N7 I saw like people stating they do have fixed it with GPT 5.4, but ain’t sharing the patch. Anyway thanks for the good bud, looking for the next updates (maybe i will push like auto config push on PR)

@chstx64 i just pushed a patch that checks the maximum amount of tokens a model can take when generating a config, so as long as the harness can compact the context then maybe? i havent tested it that far, but if its an api layer issue (as in, cliplusapi issue) then i cant do much abt it

well it now exists i guess

@7N7 Does it fix like the auto-compact bug things ? (Won't compact and go beyond limit context)

github.com/githubesson/cl… if you want to try it out (its a basic cliproxyapi wrapper, but i think im not the first person to run into this problem, and i think its a pretty well executed solution soooo yeah)

Frankly, I'm appalled by the prospect of LLMs taking offensive security research jobs from honest, hard-working fuzzers

@Fried_rice Love it man !

Let your agent orchestrate thousands of sub-agents and build harnesses: github.com/shouc/agentflow Codex/Claude Code/Kimi CLI supported.

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

@foilmanhacks @MarcoFigueroa 🤣🤣

@chstx64 @MarcoFigueroa Man, why doesn't their privacy policy mention Claude....interesting.

High recommend checking out @MarcoFigueroa it’s jonathandata1, the electric boogaloo part 2.

@q_w_e_r_t_y_08 @S1lky_1337 @github You know how to make a google search, good boy.

My GitHub now got completely suspended. I can't login anymore. All my tools and my writeups for my CVEs are gone. They don't even responded to my ticket. @github are you serious? You fucked my whole public reputation without a comment.

@TheAhmadOsman Why every time i see a tweet from you on my TL, it's about people/drama🤔

This is genuinely sad I have seen Sero grow into an active community members over the past 6 months, just didn't expect to get blocked because I disagreed with him Opensource MUST win (I have been saying that for 3+ years now) but we can only do that by setting up people for success not for failure and disappointment Other things that happened today in the local AI space makes forces me to reasses who I involve & trust moving forward We cannot be hyping things up without substance or picking up fights instead of educating and grounding people in truth We can do better

@brymko @h0mbre_ Meal Plan : Stop buying food, keep money for monthly Max x20 sub.

@h0mbre_ lost 15 kg since mid december with a claude meal plan

Claude is somehow better at kernel exploitation than creating meal plans. It's wild how bad it is

@MarcoFigueroa @0dinai @ekoparty Show us a single triaged vulnerability. One. Until then this is AI-generated security theater

@MarcoFigueroa @0dinai @ekoparty A monolithic prompt without a proper harness is just asking Claude to hallucinate CVEs with extra confidence. Any security researcher knows that LLM output without manual verification is worthless and you're presenting raw Claude output as proof of 0-days

He said in this video that finding 0-days with Claude wasn’t possible 3–4 months ago but at @0dinai we were already doing it back in Feb/March 2025. We called the technique “OH LAWWWD.” We talked about it multiple times on podcasts and even demoed it live at @ekoparty last October. We asked the crowd to pick any target someone said Discord. We found 10 zero days in under 15 minutes. 1k retweets and I will release the monolithic prompt!

- XZ utils backdoor: found by guy debugging 200ms latency - LiteLLM hack: found by guy debugging oom issue These could have been the most impactful compromises ever. Forget security vendors, weaponize your engineers’ autism.

@sudo_goreng @FactoryAI Geniune question here, what model do you use on ? Kimi / GLM ? Did you tried Opus on it ? How the usage feel ?

Just tested @FactoryAI for a couple of hours + adapted my opencode skills & plugins to droid. Will be daily driving it for a couple of weeks. So far its good, but the only problem is the CLI sometimes lags, Idk if its a zellij/ghostty specific issue or not.

@0xSero Nice , need to give a try to Droid ! And what about omp : github.com/can1357/oh-my-… - @_can1357 did a really good job here for the harness and their hashline approach.

@chstx64 Yes it's pretty good, Droid Missions are better though. buzzsprout.com/1988715/episod… I also interviewed them.

Factory reached out to me to sponsor my work, I had been shilling their product for nearly 6 months prior because I genuinely think it is the best muli-model harness experience rn. I get contacted a few times a week for sponsorships, and I turn everyone down because I can't in good conscious sell you something I don't use. If they pull their sponsorship I will still pay for Droid, and I will still shill it daily because it is that good. Our agreement lets me post whatever I want, whenever I want. Like all products their's is flawed, and I point these issues out to them in public daily. One of the main reasons I accepted this sponsorship is that it can be free to use, you don't need to pay anything, you can access the platform with your own codex, claude, copilot, zai, minimax, kimi subs and use pretty much all the features bar their web UI. - github.com/automazeio/vib… <-- port all your subs into vibe proxy - docs.factory.ai/cli/byok/overv… <-- port your vibe proxy models into Droid I hope it serves you like it's served me.