Maxwell ꓘ Dulin (Strikeout)

3K posts


@Dooflin5

God First ✞ | Web3 & Web2 Security Researcher (Hacker) | Gonzaga U & Centralia HS Grad | Wiffleball @ctownwiffle | Dodgeballer |

Seattle/Centralia, WA · Joined February 2013
953 Following · 1.3K Followers
Pinned Tweet
Maxwell ꓘ Dulin (Strikeout)
I taught a killer training of glibc malloc heap exploitation for several years. After some effort, the content is now open source and mostly ready to consume! Half of the videos are posted for the course. 🔥 github.com/SecurityInnova…
Maxwell ꓘ Dulin (Strikeout) retweeted
zhero; @zhero___
addicted to new-age slot machines, putting a coin into the token system hoping to make a fortune by doing like some without truly being anyone, ultimately becoming a poison for the ecosystems they interact with "science without conscience is but the ruin of the soul" as they say
Maxwell ꓘ Dulin (Strikeout) retweeted
John Saigle @johnsaigle
It's not right to suggest that static analysis tools are blind to these types of attacks. There are a lot of off the shelf lints that help here: - For Rust, Clippy has the invisible_characters enabled by default - Go has asciicheck and bidicheck (probably others too)
Quoting Hedgie @HedgieMarkets

🦔 Researchers at Aikido Security found 151 malicious packages uploaded to GitHub between March 3 and March 9. The packages use Unicode characters that are invisible to humans but execute as code when run. Manual code reviews and static analysis tools see only whitespace or blank lines. The surrounding code looks legitimate, with realistic documentation tweaks, version bumps, and bug fixes. Researchers suspect the attackers are using LLMs to generate convincing packages at scale. Similar packages have been found on NPM and the VS Code marketplace.

My Take

Supply chain attacks on code repositories aren't new, but this technique is nasty. The malicious payload is encoded in Unicode characters that don't render in any editor, terminal, or review interface. You can stare at the code all day and see nothing. A small decoder extracts the hidden bytes at runtime and passes them to eval(). Unless you're specifically looking for invisible Unicode ranges, you won't catch it.

The researchers think AI is writing these packages because 151 bespoke code changes across different projects in a week isn't something a human team could do manually. If that's right, we're watching AI-generated attacks hit AI-assisted development workflows. The vibe coders pulling packages without reading them are the target, and there are a lot of them.

The best defense is still carefully inspecting dependencies before adding them, but that's exactly the step people skip when they're moving fast. I don't really know how any of this gets better. The attackers are scaling faster than the defenses.

Hedgie🤗 arstechnica.com/security/2026/…

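An added example, not code from the Aikido report, from Hedgie's post, or from any lint John Saigle names: a scanner in JavaScript that reports runs of invisible Unicode code points in source text, which is the check the quoted thread says reviewers and many tools skip. The two sample sources are constructed for this example, and the run-length threshold of 8 is an assumption; a lone U+200D inside an emoji is benign, while a smuggled payload needs many invisible code points in a row.

```javascript
// Added example (not from any tweet on this page). Scans JavaScript source for
// Unicode code points that render as nothing in editors and diff views yet
// survive inside string literals, where a small runtime decoder can turn them
// back into bytes. Both sample sources below are constructed for this example.

// \p{Cf} covers format characters: zero-width space/joiner, bidi controls, the
// U+E0000..U+E007F "tags" block and the BOM. Variation selectors are category
// Mn (not Cf) and the Hangul fillers are letters that draw as blank glyphs, so
// both are listed explicitly.
const INVISIBLE = /[\p{Cf}\uFE00-\uFE0F\u{E0100}-\u{E01EF}\u3164\u115F\u1160\uFFA0]/gu;

// Returns every maximal run of adjacent invisible code points, with 1-based
// line and column (column in UTF-16 units) and the code points as U+XXXX.
function findInvisibleRuns(source) {
  const runs = [];
  source.split('\n').forEach((text, lineNo) => {
    let current = null;
    for (const m of text.matchAll(INVISIBLE)) {
      const cp = m[0].codePointAt(0);
      // A UTF-8 BOM as the very first character of a file is legitimate; skip it.
      if (lineNo === 0 && m.index === 0 && cp === 0xfeff) continue;
      if (current && m.index === current.end) {
        current.codePoints.push(cp);
        current.end += m[0].length;
      } else {
        current = { line: lineNo + 1, col: m.index + 1, end: m.index + m[0].length, codePoints: [cp] };
        runs.push(current);
      }
    }
  });
  return runs.map(({ line, col, codePoints }) => ({
    line,
    col,
    length: codePoints.length,
    codePoints: codePoints.map(cp => 'U+' + cp.toString(16).toUpperCase().padStart(4, '0')),
  }));
}

// Emoji sequences legitimately contain a lone U+200D, so flag only runs at or
// above a threshold (8 here is an assumption, not a published figure).
function suspiciousRuns(source, minRun = 8) {
  return findInvisibleRuns(source).filter(r => r.length >= minRun);
}

// Constructed benign sample: the family emoji holds two separate U+200D joiners.
const CLEAN_SOURCE = [
  'const greeting = "hello 👨‍👩‍👧";',
  'module.exports = greeting;',
].join('\n');

// Constructed suspicious sample: ASCII text shifted into the tags block
// (U+E0000 + byte), which is how a payload can hide in an ordinary-looking
// string; nothing here decodes or executes it.
const HIDDEN = Array.from('hidden payload', ch => String.fromCodePoint(0xe0000 + ch.codePointAt(0))).join('');
const SUSPECT_SOURCE = [
  '// chore: bump version, fix typo in README',
  `const config = { name: "pkg", tag: "${HIDDEN}" };`,
  'module.exports = config;',
].join('\n');

console.log('clean:', suspiciousRuns(CLEAN_SOURCE));     // → []
console.log('suspect:', suspiciousRuns(SUSPECT_SOURCE)); // → one 14-code-point run on line 2
```

Run it over a dependency's files before adding the package; a hit is worth a look at the surrounding code for a decoder that feeds the string to eval(). Lower the threshold for files that have no business containing emoji at all.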
Maxwell ꓘ Dulin (Strikeout)
@sigp_io Finding bugs and throwing them over a wall is one thing. Maintaining software that is security sensitive requires good design and good process. There’s not many people doing the latter. I’d love to see an article about it.
Sigma Prime @sigp_io
Maintaining Lighthouse alongside doing audits has shaped how we approach security. If we were to break down some of those lessons, what would actually be useful?
Zero Cipher @zerocipher002
$300,000 from a single bounty. Also yes, it was Move related. Move helps, but it doesn’t magically make protocols safe. The real bugs still live in assumptions, invariants, and integrations. Proud of what VulSight has been doing too. We’ve cleared over $500k in bounties in the last 2 months. If you’re a founder and you want an audit team that consistently finds criticals, we’re a DM away.
Quoting Immunefi @immunefi

Big congratulations to @VulsightSec for scoring their very first paid report on Immunefi. And it's a huge, huge payout. Well done! You can pledge behind them here to earn IMU when they find bugs: immunefi.com/pledge/vulsigh…

Maxwell ꓘ Dulin (Strikeout) retweeted
chrisdior.eth @chrisdior777
On becoming an expert: Everyone wants the title. Few are willing to crawl through the long, boring, ugly middle. The years of repetition, mistakes and doubt. That’s where mastery is built. And that’s why most never make it.
Maxwell ꓘ Dulin (Strikeout) retweeted
sebsrt @s3bsrt
I’ve been digging into HTTP Trailers and found some new smuggling techniques: sebsrt.xyz/blog/trailing-…
Maxwell ꓘ Dulin (Strikeout) retweeted
OtterSec @osec_io
Spend the summer in NYC (we cover rent). Work alongside our team on audits and tooling, learn how we actually do security research, and get support for your own projects. Apply below ↓
Maxwell ꓘ Dulin (Strikeout) retweeted
❄️ winter ❄️ @_winter_wonders
the worst thing AI has done is not the ecological damage, or the security implications, or the massive job losses, it's that there's now an entire class of people who believe it's bad to learn things
Maxwell ꓘ Dulin (Strikeout) retweeted
ilmoi @ilmoi
when you realize that matrix called the bad guys "agents" and 25 years later we literally invented them
Maxwell ꓘ Dulin (Strikeout) retweeted
Zellic @zellic_io
Youssef Sammouda, a Zellic Security Researcher and Meta's #1 Bug Bounty Researcher (2019 - 2024), uncovered $312,500 worth of XSS vulnerabilities in Meta's Conversions API Gateway. The impact? Zero-click Facebook account takeover and more. Check out the full write-up below!👇
Quoting Youssef Sammouda (sam0) @samm0uda

$312,500 worth of stored/reflected XSS vulnerabilities in Meta’s Conversions API Gateway allowed JavaScript code to run on any Facebook domain and millions of third-party websites. The flaw enabled zero-click Facebook account takeover and more: ysamm.com/uncategorized/…

Maxwell ꓘ Dulin (Strikeout) retweeted
slonser @slonser_
I really love this poll because it lets you discover a lot of great research from the past year that you might have missed. I've decided to highlight the Client-Side related research that I think is especially worth your attention.
Quoting PortSwigger Research @PortSwiggerRes

Voting is now live for the top ten web hacking techniques of 2025! Grab a coffee, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques: portswigger.net/polls/top-10-w…

Maxwell ꓘ Dulin (Strikeout)
@ControlZ_1337 The concept of recreating your individual brain to find bugs at scale is something I’ve thought about doing myself. I would love to chat about this and just general auditing methodology. Feel free to DM me.
ControlZ @ControlZ_1337
I think this might be the largest bounty so far for an AI-assisted finding. And yes, confession time: I used the AI tools I’ve been working on over the past few months to help find this bug. I’d love to say it was all me, but that wouldn’t be honest. The world is changing, and AI is clearly becoming a big part of it.
Quoting Immunefi @immunefi

Just a few days ago, the legends behind @_blockian found a max critical that earned them $250,000. Merry Christmas!

Maxwell ꓘ Dulin (Strikeout) retweeted
Douglas Day @ArchAngelDDay
Yo fellow Christians who tithe - fun fact I learned this year. You can donate stock, and when you do it's not subject to any capital gains tax. You can then immediately re-purchase the same amount back.
Maxwell ꓘ Dulin (Strikeout)
Iron sharpens iron like one man sharpens another - Proverbs 27:7. True for most things in life, and even hacking. Having a person to challenge you, push you to your limits and keep you accountable is a must.
Maxwell ꓘ Dulin (Strikeout) retweeted
Dacian @DevDacian
Recent private audit client was thinking about launching fast after an audit by another firm produced only 1 Crit. But they postponed the launch after our on-going audit produced 6 Highs and counting! The last audit before mainnet should feel like it wasn't worth it.
Maxwell ꓘ Dulin (Strikeout) retweeted
LiveOverflow 🔴 @LiveOverflow
Fuzzing and vibe hacking is addicting like gambling: 1. Spend cash to buy token credits or compute 2. Hope to get bugs 3. Repeat