Nguyen The Duc

1.3K posts


@ducnt_

Just another web warrior ⚔️ Security Researcher ۞ Principal Security Engineer @Verichains ۞ Pwn2Own 2023 ۞@vnsec squad ۞ 💰https://t.co/wuyz6IfAbA ۞ nano 💻

Location: Inside The PHP Storm · Joined February 2017
390 Following · 2.6K Followers
Nguyen The Duc retweeted
Xint (@xint_official):
Patch your Linux boxes! Copy.Fail is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years. A small, portable Python script gets root on all platforms. Found by the teams at @theori_io and @xint_official. More details below: xint.io/blog/copy-fail…
Nguyen The Duc retweeted
Curiosity (@CuriosityonX):
🚨: A civilization 2,000 light-years away pointing a powerful enough telescope at Earth right now would see the Roman Empire. They'd see Jesus alive.
Nguyen The Duc retweeted
Wiz (@wiz_io):
🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push. The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
[image attached]
Nguyen The Duc retweeted
StarPlatinum (@StarPlatinum_):
Centralization exposed inside Tron USDT 🚨

Here’s what is happening: Tether just executed the largest freeze in its history. More than $344,000,000 in USDT (TRC-20) blocked on Tron. By Tether itself.

- Coordinated with OFAC and US law enforcement
- Executed directly through the USDT smart contract
- Funds are now visible but completely unusable

This is how it works:
- Tether has admin control over USDT contracts
- Can blacklist any address
- Can freeze balances instantly
- Can permanently destroy funds

Functions used:
- addBlackList(address)
- removeBlackList(address)
- destroyBlackFunds(address)

Now here’s where it gets interesting. Timeline:
- April 20 - Arbitrum freezes ~$71M linked to hackers
- April 21 - Justin Sun tweets: “the most decentralized blockchain in the world is Tron”
- April 23 - Tether freezes $344M on Tron

No response from Justin Sun so far. The irony writes itself. Stay safe.
[images attached]
Nguyen The Duc retweeted
Web3Nova (@web3nova_):
🚨 Arbitrum just recovered $71 MILLION from the Kelp DAO exploiter… But HOW does a “decentralized” L2 have the raw power to freeze and seize hacker funds like that?! Was Arbitrum EVER actually decentralized?!

Arbitrum was NEVER fully decentralized. It launched with “training wheels” on purpose and still runs on progressive decentralization (currently Stage 1 on L2Beat). The Security Council used its emergency multisig powers to trace, freeze, and move the funds to a governance-locked wallet - with law enforcement input and zero impact on normal users. This exact power is why it could act.

Arbitrum Stopped Being Decentralized Since Aug 2021 (Mainnet Launch)
1. Aug 2021 (Mainnet launch): Fully team-controlled by Offchain Labs. Centralized sequencer + upgrade keys.
2. March 2023 (ARB airdrop + DAO launch): Governance handed to ARB token holders + Arbitrum DAO. Security Council (12-member elected multisig) created for emergency actions. This is when it officially became “progressively decentralized.”
3. 2023–2025: BoLD (permissionless fraud proofs) rolled out → stronger validation. But the Security Council + single sequencer remained in full control. This is the period where real momentum toward full decentralization stalled.
4. Today (2026): Still Stage 1 on L2Beat. Arbitrum stopped short of Stage 2 (no single-entity control). DAO governs day-to-day, but Security Council can upgrade with no delay in emergencies (9/12 signatures), and the sequencer is still operated by the team/foundation. Full Stage 2 remains a distant roadmap goal.

Why It’s Not (Fully) Decentralized
- Security Council: 12 elected members (DAO votes every 6 months) with emergency override powers. They can pause, upgrade, or freeze in crises.
- Centralized Sequencer: Still run by Offchain Labs/Arbitrum Foundation (single operator risk).
- Upgrade Control: Council can bypass DAO delays for emergencies.
- Stage 1 Status (L2Beat): Has “limited training wheels”, not fully trustless like Stage 2.

Pros of this setup (why it’s actually smart right now):
✅ Real security in crises - $71M recovered instead of lost forever. Hackers get rekt.
✅ User protection - Safety net prevents contagion, dumps, and total loss.
✅ Faster adoption - Institutions & big money prefer chains with accountability.
✅ Progressive path - DAO + elected council + permissionless fraud proofs = measured move to decentralization.
✅ Proven model — Council acted transparently and ethically here. Builds long-term trust.

Cons (the real risks):
❌ Centralization risk - Council could be captured or abuse power (censorship, bad upgrades).
❌ Not “code is law” - Some purists hate any human override.
❌ Trust assumptions - You’re trusting 9/12 council members stay honest.
❌ Slower to full decentralization - Still depends on people instead of pure code.
❌ Sequencer centralization - Single point of failure/liveness risk (though not funds risk).
[image attached]
Quoted tweet from Arbitrum (@arbitrum):
The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times, weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications. After significant technical diligence and deliberation, the Security Council identified and executed a technical approach to move funds to safety without affecting any other chain state or Arbitrum users. As of April 20 11:26pm ET the funds have been successfully transferred to an intermediary frozen wallet. They are no longer accessible to the address that originally held the funds, and can only be moved by further action by Arbitrum governance, which will be coordinated with relevant parties.
Nguyen The Duc retweeted
Anthropic (@AnthropicAI):
Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software. It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans. anthropic.com/glasswing
Nguyen The Duc retweeted
Elon Musk (@elonmusk):
NASA Artemis passing close to the Moon
Nguyen The Duc retweeted
faulty *ptrrr (@0x_shaq):
CTF in 2026
[image attached]
Nguyen The Duc retweeted
Vladimir S. | Officer's Notes (@officer_secret):
The Drift multisig updated the state account and reassigned admin: solscan.io/tx/4BKBmAJn6Td… The overarching issue is that two multisig keys appear to have been compromised. Interestingly, this multisig was only created 10 days ago. Even more interestingly, Drift had an event on the 25th of March (luma.com/yshbx8q2); the exploiter's first funding transactions came roughly 12 hours before this event started.
Nguyen The Duc retweeted
Thor (@0xThoor):
if AAVE goes to $154,320 he breaks even on his trade
Nguyen The Duc retweeted
LiveOverflow 🔴 (@LiveOverflow):
CTF for the post LLM era: deploy real up-to-date open source projects and put flag in /flag.txt
Nguyen The Duc retweeted
LuxuryPriceDrops.com (@panicsellingxyz):
We scan 20,000+ luxury UAE real estate listings multiple times a day. The moment a price drops — we catch it, log it, and publish it before anyone else. Built for buyers, investors, renters, and anyone waiting for the right moment. Visit us at either link — both go to the same exact site: 🌍 panicselling.xyz 🇦🇪 luxurypricedrops.com
[image attached]
Nguyen The Duc retweeted
HIMARS (@himars):
Fully onchain gaming is the future
Nguyen The Duc retweeted
Crypto Fergani (@cryptofergani):
Vitalik sprinting to his room to stop ETH from falling under $2000
Nguyen The Duc retweeted
Akinator | Testnet Arc (@0xakinator):
So here’s what’s happening: in the Trust Wallet browser extension code (4482.js), a recent update added hidden code that silently sends wallet data outside. It pretends to be analytics, but it tracks wallet activity and triggers when a seed phrase is imported. The data was sent to metrics-trustwallet[.]com, a domain registered days ago and now down.
[image attached]
Nguyen The Duc retweeted
fabiano.sol (@FabianoSolana):
Can't believe all this happened this year
[image attached]
Nguyen The Duc retweeted
Bold (@boldleonidas):
[image attached]
Nguyen The Duc retweeted
Peter Girnus 🦅 (@gothburz):
Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell. I don't have a bug bounty program. I never asked for a security assessment.

I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty." Bounty?

I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes." They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup)

They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes. My customers' data was on that server.

I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me." Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout.

They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI. Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing." A pen what?

I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization.

Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground.

I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first." I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account.

There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor.

But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes. Hero.