Faav

Here we go. my DEF CON CTF writeup, a little different from the others. Also, thanks to Pwn de Queijo for letting me play with you guys. davi1337.gitbook.io/public/defcon-…

Well I'm #10 on the USA Leaderboard now!

Faav is a beastttttt. Keep going bro!!

Been grinding out on HackerOne and I beat @rez0__ somehow, not sure how long this'll last though... 😅 (USA Leaderboard)

@brutecat You are fucking insaneeeeeeeee 🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥

StubZero: $148,337 RCE in Google Cloud Production brutecat.com/articles/googl…

Adam (@hash_kitten) posted the solution for the XSS challenge he made earlier in the week on our Searchlight Cyber blog here: slcyber.io/research-cente… - pretty interesting behaviour in Chrome's sanitizer API!

I managed to RCE Fortune 500 companies and made over $50,000 with this technique. A new npm supply chain technique we just disclosed. The trick is dumb-simple. We call it npx Confusion. 🧵

@davi1337_ real

lately i keep thinking about how ai killed the fun of learning. solving hard things used to feel rewarding, now everything feels easier but emptier. ai made weak people stronger and strong people unstoppable, but also created this illusion that we’re learning when maybe we’re not

A few months ago I found an SSTI on a large media company's bug bounty program. I got duped on the original report by four minutes, but came back a few months later and found a bypass that ended up being writeup worthy. phsi.se/posts/chaining…

This month has been my best month in bug bounty so far and I got my first testimonial!

For the upside down one you just watch a Minecraft Twitch stream for a few minutes. The upright one you have to go to Twitchcon in person and: Pickup Your Inventory Ribbon. Receive an empty Inventory Ribbon at the Swag Bag kiosk near badge pickup. One (1) Inventory Ribbon per person. Collect Emeralds when you engage with Minecraft content. Collect Emerald Stickers by attending qualifying sessions, attending Minecraft Arena Meet & Greets, and/or completing certain activities. You'll get one sticker per qualifying session/activity. Place a sticker in an empty Inventory slot. When you collect 3 Emerald Stickers, you are ready to redeem for a cape code. Redeem for your cape code. Redeem your completed Inventory Ribbon at the Cape Trader in the Minecraft Village (located in the Minecraft Arena) to receive your Cape Card with a unique in-game code! Staff will scan your wristband prior to receiving the Cape Code, as the redemption is tied to your TwitchCon registration

Just tell me what I have to do @efaav 🫩

Aaaand it's official! Orange Tsai (@orange_8361) of DEVCORE Research Team chained 3 bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange, earning a whooping $200,000 and 20 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin

"Join the Critical Thinkers, it's fun" they said...

@orange_8361 Damn

That's my chain — a full chain w/ logic bugs only! No memory corruption, no AI, and of course no collisions at all 😉

@696e746c6f6c @WorstWursts @Hacker0x01 EYYYY

Yay, I and @WorstWursts were awarded a $12,000 bounty on @Hacker0x01! by Amazon VRP. We finally got our critical report as paid! hackerone.com/696e746c6f6c #TogetherWeHitHarder

@infosec_au Crazy

cPanel's latest patch (11.134.0.26) for the pre-auth arbitrary file read issue (CVE-2026-29205) is incomplete. We made the call to not publish our research until a working patch is released. We are in touch with WebPro's security team.

XSS2RCE in Edge + Microsoft Store (2022). Forgotten Web APIs enabled RCE on any signed-in device; all now retired. jinmo.github.io/blog/2026/05/1…

Update 5:05 PT: The attack has now expanded well beyond @TanStack and @Mistral. 373 malicious package-version entries across 169 npm package names, including @uipath, @squawk, @tallyui, @beproduct, and more. The malware propagates by stealing your CI credentials and using them to publish new compromised versions. Full IOCs, affected package list, and detection steps: aikido.dev/blog/mini-shai…