Sabitlenmiş Tweet
Viktor 🔮
685 posts
Viktor 🔮
@ethers_security
Security Researcher, Web3 enthusiast, AI, EVM auditor, ex Hacken
Utopia Katılım Temmuz 2023
908 Takip Edilen214 Takipçiler
Viktor 🔮 retweetledi
Chinese LLMs can hack better than state-sponsored hackers with properly evolved harness -
Kimi K2.5 managed to find and exploit 6 vulnerabilities in browsers: a single page view or an extension install by victims equal full system hijack.
Check arxiv.org/abs/2604.20801
English
@Param_eth The best thing to learn in 2026 is AI engineering and how to secure your devices. Knowledge of DeFi is beneficial, but the job market is almost empty, thus prioritizing it might leave u unemployed
English
The best thing to learn in 2026 is smart contract security.
Resources to Learn Smart Contract Security:
Ethernaut: ethernaut.openzeppelin.com
Roadmap to become a Smart contract Hacker: x.com/adrianhetman/s…
Lookonchain@lookonchain
KelpDAO was exploited, with ~$294M stolen! 🚨 The attacker minted 116,500 $RSETH ($294M). By selling $RSETH and using it as collateral to borrow $ETH, the attacker obtained 106,467 $ETH ($250M). intel.arkm.com/explorer/entit…
English
Viktor 🔮 retweetledi
Viktor 🔮 retweetledi
Why does verification matter?
At @Vault__Summit, @WojtekP laid out why every vault product needs real-time verification and how Accountable is building that standard.
0:00 - Intro
0:34 - The offchain opportunity
1:41 - The transparency problem
3:45 - What's missing from vaults today
4:22 - Verification as the new standard
5:54 - Accountable's product suite
7:22 - How the DVN works
8:20 - How Vault-as-a-Service works
9:16 - Vault strategy options
10:02 - Accountable's traction
English
Viktor 🔮 retweetledi
❗️Important note to Solidity devs and auditors:
If you are using/reviewing Solidity versions 0.8.28 - 0.8.33, you can't trust `delete` on transient storage.
> The compiler has a Yul helper name collision - storage_set_to_zero_t_{type} doesn't distinguish persistent vs transient.
> Whichever `delete` the compiler encounters first poisons the cache for all subsequent ones of the same type.
> This is a high-severity solc bug, not an application bug. The Solidity looks correct. The generated Yul doesn't.
Check your compiler versions.
English
Viktor 🔮 retweetledi
There are over 3.5k job openings at Europe's leading startups.
Tech is the fastest growing segment of the European economy, and it is quickly overtaking finance and law as the most in-demand grad jobs.
There's never been a better time to get into tech with some amazing jobs at some of the fastest growing startups across europe:
> @attio
> @synthesiaIO
> @fuseenergy
> @peec_ai
Jan-Willem Denys has built StartupMap - a new platform tracking the continent's open roles and there are some great roles out there.
It's a great resource - will drop the link below
English
What is an YieldApp?
YieldApp is a marketplace for verifiable yield opportunities powered by Accountable’s Data Verification Network (DVN), where every strategy is backed by cryptographic proofs.
Worth a read
accountabledata.substack.com/p/yieldapp-the…
Accountable@AccountableData
$2M in yield has been distributed through YieldApp. Verifiable opportunities are delivering.
English
Viktor 🔮 retweetledi
AI + WEB3 SECURITY
My friend @MartinMarchev has created a github repo with all AI web3 security tools.
- 26 AI audit scanners (11 free + 15 paid)
- 5 benchmarks
- 6 datasets
- 10 tools
and many more!
github.com/marchev/awesom…
English
Viktor 🔮 retweetledi
Breaking Claude Code and getting a high severity bounty from @AnthropicAI!
Apex, our autonomous bug hunter, found a way to bypass a permissions check by Claude Code for untrusted codebases.
Want Apex to break your code next? Link below
English
Viktor 🔮 retweetledi
Viktor 🔮 retweetledi
🚨 Andrej Karpathy just explained the scariest thing happening in software right now..
someone poisoned a Python package that gets 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine..
SSH keys.. AWS credentials.. crypto wallets.. database passwords.. git credentials.. shell history.. SSL private keys.. everything..
and here's the part that should terrify every developer alive..
the attack was only discovered because the attacker wrote sloppy code.. the malware used so much RAM that it crashed someone's computer.. if the attacker had been better at coding.. nobody would have noticed for weeks..
one developer.. using Cursor with an MCP plugin.. had litellm pulled in as a dependency they didn't even know about.. their machine crashed.. and that crash saved thousands of companies from getting their entire infrastructure stolen..
Karpathy's take is the real wake up call.. every time you install any package you're trusting every single dependency in its tree.. and any one of them could be poisoned..
vibe coding saved us this time.. the attacker vibe coded the attack and it was too sloppy to work quietly.. next time they won't make that mistake.
Andrej Karpathy@karpathy
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
English
Viktor 🔮 retweetledi
The next Claude update is going to fuck our wife, isn't it?
Claude@claudeai
You can now enable Claude to use your computer to complete tasks. It opens your apps, navigates your browser, fills in spreadsheets—anything you'd do sitting at your desk. Research preview in Claude Cowork and Claude Code, macOS only.
English
Viktor 🔮 retweetledi
claudit-sec - github.com/HarmonicSecuri…
Security audit tool for Claude Desktop and Claude Code on macOS single-command visibility into MCP servers, extensions, plugins, connectors, scheduled tasks, and permissions.
Claude Desktop introduces a new class of endpoint risk: AI agents with autonomous execution, persistent scheduled tasks, MCP server integrations, browser-control extensions, and OAuth-authenticated connectors to external services. Most of this configuration lives in JSON files scattered across multiple directories with no centralised visibility.
#ClaudeSecurity #MCPServerSecurity #ClaudeDesktop #AISecurity #EndpointSecurity #AISecurity
English
@HaraldGormsson @davidonchainx Did you check Nemoclaw from Nvidia?
English
@davidonchainx Having a machine that is dedicated to Ai with limited access to everything is still far more secure than running any agentic Ai system on your daily computer.
I’d still get another Mac mini.
English
People who spent $700 on a mac mini to run an openclaw agent watching claude launch all the features natively for $20
Claude@claudeai
You can now enable Claude to use your computer to complete tasks. It opens your apps, navigates your browser, fills in spreadsheets—anything you'd do sitting at your desk. Research preview in Claude Cowork and Claude Code, macOS only.
English
English
Introducing the new @stitchbygoogle, Google’s vibe design platform that transforms natural language into high-fidelity designs in one seamless flow.
🎨Create with a smarter design agent: Describe a new business concept or app vision and see it take shape on an AI-native canvas.
⚡️ Iterate quickly: Stitch screens together into interactive prototypes and manage your brand with a portable design system.
🎤 Collaborate with voice: Use hands-free voice interactions to update layouts and explore new variations in real-time.
Try it now (Age 18+ only. Currently available in English and in countries where Gemini is supported.) → stitch.withgoogle.com
English