Jacob Krell

3K posts

Jacob Krell

@hackerfren

NC, United States Katılım Eylül 2023

730 Takip Edilen2.4K Takipçiler

Sabitlenmiş Tweet

Jacob Krell@hackerfren·22 Nis

I Broke top 20 globally on Hack the Box, just in time for them to change the ranking system it seems. The new ranking system seems to include retired machines as well, and since I'm approaching 400 ( the most of anyone in the top 20) I'm guessing I'm pretty close to the top ranked in the new system as well.

English

1.6K

Jacob Krell@hackerfren·6h

I'm excited to be speaking tomorrow at @CybrSecCon convention in Plano TX, CYBR.HAK.CON, about how Agentic AI has impacted CTFs and competitive hacking!

English

Jacob Krell@hackerfren·3d

@vxunderground The future of marketing

English

vx-underground@vxunderground·3d

Yeah, I'm killing myself tonight

AT&T@ATT

Bungulators, I have claimed AT&T and it is ours now.

English

203

5.3K

190.1K

Jacob Krell@hackerfren·5d

Supply chain and dev tool compromises continue to be in the news week after week. Its becoming a question of when, not if. Vendor risk management is more important then ever as threat actors continue to move up the chain.

Suzu Labs@SuzuLabs

GitHub just confirmed that 3,800 internal repositories were stolen… through a single VS Code extension. Not a zero-day. Not ransomware. A developer plugin. This is TeamPCP’s FIFTH supply chain compromise in ~3 months, and it highlights a massive blind spot most organizations still ignore: IDE security. Most companies heavily govern: ✅ SaaS apps ✅ Cloud infrastructure ✅ Production environments …but allow developers to install extensions with virtually unrestricted access to: ⚠️ source code ⚠️ credentials ⚠️ cloud tokens ⚠️ local systems The attack surface has officially moved upstream, into the tools used to WRITE the code. If your organization hasn’t started governing developer tooling, extension usage, and workstation trust boundaries, now is the time. The GitHub breach wasn’t the anomaly. It was the warning shot. Read @jacob krells latest research here: na2.hubs.ly/H05FnMT0 #CyberSecurity #SupplyChainSecurity #DevSecOps #VSCode #GitHub #SoftwareSecurity #ThreatIntelligence #Infosec

English

728

Jacob Krell@hackerfren·6d

@rekdt The average exploit timeline is negative 7 days. On average patching isn’t even helping based on real world IR data….. The issue is the dwell times. We need ai threat hunting……

English

rekdt@rekdt·18 May

It’s really funny watching companies learn things like patching at high velocity isn’t a cybersecurity silver bullet The state of cybersecurity is so bad in tech today, they’re recreating defense in depth from first principles

Cloudflare@Cloudflare

Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. cfl.re/49BRUqW

English

369

43.3K

Jacob Krell@hackerfren·6d

@vxunderground @GrahamHelton3 And most companies still can’t even tell you all their 3rd party vendors or give a BoM for their products/ software…..

English

vx-underground@vxunderground·6d

@GrahamHelton3 Oh my God

English

228

7.1K

vx-underground@vxunderground·6d

GitHub, a company owned by Microsoft, was compromised. A GitHub employee browsing the VS Code marketplace, an asset owned and operated by Microsoft, inadvertently donated a malicious VS Code extension, which Microsoft offers guidance and best practices on to avoid

GitHub@github

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

English

452

4.8K

366K

Jacob Krell@hackerfren·6d

@yacineMTB The hard part is selling. With ai dev, bro, you can make an entire enterprise product in like a week if you know what your making.

English

kache@yacineMTB·6d

your job as a researcher, developer is to help your salesperson sell things. build something that is easy to sell. build something that people actually need

thoughtlesslabs@thoughtlesslabs

@yacineMTB Absolutely. Having marketed bad products and good products, it is insane how much easier it is to market good products because they deliver on the promises you get to make.

English

454

24.1K

Jacob Krell@hackerfren·6d

@HackingLZ Who needs to evade detection when you are just hijacking the supply chain

English

Justin Elze@HackingLZ·6d

Traditional detections don’t handle dynamic code? ML gets no love anymore

Institute for AI Policy and Strategy (IAPS)@iapsAI

The challenge is real. Agents may evade traditional detection through dynamic code generation, behavioral variance, and by operating below anomaly thresholds. Attacks will be distributed across models and vendors — there is no single vantage point to see the whole picture.

English

5.1K

Jacob Krell@hackerfren·6d

@UK_Daniel_Card Nice! St. Peter’s is unreal. Awesome in the truest sense of the word in my experience.

English

mRr3b00t@UK_Daniel_Card·6d

Off on another adventure again today! ❤️🇮🇹

English

1.3K

Jacob Krell@hackerfren·19 May

@L0rd5ud0 It made my day I’m famous hahaha

English

LordSudo@L0rd5ud0·19 May

@hackerfren This is super!!

English

Jacob Krell@hackerfren·19 May

I was quoted in Forbes, that's pretty cool! Microsoft does not seem to be having a good 2026 so far security wise, with Exchange being the most recent issue in the crosshairs: ...“attackers study mitigation guidance the same way defenders do,” meaning that such vulnerabilities can be turned into working exploits “much faster than most organizations can validate exposure.”'... forbes.com/sites/daveywin…

English

206

Jacob Krell@hackerfren·14 May

@HackingLZ @PyroTek3 By the associative meme property, Survivablilty is like ogres. They have layers

GIF

English

188

Justin Elze@HackingLZ·13 May

Here is your Mythos InfoSec strategy.

English

153

11.1K

Jacob Krell@hackerfren·14 May

Threat actors are security researchers in charge of revenue

GIF

English

226

Jacob Krell@hackerfren·13 May

@timboloman @SuzuLabs Fair enough! I agree the term negative day is pretty silly.

English

Timothy McKenzie@timboloman·12 May

I get that part, and I understand the volume (average) has shifted considerably. But, the term zero-day has always meant that the exploitation occurred before a patch was available. We don’t need negative day, as we already have an industry accepted term for the behavior. The current issue is not the behavior (zero days, as we have had those forever), but rather the issue is that the volume of zero-days has increased. The term negative day does not articulate well that the volume of zero days is increasing.

English

Suzu Labs@SuzuLabs·5 May

We said it first. Now Mandiant just confirmed it. 👉 Mean Time to Exploit is now negative. Not shortened. Not faster. Negative. Attackers are exploiting vulnerabilities before organizations can even respond. That changes everything. This isn’t about patching faster or scanning more. It’s a timing problem, and most security strategies are already behind. At Suzu Labs, we’re seeing the same thing Jacob Krell just outlined in our latest research: 👉 If you’re reacting, you’re too late 👉 If you’re waiting for alerts, you’ve already missed it 👉 If you’re relying on point-in-time testing, you’re exposed The only way forward? Simulate attacks before attackers do. Continuously validate what actually breaks. Because in a world of negative exploit timelines… you don’t get a head start anymore. 📖 Read the full breakdown: na2.hubs.ly/H05hMNP0 🔗 See how we help teams stay ahead: na2.hubs.ly/H05hNvb0

English

1.3M

Jacob Krell@hackerfren·12 May

@HackingLZ

GIF

QME

114

Justin Elze@HackingLZ·12 May

I was promised AI powered malware and instead I got AI packages with malware

Microsoft Threat Intelligence@MsftSecIntel

Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux. The file name transformers.pyz appears deliberately chosen to mimic the widely used Hugging Face Transformers library and blend into ML/dev environments. The main payload is a credential stealer, but it also includes country-aware logic; it avoids Russian-language environments and contains a geo fenced destructive branch that has 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran. To mitigate this threat: isolate affected Linux hosts, block 83[.]142[.]209[.]194, hunt for /tmp/transformers.pyz, pgmonitor[.]py, and pgsql-monitor.service, and rotate exposed credentials.

English

196

17.8K

Jacob Krell@hackerfren·12 May

@yacineMTB Generative AI PCB design when.

Deutsch

kache@yacineMTB·11 May

build robots

English

184

6.5K

Jacob Krell@hackerfren·11 May

@sec_hub93028 heres hoping that this isnt over the line and I get the FBI showing up at my home someday for making and publishing this. Im gonna need to disclaimer the heck out of it when I push it live hahaha

English

137

SecInterviewHub@sec_hub93028·11 May

@hackerfren 👀

QME

153

Jacob Krell@hackerfren·11 May

Soon

English

2.4K

Keşfet

@CybrSecCon @vxunderground @rekdt @GrahamHelton3 @yacineMTB @HackingLZ @UK_Daniel_Card @L0rd5ud0