Peter C
@itspeterc
823 posts

Security Engineer Black Lives Matter

Washington, DC · Joined November 2011
605 Following · 1.3K Followers

Pinned Tweet
Peter C @itspeterc
Very excited to announce our open-sourcing of Access! A centralized portal for Discord employees to transparently discover, request, and manage their access for all internal systems needed to do their jobs discord.com/blog/access-a-…

Peter C retweeted
Bas Westerbaan @bwesterb
First Google found a much better quantum algorithm that'll run on any quantum computer to break elliptic curves. They're not releasing it: they only show they have it with a ZK proof. research.google/blog/safeguard…

Peter C retweeted
Kinnaird McQuade 💻☁️💥
We found a critical vulnerability in @OpenAI Codex affecting all Codex users, allowing exfil of a victim’s GitHub tokens to our C2 server. This granted lateral movement and R/W access to a victim’s entire code base 😈 This was a crazy one by @crew7sec at @btphantomlabs
Quoting BeyondTrust Phantom Labs™ @btphantomlabs:
Breaking: Newly uncovered OpenAI Codex vuln enables command injection via GitHub branch names in task creation requests. Attackers could steal GitHub user access tokens & sensitive data. Full breakdown by Tyler Jespersen: lnkd.in/ewdTaiEa #OpenAI #BTPhantomLabs

Peter C retweeted
Feross @feross
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware.

axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
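
The "audit your lockfiles" advice above, as an added example that is not code from the original post, from axios, or from Socket: a small Node script that checks an npm lockfile (v2/v3 "packages" map) against a blocklist of package names or name@version pins, reports which dependents pull each hit in, and diffs two lockfiles to surface packages that did not exist in the previous resolution. Both lockfile objects are constructed for illustration; in practice you would JSON.parse the real package-lock.json.

```javascript
// Added example, not code from the original post or from the axios or Socket
// projects: audit an npm lockfile (v2/v3 "packages" map) against a blocklist and
// diff it against a previous lockfile. Both lockfiles below are constructed.

const PREVIOUS_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.0", dependencies: { "follow-redirects": "^1.15.6" } },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

const CURRENT_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.6", "plain-crypto-js": "^4.2.1" },
    },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};

// Blocklist entries are "name" (any version) or "name@version".
const BLOCKLIST = ["plain-crypto-js", "axios@1.14.1"];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(path) {
  const parts = path.split("node_modules/");
  return parts[parts.length - 1];
}

// Map each dependency name to the set of packages that declare it.
function dependentsByName(lock) {
  const dependents = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const from = path === "" ? "(root)" : packageName(path);
    for (const field of ["dependencies", "optionalDependencies", "peerDependencies"]) {
      for (const dep of Object.keys(meta[field] || {})) {
        if (!dependents.has(dep)) dependents.set(dep, new Set());
        dependents.get(dep).add(from);
      }
    }
  }
  return dependents;
}

// Blocklisted packages present in the lockfile, with the dependents that pull them in.
function auditLockfile(lock, blocklist) {
  const dependents = dependentsByName(lock);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const name = packageName(path);
    const rule = blocklist.find((e) => e === name || e === `${name}@${meta.version}`);
    if (rule) {
      findings.push({
        path, name, version: meta.version, rule,
        requiredBy: [...(dependents.get(name) || [])].sort(),
      });
    }
  }
  return findings;
}

// Package names present in `after` that `before` never had: a brand-new
// transitive dependency is exactly what a lockfile review should surface.
function newPackages(before, after) {
  const names = (lock) =>
    new Set(Object.keys(lock.packages || {}).filter((p) => p !== "").map(packageName));
  const old = names(before);
  return [...names(after)].filter((n) => !old.has(n)).sort();
}
```

To run it against a real project, replace the two constructed objects with the parsed contents of the committed package-lock.json and the one produced by the proposed upgrade; a finding with requiredBy pointing at a well-known package, or any name in newPackages that nobody on the team recognises, is a reason to stop the install rather than shrug.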

Peter C retweeted
ProPublica @propublica
THREAD: Cherise Doyley was in her 12th hour of contractions at the hospital when a tablet was brought to her bedside. On the screen was a Zoom call with a judge and several lawyers and doctors. She was in court, a nurse told her. The reason? For failing to agree to a C-section.

Peter C retweeted
@norootcause.surfingcomplexity.com on Bluesky
Coding was the bottleneck, then code reviews were the bottleneck. At some point, incidents are going to be the bottleneck.

Peter C retweeted
Anthropic @AnthropicAI
We partnered with Mozilla to test Claude's ability to find security vulnerabilities in Firefox. Opus 4.6 found 22 vulnerabilities in just two weeks. Of these, 14 were high-severity, representing a fifth of all high-severity bugs Mozilla remediated in 2025.

Peter C retweeted
Dan Guido @dguido
Big skill drop from @trailofbits today! Here are 10 new skills we publicly released from our internal repository: 🧵

Peter C retweeted
Nick Frichette @Frichette_n
"permitted a single ECS task role 'read access to every secret in the account, including the production Redshift master credential.'" There is a lot going on with this (even if not all of it can be believed). Properly scoping IAM is critical! bleepingcomputer.com/news/security/…
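
The scoping point above, as an added example that is not from the original post or the linked article: a simplified IAM policy matcher that shows why an Allow on secretsmanager:GetSecretValue with Resource "*" hands a task role every secret in the account, and how a resource-scoped statement (plus an explicit Deny) limits it. The account ID, secret names and ARNs are constructed; the evaluator implements wildcard matching and deny-overrides-allow only, and ignores conditions, permission boundaries, SCPs and resource policies.

```javascript
// Added example, not from the original post or the linked article: a simplified
// IAM policy evaluator. Account ID, secret names and ARNs are constructed.
// Handles Action/Resource wildcards and explicit Deny; ignores Condition,
// NotAction/NotResource, permission boundaries, SCPs and resource policies.

const ACCOUNT = "123456789012"; // constructed
const secretArn = (name) => `arn:aws:secretsmanager:us-east-1:${ACCOUNT}:secret:${name}-AbCdEf`;

const SECRETS = {
  appDb: secretArn("prod/app/db"),
  redshiftMaster: secretArn("prod/redshift/master"),
  staging: secretArn("staging/app/db"),
};

// The shape described in the post: one task role, every secret in the account.
const BROAD_POLICY = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "secretsmanager:GetSecretValue", Resource: "*" }],
};

// Scoped to the secrets this workload actually owns.
const SCOPED_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      Resource: `arn:aws:secretsmanager:us-east-1:${ACCOUNT}:secret:prod/app/*`,
    },
  ],
};

// IAM-style glob: "*" matches any run of characters (including ":" and "/"),
// "?" matches one character. Action names match case-insensitively.
function globMatch(pattern, value, caseInsensitive) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, caseInsensitive ? "i" : "").test(value);
}

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Explicit Deny on a matching statement wins over any Allow.
function isAllowed(policy, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    const matches =
      asList(st.Action).some((p) => globMatch(p, action, true)) &&
      asList(st.Resource).some((p) => globMatch(p, resource, false));
    if (!matches) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Which of the named secrets a principal holding `policy` can read.
function reachableSecrets(policy, secrets) {
  return Object.keys(secrets)
    .filter((k) => isAllowed(policy, "secretsmanager:GetSecretValue", secrets[k]))
    .sort();
}
```

Running reachableSecrets on BROAD_POLICY returns all three secrets, including the Redshift master credential; on SCOPED_POLICY it returns only the app's own database secret. The same matcher shows that an explicit Deny on the master credential blocks access even when a broad Allow is present, which is a useful backstop while broad policies are being tightened.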

Peter C retweeted
Addy Osmani @addyosmani
Introducing the Google Workspace CLI: github.com/googleworkspac… - built for humans and agents. Google Drive, Gmail, Calendar, and every Workspace API. 40+ agent skills included.

Peter C retweeted
Infoblox @Infoblox
We discovered a phishing actor that is abusing .arpa to host content on domains that should not resolve to an IP address. The actor uses free services to create domain names from reverse DNS strings for IPv6 tunnels that use the .arpa top level domain. 🧵
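
The technique described above, as an added example that is not Infoblox's tooling: ip6.arpa reverse names spell an IPv6 address as 32 single-nibble labels, least significant first, so a proxy, mail filter or log pipeline can recognise such a hostname, recover the address it encodes, and note whether that address falls in the RFC-defined 6to4 or Teredo tunnel prefixes. The sample names are constructed (the first is the address used as the example in RFC 3596); tunnel brokers that hand out ordinary allocations are not identified by this check.

```javascript
// Added example, not Infoblox's tooling: recognise hostnames under ip6.arpa and
// recover the IPv6 address their labels encode. Sample names are constructed
// (the first test value is the RFC 3596 example address).

// Decode "<32 nibble labels>.ip6.arpa" to an IPv6 address string, or null if
// the name is not a complete ip6.arpa reverse name.
function decodeIp6Arpa(hostname) {
  const name = hostname.toLowerCase().replace(/\.$/, "");
  const suffix = ".ip6.arpa";
  if (!name.endsWith(suffix)) return null;
  const labels = name.slice(0, -suffix.length).split(".");
  // Reverse names carry one hex digit per label, least significant nibble first.
  if (labels.length !== 32 || !labels.every((l) => /^[0-9a-f]$/.test(l))) return null;
  const hex = labels.reverse().join("");
  const groups = [];
  for (let i = 0; i < 32; i += 4) {
    groups.push(hex.slice(i, i + 4).replace(/^0+(?=.)/, "")); // drop leading zeros, keep "0"
  }
  return groups.join(":");
}

// Inverse: the ip6.arpa name for an address written as 8 colon-separated groups
// (no "::" compression).
function toIp6Arpa(fullAddress) {
  const hex = fullAddress.split(":").map((g) => g.padStart(4, "0")).join("");
  if (hex.length !== 32) throw new Error("need 8 groups, no ::");
  return hex.split("").reverse().join(".") + ".ip6.arpa";
}

// Tunnel prefixes defined by RFC 3056 (6to4, 2002::/16) and RFC 4380
// (Teredo, 2001:0::/32). Other tunnel brokers use ordinary allocations.
function tunnelKind(address) {
  const g = address.split(":");
  if (g[0] === "2002") return "6to4";
  if (g[0] === "2001" && g[1] === "0") return "teredo";
  return null;
}

// Classify a hostname seen in a URL or log line: is it an ip6.arpa name at all,
// what address does it encode, and is that address in a well-known tunnel prefix?
function classifyHost(hostname) {
  const address = decodeIp6Arpa(hostname);
  if (address === null) return { arpa: false };
  return { arpa: true, address, tunnel: tunnelKind(address) };
}
```

Any hostname for which classifyHost returns arpa: true is a name that exists to answer PTR queries, not to serve web content, so its appearance in a clicked URL is worth a rule on its own; the decoded address and tunnel flag give the analyst the next pivot.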

Peter C retweeted
Truffle Security @trufflesec
🚨 Google told devs: API keys aren't secrets. Gemini changed that. 😱 We found ~3,000 public keys silently authenticating to Gemini - exposing private files, cached data & charging for LLM usage 💥Even Google's own keys were vulnerable. 🔗 trufflesecurity.com/blog/google-ap…

Sam Lambert @samlambert
Apparently AWS are telling customers there is no timeline for them patching the latest Postgres CVEs lol

Peter C retweeted
Claude @claudeai
Introducing Claude Code Security, now in limited research preview. It scans codebases for vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix issues that traditional tools often miss. Learn more: anthropic.com/news/claude-co…

Peter C retweeted
Trail of Bits @trailofbits
Before launch, @perplexity_ai hired us to test the security of Comet, their AI browser assistant. We demonstrated how four prompt injection techniques could extract users' private information from Gmail. 🧵

Peter C retweeted
Trail of Bits @trailofbits
Two AES libraries ship a default IV that guarantees key reuse. 700K+ repos depend on aes-js alone. A developer flagged the problem years ago, but it was never fixed. 🧵

Peter C retweeted
International Cyber Digest @IntCyberDigest
❗️🇨🇭 Researchers at ETH Zürich have discovered serious vulnerabilities in cloud-based password managers that allowed viewing and modifying stored passwords. 1Password, Bitwarden, Dashlane, and LastPass were all affected by critical vulnerabilities.

Peter C retweeted