Chihuahua in charge NotMe

9K posts


@jessefmoore

Sr. CyberSecurity Advisor, tweets are my own opinions and thoughts and do not reflect my past or current employers. https://t.co/TDDXXW76Vw

Joined July 2009
2.5K Following · 305 Followers

Chihuahua in charge NotMe retweeted
BuBBliK (@k1rallik)
VERCEL GOT HACKED

ShinyHunters - the group behind the Ticketmaster breach - is selling Vercel's internal database for $2M on BreachForums

here's why every developer should care:
- they have NPM tokens and GitHub tokens
- Vercel owns Next.js - 6 million weekly downloads
- one malicious push = global supply chain attack
- Vercel confirmed the breach today, April 19
- they literally DMed the hackers on Telegram asking them to stop

rotate your env variables RIGHT NOW
Quoted post from Vercel (@vercel):

We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin: vercel.com/kb/bulletin/ve…


Chihuahua in charge NotMe retweeted
Hasan Toor (@hasantoxr)
Google has a recording of every search you've ever made. Every place you've ever been. Every YouTube video you've ever watched. Go to myactivity.google.com right now. You'll find searches from 2015. Voice recordings. GPS coordinates. All stored. All linked to your name. Here's how to see it and delete it:

Chihuahua in charge NotMe retweeted
SANS Offensive Operations (@SANSOffensive)
📺 Now OnDemand: AI-assisted red team tool development. See how to move from vague prompts to structured, reliable tooling using a “think then act” approach. Watch now and apply it in your own workflows. 🔗 go.sans.org/PuSy2Y

Chihuahua in charge NotMe retweeted
Eric Hartford (@QuixiAI)
Last week, Anthropic announced Project Glasswing alongside Claude Mythos Preview, a model they described as so powerful at finding vulnerabilities they couldn't release it. The announcement featured AWS, Microsoft, Google, and Apple as partners, $100M in compute credits, and a clear message: this is dangerous, and only we can be trusted to deploy it safely.

The results were real. Thousands of zero-days across every major OS and browser. A 27-year-old bug in OpenBSD. A 16-year-old bug in FFmpeg. Fully autonomous exploit chains that would have taken human researchers weeks.

But here's what bothered me: all the credit went to the model. Read the technical blog carefully and a different picture emerges. The real innovation isn't the model. It's the workflow:
- Rank every file in a codebase by attack surface
- Fan out hundreds of parallel agents, each scoped to one file
- Use crash oracles (AddressSanitizer, UBSan) as ground truth
- Run a second verification agent to filter noise
- Generate exploits as a triage mechanism for severity

That's a pipeline. And pipelines are model-agnostic.

At Lazarus AI, we spend our days deploying custom AI in places where "just use the closed API" isn't an option: regulated industries, enterprise, and government. When I saw Glasswing, my instinct was the same one I have every week: strip out the proprietary model, keep the architecture, run it on whatever model is best for the customer.

Clearwing is a fully open-source vulnerability discovery engine. Crash-first hunting, file-parallel agents, oracle-driven verification, variant hunting, adversarial verification. Works with any LLM. I tested it with OpenAI Codex 5.4 and reproduced Glasswing's findings. I'm now reproducing results with our own ReAligned model - Qwen3.5 finetuned to Western alignment.

Mythos is certainly a great model. The N-day exploit walkthroughs in Anthropic's blog show real reasoning depth. But it's an incremental improvement over Opus, the same way Opus was over Sonnet, and Sonnet over Haiku. It's not a leap to superintelligence. It's the next point on a curve we've been watching for years.

What actually changed the game was the workflow.

Defenders shouldn't have to wait for access to a gated model to secure their software. These vulnerabilities have been sitting in codebases for decades. The tools to find them should be available to everyone: the open source maintainer running FFmpeg on a Saturday, the startup that can't afford $125/M output tokens, the researcher in a country where Anthropic doesn't operate.

Clearwing is MIT licensed and available now. github.com/Lazarus-AI/cle…

Clearwing enables a wide variety of security activities. Handle with care. It is sharp.

Chihuahua in charge NotMe retweeted
SANS DFIR (@sansforensics)
Looking at Windows artifacts in isolation can be misleading. Prefetch shows execution. LNK files show access. Jump Lists show interaction. But what happens when they do not align? 👇 Playbook breaks it down 👉 go.sans.org/RKG6xY

Chihuahua in charge NotMe retweeted
SpecterOps (@SpecterOps)
Missed @jaredcatkinson & @JustinKohler10's talk at #SOCON2026? They announced BloodHound 9.0! Attack paths span SaaS, cloud, endpoints & identity providers. Attackers have exploited these connections for years. BloodHound 9.0 closes that gap. Learn how: ghst.ly/3OmSe5A

Chihuahua in charge NotMe retweeted
Ananay (@ananayarora)
Marcus Hutchins, the guy famous for stopping the WannaCry Ransomware, probably has the best take on Mythos doing vulnerability research

Chihuahua in charge NotMe retweeted
SpecterOps (@SpecterOps)
BloodHound isn’t just AD anymore. With OpenGraph, it extends into GitHub, Jamf, and more. But most training hasn’t caught up. If you maintain coursework, @HugovdToorn shares what you should update. ⬇️ ghst.ly/4dzYnFL

Chihuahua in charge NotMe retweeted
Alex Neff (@al3x_n3ff)
Modifying group membership with NetExec🛠️ A classic situation: You have obtained a privileged user and want to add yourself to one of their groups, e.g. the Domain Admins. With NetExec's new modify-group module you can do that now via both SMB and LDAP. Made by @termanix.

Chihuahua in charge NotMe retweeted
Rimsha Bhardwaj (@heyrimsha)
🚨 BREAKING: Claude can now build your retirement plan like a Vanguard $500/hour wealth consultant (for free). Here are 5 insane Claude prompts that replace your retirement advisor, tax consultant, and investment strategist. (Save for later.)

Jaynit (@jaynitx)
Elon Musk on why the smartest people drop out of college: "You don't need college to learn. Learn stuff. Everything is available basically for free. You can learn anything you want for free. It is not a question of learning." Musk explains what college actually provides: "There is a value that colleges have, which is seeing whether somebody can work hard at something, including a bunch of annoying homework assignments, and still do their homework, and kind of soldier through and get it done. That's the main value of college. And also, you probably want to hang around with a bunch of people your own age for a while instead of going right into the workforce. So I think colleges are basically for fun and to prove you can do your chores. But they're not for learning." On hiring at his companies: "There is a requirement of evidence of exceptional ability. I don't consider going to college evidence of exceptional ability. In fact, ideally you dropped out and did something. Obviously, Gates is a pretty smart guy, he dropped out. Jobs was pretty smart, he dropped out. Larry Ellison, smart guy, he dropped out. Obviously not needed." Musk shares how education should work: "Generally, you want education to be as close to a video game as possible. Like a good video game. You do not need to tell your kid to play video games; they will play video games on autopilot all day. If you can make it interactive and engaging, you can make education far more compelling and far easier to do." He challenges the current system: "You really want to disconnect the whole 'grade level' thing from the subjects. Allow people to progress at the fastest pace that they can, or are interested in, in each subject. It seems like a really obvious thing." Musk criticizes traditional teaching: "Most teaching today is a lot like vaudeville. Somebody's standing up there lecturing to you. They've done the same lecture several years in a row. They're not necessarily all that engaged. 
That lack of enthusiasm is conveyed to the students; they're not very excited about it. They don't know why they're there. 'Why are we learning this stuff?' We don't even know why. A lot of things people learn, probably there's no point in learning them, because they never use them in the future." On whether university is necessary: "A university education is often unnecessary. That's not to say it's unnecessary for all people. But I think you learn about as much, the vast majority of what you're going to learn there, in the first two years. And most of it is from your classmates. If the goal is to start a company, I would say no point in finishing college." Musk started his own school for his kids: "I created a little school. It's small, only 14 kids now, and it'll have 20 in September. It's called Ad Astra, which means 'to the stars.'" He explains what makes it different: "There aren't any grades. There's no grade one, grade two, grade three. Not making all the children go in the same grade at the same time, like an assembly line. People are not objects on an assembly line. That's a ridiculous notion. Some people love English or languages. Some people love math. Some people love music. Different abilities at different times. It makes more sense to cater the education to match their aptitudes and abilities." Musk shares a key principle: "It's important to teach problem-solving, or teach to the problem, not to the tools. Let's say you're trying to teach people about how engines work. A more traditional approach would be: 'We're going to teach you all about screwdrivers and wrenches. You're going to have a course on screwdrivers, a course on wrenches.' This is a very difficult way to do it." He offers a better approach: "A much better way would be: 'Here's the engine. Now let's take it apart. How are we going to take it apart? Oh, you need a screwdriver, that's what the screwdriver is for. You need a wrench, that's what the wrench is for.' 
And then a very important thing happens: the relevance of the tools becomes clear." The result: "It seems to be going pretty well. The kids really love going to school. I think that's a good sign. I hated going to school when I was a kid; it was torture. The fact that they actually think vacations are too long, they want to go back to school. Weird, I know." Musk reframes what education really is: "If you think about it, what is education? You're basically downloading data and algorithms into your brain. And it's actually amazingly bad in conventional education. It shouldn't be this huge chore. The more you can gamify the process of learning, the better."

Chihuahua in charge NotMe retweeted
The Haag™ (@M_haggis)
🚨 Security Detections MCP v3.1 is live 🚨 8,200+ detections. 6 platforms. 1 MCP server your AI can actually reason over. Ask it: "what's our ransomware coverage?" Get a real answer across Sigma, Splunk, Elastic, KQL, Sublime, and CrowdStrike CQL. New in 3.1: 📧 900+ @sublime_sec email detections (h/t @MSAdministrator) 🛡️ CrowdStrike CQL Hub (cql-hub.com) 🤖 Feed it a CISA alert, get a PR draft back ⚡ npx -y security-detections-mcp Get it -> github.com/MHaggis/Securi…

Chihuahua in charge NotMe retweeted
Silky (@S1lky_1337)
My BlueHammer version (now redhammer) implements my VDM version patch, deploys and loads the BYOVD for my exploitkit. It bypasses the new signature for BlueHammer as well. How is this still unpatched?

Chihuahua in charge NotMe retweeted
Simplifying AI (@simplifyinAI)
🚨 BREAKING: Your internet fiber cable is secretly listening to you right now.

Researchers from Hong Kong just dropped a paper at NDSS 2026 showing how they can spy on your conversations through the fiber optics in your walls. They successfully turned ordinary Fiber-to-the-Home (FTTH) cables into hidden, long-range microphones.

No laser bugs. No physical implants. No drilling through walls. Just the broadband cable that is already sitting in your living room or office.

By connecting a commercially available Distributed Acoustic Sensing (DAS) system to one end of the fiber, they can measure microscopic vibrations caused by sound waves in the room. Then, they use AI to reconstruct those vibrations into crystal-clear speech.

Through walls. From adjacent rooms. From up to 50 meters away. It was tested on actually deployed infrastructure.

The attack cost is dropping. Commercial gear is all that is required if an attacker has access to the other end of the fiber connection. Millions of homes and offices have FTTH installed. And every single one is potentially exposed.

Chihuahua in charge NotMe retweeted
Hacking Articles (@hackinarticles)
Abusing Microsoft Outlook 365 to Capture NTLM

🔥 Telegram: t.me/hackinarticles
✴ Twitter: x.com/hackinarticles

Attackers can abuse Microsoft Outlook 365 features to capture NTLM hashes, enabling credential theft and potential domain compromise.

⚡ Attack Highlights
📧 Send crafted email/meeting request
🔗 Embed malicious UNC path
📡 Force victim system to authenticate
🎟 Capture Net-NTLMv2 hash
🔄 Relay or crack credentials
🚀 Gain unauthorized access

💡 Outlook can automatically trigger authentication to attacker-controlled servers, leaking NTLM hashes without user interaction in certain scenarios.

📖 Article: hackingarticles.in/abusing-micros…

#CyberSecurity #ActiveDirectory #NTLM #RedTeam #Pentesting #PrivilegeEscalation #InfoSec

Chihuahua in charge NotMe retweeted
Emeric Nasi (@EmericNasi)
I just wrote a tutorial explaining how to combine Adaptix C2 with MacroPack and ShellcodePack! This provides multiple initial access and EDR evasion options to Adaptix C2 users. Tutorial includes: LNK, ClickOnce, DLL Sideloading, Exe, HTA, etc! #redteam blog.balliskit.com/tutorial-adapt…