Sebastian Demmer (@k0brax)
All things DFIR
2K posts
Joined April 2019
435 Following, 211 Followers
Sebastian Demmer retweeted
Kim Zetter (@KimZetter):
Exclusive: Fast16 malware has raised questions about what it was designed to do. Researchers at @symantec finally confirm that it was subverting software used to simulate nuclear weapons explosions. Nuclear experts tell me Iran was the likely target. zetter-zeroday.com/experts-confir…
Sebastian Demmer retweeted
Andras Bacsai (@heyandras):
We made a fake repo with fake bounties, and the bots are applying fake PRs, so we know who is fake, and we can ban them from the Coolify repo. IQ over 1000
Sebastian Demmer retweeted
Donncha Ó Cearbhaill:
Excited to see @Google launch Intrusion Logging, the first purpose-built system to enable forensic investigations of advanced attacks on mobile. @AmnestyTech has worked with @Android as a design partner during the development of Intrusion Logging and Advanced Protection Mode.
Sebastian Demmer retweeted
Rami McCarthy (@ramimacisabird):
Everyone is tweeting out "use pnpm & set a minimumReleaseAge of 7 days" but don't forget blockExoticSubdeps - which would also prevent the usage of a remote github reference here!
Sebastian Demmer retweeted
Jonny Johnson (@JonnyJohnson_):
A while back @harmj0y released Koh, which keeps logon sessions alive after a user logs off, letting an attacker reuse their credentials after the session ended. Poking around today, I found event 6182 in the LSASRV ETW provider, which fires when this is detected. This is a timer-based event, not real-time, with the default timer being set to 30 seconds after logoff.
Sebastian Demmer retweeted
Gergely Orosz (@GergelyOrosz):
Supply chain attacks are happening left and right with npm, PyPI and so many other places. It seems to be getting worse, everyone agrees. But what can you do about it? Some thoughts on possible approaches (all have tradeoffs). What did I miss? And what vendors actually work?
Sebastian Demmer retweeted
R136a1 (@TheEnergyStory):
Have you noticed that those deep-dive stories about complex Windows malware have pretty much vanished, especially in recent years? It feels like the era of "blockbuster" Windows malware has just gone silent, and this blog post tries to give some answers why. r136a1.dev/2026/05/07/whe…
Sebastian Demmer retweeted
SpecterOps (@SpecterOps):
What does it take to build the foundation for a graph that can grow beyond Active Directory? In his latest blog post, Brandon Shearin reflects on a year building OpenGraph for BloodHound, and the work of turning ambiguity into architecture. Check it out: ghst.ly/3QYKrvG
Sebastian Demmer retweeted
V4bel (@v4bel):
💥 Introducing "Dirty Frag": a universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io
Sebastian Demmer retweeted
Georgy Kucherin (@kucher1n):
Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100+ countries. If you use DAEMON Tools, run a malware scan immediately! [1/7]
Sebastian Demmer retweeted
Hardik Darji (@HRDARJI):
Shipping Kubesplaining v1.0 today. A Kubernetes security CLI that maps every RBAC subject's privilege-escalation paths to cluster-admin, host root, and kube-system secrets, and shows you the chains.
Sebastian Demmer retweeted
Octoberfest7 (@Octoberfest73):
This is some really nice work. A deep dive into what legitimate Windows network traffic looks like and how Impacket differs. Lots of goodness for both red and blue. Nice job @abdo_mhanni!
Quoted post from Abdul Mhanni (@abdo_mhanni):
@Octoberfest73 I remember you once posted a quirk of impacket that could be used as an IOC, so I thought you'd like this list of 50+ impacket IOCs 😄 github.com/ThatTotallyRea…
Sebastian Demmer retweeted
Ian Hellen (@ianhellen):
🎉 Announcing MSTICPy 3.0 🚀 A big step for our Python threat hunting library (also passed the 1M downloads mark, currently 1.3M)! 🍾 Release 3 is mainly a cleanup release: new Python version support, clearing out old junk. But new features also. See details: github.com/microsoft/msti…
Sebastian Demmer retweeted
Diana Damenova (@dianadamenovaa):
A month ago, Saar Ron, John Lambert, and I shared a set of Kusto functions for building graphs in Kusto Explorer (Lift_To_Graph, Graph_Fold_By_Property, etc.). Today we're sharing IRQL — a dialect of tabular query primitives that sits on top of KQL and:
• hides cluster/database locations behind named sources
• normalizes schema drift so ipAddress / IPAddress / ClientIp / cip all read as one column
• codifies regular data transformation logic into functions
• names operators by intent — Get_Event_Authentication, Enrich_Ip_Employee, Extract_Email_Sender_Domain — so a hunt reads as steps instead of a wall of joins
• makes queries easier for people and AI to understand
Many of the tabular primitives have graph equivalents, so they compose directly with Lift_To_Graph for investigation workflows. This enables more operators to be applied to make sense of your lifted graph data.
Functions + examples on KC7: gist.github.com/ddamenova/a24f…
#Kusto #LiftToGraph #KnowledgeGraphs #KQL #Security
Sebastian Demmer retweeted
Alexis Ohanian 🗽 (@alexisohanian):
Wow. Apparently Google controls ~25% of global AI compute, with ~3.8 million TPUs and 1.3 million GPUs.
Sebastian Demmer retweeted
Guillermo Rauch (@rauchg):
I want to keep everyone updated on the details of the security investigation. The team performed an in-depth analysis to search for root causes and to better understand the behavior of the threat actor. We cast a very wide net, pulling and processing nearly a petabyte of logs of the entire Vercel Network and API, extending well beyond the initial Context[.]ai compromise.
We now understand that the threat actor has been active beyond that startup's compromise. Threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers. Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables.
As a result:
◾ We've deepened and widened our collaboration with partners across the industry, like Microsoft, AWS and Wiz, to further protect the broader internet.
◾ We've notified other suspected victims of this threat actor, independent of this event, encouraging them to rotate credentials and adopt best practices.
We've also shipped a bunch more product enhancements. I'm extremely thankful to our team and industry partners for working around the clock.
For more details on the ongoing investigation, refer to our security bulletin: vercel.com/kb/bulletin/ve…