Matt Johansen
47.2K posts
@mattjay
Founder of @vuln_u | Long Island elder emo surviving in ATX | AI and Cybersecurity news from an 18yr industry vet
cybergym.io just updated its leaderboard and MDASH is now #1 using a new multi-model approach. Huge credit to Taesoo Kim and the Autonomous Code Security team for pushing the frontier on AI-driven vulnerability discovery and defense microsoft.com/en-us/security…
🚨 UPDATE: 19 MILLION exposed NGINX instances hit by the 18-year-old NGINX RCE found by AI. Top exposure by country: - United States: 5,340,011 - China: 2,540,008 - Germany: 1,871,780 Note on ASLR as added security: not all of these instances will have ASLR disabled, but every one of them is running a version inside the vulnerable band. The vulnerability is a heap buffer overflow. ASLR randomizes memory layout, which makes reliable RCE much harder because the attacker cannot predict where their payload or useful gadgets land. But the overflow itself still happens. The corrupted memory still causes the NGINX worker process to crash. ASLR-enabled hosts are still trivially DoS-able. ASLR-disabled or non-PIE builds are RCE-able. Either way, patch ASAP!
further proof the magic is in the harness.
Someone showed up to a Huntress job interview pretending to be someone else. 👀 We're showing the footage, and the scammer's response, LIVE on _declassified Episode 2: Unfriendly Followers: The Black Market For Your Identity. Join us May 20: okt.to/qA35Qi
Security things from the last few days: - CopyFail (linux pwn'd) - CopyFail 2/Dirty Frag - 13 advisories in Next.js - Over 70 CVEs addressed in MacOS 26.5 - ~50 CVEs addressed in iOS 26.5 - YellowKey (Windows Bitlocker pwn'd entirely) - GreenPlasma (Windows privilege escalation) - CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE - CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access - Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning) - Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too" - Canvas (popular LMS used in most schools) pwn'd entirely - PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300 Are you scared yet?
Security things from the last few days: - CopyFail (linux pwn'd) - CopyFail 2/Dirty Frag - 13 advisories in Next.js - Over 70 CVEs addressed in MacOS 26.5 - ~50 CVEs addressed in iOS 26.5 - YellowKey (Windows Bitlocker pwn'd entirely) - GreenPlasma (Windows privilege escalation) - CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE - CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access - Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning) - Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too" - Canvas (popular LMS used in most schools) pwn'd entirely - PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300 Are you scared yet?
If you've been laid off from a cyber threat intel position and would like to come to @SLEUTHCON this year, please reach out.
We are aware of reports that a build of Forza Horizon 6 has been obtained prior to its release and can confirm this is not the result of a pre-load issue. We are taking strict enforcement action against any individuals found accessing this build including franchise-wide and hardware bans. We encourage fans to sit tight for the game’s release on May 19.
I just reverse engineered the YellowKey BitLocker bypass Microsoft shipped code that checks for a flag called "FailRelock" in every Windows 11 recovery image. When it's set to 1, after recovery unlocks your BitLocker drive, it never relocks it. All you need is a USB stick. This code only exists in the recovery environment. Not in normal Windows. They left an entire debug testing framework in production.
We were one of four initial grant recipients in @OpenAI's Trusted Access for Cyber program. Daybreak matters because frontier models now find bugs faster than maintainers can triage them, and that gap is about to get worse. Next-gen models can bury open-source maintainers in reports. While working with frontier labs this year, we have seen the bottleneck shift. Bug finding is easy, but triaging, disclosing, and fixing them takes disproportionate time and effort. Each finding still needs a human to confirm the bug, a static or dynamic check to reproduce it, a working proof-of-concept, and a minimal patch. That work is heavy, and right now it falls on the maintainer. On the OSS engagements we ran this year, we prioritized minimizing maintainer workload and keeping noise out of their inboxes. Every report we sent included a PoC, a fix patch, and a regression test. Anything that did not clear that bar did not get sent. Commonly used software has never been short of bugs. Cyber-tier models will surface them at machine speed with little human effort, and the volume will overwhelm OSS projects without clear processes for disclosure, triage, and remediation. If you maintain an OSS project, do four things: 1. Publish a SECURITY.md. If you already have one, verify the reporting flow still works end to end. 2. Set a high bar for submissions. Require a PoC, a fix patch, and a regression test wherever possible. 3. Build validation harnesses that quickly answer three questions: is the bug real, does the fix work, and does anything else break? 4. Sandbox those harnesses. Malicious reports are a credible threat once the cost of generating them drops to near zero. Bug finding is getting faster. Triage, verification, disclosure, and patching have to catch up.
