pyn3rd

My presentation video in BlackHat Asia 2023. Hope you like it!😄❤️@BlackHatEvents youtu.be/8Qyghv00vEQ?si…

Does OpenClaw 🦞 plan to ship with native runtime security (e.g., RASP-style detection), or is security expected to be handled via external hardening, isolation, and monitoring?:-) @steipete

@matthias_kaiser Love to hear that!

This week is my last week at my current employer. The last few months were quite intense, so after 18 months, I finally made the decision to start working as an independent vulnerability researcher. I wish the company all the best and speedy recovery. 1/2

@testanull “What I’m looking for is a poisoned one — the prefix is ORG, not COM. Just a slight difference :-D

@pyn3rd Oh i am still able to download it rn, try this: repo1.maven.org/maven2/com/fas…

If anyone has downloaded this JAR, please let me know. I’d really appreciate it. mvnrepository.com/artifact/org.f…

@testanull 404😄

@pyn3rd May be this will work: repo1.maven.org/maven2/com/fas…

👼GatewayToHeaven (CVE-2025-13292). I discovered a cross-tenant vulnerability in @GoogleCloud's #Apigee, allowing me to access other organizations' data (and sometimes even plaintext JWTs of end users). Below is the full breakdown of the exploit chain⛓️

@chudyPB @FuzzySec Best wishes!

@FuzzySec Good luck!

After 6+ years at IBM it’s time for me to say goodbye! When I joined Adversary Services the team was small, over my tenure it x²’d in size. It’s been an interesting ride, many shells in many places, cool tradecraft and some of the best operators in the business. Now the time has come to take on a new, exciting, challenge! But first, I’m taking an unstructured detour, catching up on some side-quests and touching grass in the real world ✌️

@SinSinology Lovely!

photos

I had a long chat today with a friend who’s a senior security engineer at Apple.

@SinSinology Kyoto Osaka Tokyo 😄

photos

Spending a few days in LA & SF. If you’re around and want to meet up and chat, DM me.:-)

@Y4tacker 对。2种姿势，1.覆盖config.ini，security-level为normal- 就可以，2.直接写一个start-scripts，这不需要

@pyn3rd 只发了利用的Step3 复活CVE-2024的步骤？

#CVE-2025-67303 ComfyUI-Manager Remote Code Execution

@GodfatherOrwa This was classified as informational because the feature is experimental and has not been officially released yet.

@pyn3rd Duplicate happens all the time , but why (informational) ? If the original report provides low quality of POC or not fully exploited, then submit a blocker to BC team to send it to the team I found some similar cases before and then triaged

First vuln of the new year ✅ First duplicate of the new year ✅ 2026, on to the next one.

@h3xkatana The context requires a more detailed explanation. The finding was a duplicate, and given that the feature hasn’t been officially released and the issue was already known, it was classified as informational.

@pyn3rd rce informational ?

I understand why it might appear honeypot-related, but it isn’t tied to my report. It’s a generic component with a fairly complex setup. The finding was a duplicate, and given that the feature hasn’t been officially released and the issue was already known, it was classified as informational.

@pyn3rd Mine informative, I hit their honeypot 😂

@Random_Robbie Nice! Let me know how it goes when you try it out.:-)

@pyn3rd Oooh interesting I've not played with that yet! Making a note to play with it when back in work

@Random_Robbie Aww, that’s really kind of her. Glad it turned into a happy ending.❤️

@pyn3rd She's an idiot but the lady whos car she hit came to check on her today and gave her some treats

My dog is an idiot just got hit by a car cause another dog was over the road and we had the door open due to a friend dropping off our daughter. Dog is fine just being sheepish.

@Random_Robbie True. Duplicates never sleep.:-)

@pyn3rd It happens