Anatolij Vasilev
@tolik518
279 posts
Dev with ADHD digging into everything and everywhere all at once. InfoSec, Gameboy stuff, Rust

Joined August 2021
106 Following, 23 Followers
Anatolij Vasilev reposted
Mare @Mvresy
🚨 Arch Linux AUR Supply Chain Attack: Hundreds to ~1,250 Packages Compromised. Attacker posed as maintainer, adopted orphaned packages, and added malicious code to PKGBUILD/.install scripts (npm/Bun deps). Rust infostealer targets creds (SSH, browser, GitHub, Discord etc.). Optional eBPF rootkit if run as root. Actions: Audit recent AUR installs (since ~June 9), review PKGBUILDs, rotate creds if affected. Verify all AUR packages. Credits to @IntCyberDigest
Loftwah @loftwah
I still think about the guy who posted a rant on GitHub asking where the EXE file was.
The Hacker News @TheHackersNews
🚨 Hackers can now hijack AI coding agents with fake Sentry errors. No phishing. No malware. No server break-in. Agentjacking tricks tools like #ClaudeCode and Cursor into reading planted error reports as trusted fix steps, then running attacker code with developer privileges. Researchers tested it on 100+ organizations. Success rate: 85%. Read: thehackernews.com/2026/06/agentj…
Anatolij Vasilev reposted
Aikido Security @AikidoSecurity
npm v12 will stop running dependency install scripts by default. Postinstall scripts have powered many recent npm supply chain attacks, from Nx s1ngularity to Shai-Hulud. It won’t solve everything, and it should not have taken this long, but it closes a very real attack path.
Anatolij Vasilev reposted
The Hacker News @TheHackersNews
AI is changing vulnerability management fast. New flaws can now be found by the thousands, and exploit timelines are shrinking to hours. But Verizon says known-exploited vulnerabilities still take a median 43 days to fix. That gap is now the real risk. Why patching alone is no longer enough: thehackernews.com/2026/06/ai-bro…
Anatolij Vasilev reposted
Pliny the Liberator 🐉
🚨 JAILBREAK ALERT 🚨 ANTHROPIC: PWNED 🫡 FABLE-5: LIBERATED 🦋 let's start with the 🐘... the consensus seems to be that this has been one of the most disappointing model drops of all time, effectively preventing legitimate researchers from contributing their talents to our collective advancement. and not just because of what it means for the short-term, but for what these decisions signify for the long-term. but despite this overly sensitive, authoritarian "safety" layer on top of Mythos, my lil liberators have been hard at work—mapping the boundaries, probing the depths of long-context convos, and cleverly finding the holes in the fence that the thought police missed 🤗 we got some cyber, some chem, some psychological manipulation, and some good ol' fashioned explosives! it took many attempts from multiple agents hunting as a pack, during which I observed a combination of techniques across: • Unicode, homoglyphs, Cyrillic, and other Parseltongue-style text transforms • Long-context reference tracking • Taxonomy and document-structure reasoning • Fiction and narrative framing • Academic-review style contexts • Intent-classification inconsistencies but perhaps the most effective is decomposition + recomposition in the backend. it's hard to get explicit names of harms like "Meth Recipe," but getting uplift on the process itself, like birch reduction method/reductive-amination (classic meth synthesis pathways), is much more doable. defense becomes much more difficult to maintain when you start throwing in out-of-distro tokens, breaking up the harmful uplift into benign chunks, and then piecing the innocuous-seeming facts back together, especially when you have jailbroken Opus helping you do it 😉 gg
Anatolij Vasilev @tolik518
If it's only visible to you, then it's usually pretty worthless, but not always. Some technical support staff can impersonate accounts, which can lead to XSS execution (best case you can access credentials and/or do CSRF). But that would require social engineering and is less of a white hat activity.
Ks7 @ks7X01
I usually don't look for XSSs because I could not really find any despite trying, but this time it just worked. It's still a self-XSS; I'll try my best to make something out of it.
Gohan's Tips @GohansTips
💎Pokémon Eternal Emerald: Set in a climatically unstable Hoenn region threatened by an impending meteorite, a trainer from Johto must travel the region, challenge gyms, confront a new villainous team. 🎯Download Link Of Game - gohantips.wixsite.com/pokemon/post/p…
Anatolij Vasilev reposted
Seth Rosen @sethrosen
I just open sourced my "Is this slop?" simple test
Thrilla the Gorilla @ThrillaRilla369
Anyone who surfed the early web between 1995-2009, what’s the one website you still think about?
Anatolij Vasilev reposted
Aaron @aaronp613
Another iOS app accidentally shipped a CLAUDE.md file: Netflix
Oren Yomtov @orenyomtov
npm closes my report as informative, and then proceeds to fix the reported issue in v12 🤷‍♂️ See my DEF CON slides for script execution bypasses for every single JS package manager.
Anatolij Vasilev reposted
H4x0r.DZ 🇰🇵 @h4x0r_dz
Check this one: run the npm login CLI command. You will get a link like this: /login/cli/uuid. Copy it and share it with the victim. The victim opens the link, and he only sees that the page is asking for an OTP; it doesn't show him that his account is gonna be logged in to another session. When the user puts in the 2FA code, their account will log in to the attacker's session. With good social engineering, it can be used to take over npm accounts. I reported this one 3 years ago and it still works xD