xlr8 •

Unauthenticated RCE in Apache Tomcat (CVE-2026-34486) The EncryptInterceptor was supposed to protect cluster communication. A fix for a padding oracle vulnerability moved one line outside a try block, and the encryption layer silently started forwarding every failed decryption straight into unfiltered Java deserialization. We found it with Striga, built the exploit, and reported it to The Apache Software Foundation. striga.ai/research/tomca…

CI/CD pipelines provide a lot of juicy attack surface. One common pattern: a build system lets you specify an output path for artifacts. If that path isn't sanitized, a ../ sequence lets you write files anywhere on the build server. With AFW, you can create a cronjob, /etc/ld.so.preload, __init__.py, a shell profile etc, and you may be able to have RCE. I've seen some isolated for outbound, so doing a "sleep 100" is always worth it for blind RCE. Even without direct path traversal, many CI/CD systems let pipeline configs reference scripts, pull artifacts, or set env vars. If an attacker can modify the pipeline definition (through a PR, a compromised dependency, or a writable config), the build server executes what they want with whatever credentials the runner has. If you're pentesting and the scope includes CI/CD, it's always worth checking what the runners can access. Build servers may have deploy keys, cloud credentials, and production secrets available as environment variables.

Check this website don’t ask me any questions. You will be glad you did . Gutenberg.org

@h4x0r_dz You're hired!

Kim Jong-un is a fat ugly pig

@hetmehtaa @jack

Who is Satoshi Nakamoto?

Unbelievable 🤌🏻

Race conditions in OAuth flows can still happen in custom implementations. Here's how to find it: During the token exchange, the server is supposed to treat an authorization code as single-use. If you race the token endpoint by sending parallel requests with the same code simultaneously, vulnerable implementations may issue multiple valid access tokens and some won't properly revoke all of them. Tools like Turbo Intruder or even a simple multi-threaded script sending concurrent requests to the callback URL with different tokens may trigger it. Further reading here: blog.avuln.com/article/4

everything is programming

@zack0x01_ And @ippsec tmux conf is 'cherry on top' 🙌

Tmux is so f*** amazing

@TheEnergyStory da faq man

🚨 Newest TeamPCP Supply Chain Compromise Affects Rust cargo-env-parser (v1.0.19) I have found that the Rust cargo-env-parser v1.0.19 crate has been compromised via a supply chain attack by the threat actor TeamPCP. There is a malicious payload hidden within the pre-build scripts that downloads additional malware for Windows, macOS and Linux. If your project depends on this crate, assume your environment variables are compromised and rotate your credentials immediately! Full technical breakdown, IOCs, and mitigation steps can be found here: r136a1.dev/teampcp_cargo_…

@nsg650 and the reason is same

Economy boutta crash

Ok how can we contact with David Forsythe and Kyla Guru. @AnthropicAI 🤠

npm security on the case, both malicious axios versions have been unpublished!

🚨 Active supply chain attack on axios@1.14.1. The latest version pulls in plain-crypto-js@4.2.1 -- a brand-new package that didn't exist before today. Socket's AI analysis flags it as a malicious obfuscated dropper: runtime deobfuscation, dynamic execSync loading, payload staging to temp/ProgramData directories, and post-execution artifact deletion. Consistent with supply chain malware. We're still investigating. If you use axios, pin your version and audit your lockfile.

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

GitHub repos for bug bounty hunters: 1. github.com/0xmaximus/Gala… 2. github.com/coffinxp/nucle… 3. github.com/0xKayala/Custo… 4. github.com/HackTricks-wik… 5. github.com/cipher387/Dork… 6. github.com/techgaun/githu… 7. github.com/s0md3v/Awesome… 8. github.com/TakSec/google-… 9. github.com/arainho/awesom… 10. github.com/0xInfection/Aw… 11. github.com/0xMrNiko/Aweso… 12. github.com/Lissy93/web-ch… 13. github.com/jakejarvis/awe… 14. github.com/swisskyrepo/Pa… 15. github.com/m14r41/Pentest… 16. github.com/ayoubfathi/lea… 17. github.com/streaak/keyhac… 18. github.com/devanshbatham/… 19. github.com/SecShiv/OneDor… 20. github.com/Hari-prasaanth… 21. github.com/djadmin/awesom… 22. github.com/Az0x7/vulnerab… 23. github.com/nahamsec/Resou… 24. github.com/daffainfo/AllA… 25. github.com/fuzzdb-project… 26. github.com/qazbnm456/awes… 27. github.com/infoslack/awes… 28. github.com/enaqx/awesome-… 29. github.com/reddelexc/hack… 30. github.com/tomnomnom/hacks 31. github.com/danielmiessler… Drop the ones I'm missing or the ones you find most useful in your hunting workflow. #BugBounty #BugBountyTips #WebSec

i wrote a blog about the art of xs-leak attacks, i did a deep dive into chromium source code for an xs-leak oracle, have fun 😄 x6vrn.github.io/xsleaks-part1.…

Amazing website from @ramimacisabird showcasing the entire TeamPCP attack on trivy and LiteLLM: #myths" target="_blank" rel="nofollow noopener">ramimac.me/teampcp/#myths

Lol TF 👀