rehackxyz

2K posts

@rehackxyz

RE:HACK official Twitter account

Malaysia · Joined September 2021
108 Following · 1.4K Followers

rehackxyz retweeted
Calif (@calif_io)
Inspired by master @kinugawamasato, here's a DOMPurify bypass, found by Codex:

```html
```

SAFE_FOR_TEMPLATES is a DOMPurify option that strips template syntax like {{...}} so sanitized HTML can't smuggle expressions into a framework like Vue. This bypasses it.

How it works: DOMPurify's job is to delete dangerous code like {{...}} before it reaches Vue. Normally it checks twice, but the RETURN_DOM option skips the second check. So we sneak the payload past the first check by chopping {{...}} into harmless looking pieces, with junk tags between them. DOMPurify strips away the junk tags, the pieces fall back together into {{...}}, and Vue runs the code.

Fixed in 3.4.0. Detailed breakdown: github.com/cure53/DOMPuri…

rehackxyz retweeted
OtterSec (@osec_io)
New research: We were able to access camera permissions and obtain user GPS coordinates across 20+ major mobile wallets by exploiting WebView misconfigurations. Here's how ↓

rehackxyz retweeted
sofyank96 (@sofyank96)
Alhamdulillah, I was given the opportunity to produce a Malaysia travel video together with @mshaffuan07

rehackxyz retweeted
payloadartist (@payloadartist)
There are very few people in the #bugbounty community that share their stellar research in this day and age. Massive respect. @brutecat made half a million hacking Google with AI, and he also shared his prompts and techniques! brutecat.com/articles/hacki…

rehackxyz retweeted
Calif (@calif_io)
We sent Claude Mythos Preview spelunking through Squid’s guts, and it surfaced clutching a 29-year-old bug. Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration. Full story: blog.calif.io/p/squidbleed-c…

rehackxyz retweeted
avtokyo (@avtokyo)
AVTOKYO2026 is happening again this year! 📅 November 21, 2026 (Sat) — back to Saturday! 📍 TK NIGHTCLUB, Shibuya, Tokyo CFP/CFX will open soon. no drink, no hack. avtokyo.org/avtokyo2026 #avtokyo

rehackxyz retweeted
vx-underground (@vxunderground)
> be pakistan government
> develop custom malware
> used to target high profile targets
> used against indian military and political ppl
> named SHEETCREEP
> send indian ppl file
> UAE-India Strategic Partnership Week
> malicious .lnk file
> .lnk executes malicious c sharp code
> does a bunch of stuff for persistence
> exfiltrates data to Google Sheets
> Google Sheets can be used to control victim pcs
> pakistan gov hardcodes google c2 sheet
> PAKISTAN GOV HARDCODES GOOGLE C2 SHEET
> embed access key in payload
> EMBED ACCESS KEY IN PAYLOAD
> malware nerds find it
> look inside
> find all targets from pakistan gov
> monitoring 91 ppl they think important

THEY STARTED SO STRONG. WHY DID YOU HARDCODE EVERYTHING. YOU BURNED YOUR OPERATION

securonix.com/blog/sheetcree…

rehackxyz retweeted
ABX (@vx_antibi0tic)
My first attempt at the Exploit Developer (OSED) EXP-301 exam just passed! I especially enjoyed the content that was pushed down from EXP-401: x64 vm-escape & dev shellcode. It's also fun to be able to read assembly in depth, heap/stack, reverse, and bypass ASLR/DEP. Thank you @offsectraining.

rehackxyz retweeted
Alexander Popov (@a13xp0p0v)
The video of the Kernel-Hack-Drill Masterclass that I gave in Kuala Lumpur🌴 A lot of live demos of Linux kernel attacks and defenses🛠 youtube.com/watch?v=zXVqGa…

rehackxyz retweeted
Aretiq.AI (@AretiqAI)
SharePoint Server RCE via webshell upload — CVE-2026-45454. A user with basic Contribute perms can upload an ASPX webshell to the Master Page Gallery and get code execution as the app pool identity. One HTTP request, no admin needed. Patch now. aretiq.ai/research/12/

rehackxyz retweeted
nknwn (@nknwn_eth)
meanwhile in Kuala Lumpur.. am i going to jail?

rehackxyz retweeted
Dark Web Intelligence (@DailyDarkWeb)
🇲🇾 Malaysia: Municipal Government VPN Access Advertised for Sale

* Threat actor is advertising alleged VPN access to a Malaysian municipal government organization
* The listing claims:
  * OpenVPN access
  * Domain Administrator privileges
  * Approximately 50 hosts within the environment
  * Revenue estimated between $50M–$100M
  * Cylance EDR reportedly deployed in the network
* The access is being offered for sale on a cybercrime marketplace for approximately $978 USD
* No specific government entity was identified in the visible portion of the listing
* At the time of reporting, the claims remain unverified and should be treated as allegations until independently confirmed

Analyst Note: Initial access listings remain one of the most reliable early indicators of potential ransomware activity. Government environments are frequently targeted because attackers can monetize privileged access through ransomware operators, data theft groups, and espionage actors. Even if the advertised access is exaggerated, the presence of claimed domain administrator privileges significantly increases the potential impact should the access prove legitimate.

#DDW #Intelligence #Malaysia #DarkWeb

rehackxyz retweeted
Calif (@calif_io)
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex. Blog post: blog.calif.io/p/codex-discov… PoCs: github.com/califio/public…

rehackxyz retweeted
RyotaK (@ryotkak)
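I've published an article about a vulnerability that made it possible to carry out a supply-chain attack against Claude Code!

Quoted post from GMO Flatt Security Inc. (@flatt_security):

We have published a technical blog post by security researcher RyotaK @ryotkak. He discovered and reported a vulnerability that allowed the permission controls of Claude Code GitHub Actions to be bypassed via an external GitHub Issue and the workflow's permissions to be abused, along with an accompanying misconfiguration. The vulnerability has been fixed in v1.0.94, but the misconfiguration has to be addressed in each repository, so if you use the product we recommend reviewing your configuration and checking your execution logs. flatt.tech/research/posts…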
