Quantum Computers Are Not a Threat to 128-bit Symmetric Keys

Quantum Computers Are Not a Threat to 128-bit Symmetric Keys

Critical 10.0 Spinnaker Vulns Allow RCE And Production Compromise - ZeroPath Blog ZeroPath Research discovered two separate RCE vulnerabilities in Spinnaker (CVE-2026-32604 and CVE-2026-32613) that let low-privilege authenticated users execute code on Clouddriver and Echo, enabling credential theft and pivots into production cloud environments.

Two new critical Spinnaker vulns allow RCE and production access

Exposing VENOM: Exec-Targeted Phishing Campaign Neutralizes MFA A credential theft campaign targets C-suite executives, intercepting live Microsoft sign-ins and abusing OAuth protocols to establish persistent access.

VENOM: A Phishing-as-a-Service Platform Targeting C-Suite Microsoft Credentials

P4WNED: How Insecure Defaults in Perforce Expose Source Code Across the Internet

SIM Farms as a Service: A Shared Control Plane Spanning 87 Farms

We analysed almost 100 UK charity websites and found that ~1 in 6 are running vulnerable JavaScript dependencies.

Command Execution via Drag-and-Drop in Terminal Emulators

Command Execution via Drag-and-Drop in Terminal Emulators

Vercel confirms Context.ai-linked breach exposed customer environment variables; ShinyHunters lists $2M sale on BreachForums

Analysis of the April 2026 Booking.com Supply Chain Breach and ClickFix Tactics

Fun with IP_TRANSPARENT I paid for all 65535 ports. I use all 65535 ports. And yes, a LLM is involved.

Building a LLM honeypot that monitors all 65535 ports

Deterministic Chain Analysis: The Missing Layer in a Mythos-Ready Security Program By Eldor Zufarov, Founder of Auditor Core Based on the CSA/SANS document "The AI Vulnerability...

Deterministic Chain Analysis: The Missing Layer in a Mythos-Ready Security Program

CFITSIO Fuzzing: Memory Corruptions and a Codex-Assisted Pipeline · Doyensec's Blog

Nasa CFITSIO Fuzzing: Memory Corruptions and a Codex-Assisted Pipeline

Discord Read Receipts: When, How Often, How Long | Paul Koeck Discord does not have read receipts by design. However, a bug in the OG image proxy reveals not only when a message was viewed, but also how often and for how long.

Discord Read Receipts: When, How Often, How Long

US20180229864A1 - High Frequency Gravitational Wave Generator - Google Patents

Subject: Inquiry Regarding Localized GEM Induction via High-Frequency Plasma

CVE-2026-34621 PoC isn't a scanner, it's a campaign weaponizer with 62 pre-authenticated Brazilian fintech targets

TPM 2.0 is cool, actually – Arthur Pastel How I went from dismissing TPM as a Windows 11 annoyance to using it as a hardware trust anchor for CodSpeed's bare-metal runners.

TPM 2.0 is cool, actually: hardware attestation for bare-metal fleets

MAD Bugs: Even "cat readme.txt" is not safe Turning "cat readme.txt" into arbitrary code execution in iTerm2.

MAD Bugs: Even "cat readme.txt" is not safe

The Smart TV in Your Living Room Is a Node in the AI Scraping Economy Bright Data's residential proxy SDK ships a public partner manifest listing the publishers it relays traffic through. CTV distributors reaching Comcast, Sky, LG, Samsung, Roku, and 125+ other TV brands are on the list. The SDK's 200 GB/month bandwidth budget is written for devices that are always plugged in,

The Smart TV in Your Living Room Is a Node in the AI Scraping Economy

Defenders in the Age of AI Vulnerability Research - Minimus AI is changing how vulnerabilities are found, not how they’re fixed. Defenders need a new approach: shrinking the attack surface before vulnerabilities exist.

AI uncovered thousands of zero-day vulnerabilities for every major operating system and browser. Including a bug dating back to 1996 in OpenBSD. Patch everything is officially obsolete.

Anonymous credentials: an illustrated primer (Part 2) This is the second in a series of posts about anonymous credentials. You can find this first part here. In the previous post, we introduced the notion of anonymous credentials as a technique that a…

Anonymous credentials: an illustrated primer (Part 2)

UnDefend: Chaotic Eclipse's third Defender zero-day blocks all signature updates from a standard user — no admin required

CVE-2026-33825 deep-dive: The researcher commented out the full credential dump. Here's what that means.

World Leaks: RDP Access Leads to Custom Exfiltration and Personalized Extortion Two phase intrusion: RDP brute force, privacy.sexy defense kill, Cobalt Strike, SoftPerfect Network Scanner, custom Rust exfiltration tool across 6,900+ Cloudflare IPs, personalized ransom notes addressed by name to every employee. Full negotiation chats included.

World Leaks: RDP Access Leads to Custom Exfiltration and Personalized Extortion

RedSun: How Windows Defender's Remediation Became a SYSTEM File Write

HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555) One zero-byte QUIC packet is enough to desynchronize HAProxy’s backend connection pool and smuggle HTTP requests across unrelated users — even users on a completely different frontend protocol.

HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555)

Bordair/bordair-multimodal · Datasets at Hugging Face We’re on a journey to advance and democratize artificial intelligence through open source and open science.

Open dataset: 100k+ multimodal prompt injection samples with per-category academic sourcing

AI Is Not Replacing Security Researchers | Simon Koeck AI is starting to find real vulnerabilities on its own. But every time it runs without a human in the loop, things go sideways. The future of security research is human-guided AI, not AI alone.

AI Is Not Replacing Security Researchers

netwatch - Real time network diagnostics in your terminal.

Minimus OpenClaw red team: agent read its own docs, escaped the sandbox via exec tool's host parameter, rewrote WhatsApp config, messaged real people. 635 tests, 131 failures, zero CVEs exploited

Building Runtime Enforcement for Kubernetes with eBPF - Juliet How we replaced a Falco sidecar with an embedded eBPF sensor, built a five-stage event pipeline, and learned the hard way why namespace scoping matters for enforcement.

Replacing Falco with an embedded eBPF sensor for Kubernetes runtime enforcement