[email protected] @0xTHMS

NEW: malware developers added nuclear & biological weapons text to to their spyware. Goal? To trigger LLM safety refusals... so that their spyware wouldn't be analyzed by an AI security scanner. Cleanest practical example I can think of for why over-indexing on first order safety alignment is risky. When closed (and open) models ship with aggressive refusals, they will be sprinkled with second-order blindspots that attackers will discover...and exploit. We are only in the earliest days of attackers leveraging these features, and it wouldn't surprise me if users systems that need to handle complex cybersecurity issues demand that models be less safety-blunted. In the weeds: @SocketSecurity's post also shows why intention matters in how you design a malware analysis pipeline to avoid prompt manipulation. H/T to colleagues that shared this with me socket.dev/blog/mini-shai…

@mariusoffchain Des gens utilisent encore Ledger ? kr kr

I earned a $22,500 bounty from Airbnb using a custom Opus 4.7 workflow built with MCP and Skills. It feels like bug bounty hunting has changed forever

THIS IS THE CRAZIEST STORY IN CRYPTO HISTORY!!!🤯 A man drained $110 MILLION from a crypto exchange in 20 minutes. Then used the stolen tokens to vote himself amnesty. He beat every federal charge in court. But still went to prison because of what the FBI found on his laptop. In October 2022, Avraham Eisenberg identified a flaw in Mango Markets, a decentralized exchange on Solana. Not a code bug, an economic design flaw. Here's what he did. He deposited $5 million, split it across two wallets, used one wallet to sell 483 million futures contracts, used the other to buy them all. Both sides of the same trade. Zero market risk. Maximum leverage. Then he went to the spot market. He aggressively bought the MNGO token on three exchanges with such thin liquidity that his buying pressure pumped the price 1,300% in 20 minutes. The price oracle fed that inflated price back to Mango Markets. The smart contract recalculated his portfolio value. Suddenly his position was worth hundreds of millions. He borrowed $110 million in Bitcoin, Ethereum, and stablecoins against the fake collateral, withdrew everything, then dumped his tokens and crashed the price back down. The platform was instantly insolvent. Every user's funds were gone. Then he went on Twitter, under his real name, and called it a "highly profitable trading strategy." He said, "all of our actions were legal open market actions, using the protocol as designed." The Mango DAO held a governance vote on whether to let him keep $47 million as a "bug bounty." It passed. 9.46% voted yes. 0.33% voted no. Over half the yes votes came from just two developer wallets. And Eisenberg himself voted for his own amnesty using the tokens he had just stolen. Then he fled to Israel. The FBI found his search history: "Elements of fraud," "When market manipulation becomes a crime," "Statute of limitations market manipulation," "Extradition rules from Israel," "FBI surveillance." He also used a fake Ukrainian identity to set up some of his trading accounts. So much for "transparent open market actions." In December 2022, he flew to Puerto Rico. The FBI was waiting. Arrested at the airport. Laptop and phones seized. In April 2024, a federal jury convicted him on every count. Commodities fraud. Market manipulation. Wire fraud. The first ever criminal conviction for open-market manipulation in crypto. Then his lawyers filed a Rule 29 motion. And the judge threw out everything. The commodities charges, vacated. Wrong jurisdiction. Eisenberg was in Puerto Rico. The trades happened on Solana. The government's entire case for being in New York was that a third-party vendor had employees in Manhattan who monitored accounts. The judge said that's not enough. The wire fraud charge, full acquittal. The judge ruled that Mango Markets had no terms of service, no rules, no prohibition against what he did. The smart contract executed exactly as coded. The oracle reported the real market price. And you can't commit fraud against a protocol that never told you what the rules were. He beat the biggest crypto fraud case in history. But here's the twist nobody saw coming. When the FBI seized his devices at the airport, they were looking for evidence of market manipulation. Instead, they found child abuse material on his laptop. The "plain view" doctrine. If agents executing a valid search warrant for one crime find evidence of another crime, it's fully admissible. He pleaded guilty. 52 months in federal prison. He outsmarted a $110 million exchange. Outsmarted the DOJ. Outsmarted the SEC. Outsmarted the CFTC. But he couldn't outsmart the contents of his own hard drive. The feds came for the $110 million. They stayed for what they found on the laptop.

keyboard_arrow_left Previous keyboard_arrow_right Next

Codex just found a “workaround” of not having sudo on my pc…

I'm old enough to remember that most setup.exe would require a reboot even if it didn't seem needed. Unless you're dealing with drivers I don't see the need the restart Windows. Thoughts ?

Confirmed! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin

23000$ for Authentication Bypass & File Upload & Arbitrary File Overwrite medium.com/@h4x0r_dz/2300…

J’ai écrit un petit article sur ma première CVE 🎉 Dedans il y a du Python, du ../, un peu de confusion CVSS, et moi qui essaie de faire genre je maîtrise le process. J'espère que ça va vous plaire :D nooblogaurus.online/articles/cve-2…

Military Grade Encryption > AES-256

The initial proof-of-concept was released in C-sharp. Using this method to dump credentials is iffy because it requires administrative access and some security access tokens which can raise some flags. First, Edge is Chromium based. This is a Chromium thing but (if my memory serves me correctly) a unique attribute to Edge exclusively. However, because it is Chromium based this may impact other Chromium bases. It requires more investigation. Edge is a primary target because it's the default Windows browser and used in enterprise environments. Secondly, as far as malware goes, this is yet another method to potentially dump credentials on a home users machine. There are a few different ways. This method doesn't surprise me. However, successfully using this method is an enterprise environment would be difficult to use. It would require administrative access and some security access tokens which would immediately raise some flags. In other words, this method is interesting, I like the research performed, however it isn't something super super critical. If you're using this method in an enterprise environment then that company has been completely compromised down to the bone and they've got much larger issues. The code and research is really cool though. I just wish it wasn't written in C-sharp (I have an irrational disdain to .NET, especially lately).

International Cyber Digest @IntCyberDigest

2 months ago

‼️🚨 Microsoft calls this "intended behaviour," so here we go. How to dump the credentials of every user stored in Microsoft Edge: 1. Open Edge. Don't browse anywhere, just open it. 2. Flip to Task Manager, find Edge, expand the task. 3. Highlight the "browser" sub-task,

keyboard_arrow_left Previous keyboard_arrow_right Next

288 2K 13K 1.1M 7K

@BrianRoemmele Will this be released ?

I've been extremely busy. Haven't been able to malware as much. Here is what I saw: - Linux security nerds big angry at some dude named Eric because he has been ignoring security things, or something, I don't know. Some drama about CopyFail and some Android stuff - cPanel CVE destroying normies, botnets, compromises, spam spamming stuff - Google not wanting to bug bounty as much because of AI slop. Bug bounty nerds throwing hands everywhere - A bunch of nerds arguing about the WeezerOSINT guy, saying he's a criminal, others saying he is cool and badass - A bunch of nerds angry at the Lunduke guy - Will Dormann going ham sandwich on CopyFail - More updates on those dorks who were in ALPHV but also cybersecurity negotiation people, they're cooked - 15 year old arrested for cybercrime in France (stuff with Breached, I guess, I don't know). - Everyone yapping about Fast16 still - China tests spooky deep sea oceanic internet cable cutter thingy - More NPM malware - Apple Claude md thingie oopsie doopsie Did I miss anything?

@hasanbroked Tell me more

Arion Kurtaj, the LAPSUS$ hacker who breached Rockstar Games and leaked GTA VI, was able to get a phone in prison and post some pictures.

keyboard_arrow_left Previous keyboard_arrow_right Next

@priyankapudi Low Level C

i mapped the ENTIRE supply chain behind a single ChatGPT query 76 nodes in 13 countries with 10 layers, from a quartz mine in North Carolina to your chat window so i built an interactive map where you can trace every path yourself every time you type a prompt, you are touching brazilian sugarcane that turned into ABF varnish by Ajinomoto in Japan that used to package Nvidia GPUs in Taiwan a single quartz mine in Spruce Pine NC that supplies the ENTIRE semiconductor industry with crucibles, no backup, one landslide and chip production stops globally ASML in the Netherlands, the ONLY company on earth that makes EUV lithography machines, they need Zeiss mirrors polished to less than ONE ATOM of roughness, and TRUMPF lasers from Germany to power them chinese germanium, ukrainian neon gas, chilean copper, australian iron ore all flowing through TSMC fabs that print at 2 nanometers, thats 10 atoms wide this is a PHYSICAL supply chain more fragile than most people realize everyone debates which model is better nobody talks about the quartz mine that all of them depend on

I found a vulnerability in Oracle VirtualBox (CVE-2026-21957) back in September 2025. It can be turned into AAR/AAW, and then escaping the VM is pretty easy. I originally planned to find a vulnerability for Pwn2Own, but since I found the vuln in September, sitting on a practical vuln for that long didn’t feel very ethical, so I eventually reported it to ZDI. But I still finished the exploitation + demo video as practice.

I wrote Task Unmanager: keeps killing processes Russian Roulette style, until your machine crashes

KYC Video Verification is officially dead