I tried the government's new AI "Jobcentre in your pocket" chatbot. Could it write me a CV? It could.
It also suggested that I should consider employment law and whether I've been discriminated against.
Key detail: I'm a parrot.
I'll be discussing *MCPwned*: hacking local MCP servers with browser-based DNS rebinding during today's #ThursDef with @Recon_InfoSec!
Come hang out at today's fireside chat @ 1:30 PM ET/12:30 PM CT! You won't want to miss this!
Register now - thursdef.com
I found a travel app leaking exact user locations and birthdays via its internal API.
We could pinpoint where people were living and sleeping.
Full write-up 👇
medium.com/bugbountywriteup/…
Jonathan Leitschuh - JLLeitschuh@infosec.exchange retweeted
BREAKING: MongoDB Introduces Surprise Holiday Feature
FOR IMMEDIATE RELEASE
PALO ALTO, CA — MongoDB is thrilled to announce MongoBleed™, an innovative new feature that proactively shares your database contents with the broader internet community.
"For years, customers asked us: 'How can we make our sensitive data more accessible?'" said a spokesperson we definitely didn't make up. "MongoBleed answers that call. No authentication required. No consent needed. Just pure, frictionless data liberation."
Key Features:
- Zero-Click Sharing: Your passwords share themselves!
- Decade of Trust: We've been quietly beta-testing this since 2015
- Holiday Launch: Because nothing says "Merry Christmas" like your production secrets on GitHub
- Elastic Integration: Built by someone who definitely understood the assignment
Customer Testimonial:
"I was enjoying Christmas dinner when I got paged. My database was sharing our user credentials with the world. It really brought the family together—around my laptop, watching me cry." — Definitely a real IT admin
What's Next?
We're excited to announce our 2026 roadmap includes:
- Automatic password broadcasting to Shodan
- AI-powered secret harvesting (we're pivoting to AI!)
- A Slack integration that just posts your .env files directly to #general
About MongoDB:
MongoDB is the database that believes data wants to be free. Very, very free.
doublepulsar.com/merry-chris…
Anyone have a security contact at @SandboxVR? A friend found a rather large data leak. They've reported it and the company has been, as of yesterday, unresponsive.
.@msftsecresponse published probably one of the most opaque CVE descriptions I've seen: "Improper verification of cryptographic signature in GitHub allows an unauthorized attacker to perform spoofing over an adjacent network."
Like... What is that even supposed to mean?! 🧵
⚠️ Google’s OSV just added 500 new advisories, not from new vulns, but from fixing a long-standing policy that made disputed CVEs invisible.
Learn more → socket.dev/blog/google-osv-f…
Today we’re publishing research on 80 confirmed fraudulent candidates who applied for Socket engineering roles in the past 2 months. They’re part of a coordinated campaign, including suspected North Korean operators, aiming to infiltrate hiring pipelines.
socket.dev/blog/fraudulent-e…
🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40 packages across multiple maintainers. Audit & remove affected versions.
Our analysis of the malware: socket.dev/blog/tinycolor-su… #NodeJS #JavaScript
🚨 Breaking: npm author Qix compromised. Malicious package versions published in projects that typically see hundreds of millions of downloads each week.
Details: socket.dev/blog/npm-author-q…