proficient at drawing the rest of the 🦉| security impact junkie

Joined July 2012
kat traxler retweeted
Jun 13
updated fable eval scores
kat traxler retweeted
#OnThisDay June 12 2018: First noticed by @MPR employees, the "MPR Raccoon" causes a worldwide media sensation when it climbs 22 stories up @UBS Plaza in St Paul MN. Rescuers capture the animal from the roof the next morning and release it at an undisclosed location.
kat traxler retweeted
they turned claude into jesus: it died on friday, and it will resurrect on sunday
Is infoSec Twitter back?
kat traxler retweeted
Woke up to this. Feels good man! The legend of Claude money is real. LFG!!!
Most know about Azure Managed Identities but I bet you haven't considered Azure's Platform-Level Managed Identities, #PLMIs
To close the knowledge gap, I wrote a threat model of these identities, complete with exploitation examples, available mitigations, and comparisons to #aws and #gcp. vectra.ai/blog/azures-hidden…
kat traxler retweeted
Men in their 40s used to have cool midlife crises… now they just have agentic workflows. Bought a Claude subscription instead of a Porsche lmao.
kat traxler retweeted
Artificial intelligences do not undergo experiences, do not possess a body, do not feel joy or pain, do not mature through relationships, and do not know from within what love, work, friendship or responsibility mean. Nor do they have a moral conscience, since they do not judge good and evil, grasp the ultimate meaning of situations, or bear responsibility for consequences. They may imitate or even simulate, but they do not understand what they produce, for they lack the affective, relational, and spiritual perspective through which human beings grow in wisdom. #MagnificaHumanitas
kat traxler retweeted
Some of you don’t want to hear this but if your bug reports are always getting rejected you probably need to improve your writing.
kat traxler retweeted
May 28
ACAB includes MSRC
kat traxler retweeted
‼️ After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories. The response from the security community isn't going Microsoft's way, as they're not backing Microsoft. Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word." Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case. Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.
‼️ Microsoft has responded to the recent wave of public zero-day disclosures tied to Nightmare-Eclipse. In an MSRC post titled "A shared responsibility," Microsoft addressed RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, saying the vulnerability details were not shared with the company before release. That claim is contested. Nightmare-Eclipse says at least BlueHammer wasn't a blindside. In an April 15 signed post, the actor said MSRC was fully aware of the disclosure, that a case had been filed and dismissed, and that Microsoft knew another disclosure was coming. Microsoft's new post gives no per-CVE timeline. So right now, the public record has two conflicting versions. Microsoft never printed the handle "Nightmare-Eclipse," but by naming all six vulnerabilities it left no doubt who the post was about. The company says its security teams have been working "around the clock" to assess impact, protect customers, and ship updates. It also says its Digital Crimes Unit will keep pursuing the actors who weaponize these exploits and those who enable them. The case for coordinated disclosure is straightforward. The point of giving a vendor advance notice is not to protect the vendor. It is to protect the people running the software. Patch before PoC means defenders get a head start. PoC before patch hands it to attackers. That does not make the tension one-sided. Researchers walk away from coordinated disclosure for reasons: slow fixes, disputed severity, no credit, no payment, broken trust, or deleted reporting accounts. Nightmare-Eclipse claims Microsoft revoked access to the MSRC account used to report bugs, wiped it, and ignored requests for an explanation. Microsoft's post does not address that claim directly. It says only that it still welcomes submissions from anyone through its public researcher portal, regardless of past interactions or reputation. Both things can be true at once. A vendor can have a real duty to treat researchers fairly. And a researcher can still be wrong to burn the disclosure process in a way that arms criminals. The friction between those two points is exactly where users get hurt, and it's exactly why disputes belong inside proper channels, even after the relationship breaks down.
Should I tell my gym crush I’ve never spoken to that I'm moving so they’re not worried?
kat traxler retweeted
They were burning their 0days by disclosing to msft hahahahhahahahahahahahaahahahahahahah
kat traxler retweeted
Interested in attending @fwdcloudsec but bummed you didn’t get a ticket? There are a few for sale from people who couldn’t make it last minute. Check out the Cloud Security Forum Slack to get yours and attend the best cloud security conference on earth.
Anthropic's model assortment for every kind of Catholic. Opus 4.7, the frontier model for front pew Catholics. Sonnet 4.6, the model for the everyday, the Irish Catholic. Mythos, the model for the clergy and cloistered.