Interested in web... CTF with Hack@Sec.

Joined July 2018
Dipendra Shrestha retweeted
like what’s even going on
Dipendra Shrestha retweeted
Good lord 🤮
Dipendra Shrestha retweeted
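We have published a technical blog post by security researcher RyotaK @ryotkak. This time, a vulnerability that allowed the permission controls of Claude Code GitHub Actions to be bypassed via an external GitHub Issue and workflow permissions to be abused, along with an accompanying misconfiguration, was discovered and reported. The vulnerability has been fixed in v1.0.94, but the misconfiguration must be addressed in each repository, so if you use this product we recommend reviewing your configuration and checking your execution logs. flatt.tech/research/posts/po…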
Dipendra Shrestha retweeted
Posting a mini XSS challenge! Goal is to pop an alert. I believe this trick is not well known. Intended solution is chrome only. Thanks to @kevin_mizu for beta testing! Don't post solutions in the thread; DM only! xss.hashkitten.io/xss1.html

Dipendra Shrestha retweeted
That's my chain — a full chain w/ logic bugs only! No memory corruption, no AI, and of course no collisions at all 😉
Confirmed! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin
Dipendra Shrestha retweeted
nah im just not gonna run npm install anymore
Dipendra Shrestha retweeted
Apr 28
We responsibly disclosed the issue to @GitHub, who deployed a fix on GitHub.com the same day (!) and released patches for all supported GHES versions. GitHub Enterprise Server customers are strongly encouraged to update immediately.
Dipendra Shrestha retweeted
I started playing CTFs in 2022, and LLMs definitely changed the **competitive** CTF scene a lot, especially since mid-2025. I also started using LLMs in late 2025. Yes, those models did one-shot many challenges, but what's the fun of slopping them? I learned absolutely nothing 🥲
Dipendra Shrestha retweeted
i built an entire x86 CPU emulator in CSS (no javascript) you can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS
Dipendra Shrestha retweeted
Feb 13
I’ve been digging into HTTP Trailers and found some new smuggling techniques: sebsrt.xyz/blog/trailing-dan…
Dipendra Shrestha retweeted
27 Dec 2025
Chrome implements referrerpolicy on <input type="image">, despite it not being in the HTML spec. Like on the in-spec elements, it takes precedence over the document policy for that request and can be abused to leak the page URL via the Referer header. storage.googleapis.com/nowas…
Dipendra Shrestha retweeted
26 Dec 2025
Cross-Site ETag Length Leak blog.arkark.dev/2025/12/26/e… I just posted the author writeup for impossible-leak in SECCON CTF 14 Quals. As far as I know, this is a new XS-Leak technique! The ETag header can become a side channel :)
Dipendra Shrestha retweeted
12 Sep 2025
Dear Gen Z, the country has achieved change through your contribution and sacrifice. Heartfelt tribute to the brave martyrs. Your contribution is invaluable and will always guide future generations in patriotism and a sense of duty. Boundless respect to you. I wish the injured a speedy recovery.
Dipendra Shrestha retweeted
8 Sep 2025
You became a father only to your lackeys. If you had ever truly been a father, you would have understood the pain of the death of sons and daughters. This world had never seen such terrorism. You could not even become a human being, let alone a leader; you are a terrorist. #kpoliisterriorist
Dipendra Shrestha retweeted
Turns out my #PHRACK article is live! 🔥 > The Art of PHP — My CTF Journey and Untold Stories! Kinda a love letter to those CTF players & PHP nerds! Hope all the credit goes to the right ppl. Also huge thanks to @0xdea for not forgetting me, @guitmz for the edits, and the @Phrack crew for keeping it real! 🎉 phrack.org/issues/72/5_md#ar…
Dipendra Shrestha retweeted
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com/ 1/4
Dipendra Shrestha retweeted
It is pretty interesting that as I age and geohot ages, I end up noticing that we agree on more things than I thought in the past. This here is a good read: geohot.github.io//blog/jekyl… -- it's
Dipendra Shrestha retweeted
15 Apr 2025
I think many people are familiar with the topic of blind CSS exfiltration, especially after the post by @garethheyes However, an important update has occurred since then, which I wrote below ->
Dipendra Shrestha retweeted
26 Feb 2025
So, this is how lazarus drained 1.5 Billion
1) malicious JS injected into Safe{Wallet} at app.safe.global/_next/static… (because apparently, one of the nk devs just casually pushed it to production 🤡)
2) the JS modified executeTransaction() only if the signer was in a predefined list (Bybit’s multisig owners).
3) modified transaction now sets operation: 1 (delegatecall) to attacker address instead of a normal call.
4) delegatecall hits the attacker contract, which changed Safe contract's first storage slot which is masterCopy to another attacker contract.
5) new masterCopy contract contained sweepETH() & sweepERC20(), draining $1.5B
26 Feb 2025
Bybit Hack Forensics Report As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains Screenshotted the conclusion and here is the link to the full report: docsend.com/view/s/rmdi832mp…