[1/3] It's common to get a ParcelFileDescriptor pointing to a directory through an Android ContentProvider. But can you actually turn that into a directory listing?

"Dad, what was it like playing CTFs before AI?"

They grow up so fast, happy eighteen nginx RCE 🥹

Hacking with AI is quite boring and I confess that I missed some fun of hacking recently, but building things with AI is incredible fun I feel that I have never learned so much about Software Engineering/Architecture before, even without writing a single line of code

this is me in a few days ago

btw, some of these vulnerabilities stemmed from specific research into React Native apps. Uncovered some interesting techniques to escalate impact by abusing common mistakes in hybrid app implementations. Full technical writeup once the disclosure window closes.

Officially a Security Contributor of @ProtonPrivacy, very happy to help secure the ecosystem that I use every day. proton.me/blog/protonmail-se…

everyone, i need your help, anyone can hook us up with the "ESXi version 9.1.0.0"? your RT is really appreciated, this is Urgent AF.

Because we train LLMs on lots of movies and books about AI uprising, or articles and tweets about dystopian fears of AI, we might be causing the threat ourselves 🤔

Our second blog post is out here: bugscale.ch/blog/here-we-go-… ! We managed to install arbitrary APKs on the Samsung Galaxy S25 from an app without install permissions. For this, @SachaKozma did most of the work, but it was great looking into Samsung's cloud gaming component with him

do it :)

RT @8kSec: 🌍 Earth Day Giveaway - Learn Mobile or AI Security, On Us One beautiful planet we all share. Let's patch it together. 🌱 To cel…

I am talking about mobile... AI can speed up / help with BB (reports, PoCs).... but for finding real vulns, it’s mostly low-hanging fruit so far. So...don’t abandon a target just because Claude says so :)

There are no words.

Me: Reported 1 Click ATO Triager: User interaction? P4

This... this is art. Submitting a PR to the Claude Code repo to add the actual Claude Code source code.

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

If you missed the talk at @1ns0mn1h4ck , our latest blog post is now available for you to explore. In this post, researchers @Hacker_Chai and @SachaKozma detail their journey to a 1-click RCE exploit on the Samsung S25 phone. Check it out here: bugscale.ch/blog/shoot-for-t…

Interested in exploiting browsers? Join me as I go over the free section of @ret2wargames "Fundamentals of Browser Exploitation" course. This is a course delivered by real #Pwn2Own winners! So, you're learning from the best! This first video is very beginner friendly so check it out even if you're just curios🧐. Video link below: youtu.be/5ArMYqwCmD4

For anyone dealing with RASP protected apps, frida-strace is now your first step. Trace the syscalls, find what the app checks, hook those specific functions, bypass. No more guessing. Frida 17.8.0 , kernel 6.1 required. #Frida #MobileSecurity #AppSec