#1 Hacker at BugCon LHE Mexico 2021 & 2022 | Top Ranked in H1 Mexico Leaderboard 2021, 2022, 2023, 2024 | Security Engineering Specialist | Co-Founder @ Ryft

Joined August 2021
Pinned Tweet
14 Sep 2022
Yay, I was awarded a $16,300 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder 🎉🎉🎉 Tip: Even if an asset asks for authentication, fuzz for endpoints using ffuf; I found an unauthenticated API that allowed me to retrieve sensitive information!
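The pinned tip above, worked through as an added example that is not part of the tweet and not HackerOne or Ryft code: a Python script stands up a constructed mock target (every route, including the leaky `/api/v1/export`, is invented for the demo) and fuzzes it the way `ffuf -u https://target/FUZZ -w wordlist.txt -ac` would. The auto-calibration step learns what a guaranteed-nonexistent path returns and suppresses every response with the same status and size, so the server's uniform "please log in" and 404 noise drops out and only endpoints with distinct behaviour surface. A 200 on an `/api/` path requested with no credential at all is exactly the unauthenticated API the tweet describes.

```python
"""Added example: 'fuzz behind the login wall' against a constructed mock target."""
import http.server
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Constructed mock target. Routes and bodies are invented for this demo; the
# point is that one API route forgot its auth check.
MOCK_ROUTES = {
    "/login":         (HTTPStatus.OK,           '{"msg":"please log in"}'),
    "/api/v1/users":  (HTTPStatus.UNAUTHORIZED, '{"error":"auth required"}'),
    "/api/v1/admin":  (HTTPStatus.UNAUTHORIZED, '{"error":"auth required"}'),
    "/api/v1/export": (HTTPStatus.OK,           '{"users":[{"email":"a@example.com"}]}'),  # the bug
}
DEFAULT_404 = (HTTPStatus.NOT_FOUND, '{"error":"not found"}')


class MockHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = MOCK_ROUTES.get(self.path, DEFAULT_404)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_server():
    """Bind an ephemeral port on localhost and serve in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(base, path):
    """Return (status, body_size), ffuf's status/size columns; 4xx/5xx are data, not errors."""
    try:
        with urllib.request.urlopen(base + path, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def fuzz(base, wordlist):
    """Request every candidate path unauthenticated; keep responses unlike the 'not found' baseline."""
    # Auto-calibration (ffuf -ac): learn the target's shape for a path that cannot exist.
    baseline = probe(base, "/definitely-not-here-" + "x" * 16)
    hits = []
    for word in wordlist:
        path = "/" + word.lstrip("/")
        status, size = probe(base, path)
        if (status, size) == baseline:
            continue
        hits.append({"path": path, "status": status, "size": size})
    return hits


def unauthenticated_hits(hits):
    """The interesting subset: API paths answering 200 to a request carrying no credentials."""
    return [h for h in hits if h["status"] == 200 and h["path"].startswith("/api/")]


# Constructed mini wordlist; a real run uses a proper API/endpoint list.
WORDLIST = ["login", "health", "api/v1/users", "api/v1/admin",
            "api/v1/export", "api/v1/backup", "robots.txt"]


def run_demo():
    srv = start_mock_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        hits = fuzz(base, WORDLIST)
        return hits, unauthenticated_hits(hits)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    all_hits, leaks = run_demo()
    for h in all_hits:
        print(f"{h['status']:>3}  {h['size']:>4}  {h['path']}")
    print("unauthenticated API endpoints:", [h["path"] for h in leaks])
```

Against a real target the same triage is `ffuf -u https://target/FUZZ -w wordlist.txt -ac`, then `-mc 200` or `-fc 401,403` to narrow the list; the 401s are still worth keeping, since they map the authenticated surface you will test next with a valid session.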
Moblig retweeted
Recon - more important than EVER
Moblig retweeted
🚀 ANNOUNCEMENT 🚀 Grayback x @ryftsec: a new collaboration to boost the bug hunter community 🤝 ✅ Report a valid bug on Grayback → get 1 month FREE of the Security Researcher TIER at Ryft Security 🎥 Explanatory video: youtube.com/watch?v=-kFkl62K… 🔗
Moblig retweeted
THIS IS HUGE‼️ 🌐 “OnlyFans Mega Leak” allegedly containing approximately 340 million user records involving both fans and creators.

According to the visible listing, the claimed dataset may include:
• usernames and display names
• email addresses
• linked phone numbers
• account creation dates
• follower/subscriber metrics
• likes and content statistics
• creator/fan classifications
• linked social profiles
• partial payment card metadata (claimed last 4 digits)

If authentic, this would represent one of the most operationally sensitive adult-platform-related exposures observed due to the combination of:
• identity data
• behavioral metadata
• financial indicators
• social linkage information
• creator activity metrics

The biggest risk here is not necessarily direct financial theft. The primary danger is:
• extortion
• doxxing
• blackmail
• targeted harassment
• reputational attacks
• account takeover campaigns
• relationship/social exposure

Adult-platform ecosystems are uniquely sensitive because attackers can combine:
• usernames
• linked social media
• email reuse
• payment references
• creator/fan relationships
• behavioral activity patterns
to deanonymize users who believed their identities were separated from their online activity.

For creators specifically, risks may include:
• impersonation
• stalking
• swatting
• revenue theft
• subscriber fraud
• credential compromise
• targeted phishing pretending to be platform support or agencies

For fans/users:
• sextortion campaigns
• phishing emails
• credential stuffing
• blackmail attempts
• fake legal notices
• cryptocurrency scams
• exposure of private consumption habits

One particularly concerning element is the reference to:
• linked profiles
• activity metrics
• internal identifiers
because these fields may allow correlation attacks across multiple platforms and previously leaked datasets.

However, several important caveats exist:
• extremely large breach claims are often exaggerated
• underground actors frequently recycle older datasets
• “scraped” data may originate from multiple unrelated leaks
• partial data collections are sometimes rebranded as “internal databases”

At this stage, the authenticity, source, freshness, and completeness of the alleged dataset remain unverified.

Recommended immediate actions for users potentially affected:
• change passwords immediately
• enable MFA
• avoid password reuse
• monitor phishing attempts
• review connected social accounts
• monitor for impersonation attempts
• remain alert for extortion emails or social engineering campaigns

Platforms operating creator ecosystems should additionally:
• monitor credential stuffing spikes
• review API abuse
• audit scraping protections
• monitor underground marketplaces
• strengthen anti-bot controls
• alert high-risk creators proactively

Because of the reputational and emotional sensitivity associated with adult-platform ecosystems, even limited verified exposure could have disproportionate real-world impact. 🌐 #DDW #Intelligence #CyberSecurity #DarkWeb #ThreatIntelligence #DataBreach #Infosec #OSINT #Privacy #OnlyFans
Moblig retweeted
🚨 Ransom group "Qilin" publishes "SEMGREP" - United States 🇺🇸 📍 Location: San Francisco, California, USA 🏢 Industry: Cybersecurity / Application Security 🔗 Website: semgrep.dev Semgrep, Inc., founded in 2017, delivers the Semgrep AppSec Platform combining SAST, SCA, and secrets scanning. It also maintains the open-source Semgrep static analysis tool used across 30 programming languages by developers and security teams.
Moblig retweeted
🔴 GitHub: a hacker group claims to be selling nearly 4,000 private internal repositories attributed to the platform, including source code and several strategic projects linked to Microsoft. According to the published statements, the group TeamPCP is demanding at least $50,000 and threatens to publish the data for free if no buyer is found. The claimed files reportedly concern:
👉 GitHub Actions
👉 GitHub Enterprise
👉 GitHub Copilot
👉 Azure
👉 CodeQL
👉 internal authentication systems
👉 security tooling and cloud infrastructure
Moblig retweeted
May 19
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
Moblig retweeted
🚨 Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822K weekly downloads. Affected versions: node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 Socket’s AI scanner flagged the malware within ~3 minutes of publication. Early analysis shows obfuscated stealer/backdoor behavior, including host fingerprinting, local file enumeration, payload wrapping, and attempted exfiltration.
Moblig retweeted
hey @Bugcrowd can we please make this checkbox do something thanks
Moblig retweeted
Your prod JS files change constantly. Most teams have no idea what’s in them. Ryft’s JS Monitor tracks every JS file across your subdomains and runs AI analysis on each one 🔍 Secrets, unauthenticated endpoints, access control flaws, hardcoded configs. Daily scans. Code-level findings. ⚡ ryftsec.com #cybersecurity #bugbountytips
Moblig retweeted
Devs ship .js.map files to prod and forget about them. Attackers don’t.🎯 Source maps reverse minified JS back to raw source code, meant for local dev, not public servers. Ryft finds and analyzes them across all your subdomains; find secrets, API routes, frameworks. IDE-style ryftsec.com/pricing #cybersecurity #bugbountytips
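The two Ryft posts above describe what production JS and forgotten `.js.map` files give away. As an added example, not Ryft's tooling and not code from either post, here is a Python scanner that does the manual version: it finds the `sourceMappingURL` pointer a minified bundle advertises, recovers the original files from the map's `sourcesContent` (when a bundler did not inline sources, the `sources` list alone still leaks the project layout), and pulls out credentials, backend routes and internal hostnames. The sample bundle, the map, its file names and the `AKIA…EXAMPLE` key are all constructed for the demo, and the regexes are illustrative; a real hunt runs a fuller secret-pattern set over the recovered tree.

```python
"""Added example: recover and triage a shipped .js.map (constructed input, not Ryft's code)."""
import json
import re

# Constructed sample artifacts for the demo.
MINIFIED_JS = '!function(){fetch("/api/v1/export")}();\n//# sourceMappingURL=app.min.js.map'
SAMPLE_SOURCE_MAP = json.dumps({
    "version": 3,
    "file": "app.min.js",
    "sources": ["webpack:///src/config.js", "webpack:///src/api/client.js"],
    "sourcesContent": [
        'export const API_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        'export const INTERNAL_BASE = "https://admin-internal.example.com";\n',
        'import { API_KEY } from "../config";\n'
        'export const getUser = (id) => fetch(`/api/v1/users/${id}`);\n'
        'export const exportAll = () => fetch("/api/v1/export", {headers: {"x-api-key": API_KEY}});\n'
        'export const debug = () => fetch("/internal/debug/dump");\n',
    ],
    "mappings": "AAAA",
})

# The trailing comment bundlers emit; fetching it is how a hunter finds the map.
MAP_POINTER = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")
# Illustrative patterns only: one exact token format, one "name = 'value'" assignment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*["']([^"']{8,})["']"""),
}
# Quoted paths under /api, /internal or /vN; stops at template-literal `${...}` holes.
ROUTE_PATTERN = re.compile(r"""["'`](/(?:api|internal|v\d)[^"'`\s?#$]*)""")
HOST_PATTERN = re.compile(r"https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def discover_map_url(js_text):
    """Return the sourceMappingURL a bundle advertises, or None if it has none."""
    m = MAP_POINTER.search(js_text)
    return m.group(1) if m else None


def recover_sources(map_text):
    """Map original file name -> original source text (None when sourcesContent is missing)."""
    smap = json.loads(map_text)
    if smap.get("version") != 3:
        raise ValueError("unsupported source map version")
    contents = smap.get("sourcesContent") or []
    return {
        name: (contents[i] if i < len(contents) else None)
        for i, name in enumerate(smap.get("sources", []))
    }


def triage(sources):
    """Pull secrets, backend routes and hostnames out of the recovered sources."""
    secrets, routes, hosts = [], set(), set()
    for name, src in sources.items():
        if src is None:
            continue  # layout-only map: file names still went into "files"
        for kind, pat in SECRET_PATTERNS.items():
            for hit in pat.finditer(src):
                value = hit.group(1) if pat.groups else hit.group(0)
                secrets.append((kind, name, value))
        routes.update(ROUTE_PATTERN.findall(src))
        hosts.update(HOST_PATTERN.findall(src))
    return {
        "files": sorted(sources),
        "secrets": secrets,
        "routes": sorted(routes),
        "hosts": sorted(hosts),
    }


def analyze(map_text):
    return triage(recover_sources(map_text))


if __name__ == "__main__":
    print("map pointer:", discover_map_url(MINIFIED_JS))
    for key, items in analyze(SAMPLE_SOURCE_MAP).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Two things the output makes obvious that the minified bundle did not: the `/internal/debug/dump` route never appears in the shipped code path, and the key is exposed twice (once as a raw token, once as the assignment), which is why matching on both token format and variable name catches more than either alone.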
Moblig retweeted
⚠️ Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks Source: cybersecuritynews.com/apache… The Apache Software Foundation has released a critical security update for Apache HTTP Server, patching five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE) in version 2.4.67, released on May 4, 2026. All users running version 2.4.66 or earlier are strongly urged to upgrade immediately. The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8. The flaw is a double-free memory corruption bug triggered within Apache's HTTP/2 protocol implementation during an "early stream reset" sequence. #cybersecuritynews #vulnerability
Moblig retweeted
Apr 28
🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
Moblig retweeted
I earned $94,000 for my submission on @bugcrowd bugcrowd.com/h/{id: "tess"} #ItTakesACrowd
Moblig retweeted
Meanwhile in Bug Bounty: AI slop bug reports overflowing vendors. Vendors can't handle the slop. Slop code, slop exploits, and slop write-ups result in vendor exiting program. AI slop is choking Bug Bounty
Moblig retweeted
Expect more programs to follow
Moblig retweeted
For people tweeting "cyber security is dead", are you ok? You think when everyone and everything is about to get hacked and the need for security goes through the roof, you think it's "dead" or "solved"? Bruh, what it highlights is that security has always been under-resourced, not over. Sure, your grandma became as good as a professional attacker by simply prompting an LLM, and that's, granted, a scary base entry. What you might not realize is the real determined researcher-type attackers just got 1000x more powerful than before. You no longer need to be 20 cracked researchers to zero-click RCE an iPhone; you can be one of those guys who is great at one component and be able to build a full chain yourself. What the mainstream realm seems to not realize is the people who were in the trenches finding the vulns we always knew were there, driving these bots, will find more mind-boggling and complex vulns than your average hacker. Always been true, will remain true. Look at Poetic, it used a particular architecture between different LLMs with awesome scaffolding to get Gemini to be 3x better at ARC-AGI-2. Hacking is not going anywhere. Hackers gonna hack. We gonna hack everything including the Mythos Preview, and other huge AIs.

Another important thing to raise, especially for people who don't spend their time looking for complex bugs in hyper-secure software, is: different hackers have always found very, very different vulnerabilities. In bug bounty, you'd often have situations where after the most talented hackers hacked a program, and it being open for years, some completely new guy no one has heard of will show up and RCE the program a million ways. And this happens daily. Sometimes it's because that person knows something the rest of the world doesn't, a quirk they figured out how to exploit, perhaps a behavior or a zero day (which bounty programs don't often accept), but oftentimes it has nothing to do with that other than how differently that person thinks and approaches problems. Their unique life experience.

People who have hacked for decades like me KNOW to the core of their heart vulnerabilities have ALWAYS been there in large numbers, and in large variety, in every set of "secure" software known to man. We've always known it's a matter of time until we break any target, and picking from this buffet of targets to optimize for our time's ROI... Not because we didn't think they were there, or that "15 year old code" would never be vulnerable. 15-20 year old code is exploited daily by hackers, just look at the Linux kernel or Windows. It is not a metric of "impressive". Because what there always was is unique skills and minds, but not enough time to deploy said x thing into the world en masse, the illusion of being secure has existed. And to be honest, pentests and red teams rarely needed new techniques or zero days.

These guys who were hacking with their own quirks, who can show up to mature programs and RCE them a new, different way, will use the same AI you use to find bugs but find radically different vulns than anything you will find. And there is nothing you can do about it other than cry to your bot. Remember there isn't a finite number of vulns to be found. The chances are there are infinite attack vectors; no, I am not exaggerating or using hyperbolic words, it's what I truly believe after hacking for a while. So yes, it isn't "solved" by any means; it means you will find your simple "Claude find me vulns" bugs, and then someone will find something you couldn't even conceptualize, and after all that a bug bounty hunter (or their specialized agent) will show up and still hack you. The need for cyber security innovation (not just bug finding) just went through the roof, not less. Time will show I am right that even after Mythos runs on your code 20 times, you will be surprised you still got hacked. Someone who thinks hacking is just hacking away or going through a checklist of known vulns has never met a hacker. And it shows!
Moblig retweeted
JUST IN: Anthropic says Claude Mythos found a 27-year-old OpenBSD vulnerability in one of the world’s most security-hardened operating systems.
Moblig retweeted
Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software. It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans. anthropic.com/glasswing
Already finding some good stuff while testing out the Ryft Security Researcher tier👇 Get into the waitlist now for an extended free trial⏳ ryftsec.com/home#waitlist #bugbountytips #bugbounty
Ryft’s Security Researcher tier just got a big upgrade 🔥 Subdomain enumeration, live host discovery, and recon insights already built in. Now we’re adding three features that change how you hunt. Join the waitlist for an extended free trial👇 ryftsec.com/home#waitlist Thread🧵