Kýrie Iisou Christé, eléison me. Gamer. Free thinker. Tweets are usually about IT security or whatever happens to be on my mind. My opinions are my own. 🎮☕💻

Joined August 2008
Thomas Gregory retweeted
Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell. I don't have a bug bounty program. I never asked for a security assessment. I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty." Bounty? I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes." They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup) They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes. My customers' data was on that server. I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me." Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout. They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI. Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing." A pen what? I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization. Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground.
I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first." I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account. There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor. But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes. Hero.
Thomas Gregory retweeted
📢 REDstreams alert 📢 Join us for a new episode of #REDstreams, where we'll dive deep into the new features Coming Soon TM for Cyberpunk 2077 in Update 2.2! See you tomorrow at 5 PM CET on our Twitch and, for the first time ever, simultaneously on our YouTube channel. twitch.tv/cdprojektred youtube.com/@CyberpunkGame Get ready, chooms! It's gonna be 🔥
"Knowing that life is finite urges us to embrace the present, cherish every moment, and live with intention, for it is in the fleeting nature of time that we find true meaning." - me
Gmail Phishing Inbox mail -> Attachment -> myjust123[.]pdf -> link to https[://]mygmailservser[.]kidsgamereviews[.]sa[.]com #phishing
"He who would accomplish little need sacrifice little; he who would achieve much must sacrifice much. He who would attain highly must sacrifice greatly." - James Allen
Had a dream about my childhood friend. How are you doing over there?
"Be so focused on watering your grass that you don't have time to check if someone else's is greener"
#LummaStealer YT video -> projectglbl[.]lol -> GlobalCheats.zip -> GlobalæhÑáts.rar -> GlobalCheats.exe -> BitLockerToGo.exe hxxps[:]//toughsnxcmxz[.]shop/api hxxps[:]//empiredzmwnx[.]shop/api hxxps[:]//boattyownerwrv[.]shop/api hxxps[:]//rainbowmynsjn[.]shop/api hxxps[:]//definitonizmnx[.]shop/api hxxps[:]//creepydxzoxmj[.]shop/api hxxps[:]//budgetttysnzm[.]shop/api hxxps[:]//chippyfroggsyhz[.]shop/api hxxps[:]//assumedtribsosp[.]shop/api
Some songs remind me of Sunset in Ubud, Bali. In fact, I made a playlist for it. open.spotify.com/playlist/1L…
The Fortuner has arrived 🙂 The E36 has arrived ☺️ The G400 has arrived 😈
If you have a sister, at least two women will always care about you. The first is your mother, and the second is your sister.
It is what it is, so be it.
Thomas Gregory retweeted
19 Jul 2024
Waking up as a Linux user today #Crowdstrike
Thomas Gregory retweeted
9 Jul 2024
A fake uBlock Origin extension is being featured on the Chrome Web Store. Over 700,000 people using it. The real uBlock extension is made by Raymond Hill, and has 34,000,000 users. Fake: chromewebstore.google.com/de…
It's been a long time since I enjoyed a glass of cognac. It's so good.
"Work in the shadows to serve the light."