AI & Security | I hack into things sometimes. Opinions are mine. Fortis fortuna adiuvat. Nostalgia is not a strategy. It's a good time to cause a little chaos.

Joined March 2007
Rey Bango 🇺🇦🌻 retweeted
Cobalt Strike 4.13 has a new Aggressor hook to support BOF cocktails. Here's a quick walkthrough: rastamouse.me/bof-cocktails-…
Rey Bango 🇺🇦🌻 retweeted
Jun 5
Before AI, I had 5 unfinished projects. After AI, I have 128 unfinished projects.
Rey Bango 🇺🇦🌻 retweeted
It’s a trap
Good lord 🤮
Rey Bango 🇺🇦🌻 retweeted
Jun 4
Dear @github @Microsoft and @MsftSecIntel. Thank you for your service. I have lost all hope in you guys. As a Windows security researcher whose intent was to help beginners and contribute to open source security tooling, I had so much respect towards @Microsoft; that thought was changed today and I am leaving. I have left enough evidence in the ticket session. It would be better if a security researcher from GitHub might actually take a look at these. Thank you and bye to the community..... Hereafter you will not see posts about GitHub issues. Ticket ID: #4440743 #github #msft #defense #unlawful
Rey Bango 🇺🇦🌻 retweeted
Jun 4
I request the community to share this issue and help me resolve it. This is a major concern: sharing legal, open-source, public proof-of-concepts is now considered illegal? Is helping the open-source security community now against the terms of service? Or is this the new normal?! 2026 is causing a lot of trouble for security researchers. I'm trying my best to follow the ToS, rules, and regulations of @github, @MsftSecIntel, and @Microsoft, but I'm starting to lose hope in conducting research and submitting vulnerabilities now.. Really, I saw this this morning and I am very disappointed. I have a little hope @github @MsftSecIntel @Microsoft.
Jun 4
Honestly, what is this? I got a response from the @github support team. So hereafter legal security research and PoCs are not allowed on GitHub? I'm completely disappointed by @github and @Microsoft @MsftSecIntel. In what way do I distribute and share malware? Can anyone tell me if there is a mistake on my side: did I share 0-days, vulnerabilities, direct binaries or a full exploit chain that harm users? NONE? Is posting legal source code and tools that are made from public PoCs wrong? There are thousands of full-chain real exploits that bypass EDRs, C2s that evade security solutions, and phishing kits that bypass Microsoft's MFA out there on @github; if that is legal, then why can't this simple publicly made PoC be on GitHub? I have replied regarding my statements; please don't disappoint younger legal Windows security researchers like this. I have some little hope in @github @Microsoft @MsftSecIntel. I have a little hope. So please don't make me lose it, @github & @Microsoft & @MsftSecIntel. Ticket ID: #4440743 Will be waiting for your kind response. Thank you. x.com/5mukx/status/206182709… #github #microsoft #security #research
Rey Bango 🇺🇦🌻 retweeted
Every company’s AI workflow rn be like 😭💀

Rey Bango 🇺🇦🌻 retweeted
Replying to @msftsecresponse
@msftsecresponse Why is teams now blocking links to articles on the hacker news? This is beyond reprehensible. thehackernews.com/2026/06/un…
Rey Bango 🇺🇦🌻 retweeted
The fix for Meta's AI bot vulnerability was apparently:
- remove the feature from the UI ❌
- leave the API endpoint accessible ✅
I wish I was joking.
Jun 2
So instead of shutting down that API for good, they just removed it from the page? Are meta employees on drugs??? You can read more on t.me/feds
Rey Bango 🇺🇦🌻 retweeted
‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs." The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can. Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept. He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Rey Bango 🇺🇦🌻 retweeted
Uhmm... what????
Rey Bango 🇺🇦🌻 retweeted
🚨 Breaking: 31 npm packages from @RedHat have been compromised. 100,000 weekly downloads affected. The upstream CI/CD pipeline was compromised, with all packages published via GitHub Actions OIDC. The payload:
⚠️ Reads GitHub Actions runner process memory to extract masked secrets
⚠️ Sweeps credentials across AWS, GCP, Azure, K8s, Vault, and npm
⚠️ Self-propagating worm that republishes backdoored packages using stolen npm tokens, bypassing 2FA
⚠️ Persists on dev machines via Claude Code settings hijack and VS Code task injection
⚠️ Exfiltrates data through GitHub API commits, blending in with normal git operations
We have responsibly disclosed the incident to the maintainers. Full technical analysis: stepsecurity.io/blog/multipl…
Rey Bango 🇺🇦🌻 retweeted
❗️ Over 30 official Red Hat npm packages were compromised. How they got in:
- A Red Hat employee's GitHub account was compromised.
- Attackers pushed "orphan commits" (detached from branch history) straight in, bypassing code review with no pull request.
- Payload "Miasma" (Mini Shai-Hulud variant) steals GitHub/cloud/Vault/SSH/npm secrets. Rotate everything since June 1.
- The commits added a workflow (ci.yaml) script (_index.js) that abused npm trusted publishing, requesting a real OIDC token to publish backdoored versions.
Rey Bango 🇺🇦🌻 retweeted
It's that time of year again - the time we get to figure out how to secure whatever it is they released at Microsoft Build. Best of luck everyone 😅
I have to be honest, I mostly dislike Ignite and Build. It's a massive dump of new things we have to figure out how to secure, and the pile of, ummm, stuff keeps growing out of control. There will be some excellent enhancements for security, but this is going to be a tough week.
Rey Bango 🇺🇦🌻 retweeted
Replying to @bohops
There are some amazing people in MSRC. When it comes to support and similar, it's been pretty universal that the majority of places are designed in a way that penalizes those who care and do the right thing and rewards those who churn out worthless stats.
Don’t forget…
Rey Bango 🇺🇦🌻 retweeted
NEW POD UP!! Microsoft threatens legal action against researchers who drop zero-days. We debate whether it's a fair line against extortion, or amateur-hour PR from a company that already torched its own research community. Costin plays reluctant defender, JAGS says the damage was done years ago, and Ryan reopens the long history of silent fixes and stolen bounties. (Presented by @Ent_Security) Plus, on the 10th anniversary of the Shadow Brokers leak, we discuss some enduring mysteries, theories on attribution, and an interesting trail that leads to Edward Snowden. @craiu @juanandres_gs @Ent_Security youtu.be/E5rIJ9nGOUo?si=HvH_…
Rey Bango 🇺🇦🌻 retweeted
This t-shirt I made for Symantec Vulnerability Research, a program predating Google Project Zero by nearly a decade where we'd discover, report, & disclose vulnerabilities we found in other people's software, is 20 years old. Still holds true: Don't hate the Finder, hate the vuln.
I plan to be at @BlackHatEvents and @defcon this year. Who else will be there? I’m looking forward to reconnecting with friends and making new connections. Let me know.
Rey Bango 🇺🇦🌻 retweeted
May 30
At @BsidesHbg yesterday I did a talk about how I built a modular asset discovery framework by using open source tooling to help automate my work when handling large engagements. That tool is called cygor: github.com/tjnull/cygor