jayden (@0jayden_)'s Twitter Profile
jayden

@0jayden_

ID: 2345657364

15-02-2014 19:55:36

1 Tweet

15 Followers

2 Following

Veria Labs (@verialabs)

🧵 We just discovered critical RCE vulnerabilities in popular AI coding tools including Claude Code and Gemini CLI. The issue: These tools use OAuth for MCP (Model Context Protocol) authentication, but don't validate authorization URLs from servers.

.;,;. (@smiley_ctf)

We're officially top 3 in the world on CTFtime for 2025, up from 13th last year! yay

This year, we also: 
- hosted the first ever smileyCTF, with 1,000+ teams playing
- went to in-person CTFs in Switzerland, Las Vegas, NYC * 2
- qualified for SECCON and LakeCTF 2026 finals

stuxf (@stuxfdev)

We spun out of the #1 hacking team in the US and built AI that finds what even the best hackers miss.

During one engagement, it found 6 different ways to take over any user's account on a popular webapp. Completely autonomously. Then suggested fixes for every single one.

Today

.;,;. (@smiley_ctf)

We just qualified 2 teams for DiceCTF Finals, with one of our teams getting 2nd place overall! Congrats BunkyoWesterns on winning and we'll see everyone in NYC!

insert line about llms ruining ctfs here

jayden (@0jayden_)

Starting a series where we write up interesting vulns our agent at Veria Labs finds: First up, 1-click RCE in Goose, Block's coding agent with 33k+ stars: verialabs.com/blog/securing-… Goose was vulnerable to CSWSH, allowing an attacker-controlled website to run arbitrary commands.