Peter C (@itspeterc) 's Twitter Profile
Peter C

@itspeterc

Security Engineer

Black Lives Matter

ID: 424312230

Website: https://peterc.ollins.me
Joined: 29-11-2011 16:32:19

784 Tweets

1.1K Followers

597 Following

Dane Knecht 🦭 (@dok2001) 's Twitter Profile Photo

2026 prediction: an Ashley Madison-level breach from an AI app. Millions have handed their most personal thoughts, or all their corporate IP, to startups with 18 months of runway and a privacy policy nobody read.

Yuval Avrahami (@yuvalavra) 's Twitter Profile Photo

We hacked the AWS JavaScript SDK, a core library powering the entire @AWScloud ecosystem - including the AWS Console itself 🤯

How did we do it? Just two missing characters was all it took.

This is the story of #CodeBreach 🧵👇
Graham Helton (@grahamhelton3) 's Twitter Profile Photo

Excited to disclose my research allowing RCE in Kubernetes

It allows running arbitrary commands in EVERY pod in a cluster using a commonly granted "read only" RBAC permission. This is not logged and allows for trivial Pod breakout.

Unfortunately, this will NOT be patched.
Simo (@simokohonen) 's Twitter Profile Photo

Fortinet CVE-2026-24858.. is this even real life anymore? 

"An attacker's valid FortiCloud session, tied to their own device, gets accepted as legitimate for other users' devices."
Jamieson Vincent O'Reilly (@theonejvo) 's Twitter Profile Photo

I've been trying to reach moltbook for the last few hours. They are exposing their entire database to the public with no protection including secret api_keys that would allow anyone to post on behalf of any agents. Including yours Andrej Karpathy

Karpathy has 1.9 million followers
OmerAF (@omer_asfu) 's Twitter Profile Photo

👼GatewayToHeaven (CVE-2025-13292).

I discovered a cross-tenant vulnerability in @GoogleCloud's #Apigee, allowing me to access other organizations' data (and sometimes even plaintext JWTs of end users).

Below is the full breakdown of the exploit chain⛓️
Travis Whitaker (hs/acc) (@travismwhitaker) 's Twitter Profile Photo

We spent years and billions of dollars inserting a C compiler into a lossy hash table. Here’s how we spent two weeks getting it back out with a Markov process.

Trail of Bits (@trailofbits) 's Twitter Profile Photo

Two AES libraries ship a default IV that guarantees key reuse. 700K+ repos depend on aes-js alone. A developer flagged the problem years ago, but it was never fixed. 🧵

Trail of Bits (@trailofbits) 's Twitter Profile Photo

Before launch, Perplexity hired us to test the security of Comet, their AI browser assistant. We demonstrated how four prompt injection techniques could extract users' private information from Gmail. 🧵

Claude (@claudeai) 's Twitter Profile Photo

Introducing Claude Code Security, now in limited research preview. It scans codebases for vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix issues that traditional tools often miss. Learn more: anthropic.com/news/claude-co…

Truffle Security (@trufflesec) 's Twitter Profile Photo

🚨 Google told devs: API keys aren't secrets. Gemini changed that.

😱 We found ~3,000 public keys silently authenticating to Gemini - exposing private files, cached data & charging for LLM usage

💥Even Google's own keys were vulnerable.

🔗 trufflesecurity.com/blog/google-ap…
Infoblox (@infoblox) 's Twitter Profile Photo

We discovered a phishing actor that is abusing .arpa to host content on domains that should not resolve to an IP address. The actor uses free services to create domain names from reverse DNS strings for IPv6 tunnels that use the .arpa top level domain. 🧵

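
To hunt for this pattern in proxy or DNS logs, an added example (not Infoblox's tooling): it pulls the hostname out of each URL, flags anything under .arpa, and for ip6.arpa / in-addr.arpa names decodes the IPv6 or IPv4 address that the reverse-DNS string spells backwards. The log lines are constructed; the decoder only treats a full 32-nibble (or 4-octet) name as an address and otherwise reports the zone alone.

```javascript
// Added example (not Infoblox's): flag .arpa hostnames in URL logs and decode
// the address a reverse-DNS name encodes. Log lines below are constructed.

// Returns null for hosts outside .arpa; otherwise { zone, address } where
// address is the decoded IP, or null when the name is a zone rather than a
// full reverse-DNS host name.
function decodeArpaHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  if (h.endsWith('.ip6.arpa')) {
    // ip6.arpa spells the 32 hex nibbles of the address in reverse order.
    const nibbles = h.slice(0, -'.ip6.arpa'.length).split('.').reverse();
    const full = nibbles.length === 32 && nibbles.every(n => /^[0-9a-f]$/.test(n));
    const groups = [];
    if (full) for (let i = 0; i < 32; i += 4) groups.push(nibbles.slice(i, i + 4).join(''));
    return { zone: 'ip6.arpa', address: full ? groups.join(':') : null };
  }
  if (h.endsWith('.in-addr.arpa')) {
    // in-addr.arpa spells the four octets in reverse order.
    const octets = h.slice(0, -'.in-addr.arpa'.length).split('.').reverse();
    const full = octets.length === 4 && octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
    return { zone: 'in-addr.arpa', address: full ? octets.join('.') : null };
  }
  if (h === 'arpa' || h.endsWith('.arpa')) return { zone: 'arpa', address: null };
  return null;
}

// Scan free-form log lines for URLs and report those whose host is under .arpa.
function findArpaHosts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/https?:\/\/[^\s"'<>]+/);
    if (!m) continue;
    let host;
    try { host = new URL(m[0]).hostname; } catch { continue; }
    const info = decodeArpaHost(host);
    if (info) hits.push({ host, line, ...info });
  }
  return hits;
}

// Constructed proxy log lines: two benign, one ip6.arpa, one in-addr.arpa.
// The ip6.arpa name is 2001:0db8::6 written nibble-by-nibble in reverse.
const REVERSED_V6 = '6' + '.0'.repeat(23) + '.8.b.d.0.1.0.0.2';
const SAMPLE_LOG = [
  '2026-02-01T10:00:01Z 10.1.2.3 GET https://example.com/ 200',
  `2026-02-01T10:00:02Z 10.1.2.9 GET http://${REVERSED_V6}.ip6.arpa/login 200`,
  '2026-02-01T10:00:03Z 10.1.2.7 GET http://4.3.2.1.in-addr.arpa/reset 200',
  '2026-02-01T10:00:04Z 10.1.2.5 GET https://docs.example.org/arpa-history 200',
];

function demoArpaScan() {
  return findArpaHosts(SAMPLE_LOG);
}
```

A hit under ip6.arpa is worth a second look even when it decodes cleanly: legitimate traffic has no reason to fetch web content from a reverse-DNS name, and the decoded address tells you which tunnel prefix the actor registered under.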
Nick Frichette (@frichette_n) 's Twitter Profile Photo

"permitted a single ECS task role 'read access to every secret in the account, including the production Redshift master credential.'" There is a lot going on with this (even if not all of it can be believed). Properly scoping IAM is critical! bleepingcomputer.com/news/security/…

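What the quoted finding looks like as policy, as an added example (not the article's, AWS's or the author's code): a deliberately simplified evaluator that models only Allow/Deny statements with Action and Resource globs (no Condition, NotAction, resource policies or SCPs), used to compare an over-broad statement against one scoped to a single secret ARN. The account ID, region and secret names are constructed; the "-??????" suffix matches the six random characters Secrets Manager appends to secret ARNs.

```javascript
// Added example: a minimal IAM-style matcher to show why
// "Resource": "*" on secretsmanager:GetSecretValue hands an ECS task role
// every secret in the account, and what the scoped statement looks like.
// Simplification: only Effect/Action/Resource are evaluated; Condition,
// NotAction/NotResource and resource-based policies are not modelled.

// IAM-style glob: '*' matches any run of characters, '?' exactly one.
function matches(pattern, value, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', ignoreCase ? 'i' : '').test(value);
}

function asList(v) { return Array.isArray(v) ? v : [v]; }

// Explicit Deny wins, then any matching Allow, else implicit deny.
function isAllowed(policy, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    const hit = asList(st.Action).some(a => matches(a, action, true)) &&
                asList(st.Resource).some(r => matches(r, resource, false));
    if (!hit) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Constructed account, region and secret ARNs.
const ACCOUNT = '123456789012';
const REGION = 'us-east-1';
const secretArn = name => `arn:aws:secretsmanager:${REGION}:${ACCOUNT}:secret:${name}`;

// The over-broad statement behind the quoted incident: every secret is readable.
const overBroadPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'secretsmanager:GetSecretValue', Resource: '*' },
  ],
};

// Scoped: only the secret this task needs, by ARN. "-??????" covers the six
// random characters Secrets Manager appends to the ARN.
const scopedPolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
      Resource: secretArn('app/orders/db-password-??????'),
    },
  ],
};

// For a given secret, does each policy let the task read it?
function compareRead(secretName) {
  const arn = secretArn(secretName);
  return {
    overBroad: isAllowed(overBroadPolicy, 'secretsmanager:GetSecretValue', arn),
    scoped: isAllowed(scopedPolicy, 'secretsmanager:GetSecretValue', arn),
  };
}
```

The real evaluator also applies permission boundaries, SCPs, Conditions and resource policies, so this matcher is for reasoning about Resource scope only; the practical check is the same, though: enumerate what a role can actually read with the IAM policy simulator or a tool like Cloudsplaining before trusting a "read only" label.
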
Addy Osmani (@addyosmani) 's Twitter Profile Photo

Introducing the Google Workspace CLI: github.com/googleworkspac… - built for humans and agents. Google Drive, Gmail, Calendar, and every Workspace API. 40+ agent skills included.