Saullo Carvalho (@n0ps13d)'s Twitter Profile
Saullo Carvalho

@n0ps13d

Computer Engineer, MSc | Mobile, Web and Cloud Security | Pwning and RE | GXPN OSCP eCXD OSWE OSED | Opinions are my own, not my employer's

ID: 319829802

Link: https://github.com/saullocarvalho | Joined: 18-06-2011 20:30:54

1,1K Tweet

315 Followers

444 Following

Clint Gibler (@clintgibler):

👿 Compromising (almost) every repo using CodeQL

A supply chain attack on CodeQL using a publicly exposed secret valid for 1.022 seconds at a time.

Praetorian’s (Praetorian) John Stawinski discovered a supply chain issue affecting GitHub CodeQL that allowed executing code

Where Warlocks Stay Up Late (@warlockstaylate):

When the walls are caving in, it's a good time to consider your options 👤 Episode 3 featuring Kingpin is now streaming. YouTube: youtube.com/watch?v=Fa434r… Spotify: open.spotify.com/episode/0dZk38…

Praetorian (@praetorianlabs):

In just 1.022 seconds, a token exposure created a seam that could have led to a large-scale supply chain attack - a la tj-actions. Join us on 4/10 as we walk through CodeQLEAKED, how it was uncovered, and how you can find similar vulns in the future 🐴 praetorian.com/resources/unpa…

Where Warlocks Stay Up Late (@warlockstaylate):

What is the L0pht? Oh, it's just a hangout space 🤐 Episode 3 featuring Kingpin is now streaming. YouTube: youtube.com/watch?v=Fa434r… Spotify: open.spotify.com/episode/0dZk38…

Where Warlocks Stay Up Late (@warlockstaylate):

Episode 4 of Where Warlocks Stay Up Late featuring Skyper is now live on our YouTube and Spotify channels 🧙 Skyper, aka Eduart Steiner (an alias), was the editor of Phrack Magazine for 6 years and was a member of TESO and THC. Watch now: youtu.be/sQVLniT9CDY

The Hacker's Choice (@thc@infosec.exchange) (@hackerschoice):

🍿THC member on camera. A first. 😅 30 years of hacking - a perspective and a reflection. 📺 👉 Keep Hacking 👈 The next 30 years of hacking start today. ❤️

Michelle Rhodes (@mircyberrecruit):

Skills can be taught. Tools change. Principles? That's what holds Praetorian together. Our culture is built on this foundation. Learn how being guardians of talent guides everything we do: rb.gy/0q5l0s #PraetorianLife

Praetorian (@praetorianlabs):

Praetorian research found RCE & code smuggling vulns in Node.js CI/CD (GitHub/Jenkins). If it happened there, are your pipelines secure? Kudos Node.js for the swift fix! Full details: praetorian.com/blog/agent-of-… #AppSec #RSAC #RSAC2025

Praetorian (@praetorianlabs):

We've spent years researching and building tools for CICD security. Now, we're ready to knowledge dump at a 2-day hands-on training at Black Hat (Aug 2-3, 4-5): Learn more: praetorian.com/blog/ci-cd-tra…

Praetorian (@praetorianlabs):

Zero-days make headlines, but your biggest risk might be in your logs. We’ve found API keys and credentials hiding in tools like Datadog and Kibana, a quiet goldmine for attackers (and red teams). Read the blog: buff.ly/1svtuYL

Praetorian (@praetorianlabs):

“Just because we’ve been doing it the same way for decades doesn’t mean we should keep doing it that way.” – Erik Hart, CISO at Cushman & Wakefield Hear how Erik used Chariot to transform his organization’s approach to security from point-in-time assessments to a continuous,

Dimitri 0s (@ch0pin):

Time to cut a new release — Medusa 3.2.0 is out! So many changes 🤯 Highlights: • Manifest diffing • Concurrent sessions • Android flag decoding And much more. Huge thanks to all contributors — and Medusa got its first sponsorship 🙌❤️ 🔗 github.com/Ch0pin/medusa/…

Praetorian (@praetorianlabs):

Heard about ChromeAlone at DEF CON? Last week Praetorian's own Mike Weber was asked to present it to the team at Google. Watch the presentation here: hubs.ly/Q03RYqfv0 If you build or defend web platforms, this is a must watch on how Chrome extensions & Isolated Web Apps

Praetorian (@praetorianlabs):

Praetorian engineer Siddhant Kalgutkar uncovered CVE-2025-55315, a critical hubs.ly/Q03SbmTF0 vulnerability that earned a $10K bounty and prompted a major security fix from Microsoft. A powerful example of the skill, curiosity, and depth that define offensive engineering at

Mobile Security (@mobilesecurity_):

Runtime Mobile Security (RMS) 📱🔥 v1.5.24 is out 🚀 #MobileSecurity Frida #AndroidSecurity #iOSsecurity Huge thanks to Saullo Carvalho Check the changelog 👇👇👇 github.com/m0bilesecurity…

Praetorian (@praetorianlabs):

New Praetorian research: CVE-2025-52493 exposes how masked password fields can still leak real secrets on the client side. Even “hidden” values were fully retrievable through standard browser tools. If a secret reaches the browser, it’s already compromised. Read the full
