One of the cool things when working with An Trinh recently

We published a post that takes a deep dive into EKS IAM mechanisms, and techniques to pivot from compromised Kubernetes workloads to an AWS account securitylabs.datadoghq.com/articles/amazo…

One of the best way to compromise entire infrastructure

Creating a cluster in GKE: gcloud container clusters create sample-cluster Creating a cluster in EKS: oh sweet summer child...

Reproducing CVE-2023-38646: Metabase Pre-auth RCE blog.calif.io/p/reproducing-… CC peterjson Janggggg

In a recent engagement, we encountered a target running CraftCMS, and discovered a Remote Code Execution vulnerability that allowed us to compromise the target. blog.calif.io/p/craftcms-rce CC yeuchimse

Calif US Offsite Summer 2023

Pretty cool testimonial from Anthropic. If you're into hacking AI models, we're hiring! docs.google.com/document/d/1SJ…

If you use cert-manager.io in AWS EKS, be aware of a privesc vector that leads to full cluster compromise. We recommend revoking pod creation permission and switching to domain verification using DNS. See the update at the end of this blog post: blog.calif.io/p/privilege-es…

CVE-2023-49105 WebDAV Api Authentication Bypass using Pre-Signed URLs POC Lazy coder + ChatGPT => nocode cc Nguyen Anh Tien github.com/0xfed/ownedclo…

New blog post: in a recent engagement, we turned a simple XSRF in Argo CD to a shell with cluster admin privileges. No fix is available. We recommend hosting Argo CD on an isolated domain. Details: blog.calif.io/p/argo-cd-csrf

Type confusion attacks in ProseMirror editors blog.calif.io/p/type-confusi…

Wormable Substack XSS: blog.calif.io/p/wormable-sub… It must have been years since the last time a wormable XSS was found in a major social media website. This beautiful type confusion XSS attack vector is a gift that keeps on giving. But most of all, samy kamkar is our hero!

Submitted this bug to ZDI a long time ago, but they weren’t interested 🥲. Later sent to Oracle, marked dup of CVE-2023-22047. CVSS 7.5 but leads to unauth RCE. Fortunately, some big programs accepted it. Check exploit here : github.com/tuo4n8/CVE-202… #BugBounty #InfoSec #Oracle

If you can motivate yourself to spend 8+ hours a day, 5 days a week to read through: - Atlassian - Jira - Slack - GitHub - Other internal SaaS applications without guaranteed results, you'll be an amazing red teamer.

“Vibe Hacking”: Abusing Developer Trust in Cursor and VS Code Remote Development blog.calif.io/p/vibe-hacking…

We hacked the AWS JavaScript SDK, a core library powering the entire @AWScloud ecosystem - including the AWS Console itself 🤯 How did we do it? Just two missing characters was all it took. This is the story of #CodeBreach 🧵👇

A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets. A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic. open.substack.com/pub/calif/p/a-…

We have some exciting news to share: Blacktop is joining Calif to work on a range of R&D projects focused on Apple and AI security. If you work in the Apple security ecosystem, he’s already a household name. He’s the creator of: * ipsw – the ubiquitous Apple firmware

MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747) To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI. blog.calif.io/p/mad-bugs-cla…