InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
Update on React Server Components RCE Vulnerability (CVE-2025-55182 / CVE-2025-66478)
by Sergei Okhotin on 08/12/2025
The attack landscape has been dynamic following the disclosure of the React Server Components RCE vulnerability. New information has emerged regarding the initial Proof-of-Concept exploit, as well as improved detection methods, exploitation mechanics observed in the wild, and rapidly growing attack activity. This update summarizes the changes and observations we have made across Wallarm customers. [...]
carving emails & AI prompt injection hacking
on 08/12/2025
Substitution Cipher Based on The Voynich Manuscript
on 08/12/2025
Here’s a fun paper: “The Naibbe cipher: a substitution cipher that encrypts Latin and Italian as Voynich Manuscript-like ciphertext”:
Abstract: In this article, I investigate the hypothesis that the Voynich Manuscript (MS 408, Yale University Beinecke Library) is compatible with being a ciphertext by attempting to develop a historically plausible cipher that can replicate the man [...]
2025 in Review: A Year of Smarter, Context-Aware API Security
by Tim Erlin on 08/12/2025
As the year draws to a close, it’s worth pausing to look back on what has been an extraordinary year for Wallarm and, more importantly, for the businesses we protect.
If 2024 was about laying the groundwork (tracking API sessions to understand behavioral attacks), then 2025 was the year we built upon that foundation, turning insight into action and visibility into measurable business impact.
[...]
curl built with GnuTLS backend defaults to weak crypto parameters
on 08/12/2025
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/3407352 [...]
Just ServiceUI.exe
on 06/12/2025
I am in LOVE with these
on 06/12/2025
Drones to Diplomas: How Russia’s Largest Private University is Linked to a $25M Essay Mill
by BrianKrebs on 06/12/2025
A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.
The Nerdify homepage.
The link between essay mills and Russian attack drones might seem improbable, but understanding it begins with a simple question: How do [...]
Friday Squid Blogging: Vampire Squid Genome
on 05/12/2025
The vampire squid (Vampyroteuthis infernalis) has the largest cephalopod genome ever sequenced: more than 11 billion base pairs. That’s more than twice as large as the biggest squid genomes.
It’s technically not a squid: “The vampire squid is a fascinating twig tenaciously hanging onto the cephalopod family tree. It’s neither a squid nor an octopus (nor a vampire), but rath [...]
Beginner Blue Team Training!
on 05/12/2025
HackerOne on AI-Driven Security: Community, Risk, and Innovation
on 05/12/2025
Why Baselining Helps Incident Response
on 05/12/2025
Unauthenticated GraphQL access by prepending __schema to private operations
on 05/12/2025
Enjin disclosed a bug submitted by pwnie: https://hackerone.com/reports/3452015 [...]
so malware is invisible now lol
on 05/12/2025
How to detect React2Shell with Burp Suite
on 05/12/2025
React2Shell vulnerabilities in Next.js applications are now scannable across Burp Suite, making it fast to validate your exposure and begin automated coverage usi [...]
Stored XSS Vulnerability via SVG File
on 05/12/2025
Nextcloud disclosed a bug submitted by aptroom: https://hackerone.com/reports/3357808 - Bounty: $150 [...]
Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle
on 05/12/2025
curl disclosed a bug submitted by rootx1337: https://hackerone.com/reports/3452725 [...]
admin_audit does not log actions on files in a group folder
on 05/12/2025
Nextcloud disclosed a bug submitted by klipz: https://hackerone.com/reports/2890071 [...]
Deck app allowed user with "Can share" permission to modify permissions of other non-owners
on 05/12/2025
Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3247499 - Bounty: $250 [...]
Calendar app allowed booking appointments without the generated token
on 05/12/2025
Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3275810 [...]
Calendar attachments of local files are offered for download
on 05/12/2025
Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3112033 - Bounty: $100 [...]
Missing ownership check in Tables app allows moving columns into tables of other users
on 05/12/2025
Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3137895 - Bounty: $250 [...]
Tables app allowed users to view columns metadata information of any table
on 05/12/2025
Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3138721 - Bounty: $250 [...]
Participants were able to blindly delete poll drafts of other users by ID
on 05/12/2025
Nextcloud disclosed a bug submitted by daroo: https://hackerone.com/reports/3247386 - Bounty: $150 [...]
Approval app allows users to request approval for other users' files
on 05/12/2025
Nextcloud disclosed a bug submitted by 0x0doteth: https://hackerone.com/reports/3338748 [...]
Nextcloud Tables v1 Share Enumeration Without Authorization (Regression of CVE-2024-52507)
on 05/12/2025
Nextcloud disclosed a bug submitted by 0x0doteth: https://hackerone.com/reports/3334165 [...]
New Anonymous Phone Service
on 05/12/2025
A new anonymous phone service allows you to sign up with just a zip code.
[...]
Next.js & React vulnerability will break the internet
on 05/12/2025
Intigriti insights: React2Shell CVE-2025-55182
by Eleanor Barlow on 05/12/2025
This blog explores the widespread and critical state of the React2Shell vulnerability. It provides a technical overview, suggested mitigations, and actions to safeguard people, processes, and data, as well as a review of what our team has experienced and seen off the back of this vulnerability.
Please note that as more is learnt, Intigriti continues to update reports, provide information on what o [...]
SMS Phishers Pivot to Points, Taxes, Fake Retailers
by BrianKrebs on 04/12/2025
China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now [...]
Why Large Language Models (LLMs) Output Differs
on 04/12/2025
Bugcrowd Security Flash: CVE-2025-55182
on 04/12/2025
SMTP Protocol Injection via CRLF in CURLOPT_MAIL_FROM leading to Email Spoofing
on 04/12/2025
curl disclosed a bug submitted by anonymous_237: https://hackerone.com/reports/3451305 [...]
Wallarm Halts Remote Code Execution Exploits: Defense for Vulnerable React Server Component Workflows
by Sergei Okhotin on 04/12/2025
On December 3, 2025, React maintainers disclosed a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182. A working PoC was released publicly, and Wallarm immediately began observing widespread exploitation attempts across customer environments.
What is CVE-2025-55182?
CVE-2025-55182 is an unauthenticated remote code e [...]
Live: PAPA Release | TCM Security | AI Hacking | AMA
on 04/12/2025
CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js
on 04/12/2025
Learn more about the CVE-2025-55182 vulnerability affecting React Server Components and affecting Next.js. [...]
Android expands pilot for in-call scam protection for financial apps
on 03/12/2025
Posted by Aden Haussmann, Associate Product Manager and Sumeet Sharma, Play Partnerships Trust & Safety Lead
Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle. Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.
The [...]
Ransomware Scam
on 03/12/2025
Attackers Don’t Need to Breach Your API - They’ll Breach the Tools That Touch It
by Tim Erlin on 03/12/2025
The API supply chain is the new security blind spot. Attackers no longer need to breach your APIs directly; they can target the third-party services that connect to them. These unmanaged dependencies are now the shortest path to your sensitive data. The recent Mixpanel incident is a stark reminder of that fact.
What Happened During the Mixpanel Incident? Why Does it Matter?
In November 202 [...]
Bugcrowd Security Flash: The HackLore Project
on 02/12/2025
Sleep tight
on 02/12/2025
Can Learning Assembly Make You a Better Pentester?
on 02/12/2025
Phishing for Passwords! (Advent of Cyber Day 02)
on 02/12/2025
Potential SQL Injection when annotating FilteredRelation on PostgreSQL
on 02/12/2025
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3417967 [...]
Like Social Media, AI Requires Difficult Choices
on 02/12/2025
In his 2020 book, “Future Politics,” British barrister Jamie Susskind wrote that the dominant question of the 20th century was “How much of our collective life should be determined by the state, and what should be left to the market and civil society?” But in the early decades of this century, Susskind suggested that we face a different question: “To what extent shoul [...]
Introducing constant-time support for LLVM to protect cryptographic code
on 02/12/2025
Trail of Bits has developed constant-time coding support for LLVM, providing developers with compiler-level guarantees that their cryptographic implementations remain secure against branching-related timing attacks. These changes are being reviewed and will be added in an upcoming release, LLVM 22. This work introduces the __builtin_ct_select family of intrinsics and supporting infrastructure that [...]
How I Hacked A Wordpress Website Using AI
on 01/12/2025
Banning VPNs
on 01/12/2025
This is crazy. Lawmakers in several US states are contemplating banning VPNs, because…think of the children!
As of this writing, Wisconsin lawmakers are escalating their war on privacy by targeting VPNs in the name of “protecting children” in A.B. 105/S.B. 130. It’s an age verification bill that requires all websites distributing material that could conceivably be deemed “s [...]
PortSwigger x TryHackMe: Supporting Advent of Cyber
on 01/12/2025
Every December, TryHackMe’s Advent of Cyber brings the security community together around a simple idea: learn something new by getting hands-on. Each day during the festive season reveals a beginner- [...]
[my.stripo.email] Blind SSRF Vulnerability in Stripo App Export via Missing Endpoints Export Email Message to Zapier
on 01/12/2025
Stripo Inc disclosed a bug submitted by odaysec: https://hackerone.com/reports/2932960 [...]
Path Traversal in file:// protocol allows Arbitrary File Read
on 01/12/2025
curl disclosed a bug submitted by quello_stanco: https://hackerone.com/reports/3445174 [...]
Heap Buffer Overflow in TFTP
on 01/12/2025
curl disclosed a bug submitted by helspy: https://hackerone.com/reports/3444904 [...]
How AI is leveraged to enhance the Intigriti platform
by Eleanor Barlow on 01/12/2025
What is Intigriti’s stance on AI?
At Intigriti, we believe AI is a powerful ally to, not a replacement of, our community of security researchers. We will use AI to empower our researchers to hunt for bugs smarter, faster, and more efficiently, while recognizing the value of human creativity and ingenuity that machines cannot replicate. By creating AI-powered tools informed by researcher and cust [...]
Bypassing Content Security Policy (CSP)
by Ayoub on 30/11/2025
Content Security Policies (CSPs) are often deployed as the last line of defense against client-side attacks such as cross-site scripting (XSS) and clickjacking. Since their first introduction in 2012, they've enabled developers to control which and what resources are allowed to load and evaluate within a given DOM context.
However, it still commonly occurs that developers rely on this countermeasu [...]
ServiceUI Trick
on 29/11/2025
NPM malware now has multiple targets!
on 29/11/2025
WE DID IT ❤️❤️❤️❤️🥲🍀🍀
on 29/11/2025
My alter ego got the best of me 😳
on 29/11/2025
Friday Squid Blogging: Flying Neon Squid Found on Israeli Beach
on 28/11/2025
A meter-long flying neon squid (Ommastrephes bartramii) was found dead on an Israeli beach. The species is rare in the Mediterranean.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Blog moderation policy.
[...]
Prompt Injection Through Poetry
on 28/11/2025
In a new paper, “Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models,” researchers found that turning LLM prompts into poetry resulted in jailbreaking the models:
Abstract: We present evidence that adversarial poetry functions as a universal single-turn jailbreak technique for Large Language Models (LLMs). Across 25 frontier proprietary and open-w [...]
Learn Cybersecurity: Advent of Cyber 2025 (TryHackMe!)
on 28/11/2025
Community!
on 27/11/2025
Cybersecurity AMA with Heath Adams
on 27/11/2025
Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’
by BrianKrebs on 26/11/2025
A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his r [...]
Username Validation Bypass
on 26/11/2025
Revive Adserver disclosed a bug submitted by kassem_s94: https://hackerone.com/reports/3434156 [...]
The State of Cybercrime in 2025 Part 2 (with Nick Ascoli!)
on 26/11/2025
Huawei and Chinese Surveillance
on 26/11/2025
This quote is from House of Huawei: The Secret History of China’s Most Powerful Company.
“Long before anyone had heard of Ren Zhengfei or Huawei, Wan Runnan had been China’s star entrepreneur in the 1980s, with his company, the Stone Group, touted as “China’s IBM.” Wan had believed that economic change could lead to political change. He had thrown his support be [...]
When your AI Assistant Becomes the Attacker’s Command-and-Control
by Tim Erlin on 26/11/2025
Earlier this month, Microsoft uncovered SesameOp, a new backdoor malware that abuses the OpenAI Assistants API as a covert command-and-control (C2) channel. The discovery has drawn significant attention within the cybersecurity community. Security teams can no longer focus solely on endpoint malware. Attackers are weaponizing public and legitimate AI assistant APIs and defenders must adjust.
W [...]
Infinite loop issue in the state machine of the curl project
on 26/11/2025
curl disclosed a bug submitted by kak1: https://hackerone.com/reports/3442060 [...]
runs javascript on powershell when it shouldn't
on 26/11/2025
curl disclosed a bug submitted by lim_e: https://hackerone.com/reports/3442024 [...]
November CTF Challenge: Exploiting JWT vulnerabilities to achieve RCE
by Ayoub on 26/11/2025
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security research community. This month, we've decided to take on a challenge ourselves as a way to give back to the community. In response to one of our recent articles, we decided to focus on JSON Web Token (JWT) vulnerabilities.
This article provides a step-by-step walkthrough for solving Novem [...]
Why is RAG Dangerous?
on 25/11/2025
Trusted Installer Shell
on 25/11/2025
Keylogger Malware Analysis
on 25/11/2025
Four Ways AI Is Being Used to Strengthen Democracies Worldwide
on 25/11/2025
Democracy is colliding with the technologies of artificial intelligence. Judging from the audience reaction at the recent World Forum on Democracy in Strasbourg, the general expectation is that democracy will be the worse for it. We have another narrative. Yes, there are risks to democracy from AI, but there are also opportunities.
We have just published the book Rewiring Democracy: How AI will Tr [...]
Understanding signal-to-noise for vulnerability management success
by Eleanor Barlow on 25/11/2025
A common worry for IT and security teams is that, when operating an effective vulnerability management model, they will be flooded with potential vulnerability reports they likely don’t have the capacity to work through.
But the real issue here is not volume; it’s noise. Invalid or low-quality submissions can drain resources, cover up, or deprioritize critical signals that have real business imp [...]
The Shai-Hulud 2.0 npm worm: analysis, and what you need to know
on 25/11/2025
Learn more about the Shai-Hulud 2.0 npm worm. [...]
High resource consumption by insufficient sanitization of forum threads pagination
on 24/11/2025
Flickr disclosed a bug submitted by maskopatol: https://hackerone.com/reports/1916400 - Bounty: $479 [...]
[SFTP] TOCTOU Race Condition in Upload Resume Logic Leads to Arbitrary File Append
on 24/11/2025
curl disclosed a bug submitted by cainvsilf: https://hackerone.com/reports/3432833 [...]
Is Your Android TV Streaming Box Part of a Botnet?
by BrianKrebs on 24/11/2025
On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet tra [...]
2025 Black Friday Deals
on 24/11/2025
Start 'em young
on 24/11/2025
HTML Injection in Emails on login.mtb.com via givenName parameter leads to phishing attacks
on 24/11/2025
M&T Bank Vulnerability Disclosure disclosed a bug submitted by ozgun32: https://hackerone.com/reports/3426761 [...]
Wazuh gives visibility to EVERYTHING
on 24/11/2025
Free Post Recon Course and Methodology For Bug Bounty Hunters
on 24/11/2025
IACR Nullifies Election Because of Lost Decryption Key
on 24/11/2025
The International Association of Cryptologic Research—the academic cryptography association that’s been putting conferences like Crypto (back when “crypto” meant “cryptography”) and Eurocrypt since the 1980s—had to nullify an online election when trustee Moti Yung lost his decryption key.
For this election and in accordance with the bylaws of the IACR, the [...]
I Make The BEST FREE Labs In CyberSecurity Education - Come Check Them Out!
on 23/11/2025
Arbitrary free in curl's config file parsing.
on 23/11/2025
curl disclosed a bug submitted by letshack9707: https://hackerone.com/reports/3434543 [...]
hacking twitch chat
on 23/11/2025
AI Jailbreaks That Made Me Go WTF
on 22/11/2025
Improper bot-authentication allows to impersonate any user when sending messages in a room
on 21/11/2025
Basecamp disclosed a bug submitted by stackered: https://hackerone.com/reports/3329310 - Bounty: $2000 [...]
Path traversal via archive.extract - CVE 2021-3281 incomplete patch
on 21/11/2025
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3328367 [...]
Top 5 WTF Prompt Injections
on 21/11/2025
hacker final boss
on 21/11/2025
APIs Are the Retail Engine: How to Secure Them This Black Friday
by Tim Erlin on 21/11/2025
Can you ever imagine the impact on your business if it went offline on Black Friday or Cyber Monday due to a cyberattack?
Black Friday is the biggest day in the retail calendar. It’s also the riskiest. As you gear up for huge surges in online traffic, ask yourself: have you protected the APIs on which the business runs?
The Black Friday API Boom
When you think about Black Fri [...]
Intigriti Bug Bytes #230 - November 2025 🚀
by Ayoub on 21/11/2025
Hi hackers,
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring:
Finding an RCE using AI in GitHub
CORS exploitation cheat sheet
Scanning codebases with AI
Bypassing paywalls
SSTIs in AI models
And so much more! Let’s dive in!
Company News
Intigriti wins 2025 UK IT Industry Awards
We are thrilled to announce that Intigriti has won Security Innovation [...]
Mozilla Says It’s Finally Done With Two-Faced Onerep
by BrianKrebs on 20/11/2025
In March 2024, Mozilla said it was winding down its collaboration with Onerep — an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites — after KrebsOnSecurity revealed Onerep’s founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later [...]
Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing
on 20/11/2025
Posted by Dave Kleidermacher, VP, Platforms Security & Privacy, Google
Technology should bring people closer together, not create walls. Being able to communicate and connect with friends and family should be easy regardless of the phone they use. That’s why Android has been building experiences that help you stay connected across platforms.
As part of our efforts to continue to make cross-pla [...]
Out-of-bounds read in HTTP method handling causes undefined behavior and potential crash This is sharp, Gaurav. We've got a real memory-safety bug ins
on 20/11/2025
curl disclosed a bug submitted by gaurav_7777: https://hackerone.com/reports/3434510 [...]
AI Hacking CTF | Win Prizes!!! | AMA
on 20/11/2025