InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
The Promptware Kill Chain
on 16/02/2026
Attacks against modern generative artificial intelligence (AI) large language models (LLMs) pose a real threat. Yet discussions around these attacks and their potential defenses are dangerously myopic. The dominant narrative focuses on “prompt injection,” a set of techniques for embedding instructions into an LLM's inputs so that it performs malicious activity. This term suggests a simple, s [...]
Chaining in action: techniques, terminology, and real-world impact on business
by Eleanor Barlow on 16/02/2026
What you will learn in this blog
What chaining is and how combining lower-severity issues can create a high-impact security risk.
Key chaining techniques and terminology, such as pivoting, lateral movement, and privilege escalation.
How chaining is identified and prioritized in practice, including the role of PTaaS and how researchers can use chaining to uncover critical attack paths and guide n [...]
Upcoming Speaking Engagements
on 14/02/2026
This is a current list of where and when I am scheduled to speak:
I’m speaking at Ontario Tech University in Oshawa, Ontario, Canada, at 2 PM ET on Thursday, February 26, 2026.
I’m speaking at the Personal AI Summit in Los Angeles, California, USA, on Thursday, March 5, 2026.
I’m speaking at Tech Live: Cybersecurity in New York City, USA, on Wednesday, March 11, 2026.
I’m giving the Ross An [...]
Friday Squid Blogging: Do Squid Dream?
on 13/02/2026
An exploration of the interesting question.
[...]
TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak
on 12/02/2026
Node.js disclosed a bug submitted by 0xmaxhax: https://hackerone.com/reports/3473882 [...]
Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)
on 12/02/2026
Node.js disclosed a bug submitted by winfunc: https://hackerone.com/reports/3465156 [...]
Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers
on 12/02/2026
Node.js disclosed a bug submitted by aaron_vercel: https://hackerone.com/reports/3456295 [...]
Memory leak that enables remote Denial of Service against applications processing TLS client certificates
on 12/02/2026
Node.js disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3357723 [...]
FS Permissions Bypass
on 12/02/2026
Node.js disclosed a bug submitted by natann: https://hackerone.com/reports/3417819 [...]
Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled
on 12/02/2026
Node.js disclosed a bug submitted by chalker: https://hackerone.com/reports/3405778 [...]
Mail stored HTML injection in subject text
on 12/02/2026
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3357036 - Bounty: $350 [...]
3D Printer Surveillance
on 12/02/2026
New York is contemplating a bill that adds surveillance to 3D printers:
New York’s 2026-2027 executive budget bill (S.9005 / A.10005) includes language that should alarm every maker, educator, and small manufacturer in the state. Buried in Part C is a provision requiring all 3D printers sold or delivered in New York to include “blocking technology.” This is defined as software or firmw [...]
Cache Pollution via Unkeyed GET Parameters on www.omise.co
on 11/02/2026
Omise disclosed a bug submitted by alitoni224: https://hackerone.com/reports/3183046 [...]
Kimwolf Botnet Swamps Anonymity Network I2P
by BrianKrebs on 11/02/2026
For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attem [...]
Rewiring Democracy Ebook is on Sale
on 11/02/2026
I just noticed that the ebook version of Rewiring Democracy is on sale for $5 on Amazon, Apple Books, Barnes & Noble, Books A Million, Google Play, Kobo, and presumably everywhere else in the US. I have no idea how long this will last.
Also, Amazon has a coupon that brings the hardcover price down to $20. You’ll see the discount at checkout.
[...]
Prompt Injection Via Road Signs
on 11/02/2026
Interesting research: “CHAI: Command Hijacking Against Embodied AI.”
Abstract: Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to generalize beyond training distributions and adapt to novel real-world situations. These capabilities, however, also create [...]
CISO Spotlight: Craig Riddell on Curiosity, Translation, and Why API Security is the New Business Imperative
by Tim Erlin on 11/02/2026
It’s an unusually cold winter morning in Houston, and Craig Riddell is settling into his new role as Wallarm’s Global Field CISO. It’s a position that suits him down to the ground, blending technical depth, empathy, business acumen, and, what Craig believes, the most underrated skill in cybersecurity: curiosity.
Like so many of us, Craig got into cybersecurity by accident. He first learned Un [...]
Patch Tuesday, February 2026 Edition
by BrianKrebs on 10/02/2026
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild.
Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quiet [...]
AI-Generated Text and the Detection Arms Race
on 10/02/2026
In 2023, the science fiction literary magazine Clarkesworld stopped accepting new submissions because so many were generated by artificial intelligence. Near as the editors could tell, many submitters pasted the magazine’s detailed story guidelines into an AI and sent in the results. And they weren’t alone. Other fiction magazines have also reported a high number of AI-generated submissions.
This [...]
Tech impersonators: ClickFix and MacOS infostealers
on 10/02/2026
Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. [...]
Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on
on 09/02/2026
AWS VDP disclosed a bug submitted by aneeeketh: https://hackerone.com/reports/3426839 [...]
ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion
on 09/02/2026
Django disclosed a bug submitted by sy2n0: https://hackerone.com/reports/3426417 [...]
The Myth of “Known APIs”: Why Inventory-First Security Models Are Already Obsolete
by Tim Erlin on 09/02/2026
You probably think the security mantra “you can’t protect what you don’t know about” is an inarguable truth. But you would be wrong. It doesn’t hold water in today’s threat landscape.
Of course, it sounds reasonable. Before you secure APIs, you must first discover, inventory, and document them exhaustively. The problem is that this way of thinking has hardened into dogma and ignores how attack [...]
LLMs are Getting a Lot Better and Faster at Finding and Exploiting Zero-Days
on 09/02/2026
This is amazing:
Opus 4.6 is notably better at finding high-severity vulnerabilities than previous models and a sign of how quickly things are moving. Security teams have been automating vulnerability discovery for years, investing heavily in fuzzing infrastructure and custom harnesses to find bugs at scale. But what stood out in early testing is how quickly Opus 4.6 found vulnerabilities out of t [...]
Friday Squid Blogging: Squid Fishing Tips
on 06/02/2026
This is a video of advice for squid fishing in Puget Sound.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Blog moderation policy.
[...]
I Am in the Epstein Files
on 06/02/2026
Once. Someone named “Vincenzo lozzo” wrote to Epstein in email, in 2016: “I wouldn’t pay too much attention to this, Schneier has a long tradition of dramatizing and misunderstanding things.” The topic of the email is DDoS attacks, and it is unclear what I am dramatizing and misunderstanding.
Rabbi Schneier is also mentioned, also incidentally, also once. As far as ei [...]
WebAuthn app was updated based on public key
on 06/02/2026
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3360354 - Bounty: $750 [...]
MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length
on 05/02/2026
curl disclosed a bug submitted by pajarori: https://hackerone.com/reports/3531216 [...]
From niche to necessity: global bug bounty adoption accelerates, led by the U.S.
by Eleanor Barlow on 05/02/2026
Bug bounty growth insights across the US
Bug bounty programs have evolved from a niche security tactic into a core component of modern defense strategies worldwide. In this blog, we focus on the US: one of the most invested and fastest-adopting markets, where organizations, driven by higher security maturity, are increasingly using bug bounty to uncover complex vulnerabilities that traditional t [...]
User enumeration via timing attack in Django mod_wsgi authentication backend leads to account discovery
on 04/02/2026
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3424977 [...]
Information Disclosure via Logback Configuration Injection in GoCD Agent
on 04/02/2026
GoCD disclosed a bug submitted by aigirl: https://hackerone.com/reports/3509632 [...]
Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious
on 04/02/2026
Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. [...]
Previous commentor on post can still comment even after comment permission is changed to disabled
on 03/02/2026
LinkedIn disclosed a bug submitted by allenjo: https://hackerone.com/reports/3151001 [...]
Improper Access Control - Access to "Active Hiring" (Premium feature) filter results
on 03/02/2026
LinkedIn disclosed a bug submitted by minex627: https://hackerone.com/reports/3235855 [...]
Please Don’t Feed the Scattered Lapsus ShinyHunters
by BrianKrebs on 02/02/2026
A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying — perhaps as much to contain the stolen data [...]
Exploiting PostMessage vulnerabilities: A complete guide
by Ayoub on 31/01/2026
PostMessage vulnerabilities arise when developers fail to properly validate message origins or sanitize content within cross-origin communication handlers. As modern web applications increasingly rely on the postMessage API for cross-origin communication, whether for embedded widgets, OAuth flows, third-party integrations, or iframe-based components, the attack surface continues to grow. While pos [...]
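As an added illustration of the origin-validation failure described above (example code written for this page, not from the Intigriti guide): a vulnerable handler that checks the origin with a substring match and merges the whole payload into application state, beside a hardened handler with an exact-match origin allowlist and explicit field validation. It runs under Node with constructed MessageEvent-like objects; the origin https://widget.example.com, the set-theme message type and the postToTrusted wrapper are hypothetical.

```javascript
// Added example, not code from the Intigriti post: a vulnerable postMessage
// handler beside a hardened one, exercised with constructed MessageEvent-like
// objects so it runs under Node without a browser. The origin
// https://widget.example.com and the "set-theme" message type are assumptions.

const TRUSTED_ORIGIN = "https://widget.example.com";

// VULNERABLE: substring check on origin, and every key of the untrusted
// payload is merged into application state.
function vulnerableHandler(state, event) {
  if (!event.origin.includes("widget.example.com")) return false; // lookalike hosts pass
  Object.assign(state, event.data); // the sender picks the keys
  return true;
}

// HARDENED: exact-match origin allowlist, explicit message type, strict
// validation of each field, and only known fields copied into state.
const ALLOWED_ORIGINS = new Set([TRUSTED_ORIGIN]);
const THEMES = new Set(["light", "dark"]);

function hardenedHandler(state, event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "set-theme" || !THEMES.has(msg.theme)) return false;
  state.theme = msg.theme;
  return true;
}

// Sending side: never broadcast sensitive data with "*" as the target origin;
// a wrapper that refuses the wildcard makes the mistake fail loudly.
function postToTrusted(targetWindow, msg, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  targetWindow.postMessage(msg, targetOrigin);
}

// Constructed events (not real captured traffic).
const LOOKALIKE_EVENT = {
  origin: "https://widget.example.com.attacker.test", // passes a substring check
  data: { token: "attacker-controlled", theme: "dark" },
};
const LEGIT_EVENT = {
  origin: TRUSTED_ORIGIN,
  data: { type: "set-theme", theme: "dark" },
};
const WRONG_SHAPE_EVENT = {
  origin: TRUSTED_ORIGIN, // right origin, but a string payload instead of a message object
  data: "<img src=x onerror=alert(1)>",
};

// Runs both handlers over the constructed events and returns the outcomes.
function demo() {
  const vulnerableState = {};
  const hardenedState = {};
  return {
    vulnerableAcceptsLookalike: vulnerableHandler(vulnerableState, LOOKALIKE_EVENT),
    vulnerableStateToken: vulnerableState.token,
    hardenedRejectsLookalike: !hardenedHandler(hardenedState, LOOKALIKE_EVENT),
    hardenedRejectsWrongShape: !hardenedHandler(hardenedState, WRONG_SHAPE_EVENT),
    hardenedAcceptsLegit: hardenedHandler(hardenedState, LEGIT_EVENT),
    hardenedState,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: the hardened handler rejects the lookalike origin and the wrong-shaped payload while the vulnerable one accepts attacker-chosen keys. The same exact-match rule applies on the sending side: pass the intended target origin to postMessage rather than "*" whenever the message carries anything sensitive.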
Why API Security Is No Longer an AppSec Problem – And What Security Leaders Must Do Instead
by Annette Reed on 30/01/2026
APIs are one of the most important technologies in digital business ecosystems. And yet, the responsibility for their security often falls to AppSec teams – and that’s a problem.
This organizational mismatch creates systemic risk: business teams assume APIs are “secured,” while attackers exploit logic flaws, authorization gaps, and automated attacks in production. As Tim Erlin noted rece [...]
Celebrating our 2025 open-source contributions
on 30/01/2026
Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler.
This work reflects one of our driving values: “share what others can use.” The measure isn’t whether you share something, but whether it’s actually useful to someone else. This princi [...]
Building cryptographic agility into Sigstore
on 29/01/2026
Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our cu [...]
Intigriti 0126 CTF Challenge: Exploiting insecure postMessage handlers
by Ayoub on 28/01/2026
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. January's challenge presented participants with CRYPTIGRITI, a cryptocurrency trading platform where users could buy and trade Bitcoin (BTC), Monero (XMR), and a custom digital currency, 1337COIN.
This article provides a step-by-step walkthrough for solving January's [...]
New Android Theft Protection Feature Updates: Smarter, Stronger
on 27/01/2026
Posted by Nataliya Stanetsky, Fabricio Ferracioli, Elliot Sisteron, Irene Ang of the Android Security Team
Phone theft is more than just losing a device; it's a form of financial fraud that can leave you suddenly vulnerable to personal data and financial theft. That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.
Today, [...]
OpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows
on 27/01/2026
A deep dive into OpenSSL’s January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug. [...]
SQL injection in structure plugin
on 26/01/2026
ExpressionEngine disclosed a bug submitted by fed01k: https://hackerone.com/reports/3249794 [...]
Who Operates the Badbox 2.0 Botnet?
by BrianKrebs on 26/01/2026
The cybercriminals in control of Kimwolf — a disruptive botnet that has infected more than 2 million devices — recently shared a screenshot indicating they’d compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people b [...]
wcurl Argument Injection via Unquoted Variable
on 26/01/2026
curl disclosed a bug submitted by playerofficial19: https://hackerone.com/reports/3523953 [...]
Integer Underflow in src/var.c
on 26/01/2026
curl disclosed a bug submitted by f_i_h: https://hackerone.com/reports/3523349 [...]
Introducing IDE-SHEPHERD: Your shield against threat actors lurking in your IDE
on 26/01/2026
IDE-SHEPHERD is an open-source IDE security extension that provides real-time monitoring and protection for VS Code and Cursor. It intercepts malicious process executions, monitors network activity, and blocks dangerous workspace tasks before they can compromise your development environment. [...]
How I sped up exploit validation in Repeater using Burp AI
on 22/01/2026
Note: This is a guest post by IT security consultant Adarsh Kumar. I’ve been using Burp Suite day to day for years, so when Burp AI was introduced, I was curious how it would actually hold up dur [...]
31 bite-sized tips, techniques, and bug bounty resources to kick off 2026!
by Eleanor Barlow on 22/01/2026
What you will learn
Practical, bite-sized bug bounty tips and techniques you can apply immediately, whether you’re just starting or sharpening your skills.
Proven approaches for finding, prioritizing, and validating vulnerabilities more efficiently in real-world programs.
An eye on what to look out for to stay consistent and motivated in 2026.
In the lead-up to the new year, we released a bug [...]
Spam & Clearance checks disabled with existing referenced Message-ID
on 21/01/2026
Basecamp disclosed a bug submitted by northeastprince: https://hackerone.com/reports/2012659 [...]
Kimwolf Botnet Lurking in Corporate, Govt. Networks
by BrianKrebs on 20/01/2026
A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations [...]
[Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project.
on 20/01/2026
Stripo Inc disclosed a bug submitted by srcode: https://hackerone.com/reports/3459285 [...]
Memory Exhaustion in CometBFT v1.0.1 via malicious ProposalMessage leads to network-wide denial of service
on 20/01/2026
Cosmos disclosed a bug submitted by 0xjam: https://hackerone.com/reports/3510161 [...]
Crossorigin cookies leak and injection risk when using a custom Host header
on 20/01/2026
curl disclosed a bug submitted by ichise: https://hackerone.com/reports/3516878 [...]
SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends
on 20/01/2026
curl disclosed a bug submitted by foobar4213: https://hackerone.com/reports/3516974 [...]
Internal logs/info leaked via endpoint {https://203.137.128.240/server-status}
on 20/01/2026
pixiv disclosed a bug submitted by dexter34: https://hackerone.com/reports/2473173 [...]
Cookie Replacement Use-After-Free Vulnerability
on 19/01/2026
curl disclosed a bug submitted by bhaskar_ram: https://hackerone.com/reports/3516202 [...]
Cookie Max-Age Integer Overflow Vulnerability
on 19/01/2026
curl disclosed a bug submitted by bhaskar_ram: https://hackerone.com/reports/3516186 [...]
Disclose Hidden Comments on Media Section of hub.vroid.com
on 18/01/2026
pixiv disclosed a bug submitted by giwadaoud: https://hackerone.com/reports/2541962 - Bounty: $500 [...]
clickjacking can lead to account takeover
on 18/01/2026
pixiv disclosed a bug submitted by hyk3n: https://hackerone.com/reports/2119892 - Bounty: $200 [...]
libcurl: Improper Authentication State Management on Cross-Protocol Redirects
on 17/01/2026
curl disclosed a bug submitted by andrewml: https://hackerone.com/reports/3514263 [...]
Easy way to create a new Deck board without permission
on 16/01/2026
Nextcloud disclosed a bug submitted by hakuna: https://hackerone.com/reports/2388183 - Bounty: $100 [...]
Can download files on Android app without permission
on 16/01/2026
Nextcloud disclosed a bug submitted by hakuna: https://hackerone.com/reports/2380133 - Bounty: $250 [...]
Command Injection on Amazon Q Developer CLI via malicious .amazonq/mcp.json leads to arbitrary code execution
on 16/01/2026
AWS VDP disclosed a bug submitted by farmer: https://hackerone.com/reports/3427370 [...]
Functional PoCs in less than a minute? Julen Garrido Estévez puts Burp AI to the test
on 16/01/2026
Note: This is a guest post by pentester Julen Garrido Estévez (@b3xal). Contents: Methodology; Key results; Examples; Key learnings; Prompt template; A pentester's POV on Burp AI. Pentester Julen Garrido Es [...]
Intigriti Bug Bytes #232 - January 2026 🚀
by Ayoub on 16/01/2026
Hi hackers,
Welcome to the latest edition of Bug Bytes (and the first of 2026)! In this month’s issue, we’ll be featuring:
Hijacking official AWS GitHub repositories
New anonymous bug bounty forum
Finding more IDORs & SSRFs using a unique methodology
New JavaScript file scanner to find hidden endpoints
And so much more! Let’s dive in!
Intigriti SantaCloud CTF results are in
December 20 [...]
7 Reasons to Get Certified in API Security
by Tim Erlin on 15/01/2026
API security is becoming more important by the day and skilled practitioners are in high demand. Now’s the time to level up your API security skillset.
Wallarm University, our free training course, provides security analysts, engineers, and practitioners with hands-on skills you can’t get from documentation, videos, or traditional courses. Run real attacks, investigate real signals, and learn [...]
fs.futimes() Bypasses Read-Only Permission Model
on 15/01/2026
Node.js disclosed a bug submitted by oriotie: https://hackerone.com/reports/3390084 [...]
IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing
on 14/01/2026
curl disclosed a bug submitted by shiftj: https://hackerone.com/reports/3509396 [...]
Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes
on 14/01/2026
Nextcloud disclosed a bug submitted by somerandomdev: https://hackerone.com/reports/3443563 [...]
[revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter
on 14/01/2026
Revive Adserver disclosed a bug submitted by 7yr: https://hackerone.com/reports/3473696 [...]
Reflected XSS in banner-acl.php and channel-acl.php via executionorder
on 14/01/2026
Revive Adserver disclosed a bug submitted by 7yr: https://hackerone.com/reports/3470970 [...]
Reflected XSS in afr.php
on 14/01/2026
Revive Adserver disclosed a bug submitted by nigh7c0r3: https://hackerone.com/reports/3468169 [...]
Broken Access Control allows advertiser accounts to delete trackers they do not own
on 14/01/2026
Revive Adserver disclosed a bug submitted by 0xjad: https://hackerone.com/reports/3445710 [...]
INI Format string injection in Revive Adserver 6.0.4 settings
on 14/01/2026
Revive Adserver disclosed a bug submitted by pakcyberbot: https://hackerone.com/reports/3445332 [...]
Integer-underflow leads to heap over-read in TFTP implementation
on 14/01/2026
curl disclosed a bug submitted by z2_: https://hackerone.com/reports/3508321 [...]
Digest Authentication Header Injection
on 14/01/2026
curl disclosed a bug submitted by andrew-bbp: https://hackerone.com/reports/3508799 [...]
Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth)
on 14/01/2026
curl disclosed a bug submitted by vikash_saw: https://hackerone.com/reports/3509437 [...]
Gopher Protocol Command Injection (SSRF Smuggling)
on 14/01/2026
curl disclosed a bug submitted by andrew-bbp: https://hackerone.com/reports/3508785 [...]
Use-After-Free in curl_easy_nextheader when reusing header handle across requests
on 14/01/2026
curl disclosed a bug submitted by adce626q: https://hackerone.com/reports/3508701 [...]
Patch Tuesday, January 2026 Edition
by BrianKrebs on 14/01/2026
Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.
January’s Microsoft zero-day flaw — CVE-2026-20805 — is brought t [...]
Reflecting on 2025, shaping 2026. A fireside chat with Intigriti leadership
by Eleanor Barlow on 14/01/2026
What you will learn
How 2025 became a defining year for Intigriti through key milestones, major wins, and bold product launches.
Insights from Intigriti’s C-suite on the moments that shaped the company’s growth and direction.
How these reflections set the foundation for Intigriti’s vision and priorities for 2026.
2025 reflections, aspirations, and lessons learnt
Stijn Jans, Chief Executive Off [...]
Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8554
on 14/01/2026
A look at how Kubernetes CVE-2020-8554 works [...]
MQTT: unsigned integer underflow bypasses MAX_MQTT_MESSAGE_SIZE check
on 13/01/2026
curl disclosed a bug submitted by 0xshakib0x04: https://hackerone.com/reports/3508854 [...]
Integer Overflow in MQTT Protocol Handling Allows Bypassing Message Size Limit
on 13/01/2026
curl disclosed a bug submitted by gudyuu: https://hackerone.com/reports/3508500 [...]
Lack of isolation in agentic browsers resurfaces old vulnerabilities
on 13/01/2026
With browser-embedded AI agents, we’re essentially starting the security journey over again. We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks. These attacks, which are functionally similar to cross-site scripting (XSS) and cross-site request forgery (CSRF), resurface decade [...]
Information Disclosure in API Endpoint /users
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by moha1sd: https://hackerone.com/reports/3027405 [...]
Publicly Accessible CDN Endpoint Exposing XML Metadata (including ETag)
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by l0rdv0ld3m0r7: https://hackerone.com/reports/3346375 [...]
Create account without auth via response manipulation
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by exec_iq: https://hackerone.com/reports/2061982 [...]
Information Disclosure via Publicly Accessible Debug Log
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by xgoon: https://hackerone.com/reports/3318295 [...]
Debug Info disclose
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by saqib98: https://hackerone.com/reports/3066992 [...]
Reflected XSS Vulnerability in SSL VPN Endpoint CVE-2025-0133
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by 0xkarim_dix: https://hackerone.com/reports/3238607 [...]
Reflected XSS via user Parameter in /ssl-vpn/getconfig.esp
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by aramx4: https://hackerone.com/reports/3205104 [...]
Reflected XSS via user Parameter on getconfig.esp Endpoint
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by aramx4: https://hackerone.com/reports/3204997 [...]
XSS on
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by bewgsy: https://hackerone.com/reports/3053220 [...]
Cross-Site Scripting via URL on
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by jonasdiasrebelo: https://hackerone.com/reports/3437836 [...]
Cross-Site Scripting via 'currentImage' parameter
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by jonasdiasrebelo: https://hackerone.com/reports/3136746 [...]
Cross-Site Scripting via 'wikitext' parameter
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by jonasdiasrebelo: https://hackerone.com/reports/3137212 [...]
Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by jonasdiasrebelo: https://hackerone.com/reports/3166582 [...]
Cross-Site Scripting (XSS) in ASP.NET via ResolveUrl on
on 12/01/2026
U.S. Dept Of Defense disclosed a bug submitted by jonasdiasrebelo: https://hackerone.com/reports/3166581 [...]