InfoSec Planet
A collection of diverse security content from a curated list of sources. This website also serves as a demo for "worker-planet", the software that powers it.
TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak on 12/02/2026
Node.js disclosed a bug submitted by 0xmaxhax: https://hackerone.com/reports/3473882 [...]
Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS) on 12/02/2026
Node.js disclosed a bug submitted by winfunc: https://hackerone.com/reports/3465156 [...]
Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers on 12/02/2026
Node.js disclosed a bug submitted by aaron_vercel: https://hackerone.com/reports/3456295 [...]
Memory leak that enables remote Denial of Service against applications processing TLS client certificates on 12/02/2026
Node.js disclosed a bug submitted by giant_anteater: https://hackerone.com/reports/3357723 [...]
FS Permissions Bypass on 12/02/2026
Node.js disclosed a bug submitted by natann: https://hackerone.com/reports/3417819 [...]
Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled on 12/02/2026
Node.js disclosed a bug submitted by chalker: https://hackerone.com/reports/3405778 [...]
Mail stored HTML injection in subject text on 12/02/2026
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3357036 - Bounty: $350 [...]
3D Printer Surveillance on 12/02/2026
New York is contemplating a bill that adds surveillance to 3D printers: New York’s 2026-2027 executive budget bill (S.9005 / A.10005) includes language that should alarm every maker, educator, and small manufacturer in the state. Buried in Part C is a provision requiring all 3D printers sold or delivered in New York to include “blocking technology.” This is defined as software or firmw [...]
Cache Pollution via Unkeyed GET Parameters on www.omise.co on 11/02/2026
Omise disclosed a bug submitted by alitoni224: https://hackerone.com/reports/3183046 [...]
AI Red Teaming: Beyond Safety to Security on 11/02/2026
Rewiring Democracy Ebook is on Sale on 11/02/2026
I just noticed that the ebook version of Rewiring Democracy is on sale for $5 on Amazon, Apple Books, Barnes & Noble, Books A Million, Google Play, Kobo, and presumably everywhere else in the US. I have no idea how long this will last. Also, Amazon has a coupon that brings the hardcover price down to $20. You’ll see the discount at checkout. [...]
Quick tip! on 11/02/2026
Prompt Injection Via Road Signs on 11/02/2026
Interesting research: “CHAI: Command Hijacking Against Embodied AI.” Abstract: Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to generalize beyond training distributions and adapt to novel real-world situations. These capabilities, however, also create [...]
CISO Spotlight: Craig Riddell on Curiosity, Translation, and Why API Security is the New Business Imperative by Tim Erlin on 11/02/2026
It’s an unusually cold winter morning in Houston, and Craig Riddell is settling into his new role as Wallarm’s Global Field CISO. It’s a position that suits him down to the ground, blending technical depth, empathy, business acumen, and, what Craig believes, the most underrated skill in cybersecurity: curiosity. Like so many of us, Craig got into cybersecurity by accident. He first learned Un [...]
Your environment doesn’t sit still on 10/02/2026
Choosing Red Team or Blue Team in 2026 on 10/02/2026
AI-Generated Text and the Detection Arms Race on 10/02/2026
In 2023, the science fiction literary magazine Clarkesworld stopped accepting new submissions because so many were generated by artificial intelligence. Near as the editors could tell, many submitters pasted the magazine’s detailed story guidelines into an AI and sent in the results. And they weren’t alone. Other fiction magazines have also reported a high number of AI-generated submissions. This [...]
Tech impersonators: ClickFix and MacOS infostealers on 10/02/2026
Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. [...]
Where are hackers located? on 09/02/2026
Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on 09/02/2026
AWS VDP disclosed a bug submitted by aneeeketh: https://hackerone.com/reports/3426839 [...]
How AI Gets Tested in the Real World | Salesforce Live Hacking Event on 09/02/2026
ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion on 09/02/2026
Django disclosed a bug submitted by sy2n0: https://hackerone.com/reports/3426417 [...]
10+ Daily Essentials As An Ethical Hacker on 09/02/2026
The Myth of “Known APIs”: Why Inventory-First Security Models Are Already Obsolete by Tim Erlin on 09/02/2026
You probably think the security mantra “you can’t protect what you don’t know about” is an inarguable truth. But you would be wrong. It doesn’t hold water in today’s threat landscape. Of course, it sounds reasonable. Before you secure APIs, you must first discover, inventory, and document them exhaustively. The problem is that this way of thinking has hardened into dogma and ignores how attack [...]
LLMs are Getting a Lot Better and Faster at Finding and Exploiting Zero-Days on 09/02/2026
This is amazing: Opus 4.6 is notably better at finding high-severity vulnerabilities than previous models and a sign of how quickly things are moving. Security teams have been automating vulnerability discovery for years, investing heavily in fuzzing infrastructure and custom harnesses to find bugs at scale. But what stood out in early testing is how quickly Opus 4.6 found vulnerabilities out of t [...]
Bundle Up With Our Biggest Discounts Ever! on 07/02/2026
Friday Squid Blogging: Squid Fishing Tips on 06/02/2026
This is a video of advice for squid fishing in Puget Sound. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
I Am in the Epstein Files on 06/02/2026
Once. Someone named “Vincenzo lozzo” wrote to Epstein in email, in 2016: “I wouldn’t pay too much attention to this, Schneier has a long tradition of dramatizing and misunderstanding things.” The topic of the email is DDoS attacks, and it is unclear what I am dramatizing and misunderstanding. Rabbi Schneier is also mentioned, also incidentally, also once. As far as ei [...]
JHT Course Launch: Dark Web 2 - CTI Researcher on 06/02/2026
We take security seriously at Bugcrowd on 06/02/2026
iPhone Lockdown Mode Protects Washington Post Reporter on 06/02/2026
404Media is reporting that the FBI could not access a reporter’s iPhone because it had Lockdown Mode enabled: The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the home of the reporter, Hannah Natanson, in January as part of an investigation into leaks of classified information. It also provides rare insight into [...]
WebAuthn app was updated based on public key on 06/02/2026
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3360354 - Bounty: $750 [...]
The Payload Podcast #001 with Jonny Johnson & Max Harley on 06/02/2026
Backdoor in Notepad++ on 05/02/2026
Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users. Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a ca [...]
LIVE: 🕵️ Forensicating | HackTheBox | Cybersecurity on 05/02/2026
MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length on 05/02/2026
curl disclosed a bug submitted by pajarori: https://hackerone.com/reports/3531216 [...]
From niche to necessity: global bug bounty adoption accelerates, led by the U.S. by Eleanor Barlow on 05/02/2026
Bug bounty growth insights across the US Bug bounty programs have evolved from a niche security tactic into a core component of modern defense strategies worldwide. In this blog, we focus on the US: one of the most invested and fastest-adopting markets, where organizations, driven by higher security maturity, are increasingly using bug bounty to uncover complex vulnerabilities that traditional t [...]
Bugcrowd’s new Security Inbox on 04/02/2026
How To Approach ANY Bug Bounty Target In 2026 on 04/02/2026
User enumeration via timing attack in Django mod_wsgi authentication backend leads to account discovery on 04/02/2026
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3424977 [...]
US Declassifies Information on JUMPSEAT Spy Satellites on 04/02/2026
The US National Reconnaissance Office has declassified information about a fleet of spy satellites operating between 1971 and 2006. I’m actually impressed to see a declassification only two decades after decommission. [...]
Information Disclosure via Logback Configuration Injection in GoCD Agent on 04/02/2026
GoCD disclosed a bug submitted by aigirl: https://hackerone.com/reports/3509632 [...]
Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious on 04/02/2026
Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. [...]
Security folks on 03/02/2026
The Most Common IoT Security Flaws on 03/02/2026
Previous commentor on post can still comment even after comment permission is changed to disabled on 03/02/2026
LinkedIn disclosed a bug submitted by allenjo: https://hackerone.com/reports/3151001 [...]
Improper Access Control - Access to "Active Hiring" (Premium feature) filter results on 03/02/2026
LinkedIn disclosed a bug submitted by minex627: https://hackerone.com/reports/3235855 [...]
Hacking a Windows Web Application on 02/02/2026
Live Hacking 2025: $4.3M in Bounties, Tested Around the World on 02/02/2026
Every organization is vulnerable. on 02/02/2026
Exploiting PostMessage vulnerabilities: A complete guide by Ayoub on 31/01/2026
PostMessage vulnerabilities arise when developers fail to properly validate message origins or sanitize content within cross-origin communication handlers. As modern web applications increasingly rely on the postMessage API for cross-origin communication, whether for embedded widgets, OAuth flows, third-party integrations, or iframe-based components, the attack surface continues to grow. While pos [...]
Inside the Mind of a Hacker is a Bugcrowd staple on 30/01/2026
How Hackers Defeated Our AI on 30/01/2026
Why API Security Is No Longer an AppSec Problem – And What Security Leaders Must Do Instead by Annette Reed on 30/01/2026
APIs are one of the most important technologies in digital business ecosystems. And yet, the responsibility for their security often falls to AppSec teams – and that’s a problem. This organizational mismatch creates systemic risk: business teams assume APIs are “secured,” while attackers exploit logic flaws, authorization gaps, and automated attacks in production. As Tim Erlin noted rece [...]
Celebrating our 2025 open-source contributions on 30/01/2026
Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler. This work reflects one of our driving values: “share what others can use.” The measure isn’t whether you share something, but whether it’s actually useful to someone else. This princi [...]
The Rise of the Bionic Hacker: AI, Autonomy & the Future of Offensive Security | Black Hat Europe on 29/01/2026
Annual testing vs daily change on 29/01/2026
Building cryptographic agility into Sigstore on 29/01/2026
Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our cu [...]
Exciting Announcement With an Upcoming Capture the Flag! on 28/01/2026
Intigriti 0126 CTF Challenge: Exploiting insecure postMessage handlers by Ayoub on 28/01/2026
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. January's challenge presented participants with CRYPTIGRITI, a cryptocurrency trading platform where users could buy and trade Bitcoin (BTC), Monero (XMR), and a custom digital currency, 1337COIN. This article provides a step-by-step walkthrough for solving January's [...]
Clawdbot Malware on 27/01/2026
Chip-Off Firmware Extraction: 1-Minute Guide on 27/01/2026
New Android Theft Protection Feature Updates: Smarter, Stronger on 27/01/2026
Posted by Nataliya Stanetsky, Fabricio Ferracioli, Elliot Sisteron, Irene Ang of the Android Security Team Phone theft is more than just losing a device; it's a form of financial fraud that can leave you suddenly vulnerable to personal data and financial theft. That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt. Today, [...]
Part 3: Why CISOs Must Rethink Trust in AI on 27/01/2026
OpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows on 27/01/2026
A deep dive into OpenSSL’s January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug. [...]
🦞🤖MOAR CLAWDBOT CRAP🦞🤖 on 26/01/2026
SQL injection in structure plugin on 26/01/2026
ExpressionEngine disclosed a bug submitted by fed01k: https://hackerone.com/reports/3249794 [...]
🦞🤖CLAWDBOT SECURITY??🦞🤖 on 26/01/2026
HackerOne Agentic PTaaS Demo: Continuous Validation for Real-World Risk on 26/01/2026
AI can move fast on 26/01/2026
How to Become a Top Bug Bounty Hunter in 2026 on 26/01/2026
wcurl Argument Injection via Unquoted Variable on 26/01/2026
curl disclosed a bug submitted by playerofficial19: https://hackerone.com/reports/3523953 [...]
Integer Underflow in src/var.c on 26/01/2026
curl disclosed a bug submitted by f_i_h: https://hackerone.com/reports/3523349 [...]
Introducing IDE-SHEPHERD: Your shield against threat actors lurking in your IDE on 26/01/2026
IDE-SHEPHERD is an open-source IDE security extension that provides real-time monitoring and protection for VS Code and Cursor. It intercepts malicious process executions, monitors network activity, and blocks dangerous workspace tasks before they can compromise your development environment. [...]
🤖🤖🤖 on 23/01/2026
I am a scammer? on 23/01/2026
What exploit to hunt for when everything is tested #bugbounty on 23/01/2026
How to pick an exploit in #bugbounty on 23/01/2026
🤖🤖 on 22/01/2026
How I sped up exploit validation in Repeater using Burp AI on 22/01/2026
Note: This is a guest post by IT security consultant Adarsh Kumar. I’ve been using Burp Suite day to day for years, so when Burp AI was introduced, I was curious how it would actually hold up dur [...]
A tech issue alone does not = risk on 22/01/2026
IoT Hacking Stream on 22/01/2026
31 bite-sized tips, techniques, and bug bounty resources to kick off 2026! by Eleanor Barlow on 22/01/2026
What you will learn Practical, bite-sized bug bounty tips and techniques you can apply immediately, whether you’re just starting or sharpening your skills. Proven approaches for finding, prioritizing, and validating vulnerabilities more efficiently in real-world programs. An eye on what to look out for to stay consistent and motivated in 2026. In the lead-up to the new year, we released a bug [...]
🤖 on 21/01/2026
Spam & Clearance checks disabled with existing referenced Message-ID on 21/01/2026
Basecamp disclosed a bug submitted by northeastprince: https://hackerone.com/reports/2012659 [...]
"I made an Evil MCP server" (and AI fell for it) on 21/01/2026
Will LLMs Always Hallucinate? on 20/01/2026
Kimwolf Botnet Lurking in Corporate, Govt. Networks by BrianKrebs on 20/01/2026
A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations [...]
[Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project. on 20/01/2026
Stripo Inc disclosed a bug submitted by srcode: https://hackerone.com/reports/3459285 [...]
Memory Exhaustion in CometBFT v1.0.1 via malicious ProposalMessage leads to network-wide denial of service on 20/01/2026
Cosmos disclosed a bug submitted by 0xjam: https://hackerone.com/reports/3510161 [...]
Crossorigin cookies leak and injection risk when using a custom Host header on 20/01/2026
curl disclosed a bug submitted by ichise: https://hackerone.com/reports/3516878 [...]
SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends on 20/01/2026
curl disclosed a bug submitted by foobar4213: https://hackerone.com/reports/3516974 [...]
Internal logs/info leaked via endpoint {https://203.137.128.240/server-status} on 20/01/2026
pixiv disclosed a bug submitted by dexter34: https://hackerone.com/reports/2473173 [...]
This Simple Vulnerability Was Worth $70,000 on 19/01/2026
Cookie Replacement Use-After-Free Vulnerability on 19/01/2026
curl disclosed a bug submitted by bhaskar_ram: https://hackerone.com/reports/3516202 [...]
Cookie Max-Age Integer Overflow Vulnerability on 19/01/2026
curl disclosed a bug submitted by bhaskar_ram: https://hackerone.com/reports/3516186 [...]
Is @TheXSSRat a scammer? on 18/01/2026
Disclose Hidden Comments on Media Section of hub.vroid.com on 18/01/2026
pixiv disclosed a bug submitted by giwadaoud: https://hackerone.com/reports/2541962 - Bounty: $500 [...]
Clickjacking can lead to account takeover on 18/01/2026
pixiv disclosed a bug submitted by hyk3n: https://hackerone.com/reports/2119892 - Bounty: $200 [...]