Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild. Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quiet [...]
In 2023, the science fiction literary magazine Clarkesworld stopped accepting new submissions because so many were generated by artificial intelligence. Near as the editors could tell, many submitters pasted the magazine’s detailed story guidelines into an AI and sent in the results. And they weren’t alone. Other fiction magazines have also reported a high number of AI-generated submissions. This [...]
Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers. [...]
AWS VDP disclosed a bug submitted by aneeeketh: https://hackerone.com/reports/3426839 [...]
Django disclosed a bug submitted by sy2n0: https://hackerone.com/reports/3426417 [...]
You probably think the security mantra “you can’t protect what you don’t know about” is an inarguable truth. But you would be wrong. It doesn’t hold water in today’s threat landscape. Of course, it sounds reasonable. Before you secure APIs, you must first discover, inventory, and document them exhaustively. The problem is that this way of thinking has hardened into dogma and ignores how attack [...]
This is amazing: Opus 4.6 is notably better at finding high-severity vulnerabilities than previous models and a sign of how quickly things are moving. Security teams have been automating vulnerability discovery for years, investing heavily in fuzzing infrastructure and custom harnesses to find bugs at scale. But what stood out in early testing is how quickly Opus 4.6 found vulnerabilities out of t [...]
This is a video of advice for squid fishing in Puget Sound. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Once. Someone named “Vincenzo lozzo” wrote to Epstein in email, in 2016: “I wouldn’t pay too much attention to this, Schneier has a long tradition of dramatizing and misunderstanding things.” The topic of the email is DDoS attacks, and it is unclear what I am dramatizing and misunderstanding. Rabbi Schneier is also mentioned, also incidentally, also once. As far as ei [...]
404Media is reporting that the FBI could not access a reporter’s iPhone because it had Lockdown Mode enabled: The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the home of the reporter, Hannah Natanson, in January as part of an investigation into leaks of classified information. It also provides rare insight into [...]
Nextcloud disclosed a bug submitted by se1en: https://hackerone.com/reports/3360354 - Bounty: $750 [...]
Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users. Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a ca [...]
curl disclosed a bug submitted by pajarori: https://hackerone.com/reports/3531216 [...]
Bug bounty growth insights across the US Bug bounty programs have evolved from a niche security tactic into a core component of modern defense strategies worldwide. In this blog, we focus on the US: one of the most invested and fastest-adopting markets, where organizations, driven by higher security maturity, are increasingly using bug bounty to uncover complex vulnerabilities that traditional t [...]
Django disclosed a bug submitted by stackered: https://hackerone.com/reports/3424977 [...]
The US National Reconnaissance Office has declassified information about a fleet of spy satellites operating between 1971 and 2006. I’m actually impressed to see a declassification only two decades after decommission. [...]
GoCD disclosed a bug submitted by aigirl: https://hackerone.com/reports/3509632 [...]
Datadog Security Research has identified an active web traffic hijacking campaign that targets NGINX installations and management panels like Baota (BT). In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your NGINX configurations. [...]
Microsoft gives the FBI the ability to decrypt BitLocker in response to court orders: about twenty times per year. It’s possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience. While that means someone can access their data if they forget their password, or if repeated failed attempts to login [...]
LinkedIn disclosed a bug submitted by allenjo: https://hackerone.com/reports/3151001 [...]
LinkedIn disclosed a bug submitted by minex627: https://hackerone.com/reports/3235855 [...]
A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying — perhaps as much to contain the stolen data [...]
There’s a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China. Maybe avoid using them. [...]
PostMessage vulnerabilities arise when developers fail to properly validate message origins or sanitize content within cross-origin communication handlers. As modern web applications increasingly rely on the postMessage API for cross-origin communication, whether for embedded widgets, OAuth flows, third-party integrations, or iframe-based components, the attack surface continues to grow. While pos [...]
A new species of squid. pretends to be a plant: Scientists have filmed a never-before-seen species of deep-sea squid burying itself upside down in the seafloor—a behavior never documented in cephalopods. They captured the bizarre scene while studying the depths of the Clarion-Clipperton Zone (CCZ), an abyssal plain in the Pacific Ocean targeted for deep-sea mining. The team described the enc [...]
APIs are one of the most important technologies in digital business ecosystems. And yet, the responsibility for their security often falls to AppSec teams – and that’s a problem. This organizational mismatch creates systemic risk: business teams assume APIs are “secured,” while attackers exploit logic flaws, authorization gaps, and automated attacks in production. As Tim Erlin noted rece [...]
Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler. This work reflects one of our driving values: “share what others can use.” The measure isn’t whether you share something, but whether it’s actually useful to someone else. This princi [...]
Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our cu [...]
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. January's challenge presented participants with CRYPTIGRITI, a cryptocurrency trading platform where users could buy and trade Bitcoin (BTC), Monero (XMR), and a custom digital currency, 1337COIN. This article provides a step-by-step walkthrough for solving January's [...]
Posted by Nataliya Stanetsky, Fabricio Ferracioli, Elliot Sisteron, Irene Ang of the Android Security Team Phone theft is more than just losing a device; it's a form of financial fraud that can leave you suddenly vulnerable to personal data and financial theft. That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt. Today, [...]
A deep dive into OpenSSL’s January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug. [...]
ExpressionEngine disclosed a bug submitted by fed01k: https://hackerone.com/reports/3249794 [...]
The cybercriminals in control of Kimwolf — a disruptive botnet that has infected more than 2 million devices — recently shared a screenshot indicating they’d compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people b [...]
curl disclosed a bug submitted by playerofficial19: https://hackerone.com/reports/3523953 [...]
curl disclosed a bug submitted by f_i_h: https://hackerone.com/reports/3523349 [...]
IDE-SHEPHERD is an open-source IDE security extension that provides real-time monitoring and protection for VS Code and Cursor. It intercepts malicious process executions, monitors network activity, and blocks dangerous workspace tasks before they can compromise your development environment. [...]
Note: This is a guest post by IT security consultant Adarsh Kumar. I’ve been using Burp Suite day to day for years, so when Burp AI was introduced, I was curious how it would actually hold up dur [...]
What you will learn Practical, bite-sized bug bounty tips and techniques you can apply immediately, whether you’re just starting or sharpening your skills. Proven approaches for finding, prioritizing, and validating vulnerabilities more efficiently in real-world programs. An eye on what to look out for to stay consistent and motivated in 2026. In the lead-up to the new year, we released a bug [...]
Basecamp disclosed a bug submitted by northeastprince: https://hackerone.com/reports/2012659 [...]
A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations [...]
Stripo Inc disclosed a bug submitted by srcode: https://hackerone.com/reports/3459285 [...]
Cosmos disclosed a bug submitted by 0xjam: https://hackerone.com/reports/3510161 [...]
curl disclosed a bug submitted by ichise: https://hackerone.com/reports/3516878 [...]
curl disclosed a bug submitted by foobar4213: https://hackerone.com/reports/3516974 [...]
pixiv disclosed a bug submitted by dexter34: https://hackerone.com/reports/2473173 [...]
curl disclosed a bug submitted by bhaskar_ram: https://hackerone.com/reports/3516202 [...]
curl disclosed a bug submitted by bhaskar_ram: https://hackerone.com/reports/3516186 [...]
pixiv disclosed a bug submitted by giwadaoud: https://hackerone.com/reports/2541962 - Bounty: $500 [...]
pixiv disclosed a bug submitted by hyk3n: https://hackerone.com/reports/2119892 - Bounty: $200 [...]
curl disclosed a bug submitted by andrewml: https://hackerone.com/reports/3514263 [...]
Nextcloud disclosed a bug submitted by hakuna: https://hackerone.com/reports/2388183 - Bounty: $100 [...]
Nextcloud disclosed a bug submitted by hakuna: https://hackerone.com/reports/2380133 - Bounty: $250 [...]
AWS VDP disclosed a bug submitted by farmer: https://hackerone.com/reports/3427370 [...]
Note: This is a guest post by pentester Julen Garrido Estévez (@b3xal). Methodology Key results Examples Key learnings Prompt template A pentester's POV on Burp AI Pentester Julen Garrido Es [...]
Hi hackers, Welcome to the latest edition of Bug Bytes (and the first of 2026)! In this month’s issue, we’ll be featuring: Hijacking official AWS GitHub repositories New anonymous bug bounty forum Finding more IDORs & SSRFs using a unique methodology New JavaScript file scanner to find hidden endpoints And so much more! Let’s dive in! Intigriti SantaCloud CTF results are in December 20 [...]