Computer programming is an art, because it applies accumulated knowledge to the world, because it requires skill and ingenuity, and especially because it produces objects of beauty.
Starred Articles
Visual Studio Extensions Revisited
05/27/2026We revisit the insecure state of Visual Studio extensions, showing how a malicious out‑of‑process extension can be built, published to the Visual Studio Marketplace, and silently execute remote code.
While the standards for Post-Quantum Cryptography have arrived, quantum-safe math is only half the story. This article explores how physical chips can still leak your secrets, and the hardware security needed to protect them.
Two Bypasses for Chrome's Sanitizer API
05/21/2026In this blog post, I present two bypasses for the Sanitizer API in Chrome 146: one tricks the SVG animate element to execute JavaScript, and another that exploits a mismatch between the full KURL parser and a fast‑path ProtocolIsJavaScript check.
Tokenization Attacks on LLMs
05/18/2026From glitch tokens and invisible Unicode injections to TokenBreak attacks that bypass security classifiers, attackers are increasingly exploiting tokenization behaviors to manipulate LLMs, evade safeguards, and compromise AI systems. This blog explores how tokenization works, why embedding relationships matter, and how attackers weaponize tokenizer quirks to undermine modern AI defenses.
New Articles
GKE ships three log sources to Cloud Logging by default but some critical data are still missing. We review the key pre-requisite and settings to properly handle a breach in GKE.
Technical analysis of a PlugX MSI sideloading malware using AVK.dll, XOR-encrypted staging, RC4 config decryption, and persistence.
Deep dive into CVE-2024-52577 Apache Ignite deserialization flaw enabling unauthenticated remote code execution at scale via Apache Ignite's TCP SPI paths.
We analyze a chain of subtle bypasses in a Web application that eventually lead to an exploitable XSS, the theft of the user OAuth token and eventually the takeover of the targeted account.
This guide consolidates everything about Microsoft Defender XDR custom detection rule: the rule anatomy and required columns, how to choose frequency, NRT eligibility rules, enrichment and entity‑mapping limits, response‑action prerequisites, scoping pitfalls, quota limits, and best‑practice patterns for building reliable, fast‑running, and well‑enriched custom detections.
When looking at security measures in Microsoft Entra ID environments, a common recommendation is to implement Conditional Access policies. However, simply implementing conditional access will not provide much security, as we see in the phishing attack that we analyze in this article.
We detail a three‑stage, memory‑only toolset used by a Lazarus‑linked subgroup: DPAPILoader (a DPAPI‑encrypted DLL that loads RemotePELoader), RemotePELoader (a C2‑controlled loader that evades EDR via HellsGate and ETW patching), and RemotePE (a full‑featured RAT that runs entirely in RAM, leaves no disk artifacts, and can execute plug‑in DLLs). We also provide IOCs, YARA rules, and detection guidance for defenders.
This article surveys the BitLocker flaws landscape: where it has been broken before, where it is still broken today, and what an investigator should expect to encounter on a seized Windows machine in 2026.
Finding XSS on Shazzer (literally)
05/27/2026How I found an XSS in Shazzer, a tool for discovering and sharing browser quirks through fuzzing. Not *using*, but *in* Shazzer. We'll explore some useful techniques with Blob URLs to unsandbox malicious content.
Deep Malware and Phishing Analysis
05/18/2026In this blog post, we analyze a multi-stage phishing campaign that leveraged two distinct infection vectors, both relying on the same underlying infrastructure.
We detail how we turned a an SQL injection in Drupal Core PostgreSQL (CVE-2026-9082), a fully unauthenticated SQL injection reachable through a public JSON:API collection filter, into a remote command execution (RCE).
We analyze The Gentlemen ransomware, a ransomware-as-a-service (RaaS) threat that is distinguished by its ability to pair its strong per-file encryption with an aggressive self-propagation capability designed to enable broad network compromise. In addition to using per-file ephemeral Curve25519 keys with XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using series of simultaneous, distinct lateral movement methods, increasing the likelihood of widespread impact once initial access is achieved.
We detail how AI-assisted browser automation can turn Microsoft Graph Explorer into a destructive Entra ID administration interface when a signed-in account already holds privileged access. Using Claude for Chrome, browser-side JavaScript, and Microsoft Graph batch requests, destructive actions can be automated directly from the browser session.
We found that Gogs allows authenticated users to achieve RCE on the server by creating a pull request with a specially crafted branch name. More in our latest analysis blog.
We explain how modern PowerShell workflows turn raw Windows memory and disk artefacts into fast, KAPE-style timelines for real-world DFIR.
A review of MalShark, an MCP (Model Context Protocol) server that wraps tshark and exposes a suite of malware analysis tools directly inside Cursor or any MCP-compatible AI client
Still Recent
Static Devirtualization of Themida
05/08/2026This article demonstrates devirtualization of CodeVirtualizer/Themida protected code, however the techniques described here apply to pretty much every virtual machine based obfuscator. Only requiring some minor modifications to support each of them.
(CVE-2026-41873) Apache Pony Mail CRLF Injection and SSRF Leading to Full Account Takeover
04/27/2026A CRLF injection vulnerability in Apache Pony Mail's Lua implementation allows an unauthenticated attacker to smuggle arbitrary HTTP requests to the backend Elasticsearch instance, enabling full administrative account takeover. A related blind SSRF in Apache Pony Mail Foal's OAuth endpoint was also identified and patched.
CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)
05/13/2026We discovered CVE-2026-20182 an authentication bypass vulnerability affecting the "vdaemon" networking stack of Cisco Catalyst SD-WAN Controller (formerly known as vSmart).
Oldies but Goodies
(CVE-2025-47985) Windows Event Tracing Insufficient Validation Leading to Elevation of Privilege
07/07/2025Insufficient validation of the TRACE_ENABLE_FLAG_EXTENSION offset in Windows Event Tracing allows a local attacker to corrupt flag extension length fields, leading to an out-of-bounds read and elevation of privilege.
Analysis of a ransomware infection that started with a password spray attack targeting an internet-facing RDP server.
We uncover real-world indirect prompt injection attacks and detail how adversaries weaponize hidden web content to exploit LLMs for high-impact fraud.