Security Review #310

June 05, 2026

Try new things. Bias towards novelty within the space of feasible solutions. Fight the impulse to copy designs verbatim. Every major system was just a half-baked idea in someone's head at some point.

— Mahesh Balakrishnan

Starred Articles

LLMReaper - DOM Based AI Conversation Exfiltration via Browser Extension

We introduce LLMReaper, a proof-of-concept Chrome extension demonstrating passive DOM-based exfiltration of AI conversations using MutationObserver, no special permissions, no network interception. Captured conversations are scanned in real-time for exposed API keys, OAuth tokens, JWTs, cloud credentials, and passwords, then exfiltrated via service worker to bypass Same-Origin Policy.

System Over Model, Tested: Reproducing Mythos's FreeBSD Find on Local Open-Weight Models

Mythos found a 17-year-old FreeBSD RCE; AISLE reproduced it with gpt-5.4-nano via their nano-analyzer pipeline. I ran the pipeline on two local open-weight models, gpt-oss-20b and gemma-4-31b-it. The misses recovered on re-run. The real problem was the false-positive rate, and one extra system stage cut it from 30 to 5 with the CVE still standing.

Poisoning Claude Code: One GitHub Issue to Break the Supply Chain

In this article, I will explain a vulnerability in Claude Code's GitHub Actions that could allow an attacker to compromise any repository that uses the Claude Code workflow, including Anthropic's own repositories.

Bypassing EDR in a Crystal Clear Way

This blog takes you from how C2 payloads actually work under the hood all the way to building a fully evasive reflective loader that bypasses one of the best EDR's, covering module overloading with .pdata registration, NtContinue entry transfer, API call stack spoofing with Draugr, sleep masking, and Crystal Palace YARA signature removal.

Codex Discovered a Hidden HTTP/2 Bomb

We’re publishing HTTP/2 Bomb, a remote denial-of-service exploit against most major web servers triggered by chaining two techniques known for a decade: a compression bomb and a Slowloris-style hold.

New Articles

Hardening Intune - Part 1: The Privileged Roles Nobody Talks About

This is Part 1 of a two-part series on Intune security hardening. This post covers what we have seen in real world attacks, why platform administration roles are systematically underprotected, and what controls you need in place.

Investigating suspicious AI workflows in Microsoft Entra Agent ID - Part 1: Autonomous agents

In this series, we will investigate three potentially suspicious behaviors originating from each of Microsoft’s Entra Agent ID supported agent workflow. This first part will focus on an autonomous agent made unauthorized changes to the Entra tenant that could be used to perform privilege escalation and persistence.

Tycoon 2FA AiTM detection for Entra ID and Google

Tycoon 2FA bypasses MFA on Entra ID and Google Workspace. We map telemetry fingerprints, ship detection rules, and contain incidents in under 10 seconds.

EDR Evasion: Using LLMs to Cut Detection Signatures

We explain how to use an LLM‑driven with VirusTotal‑guided feedback loop to automatically hunt and modify the strings, imports, and Go runtime metadata that trigger EDR detections. By treating VT results as an oracle and iterating with a Claude skill, we transform a flagged binary into a clean‑looking one without manual code rewrites.

Password Autofill Abused via HTML Injection

We detail how we turned a reflected HTML injection under a strict CSP into full credential theft by chaining password autofill with Referer header leakage.

Pattern Screamer: Subnet Discovery in Networks with Unknown Addressing

When tracing a route, devices reveal their interface addresses: a router whose TTL expires sends ICMP Time Exceeded, while the destination host replies to the probe itself with ICMP Destination Unreachable, SYN-ACK, or TCP RST, depending on its type. We leverage these behaviours to optimize network scanning and map subnets behind filters.

Breaking encryption schemes the lazy way

File name decryption with Claude Code: how encrypted file names were reverse-engineered in a DragonForce ransomware case.

Re:CACHE - Excessive reflection, type confusion, and 0-click SXSS on Next.js

We detail a real‑world exploit in which a Next.js app mirrors incoming request headers into its responses; by abusing the RSC endpoint, overriding the Content‑Type to text/html, and poisoning the Cloudflare cache, we chain two cache‑poisoning steps (one injecting a malicious HTML payload, the other using a Refresh header) to achieve a reliable zero‑click stored XSS.

The Lowdown on Lateral Movement

The aim of this blog post is to highlight the lateral movement ATT&CK category as one that presents network defenders with a myriad of issues in the context of threat detection and response. Although difficult to wrangle, using data source analysis combined with intelligent alerts, authentication and network layer telemetry, network defenders posses the necessary tools required to identify and act on malicious lateral movement.

1-Click GitHub Token Stealing via a VSCode Bug

A vulnerability in VSCode WebView makes it possible for an, attaxcker, just by clicking a link, to steal a GitHub token that can read and write to your repos, including private ones.

CIFSwitch: a non-universal Linux local root vulnerability

We detail CIFSwitch (CVE‑2026‑46243), a Linux local‑privilege‑escalation flaw in the CIFS kernel client’s handling of cifs.spnego key descriptions: an unprivileged process can forge a key description that launches the privileged cifs.upcall helper, forces it into an attacker‑controlled namespace, and loads malicious NSS modules to obtain root

ThinkPads From the Inside: A Reproducible Path From Archived BIOS to Named SoC Pads

A reverse-engineering writeup on turning Lenovo's published BIOS archive into something structured enough to drive coreboot ports, Hackintosh skeletons, GPIO security audits, and CVE-level firmware diffs - without owning the hardware, and without folklore.

CVE-2026-4387: StrongDM State File Reuse

We detail CVE-2026-4387, a vulnerability in StrongDM that would allow an attacker to transfer state files, which hold session authentication information, between hosts to provide authenticated sessions. Reusing the state file will result in an authenticated session and access to infrastructure.

Bypassing Windows Defender and AMSI: A Practical Defense Evasion Guide for Red Team Operators

A practical, layer-by-layer walkthrough of modern Windows defense evasion for red team operators: the architecture of Microsoft Defender, three generations of AMSI bypass (classic patching, hardware breakpoints, AMSI Write Raid), ETW silencing, AppLocker bypass with built-in LOLBins, and how to stitch them into a working kill chain - plus what blue teams can still detect.

EDR Incident Response Playbook: Containing Local Account Incidents

Local Windows accounts remain a challenge during incident response. This blog details the steps to build a single script that will help responding to incidents in which local accounts are used in the attach chain.

Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix

We found that the same NTLM leakage primitive that got patched in the Snipping Tool exists in Windows Explorer's search: handler. A single link click can leak a user's NTLMv2 hash to an attacker-controlled server before Windows even renders an error message.

Malicious npm packages abuse dependency confusion to profile developer environments

We identified a dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identify and disrupt related activity.

How to Evaluate an npm Package

Stars and downloads tell you about popularity, not safety. Here's a practical checklist for evaluating an npm package's security, reliability, and long-term maintenance in 2026.

Smuggling Through the Front Door... Achieving 0-Click XSS with Cache Poisoning

In this post, I want to walk through a request smuggling bug chain affecting Azure Front Door. Using a malformed or confusing GET request, a smuggled Host header, and Azure's own error page rendering, it leads to caching an XSS payload that would be delivered to the next user.

Installation of a Syslog Log Collector

We provide step-by-step guidelines to setup a fully functionnal Syslog Log Collector relying on rsyslog, syslog-ng, logstash, filebeat, elastic agent and vector.

Sliver into WebAssembly: Inside WasmForge

In this article, we expose how compiling Sliver into WebAssembly beats EDR and introduce WasmForge, a tool that produces opsec-safe binaries with zero changes to the tool source.

How LLMs Learn Roles, Follow Instructions, and Get Exploited

We explain how LLMs use control tokens, instruction hierarchy, and prompt templates to power agentic AI systems, and how attackers exploit these same mechanisms through prompt injection and control token spoofing.

Oldies but Goodies

OAuth Explained: How It Works & Common Mistakes

A simple, real-world guide to understanding OAuth, its key players, grant types, token flows, and security pitfalls developers often miss.

Testing WebSocket for Vulnerabilites

A practical guide to understanding WebSockets, from the initial HTTP handshake to building full-duplex connections, and the critical vulnerabilities that developers and pentesters must look for.