Introducing Pathfinding Labs, a collection of intentionally vulnerable AWS environments for red teamers and blue teamers to deploy, exploit, and use for detection validation.

Technical breakdown of the unauthenticated ZTE router DoS published as CVE-2026-34473.

Storm-2949 turned stolen credentials into a cloud-wide breach, moving from identity compromise to large-scale data theft without using malware. This incident shows how threat actors can exploit trusted systems to operate undetected.

Varonis Threat Labs discovered a new technique that abuses NTFS junctions to generate infinite file paths, causing EDR products to hang and leave files unscanned.

Web Push userVisibleOnly was unenforced on Chrome, Edge, and pre-26.5 Safari. A showNotification/close race made the Service Worker silently exploitable as a persistent C2 channel via FCM and WNS. Apple shipped a fix on May 11. The Chromium patch (CL 7767797)…

Score traffic, solve PoW challenges for legitimate apps, and route hostile automation into controlled tarpits.

Static analysis on 12,750 n8n templates from n8n.io and GitHub. 716 expose pre-auth vulnerabilities. Six end-to-end demos: SSRF, SQL injection, RCE.

This research was recently presented at BSides Luxembourg 2026. This blogpost documents our findings presented during the talk. The BSides slides are posted here. Today, we’re also releasing the Docker-based playground utilized for the demos so anyone interested…

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.

Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious…

Observed exploit path: unauthenticated wizard requests disclose admin, WLAN, and PPPoE credentials. Those leaked secrets then become a direct path to management-interface auth bypass.

Iran’s plan to “tax the internet” in the Strait of Hormuz highlights the regime’s push to profit from global data cables while restricting citizens online.

IBM X-Force Index 2026: supply chain attacks 4x in 5 years. 50% of global orgs had an AI-related security incident. North America most attacked for first time in 6 years. The common thread is preventable.

TLDR; Score severity by collision count. Researchers ship patches not just reports. Companies redesign for a world where the exploit lands before the patch. No magic. No vendor pitch. Just the playbook.
The last post went further than I expected. NYT’s Hard…

CVE-2026-45585 (CVSS 6.8): YellowKey bypasses BitLocker encryption via Windows Recovery Environment. No password cracking. No TPM exploit. Just a maintenance request the OS processed exactly as designed.

IBM X-Force Index 2026: supply chain attacks 4x in 5 years. 50% of global orgs had an AI-related security incident. North America most attacked for first time in 6 years. The common thread is preventable.