devtake.dev

Security

Vulnerabilities, breaches, supply-chain attacks, and defensive security.

DepthFirst research card titled 'Twenty One Zero-Days in FFmpeg' over a dark code-styled background

An AI agent found 21 ways to attack FFmpeg, the codec library inside almost everything

DepthFirst's agent surfaced 21 FFmpeg zero-days for about $1,000. One 183-byte packet hits RCE. The deeper story is who pays the volunteers who fix them.

Cargo loader moving freight onto an aircraft, a stand-in for the software supply chain

Red Hat's npm namespace and Arch's AUR were both backdoored within two weeks of each other

A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.

Rows of server racks inside a data center, the kind of infrastructure that runs Starlette-based AI agent endpoints

One bad Host header bypassed auth in Starlette, the routing core under millions of AI agents

A flaw in Starlette, downloaded 325M times a week, let a single Host-header character bypass path-based auth across FastAPI, vLLM, and MCP servers.

Visual Studio Code logo on a dark background

VS Code's webview sandbox leaks GitHub tokens that read and write every private repo

A disclosed VS Code zero-day lets one click on a malicious github.dev notebook steal a GitHub OAuth token with full read-write access to every private repo.

GitHub and Windows security composite with a warning overlay

GitHub banned the researcher dropping Windows zero-days. The code was already mirrored everywhere.

GitHub wiped Nightmare-Eclipse's account on May 23 after weeks of unpatched Windows exploits. The ban reopened the oldest fight in security: who decides what research gets hosted?

Mozilla *Privacy Not Included graphic illustrating a car as a privacy nightmare, with data flowing out of the vehicle.

Your car logs every hard brake, and the FTC just banned GM from selling it for five years

Connected cars collect location, driving behavior, in-cabin audio, and synced contacts, then route it to automaker clouds, brokers, and insurers. Here's how to stop it.

A 7-Eleven storefront, the retail chain whose franchisee document store was breached and leaked.

ShinyHunters dumped 9.4GB of 7-Eleven franchisee data after a rejected ransom demand

ShinyHunters breached a 7-Eleven Salesforce instance holding franchisee documents, exposing 185,000 people. The 9.4GB archive hit a leak site after 7-Eleven declined to pay.

The Microsoft corporate logo, the brand the scam emails are spoofing through Microsoft's own legitimate notification infrastructure.

Scammers turned a Microsoft notification address into a spam relay. The emails pass SPF, DKIM, and DMARC.

Spammers found a Tenant Name injection in Entra ID that pushes fraud text into Microsoft's own OTP emails. The from-line reads [email protected].

Google Chrome logo on a dark background

Google's bug tracker auto-published exploit code for an unpatched Chromium flaw. The bug is still live.

Chromium Issue 1396278 went public on May 20 because Google's tracker auto-clears restrictions on stale closed bugs. The flaw, reported in 2022, was never fixed.

Apple Security Research site banner card.

Apple shipped formal proofs for its post-quantum crypto. 2.5 billion devices now run verified code.

Apple's SEAR team published formal verification proofs for corecrypto's ML-KEM and ML-DSA implementations. 50,000 proof steps cover 2.5 billion active devices.

GitHub security blog header showing the GitHub Octocat logo on a backdrop of black security blocks.

GitHub's internal repos were breached. The attacker came in through a poisoned VS Code extension.

GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.

Microsoft's World Passkey Day 2026 promo art for passwordless authentication

Microsoft is killing SMS codes on consumer Microsoft accounts. Passkeys take over by December.

Microsoft is phasing out SMS sign-in and recovery on personal Microsoft accounts by December 2026. Replacements: passkeys, Authenticator, or verified email.

CISA logo and seal of the U.S. Cybersecurity and Infrastructure Security Agency

A CISA contractor left GovCloud admin keys on public GitHub. The file was named 'Important AWS Tokens.txt'.

GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.

An illustration of the Claude Code deeplink vulnerability, showing a malicious URL handler triggering a shell prompt.

A bad command-line parser turned every claude-cli:// link into a remote shell

Joernchen of 0day.click found a deeplink RCE in Claude Code. Anthropic shipped the fix in 2.1.118 the same week.

A technician at a server rack with a laptop, standing in for the SQL infrastructure Opexus ran for 45 federal agencies.

Twin contractors deleted 96 federal databases in 56 minutes. One asked an AI how to clear the logs.

A federal jury convicted Sohaib Akhter on May 7 of wiping 96 government databases at Opexus. His twin Muneeb queried an AI: 'how do I clear system logs from SQL servers.'

Stylized illustration of remote code execution attack flow

F5 patched an 18-year-old NGINX bug. Attackers can RCE a third of the web with one crafted request.

F5 disclosed CVE-2026-42945 on May 13 after depthfirst's analyzer found a heap overflow in a 2008 commit. NGINX 1.31.0 ships the patch; every Plus tier needs an upgrade.

Windows logo composite with security-warning overlay

A USB stick now opens a BitLocker drive in 60 seconds. The researcher calls it a backdoor.

A pseudonymous researcher dropped two unpatched Windows zero-days on May 12. YellowKey bypasses BitLocker via WinRE; Microsoft has not acknowledged either bug.

Glowing DNS server illustration above a darkened network rack

Six new bugs hit dnsmasq, the DNS daemon in every Linux router. One gives a local attacker root.

CERT VU#471747 lists six dnsmasq CVEs disclosed May 11. The DHCPv6 flaw is local-root code execution. Simon Kelley credits 'a revolution in AI-based security research.'