The security angle on encrypted DNS is often oversimplified. DoH prevents ISP-level snooping and basic DNS hijacking, but doesn't protect against a compromised resolver. DoT is easier to detect and block, which has real implications for threat actors trying to exfiltrate via DNS. DoQ is interesting from a security perspective because QUIC's connection ID migration makes traffic correlation harder. Article includes benchmark data and practical server config — but mostly written for the "which threat model does each protocol address" question.

I published a technical write-up on an old OLX account takeover issue.

The core bug was an OTP correctness leak inside the rate-limit state.

After repeated invalid OTP attempts, the application showed a lockout message. However, blocked submissions did not become response-equivalent.

Invalid codes during lockout still produced the invalid-code signal.

The valid code during lockout removed that signal while keeping the lockout message.

That made the lockout state act as an oracle for whether the OTP was correct.

The broader impact came from reuse of the verification flow across account paths, including recovery/reset-style flows, plus weak session revocation behavior after password change.

The write-up focuses on the response-difference behavior, why the validity window mattered, how the issue escalated to account takeover, and why lockout states must stop leaking success/failure information.

The first sign wasn’t a security alert. It was a temperature reading.
A food plant’s cold rooms were warming up and the product was spoiling. The engineers expected a dead compressor. Instead, someone had been inside the controllers and rewritten them on purpose: setpoints, safety limits, valves pinned open, and the engineers’ own remote account locked out while the plant failed. Three compressors destroyed. No malware required, just an attacker who understood refrigerant physics.
On the same network, our team found a disk wiper hiding as a fake Microsoft update.
One IRGC-directed front. Two target sets, IT and OT. And it all ran under a ceasefire, when everyone had been told the fighting was over. That’s not a coincidence. It’s the doctrine.
Our IRT broke the whole thing down, with GRAT IOCs and a YARA rule:

Disclosure/write-up for CVE-2021-21735 affecting the ZTE ZXHN H168N V3.5.

The issue is cataloged as information disclosure, but the useful part is the authorization failure: wizard handlers under the setup surface exposed PPPoE and WLAN material that should have required authenticated configuration access. Firmware analysis points to a brittle whitelist decision around the QuickSetup flow, including routes such as wizard_pppoe_lua.lua and wizard_wlan_config_lua.lua.

The write-up keeps secrets redacted and focuses on the route behavior, firmware logic, deployment-dependent admin compromise path, disclosure timeline, and the ZTE Low vs NVD Medium severity split.

Overview: On May 24, 2026, the data breach notification service Have I Been Pwned (HIBP) integrated a dataset originating from an April 2026 extortion campaign targeting 7-Eleven. The breach, attributed to the threat actor group ShinyHunters, compromised 185,300 unique accounts and resulted in a 9.4GB cleartext data dump following the organization's refusal to comply with ransom demands.

Attack Vector & Targeted Infrastructure

The initial compromise occurred on or around April 8, 2026. Forensic indicators and lateral movement tracking indicate the threat actors did not target point-of-sale (POS) networks or central customer-facing databases. Instead, the breach was localized to external cloud-managed systems - specifically infrastructure dedicated to corporate franchisee document management and onboarding portals.

The vector aligns with recent ShinyHunters operational methodology involving targeted credential harvesting, session hijacking, and the exploitation of permissive API keys within integrated third-party identity management providers.

Data Profile & Exfiltrated Schemas

Following a failed extortion deadline set by the actors between April 17 and April 21, the full 9.4GB archive was leaked to the public internet. The schema validation confirms that the compromised database contains:

• Primary PII: Full names, verified email addresses, mobile and landline telephone numbers, and residential physical addresses.
• Sensitive Administrative Records: Dates of birth and corporate filing metadata.
• Vetting Documentation: A subset of the leaked files contains sensitive background check documentation, including Social Security Numbers (SSNs) and state-issued identification numbers submitted during the franchise application phase.

Operational Timeline

• 2026-04-08: Detection of unauthorized access to the franchisee document storage cluster.
• 2026-04-17: ShinyHunters list 7-Eleven on their public Tor leak site, establishing a 4-day payment window.
• 2026-04-22: Following 7-Eleven's administrative refusal to negotiate or pay the extortion fee, the actors published the complete unencrypted archive.
• 2026-05-24: Complete data ingestion, de-duplication, and formal verification completed by HIBP.

Technical Analysis & Core Metrics

The incident highlights a persistent trend where threat actors deliberately target non-production, administrative, or third-party adjacent business environments to bypass hardened perimeter controls protecting primary consumer data.

Hi r/netsec,

I work in DevRel at KubeArmor, a CNCF open source runtime security project. We built an AI security CTF that covers attack surfaces most traditional CTFs don't touch yet, and I think this community would find it interesting.

Three tracks, 18 challenges:

1. Prompt Injection Lab - system instruction override, persona drift via roleplay/translation, multi-turn memory manipulation, indirect injection through poisoned context, guardrail filter bypass
2. Agent Workflow Hijack - coercing agent tool misuse, poisoning indexed sources with hidden instructions, manipulating fake approval gates, exploiting agent memory as a prompt injection surface, chaining tool calls to exfiltrate secrets
3. Hidden API & Guardrail Bypass - triggering debug endpoints, tampering safety mode parameters via DevTools, abusing export features for data leaks, intercepting streamed responses before redaction kicks in, replaying weak preview tokens

The whole thing runs in the browser. No cluster access, no local tools needed. We wanted to remove friction so people could focus on the actual exploitation.

It's free, individual play, CTFd-scored. June 17-22. $1,000+ in prizes for top performers.

If you have thoughts on the challenge design or want to discuss AI threat modeling approaches, I'm all ears.

repo : https://github.com/Ymsniper/NoEyes

"When performing security assessments on HTTP-based applications, whether web, mobile, APIs, or thick clients, the standard workflow is straightforward: put Burp Suite in the middle, and you’re good to go. Most of the time, that’s all you need.

Every now and then, though, you run into a small but significant class of applications where that workflow breaks down. Custom protocols, payload encryption, request signatures, replay protection, non-standard encoding, these are the scenarios where you can no longer work manually the way you’re used to, and where Burp’s automated tools (Intruder, Scanner) stop being useful because they’re operating on data they can’t meaningfully read or modify.

In this talk I took one of these complexities as example, additional payload encryption, and used it as a vehicle to explore advanced approaches based on custom Burp extensions to restore full testability: working manually in Proxy and Repeater, running automated tools like Intruder and Scanner, and even driving external tools like SQLMap through Burp, all as if the complexity simply weren’t there."

This is the longer technical writeup behind CVE-2021-35036. The short CVE summary makes it sound like simple cleartext storage, but the useful part is the access path.

A low-privileged Zyxel router session could query DAL handlers like login_privilege and tr69 and receive password-bearing backend objects in the response. That included higher-privilege local account data, FTPS credentials, and TR-069 management secrets. Zyxel’s advisory later expanded the scope from the original VMG3625-T50B report into broader CPE, ONT, LTE, and 5G product lines.

I also included the password-generation side: QEMU runtime, LD_PRELOAD serial hook, getpassword analysis, and the Method2 / Method3 supervisor password logic.

We've been tracking TeamPCP since March. This is the fifth major package in the same campaign. Full chronology:

• Mar 19 — Trivy compromised. CI/CD secrets harvested downstream.
• Mar 24 — LiteLLM 1.82.7/1.82.8 to PyPI via credentials stolen through Trivy. ~95M monthly downloads. ~1,000 cloud environments in a 3-hour window.
• Mar 27 — Telnyx Python SDK 4.87.1/4.87.2 to PyPI. WAV steganography for payload delivery. ~670K monthly downloads.
• April — Bitwarden CLI, SAP npm packages, PyTorch Lightning.
• May 11 — 84 malicious versions across ~170 packages (@tanstack/, guardrails-ai, u/mistralai/, OpenSearch). First SLSA Build Level 3 provenance bypass. OpenAI hit downstream.
• May 20 — durabletask 1.4.1/1.4.2/1.4.3. Reads Vault, 1Password, Bitwarden, SSH keys, Docker creds. Propagates via AWS SSM and kubectl exec.

We wrote on the LiteLLM chain in March when this started. Same TTPs, different package: https://www.bluerock.io/post/litellm-supply-chain-protection

I wrote a full technical breakdown of the CISA/Nightwing GitHub credential leak that dropped last week. Sharing here because the coverage mostly stopped at "government agency leaked secrets" without getting into what actually failed at each layer.

What was in the repo (844 MB):

- AWS GovCloud admin keys in `Important AWS Tokens.txt`

- Browser password export: `AWS-Workspace-Firefox-Passwords.csv`

- Entra ID SAML certificates (full SSO impersonation capability)

- GitHub PATs (personal + professional)

- Kubernetes Kube-Config for CISA's Landing Zone DevSecOps cluster

- ArgoCD application files with secret-related YAML

- Terraform IaC describing internal cloud architecture

- CI/CD logs, internal documentation, service hostnames

The five defense failures I broke down:

1. Plaintext credential storage (baseline failure)

2. GitHub secret scanning deliberately disabled — this is the one that gets me. Push protection ships ON by default. Someone turned it off.

3. Shadow backup workflow — repo was structured as personal cloud storage for work assets, bypassing enterprise data controls

4. Zero internal monitoring detected this for 183 days. GitGuardian found it externally.

5. AWS GovCloud keys stayed valid for **48 hours after the repo came offline** — confirmed independently by Philippe Caturegli of Seralys

The 48h window is the underreported angle. Taking the repo down removes the exposure source. It doesn't revoke credentials already harvested. Anyone who scraped during the 183-day window still had working GovCloud admin access two days after the incident was "contained."

MITRE ATT&CK mapping: T1078, T1552.001, T1552.004, T1098, T1087, T1619, T1021, T1530, T1567.002, T1562.001

Detection rules included:

- Sigma rule for AWS key usage post-exposure (CloudTrail-based)

- gitleaks/TruffleHog scan commands

- Kubernetes API anomaly detection logic

- Honeytoken deployment strategy

Three-tier remediation plan: immediate (today), short-term (this week), strategic (30 days) — with specific commands and tooling recommendations.

Happy to discuss the detection engineering side or any of the MITRE mappings — some of them (especially T1562.001 for the secret scanning disable) are worth arguing about.

got so tired of this, that i wrote an awareness article. What do you think? Am i missing something?

CVE-2026-34474 covers a pre-auth credential disclosure in ZTE ZXHN H298A 1.1 and H108N 2.6 router web interfaces.

The short version: an ETHCheat branch returns credential-bearing HTML before authentication. The captured fields include the admin password, WLAN PSK, and ESSID, and a companion wizard endpoint exposes serial data. The writeup keeps the PoC output redacted and focuses on the response behavior, affected scope, and disclosure trail.