ZeroPath just released a fun library of free, lightweight exploit development CTFs and walkthroughs. Good for beginners and people trying to get better at exploit development.

I have documented a campaign consisting of more 25 distinct phishing variants that all converge on a single Google Cloud Storage (GCS) infrastructure point.

Core Infrastructure:

1. Primary Host: storage/.googleapis/.com
2. Bucket/Object: /whilewait/comessuccess.html

Analysis Highlights:

Evasion Strategy: The campaign utilizes the inherent trust of the googleapis/.com domain to bypass SPF/DKIM-based reputation filters and secure email gateways (SEGs).

Lure Variance: Social engineering hooks include Scareware (Storage Full/Threat Detected), Retail Rewards (Lowe's/T-Mobile), and Lifestyle/Medical lures.

Redirect Logic: The comessuccess.html file serves as a centralized gatekeeper, redirecting traffic to secondary domains designed for Credit Card (CC) harvesting via fraudulent subscriptions.

Hey all,

I’ve been working on a live vulnerability intelligence dashboard that tracks trending CVEs, severity levels, and related social media activity in one place.

The goal was to make it easier to quickly see what’s gaining attention and what might actually matter, instead of scrolling through raw feeds.

Each CVE has its own page with:

• Overview & description
• CVSS score
• Impact summary
• References
• Linked social media posts related to that CVE

It’s free to browse (no login required):

[https://leakycreds.com/vulnerability-intelligence](https://)

Would appreciate honest feedback — especially from folks who actively triage vulnerabilities.

What signals do you usually look at first?

What feature would you want to see here next?

For those that don't know, during the TLS handshake, the server sends its certificate chain so the client can verify they're talking to who they think they are. When we move to Post Quantum-safe signatures for these certificates, they get huge and will cause the handshake to get really big. The PLANTS group at the IETF is working on a method to avoid this, and Merkle Tree Certificates are currently the way they're going.

Google and Cloudflare are going to start testing this (with proper safeguards in place) for traffic using Chrome and talking to certain sites hosted on Cloudflare. Announcements and explanations of MTC:

https://blog.cloudflare.com/bootstrap-mtc/

https://security.googleblog.com/2026/02/cultivating-robust-and-efficient.html

It might be a good time to test your TLS intercepting firewalls and proxies to make sure this doesn't break things for the time being. It's early days and a great time to get ahead of any problems.

Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.

Rules & Guidelines

• Always maintain civil discourse. Be awesome to one another - moderator intervention will occur if necessary.
• Avoid NSFW content unless absolutely necessary. If used, mark it as being NSFW. If left unmarked, the comment will be removed entirely.
• If linking to classified content, mark it as such. If left unmarked, the comment will be removed entirely.
• Avoid use of memes. If you have something to say, say it with real words.
• All discussions and questions should directly relate to netsec.
• No tech support is to be requested or provided on r/netsec.

As always, the content & discussion guidelines should also be observed on r/netsec.

Feedback

Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.

Deep dive into a TOCTOU vulnerability in Node.js's ClientRequest.path that bypasses CRLF validation and enables Header Injection and HTTP Request Splitting across 7+ major HTTP libraries totaling 160M+ weekly downloads

I recently analysed a new emerging RAT named Moonrise.

Moonrise is a Golang binary that appears to be a remote-control malware tool that lets the attacker keep a live connection to an infected Windows host, send commands, collect information, and return results in real-time.

My analysis also suggest surveillance-related features such as keylogging, clipboard monitoring, crypto focused data handling.

At the time of the analysis, this was fully undetected by all and any AV solutions.

Tested 5 LLMs (GPT-5.2, GPT-4o-mini, Claude Opus/Sonnet/Haiku) against invisible instructions encoded in zero-width characters and Unicode Tags, hidden inside normal trivia questions.

The practical takeaway for anyone building on LLM APIs: tool access transforms invisible Unicode from an ignorable artifact into a decoded instruction channel. Models with code execution can write scripts to extract and follow hidden payloads.

Other findings:

• OpenAI and Anthropic models are vulnerable to different encoding schemes — attackers need to fingerprint the target model
• Without explicit decoding hints, compliance is near-zero — but a single line like "check for hidden Unicode" is enough to trigger extraction
• Standard Unicode normalization (NFC/NFKC) does not strip these characters

Defense: strip characters in U+200B-200F, U+2060-2064, and U+E0000-E007F ranges at the input boundary. Be careful with zero-width joiners (U+200D) which are required for emoji rendering.

Code + data: https://github.com/canonicalmg/reverse-captcha-eval

Writeup: https://moltwire.com/research/reverse-captcha-zw-steganography