This writeup details innovative ‘syntax confusion’ techniques exploiting how two or more components can interpret the same input differently due to ambiguous or inconsistent syntax rules.

Alex Brumen aka Brumens provides step-by-step guidance, supported by practical examples, on crafting payloads to confuse syntaxes and parsers – enabling filter bypasses and real-world exploitation.

This research was originally presented at NahamCon 2025.

Author here.

Zero the Hero (0tH) is a Mach-O structural analysis tool written in Rust.

It parses FAT binaries, load commands, slices, CodeSignature/SuperBlob, DER entitlements, requirements bytecode, and CodeDirectory versions.

The binary is universal (Intel + ARM64), notarized and stapled.

Motivation: existing tools lack full coverage of modern Mach-O signature internals.

Docs: https://zero-the-hero.run/docs

Happy to discuss signature internals or Mach-O specifics.

Think prepared statements automatically make your Node.js apps secure? Think again.

In my latest blog post, I explore a surprising edge case in the mysql and mysql2 packages that can turn “safe” prepared statements into exploitable SQL injection vulnerabilities.

If you use Node.js and rely on prepared statements (as you should be!), this is a must-read: https://blog.mantrainfosec.com/blog/18/prepared-statements-prepared-to-be-vulnerable

My talk about Lateral Movement in the context of logged in user sessions 🙌

Curious what frameworks people use for desktop application testing. I run a pentesting firm that does thick clients for enterprise, and we couldn't find anything comprehensive for this.

Ended up building DASVS over the past 5 years - basically ASVS but for desktop applications. Covers desktop-specific stuff like local data storage, IPC security, update mechanisms, and memory handling that web testing frameworks miss. Been using it internally for thick client testing, but you can only see so much from one angle. Just open-sourced it because it could be useful beyond just us.

The goal is to get it to where ASVS is: community-driven, comprehensive, and actually used.

To people who do desktop application testing, what is wrong or missing? Where do you see gaps that should be addressed? In the pipeline, we have testing guides per OS and an automated assessment tool inspired by MobSF. What do you use now for desktop application testing? And what would make a framework like this actually useful?

Hi everyone,

I'm sharing a new open-source tool I developed: the Ephemeral Vulnerability Scanner.

If you're tired of using security tools that require you to send sensitive lists of your installed software to a 3rd party server, this is your solution.

What it does:

1. You run a simple command (PowerShell, dpkg -l, brew list) to generate a local inventory.json file.
2. You open the scanner's index.html in your browser.
3. You upload the file (it stays local!).
4. The browser's JavaScript performs the lookup against public APIs (MSRC, OSV.dev, CISA KEV) and gives you a professional, exportable report.

The core benefit is privacy: Your inventory never leaves your control. Analysis is ephemeral—everything is gone when you close the tab.

It supports Windows, Linux, and macOS, giving you a unified, free way to scan packages across your fleet.

Feedback and contributions are highly welcome!

We've just released a tool that fixes a particularly annoying problem for those trying to fuzz HTTP/3.

The issue is that QUIC is designed to prevent network bottlenecks (HOL blocking), which is beneficial, but it disrupts the fundamental timing required for exploiting application-level race conditions. We tried all the obvious solutions, but QUIC's RFC essentially blocks fragmentation and other low-level network optimizations. 🤷‍♂️

So, we figured out a way to synchronize things at the QUIC stream layer using a technique we call Quic-Fin-Sync.

The gist:

1. Set up 100+ requests, but hold back the absolute last byte of data for each one.
2. The server gets 99.9% of the data but waits for that last byte.
3. We send the final byte (and the crucial QUIC FIN flag) for all 100+ requests in one single UDP packet.

This one packet forces the server to "release" all the requests into processing near-simultaneously. It worked way better than existing methods in our tests—we successfully raced a vulnerable Keycloak setup over 40 times.

If you are pentesting HTTP/3, grab the open-source tool and let us know what you break with it. The full write-up is below.

What’s the most frustrating thing you’ve run into trying to test QUIC/HTTP/3?

Hey bro 👾
Wanna take on a friendly challenge?

I built a cloaker that’s been flying under Meta’s radar — and I want to see if you can break it.

The challenge is simple:
🧠 Try to identify any vulnerabilities or leaks in the cloaker system I’m using.
🚀 If you manage to break it or point out a real flaw, I’ll send you a little prize (or maybe a project if you impress me).

Hint:
The ad on Meta shows one thing...
But the landing page is completely different from the advertised offer.

Let’s see if you’re sharp enough to catch it 😏
Game on?

Hi all,

I’ve published a technical case study analyzing a design issue in how the Binance API enforces IP whitelisting. This is not about account takeover or fund theft — it’s about a trust-boundary mismatch between the API key and the secondary listenKey used for WebSocket streams.

Summary of the issue

• A listenKey can be created using only the API key (no secret, no signature).
• The API key is protected by IP whitelisting.
• The listenKey is not protected by IP whitelisting.
• Once a listenKey leaks anywhere in the toolchain — debug logs, third-party libraries, bots, browser extensions, supply-chain modules — it can be reused from any IP address.
• This exposes real-time trading activity, balances, open orders, leverage changes, stop levels, liquidation events and more.

This is not a direct account compromise.
It’s market-intelligence leakage, which can be extremely valuable when aggregated across many users or bot frameworks.

Why this matters

Many users rely on IP whitelisting as their final defensive barrier. The listenKey silently bypasses that assumption. This creates a false sense of security and enables unexpected data exposure patterns that users are not aware of.

Disclosure process

I responsibly reported this and waited ~11 months.
The issue was repeatedly categorized as “social engineering,” despite clear architectural implications. Therefore, I have published the analysis openly.

Full case study

🔗 https://technopathy.club/when-ip-whitelisting-isnt-what-it-seems-a-real-world-case-study-from-the-binance-api-816c4312d6d0

Shai-Hulud second attack analysis: Over 300 NPM Packages and 21K Github Repos infected via Fake Bun Runtime Within Hours

Greetings everyone,

I was looking for Top Universities for Masters in Cybersecurity. For my Background, I have done Bachelor’s in Computer Science and i have 2.5 years of Industry experience in Application Security, Cloud Security and Product Security.

I was not a Top student at my Bachelor's and neither my university is highly ranked. CGPA: 8.5 Hence getting Admission into the ETHz MS Cyber program seems tough Thou i would still apply.

I know a couple of other universities In Europe which are well know but not sure how respected is the curriculum. I have done my research but i wouldn't want to miss out on any hidden gem.

Looking for: 1. Well-recognized and reputable universities (Preferably public but can consider private)

1. Strong Practical cybersecurity curriculum practical

2. Would be great if the University has Hacking group which is doing well in CTF Competitions

USA and UK could have been great options but they are crazy expensive, the post study laws, migrations and Job search is pretty bad out there. Please correct me if i am wrong.

I would really appreciate your recommendations from your Experience and Knowledge.

Thanks in advance.

I’ve built NocturneNotes, a secure note‑taking app written in Rust with GTK4.

🔐 Features:

AES‑256‑GCM encryption for all notes Argon2 password‑based key derivation Clean GTK4 interface Reproducible Debian packaging for easy install 

It’s designed for people who want a privacy‑first notebook without the bloat.

Repo: https://github.com/globalcve/NocturneNotes

Got tired of your log analysis workflow being: export logs → wait for jq → try different filter → wait again → eventually load into ELK → wait for indexing.

Built JSONL Viewer Pro to solve this. Native desktop app (Mac) that handles the log analysis I do daily without needing infrastructure.

Technical details:

• Multi-threaded simdjson parser - opens 5GB files in ~10 seconds
• Automatic nested JSON flattening (alert.signature, flow.bytes_toserver, etc.)
• Advanced filtering with operators: alert.severity <= 2, flow.bytes > 100000
• Handles 10M+ rows in memory
• C++ native implementation (6MB binary, not Electron)
• Supports .jsonl and .jsonl.gz

Supported formats:

• Suricata EVE JSON logs
• Zeek (Bro) JSON logs
• EDR logs (CrowdStrike, SentinelOne, etc.)
• Cloud audit trails (CloudTrail, Azure, GCP)
• Any JSONL-formatted security data

Workflow improvements:

• Daily log review: Load overnight alerts, filter by severity, export indicators
• Threat hunting: Quick pivots on IPs, domains, hashes across millions of records
• Incident response: Rapidly filter timeline data without waiting for SIEM queries
• IOC extraction: Filter and export specific fields for threat intel

Privacy/Security:

• Zero telemetry
• No internet connection required
• Data never leaves your machine
• Good for analyzing sensitive logs on air-gapped systems

Launch pricing: $49 (normally $79)
https://iotdata.systems/jsonlviewerpro/

Built this for my own workflow but would love feedback from other analysts. What log formats or features would make this more useful?

Depending on configuration and timing, a Sliver C2 user's machine (operator) could be exposed to defenders through the beacon connection. In this blog post, I elaborate on some of the reverse-attack scenarios. Including attacking the operators and piggybacking to attack other victims.

You could potentially gain persistence inside the C2 network as well, but I haven't found the time to write about it in depth.

HelixGuard has released analysis on a new campaign found in the Python Package Index (PyPI).

The actors published packages spellcheckers which contain a heavily obfuscated, multi-layer encrypted backdoor to steal crypto wallets.

We are building a foundational technology that is a bloom dollar IP. We need three key pillars of engineering talent to formalize this system:

Mathematical Proof Architect: Expertise in formal assurance and engineering deterministic systems to mathematically verify code correctness.

Trust Architect (Advanced Distributed Systems): Deep experience in cryptography, immutability, and creating trust architectures that are legally non-repudiable.

Critical Systems Engineer: Mastery of low-level, high-assurance security engineering in performance-critical or regulated environments.

If you possess these specific skills and want to get in on the ground floor of a billion-dollar IP and secure significant stake shares and profits, DM me ASAP. Preferred location is the U.S., but we will enthusiastically consider exceptional talent globally.

hi folks, I tried to detect bgp hijack, my way is pretty straitforward as below:

I downloaded IP/ASN data set from IRR(ripe/arin/apnic) and store them in search engine(support partial/prefix query), then I crawled bgp stream data from routeviews, if I found the original asn was different than IRR, then the

hijack event would be caught.

My result can be found here ipiphistory.com

I published a breakdown of several Python packages that can be repurposed for building surveillance/spyware-style tooling.
The write-up focuses on:

• which packages enable keylogging, screen capture, webcam access, browser data extraction, etc
• how attackers combine these packages for full-scope monitoring
• why these libraries are so easy to misuse
• practical mitigations for developers and defenders

No drama, no “hacking tutorial” garbage — just an audit-style analysis showing how legitimate packages become building blocks for malicious tooling.

Full post:
https://audits.blockhacks.io/audit/python-packages-to-create-spy-program

Would appreciate feedback from people who deal with Python malware, IR, or supply-chain issues.

A threat actor known as "888" has allegedly dumped sensitive LG Electronics data on ThreatMon (November 16, 2025). LG has not yet confirmed or denied these claims.

Alleged Leaked Data: • Source code repositories • Configuration files and SQL databases
• Hardcoded authentication credentials • SMTP server credentials

Attack Vector: The leak reportedly originated from a contractor access point, suggesting a supply chain compromise rather than direct breach of LG systems.

Threat Actor Profile: "888" has previously targeted Microsoft, BMW Hong Kong, Decathlon, and Shell. Typically monetizes through ransomware or selling data on breach forums. No public ransom demand in this case yet.

Technical Concerns: - Hardcoded credentials enable persistence and lateral movement - SMTP access could facilitate convincing phishing campaigns - Source code exposure may reveal vulnerabilities in LG IoT devices affecting millions of users globally

Related Context: LG Uplus (LG's telecom division) confirmed a separate breach in October 2025 during a wave of South Korean telecom attacks.

Verification Status: UNCONFIRMED - Awaiting official statement from LG Electronics.

Source: https://cyberupdates365.com/lg-data-leak-claim-threat-a/

Thoughts on supply chain attack vectors and contractor access management?

PacketSmith v4.0 is shipped with an X.509 certificate extractor designed for use with TLS/SSL over TCP and DTLS over UDP streams. You can now either export these certificates to disk or dissect their attributes and output them as JSON objects and arrays.

Hi everyone,

My best friend and I have been working on a project after going through CCNA → CCNP ENCOR → CCNP ENARSI together. We realised that for most people (including us), the hardest part of the CCNA journey isn’t the technical content. It’s staying motivated through the long PDFs, the repetitive labs, and the feeling of studying alone.

We wanted to take some of that pain away and make learning networking feel more structured, more guided, and more rewarding. So we started building something based on short lessons, clear diagrams, and a gamification system that helps you actually feel your improvement.

The idea is to help learners stay consistent, avoid feeling lost, and have a more enjoyable path through the CCNA topics.

We’re currently sharing this with CCNA learners and mentors to see if it actually helps, and we’d definitely welcome any feedback or questions :)

Anthropic just published a case study where threat actors jailbroke Claude and used it to run entire attack campaigns autonomously.

I built npmscan.com because npm has become a minefield. Too many packages look safe on the surface but hide obfuscated code, weird postinstall scripts, abandoned maintainers, or straight-up malware. Most devs don’t have time to manually read source every time they install something — so I made a tool that does the dirty work instantly.

What npmscan.com does:

• Scans any npm package in seconds
• Detects malicious patterns, hidden scripts, obfuscation, and shady network calls
• Highlights abandoned or suspicious maintainers
• Shows full file structure + dependency tree
• Assigns a risk score based on real security signals
• No install needed — just search and inspect

The goal is simple:
👉 Make it obvious when a package is trustworthy — and when it’s not.

If you want to quickly “x-ray” your dependencies before you add them to your codebase, you can try it here:

https://npmscan.com

Let me know what features you’d want next.

I recently completed a project on “Scanning and Enumeration with Nmap” using Kali Linux and Metasploitable2. The project includes network discovery, port scanning, service enumeration, NSE scripting, and vulnerability detection. I’ve documented all findings, screenshots, and results in a structured report. I’m sharing it here to get feedback and suggestions to improve my methodology and reporting style.

#DevTown #nmap #cybersecurity

FaceSeek is like Google Images but mostly for faces. It uses facial photos and reverse photo finding method to recognition and detect a face even if it’s cropped or filtered. Plus it also ad modify those faaces to some body and make videos out of them. This could be useful for OSINT or threat hunting, but it also means attackers could find out our digital footprints by photo. Is it a threat? Or not? Considering that there are already a lot Ai tools like these, But Ai is alvo improving daily.

So my honeypot just caught something interesting: RedTail malware hitting exposed Docker APIs on port 2375/tcp.

For context, RedTail is typically known for exploiting PHP vulnerabilities, PAN-OS, and Ivanti, but not a single vendor mentions Docker in their threat reports.

I did a pretty extensive research dive across:

• Threat intel reports (Akamai, Forescout, Trend Micro, Kaspersky)
• SANS ISC, VirusTotal, Malpedia
• GitHub repos and academic papers
• Various community discussions

What I confirmed:

• C2 IP: 178[.]16[.]55[.]224 (AS214943)
• User-Agent: "libredtail-http" (consistent with RedTail)
• Absolutely zero public documentation of RedTail targeting Docker

Two theories:

1. This is a blind spot in threat intelligence reporting
2. We're seeing a new tactical evolution of RedTail (as of Nov 2025)

Has anyone else seen similar activity?

Analysis of the Milvus Proxy Authentication Bypass Vulnerability(CVE-2025-64513)

After we launched SysReptor a few years ago, we now published the data leak service "SysLeaks for Attackers". We're still refining the service and kindly ask for your feedback. You can use SysLeaks quite extensively during the BETA phase, which will remain open in November.

How it works:
You search for domain names and receive usernames/email addresses, plaintext passwords and (in some cases) the platform the account was used for.

Limitations:

• Users must sign up with their company email address (we approve offensive security companies only to prevent abuse).
• We don't disclose the leaks of the last 14 days as a grace period for affected companies.
• Free 50 credits for up to 2.500 leaked accounts per week (during the BETA phase)

Hello! Earlier this year I found an interesting logic quirk in an open source library, and now I wrote a medium article about it.

This is my first article ever, so any feedback is appreciated.

TLDR: mPDF is an open source PHP library for generating PDFs from HTML. Because of some logic quirks, it is possible to trigger web requests by providing it with a crafted input, even in cases where it is sanitized.

This post is not about a vulnerability! Just an unexpected behavior I found when researching an open source lib. (It was rejected by MITRE for a CVE)