the grugq's newsletter

April 19, 2026

Administrivia

Sorry for the delays and then this huge post. Twitter changed their API slightly and the python module I use for scraping had to get patched.


i see the issue here, you're getting a BUG() splat in dmesg because of a process called "exploit". id start by debugging that process and see what it was up to with strace() https://t.co/MTTSys3mHI

— h0mbre (@h0mbre_) April 18, 2026


https://t.co/qUeBsyfqrx pic.twitter.com/NREzTwEnyp

— Intel Takes (@inteltakes) April 18, 2026


Because for that, it is necessary to understand the work of hackers as an organised process that has a bureaucratic structure, socio-technical dependencies and, most importantly, a strategy. And "S in TTP stands for strategy". 6/6

— Volodymyr Styran 🇺🇦 (@arunninghacker) April 16, 2026


People are overstating “LLM cyber capability”. LLMs do not really have broad cyber capability. What they have is a degree of appsec, bug-hunting, and pentest usefulness because they approximate a pretty good coder. But that still is not the same thing as being a hacker. 1/6

— Volodymyr Styran 🇺🇦 (@arunninghacker) April 16, 2026


My bug bounty: not a vuln, requires all DVNs
Their deployment: removes the ‘all’ part
Hackers: collects $295M bounty instead https://t.co/TS9ax2yEir pic.twitter.com/N1lwK4ScqB

— sujith (@sujithsomraaj) April 19, 2026


but would your thesis defend YOU?

— the meji. (@mejitwo) April 18, 2026


Some thoughts from using AI for reverse engineering lately. This is where I started to change my view of AI: I used to think AI was merely very good in the software field; now I have the feeling that AI can do anything in software.

At least in reverse engineering, it completely exceeded my expectations and opened the eyes of this frog at the bottom of the well. Everything gets taken apart, nothing is surprising, everything can be reversed. https://t.co/TBm5Kup5kN

— Huli | lang: zh-Hant-TW (@hulitw) April 18, 2026

Rediscovering the power of AI through reverse engineering - Huli's blog

I previously wrote a post thanking AI for letting me, an outsider, do simple reverse engineering, describing how I combined an AI agent with the ghidra MCP to reverse a stripped Golang binary; even though the result had some small mistakes, the overall direction was right. Almost two months have passed, during which I used AI to reverse more things, more things I thought AI could not reverse, but AI slapped me hard in the face; I was the ignorant one. This post records what AI can do, and finally talks about this


GOOGLE BUILT A SECRET WEAPON FOR FILE DETECTION

they ran it internally for years, gmail, drive, safe browsing, hundreds of billions of files every week

then they open sourced it

it's called magika and it exposes what files really are, not what they pretend to be

rename…

— Vaishnavi (@_vmlops) April 13, 2026

GitHub - google/magika: Fast and accurate AI powered file content types detection · GitHub

Fast and accurate AI powered file content types detection - google/magika


google/magika (16,008 stars, Python) Fast and accurate AI powered file content types detection

source: Vaishnavi (@_vmlops)


https://opensrcsec.com/security_researcher_linux_kernel


Iran secretly acquired a Chinese spy satellite in 2024, giving it the ability to monitor US bases, an FT investigation has found. Miles Johnson explains what this means for Tehran, and the questions it raises about China’s role in the Middle East war. https://t.co/CSJk03RuhS pic.twitter.com/O0XIpj6Cki

— Financial Times (@FT) April 17, 2026

https://ft.trib.al/dHKg4V4


The Maintenance of Everything

Studying how other fields think about maintenance and sustainment is extremely useful. These areas are rich in lessons to apply to cybersecurity. Stewart Brand’s Maintenance of Everything is a brilliant overview of many of these fields. It’s one of… pic.twitter.com/TP5EoVHPsh

— Phil Venables (@philvenables) April 18, 2026

Maintenance of Everything: A Review

I haven’t done a book review for a while and there’s no better way to get back to this than a look at Stewart Brand’s Maintenance of Everything. Stewart developed a lot of this book in an open editing process and so the final delivery of what is Part 1 of a forthcoming series was all the more anticipated. I’ve long been obsessed with the need for maintenance in the context of technology risk management, security and reliability. A big part of technical debt build up and the security consequences...


this is why magical realism thrives in Latin America https://t.co/AVumYXEKlD

— sick public transit, gloria (@seungylee14) April 18, 2026


“Expecting an algorithmic description to instantiate the quality it maps is like expecting the mathematical formula of gravity to physically exert weight.” https://t.co/t6BErrSX8O pic.twitter.com/d85j7puww2

— ℏεsam (@Hesamation) April 18, 2026


Mythos is not a bad name for a model but it would be better if Anthropic switched to using famous Claudes. Monet, Debussy etc. The final model that achieves AGI would obviously be Van Damme

— Jessica Nutt (@JessicaNutt96) April 17, 2026


AOL spent over a decade mailing people nearly 2 billion CDs with free trial software as part of a marketing campaign to get people to use the Internet... https://t.co/5cO0XrUIKA

— Ryan Broderick (@broderick) April 18, 2026


this is legit the most impressive part. the exploit is nothing lol https://t.co/tyCz5TuVT4

— chompie (@chompie1337) April 19, 2026


Many know how to capture packets over Ethernet and WiFi, but what about Cellular?

4G LTE data is encrypted over-the-air but wouldn't we like to know what that TCP/IP traffic looks like after it exits the cell network?

In my latest video, I discuss the basic setup of running a…

— Matt Brown (@nmatt0) April 17, 2026


4G LTE IoT Test Lab - Basic Setup — Matt Brown

source: Matt Brown (@nmatt0)


Hackers in your Signal account? @BfV_Bund and BSI warn of state cyber actors who persistently attack messenger services and read along. The interactive guide tells you what to do: https://t.co/x9CxAaXr6M https://t.co/2Jho1SD2RU

— Bundesamt für Verfassungsschutz (@BfV_Bund) April 17, 2026

BSI - Action guide for phishing via the Signal Support

Information on high availability in critical business processes

Bundesamt für Verfassungsschutz - Counter-espionage and counter-proliferation - Updated warning from BSI and BfV on phishing via messenger services

On 6 February, the Federal Office for the Protection of the Constitution (BfV), together with the Federal Office for Information Security (BSI), warned of a phishing campaign via messenger services such as "Signal". Current findings show that the campaign remains active and is gaining momentum.


This reminds me of a bug I found maybe 10 years ago and never disclosed. There was an airline that would produce digital boarding passes. The trick was, if one traveler had pre-check, ALL passes on the reservation were marked as pre-check, even for foreign nationals. https://t.co/4FWNzixT19

— n00py (@n00py1) April 18, 2026


Certifications that don’t teach you anything and are an expensive way to add more useless words to your CV https://t.co/IQ8qRpmJxT

— Katie Paxton-Fear (@InsiderPhD) April 18, 2026


Learn how Open Source Intelligence is changing the way wars are fought. View online exhibit: https://t.co/ybwlGe6DNM

Analysts thousands of miles from the front lines are tracking troop movements using commercial satellite imagery, geolocating videos posted to TikTok, and… pic.twitter.com/3aaS2x819d

— The International Spy Museum (@IntlSpyMuseum) April 17, 2026

Open Source: Ukraine & the Intelligence Revolution – A Digital Exhibition of the International Spy Museum

A Digital Exhibition of the International Spy Museum


Never-before-seen footage of how Palantir’s Maven Smart System actually works:

“It gives us the ability to take classified, unclassified, and commercial data—and you can aggregate it all together to help you make all the decisions that you have to in warfare.”

Via @Channel4 pic.twitter.com/7dNTchK7ef

— Jawwwn (@jawwwn_) April 18, 2026


Ukrainians hacked yesterday's secret meeting of the Russian Ministry of Industry and Trade on drone production in which Russians cited problems in obtaining even basic components, all now being reliant on China.

Russians laugh that they now have to even import copper wire and… pic.twitter.com/WQLOkPKP79

— SPRAVDI — Stratcom Centre (@StratcomCentre) April 18, 2026


Fyi. I'm still looking for work. CVEs are below (Don't report bugs anymore after what happened in 2023 at msft). Can't travel to the US. Prefer fulltime or contract work but worst case, a buyer for my work at competitive pricing would be great too. big_polar_bear1@proton.me pic.twitter.com/9j2u38yrzh

— SandboxEscaper (@WeirdQuadratic) April 18, 2026


It's November 2001. Chop Suey is playing in xmms on your Sun workstation. You fire up IE5 and point it at your just-finished PoC – a buffer overflow in gopher handling, of all things. The calculator pops up. You don't know it yet, but this is the best computing will ever be pic.twitter.com/rtG2F14LUK

— Brendan Dolan-Gavitt (@moyix) April 18, 2026


Even before Mythos, professionally developed exploits had been leaked or used for "extra-curricular activities" in some cases. The former uses were relatively indiscriminate, the latter definitely limited. Mythos is just the latest reminder not to be 2-3 0days away from disaster.

— Dino A. Dai Zovi (@dinodaizovi) April 18, 2026


That’s true, but not every company can realistically afford security by default. The real shift is that, before Mythos and similar players, the assumption was that, economically, these exploits would only be used against high-value targets. That assumption has now fundamentally…

— Nico Waisman (@nicowaisman) April 18, 2026


A single bit was all it took.

We successfully exploited the kernelCTF LTS kernel with a novel 1-bit flip attack against a 15-year-old vulnerability.
It affects the latest versions of all major distributions, including Android, Ubuntu, Debian, Red Hat, CentOS, and Fedora. pic.twitter.com/CZ4Qv1k4Xu

— NebuSec (@nebusecurity) April 18, 2026


This is the right assumption: assume that your adversaries *already* have exploits for vulnerabilities in software that you depend upon. The goal of security engineering is to proactively design your systems and environments to withstand security failures in that software. https://t.co/oRAW2YzISg

— Dino A. Dai Zovi (@dinodaizovi) April 18, 2026


The most important takeaway is to drop your SAST vendors now and shift to LLM-based code review.

This is not something I say lightly. But it’s my experience that this is the way to roll and now. The difference in depth is just too much.

I see SAST capturing less than 10% of… https://t.co/Osr0WVXq1U

— Jim Manico from Manicode Security (@manicode) April 18, 2026


At work we tested 5 models on 2 real vulns from the Mythos blog post. 8 runs each. No hints. Could they find what Mythos found?

Mostly: no. But the how and why is more interesting than the headline pic.twitter.com/MmvDOtLy0y

— Katie Paxton-Fear (@InsiderPhD) April 17, 2026


"It all comes down to compute." @DAlperovitch from @SilveradoPolicy explains:
"The single most important input to winning is compute: the processing power used to train and run AI models. Let me say that plainly, because it is defining that everything that congress and this… pic.twitter.com/t7MDSVF5tV

— Select Committee on China (@ChinaSelect) April 16, 2026


https://t.co/Y3OfRKRiRX pic.twitter.com/iJ8ydSUUNA

— ₩îck̶êrm̶ân̶ (@mossbooger) April 17, 2026


We had early access to Opus 4.7 and ran it against real exploit targets.

First look: fewer vulns found per run than 4.6. We almost wrote it off.

Then we realized we were counting completions, not tokens. Opus 4.7 takes smaller, more precise actions. Normalize by token budget…

— Nico Waisman (@nicowaisman) April 16, 2026

XBOW - Smaller Bites, Bigger Meals: What We Learned Running Opus 4.7 in Offensive Workflows

We got exclusive early access to Anthropic's latest model Opus 4.7. Here's what's new, what's improved, and why it matters for the future of AI security.


HTTP/3 downgrade desync via a QUIC FIN! This is a really nice finding. There used to be a significant cognitive & fiddly-coding barrier to testing lower-level HTTP/2 & 3 techniques but AI has largely eliminated it.

As ever, the fix is... upstream HTTP/1 must die! https://t.co/aX8LpAV53G

— James Kettle (@albinowax) April 17, 2026


I finally managed to write up some memories about my recently deceased and very dear friend, Felix 'Fx' Lindner. https://t.co/X96XbapaLI

— Halvar Flake (@halvarflake) April 17, 2026

https://phenoelit.de/fx.html#Halvar


What's funny is from a managerial viewpoint, breaking up security research into "browser guys", "android guys", "router guys" and so on makes sense.

But anyone who's been one of those guys can instantly feel how ephemeral and artless such an assembly line actually is.

— GCU Tense Correction (@tensecorrection) April 17, 2026


You’ve not heard of the Celestyal Discovery? It’s the ship that made the Strait of Hormuz run in less than twelve parsecs. https://t.co/x5zn29s41V

— Peter Hague (@peterrhague) April 17, 2026


On my way to Berlin to celebrate the life of FX. And yes, I feel honored to have met him, to have had the opportunity to receive his mentorship and guidance, to later become his peer and finally a friend. I can't stop thinking about the immense loss. Good to be able to join…

— Rodrigo Branco (@bsdaemon) April 16, 2026


Put it in the Louvre https://t.co/Tzh8ZQofBN pic.twitter.com/PgpyXnte2j

— TFG87 (@TFG870) April 17, 2026


Totally true. A US born young woman daughter of US born parents was rejected by the CIA as "non-clearable" because she had learned two Middle Eastern languages by travelling abroad on her own. They want people who never left Utah. Later she became an Asst Sec of State. https://t.co/T8wD2T1HSs

— Edward N Luttwak (@ELuttwak) April 16, 2026


This one totally nerdsniped me.
At first glance, it LOOKED LIKE Codex was what got an end user infected.

Turns out, it was prompted to just act like an incident responder all on its own -- inadvertently polluting ACTUAL triage and analysis.

Eager to tell more of the story in… https://t.co/B1hUDHvT5s pic.twitter.com/t2uSDohSvX

— John Hammond (@_JohnHammond) April 17, 2026


The cat's out of the bag! My latest book, "The Secret Life of Circuits", is available in early access: https://t.co/ormpiPwapu

It's what I wish I had when I was starting out. Electrons to embedded systems, 290+ color illustrations and 420+ pages of well-explained theory.

— lcamtuf (@lcamtuf) April 16, 2026

Many of you follow this blog because of the regular features about electronic circuit design.


"Mythos and National Power" - This is definitely worth listening to.

I'm an old school security person, so my threat models are always dominated by the assumption that attackers already have knowledge of a system's vulnerabilities. https://t.co/G9sqYZiKhb

1/n

— chrisrohlf (@chrisrohlf) April 16, 2026

https://www.chinatalk.media/p/mythos-and-national-power


Let's play a game - win32 types vs Polish language:

LPCWSTR
PSZCZYNA
WCSLEN
WCZESNY
LPCTSTR
BYDGOSZCZ
WSTRZAS
HGDIOBJ
DOWOD
HWINSTA
DLUGOSC
LPCSTR
DWORD
KAL
LPWSTR
SZCZECIN
PCWSTR
BLAD
PUHALF
CHUJ
UHALF

— Valentin Ignatev (@valigo) April 17, 2026


AI labs are buying internal communications of defunct startups to train their agents. Emails, Slack archives, etc. Personally identifiable info is removed by data resellers. But how would you feel knowing your former board/CEO is selling your comms to recover losses/pay debts? https://t.co/LYiH51otDD

— Kim Zetter (@KimZetter) April 16, 2026


Obfuscation vs The Optimizer: A Battle in LLVM Middle End. @yates82 shows us how the continuous improvement of the LLVM optimizer defeats naive code obfuscation, and how the obfuscator can fight back.
An eternal fight in which all victories are ephemeral https://t.co/KGRcbImqf4 pic.twitter.com/wurajrbFvk

— quarkslab (@quarkslab) April 16, 2026

https://blog.quarkslab.com/obfuscation-vs-the-optimizer-an-llvm-middle-end-arms-race.html


An Indonesian fisherman just pulled a 3.7-meter torpedo-shaped Chinese spy sensor out of the Lombok Strait, near Gili Trawangan. Defense analysts have identified it as a Deep-Sea Real-Time Transmission Mooring System made by China's 710 Research Institute, a body focused on…

— Aadil Brar (@aadilbrar) April 18, 2026

https://www.abc.net.au/news/2026-04-17/chinese-undersea-monitoring-system-lombok-strait/106569388


There's something poetic about the most popular distribution of qmail --- an MTA with a core design principle of not using the C standard library at all, even the simple stuff --- getting popped with a popen bug like it's 1995. https://t.co/OwN3tKBmQK

— Thomas H. Ptacek (@tqbf) April 17, 2026

https://blog.calif.io/p/we-asked-claude-to-audit-sagredos


you are buried with him, like the pharaoh's cats https://t.co/X65TgIDR2L

— Huluberlu (@huluberlu75) April 15, 2026


Confidential plan for cutting Iran off from the internet has been leaked. #DigitalBlackOutIran‌ https://t.co/ptGp4GGAUM pic.twitter.com/ItIg4Chc5r

— Doug Madory (also on Bluesky) (@DougMadory) April 17, 2026


This is one hell of a graph.

CVEs requested by code owners using the GitHub Security Advisories feature and vulnerabilities affecting open source projects discovered by security researchers at GitHub or Microsoft not covered by another CNA's scope. https://t.co/3gaIzUKbLP pic.twitter.com/4aT5GBcIES

— Daniel Cuthbert (@dcuthbert) April 17, 2026

https://vulntools.net/cnas/GitHub_M


A Japanese citizen was arrested in Belarus in July 2024 and charged with espionage on behalf of Japan's intelligence service.

(1/6) pic.twitter.com/BHwQyqBLde

— Spycraft101 (@spycraft101) April 17, 2026


After an embargo of 256 days, I'm happy to reveal our newest work: we present TREVEX, a black-box CPU fuzzer that detects transient execution vulnerabilities in an automated manner. Running TREVEX on AMD, Intel, and Zhaoxin CPUs discovered multiple new CPU vulnerabilities! pic.twitter.com/pEHapUiDsa

— Daniel Weber (@weber_daniel) April 17, 2026


MAD Bugs: Even "cat readme.txt" is not safe, by @calif_io

cat readme.txt and you're pwned baby

We'd like to acknowledge @OpenAI for partnering with us on this project. https://t.co/vKQ9ttp7cW

— Calif (@calif_io) April 17, 2026

https://open.substack.com/pub/calif/p/mad-bugs-even-cat-readmetxt-is-not?r=26yra9&utm_campaign=post&utm_medium=web


Happy Friday guys! Just pushed some new features to LevelUp and new stuff for you to play with over the weekend 🙂

We now have 36 categories and 12 challenge types and two new streams alongside our offensive / red team content 👇

— l33tdawg (@l33tdawg) April 17, 2026


My thought on cyber evals is that some things are easy to measure and some things are important to measure and these are rarely the same thing.

— Dave Aitel (@daveaitel) April 16, 2026


Kim Dong-sik was one of North Korea’s most dangerous covert operatives until he was captured during the Buyeo Armed Spy Incident in October 1995.

(1/6) pic.twitter.com/VMOr1Pfvgt

— Spycraft101 (@spycraft101) April 15, 2026


the Red Sun vulnerability is genuinely one of the funniest bugs i've seen in a while

Windows Defender finds a malicious file with a cloud tag and instead of quarantining or deleting it...

it helpfully rewrites the file back to its original location

the antivirus. protecting… pic.twitter.com/afv0WIMypc

— Het Mehta (@hetmehtaa) April 16, 2026


I need everyone to check out this link ASAP this is one of the funniest fucking things I've ever read https://t.co/tffFMVp9YA https://t.co/UzqtcmCiaa

— Operation Ivy🍂🦌 (@0h_it_Ivy) April 17, 2026

Notion

A collaborative AI workspace, built on your company context. Build and orchestrate agents right alongside your team's projects, meetings, and connected apps.


We asked Claude to audit Sagredo's qmail. It found an RCE.

All it took was a single prompt. https://t.co/2MyYjKiHxq

— Calif (@calif_io) April 16, 2026

https://open.substack.com/pub/calif/p/we-asked-claude-to-audit-sagredos?r=26yra9&utm_campaign=post&utm_medium=web


Woke up to a stack of good news.

1. OpenAI named @calif_io an official vulnerability research partner, alongside Trail of Bits.

2. We hit the Hacker News front page again, third time in a single week. Hacker News comments are terrible though! Most readers don't really know what… pic.twitter.com/8mvJeGTYlW

— thaidn (@XorNinja) April 16, 2026


Microsoft just laid out a new way to keep enterprise software growing in an AI-heavy workplace: charge AI agents for software seats the same way companies pay for human employees.

The old SaaS model was easy, a company buys 1 license for 1 worker, so revenue rises when headcount… pic.twitter.com/lxRmXlHcRw

— Rohan Paul (@rohanpaul_ai) April 14, 2026


Has AI brought back the early 2000s? People can find and exploit 0days easily. Hackers angry at Microsoft are dropping 0day. Frosted tips are cool again (ok, that one would mean the apocalypse) https://t.co/9bPiE9vq6Y

— thaddeus e. grugq (@thegrugq) April 16, 2026


Another zero day exploit released by some nerd (can't remember name right now) because they're annoyed with Microsoft. It's been confirmed by other nerds. It is yet another legit zero day. Whew.https://t.co/Zllhns1ztn

— vx-underground (@vxunderground) April 16, 2026

GitHub - Nightmare-Eclipse/RedSun: The Red Sun vulnerability repository · GitHub

The Red Sun vulnerability repository. Contribute to Nightmare-Eclipse/RedSun development by creating an account on GitHub.


Nightmare-Eclipse/RedSun (1,550 stars, C++) The Red Sun vulnerability repository

source: vx-underground (@vxunderground)


An update from NIST. Due to volume they’re only going to enrich CVEs that are meaningful to USG federal systems and critical software (some more nuance in the blog post). This means if you’re relying on the NVD data for your enterprise security program and use other software,…

— Heather Adkins - Ꜻ - Spes consilium non est (@argvee) April 16, 2026

NIST Updates NVD Operations to Address Record CVE Growth | NIST

NIST is changing the way it handles cybersecurity vulnerabilities and exposures, or CVEs, listed in its National Vulnerabilit

