April 2, 2026
At [un]prompted, the illusion that vulnerability research won’t be automated away has passed. Specifically, it was Nicholas Carlini’s talk, a last second entry, that hammered it in.
— Gadi Evron (@gadievron) April 1, 2026
A short thread + talk video pic.twitter.com/M9AOy9huIj
I cannot overstate how absurd it is to suggest that, say, Japan offers more of intelligence value to the United States than Britain. This applies in essentially every respect: HUMINT on hard targets like Russia, depth of SIGINT co-operation, access to geography like Cyprus, etc. https://t.co/MmZaRI0FJf
— Shashank Joshi (@shashj) April 1, 2026
If NATO splits up who gets custody of the Atlantic?
— Karl Sharro (@KarlreMarks) April 1, 2026
🔥Pwndbg is dropping GDB support🔥
— Patryk Sondej (@patryk4815) April 1, 2026
We love GDB, but after 5+ years of crash reports sitting on Bugzilla collecting dust… we're done.
Reported a crash to LLDB? Fixed in two weeks. TWO WEEKS🤯
We go all in on LLDB. Time to move where debugging works with us, not against us @gdb
Evaluating AI bug-finding capability is hard for many reasons, but here's a particularly fun reason:
— Tim Becker (@tjbecker) April 2, 2026
Sometimes a new "false-positive" finding in our benchmark results ends up being a real nginx 0day https://t.co/50dIHDmFU1
we accidentally created a time capsule of the last era in which humans wrote code pic.twitter.com/pac9QyvKFv
— “paula” (@paularambles) April 1, 2026
Note that @OCCRP reported this two days ago, not quite “just in” and would have been great to link to their work. https://t.co/pyeg3lXfhv
— Runa Sandvik (@runasand) April 1, 2026
Poisoned Trekkers and Phantom Flights: Nepal Charges 32 in Massive Himalayan Rescue Scam | OCCRP
A sprawling criminal network of trekking agencies, hospitals, and helicopter pilots allegedly fed tourists baking soda to induce illness, siphoning nearly $20 million in fraudulent insurance payouts.
Our newest team member @streypaws just dropped his first blog post!
— starlabs (@starlabs_sg) April 1, 2026
He peered into CVE-2026-0899, from patch to arbitrary r/w primitives
No, it is not an April Fool's joke from us https://t.co/fuHUFhLDOx
CHECK Removed, Context Confused, Checkmate Achieved | STAR Labs
TL;DR In January 2026, the Chrome Releases blog announced several security fixes across different Chrome components. One entry caught our attention: CVE-2026-0899, an Out-of-Bounds memory access in V8 discovered by @p1nky4745. Vulnerabilities in V8, especially OOB and Type Confusions are always interesting from a security research perspective. We decided to take a closer look. At the time of writing, the issue was still restricted and no public proof-of-concept was available. After reverse engin...
As a connoisseur of fraud, I feel comfortable saying this is one of the greats https://t.co/ZUYZIImkFc
— Danny Gold (@DGisSERIOUS) April 1, 2026
As a former spook I can tell you that the easiest low-integrity career path for former spies and intel goons is to become a "tell-all" writer that affirms every conspiracy theory as true.
— J.T. Alexander (@JTAlexander_) April 1, 2026
This works commercially because people lap it up and it enables you to lean on your old… https://t.co/20z0lJANt5
Somewhere in Tehran, the entire IRGC intelligence branch has given up on human & technical sources and is just wall to wall monitoring insider Polymarket bets.
— Shashank Joshi (@shashj) April 1, 2026
New: Recent research published in the CIA’s Studies in Intelligence journal suggests AI could erode confidence in digital communications and spur human spying tradecraft. I spoke with author Thomas Mulligan about his findings -> https://t.co/U2peBERMpy
— David DiMolfetta (@ddimolfetta) April 1, 2026
Old-school spycraft could make a comeback as AI undermines trust - Nextgov/FCW
An article in the CIA’s Studies in Intelligence journal argues that artificial intelligence may erode confidence in certain electronic communications and further revive centuries-old human intelligence techniques.
Chinese government affiliated hackers breached the FISA secret files almost two years ago and there’s no assurance the breach has been sealed. There’s been not much said about it but “major cyber incident” is an understatement. https://t.co/NxKHrtLCPq
— Josh Rogin (@joshrogin) April 2, 2026
We recently achieved renderer RCE and universal XSS on Samsung's default browser.
— OtterSec (@osec_io) April 1, 2026
Here's how we abused an out-of-date V8 to construct the exploit chain. pic.twitter.com/TO7zxMadOk
https://t.co/skESD3MZM8 — OtterSec (@osec_io) April 1, 2026