the grugq's newsletter

April 24, 2026

NSA joins the @NCSC and others in releasing joint guidance detailing multiple China-nexus threat actors who are using dynamic, external covert networks of botnets to facilitate malicious cyber activity strategically at scale. Read the report today! https://t.co/IbHwKD1XEt pic.twitter.com/NAn30DMAcT

— NSA Cyber (@NSACyber) April 23, 2026

https://media.defense.gov/2026/Apr/22/2003916747/-1/-1/0/NCSC-ADVISORY-DEFENDING-AGAINST-CHINA-NEXUS-COVERT-NETWORKS-OF-COMPROMISED-DEVICES.PDF


This is a decent, similar test to Firefox. It started on March 11th with a MacBook Pro and a MacBook Air M5, and creating an attack surface map, but it rapidly devolved into vuln discovery and documentation. https://t.co/u70xOTv3hi It's still an ongoing effort. #apple #ai…

— David Maynor (@Dave_Maynor) April 23, 2026

GitHub - dmaynor/apple-vuln-research · GitHub

Contribute to dmaynor/apple-vuln-research development by creating an account on GitHub.


dmaynor/apple-vuln-research (30 stars, C)

source: David Maynor (@Dave_Maynor)


NEW @citizenlab report

We uncover two sophisticated telecom surveillance campaigns. The findings expose how surveillance vendors exploit the global telecom ecosystem to conduct covert location tracking operations that can persist undetected for years.https://t.co/42GwvzX5ay

— profdeibert (@RonDeibert) April 23, 2026

Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors - The Citizen Lab

Our investigation uncovers two sophisticated telecom surveillance campaigns and, for the first time, links real-world attack traffic to mobile operator signalling infrastructure. The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years.


Whatever Anthropic provided to Google didn’t include the 0-days in Chrome that I am reporting right now. Zero dupes so far https://t.co/iXRuS9ddA4

— Alisa Esage Шевченко (@alisaesage) April 23, 2026


The amount of squabbling over bugs, bug quality, AI bug extermination, how security is doomed/not doomed/unchanged/improved based on bugs… it’s ridiculous. Bugs are not the totality of cybersecurity.

— thaddeus e. grugq (@thegrugq) April 24, 2026


Religious arguments are being staked out on the finite nature of bugs in code. Once we’ve reviewed all code with the current generation of models will succeeding frontier models find new bugs in that same (unchanged) code, or will those opportunities decline to nothing? https://t.co/7OpfQ8Z49D

— John Hultquist (@JohnHultquist) April 22, 2026


MAD Bugs: An Apple Kernel Bug, Brought to You by Microsoft

This is an autonomous N-day analysis of CVE-2026-28825. 100% reliable on macOS 26.3.2. https://t.co/cKk88uk5l9

— Calif (@calif_io) April 22, 2026

https://open.substack.com/pub/calif/p/mad-bugs-an-apple-kernel-bug-brought?r=26yra9&utm_campaign=post&utm_medium=web


“Mythos has found 153 bugs” pic.twitter.com/HPsniSjsJ6

— solst/ICE of Astarte (@IceSolst) April 22, 2026


For that topic, I found the most weird thing is the title of the blog "The zero-days are numbered". This was when I felt this is prob. hype - which serious vendor uses a title like that? Especially given the fact that your product gets pwned every year at Pwn2Own (if I remember…

— Haifei Li (@HaifeiLi) April 23, 2026


Now this is brilliant research by @qian_wenxiang and @tu_zhixin on taking chromium bugs and automatically patching and fixing CVEs pic.twitter.com/0Cxa457FWA

— Daniel Cuthbert (@dcuthbert) April 24, 2026


Before Stuxnet, there was fast16.

Our team uncovered a 2005 sabotage framework that used a boot-start filesystem driver to silently patch high-precision calculation software in memory. Nudging calculations just enough to throw them off. https://t.co/Tg6d9aIozf

— Gabe (@Gabeincognito) April 24, 2026

fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet | SentinelOne

A previously unknown 2005 cyber sabotage framework patches high-precision calculation software in memory to silently corrupt results.


we're looking for a couple folks to grow a new TI capability in the sec team at A\ - if you're an intel person that leans more towards building and diving deep to understand technical threats, while still handy with the pen, could be for you! 👇👇https://t.co/e5027kyvAQ

— billy leonard (@billyleonard) April 23, 2026

Job Application for Security Engineer - Threat Intel at Anthropic

New York City, NY; Remote-Friendly (Travel-Required) | San Francisco, CA | Washington, DC; San Francisco, CA | New York City, NY


WHAT IS THE CHARGE? FRONT-RUNNING AN OVERSEAS COUP D’ÉTAT? A SUCCULENT VENEZUELAN COUP D’ÉTAT? https://t.co/VOd5WjT2gb pic.twitter.com/uCs66wPkVD

— spor (@sporadica) April 23, 2026


At least 300 Germans are confirmed victims, including a senior CDU foreign policy MP and the former deputy head of German foreign intelligence (BND). The BfV's own internal warning says the real number is "significantly higher" and that numerous Signal groups in the parliamentary… https://t.co/veNFhcdjRZ

— Lukasz Olejnik (@lukOlejnik) April 23, 2026

Julia Klöckner is a victim of the Signal hack - DER SPIEGEL

According to SPIEGEL information, Bundestag President Julia Klöckner is among the victims of the current wave of attacks on Signal users. The Chancellor's phone has also already been examined.


Mozilla says Mythos helped identify 271 vulnerabilities in Firefox 150.

I went through the commits, CVEs, and bug links to see what that number really means.

My takeaway: relax folks. https://t.co/9LEqL7sXX6

— xarkes (@xarkes_) April 23, 2026

A quick look at Mythos run on Firefox: too much hype?

A closer look at Mozilla's Firefox 150 "271 vulnerabilities" fixes and what they do, and do not, tell us about the alarming claims we can read online and AI-assisted vulnerability research.


I feel like what a lot of people are calling security debt is really security willful ignorance - and the complaining about the fact that you can find bugs with llms from the defensive community is ironic considering it's going to be the offensive community that feels the heat. https://t.co/mfFnSEuWTm

— Dave Aitel (@daveaitel) April 23, 2026


After burning $2.5k on tokens and LLM findings, I have a question about the 270 Firefox bugs: were they all attacker-reachable? The findings I got were often "legitimate bad code" but also "not reachable in any sane scenario".

— Halvar Flake (@halvarflake) April 23, 2026


It is hard to do science outside a frontier lab right now. We do have positions open ! https://t.co/B6RraccARD

— Dave Aitel (@daveaitel) April 23, 2026


I got completely owned by the most sophisticated hack I've ever encountered.

I'm a developer. I know what scams look like.
This didn't look like one.

🧵

— Turshija (@turshija) April 22, 2026


Looks like the npm package bitwarden cli was compromised, you can see version 2026.4.0 was not published from a trusted publisher (green checkmark) 😬 https://t.co/UEI42DAtK9 pic.twitter.com/7tEsJx7ceS

— mpgn (@mpgn_x64) April 23, 2026

https://www.npmjs.com/package/@bitwarden/cli/v/2026.4.0


Cool works! First time someone has published an agent that can deliver Chrome 0days :)
But the cost seems huge: The campaign ran uninterrupted for 7 days on a public-cloud pool of 24 nodes, each provisioned with 8×H100 GPUs (192 H100s total). https://t.co/HphdLxssTh

— Toan Pham (@__suto) April 23, 2026


1/ Releasing our WhatsApp research tool, used for our @BlackHatEvents talk today. (link 🧵👇)
It enables users to enumerate WhatsApp devices, send silent pings, fingerprint devices' operating systems (OS), send a per-device message and more 😉 @openclaw detection demo: pic.twitter.com/QtZVEFRxju

— Tal Be'ery (@TalBeerySec) April 23, 2026


Trailmark supports 17 languages. We're also releasing 8 Claude skills built on its API. On Ed448, one classified 73% of surviving mutants as equivalent. Flat lists can't see that. https://t.co/OCyOrpwP22

— Trail of Bits (@trailofbits) April 23, 2026

Trailmark turns code into graphs - The Trail of Bits Blog

Trailmark turns source code into a security-analysis graph, powering eight Claude Code skills for blast radius, taint propagation, and mutation test triage.


When Claude reasons about code, it reasons about lists, but the questions that actually matter are graph questions.

We just open-sourced Trailmark to make it easy for security engineers to parse source code into a call graph for Claude. 🧵

— Trail of Bits (@trailofbits) April 23, 2026


To be clear, they published the Meta Agent (AgentFlow) source code, which can generate multiple agents (around 300) capable of finding Chrome 0day. Cost approx 200k (per chatgpt calc)
So far I don't see prompts of agents that find 0days. And it seems the cost of running them is around… https://t.co/zFgVRG0fu0

— Toan Pham (@__suto) April 23, 2026


Chinese LLMs can hack better than state-sponsored hackers with a properly evolved harness -

Kimi K2.5 managed to find and exploit 6 vulnerabilities in browsers: a single page view or an extension install by victims equals full system hijack.

Check https://t.co/d0SZSf1KqF pic.twitter.com/UbD7QR45l0

— Chaofan Shou (@Fried_rice) April 23, 2026

[2604.20801] Synthesizing Multi-Agent Harnesses for Vulnerability Discovery

LLM agents have begun to find real security vulnerabilities that human auditors and automated fuzzers missed for decades, in source-available targets where the analyst can build and instrument the code. In practice the work is split among several agents, wired together by a harness: the program that fixes which roles exist, how they pass information, which tools each may call, and how retries are coordinated. When the language model is held fixed, changing only the harness can still change success rates by several-fold on public agent benchmarks, yet most harnesses are written by hand; recent harness optimizers each search only a narrow slice of the design space and rely on coarse pass/fail feedback that gives no diagnostic signal about why a trial failed. AgentFlow addresses both limitations with a typed graph DSL whose search space jointly covers agent roles, prompts, tools, communication topology, and coordination protocol, paired with a feedback-driven outer loop that reads runtime signals from the target program itself to diagnose which part of the harness caused the failure and rewrite it accordingly. We evaluate AgentFlow on TerminalBench-2 with Claude Opus 4.6 and on Google Chrome with Kimi K2.5. AgentFlow reaches 84.3% on TerminalBench-2, the highest score in the public leaderboard snapshot we evaluate against, and discovers ten previously unknown zero-day vulnerabilities in Google Chrome, including two Critical sandbox-escape vulnerabilities (CVE-2026-5280 and CVE-2026-6297).

PDF

source: Chaofan Shou (@Fried_rice)


eBPF one-liners that'll save your on-call shift

You got paged at 3am. Service is flapping. Here's what actually works (run with sudo):

execsnoop-bpfcc
— catches every short-lived process the second it spawns. That sneaky cronjob forking 400 python workers? gotcha. Invisible to… pic.twitter.com/ZRZUUUU6Qv

— Immanuel (@immanuel_vibe) April 22, 2026

GitHub - immanuwell/pktz: pktz — eBPF-powered network traffic monitor — per process, per connection, live · GitHub

pktz — eBPF-powered network traffic monitor — per process, per connection, live - immanuwell/pktz


immanuwell/pktz (43 stars, Go) pktz — eBPF-powered network traffic monitor — per process, per connection, live

source: Immanuel (@immanuel_vibe)

