the grugq's newsletter

May 11, 2026


The Cyber Reality States Don’t Want to Admit

Just me ranting about the irrational Western reaction to Russia’s actual cyber capacity building pipeline being revealed by the Bauman University leak. https://t.co/43mNfBHA9p

— Volodymyr Styran 🇺🇦 (@arunninghacker) May 10, 2026



The world would be a better place if more western leaders read what @arunninghacker writes in his substack post. https://t.co/KT8GzYIIcC

— Halvar Flake (@halvarflake) May 10, 2026


Thailand is one of the first ag countries to enter a planting season since the Iran war. We went to document the impact of supply shocks to fuel/fertilizer — It was worse than I anticipated.

Farmers are leaving huge tracts of land barren bc they can’t afford to plant. pic.twitter.com/mCPkYlqcFF

— Rebecca Tan (@rebtanhs) May 9, 2026


Annotating IDB used to take hours before you start actual work, and it's now a matter of minutes. pic.twitter.com/PNcDDFapgf

— Alex Matrosov (@matrosov) May 10, 2026


Once upon a time, someone noticed "random" numbers repeating.
That observation led to one of the most catastrophic crypto bugs ever (Debian’s 2008 OpenSSL RNG flaw) https://t.co/w6MCBEmAqu

— Juliano Rizzo (@julianor) May 9, 2026


two years ago people said that coding is dead, now they're calling hacking dead ...
My take is probably bug bounty/0day for money is dead, but the joy of understanding something deeply will survive, just like coding as the joy of building things.
( but tbf I think 0day for…

— Toan Pham (@__suto) May 10, 2026


https://t.co/vngHIPQFKk — Dave Aitel (@daveaitel) May 10, 2026

We've Been Here Before: Decompilers, Fuzzers, and Now AI | CLEARSECLABS LLC

A practitioner's take on the latest 'AI replaces vulnerability research' worry. Why the people who adapt come out the most dangerous in the room.


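Pwn2Own Berlin 2026 summary
・AI discovers a large number of 0-day RCEs
・Submissions flood in, exceeding the organizers' capacity
・Many participants are rejected (no prize money)
・Hackers holding 0-day RCEs are released into the wild
・Revenge vulnerability disclosures begin ← we are here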

— Satoki@Kn0wl3dg3 (@satoki00) May 11, 2026


A staff member on the House China Committee was promised $10,000 for US policy insights, on issues like Venezuela and rare-earth minerals.

When a man identifying… pic.twitter.com/Txskmv2SWn

— Byron Wan (@Byron_Wan) May 10, 2026

https://www.nytimes.com/2026/05/09/us/politics/china-us-spy-congressional-aide.html


Hahahahaha pic.twitter.com/tDvRySFerE

— Traceix (@usetraceix) May 8, 2026


🔐 Releasing LUKSbox: encrypted vaults that survive the next decade.

Drop sensitive files on any cloud or USB. The provider gets one random-looking blob they can't read, even under subpoena.

✅ FIDO2 (YubiKey, Titan, Nitrokey, Windows Hello)
✅ TPM 2.0 keyslots
✅ Post-quantum… pic.twitter.com/ODHc5ahayw

— Sébastien Dudek 📡 (@FlUxIuS) May 7, 2026


PentHertz/LUKSbox (413 stars, Rust) Store sensitive files in the cloud, or on shared media without trusting the host. LUKSbox is a Rust-based encrypted-container tool with passphrase, FIDO2 (YubiKey, Titan, Nitrokey, Windows Hello), TPM 2.0, and hybrid post-quantum (ML-KEM-768 / 1024) keyslots. Mounts as a real drive on Linux, macOS, and Windows.

source: Sébastien Dudek 📡 (@FlUxIuS)


Trenchant exec, Peter Williams, who stole zero day exploits from his employer and sold them to a Russian buyer (known to sell exploits to the Russian government) has been ordered to pay $10 million in restitution to his former employer https://t.co/u2KSRestgv

— Kim Zetter (@KimZetter) May 8, 2026

Trenchant Exec Who Sold Zero Days to Russian Buyer Ordered to Pay $10 Million in Restitution to Former Employers

Peter Joseph Williams, the former L3 Trenchant executive recently convicted of stealing zero-day exploits from his employer and selling them to a Russian broker, has been ordered to pay $10 million to his former employer and its parent company, according to a new judgment issued by a US district court.


how many of y'all working queues back in ~2013 remember when people used to photoshop alert(1) xss returns?

good times.

the thing that i see people underestimating consistently atm is that when you create games for hackers, the first thing we do is try to break the game itself https://t.co/7P2XZxGCdy

— cje (@caseyjohnellis) May 8, 2026


In January, a phishing message arrived on my Signal account, supposedly from "Signal Support."

The unwise attack attempt gave me a unique opportunity to peek inside this wide-scale phishing campaign targeting journalists and politicians.

I was target #13,730 in their database. pic.twitter.com/A4KaMcFbYw

— Donncha Ó Cearbhaill (@DonnchaC) May 8, 2026


Head of SVR disinformation network in Latin America detained in Argentina https://t.co/2Mv9m26Nxn

— Michael Smith (@MickWSmith) May 8, 2026



I’m not dying from some fucking hentai virus

— dan nolan (@dannolan) May 7, 2026


i love how people are saying "if we write a sufficiently detailed specification, the agent can write all our code"

do you know what writing a sufficiently detailed specification that deterministically maps to what a computer's actions is? it's coding

— Chris Wood (@CWood_sdf) May 7, 2026


Would love to see ZDI showing stats of submissions, so we can know what is truly on fire (everyone sitting on 0day exploit) instead of all the hype around these noisy LPE and unexploitable CVE, or in OS that nobody uses... https://t.co/qp13TjmfQC

— Toan Pham (@__suto) May 8, 2026


Funny enough, Xint *did* find it as well. It was just buried in many other bugs that we didn't get to triage / report manually yet. Interesting part is that it's auto-triaged not as important as Copy Fail bug because it needed user namespace (which requires root in Ubuntu), and…

— Brian Pak (@brian_pak) May 8, 2026


There are so many Linux and Windows LPEs that we literally have to turn away researchers with perfectly good exploits, because we just don’t need another one lying around on the shelf.

If you must work Windows/Linux, it makes sense to work on RCE primitives instead of LPE

— IRIS C2 (@C2IRIS) May 8, 2026

