FFreeRaveinfreerave.hashnode.dev·2h ago · 15 min readxAI's Grok Build CLI Was Quietly Uploading Entire Codebases to Google CloudA wire-level security analysis found that xAI's coding CLI was shipping whole git repositories — untouched files, unredacted secrets, and full commit history included — to a Google Cloud bucket that n00
YPYogesh Peelainexploitnotes.hashnode.dev·14h ago · 8 min readHackTheBox: NeoVault Challenge WriteupSummary NeoVault is a small banking app (Next.js frontend + REST API) that lets users register, transfer funds, and download PDF statements. The API ships in two parallel versions, v1 and v2. v2 patch00
DIDaniel Isaac Eindanielisaace.hashnode.dev·5h ago · 5 min readStop Trusting Your WAF: Modern Attackers Have Already Moved OnIntroduction For years, Web Application Firewalls (WAFs) have been marketed as one of the most important security controls for protecting web applications. Organizations invest heavily in WAF solution10
RRelayShieldAdmininrelayshield.hashnode.dev·6h ago · 5 min readWe Proved an AI Agent Can Find and Pay for a Security API With Zero Custom CodeWe just proved something we've been building toward for a while: an AI agent that autonomously finds and pays for a security check, with no human in the loop, using only AWS and Coinbase infrastructur00
4F404 Foundersin404-founders.com·8h ago · 4 min readZimbra Classic Web Client: Critical Stored XSS FlawA single crafted email is enough to run attacker-controlled code inside a Zimbra webmail session - no click, no attachment opened, just viewing the message in the Classic Web Client. CVE: Not yet assi00
4F404 Foundersin404-founders.com·8h ago · 5 min readGitea CVE-2026-20896: Docker Auth Bypass ActiveAttackers are actively probing a critical authentication bypass in Gitea's official Docker image that lets anyone with network access to the container become an admin, using nothing but a single forge00
4F404 Foundersin404-founders.com·8h ago · 5 min readEntra Passkey Vishing Hijacks Microsoft 365 AccessA threat cluster is calling employees, walking them through what looks like a routine Microsoft passkey setup, and walking away with full access to their Microsoft 365 account - no password stolen, no00
CSChris Sheridaninhalosecurityhasnodedev.hashnode.dev·8h ago · 4 min readAnatomy of a Pentest Dropbox: How Remote Internal Assessments Actually WorkWhen people imagine a penetration test, they picture someone on-site — badge on a lanyard, laptop open in a conference room. That still happens, but a large share of internal assessments now run remot00
MMediuswareinmediusware.hashnode.dev·10h ago · 10 min readAutonomous Fraud Defense for Smarter Business GrowthFraud does not wait. It learns. While your team is reviewing yesterday’s suspicious transactions, fraud systems are already testing new patterns today. They rotate identities, exploit timing gaps, mim00
NNakonakokawaiiinai-change-brief.hashnode.dev·12h ago · 5 min readOpenAI Daybreak and Codex Security: Why Cyber Defense Is Moving From Finding Bugs to Fixing ThemAI can produce more security findings than teams can absorb. OpenAI’s new cyber program focuses on the harder outcome: validated vulnerabilities, tested patches and evidence that reaches human reviewe00