We created a vulnerability vending machine: AI tokens in, zero-days out
Artificial intelligence is transforming the landscape of vulnerability research, yet much of the discussion remains theoretical, focusing on the potential capabilities of models rather than their current practical applications. Our goal was to address a more pragmatic inquiry: with the models we currently have access to, how effectively can AI assist in identifying genuine, exploitable…
OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps
A malware framework known as OkoBot has been operational on Windows systems since April 2025, with one of its components designed to deceive hardware wallet users into revealing their recovery phrases. On a compromised computer, the request originates from the wallet’s own desktop application. At times, it waits until the device is connected. The page…
AsyncAPI npm Packages Compromised by Credential-Stealing Malware
Five harmful versions of AsyncAPI packages were uploaded to the Node Package Manager (npm) as part of a supply-chain attack that introduced a remote access trojan capable of stealing information. The attacker took advantage of a poorly configured GitHub Actions workflow, releasing trojanized packages within the @asyncapi namespace, which collectively garnered over 2.25 million downloads…
Announcing Gas City 1.0! – Marquee de Sells: Chris’s insight outlet
Announcing Gas City 1.0! You may have heard from Steve Yegge, the creator of Beads and Gas Town, that we’ve released Gas City 1.0! As the CEO of the newly minted Gas City, Inc., I thought I’d provide some additional details on Steve’s excellent blog post. It’s hard to look back on the release of…
China’s DeepSeek trims the price of its flagship AI model by 75%, and it could be a huge shift
Chinese AI startup DeepSeek just made one of the boldest pricing moves in the artificial intelligence race so far. The company announced it is permanently slashing the cost of its flagship V4-Pro AI model by 75%, bringing prices down to just a fraction of what developers were paying only weeks ago. AI companies worldwide have…
Toyota sealed up a backdoor to its global supplier management network
Adam Bannister07 February 2023 at 17:34 UTC Updated: 14 February 2023 at 11:15 UTC A security researcher recently commended Toyota for its swift action in responding to a reported security vulnerability, which thankfully did not lead to malicious exploitation. UPDATED: This article was revised on February 13 to address earlier claims regarding SHI International’s role…
DOM XSS vulnerability in Gartner Peer Insights widget patched
Charlie Osborne08 February 2023 at 13:42 UTC Updated: 20 February 2023 at 12:31 UTC Web attack vector resolved following insufficient initial fixes An image showcasing the issue has been replaced with a new reference image: Gartner has addressed a DOM XSS vulnerability identified in its Peer Insights widget, a security concern that researchers believe has…
New XSS Hunter host Truffle Security faces privacy backlash
Adam Bannister 09 February 2023 at 17:12 UTC Updated: 22 February 2023 at 15:09 UTC Concerns arise as anonymized data regarding bug discoveries are removed following community feedback. UPDATED, February 22. On February 21, Truffle Security announced the addition of optional end-to-end encryption to its XSS Hunter fork, prompting favorable reactions on Twitter. The developers…
Radio silence from DMS vendor quartet over XSS zero-days
No updates or patches have been provided by the vendors of the affected document management systems. Recent research has highlighted several critical vulnerabilities in document management systems (DMS) affecting four enterprise-level providers, who have yet to address the security concerns. In a blog entry released on February 7, Tod Beardsley, director of research at Rapid7,…
OAuth ‘masterclass’ crowned top web hacking technique of 2022
Adam Bannister 10 February 2023 at 14:56 UTC Updated: 10 February 2023 at 16:10 UTC Single sign-on and request smuggling emerged as prominent topics in another remarkable year for web security research. Detectify founder Frans Rosén has secured the top spot in PortSwigger’s list of the most significant web hacking techniques of 2022 with his…
