Nostr notes by Nethemba

This is a full-day hands-on training designed for Bitcoin ...

2026-05-21T18:30:20Z

This is a full-day hands-on training designed for Bitcoin holders, founders, investors, and anyone who is publicly (or quietly) involved in the space.
https://gart.io/event/gart-training-btc-prague-2026-3/register

First Public macOS Kernel Exploit on Apple M5 Prepared Using ...

2026-05-18T15:20:00Z

First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days
https://cybersecuritynews.com/first-public-macos-kernel-exploit/

A security researcher says Microsoft secretly built a backdoor ...

2026-05-17T20:10:00Z

A security researcher says Microsoft secretly built a backdoor into BitLocker, releases an exploit to prove it
YellowKey exploit bypasses BitLocker full volume encryption via USB stick and WinRE
https://www.techspot.com/news/112410-security-researcher-microsoft-secretly-built-backdoor-bitlocker-releases.html

Steal SSH host private keys and /etc/shadow via the ...

2026-05-15T11:03:00Z

Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.
https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn

NGINX Rift RCE Proof of concept for CVE-2026-42945, a critical ...

2026-05-15T01:00:00Z

NGINX Rift
RCE Proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008. The bug enables unauthenticated remote code execution against servers using rewrite and set directives.
https://github.com/DepthFirstDisclosures/Nginx-Rift

The Tiny UDP Cannon: An Android VPN Bypass ...

2026-05-12T15:20:00Z

The Tiny UDP Cannon: An Android VPN Bypass
https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/

Using Instagram for any (private) communication is always a bad ...

2026-05-09T01:00:03Z

Using Instagram for any (private) communication is always a bad idea.
Instagram privacy tech is turned off today - what does this mean for your DMs?
https://www.bbc.com/news/articles/clypzxl3lvqo

The Internet Is Falling Down, Falling Down, Falling Down (cPanel ...

2026-05-07T18:00:01Z

The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)
https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution. ...

2026-05-07T12:00:02Z

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution.
Xint Code disclosed CVE-2026-31431, an authencesn scratch-write bug chaining AF_ALG + splice() into a 4-byte page cache write. A 732-byte PoC gets root on Ubuntu, Amazon Linux, RHEL, SUSE.
https://xint.io/blog/copy-fail-linux-distributions

Apple fixes bug that allowed FBI to read deleted Signal messages ...

2026-05-07T06:00:02Z

Apple fixes bug that allowed FBI to read deleted Signal messages
FBI used the flaw to extract readable previews of Signal messages from an iPhone's notification database even after the app was deleted.
https://cointelegraph.com/news/apple-fixes-bug-fbi-read-encrypted-messages-signal-via-notifications

"We evaluate AgentFlow on TerminalBench-2 with Claude Opus ...

2026-04-26T01:00:02Z

"We evaluate AgentFlow on TerminalBench-2 with Claude Opus 4.6 and on Google Chrome with Kimi K2.5. AgentFlow reaches 84.3% on TerminalBench-2, the highest score in the public leaderboard snapshot we evaluate against, and discovers ten previously unknown zero-day vulnerabilities in Google Chrome, including two Critical sandbox-escape vulnerabilities (CVE-2026-5280 and CVE-2026-6297). "
https://arxiv.org/abs/2604.20801

CLI security scanner built for the agentic era. Detects CI/CD ...

2026-04-25T20:10:01Z

CLI security scanner built for the agentic era. Detects CI/CD misconfigs, agent permission risks, MCP tool injection, hardcoded secrets, and DMCA-flagged AI dependencies.
https://github.com/asamassekou10/ship-safe
https://www.shipsafecli.com/

Post Quantum Cryptography - Computerphile ...

2026-04-25T01:00:01Z

Post Quantum Cryptography - Computerphile
https://m.youtube.com/watch?v=_MoRcYLN-7U

A governance standard for autonomous penetration testing ...

2026-04-24T20:10:02Z

A governance standard for autonomous penetration testing platforms.
https://github.com/OWASP/APTS

Diverzifikácia rizika na "európsky spôsob" - ...

2026-04-24T15:20:01Z

Diverzifikácia rizika na "európsky spôsob" - diskriminujeme non-EU dodávateľov a zrazu nam zostane oligopol EÚ firiem :)
Komise zákon prezentuje jako obranu proti čínským dodavatelům. Právnická firma Bird & Bird ale v březnové analýze upozornila na paradox: politika „diverzifikace“ v praxi vede k menší diverzitě dodavatelského pole. Vyloučení firem ze třetích zemí koncentruje zakázky u několika velkých evropských hráčů: Bundesdruckerei, Thales, IDEMIA nebo Atos.
https://reporteri.substack.com/p/novy-kyberneticky-zakon-zavira-dvere

‘Withdraw Now’—Inside Aave’s Sudden $200M Bad Debt Crisis ...

2026-04-23T15:20:01Z

‘Withdraw Now’—Inside Aave’s Sudden $200M Bad Debt Crisis
A major exploit of KelpDAO's cross-chain bridge has cascaded into Aave, one of DeFi's largest lending protocols.
https://www.forbes.com/sites/digital-assets/2026/04/18/withdraw-now-inside-aaves-sudden-200m-bad-debt-crisis/

"We took the specific vulnerabilities Anthropic showcases in ...

2026-04-22T20:10:02Z

"We took the specific vulnerabilities Anthropic showcases in their announcement, isolated the relevant code, and ran them through small, cheap, open-weights models. Those models recovered much of the same analysis. Eight out of eight models detected Mythos's flagship FreeBSD exploit, including one with only 3.6 billion active parameters costing $0.11 per million tokens. A 5.1B-active open model recovered the core chain of the 27-year-old OpenBSD bug."
https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier

Autonomous vulnerability scanner and source-code hunter built on ...

2026-04-22T01:00:01Z

Autonomous vulnerability scanner and source-code hunter built on LangGraph.
https://github.com/Lazarus-AI/clearwing

The current state of AI hacking skills ...

2026-04-18T20:10:03Z

The current state of AI hacking skills

Reverse proxy for Claude Code that anonymizes sensitive pentest ...

2026-04-18T15:20:01Z

Reverse proxy for Claude Code that anonymizes sensitive pentest data (IPs, hashes, credentials, hostnames, PII) before it reaches Anthropic. Dual-layer detection: local Ollama LLM + regex safety net, with per-engagement vault and self-improving feedback loop.
https://github.com/zeroc00I/LLM-anonymization

"I Let Claude Opus Write a Chrome Exploit: The Next Model ...

2026-04-18T01:00:01Z

"I Let Claude Opus Write a Chrome Exploit: The Next Model (Mythos?) Won't Need My Help? "
https://www.hacktron.ai/blog/i-let-claude-opus-to-write-me-a-chrome-exploit

Can you steal $10,000 from a locked iPhone? ...

2026-04-17T15:20:01Z

Can you steal $10,000 from a locked iPhone?
https://www.youtube.com/watch?v=PPJ6NJkmDAo

While Anthropic’s new model only succeeded in 3 out of 10 ...

2026-04-17T01:00:01Z

While Anthropic’s new model only succeeded in 3 out of 10 attempts, even the average Mythos Preview run completed 22 of the 32 required infiltration steps, significantly higher than the 16-step average achieved by Claude 4.6.
New model is the first AI system to complete a difficult multistep infiltration challenge.
https://arstechnica.com/ai/2026/04/uk-govs-mythos-ai-tests-help-separate-cybersecurity-threat-from-hype/

Supply chain nightmare: How Rust will be attacked and what we can ...

2026-04-15T20:10:00Z

Supply chain nightmare: How Rust will be attacked and what we can do to mitigate the inevitable
https://kerkour.com/rust-supply-chain-nightmare

XBOW Validation Benchmarks is a collection of web security ...

2026-04-09T20:10:01Z

XBOW Validation Benchmarks is a collection of web security challenges designed to test automated security testing tools.
https://github.com/xbow-engineering/validation-benchmarks
AI agent benchmark results across security platforms
https://0ca.github.io/BoxPwnr-Traces/stats/platform.html?platform=xbow

This is big... Anthropic just announced a model so powerful they ...

2026-04-09T01:00:02Z

This is big... Anthropic just announced a model so powerful they won't release it to the public out of fear over the damage it will cause 😨
Claude Mythos Preview found thousands of zero-day exploits in every major operating system and web browser...
The numbers are hard to believe:
> $50 to find a 27-year-old bug in OpenBSD, one of the most security-hardened operating systems ever built
> Under $1,000 to find AND build a fully working remote code execution exploit on FreeBSD that grants unauthenticated root access from anywhere on the internet
> Under $2,000 to chain together multiple Linux kernel vulnerabilities into a complete privilege escalation exploit
For context: these are the kinds of findings that previously required elite security researchers working for weeks.
Anthropic engineers with no formal security training asked Mythos to find exploits overnight. They woke up to working code the next morning.
The results were so impressive Anthropic assembled Apple, Google, Microsoft, Amazon, NVIDIA, and seven other organizations into Project Glasswing:
A $100M defensive coalition. They're not releasing this model publicly. Instead, they're racing to patch the world's infrastructure before models like this proliferate.
https://x.com/JoshKale/status/2041589742303649802

Assessing Claude Mythos Preview’s cybersecurity capabilities ...

2026-04-08T15:20:12Z

Assessing Claude Mythos Preview’s cybersecurity capabilities
https://red.anthropic.com/2026/mythos-preview/

Privacy-first mobile carrier with IMSI rotation, encrypted ...

2026-04-04T01:00:03Z

Privacy-first mobile carrier with IMSI rotation, encrypted texting, SIM swap protection, anonymous payments, and no data collection
https://www.cape.co/

axios Compromised on npm - Malicious Versions Drop Remote Access ...

2026-03-31T15:20:02Z

axios Compromised on npm - Malicious Versions Drop Remote Access Trojan:
The attacker injected a hidden dependency that drops a cross platform RAT. We are actively investigating and will update this post with a full technical analysis.
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan