Security Review #294

Starting with Python 3.5, lines in .pth files starting with "import" followed by a space or tab are executed. This allows malicious code in such files to run whenever any code on the device imports a module. In this blog post, we will look into the details of this backdooring technique, examining its implementation and investigating whether it leaves any traces behind.

This post introduces to the anatomy and detection of JavaScript memory corruption exploits that target Google Chrome's V8 JavaScript engine. We dive into the primitives attackers need during the first stage of a Chrome full-chain exploit, and what artifacts these primitives leave behind in memory that can be used for proactive detection purposes.

Deep technical analysis of bypassing eBPF-based security solutions through kernel-level hooks targeting BPF iterators, ringbuffers, and perf events.

TURN servers are meant to relay media traffic for WebRTC. In this article, review how they have abused for year by hackers, becoming powerful proxies for internal network access, C2 operations, and DDoS attacks.

The Global Assembly Cache is a system-wide repository in the .NET framework that stores strong named assemblies so multiple applications can use them without version conflicts. Threat actors with elevated privileges on the asset could tamper, an assembly inside the GAC folder to execute arbitrary code. The technique could establish persistence by blending into a trusted process.

In this article I discuss remote execution via SMB, akin to PSExec and Impacket SMB. I will focus on finding ways to execute remote services more stealthily, avoiding the traditional execution paths we usually rely on. You can also use this technique to create more effective persistence.

Roundcube's HTML sanitizer doesn't treat SVG feImage href as an image source. Attackers can bypass remote image blocking to track email opens. (CVE-2026-25916)

We analyze the technical mechanics of an attack vector that bypasses phishing-resistant multi-factor authentication (MFA). The technique utilizes a transparent reverse proxy on serverless infrastructure to intercept and modify server responses in real-time.

We discovered a critical vulnerability (CVE-2025-64712) in Unstructured.io that enables arbitrary file write and potentially full remote code execution on the machine running the library.

We discovered a critical RCE in Google's Antigravity IDE that lets attackers take over your system just by opening a malicious website.

Infor Syteline ERP uses hard-coded encryption keys (CVE-2026-2103) embedded in application binaries to protect sensitive credentials stored in its database. An attacker with access to the database can decrypt all stored passwords including application user credentials, database connection strings, API keys, and payment gateway passwords.

We detail a widespread flaw in many language bindings for AES‑GCM: they accept truncated authentication tags, letting an attacker succeed with far fewer guesses as a 1‑byte tag needs only 256 tries. Ruby, PHP, Node.js, Erlang and others all suffer from this lenient verification.

We review the Data Protection API (DPAPI) and App-Bound Encryption (ABE) techniques implemented by Chrome to prevent credential theft via browser dumping attacks. Then we details the different methods that can be used to bypass those security mechanisms.

Harden-runner is a specialized GitHub Actions focused on runner hardening that monitors outbound connections through network syscalls. Most tools and commands trigger detectable patterns. But UDP, with its connectionless nature, presented an interesting attack surface. some UDP syscalls behave differently enough that they fall outside the monitoring scope.

We detail two pre‑authentication Remote Code Execution flaws in Ivanti Endpoint Manager Mobile (CVE‑2026‑1281 and CVE‑2026‑1340). The Apache‑driven Bash scripts expose an unauthenticated HTTP endpoint that can be abused via arithmetic expansion - allowing an attacker to inject and run shell commands.

OysterLoader, also known as Broomstick and CleanUp, is a malware developed in C++, composed of multiple stages, belonging to the loader (A.k.a.: downloader) malware family. We analyze its evasion techniques from API hammering to custom LZMA, and explore the 4-stage infection chain.

We detail the root cause of CVE-2025-20393, a vulnerability affecting Cisco Secure Email Gateway and Secure Email and Web Manager: a single-byte integer overflow in the EUQ RPC protocol that bypasses authentication and chains into Python pickle deserialization - achieving unauthenticated remote code execution with a single HTTP request.

Crystal Palace now has a Yara rule generator. In this blog post, I'll walk you through the design and evaluation of this feature.

One of the threats common threats that AI Chatbots face is unfurling of hyperlinks, which can lead to data exfiltration and is something often seen in Chatbots. So, let's shine more light on it, including practical guidance on how to mitigate it with the example of Slack Apps.

In this blog post I describe the root cause of 5 issues with Administrator Protection, specifically the implementation of UI Access, how this has been a long standing problem with UAC that's been under-appreciated, and how it’s being fixed now.

A prompt injection vulnerability in Cline's Claude Issue Triage workflow allows any attacker with a GitHub account to compromise production Cline releases on both the Visual Studio Code Marketplace and OpenVSX.

Mature enterprises lock down egress but often carve out broad exceptions for trusted cloud services. This post shows how reviewing deployment guides can help identify those exceptions and weaponize them with a new Mythic C2 profile called azureBlob.

We show how to embed Tailscale and a dropbear SSH server into an Arch initramfs so you can remotely unlock an encrypted boot partition.

Anthropic brought Claude's capabilities into the browser. It's less a browser extension than a new kind of browser altogether. The threat model for an agentic browser includes both familiar as well as novel risks. In this post, we map the attack surface of Claude Chrome where the agent - not the user - is in the driver's seat.

We explore a vulnerability I discovered in the Telephony Service’s server mode, which allows low-privileged client to write arbitrary data to files accessible by the service and, under certain conditions, achieve remote code execution.

Some SaaS "AWS integrations" are only one AssumeRole away from becoming a cross-tenant data access problem because the SaaS integration layer often fails to bind tenant identity to cloud identity in a way that holds up under real attacker behavior. This post is a practical write-up of confused deputy patterns I repeatedly observed while assessing cloud integrations.

In this post I'll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome. I'll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click on a malicious website.

We detail how to build compact, optimized Windows shellcode in C instead of hand‑writing all the assembly. It explains how to locate the process's PEB/TEB at runtime, walk the loader's module list to find DLL base addresses, and use a lightweight DJB hash to match DLL and export names without storing string literals.

This second part mainly focuses on exploitation: brute force login, CSRF, JWT signing algorithms, scopes and roles, offline access, and uma authorization.

Keycloak is an open-source Identity and Access Management (IAM) solution. It allows easy implementation of single sign-on for web applications and APIs. In this first part of the series, we will focus on OpenID configuration and enumeration of client IDs, scopes, realms, grants, identity providers, roles and user emails.