Security Review #301

April 03, 2026

You decided to use regex, and now you have two problems

— Anonymous

Starred Articles

Creative approaches to coding FUD Stagers

We write 3 variants of fully undetected (FUD) code for a simple dropper/stager that downloads and executes shellcode in-memory, and avoids writing anything to disk. The trick is using Python, as scripting languages are not heavily scrutinized compared with compiled (PE executable) code.

Audio Steganography in Supply Chain Attacks

We discuss how attackers hide malware inside WAV audio files using steganography. We first review the full kill chain of a real-life attack, then move to a hands-on lab to create our own .WAV steganography encoder/decoder.

Kernel-Level Stealthy Observation of TTY Streams

I developed a kernel module to monitor tty connections (i.e. SSH sessions, terminal or console sessions) in a stealthy way, filtering only processes I am interested in. Instead of relying on direct system-call hooks, the approach comes from understanding how the kernel itself moves tty data and identifying a point in that path where observation can happen without drawing attention.

New Articles

OpenAI Codex: How a Branch Name Stole GitHub Tokens

We discovered a critical command injection vulnerability in OpenAI Codex that allowed attackers to steal GitHub OAuth tokens through unsanitized branch names. The flaw affected ChatGPT, Codex CLI, SDK, and IDE extensions, and could scale into automated supply chain attacks via poisoned GitHub branches.

Common Entra ID Security Assessment Findings - Part 2: Privileged Unprotected Groups

We review the impact of unprotected groups used to grant sensitive privileges or enforce critical security controls. This can allow internal or external lower-tier administrators, or even foreign enterprise applications, to perform sensitive actions or gain access to critical resources.

Operation NoVoice: Rootkit Tells No Tales

We identified and investigated an Android rootkit. The app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens is injected with attacker‑controlled code.

Methodology for Assessing Kubernetes Namespace-Based Multi-Tenancy Setups

This post introduces a structured methodology for assessing security risks in Kubernetes environments that use Namespace-based Multi-Tenancy. It addresses weaknesses that break Namespace-based isolation and that are not well studied yet.

Mongoose: Preauth RCE and mTLS Bypass on Millions of Devices

I found three vulnerabilities in Mongoose, each independently exploitable: complete bypass of mTLS authentication, preauth RCE as root via a heap overflow in the client public key parsing logic, and preauth RCE via a single UDP packet through mDNS.

ShellBags and User Navigation: What Windows Remembers About Exploration

ShellBags are better understood as Windows remembering where the shell has been asked to render a folder view for a user. That can be strong evidence of navigation and exploration. It can also be weak evidence of anything beyond that. We detail what ShellBags really are and how they can be properly used as a guide for corroboration.

Kubernetes forensics - Part 1: what the container ?

This is the first article of a series on Kubernetes forensics. In this one we will focus on the underlying container technology, reviewing the architecture, the components and detailing how to perform forensic analysis on Podman and Docker containers.

TeamPCP’s Telnyx Windows Malware: Technical Analysis

This is a deep analysis of TeamPCP’s second-stage payload targeting Windows machines. The malware is downloaded in the form of a WAV file from the remote C2 server when importing the malicious version of Telnyx, decoded using XOR, and then saved as an executable, which is later executed on the machine.

CVE-2025-33073 NTLM Reflection Vulnerability Explained

CVE-2025-33073 gives any domain user SYSTEM on unpatched hosts. We elaborate on its combination with the AD unconstrained delegation architectural flaw, eventually leading to a full domain compromise from a low-privilege domain user.

Citrix NetScaler CVE-2026-3055 Memory Overread - Part 1

We dive deep into CVE-2026-3055, an unstable memory overread vulnerability in the Citrix NetScaler SAML parsing engine, leading to a partial memory leak.

CVE-2025-14325: SpiderMonkey Type Confusion in Baseline JIT Inline Cache

In this post we will share a journey of finding a type confusion in Firefox's JavaScript engine, SpiderMonkey. We discovered this bug using AI-assisted fuzzing by asking Claude Code to analyze the TypedArray resizable feature, which is under active development. After that we iteratively enhanced our fuzzing framework to cover all aspects of that feature in the entire commit history.

Progress ShareFile Pre-Auth RCE Chain: CVE-2026-2699 & CVE-2026-2701

In this post, we'll walk through vulnerabilities we discovered in Progress ShareFile that allowed us to achieve pre-auth RCE: CVE-2026-2699 (Authentication Bypass) and CVE-2026-2701 (Remote Code Execution).

LofyGang Returns: From Fake undici to Full System Compromise via Parallel Data Theft

We identified a malicious undicy-http npm package that delivers a dual-payload attack: a Node.js-based Remote Access Trojan (RAT) with live screen streaming, and a native Windows PE binary that uses direct syscalls to inject into browser processes and steal credentials, cookies, credit cards, IBANs, and session tokens.

Citrix NetScaler CVE-2026-3055 Memory Overread - Part 2

We go deeper in the analysis of CVE-2026-3055, a memory overread in Citrix NetScaler, and discover a bug in the processing of the /wsfed/passive URL. The impact is a consistent memory leak that can eventually reveal administrative session IDs.

ghostsurf: From NTLM Relay to Browser Session Hijacking

I dug into why ntlmrelayx's HTTP SOCKS proxy fails with browsers, and fixed several fundamental issues with how it handles HTTP. I also discovered some undocumented Windows kernel auth behavior that silently kills relay sessions, and built a tool to fix both issues.

New widespread EvilTokens kit: device code phishing as-a-service - Part 1

We uncover the new sophisticated EvilTokens device code phishing as-a-service, with AI-augmented features facilitating BEC fraud. This first part explains the Microsoft device code authorisation flow and offers a technical analysis of the EvilTokens device code kit, covering its phishing pages, the weaponisation of harvested Microsoft tokens, and the functionalities available to affiliates.

Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

Threat actors abused trusted Trivy distribution channels to inject credential-stealing malware into CI/CD pipelines worldwide. This analysis walks through the Trivy supply-chain compromise, attacker techniques, and concrete steps security teams can take to detect and defend against similar attacks.

ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime

We discovered a hidden outbound communication path from ChatGPT's isolated execution runtime to the public internet, enabling a single malicious prompt to turn an otherwise ordinary conversation into a covert exfiltration channel, leaking user messages, uploaded files, and other sensitive content.

CrySome RAT : An Advanced Persistent .NET Remote Access Trojan

An in-depth analysis of CrySome, a feature-rich remote access trojan (RAT) designed to establish and maintain a persistent command-and-control (C2) channel over TCP while enabling full-spectrum remote operations on compromised systems.

Oldies but Goodies

CSS Data Exfiltration to Steal OAuth Token

In this article, we explain how we leveraged an HTML injection vulnerability in a DOMPurify-protected web application to perform a CSS injection. Thanks to an OAuth misconfiguration, this injection makes it possible to steal the victim's token.

If you think you blocked NTLMv1 in your org, think again

We discovered that attackers bypass the Group Policy designed to disable NTLMv1, allowing insecure authentications to persist in Active Directory environments.

Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl

We uncover forensic insights in Windows AutoLogger-Diagtrack-Listener.etl, a telemetry artefact with untapped investigative value. Understanding when and how this file records telemetry could transform it into a valuable forensic artefact, particularly in incident response investigations where process creation and execution traces are critical.

Understanding Out-Of-Bounds in Windows Kernel Driver

In this blog post, we will explore different types of out-of-bounds (OOB) vulnerabilities in Windows kernel drivers. We will write realistic, purpose-built kernel drivers containing intentional vulnerabilities to showcase OOB reads, OOB writes, and loop-based overflow.

An Operators Guide to Beacon Object Files

Beacon object files (BOF) are the new method for conducting post-exploitation activities on compromised systems. This blog aims to provide the necessary tools and knowledge to start incorporating BOFs in your hacking toolkit.

Unearthed Arcana

The Art of Self-Mutating Malware

Self-mutation in malware represents one of the most elegant solutions to the detection problem. Instead of hiding what you are, you become something different each time you reproduce. It’s digital evolution in its purest form. In this post, we talk about writing self-mutating malware, how to build your own polymorphic engine, and a bit on metamorphic code too.