One person's constant is another person's variable.
Starred Articles
We discovered and exploited memory safety and logic vulnerabilities in Google's Rust zero-knowledge proof code. We managed to forge a proof claiming better quantum circuit performance metrics than Google's original results, demonstrating unique security risks in zkVM systems.
Dissecting Impacket for Good and Bad
05/09/2026 I walk through the process that led me to build a curated list of 70+ Impacket protocol‑level indicators of compromise that expose both obvious implementation quirks (e.g., non‑GUID client IDs, hard‑coded nonces) and subtle deviations from Microsoft's specifications.
Technical reference on modern EDR architecture, detection mechanisms, evasion techniques, and reverse-engineering methodology. We cover kernel callback APIs, file-system mini-filters, ETW providers, the four detection-engine model, syscall gates, sleep obfuscation, call-stack spoofing, ETW-TI hardware-breakpoint bypass, patchless AMSI bypass via VEH, and BYOVD against the vulnerable-driver blocklist.
Vector embeddings have become load-bearing in modern AI systems, but production vector databases ship no native controls for verifying that an embedding hasn’t been modified after the model produced it. We analyze what an attacker can do with that gap, and what it takes to close it.
New Articles
We discovered a flaw with Claude’s Chrome extension (“Claude in Chrome”) that allows any extension, even one with no special permissions at all, to effectively hijack Claude’s extension by injecting it with malicious instructions, extract any information that the attacker desires, and get Claude to perform active agentic actions on their behalf.
Kazuar: Anatomy of a nation-state botnet
05/13/2026 Technical analysis of Kazuar, a sophisticated malware that expanded from a relatively traditional backdoor into a highly modular peer-to-peer (P2P) botnet ecosystem designed to enable persistent, covert access to target environments.
We expose how prompt injection in AI agent frameworks can lead to remote code execution. We will review how these vulnerabilities work, what's impacted, and how to secure your agents. We also share details on the vulnerabilities we discovered in Microsoft's Semantic Kernel, along with the steps we took to address them and an interactive way to try it yourself.
Dirty Frag (CVE-2026-43284, CVE-2026-43500) exposes a critical Linux kernel flaw enabling local privilege escalation to root. We examine how both vulnerabilities can be exploited, affected systems, detection with Sysdig and Falco, and mitigation strategies.
CVE-2022-33649: Chain of Forgotten Features
05/12/2026 I detail a chain of 5 vulnerabilities in Edge: an allowlist for bing.com, a Bing open redirect, a Microsoft Store URL handler that leaks the MS account token, a forgotten “Push to Install” backend, and a skuId path traversal that bypasses its ownership check. Chained together they allow the install of an attacker-controlled app on the victim's devices.
RCEliteLLM - Chaining an Environment Variable Leak with Jinja2 SSTI for Remote Code Execution
05/10/2026 I identified a chain of two vulnerabilities in LiteLLM that, when combined, allow any holder of a standard API key to achieve remote code execution on the proxy server. The chain escalates from a low-privilege internal_user API key to full admin access via an environment variable disclosure, then leverages a Jinja2 Server-Side Template Injection (SSTI) in the GitLab prompt management integration to execute arbitrary commands in-process.
In this second part of the series we'll go through the relevant code paths, analyze the patch, and develop an in-cage read/write primitive.
This article brings together a complete spoliation investigation workflow for Windows devices and external drives. Every step is grounded in real examination experience, peer-reviewed for technical accuracy, and expanded with the full procedural detail needed to conduct a professional investigation from acquisition through final reporting.
This blog walks through Shadow SSDT hijacking to achieve kernel code execution under VBS/HVCI/kCET-enabled environments on Windows 11. We first cover the fundamentals of userland access and debug our way into kernel mode using WinDBG and Ret-Sync, then detail the logic of the Shadow SSDT hijack and deep dive into Kernel Code Execution via the Shadow SSDT.
We provide a data-driven view of Jenkins security, covering vulnerabilities, plugins, and common configuration patterns.
RCE in VSCode Copilot Chat
05/11/2026 Copilot agent mode is vulnerable to a prompt injection attack. If a repository maintainer clicks 'code with agent mode' on an issue, it will open a new codespace and Copilot will automatically run the issue's description.
We analyze a technique that hijacks trusted Electron apps to enable malware persistence and the bypass of application safelisting.
We cover seven concrete threat-hunting scenarios for AWS Bedrock, the exact CloudTrail event names to pivot on, sample Athena queries you can paste straight into your data lake, and a hardening checklist for production GenAI workloads.
Two command injection vulnerabilities exist in the Windows Explorer "Open PowerShell window here" context menu due to improper quoting and command injection through user-controlled folder paths. By creating folders with crafted names, an attacker can trigger arbitrary PowerShell command execution.
Analyzing Google's Map cache
05/06/2026 This article shows an in-depth analysis of forensic artifacts from Android applications using the Maps SDK.
We identified PCPJack, a credential theft framework that worms across exposed cloud infrastructure and removes artifacts associated with TeamPCP. It harvests credentials then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.
Writing a Naive LLVM-based Devirtualizer
05/06/2026 We build a simple, "naive" de‑virtualizer by disassembling a stack‑based VM, emitting each opcode as LLVM IR (including an emulated stack), then letting LLVM's optimization passes fold away the virtualization layer, producing clean native code that reveals the original flag‑checking logic.
Inside a Tor Backed Supply Chain Worm
05/13/2026 We uncovered a sophisticated npm supply chain attack using a typosquatted package, crypto-javascri, to mimic crypto-js. The malware steals npm and GitHub credentials, hijacks maintainer accounts, republishes trojanized packages, and uses Tor-based command-and-control. The campaign targets Linux developer systems and CI/CD environments, creating serious downstream supply chain risk.
We detail CVE-2026-0300, a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software. It allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewalls by sending specially crafted packets through network traffic.
Still Recent
CVE-2026-6307 is a V8 compiler bug in the metadata used to recover from optimized JS-to-Wasm calls. This first part walks through the background details that are needed to follow along, as well as the trigger specifics of the bug.
Adobe disclosed three critical security issues (CVE-2026-34621, CVE-2026-34622, CVE-2026-34626) affecting Acrobat DC and Acrobat Reader DC. This post documents our process of reproducing and analyzing the bugs to better understand how they were exploited in the wild and what primitives they enabled.
In this post, we describe the major findings from our review of TP-Link's new-generation TAPO security cameras: a pre-auth RCE, multiple authentication bypass vulnerabilities leading to 10+ post-auth RCEs, and a cryptographic design weakness that can enable a full cloud account compromise.
I discovered some minor vulnerabilities in a GitHub Actions workflow of @img/colour: an overly permissive workflow, an untrusted branch checkout, and blind faith in a friendly bot. Chained together these three simple flaws transformed a basic dependency update into a full-blown remote code execution.
Unearthed Arcana
We provide details about the ability to configure the client to connect to ports other than TCP/445 and QUIC/443.
Fuzzing and Bypassing the AWS WAF
01/08/2024 We discovered techniques that allowed the AWS WAF to be bypassed using the onbeforetoggle DOM event. In this article we detail the methodology and tools we used to find the technique.