Jeya Seelan @rootxjs

Not everyone who reports to Google Cloud VRP does a writeup, but critical bugs still show up in CVEs and release notes Made a tool that aggregates both so you can see the types of bugs getting found in GCP gcp-cves.brutecat.com

StubZero: $148,337 RCE in Google Cloud Production brutecat.com/articles/googl…

@github

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

Security things from the last few days: - CopyFail (linux pwn'd) - CopyFail 2/Dirty Frag - 13 advisories in Next.js - Over 70 CVEs addressed in MacOS 26.5 - ~50 CVEs addressed in iOS 26.5 - YellowKey (Windows Bitlocker pwn'd entirely) - GreenPlasma (Windows privilege escalation) - CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE - CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access - Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning) - Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too" - Canvas (popular LMS used in most schools) pwn'd entirely - PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300 Are you scared yet?

‼️🚨 UPDATE: The TanStack npm attack is now a full campaign. 'Mini' Shai-Hulud has hit: - OpenSearch - Mistral AI - Guardrails AI -UiPath - Squawk packages across npm and PyPI The malware specifically targets AI developer tooling. It hooks into Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json) to re-execute on every tool event, long after the infected package is gone. npm uninstall does not fix this.

International Cyber Digest @IntCyberDigest

4 weeks ago

‼️🚨 BREAKING: A new npm supply-chain attack uses a dead-man's switch. The payload plants a watcher on your machine that nukes your home directory the second you revoke the GitHub token it stole from you. The compromise happened today, across 42 official tanstack npm packages,

139 946 6K 1.5M 3K

🚨SECURITY ALERT: Ongoing supply chain attack - “Shai-Hulud: Here We Go Again” We are continuing to track the latest attack in the “Shai-Hulud: Here We Go Again” campaign - Up until now 406 package versions were detected as compromised, including npm scopes @tanstack, @squawk, @uipath, and spreading to PyPI packages mistralai and guardrails-ai. JFrog Curation customers using an Immaturity policy were fully protected from this attack, as all of the hijacked packages were flagged in less than 24 hours. See our blog for a full analysis of this attack, including an ongoing list of compromised packages (link shared soon in this thread).

A few months ago, I found a Prompt Injection vulnerability on Google Tasks. It was simple, yet tricky. Google rewarded me with a $15,000 bounty for it. Here's the full story:

Open-source local AWS emulator with real databases github.com/ministackorg/m…

I achieved a cross-tenant #RCE in #GoogleCloud simply by abusing predictable bucket names. 🪣 In my latest research for @FocalSecurity, I look into "Bucket Squatting" - a cross-tenant attack that landed me 3 critical vulnerabilities in GCP. Here is how it works:

🚨 BREAKING: Wiz Research discovered Remote Code Execution on GitHub.com with a single git push The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯

Why is no one talking about this? @nvidia is offering around 80 AI models via hosted APIs absolutely for free. You get access to MiniMax M2.7, GLM 5.1, Kimi 2.5, DeepSeek 3.2, GPT-OSS-120B, Sarvam-M etc. This plugs straight into OpenClaude, OpenCode, Zed IDE, Hermes agent and even with Cursor IDE. Setup: – Grab API key: build.nvidia.com/models – base_url = "integrate.api.nvidia.com/v1" – api_key = "$NVIDIA_API_KEY" – select model (e.g. minimaxai/minimax-m2.7) If you’re building or experimenting, this is basically free inference. Lock in and start building today anon. Thank me later.

@DrVaishnavi14 @ICCCBengaluru @blrcitytraffic @TOIBengaluru @peakbengaluru @MALimbavali I’m sorry about that! I'll make sure use official channels.

#marathahalli #spacetechnology #Bengaluru Latest visuals from munnekolala, marathahalli Another vehicle stuck due to the poor roads. Around 2 months the roads are like this and no action is taken till now. @ICCCBengaluru @EASTCITYCORP @blrcitytraffic @TOIBengaluru @peakbengaluru

keyboard_arrow_left Previous keyboard_arrow_right Next

abhishek raj mishra @abhishekmrej

5 months ago

A traffic deadlock at munnekolala near asha tiffins, because of some incompetent officials from @chairmanbwssb , fust they dugged whole area 1 month ago, and then they dumped pipes on the road for last 2 weeks with no work going on. @blrcitytraffic wake up! Wake up!

keyboard_arrow_left Previous keyboard_arrow_right Next

6 4 4 1K 1

@ICCCBengaluru @blrcitytraffic @TOIBengaluru @peakbengaluru @MALimbavali (Manjula Aravind Limbavali), MLA the condition in Munnekolala Mahadevapura is unacceptable. Basic issues have been ignored for months. Please take immediate action.

@BECCUPDATES @bwssbchairman @bbmpcommr @BBMPSWMSplComm @BbmpEast @GBA_office @MALimbavali (Manjula Aravind Limbavali), MLA the condition in Munnekolala Mahadevapura is unacceptable. Basic issues have been ignored for months. Please take immediate action.

@BECCUPDATES Only areas that have good roads are being re layed. Very Near to this our Munekolala Sai Baba Temple 2 kms stretch road is torn apart by @bwssbchairman 4 Months ago. Still no fixes. @BECCUPDATES @bbmpcommr @BBMPSWMSplComm @BbmpEast @GBA_office

keyboard_arrow_left Previous keyboard_arrow_right Next

@abhishekmrej @chairmanbwssb @blrcitytraffic @osd_cmkarnataka FYI

@ICCCBengaluru @blrcitytraffic @TOIBengaluru @peakbengaluru @osd_cmkarnataka FYI

@BECCUPDATES @bwssbchairman @bbmpcommr @BBMPSWMSplComm @BbmpEast @GBA_office @SWDGoK @commonman_KA

@BECCUPDATES @bwssbchairman @bbmpcommr @BBMPSWMSplComm @BbmpEast @GBA_office @ChristinMP_ @osd_cmkarnataka @DeccanHerald @BangaloreMirror @BPACofficial @BECCUPDATES @BangaloreTimes1 @peakbengaluru @blrcitytraffic Kindly bring this to attention of higher officer in Bangalore East City Corporation - Location Munnekolala , Marathahalli

Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly. A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments. Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration. We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel. At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community. The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature. In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback. We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance. It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.