CopyFail (CVE-2026-31431) in Go. In case you want to get root from a static binary without Python as a dependency.
Bad Sector Labs
- 562 Followers
- 113 Following
- 116 Posts
Weekly Cybersecurity news, techniques, exploits, and tools every Monday at http://blog.badsectorlabs.com
ποΈβ€οΈπ€ Ludus MCP/Skills (@badsectorlabs), Grapefruit π± security suite (@codecolorist), 2 Citrix NetScaler posts (@alizthehax0r + @_mccaulay), π BIOS bypass (@craigsblackie), and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2026-03-30.html
The FCC bans all new foreign routers, Delve was a compliance as a service scam, ForceHound, VMKatz, and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2026-03-24.html
ποΈ Ludus launched 2 years ago and the community embraced and extended it with write-ups, roles, configs, and environments. We're excited to see what you build with Ludus 2!
Ludus 2 brings:
- ποΈ Cluster support
- π Web UI
- πΊοΈ Range Blueprints
- π€ Better sharing (Users and groups!)
- ποΈ New backend
- π SSO
- π Updated docs
Ludus is free an open source, with optional paid plugins to support enterprise use cases. All new features besides the Web UI are available via the API/CLI and open source, commercial use permitted.
We want as many people as possible to be able to use Ludus Pro. You can apply for an NFR license to get Pro features free for non-commercial use at http://ludus.cloud
Full quality video: https://youtu.be/swa9k4QxeXA
Ludus 2 (@badsectorlabs), new GOAD lab (@M4yFly), πͺ hack (@XeEaton), DPAPI + Nemesis (@harmj0y + @tifkin_), iOS exploit kit found (@Mandiant), and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2026-03-09.html
SolarWinds RCE (@chudypb), Windows 11 Recall-based LPE (@filip_dragovic), Robot RCEs (@olivier_boschko + @ruikai), EDR as a RAT (@p0w1_), and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2026-03-02.html
Firefox RCE (@kqx_io), Havoc Professional (@C5pider + @0xC4RN4GE + @avx128), afd.sys UAF (@Dark_Puzzle + @Bad_Jubies), macOS JIT abuse (@kyleavery), AEMonitor (@__pberba__), and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2026-02-23.html
SharePoint enumeration (@matthiasdeeg), LNK "0days" (@wietze), AMD driver LPE (@Bad_Jubies), POSTing to superadmin (@XeEaton), and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2026-02-16.html
"Negative-day" discovery (@spaceraccoonsec), Exploit gen with LLMs (@seanhn), Harmony LPE (@johnnyspandex + @buffaloverflow), NetSupport Manager RCE (@0xor_solo), Azure blob C2 (@KingOfTheNOPs + @senderend) and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2026-02-09.html
SmarterMail Pre-auth RCE (@chudypb + @SinSinology), Claude Code code execution (@ryotkak), VSS create (@ricardojoserf ), EDRStartupHinder (@TwoSevenOneT), and more!
https://blog.badsectorlabs.com/last-week-in-security-lwis-2026-01-12.html
