Joshua Small

[RESOLVED] CRITICAL SECURITY VULNERABILITY WITH CPANEL/WHM, APRIL 28, 2026 - Namecheap Status

Dear Customers, We regret to inform you that a critical security vulnerability has been identified in cPanel software affecting all currently supported versions. This vulnerability relates to an authentication login exploit that could allow unauthorized access to the control panel. As an immediate precautionary measure, we have applied a firewall rule to block access to …

If you open the Microsoft Secure Score recommendations and try to accept a risk, your browser happily tells you Microsoft made a spelling mistake.

Best use of Claude code in a pentest so far (could not surface this answer on Google).

/cc @wdormann

JavaScript people falling over themselves to bundle megabytes of compat shims everywhere. Meanwhile, I have to say this is one of my favourite bits of code. Honestly, try it. The only people you'll break already can't use your website because your CSS never catered to them.

There's a new Windows 0day LPE that has been disclosed called BlueHammer. The reporter suggests that it's being disclosed due to how MSRC operates these days.

MSRC used to be quite excellent to work with.
But to save money Microsoft fired the skilled people, leaving flowchart followers.
I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now. 😂

Anyway, yeah, it works. Maybe not 100% reliably, but well enough...

I know people are rightfully concerned about the privacy and bloat here; the way logon forms are hammered by bots, I'd implement it there myself if I could (and only on logon forms).

https://www.buchodi.com/chatgpt-wont-let-you-type-until-cloudflare-reads-your-react-state-i-decrypted-the-program-that-does-it/

ChatGPT Won't Let You Type Until Cloudflare Reads Your React State. I Decrypted the Program That Does It.

Edit April 2, 2026: I've been getting inbound interest from researchers wanting to run their own queries. The MCP integration I use for my own research lets you analyze live mobile telemetry continuously collected from real devices in the wild, directly from Claude. To access it reach out at buchodi@

Buchodi's Threat Intel
Going all in with GenAI, the case study.

Someone's just published a very nice BYOVD exploit and I'm amazed I never heard more about this sort of thing.

https://github.com/andreisss/KslDump

GitHub - andreisss/KslDump: KslDump — Why bring your own knife when Defender already left one in the kitchen?

Am I the only one who just assumes we read pressure in megabyte?