Q&A with Simon Willison on the November release of GPT-5.1 and Opus 4.5 as the inflection point for coding, exhaustion due to managing coding agents, and more (Lenny Rachitsky/Lenny's Newsletter)
https://www.lennysnewsletter.com/p/an-ai-state-of-the-union
http://www.techmeme.com/260404/p6#a260404p6

Listen now | Simon Willison on why November 2025 changed software engineering forever, the lethal trifecta, his top agentic engineering patterns, and much more
(zsec.uk) Autonomous LLM-Driven Vulnerability Hunting at Scale: Architecture, Methodology, and Discovered Zero-Days
New research details an autonomous LLM-driven vulnerability hunting system using Claude Code and Model Context Protocol (MCP), uncovering multiple zero-days including critical Go standard library flaws and a four-stage OEM exploit chain.
In brief - A security researcher built an end-to-end autonomous system integrating 300+ tools across five VMs, discovering confirmed CVEs (CVE-2026-33809, CVE-2026-33812) and a complex OEM service exploit chain achieving SYSTEM execution. The system eliminates false positives through a rigorous multi-gate validation pipeline.
Technically - The architecture leverages FastMCP-based Python servers for SSH/WinRM, Proxmox VM orchestration, Ghidra/radare2/Frida RE, grammar-based fuzzing (WinAFL, Jackalope, DynamoRIO), and FAISS-backed RAG. Key findings: CVE-2026-33809 (Go TIFF parsing OOM via unchecked IFD offset), CVE-2026-33812 (Go SFNT font parsing OOM via unchecked uint16 class count), and an OEM exploit chain combining WCF named pipe auth bypass, SSRF, catalog injection, and BYOVD for SYSTEM execution. Validation requires PoC compilation, clean-VM crash reproduction, and exploitability confirmation.
RE: https://mastodon.social/@pojntfx/116345677794218793
This is not acceptable, plain and simple.
(pushsecurity.com) Device Code Phishing Enters Mainstream Adoption: 10 Active Kits, PhaaS Proliferation, and the Bypass of All Authentication Controls
Device code phishing has surged 37.5x, becoming a mainstream criminal attack vector, bypassing MFA, passkeys, and all authentication controls via OAuth 2.0 Device Authorization Grant abuse.
In brief - Ten phishing kits, including the PhaaS EvilTokens, now weaponize this technique. Russia-linked Storm-2372 and Scattered Lapsus$ Hunters are actively targeting Microsoft 365 and Salesforce. Block device code flows via Conditional Access and monitor for anomalous token grants.
Technically - Attackers initiate an unauthenticated POST to the device authorization endpoint, phish victims to enter the user_code on a legitimate page, then poll for tokens. Kits like EvilTokens (Railway/Cloudflare Workers) abuse first-party Microsoft apps (FOCI-enabled) to harvest Primary Refresh Tokens. Mitigate by pre-creating service principals, enforcing user assignment, and deploying browser-level detection for device_code polling loops.
🚨 New Investigation: Attackers are hunting the maintainers behind Lodash, Fastify, buffer, Pino, mocha, Express, and #Nodejs core, because compromising one of them means write access to packages downloaded billions of times a week.
Multiple high-impact maintainers have all confirmed they were targeted in the same coordinated social engineering campaign that compromised Axios.
https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers
RE: https://mastodon.ie/@EugeneMcParland/116339483253500337
And yet, clueless bureaucrats like @HennaVirkkunen are pushing for ever increasing surveillance (i.e. supporting absolute abominations such as #chatcontrol) putting us all and our private data and digital lives at greater risk.
These people will never get it. They can't.
(nviso.eu) Supply Chain Attack via Compromised Axios npm Package: RAT Deployment Analysis and Hunting Guidance
Malicious Axios npm packages (1.14.1, 0.30.4) deployed cross-platform RAT via trojanized [email protected] dependency in a supply chain attack after maintainer account compromise.
In brief - Two Axios npm versions were compromised via a maintainer account breach, delivering a RAT through a malicious dependency. Immediate lockfile inspection, endpoint isolation, and credential rotation are critical for affected organizations.
Technically - The postinstall dropper (setup.js) executed via node.exe, identified the OS, and on Windows copied powershell.exe to C:\ProgramData\wt.exe. A VBS dropper (6202033.vbs) fetched a second-stage PowerShell script (6202033.ps1) from C2 hxxp[://]sfrclak[.]com:8000/6202033, establishing persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run ('MicrosoftUpdate'). KQL queries for MDE telemetry (DeviceNetworkEvents, DeviceProcessEvents) can detect exposure. IOCs include C2 domains sfrclak[.]com, callnrwise[.]com, calltan[.]com and IPs 142[.]11[.]206[.]73, 23[.]254[.]167[.]216.
Source: https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/
Internal memo: Iranian strikes have rendered two AWS zones "hard down" in Dubai and Bahrain and Amazon expects them to be "unavailable for an extended period" (Alex Kantrowitz/Big Technology)
https://www.bigtechnology.com/p/iran-strikes-leave-amazon-availability
http://www.techmeme.com/260403/p15#a260403p15