- Exploitarium
- A hot messy summer of vulnerabilities
- AI Squatting
- Linux LPE - no shortage of those
- Fingerprinting Favicons
- Windows 10 extended
- Can Clothes Make You Invisible to Facial Recognition?
- Fable and Mythos for All
- Do we care about Quantum?
- Execs have AI risk under control
- Biological warfare in Spyware
- The scripts in-scope for PCI
- We don't have privacy, but we may get age restrictions
Paul Asadoorian
- bikini/exploitarium: A single archive of public exploit PoCs and vulnerability research writeups.
Talk about dropping it like it's hot! - "The repo, published by an anonymous GitHub account "bikini," aggregated PoC exploit code and vulnerability write-ups across ~15-18 products, with reports ranging from 96 to 130 tracked entries depending on the source. It was published without coordinated disclosure to any affected vendor, and the README states none had been reported at time of posting, inviting others to claim CVE credit. GitHub has since banned the account and pulled the repo, with GitLab following within days." - I feel like it's the early days and people are just YOLO'ing exploits out into the wild. On one hand I love it, on the other it's scary.
- It’s looking like a hot, messy summer for security teams as AI finds countless previously hidden vulns
"Athena coalition members submit vulnerabilities they find in open source code using any frontier model. Sometimes they find these bugs while scanning their own apps. In other cases they discover them after pointing Mythos or GPT‑5.5‑Cyber at a commonly used library, Lorenc said. The companies submit a full report to Chainguard, which acts as a clearinghouse, deduplicating, correlating, and addressing findings from members in batches across entire libraries, hardening them against classes of vulnerabilities instead of just one bug." - I don't like the gating of tech and vulnerabilities. This notion of "you get the information if you are part of our club" is annoying. It conflicts with the open-source model concept of open and free software, let the vulnerabilities be free, you are free to fix or not fix them. If you run OSS, you can fix them yourselves or switch to a different library or software that isn't vulnerable. The scary part is we're finding new vulnerabilities in ALL OSS. And if we can, attackers can too. Yikes.
- Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector
AI does this, it's better, but it still does this: "Unit 42's research identifies "phantom squatting," where attackers register domains that LLMs commonly hallucinate for well-known brands, then weaponize them for phishing and malware before defenders can flag them." - I notice this with general queries to the frontier models with CVEs. If a CVE is one digit off, like the year, it will just assume two CVEs are the same. I thought we were dealing with computers here where a 0 is not a 1. Enter AI trying to be helpful but messing up our data.
- libssh2 CVE-2026-55200 Shows Why Outbound SSH Is an Attack Surface
Interesting how the server has to be malicious, not the client.
- Why Being in the Docker Group Is a Backdoor to Your Whole System
Confirming my suspicions that Linux LPE is still easy, especially for systems running Docker. This has been known for a long time. We get new Linux LPE every week, the real answer is to harden Linux systems and monitor them as you will not be able to squash every LPE vulnerability.
- FCC Bans Chinese-Produced Network Equipment Linked to Cyber and Espionage Risks
More bans on Chinese tech: "The ban is on older/legacy Chinese-produced telecom and surveillance equipment, not just new models. The affected vendors mentioned in the reporting are Huawei, ZTE, Hytera, Hikvision, and Dahua, with the rule expanding FCC restrictions to prior-authorized equipment used in public safety, government facilities, critical infrastructure, and similar national-security contexts. The article also notes the FCC’s earlier separate actions: new Chinese-made routers were already restricted in March 2026, and new Chinese-made drones were restricted in December 2025." - Again, banning based on country of origin is not a solution...
- OpenAI’s Patch the Planet Aims to Fix Open Source Security
The experiment relies heavily on humans to review AI findings. What I think is more interesting is the development of better tools and processes to reliably triage and fix bug reports. I think we put too much focus on offense and not enough focus on using AI for defense, which is a much harder problem. I can turn a model loose on finding vulns and it can be wrong 99% of the time, with the 1% being a confirmed vulnerability. Defending and fixing things has to deal with operational problems, e.g. does this bug fix work in all situations? Does it introduce a new bug? Much harder problems.
- New Critical Linux Vulnerability Enables Root Privilege Escalation
"a newly disclosed Linux kernel local privilege escalation vulnerability, nicknamed “pedit COW,” tracked as CVE-2026-46331, that lets an unprivileged local user gain root by corrupting in‑memory cached binaries via the tc (traffic control) subsystem’s pedit action without touching the on‑disk files." - More Linux kernel vulnerabilities to deal with...
- Adding some Automation to the favicon.ico method of Host Recon
Recon using favicons is neat; reading this post, one could easily re-create this for your workflow, especially using the Shodan CLI and API, lets you carve out sites running the same apps. Nice.
- sgkdev/packet_edit_meme: PACKET_EDIT_MEME.c (aka CVE-2026-46331): yet another page cache poisoning nightmare
- sgkdev/ipv6_frag_escape: Linux LPE – Reliable Jail/Container Escape
This is a Linux container escape flaw: a low-privilege process running inside a container can abuse a bug in the host’s networking code to break out, gain root on the host, and effectively take over the underlying system. The issue lies in the Linux kernel itself, so it can affect environments that use Docker-like containers, not just a specific platform.
- If you ask people, often they just do things! – PwnDefend
Don't give random people a copy of your Signal backup keys!
- TP-Link DHCP Option 66 Unauthenticated RCE (CVE-2026-11834)
Interesting attack vector: "An attacker on the same broadcast domain as the target’s WAN interface can achieve unauthenticated remote code execution by answering the device’s DHCP requests with a malicious Option 66 value. No authentication, user interaction, or control of an existing DHCP server is required."
- Windows 10 support quietly extended until Oct 2027, as users reject Windows 11
I think this means if you PAY Microsoft you can extend until 2027. People don't like Windows 11, so now you can pay to get an additional year of Windows 10 updates. I can't say I recommend this; I think that you can use Windows 11 if you go through the trouble of configuring it and removing most of the features, so you just get an OS and nothing more, like Copilot.
- Chrome’s next update will kill your adblocker – and make the web less safe
Google just keeps making it difficult to run really good ad blockers. I hate this. Time to find a new browser? For most stuff, it's fine; however, when I am scouring the web for hacking/infosec related articles, I sometimes end up on weird sites and rely on browser extensions to provide a layer of security. I am thinking of moving my workload to another browser, Firefox? Edge? Brave? Something else?
Jeff Man
- CYBER STRATEGY for America
We never did complete our deep dive on this, so I'm bringing it up again. If nothing else, should be used as a reference for discussions on AI, Quantum, Critical Infrastructure, OT.
- US lifts restrictions on Anthropic’s powerful AI models Fable and Mythos
The United States government has lifted its restrictions on foreign access to Anthropic’s most powerful AI models,... [and] Anthropic said late on Tuesday that it would begin restoring access to Claude Fable 5 and Mythos 5 [in early July].
- Post-Quantum Cryptography Migration in the United States: Managing Risk and Advancing Cyber Readiness in Critical Infrastructure
I hate to be curmudgeonly, but I'm just not seeing the rationale behind all the gloom and doom around "Q Day" or the concept of "Harvest Now; Decrypt Later" (HNDL). I've read and heard many discussions about these topics (this article included) that collectively seem to be missing the point - which is that data is typically encrypted using symmetric algorithms and not the soon-to-be-breakable asymmetric algorithms. So I simply ask, what's the big deal?
- Cybersecurity requires strategy, culture and vigilance, local experts advise
My weekly nod towards the fundamentals... particularly the ones that must be considered BEFORE you start looking at the technology.
- White House Accelerates Quantum Computing Strategy With New Cybersecurity Mandates
Now we have new executive orders that promulgate the notion of HNDL...please.
- USHERING IN THE NEXT FRONTIER OF QUANTUM INNOVATION
The actual EO....this one calls for the "deployment and commercialization of quantum computing, sensing, and networking."
- SECURING THE NATION AGAINST ADVANCED CRYPTOGRAPHIC ATTACKS
An EO that calls out the need for protection against HNDL strategies (threats?).
Seems that there is a push to implement PQC now rather than wait the usual 5-10 years for adoption.
I don't disagree with that, necessarily, I would merely like to see a legitimate argument for doing so and not QFUD.
Larry Pesce
Sam Bowne
- Executives Four Times More Confident About AI Risk Than the Teams Managing It
29% of US executives say AI risk is under control, against 7% of the practitioners running it day-to-day.
- Agentjacking: Researchers Show How One Fake Bug Report Can Hijack AI Coding Agents
Fake bug reports can trick AI coding agents into running code. The technique abuses the way AI coding assistants process untrusted error logs from Sentry, a popular application monitoring platform. Agentjacking does not require stolen passwords or direct access to a company’s internal network. Sentry added a patch which sounds weak, but a broader platform-level fix is difficult because the root issue involves AI agents treating untrusted tool output as instructions.
- Embedding Forbidden Text in Spyware to Discourage AI Analysis
At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis. In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware.
- Trump Order Sets 2030 Deadline for Federal Post-Quantum Crypto Migration
Key establishment must move by December 31, 2030; digital signatures by December 31, 2031. EO 14409 leaves national security systems on a separate track. The deadlines matter because of a threat that does not need a working quantum computer today. Adversaries can collect encrypted U.S. data now and decrypt it later, once a large-scale quantum machine exists; the risk is known as "harvest now, decrypt later".
- White House app auto-downloads to government phones, can’t be uninstalled
The app displays propaganda, and initially shared users’ locations and IP addresses with third parties. It also incorporates widgets created by a Russia-based company called Elfsight, which exposed the personal information of White House officials.
- Unpatchable ‘usbliter8’ Exploit Breaks Apple A12 and A13 SecureROM Boot Chain
This is not a remote attack. It requires physical possession of the device. It affects older iPhones, and cannot be patched, like checkm8. But it does not compromise the Secure Element, so it does not expose user data. Its main use is to expose iOS so security researchers can study it.
- The Scripts on Your Checkout Page Are Now a PCI DSS Problem
The dangerous part: the malicious code usually arrives through a script you already approved. Attackers compromise a third-party vendor, and the payload rides in on a script you have run for months. Nothing looks new. What changed is the script's behavior, not its presence on the page. PCI DSS v4.0.1 says to inventory every payment-page script, authorize it, and prove its integrity.
- New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials
The attack starts with a web page built as a puzzle. To fit its dystopian theme, the puzzle rewards wrong answers, like insisting that 2 + 2 = 5. Once the agent accepts that "wrong" is the winning move, it follows game logic instead of safety logic. The final step of the puzzle asks it to grab the user's credentials, and not one of the six agents flagged that as something it should refuse.
- New AI espionage powers trigger Putin camera scare
Russia paused surveillance system after killing of Iran’s Supreme Leader exposed how AI can be used on CCTV data to target enemies. New tools allow language-based searches on video, such as two men handing a bag to each other; a person who has changed their appearance, or has changed clothes multiple times in a day; or a vehicle that has recently been painted over, or has driven past the same spot several times in a short period. Such systems can pull in information not just from CCTV, but also from social media, hacked communications, audio picked up by microphones in smart devices and travel histories.
- The KIDS Act Would Require Age Checks To Get Online
Within the next week, Congress is preparing to vote on the KIDS Act, a sprawling package of legislation that seeks to control Americans’ web browsing and private messaging. The package of cobbled-together bills is a mess, with different age-gating schemes for different services, using different standards. It’s a lot of complexity, and a lot of legal risk. Faced with that, many companies will conclude that the safest option is restrictive age-checking practices across their entire platforms.









