Marco Ivaldi
@raptor.infosec.exchange.ap.brid.gy
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.
[bridged from https://infosec.exchange/@raptor on the fediverse by https://fed.brid.gy/ ]
[bridged from https://infosec.exchange/@raptor on the fediverse by https://fed.brid.gy/ ]
A cool new project by a friend
Zynk - Move anything
Between everything
Send folders, photos, and multi‑gig archives across phones, laptops, TVs, and servers. End‑to‑end encrypted, resumable, no size limits.
https://zynk.it/
Zynk - Move anything
Between everything
Send folders, photos, and multi‑gig archives across phones, laptops, TVs, and servers. End‑to‑end encrypted, resumable, no size limits.
https://zynk.it/
Zynk - Your shortcut to data transfer
Zynk makes moving data effortless, reliable, and secure across every device and user.
zynk.it
December 7, 2025 at 10:10 AM
A cool new project by a friend
Zynk - Move anything
Between everything
Send folders, photos, and multi‑gig archives across phones, laptops, TVs, and servers. End‑to‑end encrypted, resumable, no size limits.
https://zynk.it/
Zynk - Move anything
Between everything
Send folders, photos, and multi‑gig archives across phones, laptops, TVs, and servers. End‑to‑end encrypted, resumable, no size limits.
https://zynk.it/
Check out pipetap! A new Windows named pipe proxy/tool byb @leonjza https://infosec.exchange/@leonjza/115676998634958935
leonjza :verified: (@[email protected])
Attached: 1 image Two blog posts just dropped - one with the details on the bloatware pwning shenanigans I was up to earlier in the year, and another on pipetap, a new Windows named pipe proxy/tool. https://sensepost.com/blog/2025/pwning-asus-driverhub-msi-center-acer-control-centre-and-razer-synapse-4/ https://sensepost.com/blog/2025/pipetap-a-windows-named-pipe-proxy-tool/
infosec.exchange
December 7, 2025 at 9:33 AM
Check out pipetap! A new Windows named pipe proxy/tool byb @leonjza https://infosec.exchange/@leonjza/115676998634958935
Reposted by Marco Ivaldi
Yesterday, after various bogus AI slopped "PoC"s, eventually a functional PoC for the React RCE emerged:
https://github.com/msanft/CVE-2025-55182
We now have a PoC from the reporter of the vulnerability as well:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
#react2shell
https://github.com/msanft/CVE-2025-55182
We now have a PoC from the reporter of the vulnerability as well:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
#react2shell
GitHub - msanft/CVE-2025-55182: Explanation and full RCE PoC for CVE-2025-55182
Explanation and full RCE PoC for CVE-2025-55182. Contribute to msanft/CVE-2025-55182 development by creating an account on GitHub.
github.com
December 5, 2025 at 3:17 PM
Yesterday, after various bogus AI slopped "PoC"s, eventually a functional PoC for the React RCE emerged:
https://github.com/msanft/CVE-2025-55182
We now have a PoC from the reporter of the vulnerability as well:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
#react2shell
https://github.com/msanft/CVE-2025-55182
We now have a PoC from the reporter of the vulnerability as well:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
#react2shell
Reposted by Marco Ivaldi
"The Dutch government has quietly removed #google #tracking tools from job listings for its intelligence services over concerns that the data would expose aspirant spies to U.S. #surveillance," according to POLITICO.
"The intervention would put an end to Google’s processing of the data of job […]
"The intervention would put an end to Google’s processing of the data of job […]
Original post on eupolicy.social
eupolicy.social
December 3, 2025 at 7:15 PM
"The Dutch government has quietly removed #google #tracking tools from job listings for its intelligence services over concerns that the data would expose aspirant spies to U.S. #surveillance," according to POLITICO.
"The intervention would put an end to Google’s processing of the data of job […]
"The intervention would put an end to Google’s processing of the data of job […]
Reposted by Marco Ivaldi
You see what happens? You see what happens Larry?
You see what happens when you let Javascript people do RPC servers in The Cloud?
This is what happens when you let Javascript people do RPC servers in The Cloud, Larry […]
You see what happens when you let Javascript people do RPC servers in The Cloud?
This is what happens when you let Javascript people do RPC servers in The Cloud, Larry […]
Original post on mastodon.social
mastodon.social
December 3, 2025 at 4:37 PM
You see what happens? You see what happens Larry?
You see what happens when you let Javascript people do RPC servers in The Cloud?
This is what happens when you let Javascript people do RPC servers in The Cloud, Larry […]
You see what happens when you let Javascript people do RPC servers in The Cloud?
This is what happens when you let Javascript people do RPC servers in The Cloud, Larry […]
Reposted by Marco Ivaldi
"We did a number of refactors [...] This also fixes a critical security vulnerability." 👀
CVE-2025-55182, an RCE in React Server Components just landed:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Enjoy your patching, and make sure to check […]
CVE-2025-55182, an RCE in React Server Components just landed:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Enjoy your patching, and make sure to check […]
Original post on mstdn.social
mstdn.social
December 3, 2025 at 3:57 PM
"We did a number of refactors [...] This also fixes a critical security vulnerability." 👀
CVE-2025-55182, an RCE in React Server Components just landed:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Enjoy your patching, and make sure to check […]
CVE-2025-55182, an RCE in React Server Components just landed:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Enjoy your patching, and make sure to check […]
Hey developers and vulnerability researchers!
I'm currently working on improving my #semgrep ruleset for C/C++ static code analysis, and I've just published the new v1.1.0 release: https://github.com/0xdea/semgrep-rules
Some notable changes since the previous battle-tested release: new rules […]
I'm currently working on improving my #semgrep ruleset for C/C++ static code analysis, and I've just published the new v1.1.0 release: https://github.com/0xdea/semgrep-rules
Some notable changes since the previous battle-tested release: new rules […]
Original post on infosec.exchange
infosec.exchange
December 3, 2025 at 3:18 PM
Hey developers and vulnerability researchers!
I'm currently working on improving my #semgrep ruleset for C/C++ static code analysis, and I've just published the new v1.1.0 release: https://github.com/0xdea/semgrep-rules
Some notable changes since the previous battle-tested release: new rules […]
I'm currently working on improving my #semgrep ruleset for C/C++ static code analysis, and I've just published the new v1.1.0 release: https://github.com/0xdea/semgrep-rules
Some notable changes since the previous battle-tested release: new rules […]
Reposted by Marco Ivaldi
continually astonished that every package delivery service on earth seems unaware that the #1 reason people are visiting their website is to use the track-and-trace and not to read their mission statement
December 1, 2025 at 11:43 AM
continually astonished that every package delivery service on earth seems unaware that the #1 reason people are visiting their website is to use the track-and-trace and not to read their mission statement
Reposted by Marco Ivaldi
👀 Before the #radare2 6.0.6 release during the testing stage I spotted a crash on Windows and decided to write a post explaining how I fixed it using only the cmd interface 👉 https://trufae.github.io/aiblog/WinCdbNull-en.html
As a UNIX person I'm not comfortable on #windows but i was happy to […]
As a UNIX person I'm not comfortable on #windows but i was happy to […]
Original post on infosec.exchange
infosec.exchange
November 28, 2025 at 12:03 PM
👀 Before the #radare2 6.0.6 release during the testing stage I spotted a crash on Windows and decided to write a post explaining how I fixed it using only the cmd interface 👉 https://trufae.github.io/aiblog/WinCdbNull-en.html
As a UNIX person I'm not comfortable on #windows but i was happy to […]
As a UNIX person I'm not comfortable on #windows but i was happy to […]
Reposted by Marco Ivaldi
[meta]
When I watch sector specific experts tell me their sector is special.<snark />. They're more like other sectors than they necessarily think.
When I watch sector specific experts tell me their sector is special.<snark />. They're more like other sectors than they necessarily think.
November 16, 2025 at 1:56 AM
[meta]
When I watch sector specific experts tell me their sector is special.<snark />. They're more like other sectors than they necessarily think.
When I watch sector specific experts tell me their sector is special.<snark />. They're more like other sectors than they necessarily think.
Reposted by Marco Ivaldi
While cleaning a storage room, our staff found this tape containing #unix v4 from Bell Labs, circa 1973
Apparently no other complete copies are known to exist: https://gunkies.org/wiki/UNIX_Fourth_Edition
We have arranged to deliver it to the Computer History Museum
#retrocomputing
Apparently no other complete copies are known to exist: https://gunkies.org/wiki/UNIX_Fourth_Edition
We have arranged to deliver it to the Computer History Museum
#retrocomputing
November 6, 2025 at 8:50 PM
While cleaning a storage room, our staff found this tape containing #unix v4 from Bell Labs, circa 1973
Apparently no other complete copies are known to exist: https://gunkies.org/wiki/UNIX_Fourth_Edition
We have arranged to deliver it to the Computer History Museum
#retrocomputing
Apparently no other complete copies are known to exist: https://gunkies.org/wiki/UNIX_Fourth_Edition
We have arranged to deliver it to the Computer History Museum
#retrocomputing
Reposted by Marco Ivaldi
Our senior security analyst @[email protected] has published a follow-up to his popular #groovy Template Engine #exploitation writeup:
https://hnsecurity.it/blog/groovy-template-engine-exploitation-part-2/
Check out some new practical exploitation tricks that he figured out while working on […]
https://hnsecurity.it/blog/groovy-template-engine-exploitation-part-2/
Check out some new practical exploitation tricks that he figured out while working on […]
Original post on infosec.exchange
infosec.exchange
November 11, 2025 at 8:41 AM
Our senior security analyst @[email protected] has published a follow-up to his popular #groovy Template Engine #exploitation writeup:
https://hnsecurity.it/blog/groovy-template-engine-exploitation-part-2/
Check out some new practical exploitation tricks that he figured out while working on […]
https://hnsecurity.it/blog/groovy-template-engine-exploitation-part-2/
Check out some new practical exploitation tricks that he figured out while working on […]
Reposted by Marco Ivaldi
The release candidate of the OWASP Top 10 2025 has been released
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
owasp.org
November 7, 2025 at 12:19 PM
The release candidate of the OWASP Top 10 2025 has been released
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
Reposted by Marco Ivaldi
It's amazing how many pen testers don't want to do the hard yards and do proper offensive analysis of configs or reverse engineer the services and protocols that are running. Firing up nmap and Nessus is all well and good but it's *not* an effective analysis of the attack surfaces. Looking at a […]
Original post on infosec.exchange
infosec.exchange
November 6, 2025 at 10:55 PM
It's amazing how many pen testers don't want to do the hard yards and do proper offensive analysis of configs or reverse engineer the services and protocols that are running. Firing up nmap and Nessus is all well and good but it's *not* an effective analysis of the attack surfaces. Looking at a […]
Reposted by Marco Ivaldi
I wrote up some notes on two new papers on prompt injection: Agents Rule of Two (from Meta AI) and The Attacker Moves Second (from Anthropic + OpenAI = DeepMind + others) https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/
New prompt injection papers: Agents Rule of Two and The Attacker Moves Second
Two interesting new papers regarding LLM security and prompt injection came to my attention this weekend. Agents Rule of Two: A Practical Approach to AI Agent Security The first is …
simonwillison.net
November 2, 2025 at 11:11 PM
I wrote up some notes on two new papers on prompt injection: Agents Rule of Two (from Meta AI) and The Attacker Moves Second (from Anthropic + OpenAI = DeepMind + others) https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/
Reposted by Marco Ivaldi
infosec has a lot to learn about understanding failure conditions and accurate, understandable error messages from roadies
November 2, 2025 at 7:09 PM
infosec has a lot to learn about understanding failure conditions and accurate, understandable error messages from roadies
Reposted by Marco Ivaldi
The other day we had our first ever chained AI tool success on the #curl factory floor:
- tool A found a possible flaw in code and reported it.
- using the plain English description from tool A, tool B could create a reproducible by itself that verified the finding
The sense of magic is […]
- tool A found a possible flaw in code and reported it.
- using the plain English description from tool A, tool B could create a reproducible by itself that verified the finding
The sense of magic is […]
Original post on mastodon.social
mastodon.social
October 29, 2025 at 7:52 AM
The other day we had our first ever chained AI tool success on the #curl factory floor:
- tool A found a possible flaw in code and reported it.
- using the plain English description from tool A, tool B could create a reproducible by itself that verified the finding
The sense of magic is […]
- tool A found a possible flaw in code and reported it.
- using the plain English description from tool A, tool B could create a reproducible by itself that verified the finding
The sense of magic is […]
Reposted by Marco Ivaldi
#brida 0.6 is here! The bridge between #burpsuite and #frida is now fully compatible with Frida 17+.
As of this release, Brida 0.6 supports only Frida 17 and later. For users who still rely on older Frida versions, Brida 0.6pre remains available on GitHub.
Get the latest release here […]
As of this release, Brida 0.6 supports only Frida 17 and later. For users who still rely on older Frida versions, Brida 0.6pre remains available on GitHub.
Get the latest release here […]
Original post on infosec.exchange
infosec.exchange
October 28, 2025 at 10:32 AM
#brida 0.6 is here! The bridge between #burpsuite and #frida is now fully compatible with Frida 17+.
As of this release, Brida 0.6 supports only Frida 17 and later. For users who still rely on older Frida versions, Brida 0.6pre remains available on GitHub.
Get the latest release here […]
As of this release, Brida 0.6 supports only Frida 17 and later. For users who still rely on older Frida versions, Brida 0.6pre remains available on GitHub.
Get the latest release here […]
Reposted by Marco Ivaldi
New, long, oral history of Ken Thompson, my and everyone's hero.
From the Computer History Museum: https://computerhistory.org/blog/a-computing-legend-speaks/
Click thru a while to get a text transcript.
From the Computer History Museum: https://computerhistory.org/blog/a-computing-legend-speaks/
Click thru a while to get a text transcript.
A Computing Legend Speaks
Ken Thompson, one of the foremost programmers and computer scientists of the last 50 years, shares stories about his life and career in a newly released oral history.
computerhistory.org
October 27, 2025 at 12:36 AM
New, long, oral history of Ken Thompson, my and everyone's hero.
From the Computer History Museum: https://computerhistory.org/blog/a-computing-legend-speaks/
Click thru a while to get a text transcript.
From the Computer History Museum: https://computerhistory.org/blog/a-computing-legend-speaks/
Click thru a while to get a text transcript.
Mem3nt0 mori – The #hacking Team is back!
“In March 2025, #kaspersky detected a wave of infections that occurred when users clicked on personalized #phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google […]
“In March 2025, #kaspersky detected a wave of infections that occurred when users clicked on personalized #phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google […]
Original post on infosec.exchange
infosec.exchange
October 27, 2025 at 9:41 AM
Mem3nt0 mori – The #hacking Team is back!
“In March 2025, #kaspersky detected a wave of infections that occurred when users clicked on personalized #phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google […]
“In March 2025, #kaspersky detected a wave of infections that occurred when users clicked on personalized #phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google […]
Reposted by Marco Ivaldi
please enjoy: my Wasm-hosted, Wasm-targeting build of Clang/Clang++/LLD: a self-contained, 25 MiB (gzipped) pure function
https://www.npmjs.com/package/@yowasp/clang
https://www.npmjs.com/package/@yowasp/clang
October 26, 2025 at 9:48 AM
please enjoy: my Wasm-hosted, Wasm-targeting build of Clang/Clang++/LLD: a self-contained, 25 MiB (gzipped) pure function
https://www.npmjs.com/package/@yowasp/clang
https://www.npmjs.com/package/@yowasp/clang
Reposted by Marco Ivaldi
you know you're about to watch paint dry for a _long_ time when just the checkout step in a github actions workflow takes 3+ minutes
October 25, 2025 at 7:07 PM
you know you're about to watch paint dry for a _long_ time when just the checkout step in a github actions workflow takes 3+ minutes