Are you ready to survive the night at RomHack Camp? 🌙

We believe the best hacking stories happen after midnight. That’s why for RomHack Camp 2026, we are teaming up with Fibonhack to bring you another intense competition: "From Dusk Till Dawn"

This isn’t just another CTF. It’s an on-site, 12-hour overnight marathon taking place at RomHack Camp.

The Roadmap to Glory

1️⃣ May 9-10: Open Online Qualifiers (24h)
2️⃣ The Selection: The Top 5 teams qualify for the Camp
3️⃣ Oct 2–3: The Finals. 19:00 to 07:00. On-site. No sleep. Pure skill.

From Web Security and Binary Exploitation to Cryptography and Reverse Engineering, Fibonhack is preparing a set of challenges that will push even the most seasoned researchers to their limit.

Mark your calendars. Sharpen your tools. The long night is coming.

👉 Follow Fibonhack and Cyber Saiyan for the upcoming quals registration link! 🔗 More info: https://romhack.io/ctf

#RomHackCamp #CyberSecurity #CyberSaiyan #CTF #Hacking #Rome #Fibonhack

Me checking my email every morning.

Long shot: do I know anybody in Europe who can provide two dozen 12 row, 80 column punch cards, preferably punched with a specific text? (no advertising)

Background: August of this year marks 45th anniversary of a Nixdorf Computer apprenticeship, and we're meeting. I thought it would be cute to present colleagues with a punch card (which is what we first programmed on) as a souvenir.

Obviously I'd be very willing to pay for the service!

Boosts appreciated.

#followerpower

Just read this via repost from @HalvarFlake
https://sean.heelan.io/2026/01/18/on-the-coming-industrialisation-of-exploit-generation-with-llms/

This post from Sean Heelan is probably the most important post in that domain (being LLMs in offensive security contexts) in quite a while. We're already discussing this in my research group, and I have some initial thoughts. Exciting times!

RCECoaster, an exploit for Rollercoaster Tycoon 1999

https://github.com/RickdeJager/RCECoaster

Bit of a long shot, would anyone on here know how to get in touch with anyone from the Finnish demoscene group Future Crew, in particular Psi (Sami Tammilehto)? Are any on them on fedi? They must be in their 50's now.

I'd like to ask if he still has the Scream Tracker 3 source code, and if he would consider releasing it... It's such an important part of computing and music history. It deserves preservation.

Update: hearsay is that Psi is not interested in releasing the sources. See replies.

#demoscene #futurecrew #screamtracker3

At #Pwn2Own Berlin 2025, a full exploit chain against VMware Workstation was demonstrated via a heap overflow in the PVSCSI controller.
Despite Windows 11 LFH mitigations, advanced heap shaping and side-channel techniques enabled a reliable exploit.

🔍 Full technical write-up 👇
https://www.synacktiv.com/en/publications/on-the-clock-escaping-vmware-workstation-at-pwn2own-berlin-2025

[RSS] CVE-2026-23864: React and Next.js Denial of Service via Memory Exhaustion

https://www.akamai.com/blog/security-research/2026/jan/cve-2026-23864-react-nextjs-denial-of-service

#Kubernetes Remote Code Execution Via Nodes/Proxy GET Permission

https://grahamhelton.com/blog/nodes-proxy-rce

Thread with vendor response/workaround:

https://threadreaderapp.com/thread/2015789985459212714.html

#k8s

Odd anomaly caused Microsoft's network to mishandle example.com traffic
Company's autodiscover caused users' test credentials to be sent outside Microsoft networks.
https://arstechnica.com/information-technology/2026/01/odd-anomaly-caused-microsofts-network-to-mishandle-example-com-traffic/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

My first blog post on Windows Administrator Protection is out. https://projectzero.google/2026/26/windows-administrator-protection.html probably the most interesting and complex bug out of the 9 I found, but that doesn't mean the rest weren't interesting as well, stay tuned :D

RE: https://infosec.exchange/@briankrebs/115962508398912420

This might actually be the point where I just refuse to go.

Not getting an Apple/Google-sanctioned phone with SafetyNet in order to enter a country.

[RSS] Bypassing Windows Administrator Protection

https://projectzero.google/2026/26/windows-administrator-protection.html

[RSS] More Scope Injection for Fun and Profit (or, why those security updates broke your functions) [ColdFusion]

https://www.hoyahaxa.com/2026/01/more-scope-injection-for-fun-and-profit.html

[RSS] Districton 1 Slides - Control the Variables and You Control the Code: Language-Level Vulnerabilities in Adobe ColdFusion

https://www.hoyahaxa.com/2026/01/districton-1-slides-control-variables.html

[RSS] After reporting vulnerabilities found in MDT, Microsoft chose to retire the service rather than fix the issues... Admins should follow the defensive recommendations to mitigate the issues if they choose to continue using the software or can't migrate to a different solution.

https://specterops.io/blog/2026/01/21/task-failed-successfully-microsofts-immediate-retirement-of-mdt/

Sign-up and first information are now live!
Save the date and start working on your productions!
https://2026.revision-party.net/

🆕 The URL Pattern API is Newly Available!

Use it to match and extract parts of URLs, no need to reinvent routing logic. Supports literals, wildcards, named groups, and even regex constraints.

Learn how it works 👇
https://developer.mozilla.org/en-US/docs/Web/API/URL_Pattern_API

it sounds like the Log4J bug-bounty might soon close as well: https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/comment-page-1/#comment-27393

Meta drops appeal against court ruling requiring non-algorithmic social media timelines https://nltimes.nl/2026/01/26/meta-drops-appeal-court-ruling-requiring-non-algorithmic-social-media-timelines