Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.
I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.
Wow some terrible reporting about Google's latest horrible ideas about how to distort information access in the name of "convenience" (or something):
https://techcrunch.com/2026/05/19/google-search-as-you-know-it-is-over/
A short thread
🧵>>
back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member
in edge, you wouldn't even notice anything out-of-place, and would stay connected to the c2 even after closing the browser
today, almost 4 years later, the bug is finally public:
https://issues.chromium.org/issues/40062121
info on the github breach appears to only be available on xitter 🙄 , I fished it out for you.
im celebrating the release of the new openbsd
but the usb rndis driver, extremely fragile!
if someone walks up to your OpenBSD 7.9 thinkpad in starbucks tomorrow and tries to plug in a suspicious usb device into your daily driver whilst yelling "please run `ifconfig urndis0 up` as soon as possible! this is a matter of life and death!" don't fall for it, you've been warned.
https://bird.makeup/users/openbsd/statuses/2056724227273687517
After uncovering memory bugs in NASA’s CFITSIO, we looked at turning its *documented* features into attack primitives.
Check out the blog post for details & a newly released Docker playground to reproduce the demos locally.
https://blog.doyensec.com/2026/05/19/cfitsio-weaponized-filenames.html
RE: https://mastodon.social/@bagder/116599713949044164
Unfortunately Daniel Stenberg's talk on how to manage a critical open source infrastructure under the AI-accelerated deluge of vulnerability reports turned into a practical demonstration of how to do it, and we hope to announce a new keynote speaker shortly.
In part 2 of my macOS security internals series, I demystify System Integrity Protection (SIP), breaking down how the kernel enforces Apple-signed entitlements over POSIX root privileges, the mechanics of rootless.conf, and why the hardware always has the final veto.
Includes a small C program to audit your own CSR bitfield configuration.
Read the full deep dive here:
https://bytearchitect.io/macos-security/Apple-defences-SIP-and-APFS-(cont'd)/
#macOS #infosec #cybersecurity #ReverseEngineering #XNU #AppleSecurity #Kernel #OSInternals #Rootless
Did you hear about Optical Line Terminals? ISPs rely on them to build their service networks, but what if they are vulnerable?
Here @coiffeur0x90 shows how attackers could compromise entire ISPs by exploiting them and cloud-based fleet management software
https://blog.quarkslab.com/how-olts-may-have-exposed-entire-isp-networks.html
There's another Linux LPE (of course):
pintheft
Sadly, the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested.
CVE unknown.
New blog post on "Proofs and Intuitions": On the Unreasonable Effectiveness of Property-Based Testing for Validating Formal Specifications.
https://proofsandintuitions.net/2026/05/18/property-based-testing-specifications/
The gist: randomised testing can validate formal specs. It's very cheap and powerful: we found bugs in specs of VERINA and CLEVER benchmarks.
Today is L0pht Day. In 1998, 7 hackers in suits told the US Senate the internet was a house of cards. We said we could take it down in 30 minutes. They looked at us like we'd landed from another planet.
28 yrs later, the gap between what the security community knows and what decision-makers act on remains a fundamental problem.
Miss you, Peter Neumann. He testified that day too, with decades of hard-earned wisdom. We owe him.
The work isn't done. It never was.
You're probably not gonna like this, yet might somewhat have anticipated it...
We are seeing a stark influx in requests to audit vibe-coded cryptography.
So, vibe-crypto is a thing and will be one for a while.
Do what now?
As promised - full blog post is live for CVE-2026-40369
Covers everything: initial research, methodology, the exploitation path, caveats, cleanups, etc. The whole journey from finding it to production-grade exploit:
https://pwn2nimron.com/blog
https://bird.makeup/users/orinimron123/statuses/2054672170068918348