[RSS] Kubevirt security audit

http://blog.quarkslab.com/kubevirt-security-audit.html

[RSS] Bringing USB to Life in QEMU - Kernel Build, Debug, and Redirection

https://streypaws.github.io/posts/Android-Kernel-USBRedir-QEMU-Build-Debugging/

hey more fun ai / search engine privacy nonsense!

looks like chatgpt .. just.. sprays google with stuff from chats? because it thinks it needs to? so private chats get squirted into google and end up as weird searches?

https://arstechnica.com/tech-policy/2025/11/oddest-chatgpt-leaks-yet-cringey-chat-logs-found-in-google-analytics-tool/

Nicholas Weaver: The futile future of the gigawatt datacenter

The edge is where it’s at

Blog post:
https://pivot-to-ai.com/2025/11/07/the-futile-future-of-the-gigawatt-datacenter-by-nicholas-weaver/

Interview with Nick about the post:

https://www.youtube.com/watch?v=a5rLzNxRjEQ&list=UU9rJrMVgcXTfa8xuMnbhAEA - video
https://pivottoai.libsyn.com/20251107-nicholas-weaver-the-futile-future-of-the-gigawatt-datacenter - podcast

time: 26 min 53 sec

[RSS] What's That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299)

https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/

"The moment of discovery" does not always exist: the scientist's work is too tenuous, too divided, for the certainty of success to crackle out suddenly in the midst of his laborious toil like a stroke of lightening, dazzling him by its fire.

In: Eve Curie - Madame Curie - Chapter XII (p. 158)

~Marie Curie #BOTD in 1867.

#physics #radioactivity #womeninStem

Magika 1.0 is released, available in Rust, TypeScript and Python, and supporting more than 200 file types.

Public blog post:
https://opensource.googleblog.com/2025/11/announcing-magika-10-now-faster-smarter.html

Source: https://github.com/google/magika

From bit flip to RCE in Ollama! 🦙

Our latest blog post explains how a file parsing bug led to an interesting out-of-bounds write primitive. Learn how it could have been exploited in Ollama, a tool to run LLMs locally:

https://www.sonarsource.com/blog/ollama-remote-code-execution-securing-the-code-that-runs-llms/?utm_medium=social&utm_source=twitter&utm_campaign=research&utm_content=blog-ollama-vuln-251104-&utm_term=---&s_category=Organic&s_source=Social%20Media&s_origin=social

#security #vulnerability #llm #ai

Project: facebook/react https://github.com/facebook/react
File: packages/react-reconciler/src/ReactFiberCommitWork.js:1981 https://github.com/facebook/react/blob/c250b7d980864be49facf2306f06455e7f9e305d/packages/react-reconciler/src/ReactFiberCommitWork.js#L1981

function commitMutationEffectsOnFiber( finishedWork: Fiber, root: FiberRoot, lanes: Lanes, )

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Ffacebook%2Freact%2Fblob%2Fc250b7d980864be49facf2306f06455e7f9e305d%2Fpackages%2Freact-reconciler%2Fsrc%2FReactFiberCommitWork.js%23L1981&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Ffacebook%2Freact%2Fblob%2Fc250b7d980864be49facf2306f06455e7f9e305d%2Fpackages%2Freact-reconciler%2Fsrc%2FReactFiberCommitWork.js%23L1981&colors=light

OH: "You're in his DMs. I'm in his VMs. We're not the same."

2025 Component Abuse Challenge: Overdriven LEDs Outshine the Sun

https://hackaday.com/2025/11/06/2025-component-abuse-challenge-overdriven-leds-outshine-the-sun/

[RSS] How to write dnSpy extension

https://kant2002.github.io/en/dotnet/2025/10/02/dnspy-extension.html

I almost got brain aneurysm thinking that the query syntax of tree-sitter and ast-grep differ.

Fortunately that's not the case, but - contrary to Internet wisdom - query syntax is not compatible between languages (parsers).

Also, ast-grep's Playground is insanely useful:

https://ast-grep.github.io/playground.html

[RSS] One-Click Memory Corruption in Alibaba's UC Browser: Exploiting patch-gap V8 vulnerabilities to steal your data

https://www.interruptlabs.co.uk/articles/one-click-memory-corruption-in-alibabas-uc-browser-exploiting-patch-gap-v8-vulnerabilities-to-steal-your-data

‼️ Meet Ryan Clifford Goldberg, a Digital Forensics and Incident Response manager at Sygnia, he is one of three insiders accused of cybercrimes. He allegedly conducted cyberattacks using ALPHV BlackCat ransomware.

Goldberg and two other insiders ran ransomware operations since 2023 while employed at cybersecurity firms. After an FBI visit, Goldberg confessed. He now faces up to 50 years in prison.

I found a thing (RCE) in langgraph. ;D

https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5

RCE in "json" mode of JsonPlusSerializer · Advisory · langchain-ai/langgraph · GitHub
https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5

The Louvre's Video Surveillance Password Was 'Louvre' https://yro.slashdot.org/story/25/11/05/238245/the-louvres-video-surveillance-password-was-louvre?utm_source=rss1.0mainlinkanon

Kaitai Struct: A Tool For Dealing With Binary Formats - Petr Pucil & Mikhail Yakshin

https://www.youtube.com/watch?v=SC2zIli8MNA

#hacklu2025