We analyzed the Coruna exploit kit and found intriguing code overlaps with Operation Triangulation https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/
📱 1-click RCE in the YTDLnis Android app!
On Android, turning file writes into RCE is usually quite hard, but here the app had a nice gadget for us. Check out the details in our latest blog post:
Sometimes I wonder… I come from two Milanese industrialist families who worked hard to keep their factories going (and failed in one case due to, literally, natural causes aka a dam disaster) and, reading the responses to my LinkedIn post about salary dumping in Ticino, I cannot reconcile it with anything I have ever heard from my parents or grandparents.
This bizarre concept that it is the workers and the international treaties which somehow "force" the companies to use cheap labour is spectacular.
Of course my families tried to run a profit but, in one case, literally financed one of the most skilled workers to set up their own shop and become a supplier with a guaranteed 5-yr 100% purchase cover before they could work alone (their family is still in business!), the other spent literally almost all their fortune to provide for the worker families hit by the disaster.
I should add that my grandfather's idea of "owner luxury" was going on holiday in Rimini for two weeks, having a large apartment in a new development towards Milan Linate airport, and driving an Alfa Romeo Alfetta, not "two yachts, three Ferrari, five villas." That might explain things...
Having said this, I was brought up in a left-wing family and the only comment when I said I was an Ⓐ was "perhaps too much?" which is fair :)
Okay, I can finally show off these things: Sun SPOTs, weird little Java-on-metal microcontrollers from 2005/2006!
Aww yiss, another critical Citrix vuln.
Detection/remediation details here: https://docs.netscaler.com/en-us/netscaler-console-service/instance-advisory/remediate-vulnerabilities-cve-2026-3055
Coding with LLMs and agents is a generational opportunity to throw the last decade's hard-won lessons on secure coding and appsec out of the window. Definitely something that trust and safety teams, threat actors and possibly even your parents are seizing on with glee when they bypass all of your policies and procedures around installing new software, data governance, validated designs, code reviews, principles of least privilege and regular security assessments. Best of luck.
I popped a Pwn2Own $40k target with a directory traversal in hypervisor
Plenty of buffer overflows there, too
https://bird.makeup/users/abantdogal/statuses/2036132328599089230
I love that we went from "zero trust" as a fundamental buzzword to "trust autonomous nondeterministic agents everywhere in your stack".
RE: https://mastodon.social/@MozillaAI/116279201448628866
All we wanted was a browser. All you had to do was build a browser. You had one job.
🐘
#LiteLLM Compromised! LiteLLM, a popular Python library used by a lot of AI tooling, got compromised on PyPI, and the malicious versions are stealing everything they can find on your machine:
👇
https://www.xda-developers.com/popular-python-library-backdoor-machine/
We can remove strncpy() from the Linux kernel finally! I did the last 6 instances, and dropped all the implementations:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=dev/v7.0-rc2/strncpy
Over the last 6 years working on this, there were 362 commits by 70 contributors. The folks with more than 1 commit were:
211 Justin Stitt <justinstitt@google.com>
22 Xu Panda <xu.panda@zte.com.cn>
21 Kees Cook <kees@kernel.org>
17 Thorsten Blum <thorsten.blum@linux.dev>
12 Arnd Bergmann <arnd@arndb.de>
4 Pranav Tyagi <pranav.tyagi03@gmail.com>
4 Lee Jones <lee@kernel.org>
2 Steven Rostedt <rostedt@goodmis.org>
2 Sam Ravnborg <sam@ravnborg.org>
2 Marcelo Moreira <marcelomoreira1905@gmail.com>
2 Krzysztof Kozlowski <krzk@kernel.org>
2 Kalle Valo <kvalo@kernel.org>
2 Jaroslav Kysela <perex@perex.cz>
2 Daniel Thompson <danielt@kernel.org>
2 Andrew Lunn <andrew@lunn.ch>
Thank you to all of you! (And especially to Justin Stitt who took on the brunt of the work.)
It's clear that AI-assisted coding is dividing developers (welcome to the culture wars!). I've seen a few blog posts now that talk about how some people just "love the craft", "delight in making something just right, like knitting", etc., as opposed to people who just "want to make it work". As if that explains the divide.
How about this: some people resent the notion of being a babysitter to a stochastic token machine, hastening their own cognitive decline. Some people resent paying rent to a handful of US companies, all coming directly out of the TESCREAL human extinction cult, to be able to write software. Some people resent the "worse is better" steady decline of software quality over the past two decades, now supercharged. Some people resent that the hegemonic computing ecosystem is entirely shaped by the logic of venture capital. Some people hate that the digital commons is walled off and sold back to us. Oh, and I guess some people also don't like the thought of making coding several orders of magnitude more energy intensive during a climate emergency.
But sure, no, it's really because we mourn the loss of our hobby.