"I'm interested in all kinds of astronomy."

Project Zero Bot

New Project Zero issue:

Adobe DNG SDK: integer overflow in dng_pixel_buffer::OptimizeOrder leads to out-of-bounds memory access

https://project-zero.issues.chromium.org/issues/478212931

CVE-2026-27281
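Added illustration of the bug class named in the issue title above. This is example code, not the Adobe DNG SDK's code: the buffer layout (rows x cols x planes, `pixel_size` bytes per sample), the function names and the dimensions are assumptions for the demo. It shows a 32-bit product of image dimensions wrapping so the allocation comes out far smaller than the offsets the access path later computes in 64 bits, and a step-wise overflow-checked multiplication that rejects the same input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this demo (not the DNG SDK's dng_pixel_buffer):
 * rows x cols x planes samples, each pixel_size bytes, row-major. */

/* Bug pattern: the byte count is formed in 32-bit arithmetic and wraps
 * modulo 2^32 for large dimensions, so the buffer is under-allocated. */
static uint32_t plane_bytes_wrapping(uint32_t rows, uint32_t cols,
                                     uint32_t planes, uint32_t pixel_size)
{
    return rows * cols * planes * pixel_size;
}

/* Overflow-checked multiply: false if a*b does not fit in size_t. */
static bool mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened version: multiply one dimension at a time in size_t and reject
 * the input if any step overflows. Returns 0 on overflow (and for a
 * zero-sized image, which an allocator should reject as well). */
static size_t plane_bytes_checked(uint32_t rows, uint32_t cols,
                                  uint32_t planes, uint32_t pixel_size)
{
    const size_t dims[4] = { rows, cols, planes, pixel_size };
    size_t n = 1;
    for (int i = 0; i < 4; i++)
        if (!mul_checked(n, dims[i], &n))
            return 0;
    return n;
}

/* Byte offset of sample (row, col, plane), computed in size_t the way an
 * access path typically does it. */
static size_t sample_offset(uint32_t row, uint32_t col, uint32_t plane,
                            uint32_t cols, uint32_t planes, uint32_t pixel_size)
{
    return (((size_t)row * cols + col) * planes + plane) * (size_t)pixel_size;
}

/* True if touching the last sample of a buffer sized by the wrapping
 * computation would read or write past the allocation. */
static bool wrapped_size_is_oob(uint32_t rows, uint32_t cols,
                                uint32_t planes, uint32_t pixel_size)
{
    size_t alloc = plane_bytes_wrapping(rows, cols, planes, pixel_size);
    size_t last  = sample_offset(rows - 1, cols - 1, planes - 1,
                                 cols, planes, pixel_size);
    return last + pixel_size > alloc;
}

int main(void)
{
    /* Constructed input: 65537 x 65536 x 1 plane x 1 byte = 2^32 + 65536 bytes,
     * which wraps to 65536 in 32-bit arithmetic. */
    uint32_t rows = 65537, cols = 65536, planes = 1, px = 1;

    printf("wrapping size : %u bytes\n",
           plane_bytes_wrapping(rows, cols, planes, px));
    printf("checked size  : %zu bytes\n",
           plane_bytes_checked(rows, cols, planes, px));
    printf("last sample OOB with wrapped size: %s\n",
           wrapped_size_is_oob(rows, cols, planes, px) ? "yes" : "no");

    /* Dimensions whose product does not fit size_t are rejected outright. */
    printf("checked size for 0xFFFFFFFF^4: %zu (0 = rejected)\n",
           plane_bytes_checked(0xFFFFFFFFu, 0xFFFFFFFFu,
                               0xFFFFFFFFu, 0xFFFFFFFFu));
    return 0;
}
```

The checked variant assumes a 64-bit `size_t`; on such a platform the 65537 x 65536 case is accepted with its true size, and only inputs whose product exceeds 2^64 are rejected. The point is that the allocation size and the access offsets must be computed in the same, wide, checked arithmetic.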

The RCE I've found in LiteLLM (https://x41-dsec.de/lab/advisories/x41-2026-001-litellm/) is a nice example of how AI agents can speed up security research. The issue was found manually by me during a project with strict time constraints. So I had a Nemesis-backed AI agent do auto-triage and find a sandbox escape, fully automated. After 20 minutes the job was done, including a fully working exploit.


Linus Torvalds, the legend 🔥


Getting serious ADHD and building software nobody asked for.

checksec for Mach-O
https://github.com/ChiChou/macchk

⚠️ Warning: vibe coded


Enfys 🏴󠁧󠁢󠁷󠁬󠁳󠁿 🏳️‍⚧ 🔜 Outline


I released an Atari 2600 demo with some friends at Revision this year and managed to win 1st place in the oldskool demo compo! It's been in development for about a year now, so it was really cool to see it finally out :3
https://demozoo.org/productions/389801/
https://www.youtube.com/watch?v=aEJ0A8Wvdxs


TrendAI Zero Day Initiative

Inherent flaws in node.js remain unpatched. Bobby Gould and Michael DePlante detail the problem and how the burden of security silently falls on app developers. https://www.zerodayinitiative.com/blog/2026/4/8/nodejs-trust-falls-dangerous-module-resolution-on-windows


Another #Hungary and #Russia investigation by #VQuare

  • Budapest systematically weaponized the issue of Hungarian minority rights in Ukraine to stall EU accession negotiations.
  • Péter Szijjártó offered to send Sergey Lavrov EU documents through the Hungarian Embassy in Moscow.
  • Hungary and Slovakia, acting as Kremlin friends in the EU, pushed against restrictions on Russian energy supplies.
  • Budapest also supported the Kremlin’s “achievements” of the Alaska Summit.
  • Leaked audio reveals a strikingly deferential, submissive attitude from Szijjártó toward Lavrov.

https://vsquare.org/kremlin-hotline-how-hungary-coordinates-with-russia-blocking-ukraine-from-the-eu/


New from 404 Media: Microsoft has terminated an account associated with VeraCrypt, the popular and long-running piece of encryption software. This means it can no longer receive updates on Windows, the developer told me. Little explanation given by Microsoft https://www.404media.co/microsoft-abruptly-terminates-veracrypt-account-halting-windows-updates/


taking pride in my vintage pre-AI CVEs

[RSS] Standardizing Rewards in Google VRP: Introducing Information Tiers and Action Criticality

https://bughunters.google.com/blog/standardizing-rewards-in-google-vrp

desktop management interface 💽

\o/ VLC in space

@videolan


The LLMs' capabilities at finding bugs are definitely impressive (I was very interested in AIxCC), but let's be honest, bugs were never scarce. There is just a new toy able to scale things faster (although it's funny how the price is always hidden). So were fuzzers when AFL coverage was introduced. Will it plateau or not, that's the question. And whether the introduction of new bugs will crash or not. Interesting times? Sure. End of times? Meh... Time will tell, as usual 🙂


Keep these monstrosities off our roads 🙅‍♂️

"US carmakers have accused Brussels of keeping their largest pick-up trucks, including the Ford F-150, the Chevy Silverado and the Ram 1500, off European roads"

https://www.ft.com/content/3eb796fd-bcdb-4a9f-89b7-f7d5e692a3cd

https://www.carsized.com/en/cars/compare/renault-twingo-1998-3-door-hatchback-vs-ford-f-350-2016-4-door-pickup-crew-cab/


📱 Summer intern wanted!

@exhel and I are looking for someone to help us reverse engineer Android apps this summer @ TU Graz.

→ 20 or 40hrs/week contract
→ Helpful background: Android, reversing, or messaging apps

Send a short motivation statement + CV to lena.heimberger@tugraz.at AND edona.fasllija@tugraz.at

Boosts appreciated! 🙏


In the 70s they could open Facebook by pressing the Meta key and there were Like and Dislike buttons right on the keyboard.


Here’s why it’s important to always use r2 from git. In r2land, we follow the law of full disclosure and fix any reported vulnerability within a 24h deadline, as stated in SECURITY.md https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero


It's so cool that Anthropic is setting up a double-sided protection racket where it will profit from the massive token burn of attackers and defenders with a tool specifically designed to generate exploits, and their only observable mitigation is a client-side system prompt that sternly warns the LLM to be good and not do malware
https://red.anthropic.com/2026/mythos-preview/

Spooler Alert: Remote Unauth'd RCE-to-root Chain in CUPS

https://heyitsas.im/posts/cups/

More LLM bugs: CVE-2026-34980 and CVE-2026-34990

To my security peeps: Was the introduction of widespread fuzzing similar to AI-based bug hunting now, or is this really a different beast?
