[RSS] Three Bugs Walk Into a PDF: Prototype Pollution, Served Cold

https://starlabs.sg/blog/2026/04-three-bugs-walk-into-a-pdf-prototype-pollution-served-cold/

CVE-2026-34621, CVE-2026-34622, CVE-2026-34626

[RSS] Carrot disclosure: Forgejo

https://dustri.org/b/carrot-disclosure-forgejo.html

[RSS] A Route to Root in a 4G Industrial Router

https://tantosec.com/blog/2026/04/route-to-root-in-4g-industrial-router/

[RSS] Discovering Vulnerabilities in Enterprise Audiovisual Hardware

https://spaceraccoon.dev/discovering-vulnerabilities-enterprise-audiovisual-hardware/

[RSS] libghidra - SDK for automating Ghidra from Python, Rust, and C++

https://github.com/0xeb/libghidra

#Ghidra

[RSS] TAPOcalypse Now: Exploiting TP-Link Smart Devices From Anywhere

https://labs.taszk.io/articles/post/tapocalypse/

News shouldn’t disappear. 🕳️

Some publishers are blocking the Wayback Machine, putting the public record at risk. Journalists are speaking out.

Add your name. Stand for preserving the news.

✍️ https://www.savethearchive.com/NewsLeaders

Detailed report from DigiCert (thanks!) about "a limited number of code signing certificates, few of which were then used to sign malware".

At the beginning a ZIP file with a .scr executable, and some time later 60 revoked Code Signing certificates. https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

Can web developers stop fucking with scroll bars please? No website is so beautiful that it justifies losing the ability to see how far the page scrolls down. I don't give two shits about your design vision.

CARTOON/BOFFO1.GIF

Interesting Git repos of the week:

Detection:

* https://github.com/gadievron/honeyslop - a side bar to RAPTOR, a vulndev slop detector from @gadi 🤖
* https://github.com/Nehboro/nehboro - a Chrome extension to help protect you from phishing scams
* https://github.com/trustedsec/SysmonCommunityGuide - TrustedSec dropped guides for Sysmon
* https://github.com/JPCERTCC/LogonTracer - watch out for unexpected logins with JPCERT
* https://github.com/persistent-security/month-of-bypasses - a month of detection engineering tips and tricks
* https://github.com/sjzasada/agentflash - my old uni house mate has written a tool to keep an eye on Claude

Bugs:

* https://github.com/theori-io/copy-fail-CVE-2026-31431 - copy.fail \o/

Exploitation:

* https://github.com/CyberStrikeus/CyberStrike - sloppy pen testing 🤖
* https://github.com/SnailSploit/Claude-Red - another agentic pen tester 🤖
* https://github.com/PurpleAILAB/Decepticon - rise of the bots 🤖
* https://github.com/hackerschoice/team-teso - courtesy of @thc, an archive of TESO
* https://github.com/BishopFox/cirro - @BishopFox created Cirro to map clouds 🤖
* https://github.com/thomasdullien/vulpine - @HalvarFlake dabbles in AI bug hunting and vulndev
* https://github.com/boostsecurityio/smokedmeat - smoked meat attacks CICD pipelines for hot red team action
* https://github.com/mandiant/gopacket - Mandiant ported Impacket to Go
* https://github.com/trailofbits/trailmark - @trailofbits's Trailmark graphs code 🤖
* https://github.com/sailay1996/vss-fr2system - arbitrary reads to SYSTEM \o/
* https://github.com/asset-group/Sni5Gect-5GNR-sniffing-and-exploitation - attacking 5G for sniffs and giggles
* https://github.com/ANSSI-FR/bmc-tools - ANSSI parses your RDP screenshots
* https://github.com/BSI-Bund/RdpCacheStitcher - BSI stitches them together
* https://github.com/califio/publications - @thaidn and friends do interesting things 🤖
* https://github.com/jedireza/reserved-subdomains - what subdomains are reserved?

Hardening:

* https://github.com/sektioneins/ovpncc - One of SektionEins's various config checking tools, this onefor OpenVPN
* https://github.com/HarmonicSecurity/claudit-sec - audit your Claude Desktop posture

Cryptography:

* https://github.com/nitram2342/bruteforce-crc - crunching through CRC32

Data:

* https://github.com/op7ic/SwarmMaker - my good friend opt7ic drops a new tool to build LLM skills

Nerd:

* https://github.com/moshix/BRICKS_TS - mainframe code

#security, #research, #code

Infosec community right now…

313 Team, the Iraqi-aligned group claiming credit for the Ubuntu attack, are now encouraging the use of #CopyFail against Ubuntu targets while servers may not be able to reach updates.

https://discourse.ifin.network/t/ubuntu-services-under-attack/356

“GCC now supports Algol 68” https://algol68genie.nl/en/blog/gcc-algol-68-genie/

#BlackMetal album of the day by a friend of mine: Malevolic, Complete Integrity Corruption.

https://malevolic.bandcamp.com/album/complete-integrity-corruption
#Metal

This is a temp+humidity sensor pcb + 4 sensing connectors. Can you tell what the full product was (genuine Q, not a challenge) #namethatware

My first ever open source release: lib0xc, the C standard library you wish you had.

https://aka.ms/lib0xc

[RSS] A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202

https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202

Looks like the NSA implemented sophons:

https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/

[RSS] Revealing NVIDIA Closed-Source Driver Command Streams for CPU-GPU Runtime Behavior Insight

https://arxiv.org/abs/2604.26889