unsandboxed Chrome RCE nets $250k. great writeup too https://issues.chromium.org/issues/453094710
Our intrepid 20%-er @dillonfranke exploited a vulnerability in CoreAudio. See his process for gaining privilege escalation on a Mac:
RE: https://infosec.exchange/@atredis/115973990718232965
This was a ton of fun and a lot of work with @jordan9001.
The game has a client-side scripting interface (we demo it in the post) that's really neat from an offensive perspective; all sorts of cool stuff you can tinker with with the right function call
And if you're interested in finding your own 1995 era RCEs, I see EA has released source code for the other C&C games... https://github.com/electronicarts/CnC_Tiberian_Dawn
Command & Conquer'd: worming RCEs through a classic multiplayer game. Check out the full writeup from our @DistrictCon Junkyard submission here:
https://www.atredis.com/blog/2026/1/26/generals
By @drone and @jordan9001
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README are AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
My first blog post on Windows Administrator Protection is out. https://projectzero.google/2026/26/windows-administrator-protection.html probably the most interesting and complex bug out of the 9 I found, but that doesn't mean the rest weren't interesting as well, stay tuned :D
Binary obfuscation in 2026:
Just put ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FA... into your program 😎
Thanks to @mxey for the idea
🧭 Jump Anywhere in IDA 9.3 makes everyday navigation faster and more responsive — especially on large databases.
Here’s how it works and what’s improved.
https://hex-rays.com/blog/ida-9.3-jump-anywhere
Really enjoyed @chompie1337’s #SSTIC2023 talk “Deep attack surfaces, shallow #bugs”
https://www.sstic.org/2023/presentation/deep_attack_surfaces_shallow_bugs/
(catching up with my huge “watch later” backlog)
CVE-2025-64155: Three Years of Remotely Rooting the #Fortinet #FortiSIEM
Had fun watching @gynvael’s grehackconf talk about a cool #NETGEAR #vulnerability chain ✊
🚨 REcon 2026 is LIVE!
🚀 Call for papers and registration are now open!
Join the world's top reverse engineers & exploit devs in Montreal:
🛠 Trainings: June 15-18 (19 hands-on classes – AI agents, kernel exploits, Rust/Go reversing, fault injection & more!)
📅 Conference: June 19-21
Tickets & early bird now open → https://recon.cx
Limited spots – see you in MTL! #REcon2026 #ReverseEngineering
Shoutout to the legends teaching: @SinSinology
@malachijonesphd
@andreyknvl @bird.makeup
@mr_phrazer @yarden_shafir @drch40s @pulsoid + more elite instructors! See website for all trainers and session info.
If Andrew "bunnie" Huang didn't exist, I'd swear he was a character out of a(n extraordinarily technologically well-informed) cyberpunk novel. Every time I interact with this legendary hardware hacker, he blows my mind with some project or insight that permanently alters how I think about tech.
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2026/01/09/quantity-break/#so-many-chips
1/
Check out our latest blog from Matt Burch (@emptynebuli) detailing new supplemental findings from his DefCon32 talk Where's the Money: Defeating ATM Disk Encryption: https://www.atredis.com/blog/2025/8/26/24nrgne4dqbwjxyip7txn8ep6zj057
Drop what you are doing and read this incredible story from Wired, if you can. After that, come back here.
https://www.wired.com/story/edward-coristine-tesla-sexy-path-networks-doge/
It mentions that a 19 y/o man who's assisting Musk's team and who has access to sensitive government systems is Edward Coristine. Wired said Coristine, who apparently goes by the nickname "Big Balls," runs a number of companies, including one called Tesla.Sexy LLC.
"Tesla.Sexy controls dozens of web domains, including at least two Russian-registered domains. One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review."
The really interesting part for me is Coristine's work history at a company called Path Networks, which Wired describes generously as a company "known for hiring reformed black-hat hackers."
"At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn resume. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company."
The founder of Path is a young man named Marshal Webb. I wrote about Webb back in 2016, in a story about a DDoS defense company he co-founded called BackConnect LLC. Working with Doug Madory, we determined that BackConnect had a long history of hijacking Internet address space that it didn't own.
https://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/
Incidentally, less than 24 hours after that story ran, my site KrebsOnSecurity.com was hit with the biggest DDoS attack the Internet had ever seen at the time. That sustained attack kept my site offline for nearly 4 days.
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
Here's the real story behind why Coristine only worked at Path for a few months. He was fired after Webb accused him of making it known that one of Path's employees was Curtis Gervais, a serial swatter from Canada who was convicted of perpetrating dozens of swattings and bomb threats -- including at least two attempts on our home in 2014. [BTW the aforementioned Eric Taylor was convicted of a separate (successful) swatting against our home in 2013.]
https://krebsonsecurity.com/2017/02/men-who-sent-swat-team-heroin-to-my-home-sentenced/
In the screenshot here, we can see Webb replying to a message from Gervais stating that "Edward has been terminated for leaking internal information to the competitors."
Wired cited experts saying it's unlikely Coristine could have passed a security clearance needed to view the sensitive government information he now has access to.
Want to learn more about Path? Check out the website https://pathtruths.com/
Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051) https://www.coresecurity.com/core-labs/articles/windows-dwm-core-library-elevation-privilege-vulnerability-cve-2024-30051