cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

A digital intruder broke into an AWS cloud environment and in just under 10 minutes went from initial access to administrative privileges, thanks to an AI speed assist.

The Sysdig Threat Research Team said they observed the break-in on November 28, and noted it stood out not only for its speed, but also for the "multiple indicators" suggesting the criminals used large language models to automate most phases of the attack, from reconnaissance and privilege escalation to lateral movement, malicious code writing, and LLMjacking - using a compromised cloud account to access cloud-hosted LLMs.

"The threat actor achieved administrative privileges in under 10 minutes, compromised 19 distinct AWS principals, and abused both Bedrock models and GPU compute resources," Sysdig's threat research director Michael Clark and researcher Alessandro Brucato said in a blog post about the cloud intrusion. "The LLM-generated code with Serbian comments, hallucinated AWS account IDs, and non-existent GitHub repository references all point to AI-assisted offensive operations."

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Persistent, Sandboxed, Single-Site Browser (firejail and proxychains)

Or how to avoid getting locked-out of another Google Account

By Michael Altfield
License: CC BY-SA 4.0
https://tech.michaelaltfield.net/

This guide describes how to set up a persistent browser (for Evil Corp) that is isolated in a sandbox (with firejail) and forced through a SOCKS5 proxy so that it keeps a static IP address (using proxychains).

Persistent, Sandboxed, Single-Site Browser

Have you ever been locked out of your own account, and then received an email from your service provider annoyingly letting you know that they've "blocked a login attempt -- for your protection"?

There are countless reports of frustrated users who have permanently lost access to their own Gmail accounts because Google's faulty "fraud protection" systems locked the account owner out of their own account due to false positives.

Read the full article here:

We are glad to announce Vulnerability-Lookup 3.0.0. Our second release of 2026 is a major milestone, featuring GCVE-BCP-07 support. Now, every Vulnerability-Lookup instance can publish its own KEV catalog while integrating KEV feeds from CISA and ENISA.

Let’s take a look at all the notable changes.

What's New

GCVE-BCP-07: Known Exploited Vulnerabilities (KEV) Catalogs Integration

This release implements support for GCVE-BCP-07, enabling seamless integration with multiple Known Exploited Vulnerabilities (KEV) catalogs from different Global Numbering Authorities (GNAs). PR #310

Out of the box, any Vulnerability-Lookup instance can publish its own GCVE-BCP-07–compliant KEV catalog and consume KEV catalogs from ENISA and CISA. Conversion and synchronization are performed using the following tool: https://github.com/gcve-eu/gcve-eu-kev

A huge thank you to CISA and ENISA for their continuous work and for making KEV data available. Their catalogs are key building blocks for effective vulnerability prioritization, and it’s great to see them fit naturally into a GCVE-aligned workflow.

New and updated tools

  • CISA KEV and ENISA CNW EUVD to GCVE-BCP-07 Converter: https://github.com/gcve-eu/gcve-eu-kev

    $ gcve-from-cisa --push
    $ gcve-from-enisa --push
    
  • BCP Validator: https://github.com/gcve-eu/bcp-validator

    $ python gcve_bcp05_validate.py --url https://vulnerability.circl.lu/api/vulnerability?source=gna-1
    OK: https://vulnerability.circl.lu/api/vulnerability/recent?source=gna-1
    
  • GCVE Python client: https://github.com/gcve-eu/gcve

    $ gcve references --list
    {
      "kev": [
        {
          "uuid": "405284c2-e461-4670-8979-7fd2c9755a60",
          "short_name": "CISA KEV",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "automation_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
          "description": "For the benefit of the cybersecurity community and network defenders\u2014and to help every organization better manage vulnerabilities and keep pace with threat activity\u2014CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework."
        },
        {
          "uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd",
          "short_name": "CIRCL",
          "gcve_gna_id": 1,
          "description": "CIRCL provides a known-exploited vulnerability and supporting the different status_reason described in GCVE BCP-07."
        },
        {
          "uuid": "cce329bf-df49-4c6e-a027-80be2e6483bd",
          "short_name": "EUVD KEV",
          "gcve_gna_id": 2,
          "automation_url": "https://github.com/enisaeu/CNW/raw/refs/heads/main/kev.csv",
          "description": "ENISA via the CSIRTs network provides list of known-exploited seen in the CSIRTs network."
        }
      ]
    }
    

New Vulnerability Sources

  • new: [feeders] OSV importer for Drupal security advisories. Imports vulnerabilities from the Drupal security team's OSV feed. 14177ab

  • new: [feeders] OSV importer for CleanStart security advisories. Imports vulnerabilities from CleanStart's OSV feed. 14177ab

  • new: [feeders] Bitnami Vulnerability Database importer. Imports vulnerabilities from Bitnami's OSV-formatted vulnerability database, covering their application catalog. 165e99d

Changes

  • chg: [gcve] Updated GCVE Python client with improved type hints and bug fixes. 78dbfc1 5ddf74d

  • chg: [gcve] KEV catalog menu now handles production instances that have their own GNA ID. When a local instance (e.g., CIRCL - GNA-1) exists in the GCVE KEV catalog list, it's marked as local without creating duplicates. 2bba2d8

  • chg: [api] Extended x_gcve injection to all vulnerability list endpoints: VulnerabilitiesList, Recent, Last, and LastLegacy. This ensures consistent GCVE integration across all API endpoints. 227da00

  • Various graphical improvements.

Fixes

  • fix: [gcve] Resolved circular import in gcve_utils module. e7aa364

  • 'Ghost CVEs' toggle is wonky #303

  • Fix CVSS 4.0 parsing crash in web filters #304

  • Fix blacklist bypass vulnerability in username validation #314

  • Support YYYYMMDD date format in API since parameter #315

Changelog

For the full list of changes, check the GitHub release:
v3.0.0 Release Notes

Thank you to all our contributors and testers!


Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Set up a framework to fully man-in-the-middle my own browsers' networking and see what they're up to, beyond just looking at their DNS queries and encrypted TCP packets. We force the browser to trust our mitmproxy cacert so we can peek inside cleartext traffic, and we made it conveniently reproducible and extensible.

It has containers for official Firefox, its Debian version, and some other FF derivatives that market a focus on privacy or security. Might add a few more of those or do the chromium family later - if you read the thing and want more then please let us know what you want to see under the lens in a future update!

Tests were run against a basic protocol for each of them and results are aggregated at the end of the post.

Posting with ambition that this can trigger some follow-ups sharing derived or similar things. Maybe someone could make a viral blog post by doing some deeper tests and making their results digestible ;)


Cross-post. Original Thread @ https://discuss.tchncs.de/post/53845514

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

It is not a universal RCE (it works from a service account with the correct permissions).

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

We’re delighted to announce the release of Vulnerability-Lookup 2.21.0.

This release brings several important improvements focused on search, data ingestion, and usability.

What's New

Product-level indexing & search API

Making it easier to explore vulnerabilities from a product-centric angle, without specifying a vendor name. (f906064)

New CSAF feeder for Schneider Electric

We have recently added a new CSAF feed for Schneider Electric. (e43fa03)

More flexible user registration configuration

New options to customize signup/about pages and restrict accepted email domains. (3855838, bfc82cf)

Improved notifications & UI refinements

Clearer emails, better metadata, and cleaner templates.

Ghost CVE

We now use the term Ghost CVE to refer to vulnerabilities observed in the wild via sightings that do not yet have a public CVE record.

Changes

A number of fixes and technical improvements are also included.

  • chg: [notifications] Added the publication date in email notifications and a special icon for new vulnerabilities. Closes #299. 64bc631
  • chg: [dependencies] Updated Python and dev/docs dependencies. 510233c b08c381
  • chg: [config] Updated default value for ACCEPTED_DOMAINS_FOR_REGISTRATION. 6563f8a
  • chg: [templates] Simplified titles for vuln and sightings pages; added Open Graph meta tag. 19c9a69 27eb6bf
  • chg: [documentation] Updated installation instructions. 152212d

Fixes

  • fix: [api] Preserve typing for flask-restx decorators (mypy). f5f31c5
  • fix(cvss): Safely handle CVSS 4.0 vectors in Jinja filters. Closes #305. 5a303bb
  • fix: [templates] Fix Bootstrap switch click handling (moved popover to help icon). Closes #303. 19a8c54
  • fix: [bin] Corrected the script name for the CSAF Schneider Electric importer. 1386a76
  • fix: [templates] Fixed an issue with batch deletion of users. 839345b
  • fix: [templates] Fixed a tag id in vulnerability_templates.html. bc0d329

Changelog

For the full list of changes, check the GitHub release:
v2.21.0 Release Notes

Thank you to all our contributors and testers!

The new contributor of this release is Thai Nguyen.


Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

The telnetd server invokes /usr/bin/login (normally running as root), passing the value of the USER environment variable received from the client as the last parameter. If the client supplies a carefully crafted USER environment value consisting of the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root, bypassing the normal authentication process. This happens because the telnetd server does not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to bypass normal authentication.

Severity: High

Vulnerable versions: GNU InetUtils since version 1.9.3 up to and including version 2.7.

Happy 2026! The BusKill project published our Annual Report for the progress we made last year.

BusKill Annual Report

What is BusKill?

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

What is BusKill? (Explainer Video)
Watch the BusKill Explainer Video for more info: youtube.com/v/qPwyoD_cQR4

If the connection between you and your computer is severed, then your device will lock, shut down, or shred its encryption keys -- thus keeping your encrypted data safe from thieves who steal your device.

Executive Summary

In 2025, we changed from a twice-yearly Warrant Canary to a once-yearly canary plus a new once-yearly Annual Report.

In 2025, we published two videos to help spread awareness, provide a clear demo, and show how to use BusKill.

And in 2025, we were awarded a grant from Futo.

Happy New Year!

We're looking forward to continuing to improve the BusKill software and to finding other avenues to distribute our hardware BusKill cable, to make it more accessible this year.

If you want to help, please consider purchasing a BusKill cable for yourself or a loved one. It helps us fund further development, and you get your own BusKill cable to keep you or your loved ones safe.

Buy a BusKill Cable
https://buskill.in/buy

You can also buy a BusKill cable with Bitcoin, Monero, and other altcoins from our BusKill Store's .onion site.

Stay safe,
The BusKill Team
https://www.buskill.in/
http://www.buskillvampfih2iucxhit3qp36i2zzql3u6pmkeafvlxs3tlmot5yad.onion/

In January 2026, Huntress Senior Security Operations Analyst Tanner Filip observed threat actors using a malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate the threats. Our analysis revealed this campaign is the work of KongTuke, a threat actor we have been tracking since the beginning of 2025. In this latest operation, we identified several new developments: a malicious browser extension called NexShield that impersonates the legitimate uBlock Origin Lite ad blocker, a new ClickFix variant we have dubbed "CrashFix" that intentionally crashes the browser and then baits users into running malicious commands, and ModeloRAT, a previously undocumented Python RAT reserved exclusively for domain-joined hosts.
