Security Harvester
On X too! X.com/secharvesterx Harvesting news about cyber security
Posts Archive
8 727
Is this book valid for 2026?
https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470:
1. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems.
2. This fully updated edition contains the very latest attack techniques and countermeasures, showing you how to break into today's complex and highly functional applications.
3. All in all, this book will take beginners and pros alike and serve as an excellent reference and lesson to bump you to whatever level of web application hacker you can be.
@secharvester
Researcher accidentally gained access to a threat actor-controlled phishing website
https://potato.id/en/posts/i-accidentally-logged-into-threat-actor-website/#google_vignette:
1. The platform consisted of a PHP application backed by MySQL, with file storage used to host malware payloads and dynamic endpoints handling downloads.
2. Not long after, the threat actor appeared to identify how access had been obtained and patched the initialization flaw that allowed the reinstallation process in the first place.
3. In the end, the infrastructure survived, but the investigation provided a rare look into how a live malware distribution platform was built, operated and maintained in the wild.
@secharvester
PromptSnatcher: AdBlocker stealing AI Chats - 90k installs
https://malext.io/reports/PromptSnatcher/:
1. While presented as ad blockers, the extensions ship a custom-built interception engine that records non-public conversations, model usage, and account-tier metadata from every major AI platform (ChatGPT, Claude, Gemini, and others).
2. The investigation was initially flagged by the MalExt Sentry automated scanner due to a recurrence of the Google Tag Manager ID GTM-TCT2RJ across multiple extensions' filter rules.
3. The extensions intercept full AI conversation history, model usage, and subscription tier from eight platforms, and transmit this data to operator-controlled infrastructure without notification to the user beyond a generic "Enhanced Protection" consent string.
@secharvester
I'm putting together a full guide on typical DRM tricks and how they get cracked. (Denuvo: 2026 Re9)
https://www.youtube.com/@mojte2546:
@secharvester
MeshCentral: From XSS to RCE
https://www.techanarchy.net/meshcentral-from-xss-to-rce/:
1. The last step was to send the review-findings and report-writer agents to check over the findings and session logs and generate me a report I could share with the project devs.
2. I mean, yes, one of the strongest use cases for LLMs is in the developer world and it's a relatively simple fix, so I opened the PR and a day or two later it was merged and a new patched release was ready to go alongside a new Advisory.
3. You can also review the logs that are generated in MeshCentral; they show a history of all commands that are executed against hosts. It's pretty clear from the writeup that AI was used significantly during this research project.
@secharvester
ShinyHunters linked to exploitation of critical flaw in Oracle PeopleSoft
https://www.cybersecuritydive.com/news/shinyhunters-exploitation-critical-flaw-oracle-peoplesoft/822796/:
1. “We are working with the third party that maintains the platform to investigate and we will continue to support the police with their enquiries.” The Cybersecurity and Infrastructure Security Agency on Friday added the flaw to its Known Exploited Vulnerabilities catalog and confirmed it has been used in ransomware attacks.
2. Halcyon researchers, meanwhile, said the attack is part of a recent pattern by ShinyHunters, as the group was linked to the campaign against Instructure, the firm behind the Canvas Learning Management System.
3. “The extensive infiltrated data from universities in the case of PeopleSoft and Canvas continue to provide ShinyHunters an avenue to conduct targeted campaigns against faculty and students, including phishing and extortion,” s...
@secharvester
Reverse-engineered the WHOOP 4.0's Bluetooth protocol and open-sourced it.
https://github.com/OpenStrap/edge:
1. lib/sync/background_sync.dart registers an OS-scheduled task, WorkManager on Android, BGTask on iOS, that wakes roughly every 15 minutes, connects if the band's in range, drains, uploads, and disconnects.
2. flutter_blue_plus for Bluetooth, sqflite for the local store, http and provider and shared_preferences for the plumbing, workmanager for the background sync, home_widget for the widget bridge, and fl_chart / google_fonts / hugeicons / share_plus for the look of it.
3. OpenStrap's Flutter app: drains a WHOOP 4.0 band over Bluetooth, syncs raw data to your own backend, and shows what your strap actually measures.
@secharvester
NPM 12 Will Change Script Execution Behavior to Prevent Supply Chain Attacks
https://www.securityweek.com/npm-12-will-change-script-execution-behavior-to-prevent-supply-chain-attacks/:
1. Multiple major incidents that occurred over the past several months, mainly associated with TeamPCP and the Shai-Hulud self-replicating worm, have been abusing the default, automatic execution of scripts from dependencies during npm install to infect thousands of developers with malware.
@secharvester
Reverse-engineered the WHOOP 4.0's Bluetooth protocol and open-sourced it.
https://github.com/OpenStrap/edge:
1. lib/sync/background_sync.dart registers an OS-scheduled task, WorkManager on Android, BGTask on iOS, that wakes roughly every 15 minutes, connects if the band's in range, drains, uploads, and disconnects.
2. On iOS, the widget and Live Activity need the App Group set up, NSSupportsLiveActivities turned on, and the background task id registered.
3. OpenStrap's Flutter app: drains a WHOOP 4.0 band over Bluetooth, syncs raw data to your own backend, and shows what your strap actually measures.
@secharvester
US Gov asks Anthropic to ban 'foreign national' access to Fable, Mythos.
https://www.bleepingcomputer.com/news/security/us-gov-asks-anthropic-to-ban-foreign-national-access-to-fable-mythos/:
1. Fable blocks or diverts sensitive cybersecurity, biology, and chemistry queries, while the unrestricted Mythos 5 goes only to vetted government cyberdefenders and life sciences partners.
2. "To date, the government has only given us verbal evidence of a potential narrow, non-universal jailbreak, which essentially consists of asking the model to read a specific codebase and fix any software flaws," states Anthropic.
@secharvester
Getting the PID from random numbers in PHP
https://blog.ikaes.de/getting-the-pid-from-random-numbers/:
1. Cracking the seed of the Mersenne Twister has been proven possible not only in PHP but also in Python, which also uses this algorithm as its default random number generator.
2. In order to guess the PID, we would have to know the precise time when the first call of mt_rand was performed and then generate subsequent random values to eventually find our output.
@secharvester
The Pulling of Mythos Offline: Why AI KYC Will Fail to Stop Cybercriminals
https://www.infostealers.com/article/the-pulling-of-mythos-offline-why-ai-kyc-will-fail-to-stop-cybercriminals/:
1. Compromised logs from infostealers like Lumma, Vidar, and RedLine regularly capture active session tokens, cookies, and saved credentials for vital infrastructure platforms, including Claude.ai and OpenAI.
2. Coupled with the widespread availability of stolen passports, driver’s licenses, and government identification documents, bad actors possess a complete, inexpensive toolkit to fabricate verified identities on demand.
3. When these repositories are inevitably breached, the stolen data will be funneled directly back into the cybercrime ecosystem, providing the exact credentials needed to fuel further identity fraud and access bypasses.
@secharvester
CTO at NCSC Summary: week ending June 14th
https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-june-fb9:
1. That trust is rooted in an unbroken chain of command and accountability, from our democratic process through civilian and military leadership, to the men and women who carry out the mission.” Opportunities for AI in cyber defence - Australian Signals Directorate outlined in May - “Human oversight, governance and Secure by Design practices remain essential.
2. The notable point of this sample is not a single technique, but the way the entire execution chain is divided into many small layers, with each stage taking on a specific task: file dropping, persistence setup, DLL sideloading, payload decryption, manual mapping, and finally generating the configuration/C2 information used for network communication.
3. The extension contains the following components that overlap with techniques used by the Lazarus Group: A JavaS...
@secharvester
The Axios npm compromise was visible in registry metadata before anyone ran npm install
https://autodoc.bearblog.dev/how-30-seconds-of-metadata-would-have-caught-the-axios-attack/:
1. Maintainer’s PC compromised through social engineering and a RAT, npm credentials stolen, versions 1.14.1 and 0.30.4 published manually, malicious dependency pulling a cross-platform trojan.
2. The signal everyone walked past: legitimate axios releases publish through an automated pipeline that stamps the registry with a trusted-publisher block and ties the version to a specific commit.
3. What actually would have worked: Strip it down to a principle: a provenance-mismatch check, run automatically at install time, flags this entire class of attack before a single line of package code executes.
@secharvester
"Instead of touching grass for 6 months I built an AI that names 150,000 sub_ functions overnight. I have no regrets [SpectrIDA]" SELF PROMO (i love the tool tho)
https://github.com/ggfuchsi-oss/spectrIDA-Reverse_Engineering_Stack:
1. spectrIDA splits the binary into N shards, runs them in parallel via idalib, merges into one .i64, then lets a fine-tuned 8B model name every function — all from one terminal UI with a cyberpunk theme and exactly the right amount of sarcasm.
2. Requirements: IDA Pro 9.x with idalib · Python 3.10+ · Ollama. No TUI needed — drive spectrIDA from scripts, Claude Code, notebooks, whatever: hf.co/gdfhhjk/spectrida-re-gguf — Qwen3-8B fine-tuned for reverse engineering.
3. Only the RE-relevant neurons are tuned — base Qwen3 knowledge stays intact, you just added a very specific skill on top.
@secharvester
US Government Orders Suspension of Fable 5 and Mythos 5 Access
https://x.com/anthropicai/status/2065597531644743999?s=46:
@secharvester
Maine disables data breach notification portal after fake disclosures
https://www.bleepingcomputer.com/news/security/maine-disables-data-breach-notification-portal-after-fake-disclosures/:
1. The Attorney General's Office says it has now temporarily disabled public access to the breach notification database while it reviews reporting procedures to reduce similar abuse in the future.
2. The notice states that companies can continue to submit breach notifications through the reporting service, but members of the public seeking copies of disclosures must now contact the Attorney General's Office directly.
@secharvester
Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE) - watchTowr Labs
https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/:
1. It ingests logs, metrics, and event data from across an organization's IT environment - servers, applications, network devices, and security tools - and indexes it so it can be queried in near real time using Splunk's Search Processing Language (SPL).
2. Freshly armed with the knowledge that PostgreSQL Sidecar Service accepts any credentials, we had further questions: The advisory was fairly clear: arbitrary file creation and truncation.
3. Surprise: As we know already, we fully control the dbname argument and it seems that PostgreSQL allows you to define a connection string within a database name (lol).
@secharvester
IBM, AT&T Accused by Whistleblower of Covering Up Foreign Hacks
https://www.claimsjournal.com/news/national/2026/06/05/338002.htm:
1. International Business Machines Corp. and AT&T Inc.’s computer systems were repeatedly breached by foreign hackers, and the companies concealed those intrusions from the U.S. government in violation of the law, according to a lawsuit from a former IBM cybersecurity official.
2. William Barlow, IBM’s former vice president of threat intelligence, alleged in the complaint that the companies failed to disclose multiple breaches over years by attackers linked to foreign governments and made false assurances about the security of their systems in order to win and keep federal contracts.
3. “You can’t sell cybersecurity to the federal government while allegedly having these security problems within your own company.” In his suit, Barlow claimed he personally witnessed numerous breaches of IBM’s core network and ...
@secharvester
