vulnerability
A new open-source bug bounty hunting toolkit called BugHunter, built on top of Anthropic’s Claude Code and now extended to support free AI providers like Ollama and Groq, is gaining traction in the security research community for automating the full vulnerability discovery and reporting pipeline. Developed by security researcher Shuvon Md Shariar Shanaz and hosted […]
Just a day after Arch Linux developers believed they had their AUR malware incident under control, with 1,500+ packages affected by malware, another round of AUR malware is now being discovered
BUMSRAKETE is a HUGE, TREMENDOUS, MANY-PEOPLE-ARE-SAYING FreeBSD kTLS-RX page-cache write primitive. The BEST primitive. Some say the best ever.
Skills for threat modeling, scanning, triage, patching, plus an autonomous scanning harness you can /customize - anthropics/defending-code-reference-harness
Exploit for CVE-2026-42945. Contribute to DepthFirstDisclosures/Nginx-Rift development by creating an account on GitHub.
On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm. Full postmortem.
Contribute to V4bel/dirtyfrag development by creating an account on GitHub.
The Apache Software Foundation has released a critical security update for Apache HTTP Server, version 2.4.67, released on May 4, 2026, patching five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE).
Copy Fail (CVE-2026-31431): a 732-byte Linux LPE — straight-line, no race, no per-distro offsets. Same Python script roots Ubuntu, Amazon Linux, RHEL, SUSE since 2017. Page-cache write bypasses on-disk file-integrity tools and crosses container boundaries. Found by Xint Code.
Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.
The Red Sun vulnerability repository. Contribute to Nightmare-Eclipse/RedSun development by creating an account on GitHub.
more details: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan Most likely, a maintainer's GitHub and npm accounts are compromised as these issues are getting deleted. I have also rep...
Binarly has published VulHunt Community Edition, making the core scanning engine from Binarly's commercial Transparency Platform available to independent
A prompt injection in a GitHub issue triggered a chain reaction that ended with 4,000 developers getting OpenClaw installed without consent. The attack composes well-understood vulnerabilities into something new: one AI tool bootstrapping another.