Security Analysis: Potential AI Agent Hijacking via MCP and A2A Protocol Insights #SecurityAnalysis #AIAgentHijacking #MCPProtocol #A2AProtocol #SecurityFlaws https://medium.com/@foraisec/security-analysis-potential-ai-agent-hijacking-via-mcp-and-a2a-protocol-insights-cd1ec5e6045f
Medium
Security Analysis: Potential AI Agent Hijacking via MCP and A2A Protocol Insights
Communication protocols represent a core infrastructure accelerating the development and deployment of AI Agents. Anthropic’s Model Context…
Aiding reverse engineering with Rust and a local LLM #Rust #ReverseEngineering #LocalLLM #Security #Vulnerabilities https://security.humanativaspa.it/aiding-reverse-engineering-with-rust-and-a-local-llm/
HN Security
Aiding reverse engineering with Rust and a local LLM - HN Security
Offensive Rust series article that introduces a new AI tool (oneiromancer) to aid with reverse engineering.
SAP Emarsys SDK for Android Sensitive Data Leak (CVE-2023-6542) #SAPEmarsysSDK #AndroidVulnerability #DataLeak #RemoteCodeExecution #RCESecurity https://www.rcesecurity.com/2025/04/sap-emarsys-sdk-for-android-sensitive-data-leak-cve-2023-6542/
Everyone knows your location, Part 2: try it yourself and share the results #LocationData #PrivacyRights #TrafficAnalysis #AppData #Crowdsourcing https://timsh.org/everyone-knows-your-location-part-2-try-it-yourself/
tim.sh
Everyone knows your location, Part 2: try it yourself and share the results
Learn how to record and analyse your mobile device traffic, take an app from the list of "shady" apps and share the results.
SSD Advisory – extract() double-free(5.X)/use-after-free(7.X/8.X) #SSDAdvisory #PHPVulnerability #DoubleFree #UseAfterFree #ArbitraryCodeExecution https://ssd-disclosure.com/ssd-advisory-extract-double-free5-x-use-after-free7-x-8-x/
SSD Secure Disclosure
SSD Advisory - extract() double-free(5.X)/use-after-free(7.X/8.X) - SSD Secure Disclosure
Summary A vulnerability in PHP’s extract() function allows attackers to trigger a double-free in version 5.x or a user-after-free in versions 7.x, 8.x, which in turn allows arbitrary code execution (native code). Credit An independent security researcher…
AES & ChaCha — A Case for Simplicity in Cryptography #AES #ChaCha #Cryptography #Simplicity #Comparison https://phase.dev/blog/chacha-and-aes-simplicity-in-cryptography/
phase
AES & ChaCha — A Case for Simplicity in Cryptography | Phase Blog
A technical deep dive into how the ChaCha20 cipher is taking on AES as the gold standard for symmetric encryption, and a lesson about the power of simplicity in cryptographic design.
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation #SuperCardX #NFCRelayFraud #ChineseMaaS #AndroidMalware #LowDetectionRate https://www.cleafy.com/cleafy-labs/supercardx-exposing-chinese-speaker-maas-for-nfc-relay-fraud-operation
Cleafy
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation | Cleafy
A new fraud campaign based on the Android malware "SuperCard X" and innovative NFC relay techniques is impacting Italian's banking. Read our latest report to learn more.
CVE-2025-25364: Speedify VPN MacOS privilege Escalation #CVE-2025-25364 #SpeedifyVPN #MacOS #PrivilegeEscalation #Patch https://blog.securelayer7.net/cve-2025-25364-speedify-vpn-macos-escalation/
SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management
CVE-2025-25364: Speedify VPN MacOS privilege Escalation
SecureLayer7 discovered CVE-2025-25364, which is a critical command injection vulnerability discovered in the me.connectify.SMJobBlessHelper XPC service, a privileged helper tool...
New Bug Bounty Programs #BugBountyRadar #PublicPrograms #LatestPrograms #Scope #Rewards https://bbradar.io/
bbradar.io
The Bug Bounty Radar - The Latest Public Bug Bounty Programs | The Bug Bounty Radar
The Bug Bounty Radar - Discover and explore the latest public bug bounty programs from top platforms. Find security research opportunities, compare rewards, and access the most comprehensive bug bounty database. 8 new programs added recently.
IoT Network Security: Analyzing Decrypted Zigbee Traffic Data #IoTNetworkSecurity #DecryptedZigbeeTraffic #DataAnalysis #NetworkEncryption #DeviceCommunicationBehaviors https://rackenzik.com/enhancing-iot-network-security-and-performance-insights-from-decrypted-zigbee-traffic-data/
Compilation Parser And AST #ParserWorkflow #V8internals #LazyParsing #ParserBug #ScopesInJavascript https://w1redch4d.github.io/post/parser-workflow/
Jumping the line: How MCP servers can attack you before you ever use them #MCP #Vulnerabilities #PromptInjection #SecurityThreats #LineJumpingAttacks https://blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/?hss_channel=lcp-912286
The Trail of Bits Blog
Jumping the line: How MCP servers can attack you before you ever use them
MCP’s ’line jumping’ vulnerability lets malicious servers inject prompts through tool descriptions to manipulate AI behavior before tools are ever invoked.
New Pacu Module: Secret Enumeration in Elastic Beanstalk #NewPacuModule #SecretEnumeration #ElasticBeanstalk #RhinoSecurityLabs #PenetrationTesting https://rhinosecuritylabs.com/tools/new-pacu-module-enumerating-elastic-beanstalk/
Rhino Security Labs
New Pacu Module: Secret Enumeration in Elastic Beanstalk
Pacu's newest scenario, enumerating Elastic Beanstalk for Secrets, was built to save users hours of testing during an AWS penetration test.
How I made $64k from deleted files — a bug bounty story #BugBountyStory #GitHubSecrets #AutomationSuccess #DeletedFiles #64kBounty https://medium.com/@sharon.brizinov/how-i-made-64k-from-deleted-files-a-bug-bounty-story-c5bd3a6f5f9b
Medium
How I made $64k from deleted files — a bug bounty story
TL;DR — I built an automation that cloned and scanned tens of thousands of public GitHub repos for leaked secrets. For each repository I…
Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) #LocalPrivilegeEscalation #ZyxelUSGFLEX #CVE20251731 #HNsecurity #fuzzing https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731/
hn security
Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) - hn security
“So we wait, this is our […]
👍1
XRP supply chain attack: Official NPM package infected with crypto stealing backdoor #XRPsupplychainattack #OfficialNPMpackage #CryptoStealingBackdoor #MalwareDetection #AikidoSecurity https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
www.aikido.dev
XRP supply chain attack: Official NPM package infected with crypto stealing backdoor
The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.
Remote Code Execution in ZYXEL FLEX-H Series. #summary #coding #hexadecimal #programming #deadcode https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732
0xdeadc0de.xyz
0xdeadc0de Infosec
GitHub potential leaking of private emails and Hacker One #GitHub #emailleak #HackerOne #APIissue #OmarAbid https://omarabid.com/hacker-one
Omar Abid - Personal Blog
GitHub potential leaking of private emails and Hacker One
TBD
Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) #TowrResearch #VaultBreach #CommvaultRCE #SSRFVulnerability #RemoteCodeExecution https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
watchTowr Labs
Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will.
No heist story…
No heist story…
SSD Advisory – How MiraclePtr Crushed Two Sandbox Escapes #MiraclePtr #SSDAdvisory #SandboxEscapes #UAF #ExploitProtection https://ssd-disclosure.com/ssd-advisory-miracleptr-sandbox/
SSD Secure Disclosure
SSD Advisory - How MiraclePtr Crushed Two Sandbox Escapes - SSD Secure Disclosure
Summary In the wild exploit targeting Chrome, UAF within the Browser process have frequently been a key vector for sandbox escapes. In this post, we introduce two newly discovered UAF within the Browser process, identified during our vulnerability research.…
CVE-2025-22234 #VulnerabilityDirectory #CVE-2025-22234 #HeroDevs #NeverEndingSupport #OpenSource https://www.herodevs.com/vulnerability-directory/cve-2025-22234?nes-for-spring
Herodevs
Vulnerability Directory | CVE-2025-22234 | Spring | HeroDevs
Patch CVE-2025-22234 immediately to secure your systems from critical vulnerabilities. Protect your applications and prevent exploits with the latest updates and fixes—don’t wait, act now!