In-depth red team research, blue team strategy — and privacy-first security tools that run entirely in your browser. No accounts. No telemetry. No data leaves your machine.
GitHub confirmed an employee's device was compromised via a poisoned VS Code extension, with ~3,800 internal repos exfiltrated. A technical breakdown of TeamPCP's Mini Shai-Hulud supply chain worm.
CVE-2026-20182 (CVSS 10.0) and CVE-2026-0300 (CVSS 9.3) hit simultaneously — one owns your firewall, the other poisons your entire SD-WAN fabric.
22% of ransomware incidents in 2026 involve no encryption at all. The threat model has shifted from disruption to silent exfiltration — and most defenses haven't caught up.
Microsoft's on-prem Exchange Server has an actively exploited XSS zero-day (CVSS 8.1). A single crafted email in OWA triggers arbitrary JavaScript — here's how it works and how to stop it.
ShinyHunters breached Canvas LMS, stole 275 million students' data, took the ransom — and attacked again four days later. Here's who they are and why arrests haven't stopped them.
TeamPCP has compromised hundreds of open-source packages and stolen half a million credentials. But their OPSEC is leaking — and someone is already hunting them.
A researcher discovered a zero-day that bypasses BitLocker encryption on Windows 11 using a USB stick and the recovery environment — and suspects the component may be intentional. CVE-2026-45585, CVSS 6.8. Microsoft released an official mitigation on May 21, 2026.