500 Microsoft CVEs Later — We're Still Measuring Security Wrong
Microsoft patched 500+ vulnerabilities in five months. Linux ecosystems patched even more. So which is more secure? That's the wrong question — here's the metric that actually matters.
In-depth red team research, blue team strategy — and privacy-first security tools that run entirely in your browser. No accounts. No telemetry. No data leaves your machine.
TeamPCP's Shai-Hulud is a TypeScript/Bun C2 framework targeting GitHub Actions CI/CD pipelines — it steals GitHub tokens, exfiltrates via a fake git domain, and has now been open-sourced for anyone to deploy.
How attackers turn GitHub Actions' shared build cache into a supply chain weapon — real cases, attack mechanics, detection logic, and mitigations.
Google GTIG's May 2026 report documents a turning point: state actors now use AI to write zero-day exploits, build self-navigating backdoors, and poison the AI supply chain itself.
France is migrating 2.5 million government PCs to Linux. Europe is building its own payment network to rival Visa and Mastercard. EuroStack aims to replace AWS and Azure. Here's what's happening, why it matters for security, and how realistic it is.
Two new Linux kernel vulnerabilities — Dirty Frag (CVE-2026-43284/43500) and Copy Fail (CVE-2026-31431) — enable local privilege escalation to root on nearly all major distros. What users and admins need to know.
ESET uncovered CallPhantom — 28 Android apps with 7.3M downloads that sold fabricated call histories. A deep dive into the fraud mechanics, billing bypass, and how to protect yourself.