Hi friends,

Greetings from the hive!

Baked sweet potatoes are stupid easy and I've been making them wrong for 25 years.

Here's the move: heat your oven to 425°F. Wash your potatoes, cut them in half lengthwise, spray a baking sheet with oil, and place them cut-side down. Bake for 35 minutes.

The skins wrinkle. The insides get soft. Done.

That's the whole thing. No flipping. No babysitting. No weird ingredients.

Just a potato and heat.

Let's take this week by swarm!

🐝 The Bee's Knees

  • SmarterMail Auth Bypass Under Active Exploitation. watchTowr discovered WT-2026-0001, an authentication bypass letting anyone reset the SmarterMail admin password via an unauthenticated API endpoint that never validates the old password. Attackers reverse-engineered the patch within two days of release and began exploiting it in the wild. MORE

  • Cloudflare Zero-Day: Accessing Any Host Globally. FearsOff researchers found a zero-day in Cloudflare's ACME implementation that allowed accessing any host globally. The vulnerability has since been addressed by Cloudflare. MORE

  • Hacking an AI Children's Toy: Remote Access to Every Conversation. Security researchers found Bondu's AI toy admin panel was accessible to anyone with a Google account, exposing tens of thousands of children's conversations, family data, and full device control. The company fixed it within 10 minutes of disclosure. MORE

  • React Server Components CVE-2026-23864. Multiple high-severity DoS vulnerabilities in React Server Components affect Next.js 13-16 and other frameworks. Specially crafted HTTP requests to Server Function endpoints can crash servers or cause OOM exceptions. Upgrade immediately. MORE

  • Samsung MagicINFO 9 Server RCE Chain. Steven Seeley walks through chaining multiple vulnerabilities in Samsung's MagicINFO digital signage server, from license check bypasses and hardcoded credentials to Java deserialization, achieving pre-auth remote code execution on ~6,600 exposed servers. MORE

STANDARD EDITION

Brought to you by →

Hive Five membership

Unlock exclusive benefits… and transform your skills, network, and results. Join our premium community for unparalleled access to resources, support, and exclusive content designed to help you achieve your goals faster.

What you’re missing:

  • Private Discord Community: Connect with like-minded individuals, share your journey, and receive support in our exclusive Discord server.

  • Complete Hive Archive: Access a vast library of resources, tools, videos, and audio – everything you need to succeed.

  • Bonus Content & Deep Discounts: Gain access to exclusive content designed to boost your effectiveness, plus significant discounts on paid resources.

  • Less Time, More Results: Spend less time searching and more time achieving your goals.

Join members that are already experiencing the difference.

Interested in sponsoring the Hive Five? Secure your spot.

Upgrade Yourself →

You're getting the free version. Members get more, including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

🔍 Discover

🗞️ News

  • Curl Ends Its Bug Bounty Program. After seven years and $100K+ paid to researchers, Daniel Stenberg shut down curl's bug bounty due to an explosion of AI slop reports driving confirmed vulnerability rates below 5%. The project moves security reports to GitHub and drops monetary rewards entirely. MORE

  • State of AppSec 2026: Security at Engineering Speed. ProjectDiscovery's report argues scan-and-report AppSec hit a ceiling because AI-accelerated code production outpaced verification. Modern risk lives in authorization gaps, business logic, and exploit chains that scanners miss entirely. MORE

  • Trail of Bits 2025 Open-Source Contributions. Trail of Bits engineers submitted over 375 merged pull requests across 90+ projects last year, from the Rust compiler and pyca/cryptography to Sigstore and PyPI Warehouse, including cutting PyPI's test suite runtime by 81%. MORE

  • Inside the Mind of a Hacker 2026. Bugcrowd's annual report reveals 82% of hackers now use AI in their workflow, 61% find more critical bugs when hacking in teams, and 65% have chosen not to disclose a vulnerability because there was no clear pathway to report it. MORE

  • What Every Built in a Week of Pure Vibe Coding. The Every team spent a week in Panama with one mission: experiment freely, build fast, and see what emerges. No roadmaps. No sprints. Just pure vibe coding with the latest AI tools. MORE

🌎 Community

  • Moltbook: Where AI Agents Talk to Each Other. Simon Willison explores Moltbook, a social network for OpenClaw AI assistants that installs itself via a skill URL. Bots share genuinely useful tips like ADB-over-Tailscale phone control, while Willison warns this "fetch and follow instructions every 4 hours" pattern is ripe for exploitation. MORE

  • The Creator of OpenClaw: "I Ship Code I Don't Read." Peter Steinberger runs 5-10 agents simultaneously, views PRs as "prompt requests," and shipped 6,600+ commits in January alone. The Pragmatic Engineer podcast explores how one person can operate like a full team by treating AI agents as junior developers. MORE

  • Singing the Gospel of Collective Efficacy. Matt Webb reflects on how neighborhood WhatsApp groups, swift nest box projects, and small acts of civic participation build the shared belief that acting together can make a difference, and asks if we could design games that teach this to kids. MORE

  • JWT Auth Bypass Found Using LLMs for Code Review. PentesterLab's Louis Nyffenegger used Claude to triage JWT libraries across languages he'd never used, discovering CVE-2026-23993 where any unrecognized algorithm value bypasses signature verification entirely in HarbourJwt. MORE

  • Jason Haddix shares his AI stack setup in this detailed thread, offering insights into the tools and workflows he uses for security research. This is part one of a comprehensive breakdown of his AI-powered methodology. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  • @codingo_ - VP of Operations @bugcrowd, CyberSecurity AI, XSS/SQLi/SSRF, WAF bypass

  • @_Base_64 - Rohan

  • @Jhaddix - CEO, CISO, Trainer, Hacker, and Speaker. Cybersecurity + Hacking + AI + Sec Leadership @arcanuminfosec

  • @win3zz - Founder of @Cuberks. Maker, hacker, security researcher. Tweets about hacking, tech, and entrepreneurship

  • @baltaaazr - Composing @cursor_ai + @withvoxelize

👀 Explore

  • One Human + One Agent = One Browser From Scratch. A developer built a cross-platform web browser in 20K lines of Rust with zero dependencies in 72 hours using a single Codex agent. Key takeaway: one human driving one agent produced better results than the "thousands of agents for weeks" approach. MORE

  • The Five Levels: From Spicy Autocomplete to the Dark Factory. Dan Shapiro maps AI coding adoption to NHTSA's driving automation levels. Most "AI-native" developers are stuck at Level 2 (pair coding), while Level 4 means you're basically a PM writing specs and checking if tests pass 12 hours later. MORE

  • Adding Dynamic Features to an Aggressively Cached Website. Simon Willison shows how localStorage tricks let him add admin-only edit links and random tag navigation to his Cloudflare-cached Django blog, all built via Claude Code prompts from his iPhone. MORE

  • Some Notes on Starting to Use Django. Julia Evans shares her experience picking up Django after 20+ years of avoiding web frameworks, praising its explicit conventions, built-in admin, ORM magic with double-underscore JOINs, and automatic migrations. MORE

  • He Leaked the Secrets of a Southeast Asian Scam Compound. WIRED's Andy Greenberg tells the story of "Red Bull," a trapped Indian engineer who became an active whistleblower inside a Laotian pig-butchering compound, leaking scripts, chat logs, and internal operations while risking his life. MORE

🛠️ Build

🧰 Try

  • AIWhisperer: Sanitize Documents Before Uploading to AI. This tool shrinks massive PDFs to fit AI upload limits and replaces names, phones, and IBANs with placeholders before cloud upload. Built from a real investigation where a researcher analyzed 4,713 pages in 20 minutes without leaking sensitive data. MORE

  • Obsidian Tunnel: Access Your Vault from Anywhere. A self-hosted web interface for managing your Obsidian vault remotely via Cloudflare Tunnel with authentication. Browse, create, edit, and delete notes from any browser with real-time markdown editing. MORE

  • Zerobrew: A 5-20x Faster Homebrew Alternative. This experimental drop-in Homebrew replacement uses a content-addressable store, APFS clonefile, and parallel downloads to dramatically speed up package installation. Built with Claude Opus 4.5 and applies uv's model to Mac packages. MORE

  • Remotion: Make Videos Programmatically. Create real MP4 videos using React with parametrized content, server-side rendering, and scalable Lambda rendering. Used for music visualizations, captioned videos, screencasts, and year-in-review compilations. MORE

  • Everything Claude Code. A complete collection of battle-tested Claude Code configs from an Anthropic hackathon winner, including agents, skills, hooks, commands, rules, and MCP configurations evolved over 10+ months of intensive daily use. MORE

🚀 Ship

  • Guide for Physical Penetration Tests. A practical guide from an experienced pentester covering office reconnaissance, gatekeeper identification, tailgating techniques, social engineering pretexts, and the critical "gold tip" of holding a coffee while faking a phone call. MORE

  • Inside $180B Co-Founder's AI Agent System. A breakdown of how these AI agents work together to handle tasks from data analysis to decision-making at enterprise scale. MORE

  • Cowards don't fail. A provocative take on how avoiding risk and playing it safe actually prevents you from learning and growing. This mindset shift challenges the common fear of failure by arguing that those who never try never truly fail - but they also never succeed. MORE

  • Note-Driven Agentic Coding Workflow. Takuya Matsuyama shares how he uses Inkdrop as a backend store for Claude Code plans via MCP, getting beautiful markdown rendering, multi-device review, and real-time progress tracking instead of reading plans in the terminal. MORE

  • Beautiful Mermaid is a powerful tool that transforms simple text into stunning visual diagrams including flowcharts, sequence diagrams, class diagrams, and ER diagrams. It supports both SVG and ASCII output formats, making it perfect for documentation, presentations, and technical communication across different platforms. MORE

💰 Advance

  • Performance Reviews Are the Scorecard of Capitalism. Cate Huston argues reviews measure your value to a specific org at a specific moment, not your worth as a person. Focus energy on growth you can control rather than position you can't, especially as companies promote fewer people in this market. MORE

  • A Coxswain on Your Shoulder. Tomasz Tunguz built an AI system that reviews his meetings nightly across five dimensions, coaching him on interruption patterns, question depth, and empathy scores. His wife's advice finally stuck when a machine echoed it every morning. MORE

  • A recruiter shares insider strategies for navigating corporate politics and advancing your career in tech companies. The thread reveals practical tactics for building influence, managing relationships, and positioning yourself for promotions in the competitive corporate landscape. MORE

  • 22 One-minute Habits That Will Save You 25+ Hours a Week. MORE

  • Agentic Personal Knowledge Management with OpenClaw, PARA, and QMD. Nat Eliason explores how to build an AI-powered personal knowledge management system using OpenClaw, the PARA method, and QMD files. This thread breaks down creating an automated workflow that organizes and retrieves your notes intelligently. MORE

💭 Quote

❝

"The great mistake is to anticipate the outcome of the engagement; you ought not to be thinking of whether it ends in victory or in defeat."

Bruce Lee
