alp1n3 🌲

💡 Discovery of the week for me:
While reviewing code on a .Net project (CSharp language), I noticed that SemGrep, with its set of community rules, was not effective on this technology.

So I looked for a complement and found Microsoft's DevSkim tool...

Here are our July bug bounty stats!
✅174 bounty reports submitted
👥140 hackers participated in our program
💰 Awarded $103,202 in bounties

Found a vulnerability? Submit it here: bounty.github.com.

When are you going to drop links to GitHub repos that also contain 100+ links to random Medium articles???

Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives Perplexity is repeatedly modifying their user agent and changing IPs and ASNs to hide their crawling activity, in direct conflict with explicit no-crawl preferences expressed by websites.

It's very cool and good that the ghouls making these things have no regard for even the most minimal of norms to identify themselves.

Now this right here? This is piracy.

blog.cloudflare.com/...

“Why use Bash, Python, or Go when you can use JS from the console!”

😂😂😂

Can’t wait until someone other than Meta makes a good pair of these. Deleted my FB account a while back and when I went back to sign up again I just got insta-banned :(

Freebies - Mastering Burp Suite Pro Freebies - Mastering Burp Suite Pro

I just added the 15-minute talk I gave at Tumpicon to the "Freebies" section.

This talk covers the extensions Piper and Scalpel, and allows users to easily manipulate encrypted data by shuffling blocks around

hackademy.agarri.fr/freebies

Just had my #bugbounty report disclosed on
#HackerOne 💪

TL;DR
RCE via path traversal in the Mozilla VPN Client through the local websocket server (developer mode).

hackerone.com/reports/2995...

Thanks for adding support for Zed! Absolutely love it as an IDE.

Sick! 🙌

What are you using to record your terminal? Super crisp, and the auto-zoom is pretty handy to show the specific commands.

How to grab subs for a target using subfinder, validate them and extract the text body from each response using httpx and jq, extract a wordlist of keywords using NLP then resolve them using puredns to find valid subdomains 👇

Made the switch from an Apple Watch to Suunto, and I’m loving it!

Still does everything I used:
- Tracking Training
- Notifications
- Alarms / Timers

I’ve had it on my wrist for 5 days, and it’s only at 47% battery. Absolutely amazing battery life, and for the price it’s a steal!

I suspect the major negative fallout of vibe coding isn’t going to be taking jobs from software developers but instead an epidemic of insecure apps that get hacked with ease

Part of the job as a cybersecurity professional is in fact arguing to purge and not log information about your customers.

Data is not oil. It's risk.

The web reader to clear up distractions in Safari is one of the best things I’ve ever used in a browser.

It’s up there with uBlock Origin.

Who's SHA is it Anyway: Bypassing Google Cloud Build Comment Control for $30,000 Overview I reported a subtle race condition in Google Cloud Build’s GitHub integration that could have allowed someone to bypass maintainer review when running pull request integrations tests. Google ...

$30,000 for a race condition on Google Cloud Build 💰 by @adnanthekhan.bsky.social

adnanthekhan.com/posts/cloud-...

If you can afford it, could always try hacking on a VDP that leans towards disclosure in between other projects.

++ for grabbing a pentesting role, you might end up liking it a lot and staying 😉

🔥 Want to think like a hacker and truly understand JavaScript?

💻 JavaScript for Hackers is your guide to breaking, bending, and mastering the language like never before.

Intigriti July XSS Challenge (0725) | Jorian Woltjer My author's writeup of the July 2025 challenge. Perform Mutation XSS to DOM Clobber an change the insertion point into an iframe, then bypass the CSP using a new useful Socket.IO gadget

I made a hard @intigriti.com XSS challenge this July 😅
But, it involves some very interesting Mutation XSS & DOM Clobbering fun combined with a CSP Bypass using the powerful SocketIO gadget.
Everything's explained in my writeup below!
jorianwoltjer.com/blog/p/ctf/i...

This is pretty cool. Things start getting really confusing when you look into the chunk extensions so... this is a huge help!

Yeah I use the Novablast 2s a lot and like them (good lock in & durability)! The way they pronate isn’t an exact match to me, but that’s because I wear barefoot shoes when I’m not running.

If you have a Fleet Feet or something similar nearby, they’re great for trying on all the brands.

Congratulations! 🍾🎉

Looking forward to the future SemGrep and security content 😁🙌

Have you tried Brooks or ASICS?

Not sure on the cost there, but I usually am able to find the generation or two behind the current release on sale for about $60-$80 USD.

haha CVE-2025-53770 whats the big deal amirite

Join the Twitch stream, and follow along with the book by @zachdaniel.dev & @sevensea.cat :
pragprog.com/titles/ldash...

Is the entry-level price still essentially around $500-$600 for a camera or two + the hub?

Checked into it a while ago because I needed just a single camera + a way to locally control it, but didn’t think it was worth the cost in that instance.

100%. Same goes for going to the ER as well.

If you have to ask yourself “Do I need to go to the ER?” or have any doubt of your status over the next day or two, you probably do.

And ER =! urgent care.

As someone who has been debugging Playwright tests primarily via page.pause() and PWDEBUG for the past five years, I am blown away by Trace Viewer and live debugging through their vscode extension.

It's just so. Much. Better.

Use those two, thank me later.

If I was a bad guy who was looking for memory vulns, I'd be ALL OVER these new hotness web browsers. (Comet, Arc, etc.)

Market share is small but much more valuable targets. - Teams behind them way smaller than ...Google

I’d bet it’s good for any vulns (in general). There’s new reports for Chrome everyday, and the add-ons these companies integrate can probably lead to some cool finds!

Saw this post right after I saw one about leaking the IPs of users using the Brave’s integrated TOR browser.