In this week's Seclog, the accelerating integration of AI into cybersecurity stands out, both as a powerful tool for defenders and a potential risk. Several reports highlight AI agents rapidly discovering vulnerabilities in complex systems like Chrome and assisting in sophisticated exploit development. However, a critical caveat emerges: while AI excels at finding potential flaws, human expertise remains indispensable for assessing true impact and exploitability. Simultaneously, traditional attack vectors persist and evolve; we see sophisticated social engineering targeting high-value individuals, supply chain compromises impacting widely used tools like Trivy, and the continued exploitation of foundational vulnerabilities in critical infrastructure like QEMU hypervisors and ITSM solutions. Discussions also touch upon the evolving landscape of security research itself, from the future of CTFs to addressing vendor dependency bloat in reverse engineering. A stark reminder of privacy implications comes from Niantic's disclosure of building a massive AI dataset through Pokémon Go, while novel XSS chains and Google Groups "Ticket Trick" attacks showcase persistent web and identity vulnerabilities. These developments collectively underscore a dynamic security environment where advanced automation meets enduring human and systemic weaknesses.

📚 SecMisc #

Introducing Sashiko Security Platform - sashiko.dev

Sashiko appears to be a new security platform or tool, based on its dedicated domain. Further details would be needed to assess its specific technical capabilities or impact on the security landscape.

📰 SecLinks #

OpenAI's Codex Security Redefines SAST - openai.com

OpenAI's Codex Security departs from traditional SAST by analyzing the repository's architecture, trust boundaries, and intended behavior directly. This approach aims to improve the signal-to-noise ratio of security findings by validating issues before human intervention, addressing a common pain point of SAST tools.

Twenty Years of Cloud Security Evolution - wiz.io

This article provides a retrospective on the evolution of cloud security research over the past two decades. It outlines key milestones and shifts that have defined different eras of cloud security, offering context for current and future challenges.

LLMs Excel at Finding, Not Proving Vulns - projectdiscovery.io

Large Language Models (LLMs) like Anthropic's Opus 4.6 and OpenAI's Codex Security are demonstrating significant capabilities in discovering numerous vulnerabilities and zero-days. While LLMs are powerful for vulnerability discovery, the critical challenge remains in proving exploitability and assessing the true impact of these findings.

AI Aids PHP Object Injection Exploit - blog.sicuranext.com

An unauthenticated PHP Object Injection vulnerability (pre-3.14.5) was discovered and exploited in the WordPress plugin "Profile Builder Pro." The researchers utilized AI to assist in identifying a novel POP chain, demonstrating AI's growing utility in complex exploit development.

ITSM Systems Targeted by Organized Threat Actors - labs.watchtowr.com

ITSM solutions like BMC FootPrints, SolarWinds, and Ivanti are increasingly targeted by sophisticated threat actors, including ransomware gangs, for pre-authentication Remote Code Execution. These systems are critical targets because they not only run privileged code but also store vast amounts of sensitive organizational information, making them high-value assets for compromise.

Future of CTF Competitions Questioned - k3ng.xyz

This post critically examines the current state of Capture-the-Flag (CTF) competitions in cybersecurity. It raises concerns about the long-term relevance and effectiveness of CTFs as a primary learning and skill-development platform in their present form.

Hyoketsu Solves Vendor Dependency RE - slcyber.io

The "Hyoketsu" research addresses the challenge of vendor dependency bloat in reverse engineering large enterprise applications, especially Java/C# monoliths. This work aims to streamline security analysis by focusing on proprietary code rather than irrelevant vendor components, improving efficiency in identifying the actual attack surface.

AI Finds Bugs, Lacks Impact Assessment - xclow3n.github.io

Experiments with four AI-assisted vulnerability research approaches quickly identified numerous bugs, with 14 confirmed vulnerabilities found in 20 minutes for one target. While AI excels at broad coverage, hypothesis generation, and code analysis, it currently struggles significantly with impact assessment, exploitability validation, and distinguishing actionable findings from noise, emphasizing its role as a force multiplier rather than a replacement for human researchers.

Google Groups Enable Ticket Trick Attacks - spaceraccoon.dev

Public Google Groups linked to official company domains can be exploited via the "Ticket Trick" attack, as demonstrated against OpenSSL.org. This technique allows attackers to intercept OTPs or verification emails, potentially leading to unauthorized account creation or access to internal portals and SaaS tenants.

QEMU Hypervisor Escape via Heap Overflow - osec.io

Researchers demonstrated a QEMU guest-to-host hypervisor escape by exploiting an uncontrolled heap overflow in virtio-snd. This exploit was made reliable by leveraging specific glibc allocator behaviors and QEMU-specific heap spray techniques, turning a seemingly unexploitable crash into a critical vulnerability.

Java Deserialization Gadgets Evolve - atredis.com

This article revisits the long-standing issue of Java deserialization vulnerabilities and the evolving landscape of gadget chains. It highlights how despite ecosystem efforts to mitigate these issues, new approaches to finding deserialization gadgets continue to emerge, affecting enterprise applications.

Tenzai's AI Hacker Excels in CTFs - blog.tenzai.com

Tenzai's autonomous AI hacking agent demonstrated exceptional performance in Capture-the-Flag (CTF) competitions, ranking within the top 1% of participants. This achievement, outperforming over 125,000 human competitors, showcases the significant advancements in AI's capability to autonomously identify and exploit vulnerabilities in complex scenarios.

Trivy Supply Chain Attack Steals Credentials - ramimac.me

Details emerged regarding the March 2026 Trivy supply chain attack, where TeamPCP compromised trivy-action and setup-trivy GitHub Actions. This attack vector allowed the threat actor to steal CI/CD credentials, highlighting the critical risks associated with compromised third-party integrations in development pipelines.

CTF-Style XSS Chain in Wild - blog.antoniusblock.net

A complex XSS chain was discovered in a real-world bug bounty target, involving DOM Clobbering, various gadgets, and a CSP bypass. This highlights that advanced, multi-stage XSS techniques, often seen in CTFs, are actively exploitable in production environments, requiring deep understanding of browser security mechanisms.

🐦 SecX #

Pokémon Go Built Massive AI Dataset - x.com

Niantic utilized Pokémon Go users' AR scans and photos to unknowingly create a 30+ billion image real-world visual dataset. This highlights a significant privacy implication of consumer applications, where user data is leveraged for large-scale AI training without explicit, clear consent for such a purpose.

Social Engineering Targets High-Value Personnel - x.com

Attackers are increasingly focusing on social engineering tactics, targeting individuals in politics, military, intelligence, and journalism. This emphasizes that human elements remain a primary attack vector, often more effective than direct system exploitation, for gaining access to sensitive information.

eSIMPal Startup Hacked; Free eSIMs Issued - x.com

A startup offering travel eSIM services, eSIMPal, reported a website hack resulting in the unauthorized issuance of multiple 50GB eSIMs. This incident underscores the immediate financial and operational impact of even seemingly minor web application vulnerabilities on nascent businesses.

AI Fuzzing Agent Finds Chrome Vulns - x.com

An AI fuzzing agent, utilizing Claude Max for $200, discovered 21 high/critical vulnerabilities in Chrome within a week. This demonstrates the emerging effectiveness and cost-efficiency of AI in automated vulnerability discovery, even for complex software like web browsers.

Chromium Release Includes 26 CVEs - x.com

A recent Chromium release addressed 26 CVEs, including multiple V8 bugs and vulnerabilities across WebRTC components. This highlights the continuous stream of critical vulnerabilities in widely used software and the active role of various contributors in their discovery and remediation.

Reflected XSS with Cloudflare WAF Bypass - x.com

A researcher detailed a sophisticated reflected XSS vulnerability achieved via a three-part CVE chain, including a Cloudflare WAF bypass. This demonstrates the complexity of modern web application attacks and the need for layered security, as WAFs alone may not prevent advanced exploits.

💻 SecGit #

SBOM Tool Compares CycloneDX/SPDX Files - github.com

This tool provides semantic diffing and TUI analysis for Software Bill of Materials (SBOMs). It allows security professionals to track component changes, dependency shifts, and identify license conflicts and vulnerabilities across different SBOM versions (CycloneDX/SPDX).

← Back to Seclog