Vulnerability analysis, proof of concepts, and code reviews
Five CVEs disclosed in Tryton ERP through responsible disclosure -- stored XSS that escalates to unauthenticated via email, access control bypasses on data exports, and stack traces handed to any logged-in user. All patched, all basic, all in production for years.
Anthropic caught three Chinese AI labs running coordinated model distillation attacks at scale—24,000 fraudulent accounts, 16 million stolen exchanges, and capabilities extraction targeting AI safety research and censorship circumvention. The AI cold war just went hot.
CVE-2025-23266 (NVIDIAScape) lets you escape Docker containers and get root on the host with a 3-line Dockerfile. Affects NVIDIA Container Toolkit used by 37% of cloud environments. Plus runc CVEs that break Kubernetes isolation.
Trust Wallet's browser extension got backdoored via supply chain attack on Christmas Eve. Attackers pushed malicious code to production that drained $7M in user funds. Binance-owned wallet, developer negligence, APT-level execution.
A victim loses $50 million USDT to an address poisoning attack because wallet developers can't be bothered to implement basic checksum validation. I demonstrate how trivial it is to generate matching addresses.
React Server Components gets absolutely demolished by CVE-2025-55182. I demonstrate root RCE because apparently Meta's security team forgot about input validation.