A single visit to one website can quietly turn your browser into part of a botnet, and the working code to do it is now still sitting out in the open.
It affects Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and almost every browser built on Chromium. Someone flagged it to Google back in 2022. Google sat on it for almost four years, and then leaked the exploit code itself, by accident, on its own bug tracker.
Your phone, your TV, your router, anything in your home with an internet connection can be put to work crawling the web for the AI industry, and nothing on the device says it is happening. Some of that traffic is harmless scraping. Some of it is not, and it leaves under your IP address either way, so it traces back to you. It’s called a residential proxy.
I came across it through the smart TV story this morning. Researchers had taken apart the software inside some free smart TV apps and found it quietly turns the television into a relay, using the home connection to pull web pages for a data company that resells that access to the AI industry. One question stuck with me. What if it does not stop at one device. So I went digging, and it does not stop there, not by a long way.
Give a running program more data than it was built to hold, and on a lot of systems that extra data does not just get thrown away. It spills into the memory right next to it. And with a little care, that spilled data ends up running as code, with full control over the machine.
A new exploit called HTTP/2 Bomb lets one ordinary home computer take down nginx, Apache, Microsoft IIS, Envoy and Cloudflare Pingora, the web servers behind a huge share of the internet, in a matter of seconds.
It forces those servers to tie up tens of gigabytes of memory until they stop responding, it abuses the configuration they ship with by default, and when the research went public three of the five still had no patch.
Hackers took over some of the most valuable accounts on Instagram over the weekend by asking Meta’s own AI support bot to hand them the keys, and it agreed without checking whether the person asking actually owned the account. They never cracked a password, sent a phishing link, or got near the victim’s inbox. They opened a support chat, typed a few polite sentences, and walked off with accounts worth hundreds of thousands of dollars.
Six working Windows attacks are sitting in the open right now, three of them already seen in a real intrusion, and the researcher who published them did it after he says Microsoft refused him, deleted the account he reported bugs through, and paid him nothing. Microsoft removed his account, called his actions criminal, and pointed at its crime unit. Both stories are out there, and the security world cannot agree on who is more to blame.
FROST lets a website time your SSD and see which sites and apps you have open, even ones running in a different browser. It needs no malware and nothing to install. Opening the page is all it takes. While you sit there reading whatever the attacker put on screen, the page is quietly measuring how busy your drive is, and from that alone it works out what else you are running.
I created Dorks Eye because I had a question. What if I could do all my dork searching straight from the terminal, fast, and without a browser or ads getting in the way?
That is how it started. The first version searched through Google only. You typed in a dork, the right results came back, and it did exactly what I wanted. Then Google tightened its policy on automated searches, and the tool stopped working. The one thing it was built for, speed and simplicity, was gone. Everything was gone.
Put a server on the internet with port 22 open and the first login attempt arrives within minutes, not days. Automated scanners sweep through IPv4 addresses around the clock, and anything with an open port gets added to a target list almost immediately. A honeypot is built to be found exactly like this, because getting found is the point. This post covers what honeypots actually are, what attackers do in the first thirty seconds after getting in, how to set one up and test it, how to recognize one during a pentest, and the advanced setups for when things get serious.
BadHost is one character in an HTTP header that bypasses authentication on FastAPI, vLLM, LiteLLM, and the Python MCP SDK. They all run on Starlette. Starlette has more than 400,000 dependent projects on GitHub. The bug is in Starlette.
It is tracked as CVE-2026-48710, disclosed on May 22. Starlette is the framework that sits underneath FastAPI and handles the basic plumbing of web requests: routing, middleware, everything that happens before your code runs. Through FastAPI it reaches vLLM, LiteLLM, Text Generation Inference, most OpenAI-compatible proxy servers, MCP servers, agent frameworks, and model management dashboards.
