A new exploit called HTTP/2 Bomb lets one ordinary home computer take down nginx, Apache, Microsoft IIS, Envoy and Cloudflare Pingora, the web servers behind a huge share of the internet, in a matter of seconds.
It forces those servers to tie up tens of gigabytes of memory until they stop responding, it abuses the configuration they ship with by default, and when the research went public three of the five still had no patch.
Hackers took over some of the most valuable accounts on Instagram over the weekend by asking Meta’s own AI support bot to hand them the keys, and it agreed without checking whether the person asking actually owned the account. They never cracked a password, sent a phishing link, or got near the victim’s inbox. They opened a support chat, typed a few polite sentences, and walked off with accounts worth hundreds of thousands of dollars.
Six working Windows attacks are sitting in the open right now, three of them already seen in a real intrusion, and the researcher who published them did it after he says Microsoft refused him, deleted the account he reported bugs through, and paid him nothing. Microsoft removed his account, called his actions criminal, and pointed at its crime unit. Both stories are out there, and the security world cannot agree on who is more to blame.
FROST lets a website time your SSD and see which sites and apps you have open, even ones running in a different browser. It needs no malware and nothing to install. Opening the page is all it takes. While you sit there reading whatever the attacker put on screen, the page is quietly measuring how busy your drive is, and from that alone it works out what else you are running.
I created Dorks Eye because I had a question. What if I could do all my dork searching straight from the terminal, fast, and without a browser or ads getting in the way?
That is how it started. The first version searched through Google only. You typed in a dork, the right results came back, and it did exactly what I wanted. Then Google tightened its policy on automated searches, and the tool stopped working. The one thing it was built for, speed and simplicity, was gone. Everything was gone.
Put a server on the internet with port 22 open and the first login attempt arrives within minutes, not days. Automated scanners sweep through IPv4 addresses around the clock, and anything with an open port gets added to a target list almost immediately. A honeypot is built to be found exactly like this, because getting found is the point. This post covers what honeypots actually are, what attackers do in the first thirty seconds after getting in, how to set one up and test it, how to recognize one during a pentest, and the advanced setups for when things get serious.
BadHost is one character in an HTTP header that bypasses authentication on FastAPI, vLLM, LiteLLM, and the Python MCP SDK. They all run on Starlette. Starlette has more than 400,000 dependent projects on GitHub. The bug is in Starlette.
It is tracked as CVE-2026-48710, disclosed on May 22. Starlette is the framework that sits underneath FastAPI and handles the basic plumbing of web requests: routing, middleware, everything that happens before your code runs. Through FastAPI it reaches vLLM, LiteLLM, Text Generation Inference, most OpenAI-compatible proxy servers, MCP servers, agent frameworks, and model management dashboards.
A SQL injection vulnerability in Ghost CMS has turned Harvard University, Oxford University, and DuckDuckGo into malware distribution platforms. Visitors arrive at a page they trust completely, a fake Cloudflare verification prompt appears, and their machine gets infected if they follow the instructions. More than 700 sites. Software that had never had an unauthenticated critical vulnerability in its entire history.
Ghost CMS is publishing software built on Node.js, used for newsletters, membership sites, and independent blogs. It is open source and free to self-host, with a paid hosted version called Ghost Pro. More than 100,000 active installations and more than 50,000 GitHub stars.
That was my question for a long time… And that’s how Shodan Eye was born.
Most people think the internet is what you browse through a browser. Websites, social media, search engines. That part is called the World Wide Web, and it is just a thin layer on top of something much larger. Underneath it, directly connected to the internet, are billions of devices that have never heard of a web page. Routers, cameras, industrial control systems, medical devices, traffic lights, refrigerators, power plants. Even devices you would never suspect. They are all online. Most of them are never meant to be found. Some of them have no password at all. Shodan Eye was built to find them.
The command server is a botnet’s one real weak point. Take it down and the bots go quiet. Operators figured this out early and built their infrastructure to survive exactly that.
This article covers how they do it. How botnets hide their command infrastructure inside Tor and I2P, how they scan for new victims without exposing themselves, and what to look for to detect it. Technical and step by step.
