News

When “Just Logging In” Isn’t Just Logging In: A Look at xrdp and CVE-2026-33145

A quiet finding with real-world impact. CVE-2026-33145 shows how xrdp's AlternateShell feature, enabled by default, passes client-supplied input directly into a shell, turning an RDP login into a clean, automatable command execution primitive.

Mythos found a $20,000 bug. It won’t tell you who’s already inside. 

Anthropic's Mythos has dominated the security conversation this week. But the debate about whether it's overhyped is the wrong argument.…

CovertSwarm launches RAID: Our red team AI division

CovertSwarm COO Luke Potter announces RAID, our Red Team AI Division, and why real adversaries made it non-negotiable.

What kills new CISOs in their first 90 days – it’s not attackers. 

The pen test report. The risk register. The green dashboard. They feel like facts. They're not. They're a record of…

CVE-2026-33727 – When “Low Privilege” Isn’t Low Enough: A Pi-hole LPE Story

Pi-hole's pihole user is low-privileged. It's configured with nologin. It looks contained. It isn't. Here's how a writable file and…

Proof of Human solves the bot problem. It doesn’t solve the people problem.

World ID can prove a real human is behind an account. It can't prove that human hasn't already been phished,…

Too many rules, no real test: Untangling US Cyber Disclosure 

The US has no single federal data breach notification law, just a growing patchwork of SEC rules, HIPAA, state obligations,…

Swarm Intelligence: LiteLLM was the end of the chain, not the beginning.

LiteLLM's PyPI package was backdoored for under an hour on March 24. SSH keys, cloud credentials, and CI/CD secrets exfiltrated…

Dynamic Attack Surfaces: The Professional Sports Problem

Professional sports organizations face cybersecurity challenges that don't fit traditional frameworks. With seasonal spikes, constant third-party integrations, and workforce volatility,…