All Security Articles & Guides
Breaking CVE analysis, security tool deep-dives, and practical penetration testing guides. Updated as security news breaks.
SecurityClaw Hunted Vinted on Intigriti — and Found 10 Gaps in Itself
A 45-minute live bug bounty hunt against Vinted on Intigriti revealed four findings — and exposed ten capability gaps in SecurityClaw's own platform. Here's what VIN-001 (an internal Kubernetes hostname leak found with curl -I) teaches about passive-first hunting, and why Cloudflare changes the rules for every tool in the stack.
SecurityClaw Phase C: The Scanner That Learned to Remember — Adversarial Hypothesis Engine, Mid-Campaign Replanning, and an Intelligence Store That Compounds
SecurityClaw Phase C ships three capabilities that change how automated security campaigns think: an Adversarial Hypothesis Engine that generates named, confidence-scored attack bets before running a single tool; a mid-campaign Replanner that rewrites the tool queue when the evidence changes; and an Intelligence Store that compounds across every campaign run. Here's the full technical demo.
15 CVEs in One Release Batch: What OpenClaw's Security Fixes Reveal About AI Agent Platform Attack Surfaces
OpenClaw 3.11/3.12 patched 15+ CVEs in a single batch. Three stand out: a WebSocket hijacking attack that silently grants operator-level admin access, invisible Unicode characters that make malicious commands look safe, and a sandboxed sub-agent that could escape to read and modify its parent. Here's what they mean for AI platform security.
The Scanner That Became the Threat: Trivy Compromised in Supply Chain Attack, CanisterWorm Follows
Trivy, the security scanner used by millions to detect vulnerabilities, was itself compromised in a supply-chain attack. TeamPCP backdoored v0.69.4 and hijacked 75 GitHub Actions tags, then followed up with CanisterWorm — a self-propagating npm worm with blockchain C2. Plus: VoidStealer becomes the first infostealer to extract Chrome's master key using hardware debugger breakpoints.
No Malware, No Problem: How Hackers Wiped 80,000 Stryker Devices Using Microsoft's Own Admin Tools
Iran-linked Handala wiped ~80,000 Stryker devices in 3 hours with zero malware — just a compromised Global Admin account and Microsoft Intune's built-in wipe command. Plus: a new font-rendering trick that fools every major AI assistant.
Security Roundup March 9–16, 2026: Chrome Zero-Days, Veeam Mass RCE & Supply Chain AWS Breach
Security Roundup March 9-16, 2026: Two actively exploited Chrome zero-days, seven critical Veeam Backup flaws, a supply chain nx npm attack that breached AWS in 72 hours, SocksEscort botnet takedown, ClickFix expanding to macOS, and Wing FTP Server joins CISA KEV. Essential reading for bug hunters.
n8n CVE-2025-68613 Is Now on CISA's KEV List. 40,000+ Unpatched Instances Store Your API Keys.
n8n RCE CVE-2025-68613 was added to the CISA Known Exploited Vulnerabilities catalog on March 11. FCEB agencies have until March 25 to patch. 40,000+ public instances remain unpatched — each one potentially storing API keys, OAuth tokens, and CI/CD credentials. Plus: PhantomRaven Wave 4 brings 88 malicious npm packages using slopsquatting and Remote Dynamic Dependencies to steal GitHub tokens.
Security Roundup March 2–9, 2026: Top Vulnerabilities & Tools for Bug Hunters
Security Roundup March 2-9, 2026: Cisco SD-WAN CVSS 10.0 zero-day actively exploited, VMware Aria Operations CISA KEV, APT28 MSHTML 0-day, AI vibeware factories, and ClickFix ransomware evolution. Essential weekly reading for bug bounty hunters.
Fake Claude Code, Fake OpenClaw: The InstallFix Developer CLI Impersonation Campaign
Attackers are cloning developer CLI install pages to deliver info-stealers. Last week: fake OpenClaw (Vidar + GhostSocks). This week: fake Claude Code delivering Amatera Stealer via Google Ads. Here's how InstallFix works and how to protect yourself.
Bing AI Recommended a Fake OpenClaw Installer. It Delivered Vidar, GhostSocks, and Atomic Stealer.
Huntress researchers caught Bing AI promoting malicious GitHub repos impersonating OpenClaw. Windows users got Vidar infostealer plus GhostSocks proxy malware. macOS users got Atomic Stealer.
FBI Confirms Breach of Wiretap Management Systems — Salt Typhoon's Reach May Extend to Federal Networks
The FBI confirmed suspicious activity on networks managing FISA warrant and wiretap infrastructure. Attribution unclear but consistent with Salt Typhoon, which breached AT&T and Verizon in 2024.
PHP RAT in Your Composer Dependencies: The Fake Laravel Packagist Packages Hiding a Cross-Platform Backdoor
Three malicious Packagist packages targeting Laravel developers install a persistent PHP RAT at app boot, exfiltrating .env secrets and database credentials to a C2 on port 2096. Windows, macOS, Linux.
Mail2Shell: CVE-2026-28289 FreeScout Zero-Click RCE — One Email, Full Server Access
CVE-2026-28289 in FreeScout allows zero-click RCE by sending a crafted email that bypasses file validation via Unicode zero-width space, landing a .htaccess on Apache. 1,100+ instances exposed.
Tycoon 2FA Takedown: How AiTM Phishing Bypasses MFA at Scale — and What Actually Stops It
Europol and Microsoft seized 330 Tycoon 2FA phishing domains, arrested developer Saad Fridi, and disrupted the MFA-bypass PhaaS behind 64,000 attacks and 96,000 victims globally.
North Korea's StegaBin: 26 npm Packages Using Pastebin Steganography to Hide C2 Infrastructure
Famous Chollima published 26 malicious npm packages that extract C2 URLs hidden in Pastebin essays using text steganography. Multi-platform RAT with VS Code persistence and crypto theft.
ScarCruft's 'Ruby Jumper': North Korea's APT37 Is Using Zoho WorkDrive to Bridge Air-Gapped Networks
ScarCruft (APT37) used Zoho WorkDrive as C2 in the 'Ruby Jumper' campaign, combining USB malware to bridge air-gapped networks. LOTS technique meets physical relay.
Aeternum Botnet Uses Ethereum Smart Contracts on Polygon as C2 — And It's Impossible to Take Down
Aeternum botnet stores C2 instructions in Ethereum smart contracts on Polygon — no servers, no domains, no takedown. How blockchain-based C2 works and how to detect it.
Malicious Go Package 'xinfeisoft/crypto' Deployed APT31's Rekoobe Backdoor Via SSH Credential Theft
Typosquatted Go module posed as golang.org/x/crypto to steal SSH credentials and install APT31's Rekoobe backdoor. Attack mechanics and detection walkthrough.
Cisco SD-WAN CVE-2026-20127: CVSS 10.0 Auth Bypass Under Active Exploitation — Patch by Tomorrow
Cisco Catalyst SD-WAN CVSS 10.0 auth bypass actively exploited by nation-state UAT-8616. CISA Emergency Directive 26-03 mandates federal patching by Feb 27, 2026.
How China's UNC2814 Used Google Sheets as a Hacking Command Centre — And Got Caught
Chinese APT UNC2814 used Google Sheets cells as C2 in the GRIDTIDE campaign, hitting 53 organisations in 42 countries before Google's disruption on Feb 25, 2026.
Zyxel Routers CVE-2025-13942: Unauthenticated RCE Affects 120,000 Exposed Devices — Patch Now
CVE-2025-13942: command injection in 12+ Zyxel models exposes 120,000 devices to unauthenticated RCE via UPnP SOAP. Security updates released February 25, 2026.
CVE-2026-21531: Azure SDK for Python RCE — Deserialization Bug Exposes Cloud Applications
CVSS 9.8 deserialization bug in Azure AI Language Python SDK enables unauthenticated RCE. Any app using azure-ai-language-conversations 1.0.0-beta is exposed.
Model Distillation Attacks: How DeepSeek and Chinese AI Firms Extracted Claude at Industrial Scale
DeepSeek, Moonshot AI, and MiniMax extracted Claude via 16M fraudulent API calls — caught by Anthropic. How model distillation attacks work and how to defend AI APIs.
Claude Code Security vs. Active Penetration Testing: The AI Arms Race Has Reached Your Codebase
Anthropic's Claude Code Security launched February 21, 2026. What it catches, where it stops, and why active penetration testing still matters for your security team.
Burp Suite Costs $449/yr Per User. Here's What a 5-Person Team Actually Spends.
Burp Suite Pro is $449/user/yr. Enterprise starts at $3,999/yr. Here's the real total cost for security teams in 2026 — and what Burp doesn't cover.
The Complete Guide to Automated Penetration Testing in 2026
AI-powered and automated pentesting in 2026: how it works, what it covers, what to look for in a platform, and how to get started.
Why Your Security Scanner Isn't a Penetration Test
Vulnerability scanners find known CVEs. Penetration tests find what attackers exploit. The critical difference — and what you risk by relying on scans alone.
CVE-2026-22769: Dell RecoverPoint CVSS 10.0 Zero-Day Exploited by China-Nexus Hackers Since 2024
Dell RecoverPoint CVE-2026-22769: hardcoded credentials exploited by Silk Typhoon (UNC6201) since mid-2024. CISA KEV listing with 3-day patch mandate. Act now.
Critical VS Code Extension Vulnerabilities: 125 Million Installs At Risk (CVE-2025-65717, CVE-2025-65716, CVE-2025-65715)
CVE-2025-65717: four popular VS Code extensions expose 125M developers to RCE and file exfiltration. Three of four vulnerabilities remain unpatched — details inside.
CVE-2026-21513: Actively Exploited MSHTML Zero-Day Bypasses Windows Security — APT28 Attribution Confirmed
CVE-2026-21513 MSHTML zero-day: CVSS 8.8 security feature bypass exploited in the wild. Updated March 2 — Akamai confirms Russia's APT28 behind pre-patch exploitation.
Security Roundup Feb 10–16 2026: AI Infrastructure Under Fire, Cloud Misconfigs & $4.3M in Bug Bounties
Weekly roundup: vLLM RCE, six n8n CVEs, Azure Functions info disclosure, AI-assisted AWS breach, HackerOne's $4.3M payout week, and top tools for bug hunters.
Adobe After Effects CVE-2026-21329: Use-After-Free RCE Vulnerability Threatens Creative Workflows
Critical CVE-2026-21329: Adobe After Effects use-after-free enables RCE in version 25.6 and earlier. Technical breakdown and bug bounty testing guide.
Microsoft Patch Tuesday February 2026: 6 Zero-Days Exploited in the Wild
Microsoft February 2026 Patch Tuesday: 59 CVEs including 6 actively exploited zero-days in Windows Shell, MSHTML, and RDP. Priority patches for security teams.
CVE-2026-22778: Critical vLLM RCE Vulnerability Threatens AI Infrastructure
CVE-2026-22778: CVSS 9.8 unauthenticated RCE in vLLM GPU clusters discovered by Orca Security. Technical breakdown and mitigation for LLM inference infrastructure.
Critical n8n Vulnerability: Six CVEs Expose Workflow Automation to RCE
Six critical vulnerabilities disclosed in n8n workflow automation platform, including CVE-2026-25049 RCE with CVSS 9.4. Full analysis and mitigation guide.
Bug Bounty Starter Kit 2026 - Essential Tools, Books & Equipment
Complete bug bounty starter kit guide for 2026. Essential tools, books, and equipment for beginners with budget breakdowns ($100-$1000).
ChainLeak: AI Framework Vulnerabilities Enable Enterprise Cloud Takeovers
CVE-2026-22218 and CVE-2026-22219 in Chainlit AI framework enable cloud takeovers via file read and SSRF attacks. Testing AI applications for security flaws.
LinkedIn API Access Control Bypass - BOLA Testing Guide for Bug Hunters
LinkedIn API access control bypass discovered in bug bounty program. Learn BOLA/IDOR testing techniques for GraphQL APIs and premium feature enumeration.
Critical n8n Vulnerability: CVSS 10.0 RCE Threatens Cloud Workflow Platforms
CVSS 10.0 critical vulnerability in n8n enables unauthenticated RCE. Technical breakdown of CVE-2026-21858 and a complete mitigation guide for bug hunters.
Complete Security Lab Setup Guide 2026 - Professional Bug Bounty & Penetration Testing Equipment
Build a professional security testing lab in 2026: researched recommendations for pentesting laptops, Kali-compatible WiFi adapters, and hardware security tools.
Bug Hunter Tools - Best Security Testing Tools for Bug Bounty Hunters 2026
Comprehensive guide to the best security testing tools for bug bounty hunters in 2026. Expert reviews, comparisons, and recommendations.
BeyondTrust Pre-Auth RCE (CVE-2026-1731): WebSocket OS Command Injection Hits 8,500+ Vulnerable Instances
CVSS 9.9 pre-auth RCE in BeyondTrust Remote Support via unauthenticated WebSocket command injection. 8,500+ exposed instances globally. Patch immediately.
Firefox SpiderMonkey WebAssembly GC RCE: One Typo, Full Renderer Compromise
A & vs | typo in Firefox SpiderMonkey's Wasm GC engine causes type confusion leading to renderer RCE — affecting 200M+ users via any malicious webpage.
CVE-2026-2473: GCP Vertex AI Bucket Squatting Enables Cross-Tenant RCE and Model Theft (CVSS 9.8)
Google patches Vertex AI CVE-2026-2473: predictable bucket names exposed AI models to theft and cross-tenant code execution. Bug bounty writeup and detection guidance.
Critical n8n RCE Vulnerability (CVE-2026-21858): 100,000+ Servers at Risk
CVSS 10.0 n8n CVE-2026-21858 enables unauthenticated RCE in workflow automation. Affected versions, exploitation methods, and remediation steps explained.
RoguePilot: How a Hidden GitHub Copilot Bug Silently Steals Your Entire Repository
Passive prompt injection in GitHub Copilot leaks GITHUB_TOKEN from Codespaces with zero user interaction. Orca Security's RoguePilot disclosure and detection guidance.
About This Site
BugHunterTools publishes independent security research, CVE analysis, and practitioner guides for bug bounty hunters and penetration testers. Written for technical readers — no hype, real data, honest assessments.
Content is sourced from SecurityClaw (ClawWorks' AI-assisted security research platform) and independent analysis.
Also see: SecurityClaw Live Demos — real tool runs, actual output data.