Libsodium: Ed25519 point-validation bug

A low-level validation function missed a coordinate check, accepting some non-main-subgroup Edwards25519 points. High-level signing APIs remain unaffected; a one-line fix was applied and released.

Honey’s Tester Detection Exposed

Technical analysis shows Honey’s extension deliberately honors stand‑down for suspected testers and dishonors it for typical users, using deterministic rules drawn from server config, telemetry, and client code.

Doublespeak: In‑Context Hijack

Replacing a harmful keyword with a benign token in in-context examples causes model internals to adopt the harmful meaning, producing disallowed outputs while evading input-layer safety checks.

Rex — Rust kernel extensions without the eBPF verifier

Rex loads and executes safe-Rust kernel extension programs in place of eBPF, relying on the Rust compiler for safety and enabling implementations that the in-kernel verifier would reject.

MongoBleed — CVE-2025-14847

A bug in MongoDB's zlib message-compression lets unauthenticated attackers read arbitrary heap memory in versions since 2017 by abusing an oversized uncompressedSize and BSON parsing.

LangGrinch: LangChain Core CVE-2025-68664

A serialization bug in langchain-core allowed unescaped 'lc' markers to revive unsafe objects, enabling secret extraction and instantiation risks across common flows. Patches are released — update immediately.

CSRF Protection — No Tokens?

Modern browsers send Sec-Fetch-Site metadata that lets servers reject cross-site requests as CSRF protection. Microdot implements this with an Origin fallback and a configurable subdomain policy.

Snitch — Visual Network Inspector

A compact CLI/TUI that surfaces host network connections with a live TUI, styled tables, and scriptable JSON output. Install via package managers, Docker, or a single install script.

Detect Bad Redactions

x-ray scans PDFs to find visual redaction boxes that leave underlying text accessible, reporting exact page, bounding box, and recovered text via CLI or Python.

Flock Cameras Exposed

At least 60 Flock Condor PTZ people‑tracking cameras streamed without authentication, allowing anyone to view, download 30 days of footage, and access admin controls.

Passkeys: Practical Lessons

Hands‑on learnings from building passkeybot: how authenticators, attestation, JS integrity and emerging APIs shape security, privacy and UX for passkey deployments.

Working Library. Hidden Trojan.

The lotusbail npm package — a fork of the Baileys WhatsApp library with 56,000+ downloads — contained malware that captures auth tokens, full message history, contacts and media, and installs a persistent backdoor using a hardcoded pairing code.