Goldberg Security Research is an independent IT and security consultancy — penetration testing, vulnerability research, and responsible disclosure. Our published work speaks for itself.
Who we are.
Goldberg Security Research provides information technology consultancy and services with a security-first focus. We work across vulnerability research, penetration testing, reverse engineering, and low-level systems security — and we publish our findings. Everything here is conducted against our own infrastructure or under authorization, and disclosed responsibly.
IT consultancy & security services.
Penetration testing and security reviews of applications, networks, and infrastructure — with clear, prioritised, actionable reporting.
Deep-dive research, reverse engineering, and responsible disclosure. The advisories in our research section are a sample of our work.
Advisory on secure architecture, secure development, and technology decisions — tailored to your environment and risk profile.
Custom security tooling, automation, and broader IT services to support your team's day-to-day needs.
The people behind the work.

Leads Goldberg Security Research. Specialises in malware analysis and reverse engineering, with a track record of discovering CVEs across multiple npm packages.
Generalist security researcher working across web, application, and infrastructure security — wherever the interesting bugs are.
Broad-spectrum researcher spanning reverse engineering, vulnerability discovery, and the tooling that supports them.
All-rounder across offensive security, exploit research, and automation — comfortable from kernel to cloud.
Independent technical re-analysis of notable public vulnerabilities and threats — root cause, exploitation, and defence. (Analysis of public, third-party research; discovery credited to the original researchers.)
The first self-propagating npm worm: stolen maintainer tokens auto-republish infected packages while a postinstall payload harvests secrets to public GitHub repos. 500+ packages hit.
A prolific MaaS stealer using "ClickFix" lures and Telegram/Steam dead-drop resolvers for resilient C2 — and how it survived the May 2025 Microsoft/DOJ takedown.
The open-source Go C2 adopted by APT29 and ransomware crews as a Cobalt Strike alternative — unique per-build implants, multi-protocol C2, and where memory analysis beats it.
The industrialised RaaS brand — intermittent encryption for speed, DLL-reflection evasion, and the Operation Cronos takedown that seized its source code and decryption keys.
A 15-year banking-trojan-turned-loader and primary ransomware on-ramp — hijacked email threads, OneNote/PDF lures. Taken down in 2023 (700k+ devices), back within months.
One of the most prolific .NET stealers — browser creds, wallets, screenshots, and Lua-bytecode evasion. Infrastructure seized in Operation Magnus (2024); variants persist.
The commodity RAT behind countless forks — keylogging, screen/audio capture, multi-stage script delivery, and living-off-the-land persistence.
A USB-spread loader with elite anti-analysis — ETW blinding, hook detection, opaque predicates — that sells footholds leading to Dridex and ransomware.
A multi-year social-engineering campaign planted a hidden backdoor in a core compression library to compromise OpenSSH pre-auth — caught days before mass rollout by a 500ms slowdown.
One logged string — ${jndi:ldap://…} — turned a ubiquitous Java logging library into unauthenticated RCE across hundreds of millions of systems.
A reintroduced signal-handler race in sshd gives unauthenticated root RCE in the default config — hard to win, but ~14M instances were exposed at disclosure.
A double-free in the netfilter nf_tables verdict path lets an unprivileged local user corrupt kernel memory and escalate to root. Actively exploited in the wild.
An uninitialised pipe-buffer flag lets an unprivileged process write into the page cache of read-only files — overwrite a setuid binary or /etc/passwd and you have root.
A world-writable log directory plus a symlink-following log writer lets a local user redirect privileged writes into /etc/passwd and escalate to root. A clean logic bug.
A frame-count vs. parse-time mismatch in the USB-camera driver lets a malicious USB device write past a kernel heap buffer. Exploited in the wild (CISA KEV).
Catastrophic regex backtracking in one of npm's most-depended-on packages — a crafted string pins a CPU core and hangs the process. Deep in countless dependency trees.
A buffer overflow in ld.so's GLIBC_TUNABLES parsing gives local root via any setuid binary on default Fedora/Ubuntu/Debian installs.
An || where an && belonged sent the anti-CSRF token to every host when withCredentials was set — handing it to third parties.
A {} index instead of Object.create(null) lets a __proto__ cookie pollute the global prototype across the whole app.
Engagements, consultancy, or responsible disclosure.