Mav Levin
@MavLevin
Ethical hacker teaching AI to do my job; here to share how security breaks. My path: military Unit 8200 → Stanford → Trail of Bits → Anthropic → @depthfirstlabs
San Francisco, CA
Joined March 2018
I asked AI to secure OSS analytics software and it found an RCE. The story of CVE-2025-59304: I tested our Security AI agents on Swetrix, a modern, lightweight, open-source, cookie-free, quick setup, and generally pretty cool web-analytics project. The platform (and their cloud
found & fixed a bug in esbuild which is downloaded 70 Million times a week on npm! using escapeForHTML() caused quotes to be unescaped, which could be exploited for XSS (poc in PR). The fix is using the escapeForAttribute() function instead. credit to @depthfirstlabs this is
os: we have KASLR
also os: static addresses in kernel space
this reminds me when win7 launched kaslr with a rwx page at 0xffdf0000
We really should be talking about this more....KASLR is just not working properly on Android right now, and it hasn't for a long time. https://t.co/AE0vBXEcob
Captured last night - probably the coolest comet shot I've ever gotten. I've never seen such a dynamic tail on a comet. Incredibly active, and moving quickly, which makes photographing it a challenge. See how it moves in the reply.
🚨my AI coworker found a zero-day in Netty yes, that Netty used by Meta, Apple, Google and half the internet. the bug lets attackers send fake emails that look perfectly legit. the exploit fully bypasses email defenses. here’s the story 🧵[1/6]
Honestly I'm so proud of @depthfirstlabs finding zero-days in critical open source like Netty. This is not a random GitHub project, it's a core library used by companies like Apple, Netflix, Twitter, etc.
If you use Netty, patch. If you care about security, read my linked blog post. If you enjoy chaos, imagine AI finding the next zero-day in your codebase https://t.co/FzMrJ58zwM [6/6]
depthfirst.com
Our security agent found a business logic flaw in how Netty handled one of the internet's oldest and most trusted protocols. To understand the vulnerability, we need to take a quick journey back to...
yes, AI found a zero-day in a critical internet library; and it fixed it too. It literally wrote the patch that was merged. The future of cyber security is already here. [5/6]
Email security defenses:
SPF: ✓ passed
DKIM: ✓ passed
DMARC: ✓ passed
Reality: hacked
Your email defenses just broke from `\r\n` [4/6]
By injecting extra email commands via Netty. Tl;dr: Email is sent over SMTP, where `\r\n` separates email commands. The bug in Netty lets an attacker stuff in extra `\r\n` to add commands and hijack the email!
pwndbg makes hacking look the way I imagined it as a kid 💚
Btw we released Pwndbg 2025.10.10 recently with improved kernel debugging, mach-O+Objective-C (LLDB) support, new commands for dumping mallocng (musl) allocator state and much more! See the changelog here! https://t.co/uPIOS3Bjuy
To filter out LLM slop reports ezpz