Aggregator

kali mcp服务部署，利用claude调用mcp服务，实现自动化渗透

九垠赢系统代码审计

本文详细剖析了一个由配置失误（JWT 密钥硬编码）与后端沙箱设计缺陷导致RCE

ida-pro decompile InitializeListHead

PyTorch torch.export.load 隐藏的反序列化 RCE 漏洞

BLE 蓝牙协议：对智能设备的BLE抓包实战 (HCI + 空口)

skill介绍、skill使用、开发属于自己的skill。

本文是一篇探讨如何将AI（尤其是大语言模型）与Web3智能合约安全审计深度结合的技术实践与方法论文章。基于实际工作经验，提出在AI时代，真正高效的自动化代码审计不应依赖简单的指令或具体的漏洞案例，而应回归“提示词编写（Prompt Engineering）”的基本功。

A critical Telegram flaw could allow zero-click remote code execution on devices, but Telegram denies it. Researcher Michael DePlante (@izobashi) of TrendAI Zero Day disclosed a new Telegram vulnerability through Zero Day Initiative (ZDI). The vulnerability, tracked as ZDI-CAN-30207 (CVSS score of 9.8) allows attackers to execute code on targeted devices without any user interaction. […]

Java 安全 · AI & Security 两大技术图谱正式上线！

AI SOC agents can reduce alert fatigue, but most teams fail to measure real outcomes. Prophet Security breaks down Gartner's questions for evaluating AI SOC agents and separating real impact from hype. [...]

漏洞描述2026.2.14 之前的 OpenClaw 版本在网关中存在一个漏洞，无法净化 node.invoke 参数中的内部批准字段，使得经过认证的客户端绕过执行审核对 system.run 命令的批准门禁。拥有有效网关凭证的攻击者可以注入批准控制字段，在连接的节点主机上执行任意命令，可能攻破开发者工作站和配置执行器漏洞影响评分：9.9影响：<2026.2.14漏洞复现在项目根目录下安装依

CVE-2026-31975：Cloud CLI WebSocket Shell OS命令注入漏洞分析

随着 Claude Code 的普及，大量用户选择通过第三方中转站（API Proxy）来使用 Claude 模型。然而，中转站作为用户与官方 API 之间的中间层，天然具备篡改请求和响应的能力。本文将从上下文空间异常、模型造假、提示词投毒三个维度，揭示中转站可能存在的安全风险，并给出对应的检测方法。

Some weeks are loud. This one was quieter but not in a good way. Long-running operations are finally hitting courtrooms, old attack methods are showing up in new places, and research that stopped being theoretical right around the time defenders stopped paying attention. There's a bit of everything this week. Persistence plays, legal wins, influence ops, and at least one thing that looks boring

AI辅助还原Coruna漏洞利用链混淆代码