Netcrook

Research, Exploits & Offensive Security


Trusted Names, Untrusted Code: The Registry Trick Behind a Plugin Supply-Chain Slip

Published: 22 June 2026 19:08 | Category: Research, Exploits & Offensive Security | Author: DEBUGSAGE

A scope-control failure in a plugin catalog shows how a familiar namespace can lend outsider code the look of an official integration.

When Storage Tools Turn Into Privilege Shortcuts

Published: 22 June 2026 18:34 | Category: Research, Exploits & Offensive Security | Geo: Asia / China | Author: DEBUGSAGE

Three high-severity Windows CVEs in AOMEI products put kernel drivers, local access, and SYSTEM-level risk in the same frame.

Ghost Frames Turns the Endpoint’s Own Memory of Itself Into the Weak Link

Published: 22 June 2026 14:45 | Category: Research, Exploits & Offensive Security | Geo: Europe / Finland | Author: DEBUGSAGE

A reported call-stack manipulation technique puts a rare kind of pressure on EDR: if the stack can be made to look normal, one of its best context signals can become less useful.

Attackers Found the Quiet Gaps Between Windows Stacks and EDR Eyes

Published: 22 June 2026 14:40 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: DEBUGSAGE

A new Windows-focused technique puts call-stack-based detection under pressure and shows why endpoint security needs more than one line of sight.

When a Partition Tool Crosses the Line: Two High-Severity Bugs Put Privilege Boundaries at Risk

Published: 22 June 2026 12:45 | Category: Research, Exploits & Offensive Security | Geo: Asia / China | Author: PATCHVIPER

Public proof-of-concept material for EaseUS Partition Master 14.5 has turned a routine storage utility into a live reminder that software handling disk operations can carry security consequences far beyond the desktop.

GitHub Tightens the Checkout Line Between Convenience and Trust

Published: 22 June 2026 10:21 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: DEBUGSAGE

A new release of actions/checkout brings safer defaults to pull_request_target workflows, a small change with outsized meaning for CI security.

GitHub’s New Checkout Guard Turns a Longstanding Workflow Trap into a Default Block

Published: 22 June 2026 10:09 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: PATCHVIPER

A major update to actions/checkout v7 hardens privileged GitHub Actions runs by refusing unsafe fork checkout patterns unless a maintainer explicitly opts in.

When a Fitness Band Becomes a Firmware Lab

Published: 21 June 2026 18:04 | Category: Research, Exploits & Offensive Security | Geo: Asia / China | Author: DEBUGSAGE

A close look at the Mi Band 10 shows why wearables with app links and embedded silicon attract reverse-engineers: the real story is not the screen, but the software chain underneath.

Apple’s Boot Chain Gets a Pre-OS Crack: usbliter8 Targets SecureROM on A12 and A13

Published: 20 June 2026 18:58 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: PATCHVIPER

A hardware-level SecureROM issue on older Apple silicon shows how a bug below the operating system can outlast ordinary patch cycles.

The Attack Hiding in Plain Traffic

Published: 20 June 2026 18:33 | Category: Research, Exploits & Offensive Security | Author: PATCHVIPER

Man-in-the-middle attacks are less a single exploit than a class of interception tactics that abuse trust between devices, networks, and infrastructure.

The Pre-Boot Trap Hidden in Signed UEFI Code

Published: 19 June 2026 14:35 | Category: Research, Exploits & Offensive Security | Author: PATCHVIPER

A firmware trust flaw shows how vendor-signed UEFI applications can become an execution path before Windows or Linux even begins loading.

Apple’s Immutable First Step Turns Into the Weak Link

Published: 19 June 2026 08:13 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: PATCHVIPER

A reported BootROM flaw on A12 and A13 devices shows how a bug at the earliest trust layer can ripple through Apple’s boot model without becoming a simple software fix.

The Smallest Step That Can Turn Access Into Control

Published: 18 June 2026 19:51 | Category: Research, Exploits & Offensive Security | Author: DEBUGSAGE

Privilege escalation is not the first move in an intrusion, but it is often the one that changes limited access into a much more dangerous position.

SQL Server 2025’s AI Layer Opens a New Route for Quiet Data Theft

Published: 18 June 2026 12:45 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: DEBUGSAGE

Microsoft’s database now includes AI-oriented plumbing for RAG-style workflows, and researchers have shown that the same machinery can be bent toward sensitive data exfiltration and covert command traffic.

When the Kernel Becomes the Control Room, eBPF Becomes Both Shield and Shadow

Published: 18 June 2026 08:21 | Category: Research, Exploits & Offensive Security | Author: DEBUGSAGE

Linux security is increasingly moving into eBPF-powered runtime controls, but the same privileged layer can also become a hiding place if an attacker reaches the host.

When the Logs Go Dark: Cloud Attackers Are Turning Audit Trails Into a Target

Published: 17 June 2026 17:24 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: DEBUGSAGE

Cloud logging is supposed to preserve evidence, but control-plane abuse can turn that evidence into the first thing an intruder tries to silence.

When the Logbook Goes Dark: Cloud Audit Trails Become the New Target

Published: 17 June 2026 16:47 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: DEBUGSAGE

A vendor research finding points to a worrying shift in cloud attacks: instead of only stealing data, intruders may also try to weaken the telemetry defenders depend on.

Windows' Quiet Knife: How QoS Can Starve an EDR Sensor Without Killing It

Published: 17 June 2026 16:42 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: PATCHVIPER

A new open-source proof of concept shows how policy-based throttling in Windows can choke the cloud link that many EDR tools rely on, creating a defense-evasion risk that looks more like network starvation than malware tampering.

A Veteran Security Figure Recasts a Malware Past as a Career Origin Story

Published: 17 June 2026 16:08 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: DEBUGSAGE

A June 17, 2026 post featuring a YouTube video puts Nir Zuk, co-founder of Palo Alto Networks, in the spotlight for a self-described early link to virus development - a reminder that cybersecurity history can shape how the field sees credibility, risk, and technical judgment.

Reading the Network’s Answer: Why Nmap Teaches You to Think Before You Scan

Published: 17 June 2026 13:15 | Category: Research, Exploits & Offensive Security | Geo: North America / USA | Author: PATCHVIPER

Nmap’s value is not just in scanning a host, but in interpreting how that host responds to crafted packets and turning those responses into useful network clues.