
Received — 10 June 2026 ⏭ /r/netsec - Information Security News & Discussion
Received — 9 June 2026 ⏭ /r/netsec - Information Security News & Discussion

X.com silently injects session-bound tracking tokens into your clipboard on every copy — security tools correctly flag this as malicious injection

Did some digging into why pasting from X.com triggers "malicious injection" warnings in security tools (CrowdStrike, Defender, SentinelOne). Turns out it's not a false positive.

Every time you copy text or a link from X.com, their JavaScript intercepts the `copy` event and rewrites your clipboard before it lands. Three injection vectors:

  1. **URL tracking** — clean tweet links get `?s=12&t=<base64-token>` appended. The token is session-bound and uniquely identifies you.

  2. **HTML clipboard payload** — X writes `text/html` alongside `text/plain`. The HTML contains hidden `<span>` elements with base64-encoded tracking data. This is what trips the XSS detection rules.

  3. **Cross-context deanonymization** — paste a tweet link into email, a forum, or Slack, and X can correlate the copier's identity with the paste destination. Shadow social graph construction without consent.

The `t=` parameter is the smoking gun. It's a base64-encoded binary blob that persists across your session. Security scanners see "base64 blob injected into clipboard" and flag it — same behavior as information-stealing malware, because technically it's the same mechanism.

No opt-out. No disclosure. The bug bounty program was dissolved.

Full technical writeup with detection regex and DevTools monitoring code:

- https://gitlab.com/jacquesmyo/security-findings

- https://codeberg.org/jacquesmyo/security-findings

submitted by /u/GlitteringOwl6669
[link] [comments]

I found 23 Chrome extensions hijacking 758,000 users' searches for affiliate revenue

I scanned Chrome extension manifests for chrome_settings_overrides and found 23 extensions silently routing 758,000 users' searches through hidden monetization networks.

The pattern: install a free extension (satellite imagery, maps, news reader), your default search gets quietly replaced and every query goes through the operator's middleware before reaching a search network, generating affiliate revenue you never consented to.

Key findings:

  • 8 distinct brokers behind these extensions. If one extension gets pulled, another goes up under a different name.
  • Several extensions have zero functionality beyond the search override
  • One extension affirmatively claims "We don't track your searches" while its own privacy policy says otherwise
  • One uses runtime declarativeNetRequest injection so the real behavior is invisible to static analysis

The `hspart` parameter in the final search redirect URL is the clustering key. One value maps an entire broker network regardless of extension name, domain, or publisher identity.

Full report: https://malext.io/reports/SearchJack/

submitted by /u/Huge-Skirt-6990
[link] [comments]
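
The manifest check and `hspart` clustering described in the post above, as an added example that is not part of the original post or the linked report. Extension names, domains and `hspart` values are constructed, and the observed final redirect URLs are assumed to have been collected separately.

```javascript
// Added example: audit extension manifests for search overrides and cluster
// them by hspart. All names, domains and hspart values below are constructed.

// Flag the default-search override and the permission that allows redirect rules at runtime.
function auditManifest(manifest) {
  const sp = (manifest.chrome_settings_overrides || {}).search_provider;
  const perms = manifest.permissions || [];
  return {
    name: manifest.name,
    overridesSearch: Boolean(sp && sp.search_url),
    isDefault: Boolean(sp && sp.is_default),
    searchHost: sp && sp.search_url ? hostOf(sp.search_url) : null,
    runtimeRedirectCapable: perms.some((p) => p.startsWith("declarativeNetRequest")),
  };
}
// search_url carries the {searchTerms} placeholder; substitute it before parsing.
function hostOf(searchUrl) {
  try {
    return new URL(searchUrl.replace("{searchTerms}", "test")).hostname;
  } catch {
    return null; // malformed or relative URL
  }
}
// Group extensions by the hspart parameter of the observed final redirect URL.
function clusterByHspart(observations) {
  const clusters = new Map();
  for (const { extension, finalUrl } of observations) {
    let key = "(none)";
    try {
      key = new URL(finalUrl).searchParams.get("hspart") || "(none)";
    } catch { /* unparsable URL stays in "(none)" */ }
    if (!clusters.has(key)) clusters.set(key, []);
    clusters.get(key).push(extension);
  }
  return clusters;
}

// Constructed sample data.
const manifests = [
  { name: "Sat View Tab", permissions: ["storage"],
    chrome_settings_overrides: { search_provider: { name: "Sat Search",
      search_url: "https://search.satview.example/q?term={searchTerms}", is_default: true } } },
  { name: "News Reader", permissions: ["declarativeNetRequest"] },
];
const observations = [
  { extension: "Sat View Tab", finalUrl: "https://search.engine.example/search?hspart=brokerA&p=test" },
  { extension: "Map Finder", finalUrl: "https://search.engine.example/search?hspart=brokerA&p=test" },
  { extension: "News Reader", finalUrl: "https://search.engine.example/search?hspart=brokerB&p=test" },
];
console.log(manifests.map(auditManifest), clusterByHspart(observations));
```

An extension with no `chrome_settings_overrides` entry but a `declarativeNetRequest` permission still needs dynamic observation, since the manifest alone does not show which rules it installs at runtime.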
Received — 8 June 2026 ⏭ /r/netsec - Information Security News & Discussion

CVE-2026-46640: Developing payloads for Twig sandbox bypass

I recently learned about multiple sandbox bypasses discovered in Twig by project Glasswing. From the descriptions, only CVE-2026-46640 and CVE-2026-46633 seemed universally exploitable, so I decided to research them. This writeup documents my development of payloads for CVE-2026-46640 and the corresponding SSTImap module.

submitted by /u/vladko312
[link] [comments]
Received — 5 June 2026 ⏭ /r/netsec - Information Security News & Discussion
Received — 4 June 2026 ⏭ /r/netsec - Information Security News & Discussion