Threat intel

News from the field.

Vulnerability write-ups, advisories, and research from the chaosbyte crew — what we're finding, exploiting, and fixing right now.

criticalJun 28, 2026

Next.js middleware bypass: one header to skip your auth

A crafted x-middleware-subrequest header lets attackers skip middleware entirely. If your auth lives there, patch now — we walk through detection, exploitation, and the fix.

by Zach Winchester · 6 min
Read →
advisoryJun 19, 2026

GitHub Actions supply chain: pinning tags is not enough

Mutable action tags keep getting retargeted to malicious commits. How we caught one in a client pipeline, and the SHA-pinning policy we now deploy by default.

by @cbrhex · 4 min
Read →
researchJun 05, 2026

What 500 automated pentests taught us about JWT handling

alg:none is dead, but weak secrets and unverified issuers are everywhere. The five JWT mistakes our AI finds most, ranked by real-world exploitability.

by Bogdan Chayka · 9 min
Read →
criticalMay 27, 2026

SSRF via PDF renderers: your invoice generator is an internal proxy

Headless browsers rendering user HTML into PDFs will happily fetch cloud metadata endpoints. Two clients, same bug, one week. Here is the checklist.

by Zach Winchester · 5 min
Read →
advisoryMay 14, 2026

Exposed .git directories are back — blame misconfigured CDNs

A CDN migration pattern we keep seeing re-exposes .git on production origins. One curl command tells you if you are affected; one config line fixes it.

by @cbrhex · 3 min
Read →
researchApr 30, 2026

Prompt injection is the new SQLi: attacking LLM features in prod

Support bots with tool access are the softest target we test. How our AI chains prompt injection into data exfiltration, and what actually mitigates it.

by Bogdan Chayka · 7 min
Read →