
Posted by binyu 5 hours ago

Anonymous GitHub account mass-dropping undisclosed 0-days(github.com)
324 points | 137 comments
jdw64 4 hours ago|
I'm going through each one, and it's fascinating to see things like this. The UAF principle in c-ares is really interesting.

The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?

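As an added illustration of the stale-pointer mechanism jdw64 describes (not code from the linked repository or from c-ares), using a constructed fixed-slot pool in place of the real heap so the slot reuse is deterministic; all names are hypothetical:

```c
#include <stddef.h>
#include <string.h>
/* Constructed toy pool standing in for one heap size class: freed slots are
 * reused LIFO, so the next allocation of that size lands on the slot just
 * freed. That reuse is what the "spray with same-sized data" step relies on. */
#define NSLOTS 4
typedef struct { void (*done)(int); int id; unsigned gen; } query;
static query pool[NSLOTS];
static int free_stack[NSLOTS], free_top;
static int last_cb; /* records which callback ran: 0 = none */

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    last_cb = 0;
    for (free_top = 0; free_top < NSLOTS; free_top++) free_stack[free_top] = NSLOTS - 1 - free_top;
}
static query *pool_alloc(void) { return free_top ? &pool[free_stack[--free_top]] : NULL; }
/* Freeing bumps the slot's generation; only the hardened flow looks at it. */
static void pool_free(query *q) { q->gen++; free_stack[free_top++] = (int)(q - pool); }

static void legit_cb(int id) { last_cb = id; }
static void reclaimed_cb(int id) { last_cb = -id; } /* whatever the reclaiming allocation wrote */
/* Vulnerable flow (the pattern the comment describes): a raw pointer survives the
 * free, a same-sized allocation reclaims the slot, dispatch goes through the stale pointer. */
static int vulnerable_flow(void) {
    pool_init();
    query *q = pool_alloc();
    q->done = legit_cb; q->id = 7;
    query *pending = q;            /* second reference, never invalidated */
    pool_free(q);                  /* q and pending are now dangling */
    query *reclaim = pool_alloc(); /* same size class: lands on the freed slot */
    reclaim->done = reclaimed_cb; reclaim->id = 7;
    pending->done(pending->id);    /* calls reclaimed_cb, not legit_cb */
    return last_cb;
}
/* Hardened flow: a reference carries the generation it was taken under and dispatch
 * refuses one whose slot was freed since. Clearing every alias on free is the simpler fix. */
typedef struct { query *q; unsigned gen; } qref;
static int hardened_flow(int free_before_dispatch) {
    pool_init();
    query *q = pool_alloc();
    q->done = legit_cb; q->id = 7;
    qref pending = { q, q->gen };
    if (free_before_dispatch) {
        pool_free(q);
        query *reclaim = pool_alloc();
        reclaim->done = reclaimed_cb; reclaim->id = 7;
    }
    if (pending.q->gen != pending.gen) return last_cb; /* stale: refuse, still 0 */
    pending.q->done(pending.q->id);
    return last_cb;
}
```

On a real heap the vulnerable path is undefined behaviour rather than the deterministic result shown here; building with AddressSanitizer reports it at the first stale access.
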
jdw64 4 hours ago||
But do people actually find these vulnerabilities on their own, or are they using LLMs? I was curious about how these vulnerabilities work, so I tried asking my dear friend Mr. CLAUDE, but he immediately threw an error and ended the session because it was a cybersecurity question. Enterprise APIs block even the analysis itself, so it's amazing that people can actually pull this off in practice.
nicce 2 hours ago|||
People have always used tools. Some people have better tools than others. I guess the line is thin whether they found them on their own or not.
raesene9 2 hours ago||||
If you want to chat with Claude about this, I'd recommend using Opus 4.6. IME it's happy to talk about (and even write) PoC exploits
lacoolj 3 hours ago||||
I imagine this is a large open model like GLM5.2 etc
jeffbee 3 hours ago||
le sigh, c-ares. Very predictable outcome. If you ever find yourself entertaining the idea that you will simply write non-blocking network protocol stacks in C with manual lifetime management, slap yourself. It doesn't matter if you think you are a super genius of unimpeachable taste. The job is impossible.
jdw64 3 hours ago||
Thank goodness I use a GC language
mrbluecoat 4 hours ago||
A surprising amount of documentation if the actor was just LLM-dropping these..
Retr0id 3 hours ago||
Why is that surprising? LLMs can churn out arbitrary volumes of "documentation" in an instant.
Bengalilol 1 hour ago||
This was sarcasm, meaning exactly what you wrote.
dawnerd 3 hours ago||
That seems trivial for an llm to provide.
icase 1 hour ago||
oh-days for days
hypercain 2 hours ago||
Mythos has been achieved internally
functionmouse 4 hours ago||
we have got to stop putting our bank accounts and SSNs on computers
ryandrake 3 hours ago||
We need our infrastructure to stop treating bank account numbers and social security numbers as secrets. At least in the US, bank account numbers appear on physical checks and are required to be shared in order to do an ACH transfer, and a social security number is not supposed to be used as an identifier (unless to the Social Security Administration itself) or as a secret password.

Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.

silversmith 3 hours ago|||
Hang on, can you actually do something nefarious with just the bank account number?
ryandrake 3 hours ago|||
If someone has your bank account and bank’s routing number (which is also not secret), they can make fraudulent ACH transfers and payments from your account. Of course it will most likely be caught as fraud some time after the fact, but just those two bits of not-secret info are enough to grief someone.
hackermailman 1 hour ago|||
Knuth had to stop sending real checks for errors spotted in his books because they would post pics of the check and thieves abused the account https://www-cs-faculty.stanford.edu/~knuth/news08.html
rogerrogerr 2 hours ago|||
And both numbers, plus your name and address and a convenient sample of your signature, are on every check you’ve ever written.
derwiki 43 minutes ago||
I suddenly feel very clever for signing everything with “Shamu T. Whale”
mystifyingpoi 2 hours ago||||
AFAIK that's a US thing. In normal countries bank account numbers are not a secret. The worst thing that can happen is someone sending you money.
jazzyjackson 1 hour ago|||
Yes but there are steep penalties for bank fraud so it is not especially common
derektank 3 hours ago|||
It’s quite ridiculous that we haven’t been able to build a modern identification system capable of replacing SSNs in the last 30 years.
dgellow 2 hours ago|||
You all need a better system than US SSNs
DANmode 2 hours ago|||
You can buy your SSN for $6-$10.
pixel_popping 3 hours ago|||
Firewalled VM, locked-in keyboard/mouse, 1 query to any agent and it's setup.
gnerd00 4 hours ago||
... support cash, tell your neighbors
Cider9986 3 hours ago|||
And Monero for online.
JohnMakin 3 hours ago|||
til you get debanked
krapp 3 hours ago||
Cash doesn't require a bank.
speedgoose 3 hours ago|||
Banks are kinda useful to avoid getting robbed of all your money, on a regular basis.

Many French people with crypto money experienced that the hard way recently.

nubg 3 hours ago||
do you have links about the french people?
speedgoose 2 hours ago||
Sure, here are a few links. Use your favourite translator.

In short, it's a very active and growing activity. Many data leaks helped people to identify wealthy targets. Some just brag about having crypto.

https://www.lemonde.fr/societe/article/2026/04/24/enlevement...

https://www.franceinfo.fr/faits-divers/cryptomonnaies-la-vag...

https://www.lemonde.fr/societe/article/2025/08/19/l-ascensio... (paywall)

https://www.slate.fr/societe/enlevements-lies-cryptomonnaies...

Some random recent ones we know about:

https://france3-regions.franceinfo.fr/grand-est/haut-rhin/mu...

https://www.leparisien.fr/faits-divers/renseignes-par-des-ha...

ahoka 2 hours ago|||
Kinda does?
krapp 1 hour ago||
Doesn't at all. You can take cash, keep cash and spend cash without any bank being involved. Cash is more anonymous than crypto and (if it's USD) accepted just about everywhere.

Banks give you an advantage with transaction security and deposit insurance, but that's dealing with money and not cash.

tliltocatl 4 hours ago||
A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.
Retr0id 3 hours ago||
No, the days start counting from the availability of a patch.
rmast 2 hours ago|||
I was thinking that the other definition was right and this correction was wrong.

Then I did some searching and found multiple examples of both definitions in use, making things murky.

So I turned to Merriam-Webster’s dictionary: “of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor”

And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.

0123456789ABCDE 2 hours ago|||
what if a patch is never released?
richbell 3 hours ago|||
I've only heard it used as Retr0id's definition.
cubefox 1 hour ago||
> A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it.

No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.

The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.

ohadkr 4 hours ago||
Open source is the best
jmward01 3 hours ago||
I think people may miss the point of a repo like this. Individually these are small puzzle pieces that can't do anything. Put them all in one place and it becomes easier to pick up pieces and try them together to see if they fit and build something bigger. Get enough pieces to fit together and you actually have something. This is the 'FOUO' idea in security. Enough open information gathered together in one place crosses the boundary from 'just public info' to 'secret stuff here!'. Now that we have automatic puzzle solvers (coding assistants), a repo like this becomes a lot more meaningful.
esikich 3 hours ago|
Yep and typically none of this is meaningful unless you have no security practices at all. You can't have it both ways. Every security team says these things are all critical even though, for example, it's only being used internally. Cool, so you somehow have our network cert, are on site physically, have compromised a laptop fully without all of our tools detecting weird shit, have a password, admin access to the repo, somehow are spoofing MFA, etc etc. Yeah it all adds up, but as an admin I'm just fucking done dropping everything for these kinds of things.
johnwheeler 3 hours ago|
That's one way to do it.