Co-founder/Chief Security Evangelist Veracode. Former L0pht security researcher. Builds tools to find vulnerabilities in code at scale. Twitter: @weldpond
🚨 Critical React + Next.js RCE Alert 🚨
New flaws in the React Server Components “Flight” protocol (CVE-2025-55182 & CVE-2025-66478) allow unauthenticated remote code execution on default installations.
Attackers only need one malicious HTTP request to take over a server.
Wiz reports 39% of cloud environments are vulnerable.
If you're running:
• React 19.0–19.2
• Next.js 14.3.0-canary, 15.x, 16.x (App Router)
• Any framework bundling react-server (Redwood, Waku, Vite/Parcel RSC plugins, etc.)
👉 You are likely exposed. Patch immediately.
Updates now available:
React 19.0.1 / 19.1.2 / 19.2.1
Next.js 14.3.0-canary.88 / 15.0.5+ / 16.0.7
Full RCE. Remote. Unauthenticated. Near-100% exploit reliability.
Patch today. Do not wait.
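One way to turn the version lists above into a check, as an added example that is not part of the original post: a script that reads an npm package-lock.json and reports React or Next.js entries below the fixed versions the alert names. The lock-file fragment at the bottom is constructed sample input, and the ordering used for the 14.3.0-canary prereleases is an assumption based on semver's rule that a release sorts above its prereleases.

```javascript
// Added example, not from the original post: flag React / Next.js entries in a
// package-lock.json that sit below the fixed versions the alert lists.
const FIXED = {
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: { "14.3": "14.3.0-canary.88", "15": "15.0.5", "16": "16.0.7" },
};

// Parse "MAJOR.MINOR.PATCH[-tag.N]" into a comparable tuple. A release sorts
// above a prerelease of the same MAJOR.MINOR.PATCH, matching semver ordering.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  const [, a, b, c, tag, n] = m;
  return [+a, +b, +c, tag ? 0 : 1, tag ? +n : 0];
}

function lessThan(x, y) {
  const px = parse(x), py = parse(y);
  for (let i = 0; i < px.length; i++) if (px[i] !== py[i]) return px[i] < py[i];
  return false;
}

// Fixed version the package must be raised to, or null when not affected.
// Lines are keyed by MAJOR.MINOR (React, Next 14.3 canary) or MAJOR (Next 15/16).
function neededFix(name, version) {
  const lines = FIXED[name];
  if (!lines) return null;
  const [major, minor] = version.split(".");
  const fix = lines[`${major}.${minor}`] ?? lines[major];
  return fix && lessThan(version, fix) ? fix : null;
}

// Walk lockfile v2/v3 "packages" entries, whose keys look like "node_modules/react".
function auditLock(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages ?? {})) {
    const name = path.split("node_modules/").pop();
    const fix = neededFix(name, info.version);
    if (fix) findings.push({ name, version: info.version, fix });
  }
  return findings;
}

// Constructed sample lock-file fragment, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  "node_modules/react": { version: "19.1.1" },
  "node_modules/next": { version: "14.3.0-canary.50" },
  "node_modules/react-dom": { version: "19.1.1" },
} };
console.log(auditLock(SAMPLE_LOCK));
```

Run it against a real lock file with `auditLock(JSON.parse(fs.readFileSync("package-lock.json")))`; packages outside the listed lines (React 18, Next 14.2, etc.) are reported as not affected because the alert does not list them.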
Veracode Research finds that OpenAI GPT-5 writes more secure code than other models.
Delchi and I having a pre-party discussion at @L0phtHeavyInd circa 1999
I'm heartbroken to share that my friend of 30 years, Arthur Phillip Delchi, @Delchi, DJ Delchi, FIRST REGENT OF GOTHAM—has left us.
A founding force behind DEF CON’s Hackers with Disabilities village, a L0pht regular who DJed our wildest parties (two of those moments captured below), and an early researcher tearing apart IoT and other devices for the sheer love of understanding how things break.
He was just as legendary in the NYC goth scene: From the earliest days spinning ethereal sets at Parallax, Long Black Veil, Sanctum at CBGB’s Basement, and his own Bitter Paradise at Downtime… to guest spots at Absolution, Albion, The Bank, Webster Hall, and beyond… to carrying the dark flame to Vegas in recent years—Delchi was a pillar of the night.
He lived in the pages too, as “The Voltoids Guy” in Voltaire’s Oh My Goth and “Lord Delchi” in GloomCookie, before becoming a comic creator himself with his comic Noduttu.
Rest easy, old friend. The dance floor, the lab, and the shadows won’t be the same without you.
Hail and farewell, traveler.
Kociemba has launched the No Longer Evil project, an open-source initiative aimed at breathing new life into decommissioned first- and second-generation Nest thermostats. https://www.techspot.com/news/110186-hacker-launches-no-longer-evil-project-revive-discontinued.html
“Secure by design” is shifting from vision to standard. I note progress: >50% of apps now pass OWASP Top 10 checks (up from <33% in 2020) and exploitable flaws dropped from 3.6% to 2.6%. But 70% of apps still have major flaws—true success means making security part of every build, not an afterthought. https://www.forbes.com/councils/forbestechcouncil/2025/11/10/advancing-secure-by-design-from-ambition-to-industry-standard/
Veracode found a malicious npm package “@acitons/artifact” impersonating @actions/artifact (206K+ downloads). It targeted GitHub-owned repos to steal build tokens and publish malware. Six versions used a post-install hook to fetch undetected malware. Veracode blocked it and notified npm.
https://www.veracode.com/blog/malicious-npm-package-targeting-github-actions/
“If you’re being arrested at 17, you’re being weaponised at around 11. It’s not happening overnight & the entry point is gaming, which acts as a live lab for skill set development. These young people are modifying and hacking games to find the loopholes.” https://www.theguardian.com/from-play-to-purpose/2025/oct/27/ethical-hacking-for-young-gamers-cybersecurity-programme
Mother Jones on First Wap's SS7-based tracker. The old and insecure phone system keeps giving.
Was this DEFCON eBPF bug talk hallucinated?
https://www.thestack.technology/defcon-ebpf-bug-talk-was-hallucinated-what-now/
Hackers are getting younger and we need to stage an intervention
“Twenty-five years ago, you had to use unconventional talent in cybersecurity because there were no degree programmes or bootcamps”
We need to tap into this talent like we did back then.
It's painful to write this sad note. Our community is grieving. Dylan (FreqOut/cDc) and Jo lost their child, Caspian Shea. The family now faces significant medical and funeral costs. If you’re able, please donate or boost: https://gofund.me/13b9506f0
@nonlinear Check out thehackinggames.com
Teen hackers aren’t villains-in-waiting, they’re untapped defenders. We can intercept talent early, show real career paths, and turn curiosity into cyber defense. My take on building ethical on-ramps for #cybersecurity https://www.forbes.com/councils/forbestechcouncil/2025/09/19/intercepting-talent-turning-hackers-into-cyber-defenders/
@wendynather @dildog @veracode @L0pht need a club!
Top cybersecurity conferences are introducing new rules that require researchers to formally address ethics in their work. Starting with the 2026 USENIX Security Symposium, all submissions must include a stakeholder-based ethics analysis.
https://www.helpnetsecurity.com/2025/09/08/cybersecurity-research-ethics/
While conducting a routine cybersecurity review, the DHS CIO discovered significant security vulnerabilities that gave a threat actor access to FEMA’s network.
FEMA CIO, CISO, and 22 other FEMA IT employees terminated.
Failures included: an agency-wide lack of multi-factor auth, use of prohibited legacy protocols, failing to fix known and critical vulnerabilities, and inadequate operational visibility.
An app developer has jailbroken Echelon exercise bikes to restore functionality that the company put behind a paywall last month, but copyright laws prevent him from being allowed to legally release it. https://www.404media.co/developer-unlocks-newly-enshittified-echelon-exercise-bikes-but-cant-legally-release-his-software/