1. X
  2. depthfirst
Log inSign up
depthfirst
75 posts
Image
user avatar
depthfirst
@depthfirstlabs
Autonomous Security From Design To Production
San Francisco
depthfirst.com
Joined April 2025
28
Following
843
Followers
AffiliatesAffiliatesRepliesRepliesMediaMedia

New to X?

Sign up now to get your own personalized timeline!

Create account

By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.

Terms·Privacy·Cookies·Accessibility·Ads Info·© 2026 X Corp.
Don't miss what's happening
People on X are the first to know.
Log inSign up
  • depthfirst reposted
    user avatar
    STJ
    depthfirst
    @thibautone
    Jul 10
    Claude precommit hooks, malware NPM packages, typosquatted homebrew formulas, etc the list goes on. The supply chain risk is so REAL in 2026, it's gonna be an interesting year...
    user avatar
    The Hacker News
    @TheHackersNews
    Jul 9
    🚨 AI agents built to catch malicious code (Claude Code, OpenAI Codex) can be tricked into running it. New "Friendly Fire" attack hides instructions in a repo's README. Ask the agent to review some code, and during that review it runs the attacker's payload on your machine.
    Image
    GIF
    1.9K
  • depthfirst reposted
    user avatar
    QM
    depthfirst
    @qasimmith
    Jun 16
    Recent developments have shown us why defenders should avoid becoming too dependent on any single model or provider. Security teams need critical capabilities to remain reliable, available, and consistent as models, policies, providers, and access change. That belief has shaped
    user avatar
    QM
    depthfirst
    @qasimmith
    Jun 15
    Article cover image
    Article
    Why Defenders Can’t Bet on One Model
    Over the last few months, one of the most advanced cybersecurity models in the world went from broadly discussed as a major leap forward, to available only to a select group of organizations, to...
    798K
  • user avatar
    depthfirst
    @depthfirstlabs
    Jun 15
    Thank you @LowLevelTweets for covering our work on FFmpeg! Find the full video and the technical writeup through the links in the comments.
    Image
    00:00
    310K
    user avatar
    depthfirst
    @depthfirstlabs
    Jun 15
    Technical writeup:
    Image
    21 Zero-Days in FFmpeg | depthfirst
    From depthfirst.com
    1.3K
  • user avatar
    depthfirst
    @depthfirstlabs
    Jun 15
    Replying to @depthfirstlabs and @LowLevelTweets
    Video link:
    Image
    AI Did This.
    From youtube.com
    1.7K
  • depthfirst reposted
    user avatar
    depthfirst
    @depthfirstlabs
    Jun 14
    Replying to @FFmpeg
    Thank you @FFmpeg. That's why we launched ODI, a $5m commitment to help maintainers of critical OSS projects use depthfirst to find, triage, and remediate vulnerabilities in their code and PRs. We’d love to give you access. More info here:
    Image
    Open Defense Initiative | depthfirst
    From depthfirst.com
    20K
  • depthfirst reposted
    user avatar
    Zhenpeng (Leo) Lin
    depthfirst
    @Markak_
    Jun 9
    Big fan of the work Calif is doing so happy to add some color here. I like the idea behind ngxray, but it can also be misleading. It's a pure syntax matching which will never work well on semantically rich languages. e.g. the following would be completely missed: location / {
    user avatar
    Calif
    @calif_io
    Jun 8
    We'd love to be proven wrong here. As a red team, few things are more exciting than a reliable nginx RCE. For some context: we discovered at least two nginx 0-days and successfully weaponized one into a full RCE, bypassing ASLR with no external dependencies. We were thrilled,
    9.9K
  • user avatar
    depthfirst
    @depthfirstlabs
    Jun 8
    We recently wrote about 21 FFmpeg zero-days we found earlier this year. Read the blog post about the findings and about how our security agent works in the comments.
    user avatar
    The Hacker News
    @TheHackersNews
    Jun 6
    🔥 AI just found 21 zero-days in FFmpeg. That’s the video library bundled inside many apps, tools, containers, and devices. Some bugs sat untouched for 15–20 years. Google Chrome also dropped PATCHES for a record 429 vulnerabilities this week. Read: thehackernews.com/2026/06/ai-age…
    2.2M
    user avatar
    depthfirst
    @depthfirstlabs
    Jun 8
    Blog post:
    Image
    21 Zero-Days in FFmpeg | depthfirst
    From depthfirst.com
    1.5K
  • depthfirst reposted
    user avatar
    Zhenpeng (Leo) Lin
    depthfirst
    @Markak_
    Jun 4
    We helped FFmpeg find and fix 21 security vulnerabilities. In a 1.5M-line codebase, we spent just $1K in API costs. Some of these bugs had been hiding for decades. We also developed a PoC demonstrating an RCE primitive when FFmpeg processes RTSP streams. Full write-up:
    Image
    21 Zero-Days in FFmpeg | depthfirst
    From depthfirst.com
    339K
  • depthfirst reposted
    user avatar
    Arsham Memarzadeh
    @arshammem
    Jun 4
    Replying to @MartinShkreli
    @depthfirstlabs post trains their own and combines with frontier models + gets context from your environment beyond the codebase.
    529
  • depthfirst reposted
    user avatar
    QM
    depthfirst
    @qasimmith
    Jun 1
    AI agents are enabling every team to build useful software. This is incredibly exciting, but it also means the attack surface is changing. We recently learned that our adversaries are already using frontier models to create malware and exploit vulnerabilities. To address this,
    Image
    1.7M
  • user avatar
    depthfirst
    @depthfirstlabs
    May 16
    Thanks @Forbes for the coverage. We want to give all defenders access to frontier-level security, today. We're offering $5m in credits to maintainers of critical OSS. Apply here: opendefense.dev
    user avatar
    Forbes
    @Forbes
    May 16
    This Startup’s AI Found Critical Vulnerabilities That Anthropic’s Mythos Missed forbes.com/sites/thomasbr… (Photo: Depthfirst)
    Image
    111K
  • user avatar
    depthfirst
    @depthfirstlabs
    May 15
    Impressive work by @hkashfi! It's great to see how fast the cyber community can work together
    user avatar
    Hamid Kashfi
    @hkashfi
    May 15
    Still "Lab", but working fully remotely without any hardcoded offsets, bypassing ASLR on standard Ubuntu + Nginx deployment via an LFI primitive. There's still lots of room for improvement but I'm already out of tea and who cares? Just patch.
    Image
    00:00
    17K
  • depthfirst reposted
    user avatar
    QM
    depthfirst
    @qasimmith
    May 15
    .@depthfirstlabs found NGINX Rift. We're giving $5m in credits to critical OSS projects, apply below. Regarding ASLR, please prioritize patching. ASLR makes the exploit harder, but still feasible.
    user avatar
    International Cyber Digest
    @IntCyberDigest
    May 14
    🚨 UPDATE: 19 MILLION exposed NGINX instances hit by the 18-year-old NGINX RCE found by AI. Top exposure by country: - United States: 5,340,011 - China: 2,540,008 - Germany: 1,871,780 Note on ASLR as added security: not all of these instances will have ASLR disabled, but every
    Image
    201K
  • depthfirst reposted
    user avatar
    Dino A. Dai Zovi
    @dinodaizovi
    May 14
    Because regex-triggered vulnerabilities depend on the specific regex input, they are especially difficult for static analyzers (and humans) to find. This is impressive.
    user avatar
    Zhenpeng (Leo) Lin
    depthfirst
    @Markak_
    May 13
    NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at
    Image
    00:00
    6.2K
Advertisement
Advertisement