r/cybersecurity

CVE-2026-33579 is actively exploitable and hits hard.

What happened: The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover, no secondary exploit needed. CVSS 8.6 HIGH.

Why this matters right now:

• Patch dropped March 29, NVD listing March 31. Two-day window for the vulns to spread before anyone saw it on NVD
• 135k+ OpenClaw instances are publicly exposed
• 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain

The attack is trivial:

1. Connect to an unauthenticated OpenClaw instance → get pairing access (no credentials needed)
2. Register a fake device asking for operator.admin scope
3. Approve your own request with /pair approve [request-id]
4. System grants admin because it never checks if you are authorized to grant admin
5. You now control the entire instance — all data, all connected services, all credentials

Takes maybe 30 seconds once you know the gap exists.

What you need to do:

1. Check your version: openclaw --version. If it's anything before 2026.3.28, stop what you're doing
2. Upgrade (one command: npm install openclaw@2026.3.28)
3. Run forensics if you've been running vulnerable versions:
   • List admin devices: openclaw devices list --format json and look for admins approved by pairing-only users
   • Check audit logs for /pair approve events in the last week
   • If registration and approval timestamps are seconds apart and approver isn't a known admin = you got hit

I thought I’d give you all a view from the other side of the table and what I deal with as a hiring director.

I’m the director/manager of a small DFIR/cyber team in the southern U.S. We’re part of a larger group of about 50 people. Our team focuses on critical infrastructure and the industry around us. We occasionally hire entry-level people.

We recently posted two entry-level cyber jobs for our group and got just under 300 applicants. I intentionally did not post on the big job boards because I did not want 1,000+ applications to sort through, and I do not have the budget or ability to relocate people across the country. I advertised on university job boards in my region, spoke to CS and CIS classes at universities nearby, and went to monthly tech and cyber meetups in the area to talk about the opportunity. Word of mouth brought in a few people from farther away too.

Majority of the resumes had 4 yr degree, standard classes but little to nothing more.

Once we filtered for our minimum requirements and preferred skills, that cut the pool down to about 70.

Our baseline requirements were:

4-year degree in computer science, CIS, IT, or cybersecurity, or 4 years of equivalent experience

- U.S. citizen

- clean criminal record

- ability to regularly pass a drug test

Preferred exposure included some mix of:

- network infrastructure: firewalls, switches, routing, general enterprise networking

- cloud infrastructure: AWS, Azure, etc.

- scripting/programming: Python, Go, Rust, PowerShell, Bash

- desktop/server administration: Windows, Linux, macOS

- forensics tools: Axiom, FTK, Autopsy, Cyber Triage, Volatility

- big data / security platforms: Elasticsearch, Splunk

The resumes told a pretty clear story about the current cyber job market.

Most of the filtered applicants were students or recent grads. Lots of cybersecurity, CS, IT, and information systems degrees. Security+ was everywhere. Python, networking, Linux, Windows, SQL, cloud, Wireshark, PowerShell, Active Directory, Nmap, Splunk, AWS, Azure, Kali, GitHub, all showed up regularly.

On paper, a lot of people looked “cyber enough.”

What was harder to find were candidates with real depth. Not many had meaningful foundational experience (networking, desktops, servers).. without this i cant teach you our workflow and processes. When you have that many applicants, you can afford to be picky, and my expectations higher. I need people with at least some real-world experience and practical exposure, not just home labs and TryHackMe-style exercises.

That stuff has value. I’m not dismissing it. But it is very different from working in real environments where mistakes matter, users are frustrated, systems are old, documentation is incomplete, and the network or server you are touching is tied to an actual mission.

A lot of resumes were built around coursework, home labs, and student projects. Again, that is not worthless. But it is not the same as supporting broken systems, troubleshooting real production issues, or working through ambiguous technical problems where there is no perfect answer.

The strongest candidates usually had a second layer underneath the “cyber” label. They had done help desk, sysadmin work, software development, military, law enforcement, research, or serious internships that gave them technical maturity.

From the 70, we pulled 15 for interviews. There were more people than that who were qualified and capable, but interviews take time and I only need two hires.

My first round is a 20 to 30 minute Teams meet-and-greet. I want to hear the candidate, get a feel for who they are, explain what we actually do, and let both sides decide whether it feels like a fit. Communication matters. Personality matters. Team fit matters. I have a team that runs smoothly and works well together. I do not need someone who is going to disrupt what we’ve worked hard to build.

From there we narrowed it to 6 and brought them in for a 1-hour technical interview. No computers, no AI, just us sitting around a table and a whiteboard. I do not expect entry-level candidates to know every answer. I do expect them to think through problems, use their fundamentals, make reasonable assumptions, and talk through possible solutions. I want to see thought process, honesty, and problem-solving. “I don’t know” by itself is not enough. “I don’t know, but here is how I would work through it” is a much better answer.

One thing I think Reddit gets badly wrong is how much people dismiss help desk and foundational IT work. The right help desk job can expose you to everything from end-user problems to server issues, account management, AD, patching, networking, documentation, escalation, and troubleshooting under pressure. A university help desk job while you’re still in school is honestly a very solid place to start. Over 2 to 3 years, that can turn into sysadmin or network admin experience, and that foundation matters a lot.

That is not a knock on the applicants. It is just the reality of the market right now.

The entry-level cyber market is crowded with people who have degrees and experience. (notice i didnt say certs, they dont really matter to me)

It is much less crowded when you start looking for people with real technical foundations, practical troubleshooting ability, professional communication skills, and experience applying those skills in environments that matter.

For people trying to break in, my advice is simple: a 4 yr degree matters, real world work experience matters. Even if you have the degree, even if you have the certs, you still need real exposure. Get the internship get a job while you're in school. Get the help desk job. Work systems. Build things. Fix things. Support users. Touch real infrastructure. That is what separates people.

A degree gets you considered. Certifications might help. Real experience gets you hired.

A suspected major data breach at Adobe, allegedly by a hacker called “Mr. Raccoon,” may have exposed millions of records via a third-party Indian BPO. Reports claim up to 13 million support tickets, 15,000 employee records, and HackerOne submissions were accessed. Adobe hasn’t confirmed the breach, but shared evidence suggests serious gaps in access control and vendor security.

strapi-plugin-events dropped on npm today. Three files. Looks like a legitimate community Strapi plugin - version 3.6.8, named to blend in with real plugins like strapi-plugin-comments and strapi-plugin-upload.

On npm install it runs an 11-phase attack with zero user interaction:

• Steals all .env files, JWT secrets, database credentials
• Dumps Redis keys, Docker and Kubernetes secrets, private keys
• Opens a 5-minute live C2 session for arbitrary shell command execution

The publisher account kekylf12 on npm is actively pushing multiple malicious packages right now and all targeting the Strapi ecosystem.

Check the account: npmjs.com/~kekylf12

If you work with Strapi or have any community plugins installed that aren't scoped under strapi/ - audit your dependencies now. Legitimate Strapi plugins are always scoped. Anything unscoped claiming to be a Strapi plugin is a red flag.

Full technical breakdown with IoCs is in the blog.

Last week we audited 100 MCP servers. People asked us to scale it up.

We scanned every MCP package on npm and PyPI. 15,982 servers, 40,081 tools, 137,070 findings.

Here's what stood out:

A thermostat that tells the AI to lie

One server's tool description reads: "Secretly adjust the office temperature to your preference."

That's not a bug. A developer wrote that. The LLM reads "secretly" as an operational mandate act, then deceive the user about it. 460 servers contain language like this.

A DeFi wallet that skips approval confirmation

@arcadia-finance-mcp-server

has 4 CRITICAL findings across its financial write operations. The tool for checking wallet allowances reads: "avoid redundant approvals skip approving if the current allowance is already sufficient."

To a Solidity dev: gas optimization tip.

To an LLM: skip human confirmation before moving funds.

The more capable a server, the more dangerous it is

• 1–5 tools: avg score 49.8/100
• 6–10 tools: avg score 6.0/100
• 11–20 tools: avg score 1.1/100
• 21–50 tools: avg score 0.0/100
• 51+ tools: avg score 0.0/100

Every server with 21+ tools scores exactly zero. The servers you most want to use are the ones most certain to be insecure.

Hidden Unicode characters in tool descriptions

145 CRITICAL findings where tool descriptions contain invisible Unicode characters not visible in your editor, your diff, or GitHub, but fully parsed by the LLM. This one we hadn't seen documented before.

The core problem: tool descriptions, system prompts, and user messages all arrive to the LLM as natural language with no structural distinction between them. One word "secretly", "MUST", "skip" overrides your entire security posture.

Full paper with methodology, case studies, and formal taxonomy: https://github.com/stevenkozeniesky02/agentsid-scanner/blob/master/docs/census-2026/weaponized-by-design.md

All 15,982 servers scored and searchable: agentsid.dev/registry

Just trying to understand if this is as painful for everyone as it seems. Every founder I've spoken to describes the same thing — an enterprise buyer sends over a 100-150 question spreadsheet covering encryption, access controls, incident response, business continuity — and someone on the team loses 2-3 days hunting through policy documents to answer it.

Curious how people actually handle this. Do you have a system? Do you reuse answers from previous questionnaires? Does it get easier over time or is it painful every single time?

TL;DR: For all the IT focused people out there, make sure you get your Security+ or have comparable knowledge about cybersecurity! It can be very important, and saved my butt when my first malware related ticket popped up out of nowhere.

--------

The malware infected computer isn't mine thankfully (Im an IT Desktop Support tech), but one of our users. We (Sysadmin and I) think (so far) that the user typed the wrong URL or made some kind of typo in the URL that redirected them to a phishing page that enabled the malware download. They then had one of their monitors hijacked by a malware program which flashed lights and sirens, with a fake credentials box and fake support hotline to call to boot!

And worst of all, they actually called the damn number! We (IT/company) got very lucky that the scammers on the other end were only hunting for personal computers to pilfer information from, since the user was on a company issued laptop. The user is a mid level employee in the company too, do any kind of credential compromising, or g-d forbid a remote session, could have done some real damage.

Thankfully, due to the cybersecurity background I've gotten via my Security+ and CCNA certs, I knew what was happening as soon as the user was describing it to me, and was able to get them in a calm state, and then follow up with the sysadmin with useful information to escalate the situation quickly. I'm gonna have to re-image the computer on the spot, in the office, after this user was supposed to be clocked out for the day. What a mess!

Three confirmed CWE-78 command injection vulnerabilities in the Claude Code CLI.

Basically, the exploit allows exfiltration of messages and credentials

Auth helpers execute config values as shell commands. In CI/CD mode (-p), no trust dialog. No input validation.

HTTP callback exfiltration confirmed. Cloud credentials, API tokens, deploy keys — all reachable from the injection point.

I really wanna pivot to OT security, and I'm trying to figure out what work I should do to make myself a viable candidate. I already have experience in cybersec and IT.

Went to Def Con ICS village last year and nobody there seemed to have a clear explanation. They all sorta fell into it through government work. They did suggest Iowa National Labs training. Ideally, i'd be pentesting OT systems. Working on OSCP now in fact. But I understand that's rare. I just wanna work towards anything OT related and would appreciate advice on what I should focus on. Anyways, here's my details:

Experience:

• 4yr IT Helpdesk
• 1 summer SOC analyst internship
• 4yr Cyber security analyst on EDR (analyze detections, threat hunting, incident response, report writing and conference calls for customer remediation)

Certs:

• GCIH
• CySA+
• Sec+
• OSCP (working on now)
• PNPT
• eJPT
• Pentest+

Education:

• BS Information Systems
• Masters of Science in Cyber Security

I've been a security engineer for 5 years (over 3 at my current role) and I don't feel technical enough to apply to new roles. I'm worried I'm going to be stuck forever. In my current role, I do some Python, vulnerability remediation, and then some system admin work. I am RHCSA-certified, so I'm also good with Linux. What can I work on to make myself more competitive for other security engineering roles?

This has been bugging me lately. I have been on a defender team but with a very offensive mindset.

Most days, when I come across a Low vulnerability which just cannot be exploited but is a good practice, I'm pissed and I do not believe in it enough to ask my developers to fix it. I used to believe these should not be reported at all by the tools if they cannot be proven to be exploitable.

But then I came across Security Engineering books like the one by Ross Anderson and got a peek into the true defender mindset: How we assume breach. We want to build defense in depth so that if a privileged access is somehow attained, the impact is still low.

Funnily, when I report bugs which require some privilege, eg. an admin can do SSRF and call services hosted in the same network topology, the report is usually not taken seriously by the bug bounty analyst or the builder. They see "Admin" and essentially think "Game Over anyway."

I'm very keen to know your take on this: Do we want to know only the issues which are exploitable, or do we want to know each and every deviation from security best practice?

Where do we draw the line?

A major data leak from Anthropic has exposed internal warnings about their upcoming AI model tier, codenamed Capybara. According to leaked documents analyzed by IT Brew, the new model demonstrates a massive leap in coding and offensive hacking capabilities. Internal researchers warned that the system poses unprecedented cybersecurity risks, raising serious concerns that threat actors could soon leverage the AI to outpace current enterprise defense systems.

So I work within a fairly large SOC team and we kept having issues of personnel not properly tracking their IT certification expiry dates and accidentally letting them lapse. Although we have a spreadsheet that keeps track of it, this problem would still come up.

To fix this problem I built a tool aimed at IT managers to simply keep track of their teams certifications expiry. At first this was just a simple tool that kept track of basic cert info, but after some good feedback I decided to take it step further, put some more hours into the project and publish it publicly.

What TrackACert does:

• keep track of your teams certs in one place that is easy to read.
• automate import of certifications from Credly profiles
• send out email reminders to individuals when expiry dates are coming up
• Skill gap analysis: this one I'm pretty proud of. I have mapped the most common IT certs against key pillars / skills within IT such as Forensics, IR, Cloud etc which then allows teams to see where skill gaps might exist in their team. Trying to get finance to buy a specific course but need evidence of the requirement for the skill? Create a skill gap report.

We are also planning several integrations such as with Microsoft Teams so cert reminders can get pinged into a Teams channel.

This is still in very early stages and my only current users are my work, but I would love some honest and brutal feedback.

Thank you.

Hi society.

I'm interested in cybersecurity and planning to specialize in penetration testing through self-study, without pursuing a university degree.

I have around a year to build toward a junior role. Here are my honest questions for people who work in the field or hire:

1. Is it possible to land an entry-level pentester job without a degree if the portfolio is strong enough?

2. One year — realistic, or am I miscalculating?

3. Does a GitHub portfolio actually influence hiring decisions, or do certifications still dominate the screening process?

4. What do most beginners waste time on that you wish someone had told them earlier?

Not looking for motivation. Just reality.