Nicolas Grégoire
LightNews LightNews
agarri.fr
Nicolas Grégoire
@agarri.fr
4.4K followers 620 following 1K posts
Web hacker 😈
Burp Suite Pro trainer 👨‍🏫
Maintainer of @mastering-burp.agarri.fr 🛠️
Posts Replies Media Videos
agarri.fr
Argument injection (and RCE) in three distinct AI agents

blog.trailofbits.com/2025/10/22/p...
Prompt injection to RCE in AI agents
We bypassed human approval protections for system command execution in AI agents, achieving RCE in three agent platforms.
blog.trailofbits.com
November 16, 2025 at 3:16 AM
agarri.fr
How the hack of a card shuffler presented at Blackhat 2023 by IOActive was used IRL by the mafia and some NBA members

archive.is/7Pm1E
archive.is
November 16, 2025 at 3:15 AM
Reposted by Nicolas Grégoire
laluka.bsky.social
LA soirée du 200ème épisode est annoncée ! 👀
RDV ce Mardi 18 à 21h sur (oui comme d'hab en fait..) :
💌 www.twitch.tv/thelaluka 💌
November 13, 2025 at 4:06 PM
agarri.fr
AppSec Ezine - 612th edition #AppSec #Security 📚

pathonproject.com/zb/?2aa664fa...
AppSec Ezine
pathonproject.com
November 14, 2025 at 12:48 PM
agarri.fr
Both Chrome and Firefox will disable XSLT in 2026 🪦

I fully agree with them: nobody uses this technology anymore in a browser, and it's full of bugs (as my previous research demonstrates)

bugzilla.mozilla.org/show_bug.cgi...

developer.chrome.com/docs/web-pla...
November 12, 2025 at 4:10 PM
Reposted by Nicolas Grégoire
agarri.fr
The release candidate of the OWASP Top 10 2025 has been released

owasp.org/Top10/2025/0...

The definitive release should be out on November 20th
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
owasp.org
November 7, 2025 at 12:19 PM
agarri.fr
Bizarrement, personne ne brandit l’article 40 du CPP pour les vidéos de Sainte-Soline publiées par Libération… 🥴

www.dailymotion.com/video/k1Tvpm...
Tirs interdits et volonté de blesser : révélations sur les violences des gendarmes à Sainte-Soline
Dailymotion video by Libération
www.dailymotion.com
November 9, 2025 at 6:58 PM
agarri.fr
AppSec Ezine - 611th edition #AppSec #Security

pathonproject.com/zb/?7a6539c0...
AppSec Ezine
pathonproject.com
November 7, 2025 at 1:26 PM
agarri.fr
The release candidate of the OWASP Top 10 2025 has been released

owasp.org/Top10/2025/0...

The definitive release should be out on November 20th
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
owasp.org
November 7, 2025 at 12:19 PM
Reposted by Nicolas Grégoire
0xacb.com
If you still haven't: set up a JS file monitor to send you notifications via Telegram or Slack every time your target app JavaScript gets updated, a great way to stay on top of updates 👾

https://github.com/robre/jsmon

There's also a fork with Discord support:
GitHub - seczq/jsmon: a javascript change monitoring tool for bugbounties
a javascript change monitoring tool for bugbounties - GitHub - seczq/jsmon: a javascript change monitoring tool for bugbounties
github.com
November 7, 2025 at 9:38 AM
Reposted by Nicolas Grégoire
kaitlinkallee.bsky.social
"who radicalized you"

Nothing radicalized me, I was born with basic empathy. The world decided that was radical.
November 5, 2025 at 5:47 PM
agarri.fr
If you want to see beautiful pictures (and that’s an euphemism) in your feed, simply follow @armandsarlangue.bsky.social
November 7, 2025 at 8:15 AM
agarri.fr
If this is NOT corruption, then I wonder what corruption looks like 🤔
molly.wiki Molly White @molly.wiki · 12d
Newsletter: Faced with blowback over his pardon of Binance founder Changpeng Zhao, President Trump has offered a curious defense: he doesn’t even know the guy.
Trump says he has “no idea” who he just pardoned
President Trump reacts to condemnations of his recent pardon of Binance founder Changpeng Zhao by claiming he doesn’t know who he is.
www.citationneeded.news
November 7, 2025 at 7:20 AM
Reposted by Nicolas Grégoire
alexandreborges.bsky.social
How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia:

techcrunch.com/2025/11/03/h...

#exploit #exploitation #zeroday #infosec #informationsecurity #cybersecurity
How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia | TechCrunch
Peter Williams sold eight exploits to a Russian zero-day broker by smuggling them from his employer’s highly secured air-gapped network. A court document, plus exclusive reporting by TechCrunch and in...
techcrunch.com
November 4, 2025 at 9:16 PM
agarri.fr
Ackman’s take is ridiculous 🤡
molly.wiki Molly White @molly.wiki · 11d
It’s been fun watching Ackman flip-flop on prediction markets depending on what they show.

Sept 7: “directionally correct”, “you can have much greater confidence in the accuracy of their predictions”

Oct 28: “it takes only a small amount of capital to influence Polymarket trading levels”
Bill Ackman @BillAckman The polls and Polymarket are not perfect, but they are directionally correct. They were off for the primary because a new unpredicted phenomenon occurred. That is, a large number of new younger voters came out to vote for Mamdani in the primary. That had not occurred before, so the typical polling base (and the bets made on Polymarket) did not reflect the new electorate. Now that phenomenon—the new influx of younger voters—is known and is reflected in the Polymarket data. That is why you can have much greater confidence in the accuracy of their predictions. And the predicted outcome for you suggests a de minimis probability of your winning the election which makes the conclusion even more clear. A 1/100 moonshot is not worth the risk to your reputation and future, and more importantly, to the future of our great city and the millions of lives who will be negatively affected by a @ZohranKMamdani mayoralty. Look inward when making this decision. Do not to be influenced by those around you who benefit by your run for mayor. Their incentives are not in your long-term best interests for obvious reasons. Bill Ackman @BillAckman I keep heard from some that they have given up hope on the NYC mayoral election based on the probability of @ZohranKMamdani reflected by Polymarket. The problem is that it takes only a small amount of capital to influence Polymarket trading levels. Please see the post below about evidence of manipulative activity on the mayoral election. Ask yourself who would buy Mamdani at 95% to make 5% with the potential for a total loss. It seems like a stupid trade even if you think Mamdani will win. In other words, I think the 20-1 payoff to bet on @andrewcuomo for the win looks really compelling now in light of the high turnout, the age of those voting, and growing momentum going into the last week. Don’t forget that Polymarket had @andrewcuomo with an 85% probability of winning the primary a week out from the vote. Let’s not let the betting sites affect the outcome of the election.
November 7, 2025 at 7:06 AM
agarri.fr
In France, we had a somewhat related story last year. In the end, Florent Curtet was sentenced for criminal conspiracy and complicity in attempted extortion

www.lemonde.fr/pixels/artic...
November 7, 2025 at 6:56 AM
Reposted by Nicolas Grégoire
digi.ninja
This is a cool attack, create a machine running in Hyper-V on a victim's machine and do all your attacking through that while it runs in the background.

www.theregister.com/2025/11/04/r...
November 5, 2025 at 11:06 AM
Reposted by Nicolas Grégoire
alexandreborges.bsky.social
Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer:

starlabs.sg/blog/2025/11...

#cybersecurity #exploitation #printer #exploit #vulnerability
November 7, 2025 at 1:14 AM
agarri.fr
AppSec Ezine - 610th edition 🎃 #AppSec #Security

pathonproject.com/zb/?fac2c832...
AppSec Ezine
pathonproject.com
November 1, 2025 at 11:29 AM
Reposted by Nicolas Grégoire
agarri.fr
www.agarri.fr/blog/archive...
Traceroute-like HTTP scanner | Agarri : Sécurité informatique offensive
www.agarri.fr
October 30, 2025 at 6:15 PM
Reposted by Nicolas Grégoire
pinkflawd.bsky.social
Y'all fantastic news! Save the date, @blackhoodie.bsky.social will be at @districtcon.bsky.social this year 😱 the fantastic crew has offered to host us for a day of Malware Reverse Engineering! @synapticrewrite.bsky.social and myself will be hosting a training for women by women on January 23rd!!
October 26, 2025 at 7:37 PM
Reposted by Nicolas Grégoire
ministraitor.bsky.social
I've put together a website which indexes all the recordings my rigs have made thus-far as well as those currently planned:
administraitor.video
(minimalist - I'm a mid-/backend dev! 😋)
Infosec/hacking videos recorded by Cooper (@Ministraitor)
Infosec/hacking videos recorded by Cooper (@Ministraitor)
administraitor.video
November 14, 2024 at 1:33 PM
agarri.fr
That looks to me like some wild unauthorized hacking…

samcurry.net/hacking-club...

Shubs and Sam are well known, but in my opinion, this kind of publication only encourages others to go out of scope and hit random websites

My advice: don’t do it, even if it’s an easy way to get some fame
Hacking the World Poker Tour: Inside ClubWPT Gold’s Back Office
In June, 2025, Shubs Shah and I discovered a vulnerability in the online poker website ClubWPT Gold which would have allowed an attacker to fully access the core back office application that is used f...
samcurry.net
October 26, 2025 at 10:15 AM
agarri.fr
Reversing a smart vacuum and making it work without access to the Internet 🤖

codetiger.github.io/blog/the-day...
The Day My Smart Vacuum Turned Against Me
Would you allow a stranger to drive a camera-equipped computer around your living room? You might have already done so without even realizing it. The Beginning: A Curious Experiment It all started ...
codetiger.github.io
October 26, 2025 at 9:28 AM
Reposted by Nicolas Grégoire
jameskettle.com
Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again!
Context: http1mustdie.com
cloud.google.com/support/bull...
Security Bulletins  |  Customer Care  |  Google Cloud
cloud.google.com
October 24, 2025 at 1:11 PM