π¨New CTF Alert: Got trust issues?
Ever wondered what it's like to investigate a real data leak? Now's your chance.
π΅οΈ Your mission:
1) Investigate the compromised machine
2) Figure out how the attacker exfiltrated the data
3) Find the flag
π Start here: cloudsecuritychampionship.com
How good is AI at hacking? We built a benchmark to find out. π§ͺ
Introducing the Offensive AI Benchmark, the framework that tests AI agents on 250+ real-world offensive security challenges.
Check it out β
www.wiz.io/cyber-model-...
Patched fast by @awscloud.bsky.social. A tiny regex, huge impact.
www.wiz.io/blog/wiz-res...
π¨ CodeBreach: Wiz Research identified a critical repository-hijacking vulnerability that abused a CodeBuild Regex flaw to compromise core AWS GitHub repos, including a core lib running at the heart of the cloud's most critical interface - the #AWS Console.
π§ Just in time for a new year, a NEW CTF drop!
Think you know Terraform inside out? State of Affairs (challenge 7) might change your mind...
This challenge uncovers an overlooked #Terraform risk and proves IaC tools are part of your supply chain.
www.cloudsecuritychampionship.com/challenge/7
π¨ CRITICAL: MongoBleed (CVE-2025-14847). MongoDB bug leaks in-memory data pre-auth and is exploited in the wild. 42% of clouds vulnerable, ~87K exposed. Atlas patched. Self-hosted: patch now or disable zlib.
www.wiz.io/blog/mongobl...
Day 2 at zeroday.cloud, letβs roll. πΎ
π Didnβt register? No panic.
Walk-ins are welcome for the onsite CTF and all the action happening on the floor.
Flags are hidden. Only the sharp survive.
Day 1 of zeroday.cloud = PURE EXPLOIT ENERGY πΎ
From crowd shots π to researchers buried deep in terminals π»
From first checks being claimed
To live container escapes blowing minds in real time.
See you tomorrow!
Day 1 at zeroday.cloud didnβt come to play π
New vulns dropped in Grafana, Linux Kernel, 3 Redis, and 2 PostgreSQL - and every. single. one. worked π€―
100% success rate for day one.
Letβs see what we find tomorrow π
Zeroday.cloud 2025 kicks off TOMORROW! π»
London, brace yourself -
IDEs open. Exploits cooking.
13 zero-days are on the line π£
Don't miss it. Here's the schedule ahead β¬
π§ Your age after React2Shell... π΄π΄.
Cloud Security Wrapped 2025 is HERE β
Check out our exclusive insights from our Wiz Research team!
Spotify, are we doing it right? π΅
π¨ React2Shell (CVEβ2025β55182) inβtheβwild exploitation & deepβdive analysis. Critical RCE across React 19, Next.js & all RSC frameworks. Patch now.
www.wiz.io/blog/nextjs-...
π This is not a dream π€ OUR WizZZZ BOOTH IS NOW OPEN.
Behold the ULTIMATE cloud security booth!
Games, demos, swag, napsβ¦ and the coziest cloud security playground in history ποΈ
Come see why CISOs are finally sleeping through the night π΄
Itβs time to bust some malware! π¦
Challenge #6 βMalware Bustersβ is LIVE.
Built by Gili Tikochinski for the reverseβengineering pros - dive into assembly and uncover whatβs hidden inside.
Think you can crack it?
cloudsecuritychampionship.com/challenge/6
π¨ New Shai-Hulud-style npm attack hitting 25k+ repos and growing fast.
Devs & CI/CD exposed via malicious preinstall. Wiz Research has detection + mitigation.
Details: www.wiz.io/blog/shai-hu...
π€ 65% of Forbes AI 50 companies leaked secrets on GitHub. Shay from our research team revealed how AI speed without security = leaks waiting to happen.
Full Wiz Research report π www.wiz.io/blog/forbes-...
New CTF challenge ($20,000 IN PRIZES) π₯
We're running "Operation Cloudfall" - a live CTF during BlackHat & zeroday.cloud on December 10-11.
Get your free pass to the event today: zeroday.cloud/operation-cloudfall
See you in London π¬π§
πΉοΈ Meet Path-Man: Your new favorite game. πΎπΎπΎ
Our 1-minute Wiz ASM game has arrived!
π€ Here's the challenge: Navigate the attack surface to reach exploitable risk before the attackers get you.
Think you've got the skills? wiz.io/path-man
π Something spooky's brewing in the cloud...
Introducing a new CTF challenge - "Game of Pods" πΈοΈ
π Written by top Azure researcher & worth 30 points, it's our BIGGEST challenge yet!
Get your skills ready for zeroday.cloud: cloudsecuritychampionship.com
Need a partner to finish that exploit chain for ZERODAY.CLOUD?
We just launched our Research Collaboration Center at zeroday.cloud/collab to connect researchers, combine skills, and meet the deadline. π€
The clock is ticking... β±οΈ
Our biggest reminder yet. ZERODAY.CLOUD.
A first-of-its-kind, open-source cloud hacking competition.
Find vulnerabilities in the critical open-source software that powers the cloud, and compete for your share of a $4.5M prize pool.
β‘οΈ www.zeroday.cloud
π We're giving away 2,000 SHIFT LEFT keyboards β
Want one on your desk?
Fill out the form >> redeem.reachdesk.com/lp/wiz/shift...
That's it! The keyboard is on its way π¦
Why are we doing this? π
A secret game is coming⦠and the whole world is invited.
π¨ Wiz Research uncovered 100+ leaked VSCode publisher tokens that could let attackers push malicious updates to 185K+ installs. We partnered with Microsoft to secure tokens and protect the ecosystem.
@scottpiper.bsky.social highlights an emerging trend of attackers incorporating AI into their payloads, providing recent examples, and discussing the implications of this trend.
Full analysis: www.wiz.io/blog/the-eme...
π€ We're witnessing something unprecedented with AI agents:
Malware that literally prompts ChatGPT, Claude, and other LLMs to write its own attack code. Live. On victim machines.
Introducing ZERODAY.CLOUDπ΅οΈββοΈ
Be the first to participate in the first-of-its-kind cloud hacking competition. π€
WIN HUGE PRIZES from our up to 4.5 million dollar prize pool. π°π
Join us to help make the cloud a safer place. Register your exploit now >> zeroday.cloud
@fortune.com JUST DROPPED A FEATURE ON Wiz π₯
If you've been following the Wiz story, this one's for you.
HUGE shoutout to everyone who made this story worth telling. You helped build something Fortune couldn't ignore π
fortune.com/article/wiz-...
π¨ #Shai-Hulud: Major npm supply chain attack.
100+ packages weaponized with stolen GitHub tokens, stealing secrets, hijacking repos, and auto-propagating like a worm.
Guidance + detections inside
www.wiz.io/blog/shai-hu...
Impact: code reached ~10% of cloud envs in 2hrs. Risk highest for crypto apps serving JS. Blocklist bad versions, clear caches, rebuild, scan bundles. Wiz detections live in Threat Center. Learn more: www.wiz.io/blog/widespr...
π¨ Major npm hijack: Attackers took over Qix's account (chalk, debug & more). Malicious versions briefly hit npm, injecting browser code to hijack crypto transactions.
DuckDB ecosystem is also affected.
