🐝 Hive Five 209 - New Space

How to Escalate XSS, Ghostty 1.1.0, Elevenlabs Scraps Job Titles, Obsidian Dynamic Tables and Collaborative Editing, World's First MIDI Shellcode, Optimize your WFH lighting.

Hi friends,

Greetings from the hive!

I'm changing up my AI tools: I swapped my Claude Pro subscription for Raycast AI.

Now, my AI assistant is only two keybindings away, instead of the 6+ actions it required before.

Also, the $11 ($20 - $9) in savings can now be spent on API credits.

In other news, I'm still enjoying Zen browser as my daily driver. I haven't mastered it yet, but I'm looking forward to doing so.

Let's take this week by swarm!

🐝 The Bee's Knees

  • AI supercharges bug bounty hunting by automating tedious tasks, allowing hunters to focus on strategy and creativity. Transform your game by unlocking new levels of vulnerability discovery and exploit generation. MORE

  • Learn how specially crafted artifacts can be used to attack Maven repository managers. This post describes PoC exploits that can lead to pre-auth remote code execution and poisoning of the local artifacts in Sonatype Nexus and JFrog Artifactory. MORE

  • Get FortiRekt, I Am The Super_Admin Now - Fortinet FortiOS Authentication Bypass CVE-2024-55591. MORE

  • 3 ways to escalate your XSS bugs to the next level, using reflected XSS and self XSS. MORE

  • In 1958, NASA was founded, and just 11 years later, we put a man on the moon. But progress stagnated until private ambition met government funding, ushering in the "New Space" era of innovation and exploration. MORE

Brought to you by →

Hack in Style

Gear up with unique hacker-inspired apparel.

Discover the Hive Five Shop, where tech meets style! Our curated collection features everything from quirky tees to stylish caps, designed for those who think outside the box.

Whether you're coding late at night or just want to express your hacker mindset, we have the perfect gear for you.

Plus, refer a friend to our newsletter and get 20% off your next purchase. Don’t miss out on this chance to elevate your wardrobe!

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Table of Contents

📰 Updates

✅ Changelog

  • Ghostty 1.1.0 brings crucial bug fixes and quality-of-life improvements based on user feedback - a month's work across multiple contributors. Exciting updates streamline the experience for this powerful open-source tool. MORE

  • Waymore v4.9 fixes include resolving an error with external JavaScript files and ensuring status code filters handle 404 responses correctly. MORE

  • Obsidian is working on dynamic tables and collaborative editing. Get ready for a game-changing leap in productivity and teamwork. MORE

💼 Work

💰 Career

  • Elevenlabs boldly reshapes its org structure, abandoning traditional job titles. Now, teams like Operations and Go-to-Market define the work, empowering employees to collaborate and innovate beyond rigid roles. MORE

  • Learn how to craft the perfect resume to land your dream tech job. This video covers the 5 biggest mistakes to avoid and insider tips to tailor your resume for better results. MORE

  • Blueprint (Don't Die) is hiring a Director of Digital Product amongst other roles to join their team. MORE

  • The Art of Calling Out Room Dynamics. Discover how naming what's happening in the room can defuse tense meetings, improve team dynamics, and elevate your leadership skills. MORE

🚀 Productivity

  • Theo's made a video about his move from Arc to Zen Browser. MORE

  • Smart Composer, an Obsidian plugin, streamlines your writing process by seamlessly incorporating your vault's content, eliminating the need for excessive context-setting in AI conversations. MORE

  • Homebrew's top priority is improving performance, and you can get quicker results by disabling auto-updates and upgrades, though at the cost of reliability and security. MORE

  • Productivity hack that boosts you from the bottom 10% to the top 10% overnight. Write down every decision on paper. MORE

  • CleanMyMac appears to be a game-changer. Effortlessly reclaims system/browser caches without tedious detective work. MORE

🌎 Community

🎉 Celebrate

  • With grit and determination, SinSinology overcame long hours, sacrifices, and challenges to get 1st place at the prestigious Pwn2Own 2025. MORE

  • 4 NahamSec Discord members earned $30k through Netflix's bug bounty in just January, from live collaborative bug hunting sessions! MORE

  • Searchlight Cyber acquires Assetnote to enhance continuous threat exposure management. MORE

⚑️ Timeline

  • Feature suggestion for BB platforms: An automation that checks the scope of all programs every few days and notifies the program manager if any host is down. MORE

  • InfoSec content creators thread. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

• @adrien_jeanneau | Hisxo | @yeswehack (aka Hisxo) - I love to break things (and I'm paid for that) - Bug Hunter.
• @jstnkndy | Justin Kennedy | Infosec professional & beverage snob. Vice President of Research Consulting @ Atredis Partners. Forever terrified of Kithicor.
• @albinowax | James Kettle | Director of Research at PortSwigger aka Burp Suite.
• @rootxharsh | Harsh Jaiswal | Research at @httpvoid0x2f @pdiscoveryio.
• @ustayready | Mike Felch (Stay Ready) | Red Teamer / Security Research | Prior: CrowdStrike / Current: BHIS | In Christ’s grip | Pentesting since 1997 | Security Focus: Cloud.

πŸ„ Level up

πŸ“° Read

  • RyotaK, security engineer at GMO Flatt Security, uncovered a GitHub bug that allows you to steal Git credentials. MORE

  • During x3ctf, Jorian discovered an unintended solution. It allows you to detect the result of a selector during CSS Injection, bypassing any CSP restricting external requests. MORE

  • How Google estimates the risk from prompt injection attacks on AI systems. MORE

  • Bypassing character blocklists with unicode overflows. MORE

  • World’s First MIDI Shellcode. Porta gained remote code execution via MIDI messages to trick the synth into playing Bad Apple on its LCD. MORE

💡 Tips

  • Hate wasting time with 2FA? Install this CLI tool, configure it with your sites, then use Espanso to auto-fill OTPs with a simple :otp command - instant 2FA access without hassle! MORE

  • How to generate brown noise using Python, a solution that could help other sleep-deprived parents. MORE

  • Optimize your WFH lighting to reduce eye strain and improve productivity with simple, science-backed tips. Achieve a comfortable, glare-free workspace that energizes your workday. MORE

  • To effectively provide context for coding projects using LLMs, create a catall alias in your zshrc that concatenates all files in a directory with their filenames. Then, copy the output, check the token count, and use AI Studio for projects exceeding 150k tokens or Claude for those under that limit. MORE

  • Tons of actionable and practical SEO tips. Packed with proven tactics to boost your online visibility and drive insane traffic. MORE

🧠 Wisdom

  • Professional translator Tom Gally shares a detailed workflow for using LLMs to streamline the translation process, offering a game-changing approach for linguistic experts. MORE

  • Insightful tips from 9 expert writers to help you overcome writer's block and write with power. MORE

  • Hackers share what keeps them going when they're struggling to find much success. MORE

📚 Resources

  • A collection of Turbo Intruder scripts, specifically ones which emulate the 4 main attack types in Burp Intruder (Sniper, Battering ram, Pitchfork, and Cluster bomb). MORE

  • Sub.rehab helps you find alternative platforms for Reddit communities restricted due to ongoing API protests, making it easier to connect with your favorite online spaces. MORE

  • The State of the Cybersecurity Market in 2024. An in-depth look at the cybersecurity market in 2024, focusing on AI's role, funding shifts, and investment trends shaping the industry. MORE

  • Aspiring developer takes on a thrilling challenge, building a NES emulator in Go to showcase their skills and prepare for an exciting summer internship at miHoYo. MORE

  • How-To: Linux Process Injection. Ever wondered how to inject code into a process on Linux? MORE

🛠 Explore

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🧰 Tools

  • Tool for searching exploits from several exploit databases. Exploits are inserted into a SQLite database (go-exploitdb) and can be searched from the command line interface. MORE

  • HExHTTP is a tool designed to perform tests on HTTP headers and analyze the results to identify vulnerabilities and interesting behaviors. MORE

  • Fast virtual host scanner that finds hidden vhosts and identifies which ones are only accessible through Host header manipulation. MORE

  • Virtual host scanner that combines subfinder, dnsx, httpx, and VhostFinder to discover and validate virtual hosts, with automatic path scanning for sensitive endpoints. MORE

🎥 Watch

  • Uncover a treasure trove of 11 free, no-code OSINT tools to level up your investigative skills. Dive into open-source intelligence without a single line of code. MORE

  • Discover the fascinating journey of Valerio Brussani, a seasoned penetration tester and Cobalt Core member, as he shares his path from software development to bug bounty success. MORE

  • Alethe Denis takes audiences on a journey of Epic Fails and Heist Tales: Red Teaming Toward Truly Tested Security. MORE

  • PMing with o1 pro, v0, and DeepSeek-R1. MORE

  • Ray Fernando, a former Apple engineer, gives an in-depth tutorial on DeepSeek AI and its local implementation. MORE

🎡 Listen

  • Basic marketing still outperforms everything: a simple 90-minute webinar turns 200 attendees into 20 buyers, even with just 2,500 subscribers. The framework is dead simple: 20 minutes on your story, 15 minutes on the solution, 20 minutes showing the transformation. MORE

  • Stanford professor Jeffrey Pfeffer shares powerful insights on building influence and accelerating your career – a must-listen for anyone seeking to maximize their impact. MORE

  • Wrote this newsletter listening to Baby J on the ones and twos. MORE

  • Justin and Joseph bring on Aaron Costello to discuss SaaS security and misconfigurations as a bug class. He also gives some in-depth examples from Salesforce, ServiceNow, and Power Pages. MORE

🌐 Technology

  • Beehiiv's 2025 State of Email Newsletters reveals the latest data and industry trends to help you maximize your email strategy in the years ahead. MORE

  • DeepSeek FAQ. DeepSeek has completely upended people’s expectations for AI and competition with China. What is it, and why does it matter? MORE

  • Why hardcoding feature flags is a smart, cost-effective approach — database lookups on small tables are practically free, and caching data can boost performance. MORE

  • If you still remember when Sublime Text launched, you were probably one of its users. It was an innovative code editor at the time, and is still used by some in 2025. MORE

  • Programmatic handling of CORS-configuration errors with jub0bs/cors. MORE

👀 Interesting

  • How Tynan built his E-Ink tea labeling system. MORE

  • Streamline user feedback, reduce support, and efficiently manage product updates with one powerful tool. Boost your development process and delight customers. MORE

I discovered this platform through Pieter Levels, who now manages all his knowledge bases and feature requests here.

As an experienced engineer, I can confidently say that these two core flywheels are the foundation of a modern self-service customer experience and support system.

In the case of feature requests, closing the loop is the most important part.

  • The Good Day Fort Collins newsletter seems like a standard local news roundup, but it's actually part of a network of AI-generated newsletters targeting small-town America with hidden political agendas. MORE

  • Seattle Safe Eats is a svelte-kit project that was designed to easily navigate food safety rating inspections for King County. MORE

  • Anthropic has an AI Policy for Application: "While we encourage people to use AI systems during their role to help them work faster and more effectively, please do not use AI assistants during the application process. [...]"

💭 Quote

"My delusion got me out of the hood, so at this point using logic is absurd."

King Los

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.

📈 Learned something?


Share Hive Five β†’

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE
