MonkeHacks #89
Welcome to the first issue of 2026. On the personal side, I caught a mild cold, and I spent some time doing personal finance optimisations to reduce my expenses and such (like a spring cleaning of my subscriptions). I’ve been exercising every other day this week (gym, bouldering, soccer) and I’m happy that I’m sticking to my new routine.
I’ve had a relatively productive week, but I’ll discuss more on that below. The temperature has dropped sharply, and the harbour near my apartment has frozen over entirely. It’s around 0°C or 32°F in Edinburgh right now, with heavy snowfall further north in Scotland. I watched Marty Supreme in the cinema this week - excellent film. Highly recommended.

The Sherlock Holmes statue in Edinburgh with a cone on its head.
Weekly Ideas / Notes
Before we get to the main content - you may notice that this issue looks different. This is because I upgraded to the paid plan on Beehiiv, which has a much better site builder and proper analytics. I’m happy to announce that Bugcrowd will be sponsoring this newsletter from the next issue! I don’t make money directly from this newsletter, and this sponsorship is just to cover the cost of the upgraded Beehiiv plan. If there are any leftover funds from the sponsorship, I’ll put them towards a giveaway or something similar that gives back to the hacker community. I’m hoping to write more technical content this year, so look forward to that!
I got this Japanese Cherry Blossom Landscape Lego set for myself as a decorative piece after one of my friends described my apartment as “as soulless as a Soviet block”. I’m looking forward to building this thing.
I spent quite a few days this week upgrading how I use AI in my hacking workflow, after speaking with xssdoctor. I’m currently running Caido and Claude Code from my Raspberry Pi that I host in my bedroom. It’s a pretty nice setup, and I’m adding more capabilities to my AI automation at the moment. I have the architecture drawn up in my notebook, and now it’s just a matter of implementation. Raspberry Pis are amazing for scripts that don’t require much compute power. They’re cheap and consume next to no electricity.
Following this train of thought, it’s more and more clear to me that this year, the most efficient hackers will be the ones who operate agents that have high-quality notes powering them. So take good notes! Take organised, thorough notes! You’ll need them. You can’t trust just anyone’s notes - because if you do, you open yourself up to a prompt injection supply chain attack. Write them yourself, build your portfolio.
Next week, I’ll be doing a Hackalong shift for the charity Hackalong over at Critical Thinking. The imposter syndrome is kicking in a bit but I’ll do my best. Do tune in, it’s for a good cause and you’ll definitely learn something with the lineup we have for the day. More on that soon.
I read somewhere, or maybe it was in a few places, that part of the reason people feel overwhelmed is because they have “open loops” in their mind, such as unfinished tasks or projects. I like this analogy, and it certainly holds true for me, so I’m going to spend the next week closing some loops before I continue working on my startup or AI project.
Reading List
| Title | Pages | Author |
|---|---|---|
| The Night Circus | 85/512 | Erin Morgenstern |
| Solenoid | 130/600 | Mircea Cărtărescu |
| A Random Walk Down Wall Street | 150/300 | Burton Malkiel |
| How The World Made The West | 265/400 | Josephine Crawley Quinn |
| Founders At Work | 190/472 | Jessica Livingston |
Resources
0day speedrun? OpenFlagr <= 1.1.18 Authentication Bypass: My friend DreyAnd found a 0day very, very quickly. Drey is one of the best young hacker talents around - he does CTFs with Project Sekai.
Top 10 Web Hacking Techniques of 2025 - Nominations Open: PortSwigger’s annual list, which is always among the best content of the year, is taking nominations for their 2025 edition. They’ve listed a few great articles there (some of which I’ve completely missed) so take a look!
Never Trust the Output: Data Pollution in AI Agents and MCP: Slonser with a new AI hacking technique! Slonser always produces excellent research.
Intigriti December 2025 XSS Challenge Writeup by J0R1AN: A gargantuan client-side hacking writeup, a masterpiece of CTF. Very very nice.
