Daylila

Cybersecurity · Friday, 3 July 2026

01 · Briefing · what happened

A researcher published 30 secret flaws before telling anyone who could fix them

Cybersecurity 4 min 41 sources

A pseudonymous researcher dumped AI-found zero-day exploits for the Linux kernel, PHP, VLC and more onto GitHub — skipping the industry norm of warning the makers first. Meanwhile two freshly disclosed flaws in Cisco and Citrix gear were attacked within days, and a crew that skims credentials from Fortinet firewalls started handing its stolen logins to ransomware gangs.

Key takeaways

  • A researcher published 30+ previously unknown software flaws online without warning the makers first — flaws in software that runs on billions of machines are now public with no fix yet available.
  • Two freshly disclosed flaws, in Cisco phone systems and Citrix gear, were attacked within days — once details go public, unpatched machines are on a countdown.
  • Modern crime is now specialised: one crew steals firewall passwords, another gang uses them for ransomware — and if an email pressures you to open a file urgently, that pressure is the trap.

The dump that skipped the warning

A researcher going by “bikini” posted more than 30 working exploits onto a public GitHub page called Exploitarium. [7] Each one targets a “zero-day” — a flaw the software makers do not yet know about, so no patch exists. [7] The affected projects include the Linux kernel, PHP, 7-Zip, OpenVPN, and the VLC media player — software on billions of machines. [7]

The researcher says they found the bugs by “fuzzing”: feeding a program huge volumes of malformed input and watching for crashes, each of which points at a weak spot worth examining. [7] They automated the whole hunt using OpenAI’s models. [7]
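The fuzzing described above, as an added illustration that is not code from the researcher or from Exploitarium: a small mutation-based fuzzer in Python run against a constructed toy record parser. The record format, the deliberate bugs in it, the mutation operators and the seed inputs are all assumptions made for this example; the loop itself (mutate a seed, run the target, keep one minimized input per distinct crash) is the shape every fuzzer shares.

```python
# Added example, not code from Exploitarium or the researcher: a mutation-based
# fuzzer against a constructed toy parser. The record format, its bugs, the
# mutation operators and the seeds are assumptions made for this illustration.
import random

INTERESTING = (0x00, 0x01, 0x7F, 0xFF)  # boundary values worth trying


class ParseError(Exception):
    """Clean rejection of bad input: the behaviour we want, not a crash."""


def parse_record(data: bytes) -> dict:
    """Toy format: [name_len][name][count][value hi,lo]*count [mean].
    Deliberately buggy: name_len is checked, but count, the values and the
    mean are read without bounds checks, and the mean check divides by count."""
    if not data:
        raise ParseError("empty record")
    name_len = data[0]
    if 1 + name_len > len(data):
        raise ParseError("name truncated")  # checked: clean rejection
    name = data[1:1 + name_len].decode("ascii", errors="replace")
    pos = 1 + name_len
    count = data[pos]  # BUG: unchecked read
    pos += 1
    values = []
    for _ in range(count):
        values.append(data[pos] << 8 | data[pos + 1])  # BUG: unchecked reads
        pos += 2
    mean = data[pos]  # BUG: unchecked read
    if (sum(values) // count) & 0xFF != mean:  # BUG: count may be zero
        raise ParseError("bad mean")
    return {"name": name, "values": values}


def make_record(name: str, values: list) -> bytes:
    """Build a well-formed record for the seed corpus (values must be non-empty)."""
    body = bytes([len(name)]) + name.encode("ascii") + bytes([len(values)])
    for v in values:
        body += bytes([v >> 8, v & 0xFF])
    return body + bytes([(sum(values) // len(values)) & 0xFF])


def run_target(data: bytes):
    """None for accept or clean reject; otherwise a crash signature of
    (exception type, faulting line), which tells 'same bug again' from a new one."""
    try:
        parse_record(data)
    except ParseError:
        return None
    except Exception as exc:  # anything unhandled counts as a crash
        tb = exc.__traceback__
        while tb.tb_next:
            tb = tb.tb_next
        return (type(exc).__name__, tb.tb_lineno)
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations to a seed."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(5)
        if op == 0 and buf:  # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:  # overwrite with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 2:  # insert a random byte
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == 3 and len(buf) > 1:  # delete a byte
            del buf[rng.randrange(len(buf))]
        elif op == 4 and len(buf) > 1:  # truncate the tail
            del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def minimize(data: bytes, signature) -> bytes:
    """Drop bytes one at a time while the same crash persists (1-minimal
    reduction in the delta-debugging sense; it can stop at a local minimum)."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if run_target(candidate) == signature:
                data, shrunk = candidate, True
                break
    return data


def fuzz(corpus, iterations: int = 3000, seed: int = 1) -> dict:
    """Mutate seeds, run the target, keep one minimized input per distinct crash."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        sig = run_target(candidate)
        if sig is not None and sig not in crashes:
            crashes[sig] = minimize(candidate, sig)
    return crashes


SEEDS = [make_record("abc", [1, 258]), make_record("temp", [0x1234, 5, 6])]
```

Calling `fuzz(SEEDS)` returns a dictionary mapping each distinct crash (exception type plus the line it fired on) to a shrunken input that still triggers it, so the three unchecked reads show up as three separate bugs rather than one. Two things in the toy mirror real fuzzing: the mean field acts like a checksum and cleanly rejects most random mutations, which is why production fuzzers track code coverage to get past such checks; and the minimizer is greedy, so it can stop at a local minimum rather than the smallest possible reproducer.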

Here is the part that set the security world arguing. The normal practice is coordinated disclosure: you privately tell the makers first, give them time to write a patch, then go public. [7] The Exploitarium researcher told no one. First published June 27, the page started with about 15 exploits and grew over the following days. [7] The researcher’s defence, given to Infosecurity over Discord: it’s a way to pull newcomers into the field. [7] They invited others to file the official bug reports themselves. [7]

What this means for you. Nothing you can patch today — this is about the rules of the game, not your laptop. If you run any of the named software, the only move is to apply updates promptly as the projects ship fixes. But the choice matters: for every flaw now public with no fix, defenders and attackers are reading the same page at the same time. When the referee’s whistle stops, whoever moves fastest wins.

When the details go public, the race starts the same day

Two other flaws this week show why that head start matters. Cisco confirmed that a bug in its Unified Communications Manager — the server that runs office phone networks — is being exploited in the wild. [5] Tracked as CVE-2026-20230 (a CVE is just a catalogue number for a specific flaw), it can let an attacker drop files onto the machine and work toward full control. [5] A working proof-of-concept has been public since the flaw was disclosed, and the first real attacks landed last week. [5] The fix has been out since early June; only systems with a particular service switched on are exposed, and that service is off by default. [5] For administrators the check is twofold: confirm the June fix is installed, and confirm that service is still off.

A newly disclosed flaw in Citrix gear — nicknamed “CitrixBleed,” echoing an earlier bug of the same name — was attacked immediately after it was made public. [11] The pattern is the same across both: publish the details, and exploitation follows within days, sometimes hours. The lesson isn’t “don’t disclose” — it’s that the moment a flaw is public, every unpatched machine is on a countdown.

The firewall thieves found a buyer

A campaign called FortiBleed spent last month quietly turning Fortinet firewalls into password thieves — installing a sniffer that skims credentials as they pass through. [4] Researchers at SOCRadar say the operation targeted 430,000 firewalls worldwide and currently has its sniffer running on roughly 12,000 of them. [4]

This week the crew found a way to cash in. SOCRadar traced the campaign’s infrastructure to one operator logged into the ransom-negotiation panels of two ransomware gangs, INC and Lynx. [4] That operator was “engaging directly with ransom demands.” [4] In plain terms: the group that stole the keys is now handing them to gangs that lock up your files for a fee. Stealing access and using it have become two separate jobs. [4]

What this means for you. If your workplace runs Fortinet firewalls, the IT team should treat any credentials that passed through them as compromised and reset them, but only after the firewall itself has been checked for the sniffer: a reset made while it is still running just hands the attackers the new password. For everyone else, this is the shape of modern crime: the person who breaks in rarely does the damage; they sell the door.

Cheap tricks, real arrests

Not every attack is clever. A ransomware campaign is hitting small businesses across the US, Europe, Asia, and the Middle East with fake Interpol emails. [10][13] They claim the recipient is under investigation and must open an attached “evidence” file — which is the malware. [13] Security firm Bitdefender reported it. Their point: “Even relatively simple malware can become a serious threat when paired with convincing social engineering.” [10] Fear makes people click before they think. [13]

On the enforcement side, the US Justice Department says a 19-year-old, Peter Stokes, was arrested in Finland and extradited over alleged membership in Scattered Spider. [21] The DoJ ties that crew of young, English-speaking hackers to more than 100 business breaches and over $100 million in extortion since 2022. [23] One alleged demand: $8 million from a jewellery retailer that refused to pay, “evicted” the intruders, and still lost at least $2 million cleaning up. [21]

What this means for you. If an email pressures you to open a file right now over some official-sounding threat, that pressure is the tell. Real agencies don’t email you a case file to open. Slow down, and check by another channel.

02 · Lesson · why it matters

The rule that protects everyone, kept by nobody in particular

Some of the most important rules aren't laws — they're courtesies everyone follows because everyone benefits, right up until one person decides not to.

A whistle no one is required to blow

When a security researcher finds a flaw in software the world runs on, there’s a choice that has nothing to do with code. Tell the makers quietly and give them time to fix it before anyone else knows — or post it for all to see, defenders and attackers reading the same page at the same instant.

The quiet path has a name, coordinated disclosure, but it has no force behind it. No law commands it. No one can make you do it. It works only because a large group of people, most of whom will never meet, have agreed it’s the decent thing — and keep agreeing, one flaw at a time. This week, one person did the other thing: dozens of unfixed bugs, posted, no warning given. The interesting part isn’t that it’s allowed. It’s that the whole arrangement was always this fragile, and mostly we forget.

The head start is the whole product

Think about what coordinated disclosure actually buys. The flaw exists either way — the researcher didn’t create it, they found it. What the courtesy adds is time: a window where the people who can fix a thing know about it and the people who would abuse it don’t.

That gap is the entire value. Close it — publish to everyone at once — and the defender and the attacker start the same race from the same line, except the attacker only has to win once and the defender has to win everywhere. So the courtesy isn’t softness. It’s a head start handed to the side that needs it more. Take it away and nothing is technically different; the machines have the same bugs they had yesterday. What changed is who knows, and when — and in security, that timing is the safety.

Why one defector doesn’t just cost themselves

Here is the quiet trap in any rule held up by agreement rather than enforcement. When almost everyone follows it, the rare person who doesn’t gets something the others don’t — attention, a name, a point proved — while still enjoying the safety the rule provides. The researcher who dumps flaws publicly is still protected, tomorrow, by every other researcher who quietly warns a maker before going loud.

That’s the asymmetry. The benefit of breaking the norm lands on one person; the cost spreads thin across everyone whose software just became a public target. And because it spreads thin, no single victim has the standing to be furious enough to stop it. A norm can be worth an enormous amount and still be defended by nobody in particular — which is exactly why it can be undone by one person, and why the people undoing it can tell themselves it barely matters.

The rules you can’t see because they’re working

Most of the systems that keep an ordinary life running are like this, not just this one. Drivers stop at a red light whether or not a camera is watching. Strangers form a queue with no one enforcing it. A shopkeeper trusts the tap of a card. None of these are laws you feel; they’re agreements so widely kept that they’ve stopped looking like choices at all and started looking like the way things simply are.

They only become visible when someone opts out — and then you notice the thing was never a wall, just a habit a lot of people share. The researcher this week isn’t a villain in a story; they’re a reminder. The safety you move through every day, online and off, is held up less by locks and laws than by a quiet, unglamorous willingness in most people, most of the time, to do the considerate thing when no one is checking. We are all inside that arrangement, protected by it, and each of us is also one of the people it depends on. It’s steadier than it looks, and more delicate than we let ourselves remember.

03 · Lab · your turn

The Disclosure Window

Choose how long to warn the makers of a piece of software privately before publishing a flaw, and see that the warning window, not the bug itself, decides whether defenders or attackers win the race.

04 · Hope · carry this

For every researcher who dumps a flaw without warning, thousands quietly send the maker a note first and wait — no law tells them to, and they do it anyway. The safety we move through is mostly built from people being decent when no one is checking, and mostly they are.
