s

s1r1us

(he/him)

• 

  SupaPwn: Hacking Our Way into Lovable's Office and Helping Secure Supabase

  We hacked our way into Lovable's office by demoing SupaPwn — a chain that could potentially enable region-wide tenant takeover: event-trigger privilege window, DB superuser, host RCE, SUID escalation, exposed configs, orchestration takeover

  s s1r1us

  r rootxharsh

  z zayne

  l liveoverflow

  ・ November 17, 2025

  research
• 

  Introducing Hacktron AI: An autonomous penetration test of Gumroad

  At Hacktron, we're building collaborative AI agents that act as autonomous security researchers. Learn more about our approach and our AI-driven pentest on Gumroad.

  z zayne

  s s1r1us

  ・ August 14, 2025

  research essay

• How can we make AI hack like a human?

  Why does hacking feel like magic? We dive deep into how human hackers think, and how we can design AI agents to find bugs in complex systems the way top security researchers do.

  s s1r1us

  ・ April 21, 2025

  essay

• CVE-2022-23597: Remote code execution on Element Desktop

  We achieved full RCE on Element Desktop by chaining iframe injection, Electron misconfigs, and a V8 exploit to bypass sandboxing and access Node.js APIs from a subframe.

  s s1r1us

  T TheGrandPew

  ・ August 13, 2022

  research electrovolt

• Remote code execution on Discord Desktop

  How a chain of XSS, CSP bypass, and Electron misconfigs led to full remote code execution on Discord Desktop. We walk through the technical details, steps, and lessons learned.

  s s1r1us

  ・ July 29, 2022

  research electrovolt

• CVE-2021-43908: Remote code execution in VSCode restricted mode

  How we achieved remote code execution in Visual Studio Code's Restricted Mode by chaining origin leaks, CSP bypasses, and webview message handler flaws.

  s s1r1us

  T TheGrandPew

  ・ June 29, 2022

  research electrovolt