Mohan (Author) | Hacktron AI

Mohan

(he/him)

$170k in Bypasses: The Vercel React2Shell Challenge

Working with Vercel Team to Keep the Internet Secure from React2Shell

g ginoah
M Mohan
・ May 4, 2026

research browser-security
Introducing Hacktron Review

Hacktron Review is an AI security reviewer for pull requests that understands codebase context, reduces false positives, and catches exploitable vulnerabilities before they are merged.

z zayne
M Mohan
l liveoverflow
・ April 28, 2026

news product
I Let Claude Opus Write a Chrome Exploit: The Next Model (Mythos?) Won't Need My Help?

I pointed Claude Opus at Discord's bundled Chrome (version 138, nine major versions behind upstream) and asked it to build a full V8 exploit chain. The V8 OOB we used was from Chrome 146, the same version Anthropic's own Claude Desktop is running. A week of back and forth, 2.3 billion tokens, $2,283 in API costs, and about ~20 hours of me unsticking it from dead ends. It popped calc.

M Mohan
・ April 15, 2026

research
vinext: Vibe-Hacking Cloudflare's Vibe-Coded Next.js Replacement

Cloudflare built a Next.js replacement in a week with AI for $1100. We pointed Hacktron at it to find what the tests missed.

M Mohan
h hacktron
r rootxharsh
・ February 27, 2026

research
Turning Cluely Into Malware

How we found a vulnerability in Cluely's Electron app that let any website silently capture screenshots, record audio, and exfiltrate everything - all because of a missing will-navigate handler.

M Mohan
・ February 14, 2026

research electron-security
CVE-2026-1731: Pre-Auth RCE in BeyondTrust Remote Support & PRA

Hacktron AI's agents identified a critical pre-authentication remote code execution (RCE) vulnerability in BeyondTrust Remote Support (RS) and older versions of Privileged Remote Access (PRA). This has been assigned CVE-2026-1731 with a CVSS 9.9 critical score.

r rootxharsh
M Mohan
・ February 6, 2026

research
Pwning OpenAI Atlas Through Exposed Browser Internals

A critical ChatGPT Atlas Browser vulnerability: XSS on an OpenAI subdomain let attackers hijack tabs, leak browsing URLs, and steal OAuth tokens.

M Mohan
s sudi
・ December 2, 2025

research browser-security
Securing Perplexity’s AI Browser from a One-Click UXSS

How Hacktron AI Research team identified and prevented a critical UXSS vulnerability in Perplexity's AI Browser - Comet.

M Mohan
s sudi
・ November 24, 2025

research browser-security
SupaPwn: Hacking Our Way into Lovable's Office and Helping Secure Supabase

We hacked our way into Lovable's office by demoing SupaPwn — a chain that could potentially enable region-wide tenant takeover: event-trigger privilege window, DB superuser, host RCE, SUID escalation, exposed configs, orchestration takeover

M Mohan
r rootxharsh
z zayne
l liveoverflow
・ November 17, 2025

research
Introducing Hacktron AI: An autonomous penetration test of Gumroad

At Hacktron, we're building collaborative AI agents that act as autonomous security researchers. Learn more about our approach and our AI-driven pentest on Gumroad.

z zayne
M Mohan
・ August 14, 2025

research news
How can we make AI hack like a human?

Why does hacking feel like magic? We dive deep into how human hackers think, and how we can design AI agents to find bugs in complex systems the way top security researchers do.

M Mohan
・ April 21, 2025

essay
CVE-2022-23597: Remote code execution on Element Desktop

We achieved full RCE on Element Desktop by chaining iframe injection, Electron misconfigs, and a V8 exploit to bypass sandboxing and access Node.js APIs from a subframe.

M Mohan
T TheGrandPew
・ August 13, 2022

research electrovolt
Remote code execution on Discord Desktop

How a chain of XSS, CSP bypass, and Electron misconfigs led to full remote code execution on Discord Desktop. We walk through the technical details, steps, and lessons learned.

M Mohan
・ July 29, 2022

research electrovolt
CVE-2021-43908: Remote code execution in VSCode restricted mode

How we achieved remote code execution in Visual Studio Code's Restricted Mode by chaining origin leaks, CSP bypasses, and webview message handler flaws.

M Mohan
T TheGrandPew
・ June 29, 2022

research electrovolt