Hacktron autonomously reviews code, finds vulnerabilities, and writes exploits.https://www.hacktron.ai/https://www.hacktron.ai/blog/rce-in-vscode-copilot/https://www.hacktron.ai/blog/rce-in-vscode-copilot/Copilot agent mode is vulnerable to a prompt injection attack. If a repository maintainer clicks 'code with agent mode' on an issue, it will open a new codespace and copilot will automatically run the issue's description.Wed, 13 May 2026 00:00:00 GMThttps://www.hacktron.ai/blog/hacktron-review-for-open-source/https://www.hacktron.ai/blog/hacktron-review-for-open-source/We are opening up Hacktron Review for Open Source, giving qualifying maintainers free PR security reviews with inline findings, auto-resolution, and project-specific learning.Fri, 08 May 2026 00:00:00 GMThttps://www.hacktron.ai/blog/react2shell-vercel-waf-bypass/https://www.hacktron.ai/blog/react2shell-vercel-waf-bypass/Working with Vercel Team to Keep the Internet Secure from React2Shell Mon, 04 May 2026 00:00:00 GMThttps://www.hacktron.ai/blog/why-mythos-doesnt-matter-for-us/https://www.hacktron.ai/blog/why-mythos-doesnt-matter-for-us/Benchmarking Hacktron's scanning pipeline shows that for most applications, smaller models run repeatedly can outperform larger frontier models on cost-to-recall.Wed, 29 Apr 2026 00:00:00 GMThttps://www.hacktron.ai/blog/introducing-hacktron-review/https://www.hacktron.ai/blog/introducing-hacktron-review/Hacktron Review is an AI security reviewer for pull requests that understands codebase context, reduces false positives, and catches exploitable vulnerabilities before they are merged.Tue, 28 Apr 2026 00:00:00 GMThttps://www.hacktron.ai/blog/i-let-claude-opus-to-write-me-a-chrome-exploit/https://www.hacktron.ai/blog/i-let-claude-opus-to-write-me-a-chrome-exploit/I pointed Claude Opus at Discord's bundled Chrome (version 138, nine major versions behind upstream) and asked it to build a full V8 exploit chain. The V8 OOB we used was from Chrome 146, the same version Anthropic's own Claude Desktop is running. A week of back and forth, 2.3 billion tokens, $2,283 in API costs, and about ~20 hours of me unsticking it from dead ends. It popped calc.Wed, 15 Apr 2026 00:00:00 GMThttps://www.hacktron.ai/blog/openam-deserialization-pre-auth-rce/https://www.hacktron.ai/blog/openam-deserialization-pre-auth-rce/Hacktron AI discovers a critical pre-authentication RCE in OpenAM through a forgotten deserialization parameter that the original CVE-2021-35464 fix missed.Tue, 07 Apr 2026 00:00:00 GMThttps://www.hacktron.ai/blog/hacking-cloudflare-vinext/https://www.hacktron.ai/blog/hacking-cloudflare-vinext/Cloudflare built a Next.js replacement in a week with AI for $1100. We pointed Hacktron at it to find what the tests missed.Fri, 27 Feb 2026 00:00:00 GMThttps://www.hacktron.ai/blog/hacking-cluely/https://www.hacktron.ai/blog/hacking-cluely/How we found a vulnerability in Cluely's Electron app that let any website silently capture screenshots, record audio, and exfiltrate everything - all because of a missing will-navigate handler.Sat, 14 Feb 2026 00:00:00 GMThttps://www.hacktron.ai/blog/hacking-google-antigravity/https://www.hacktron.ai/blog/hacking-google-antigravity/Hacktron AI Research Team discovered a critical RCE in Google’s Antigravity IDE that lets attackers take over your system just by opening a malicious website.Sun, 08 Feb 2026 00:00:00 GMThttps://www.hacktron.ai/blog/cve-2026-1731-beyondtrust-remote-support-rce/https://www.hacktron.ai/blog/cve-2026-1731-beyondtrust-remote-support-rce/Hacktron AI's agents identified a critical pre-authentication remote code execution (RCE) vulnerability in BeyondTrust Remote Support (RS) and older versions of Privileged Remote Access (PRA). This has been assigned CVE-2026-1731 with a CVSS 9.9 critical score.Fri, 06 Feb 2026 00:00:00 GMThttps://www.hacktron.ai/blog/soc-2-type-1/https://www.hacktron.ai/blog/soc-2-type-1/Hacktron has achieved SOC 2 Type 1 compliance, demonstrating our commitment to robust security practices and protecting our customers' data.Tue, 13 Jan 2026 00:00:00 GMThttps://www.hacktron.ai/blog/hacking-openai-atlas-browser/https://www.hacktron.ai/blog/hacking-openai-atlas-browser/A critical ChatGPT Atlas Browser vulnerability: XSS on an OpenAI subdomain let attackers hijack tabs, leak browsing URLs, and steal OAuth tokens.Tue, 02 Dec 2025 00:00:00 GMThttps://www.hacktron.ai/blog/perplexity-comet-uxss/https://www.hacktron.ai/blog/perplexity-comet-uxss/How Hacktron AI Research team identified and prevented a critical UXSS vulnerability in Perplexity's AI Browser - Comet.Mon, 24 Nov 2025 00:00:00 GMThttps://www.hacktron.ai/blog/jdbc-audit-at-scale/https://www.hacktron.ai/blog/jdbc-audit-at-scale/How we used Hacktron CLI to audit JDBC drivers at scale, mapping dangerous sinks to user input and turning file primitives into real-world RCEs and bug bounties.Fri, 21 Nov 2025 00:00:00 GMThttps://www.hacktron.ai/blog/supapwn/https://www.hacktron.ai/blog/supapwn/We hacked our way into Lovable's office by demoing SupaPwn — a chain that could potentially enable region-wide tenant takeover: event-trigger privilege window, DB superuser, host RCE, SUID escalation, exposed configs, orchestration takeoverMon, 17 Nov 2025 00:00:00 GMThttps://www.hacktron.ai/blog/introducing-hacktron/https://www.hacktron.ai/blog/introducing-hacktron/At Hacktron, we're building collaborative AI agents that act as autonomous security researchers. Learn more about our approach and our AI-driven pentest on Gumroad.Thu, 14 Aug 2025 00:00:00 GMThttps://www.hacktron.ai/blog/python-zip-confusion/https://www.hacktron.ai/blog/python-zip-confusion/How a Python comment can turn a file into a ZIP polyglot, tricking the interpreter into running code. Insights from a UIUCTF 2025 challenge and Python's ZIP parsing quirks.Mon, 28 Jul 2025 00:00:00 GMThttps://www.hacktron.ai/blog/dassault-delmia-apriso-rce/https://www.hacktron.ai/blog/dassault-delmia-apriso-rce/For years, this vulnerability hid in plain sight — missed by multiple audits and even used in production by Apple. In just ten minutes, Hacktron exposed a full pre‐auth RCE path.Tue, 03 Jun 2025 00:00:00 GMThttps://www.hacktron.ai/blog/ivanti-epmm-variant-analysis/https://www.hacktron.ai/blog/ivanti-epmm-variant-analysis/Hacktron AI uncovers a new pre-authenticated RCE variant in Ivanti EPMM by identifying a fresh EL injection sink.Fri, 16 May 2025 00:00:00 GMThttps://www.hacktron.ai/blog/ai-hackers-generational-threat/https://www.hacktron.ai/blog/ai-hackers-generational-threat/AI hackers will scale cyber threats via automated exploitation, but the same technology can turn this generational risk into an industry-wide defence.Thu, 08 May 2025 00:00:00 GMThttps://www.hacktron.ai/blog/how-ai-can-hack/https://www.hacktron.ai/blog/how-ai-can-hack/Why does hacking feel like magic? We dive deep into how human hackers think, and how we can design AI agents to find bugs in complex systems the way top security researchers do.Mon, 21 Apr 2025 00:00:00 GMThttps://www.hacktron.ai/blog/element-rce/https://www.hacktron.ai/blog/element-rce/We achieved full RCE on Element Desktop by chaining iframe injection, Electron misconfigs, and a V8 exploit to bypass sandboxing and access Node.js APIs from a subframe.Sat, 13 Aug 2022 00:00:00 GMThttps://www.hacktron.ai/blog/discord-rce/https://www.hacktron.ai/blog/discord-rce/How a chain of XSS, CSP bypass, and Electron misconfigs led to full remote code execution on Discord Desktop. We walk through the technical details, steps, and lessons learned.Fri, 29 Jul 2022 00:00:00 GMThttps://www.hacktron.ai/blog/vscode-rce/https://www.hacktron.ai/blog/vscode-rce/How we achieved remote code execution in Visual Studio Code's Restricted Mode by chaining origin leaks, CSP bypasses, and webview message handler flaws.Wed, 29 Jun 2022 00:00:00 GMT