Microsoft BitLocker Backdoor Claim, Linux Kernel SSH Key Flaw, Grafana GitHub Breach
TLDR: A security researcher alleges Microsoft built a secret backdoor into BitLocker and published a working exploit to prove the claim.
The fourth Linux kernel flaw disclosed this month could allow attackers to steal SSH host keys from affected systems.
Grafana Labs confirmed a GitHub breach that exposed source code, and the company refused to pay the ransom demanded by the attackers.
Microsoft BitLocker Backdoor Allegedly Revealed by Security Researcher
A security researcher claims Microsoft quietly built a backdoor into BitLocker and released a proof-of-concept exploit to back up the accusation.
The researcher argues that the alleged mechanism could let specific parties bypass full-disk encryption protections that millions of Windows users rely on. The public release of working exploit code raises the stakes by giving defenders and attackers an immediate way to test the claim. Microsoft has not yet issued a detailed technical rebuttal to the findings.
Fourth Linux Kernel Flaw This Month Risks Stolen SSH Host Keys
Qualys has flagged another Linux kernel security issue, the fourth this month, with the potential to leak SSH host keys from vulnerable systems.
The disclosure adds to a growing list of kernel-level bugs that defenders are scrambling to track. SSH host keys are a foundational trust anchor for remote access, so a viable theft path could enable spoofing, man-in-the-middle attacks, and broader lateral movement across infrastructure. Administrators are urged to monitor distro advisories and patch promptly.
Grafana Labs Hit by GitHub Breach, Source Code Stolen, Ransom Rejected
Grafana Labs disclosed that attackers used a compromised token to access its GitHub environment and exfiltrate source code, then tried to extort the company.
Grafana says no customer data or systems were affected and that it invalidated the compromised credentials and tightened controls. The group, reportedly CoinbaseCartel, demanded a ransom to prevent publication of the codebase, but Grafana declined, citing FBI guidance against paying cybercriminals. Source code theft still carries longer-term risk if attackers mine it for flaws.



