Anonymous GitHub Account Releases Unpatched Zero-Day Exploits
Original: Anonymous GitHub account mass-dropping undisclosed 0-days
Why This Matters
Publicly available zero-day exploits significantly increase attack surface for software vendors and users before patches are available.
An anonymous GitHub user published a repository containing proof-of-concept exploits for multiple undisclosed zero-day vulnerabilities across software including 7-Zip, AnyDesk, Firefox, and others. The account states vulnerabilities were unreported at publication time.
A GitHub repository labeled 'exploitarium' under the anonymous username 'bikini' contains proof-of-concept code for zero-day vulnerabilities affecting multiple applications. The repository includes exploits for 7-Zip RAR5, AnyDesk, c-ares, Docker, FFmpeg, Firefox SmartWindow, Flowise, Ghidra, Gitea Act Runner, ImageMagick, and libssh2 among others. According to the repository description, the exploits were published before vulnerability disclosure to responsible parties. The account creator stated the purpose is educational, aiming to attract security researchers to the field and that users are encouraged to report vulnerabilities themselves and claim CVE credits. The repository has garnered 786 stars and 178 forks. The creator explicitly requested users not to abuse the exploits.