Anonymous GitHub account mass-dropping undisclosed 0-days
Anonymous GitHub User Mass-Releases Undisclosed 0-Days
An anonymous entity operating under the handle bikini has unleashed a massive collection of previously undisclosed zero-day vulnerabilities and Proof-of-Concept (PoC) exploits. The repository, titled exploitarium, serves as a centralized hub for vulnerability research and exploit code.
"I do this so to allure people into the field, and I've always found this is the most efficient way."
- bikini
The author encourages others to report these vulnerabilities themselves to claim the associated CVE credits, essentially offering the research for "lulz" and educational recruitment.
Repository Overview: bikini/exploitarium
The exploitarium is designed as a consolidated archive. It blends former standalone repositories (preserved with their original documentation) with new, direct research entries.
Contact & Collaboration
If you wish to discuss the findings or collaborate, the author can be reached via Discord: @ashdfrkl.
Detailed Contents of the Drop
The following table outlines the specific targets and the nature of the entries provided in the repository:
| Folder / Target | Source / Commit Hash | Tracked Entries |
|---|---|---|
| 7zip-rar5-motw-chain-poc | bd9533f532c1e4ee6af783b9bb49d1133c600e2c | 3 |
| anydesk-printer-com-impersonation-poc | 7491303301093b2d40bee9dadf6b38f757ce78e0 | 4 |
| c-ares-tcp-uaf-calc-poc | Direct Entry (June 24, 2026) | 7 |
| docker-cp-copyout-destination-escape | d1367b1381736d7f961ac808ce88d4e24a633adc | 5 |
| firefox-smartwindow-private-url-exfil-poc | Direct Entry (June 24, 2026) | 3 |
| floci-apigateway-vtl-rce-poc | Direct Entry (June 23, 2026) | 3 |
| flowise-mcp-env-case-bypass-poc | ed9fab0086674f1b16467990b33bb9299e93429e | 3 |
| ffmpeg-rasc-dlta-calc-poc | Direct Entry (June 26, 2026) | 7 |
| ghidra-12.1.2-rce-ace-calc-poc | 52dee6362990c03c0d753d074c85428824d46368 | 9 |
| gitea-act-runner-container-options-poc | f06d78fb111732f3e7737f4c07e77ef94c4b64bf | 4 |
| imagemagick-gs-delegate-hijack-poc | 8140e8ee0ed78beaf5e8303a795b70b138f5891b | 5 |
| libssh2-cve-2026-55200-poc | Direct Entry (June 23, 2026) | 3 |
| libssh2-publickey-list-calc-poc | Direct Entry (June 25, 2026) | 10 |
| lunar-modrinth-chain-poc | ffd02120708b6503f115858ce3724872f3b7a7 | 6 |
| mybb-limited-acp-to-admin | 1610e0373943c2f6562a99f917d3a3d1fdd9056d | 5 |
| nghttp2-nghttpx-upgrade-queue-poison-poc | Direct Entry (June 26, 2026) | 3 |
| nmap-ipv6-extlen-wrap-poc | Direct Entry (June 23, 2026) | 4 |
| objdump-dlx-calc-poc | 7df01e4e20c7375a89e8ccf760526c52eb6ad582 | 41 |
| openvpn-connect-echo-script-ace-poc | d2f904d9272d4388c9862131d40e32e072e85e38 | 8 |
| php857-streambucket-soap-rce-rpoc | Direct Entry (June 26, 2026) | 6 |
| rustdesk-session-permission-pocs | Direct Entry (June 25, 2026) | 17 |
| systeminformer-phsvc-trusted-host-lpe-poc | Direct Entry (June 24, 2026) | 3 |
| vlc-vp9-reschange-crash-poc | fae72b82f24d03cf2fb9cb55fbb2e7774f684ff3 | 3 |
Technical Consolidation Process
The author performed a rigorous "Consolidation Check" on June 23, 2026, to ensure that the transition from standalone repositories to the unified exploitarium archive was lossless.
The Workflow
The process involved comparing the HEAD tree of the original repositories against the new folder structure using Git tree data.
Verification Requirements
For every tracked entry, the following criteria had to be met:
- Identical relative file paths.
- Matching Git object types.
- Consistent tree modes (including executable permissions).
- Identical Git blob IDs.
The mathematical certainty of the file integrity is represented by the identity of the blob hashes:
Result: The check covered repositories and tracked entries with .
Important Note on Metadata
While the file contents are identical, the following data was not migrated to the new archive:
- stars
- issues
- pull requests
- releases
- Individual Git commit histories
Implementation Example
The consolidation logic essentially ensured that for any given file :
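```bash
# Conceptual check for blob identity (same blob ID in the old HEAD and in the archive on main)
old=$(git rev-parse HEAD:path/to/exploit_poc.py)
new=$(git rev-parse main:exploitarium/path/to/exploit_poc.py)
[ "$old" = "$new" ] && echo "identical blob"
```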
The direct entries (such as c-ares-tcp-uaf-calc-poc and php857-streambucket-soap-rce-rpoc) were added as native folders without needing this migration check.
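The four verification requirements listed above (relative path, object type, tree mode, blob ID) can be checked in one pass over `git ls-tree -r -z` output from both sides. This is an added example, not code from the repository or its author; the function names, the folder name `demo-poc/` and the placeholder object IDs are assumptions constructed for illustration.

```python
"""Lossless-migration check over `git ls-tree -r -z` output (added example)."""
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (mode, object type, object id)

def parse_ls_tree(raw: str, strip_prefix: str = "") -> Dict[str, Entry]:
    """Map relative path -> (mode, type, oid) from NUL-separated ls-tree records."""
    entries: Dict[str, Entry] = {}
    for record in filter(None, raw.split("\0")):
        meta, path = record.split("\t", 1)       # "<mode> <type> <oid>\t<path>"
        mode, otype, oid = meta.split(" ")
        if strip_prefix:
            if not path.startswith(strip_prefix):
                continue                          # entry belongs to another folder
            path = path[len(strip_prefix):]       # compare paths relative to the folder
        entries[path] = (mode, otype, oid)
    return entries

def consolidation_check(old: Dict[str, Entry], new: Dict[str, Entry]) -> List[str]:
    """Return one finding per mismatch; an empty list means the move was lossless."""
    findings = []
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            findings.append(f"missing in archive: {path}")
        elif path not in old:
            findings.append(f"extra in archive: {path}")
        else:
            for label, a, b in zip(("mode", "type", "oid"), old[path], new[path]):
                if a != b:
                    findings.append(f"{label} differs: {path} ({a} -> {b})")
    return findings

# Constructed sample data (placeholder object IDs, not taken from the repository).
A, B = "a" * 40, "b" * 40
OLD_TREE = "\0".join([f"100644 blob {A}\tREADME.md",
                      f"100755 blob {B}\tpoc/run.sh"]) + "\0"
NEW_OK = "\0".join([f"100644 blob {A}\tdemo-poc/README.md",
                    f"100755 blob {B}\tdemo-poc/poc/run.sh",
                    f"100644 blob {A}\tother-poc/README.md"]) + "\0"
# Same blob, but the executable bit was lost and one file was dropped.
NEW_BAD = f"100644 blob {B}\tdemo-poc/poc/run.sh\0"

if __name__ == "__main__":
    old = parse_ls_tree(OLD_TREE)
    print(consolidation_check(old, parse_ls_tree(NEW_OK, "demo-poc/")))
    print(consolidation_check(old, parse_ls_tree(NEW_BAD, "demo-poc/")))
```

On real repositories the two inputs would come from `git ls-tree -r -z HEAD` in the standalone repository and `git ls-tree -r -z main` in the archive, with the archive folder passed as `strip_prefix`.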