Last week an anonymous GitHub account called bikini pushed a repository named exploitarium and, in the space of a few days, dropped more than twenty proof-of-concept exploits against popular open source software. nmap, Ghidra, FFmpeg, VLC, Firefox, libssh2, c-ares, OpenVPN, Docker, PHP, ImageMagick. None of the bugs had been reported to the maintainers beforehand. None were patched. The README said so plainly: at the time of posting, none had been reported, and you were free to file them yourself and "take credit for the CVE."

It hit the top of Hacker News and the thread filled up fast, and the argument that broke out underneath is more interesting than the exploits themselves.

This is worth paying attention to if you build, ship, or rely on open source infrastructure. Which is most of us.

What actually got dropped

The repository is a single consolidated archive: twenty-three folders, each one a self-contained proof of concept against a different target. Some are network plumbing you probably run without thinking about it: c-ares (the DNS resolver library behind curl and a long list of other tools), libssh2, nghttp2, OpenVPN. Some are tools developers use directly: Ghidra and objdump for reverse engineering, nmap for scanning, and protocol dissectors in the spirit of Wireshark's, even if Wireshark itself is not among the targets in this repo. Several are media decoders, a category that has been quietly dangerous for two decades: FFmpeg, VLC, ImageMagick, and 7-Zip's RAR5 handling.