Conference recordings and slides from the keynote talks at Nullcon Goa 2026 are now online!

📅 Full conference agenda

🖥Keynote video recordings

We've highlighted a few talks worth checking out:

🛑The Machine with Many Faces: Identity Impersonation in SPIFFE/SPIRE. The speaker shows how SPIFFE/SPIRE misconfigurations can let one service impersonate another, steal SVIDs, and move laterally between services inside a cluster.

🛑The Meltdown Moment: CVE-2025-21533 – A Speculative Store Bypass in Oracle VirtualBox. The presenters dissect CVE-2025-21533 in Oracle VirtualBox — a flaw allowing a local low-privileged user to access sensitive data via speculative store bypass and cache-based side-channel attacks.

🛑Phantom Code: Evading Windows 11 25H2 Through POSIX-Based Self-Deletion and Stealth Injection. The authors show how NTFS changes in Windows 11 25H2 broke legacy self-deletion techniques and demonstrate a new method for complete file removal using POSIX semantics. The talk also covers working with foreign processes to evade detection.

🛑Why-So-QUIC!? Racing and Fuzzing HTTP/3 with QuicDraw-UI. The speaker explores HTTP/3 and QUIC from an attacker's angle and presents the open-source QuicDraw tool for testing the protocol. The session demonstrates exploitation of a real 1‑day vulnerability involving an HTTP/3 race condition.

🛑When Your Package Manager Became a Weapon: Anatomy of the First Self-Replicating Supply Chain Worm. The authors analyze the npm worm Shai‑Hulud, which compromised over 500 packages, and explain how to detect similar attacks without signatures or CVE databases — through source analysis and syscall‑level package behavior monitoring.

🛑Just Say Hello: Stealthy Data Exfiltration Exploiting TLS Handshake with Next Generation Firewalls. The presenters introduce the Helol tunnel technique for covert data exfiltration and C2 over a TLS Client Hello, showing how such a channel can bypass modern NGFWs.