Polyglot Files, Gitxray v1.0.19, and Other Offensive Security Takeaways
In our final 2025 edition, we share a hands-on introduction to polyglot files and how they can be used to bypass upload controls and trigger unexpected behavior, along with improvements to the Gitxray open-source tool, and insights from our latest K-Talks sessions.
📝 Latest from Our Blog:
A Hands-On Introduction to Polyglot Files
An introduction to polyglot files and why they remain a powerful technique for uncovering multiple classes of vulnerabilities. You’ll learn how these files, when interpreted differently, can bypass upload controls and trigger unexpected behavior. Felipe Raczkowski Anaya breaks down how polyglots work at a structural level, when they become especially risky in real-world upload flows, and how tools like Mitra and ExifTool can be used to create them.
⭐ Highlight:
“Polyglot files can be very sneaky, and they act as a reminder that ‘file type’ can be an interpretation based on a lot of moving parts, very much tied to the complexity of the type of file being ingested and/or interpreted.”
Felipe Raczkowski Anaya - Security Consultant
🆕 Gitxray v1.0.19 is out!
The new version includes bug fixes and adds an additional cross-check between a repository’s creation date and commit timestamps.

We published a short article documenting tests with Gitxray against fabricated GitHub activity generated using the Fabricate tool. The write-up outlines which signals can be observed when comparing commit histories against GitHub-provided timestamps.
🎙️ K-Talks:
In our final 2025 K-Talk, we had a double session with Kulkanners delivering findings and methodologies to strengthen future pentesting assessments.

In the first session, Octavio Gorrini presented an overview of XXE attacks, including practical demonstrations and real-world scenarios. Then, Matias Fumega showcased his IoT security research, covering hardware analysis, reverse engineering, and cloud-based attack vectors.
Hacking 2025. Attacking 2026.
As we close out the year, we’d like to thank you for being part of the conversations that help shape stronger security practices. We look forward to continuing “hacking” 2026, helping teams validate their defenses through thoughtful, attacker-led penetration testing.
We wish you a successful and rewarding 2026. If you believe we can help secure that journey, let’s start the conversation!

