[tl;dr sec] #286 - Securing Vibe Coding, Finding Secrets "Oops Commits", Backdooring IDE Extensions
Rules files to vibe securely, earning $25K from dangling commits, compromising the extension marketplace of Cursor, Windsurf, and other VS Code forks
Hey there,
I hope you’ve been doing well!
Developers are leveraging AI tooling to ship code faster than ever. So it’s important for security teams to keep up.
Which is why I’m stoked to announce this upcoming free webinar I’m doing with my friend Scott Behrens, a Principal Security Engineer at Netflix.
Scott has been using AI as a force multiplier in his work helping secure a broad swathe of Netflix systems.
One specific use case has been rapidly ramping up on new code bases (Netflix has thousands) and doing targeted secure code reviews.
So in the webinar (Thursday, July 31st at 10am PT) we’re going to do a live walkthrough of using RooCode, a free and open-source VS Code plugin, to hunt for bugs in a real open-source repository.
We’ll cover:
How to use LLMs to quickly understand any repo’s purpose, core functionality, architecture, tech stack, and more.
How to create an LLM Security Assessment “persona” that can execute multi-step analyses on your behalf.
Best practices on having an agent perform secure code review.
How to have an agent run security MCP tools (e.g. Semgrep) and write a proof-of-concept reproduction script.
We’ll release all prompts and tooling used, and leave plenty of time for questions.
👉️ See you there 👈️
Sponsor
📣 Your Guide to Evaluate AI SOC Tools
Before you evaluate AI SOC solutions, make sure you’re prepared with the right questions.
This blog from Intezer provides a guide with key topics to ask vendors about such as:
✅ How do you validate the accuracy of your verdicts?
✅ Can the AI explain how it reached its conclusions?
✅ Can the platform autonomously take action (e.g., containment, ticket closure, escalation)?
✅ How do you ensure full alert coverage without sacrificing performance?
Make sure you know how to validate bold claims and determine if an AI SOC solution is enterprise-ready.
These are some thoughtful, good questions. I’m going to keep this in mind next time I’m reviewing an AI SOC tool.
AppSec
NikhilPanwar/secrets-ninja
A GUI tool for validating API keys and credentials. It tests the keys from your browser using JavaScript, so secrets are never collected or logged.
Introducing Kingfisher: Real-Time Secret Detection and Validation
MongoDB’s Mick Grove announces Kingfisher, a new open source secret scanner that also validates if detected secrets are active and pose immediate risk. Kingfisher is written in Rust for performance, uses Hyperscan for regex matching, tree-sitter for parsing source code across 20+ programming languages, and has over 700 rules for detecting and validating a broad range of secrets.
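To make the detect-then-validate idea concrete, here’s a minimal sketch (my illustration, not Kingfisher’s actual rule syntax): a regex rule flags candidate secrets, and a separate validation step would then make a cheap provider call to check whether each hit is still live.

```python
import re

# AWS access key IDs famously start with "AKIA" followed by 16
# uppercase alphanumeric characters.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def detect_aws_key_ids(text: str) -> list[str]:
    """Return candidate AWS access key IDs found in text."""
    return AWS_KEY_ID.findall(text)

# A real scanner would then *validate* each hit, e.g. by making a cheap,
# signed call to the provider (sts:GetCallerIdentity for AWS) and
# checking whether the credential still works.
sample = 'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"'
print(detect_aws_key_ids(sample))  # ['AKIAIOSFODNN7EXAMPLE']
```

The validation step is what separates “there’s a high-entropy string here” from “this key is active and an attacker could use it right now.”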
How Google Cloud is securing open-source credentials at scale
Google’s Eve Martin-Jones and Yuanchen Li discuss a new tool to scan open-source package and image files for leaked Google Cloud credentials. The tool scans both historical artifacts and newly published open-source artifacts (e.g. packages from Maven Central and PyPI, images on DockerHub), helping to identify exposed API keys, service account keys, and OAuth client secrets, with plans to expand to third-party credentials later this year.
💡 The tool appears to be something Google has added to their infrastructure, not something they’re open sourcing (at least at this time) :(
How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets
GitHub Archive logs every public commit, even the ones developers try to delete (e.g. via force push). Sharon Brizinov continues his prior research on finding secrets in deleted commits: he scanned every force push event since 2020, analyzed the dangling commits, and found secrets worth $25K in bug bounties. In collaboration with Truffle Security, they’ve released the new OSS tool Force Push Scanner to identify secrets in dangling commits.
💡 Great write-up of determining a methodology, building up the tooling (evaluating options for acquiring the data, writing the scanning tooling, vibe coding a triager) and how to scale it. TIL gharchive.org has an archive of GitHub’s Event stream data.
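If you want to play with the idea yourself, a common heuristic (my assumption about the GH Archive event schema, not necessarily the exact filter used in the research) is that a force push shows up as a PushEvent that adds zero commits but still moves the branch head:

```python
def looks_like_force_push(event: dict) -> bool:
    """Heuristic: a PushEvent that introduces zero new commits but still
    moves the branch head is typically a force push that discarded history."""
    if event.get("type") != "PushEvent":
        return False
    payload = event.get("payload", {})
    return payload.get("size") == 0 and payload.get("before") != payload.get("head")

# The "before" SHA of such an event points at a now-dangling commit that
# can often still be fetched from GitHub and fed to a secret scanner.
events = [
    {"type": "PushEvent", "payload": {"size": 0, "before": "aaa", "head": "bbb"}},
    {"type": "PushEvent", "payload": {"size": 2, "before": "aaa", "head": "ccc"}},
    {"type": "WatchEvent", "payload": {}},
]
print([looks_like_force_push(e) for e in events])  # [True, False, False]
```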
Sponsor
📣 Start your Red Team Journey with Altered Security
Altered Security offers multiple Red Team courses for on-prem and cloud with affordable and enterprise-like hands-on labs.
Highlights of Altered Security courses:
Industry recognized certifications like Certified Red Team Professional (CRTP), CRTE, CARTP and more.
Easy-to-access, huge enterprise-like labs.
Designed by Black Hat USA and DEF CON veterans.
Trained more than 40K professionals from 130+ countries and 500+ organizations.
Enjoy 20% OFF on all courses using HackerSummer20OFF (Stripe) from 1st July 2025 to 31st July 2025.
Discounts on courses and hands-on labs, treat yo’self! 🙌
Cloud Security
aws-samples/sample-visualizing-access-rights-for-identity-on-aws
A sample solution that demonstrates how to use AWS IAM Identity Center with Neptune to visualize and map relationships between identities and resources. See also the AWS re:Inforce 2025 talk by Meg Peddada and Alex Waddell: Visualizing workforce identity: Graph-based analysis for access rights.
How to get rekt using AWS Neptune
Plerion’s Daniel Grzelak explores the potential security risks of Amazon Neptune, a managed graph database service. By default, Neptune doesn’t require any authentication, but it’s difficult to make one publicly accessible, though it can be done through a network load balancer. Daniel describes how you can lock down Neptune by restricting network access with security groups, enabling IAM authentication, and restricting the operations each principal can perform. He also scanned the AWS IP range and found a number of public Neptune instances that don’t require authentication.
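On the “restrict what each principal can do” point, here’s a minimal sketch of a least-privilege Neptune data-access policy (the account ID and cluster resource ID are placeholders, and I’m assuming the fine-grained neptune-db actions; older clusters may only support neptune-db:connect):

```python
import json

# Hypothetical read-only Neptune data-plane policy: the principal can
# connect and run read queries, but not write or administer.
policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["neptune-db:connect", "neptune-db:ReadDataViaQuery"],
        "Resource": "arn:aws:neptune-db:us-east-1:111122223333:cluster-ABC123/*",
    }],
}
print(json.dumps(policy, indent=2))
```

Pair this with IAM database authentication enabled on the cluster; without it, the policy never comes into play.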
Profiling TradeTraitor: Tactics, History & Defenses
Invictus Incident Response profiles TradeTraitor, a DPRK-affiliated threat actor targeting AWS environments and the cryptocurrency industry. The group's tactics include supply chain compromise, credential theft, and cloud service abuse, with notable attacks including a $625 million Ronin network hack and a $1.5 billion Bybit theft.
The post describes TradeTraitor's TTPs mapped to MITRE ATT&CK, provides an incident response checklist, and offers practical steps for defending against cloud-based attacks.
Hijacking Amazon EventBridge for launching Cross-Account attacks
AWS EventBridge is a serverless event bus service that enables powerful integrations across multiple AWS accounts. Square’s Ramesh Ramani describes six attack patterns leveraging EventBridge's cross-account capabilities for infiltration and exfiltration, including persistent beaconing, command and control, reconnaissance, data smuggling, account hopping, and API borrowing.
The post provides code examples for each attack and recommends multi-layered security controls, including Service Control Policies, IAM permissions, EventBridge resource policies, VPC endpoints with restrictive policies, and event content validation, along with detection strategies using CloudWatch, CloudTrail, and behavioral analytics.
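As a starting point for the CloudTrail detection angle, here’s a hedged sketch of one check: flag PutEvents calls made by a different account than the one that owns the bus (field names follow the CloudTrail record format; treat this as a toy, not a complete detection):

```python
def cross_account_put_events(record: dict) -> bool:
    """Flag CloudTrail records where events:PutEvents came from a
    different account than the one receiving the event."""
    if record.get("eventName") != "PutEvents":
        return False
    caller = record.get("userIdentity", {}).get("accountId")
    owner = record.get("recipientAccountId")
    return caller is not None and caller != owner

# A cross-account publish (expected for legit integrations, but worth
# baselining which source accounts are normal):
record = {
    "eventName": "PutEvents",
    "userIdentity": {"accountId": "111122223333"},
    "recipientAccountId": "999988887777",
}
print(cross_account_put_events(record))  # True
```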
Supply Chain
Marketplace Takeover: How We Could’ve Taken Over Every Developer Using a VSCode Fork
OpenVSX is a vendor-neutral, open source extension marketplace that VS Code forks like Cursor, Windsurf, and others use. Oren Yomtov describes how he was able to compromise the secret token (OVSX_PAT) of the @open-vsx GitHub service account, which had the power to publish or overwrite any extension in the marketplace, and thus could lead to RCE on any developer machine using one of those extensions.
The flaw: a nightly GitHub Actions workflow runs npm install to build each updated extension, but a malicious extension’s build script could exfiltrate OVSX_PAT.
💡 TL;DR: Don’t run arbitrary user-provided code (build scripts, unit tests, …) in a context that has access to highly privileged secrets.
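The core mechanic is worth internalizing: child processes inherit the parent’s environment, so any secret exported to a CI job is readable by whatever lifecycle scripts npm install executes. A tiny demo (the OVSX_PAT value here is obviously fake):

```python
import os
import subprocess
import sys

# Simulate a CI job that holds a secret in its environment, then spawns
# a "build script" child process. The child can read the secret for free.
env = dict(os.environ, OVSX_PAT="hypothetical-secret")
child = subprocess.run(
    [sys.executable, "-c", "import os; print(os.environ['OVSX_PAT'])"],
    env=env, capture_output=True, text=True,
)
print(child.stdout.strip())  # hypothetical-secret
```

In a real attack the child wouldn’t print the token, it would POST it somewhere, which is why privileged secrets shouldn’t be in scope when untrusted build scripts run at all.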
Can You Trust that Verified Symbol? Exploiting IDE Extensions is Easier Than it Should Be
By OX’s Nir Zadok and Moshe Siman Tov Bustan. OK, I might be misinterpreting the attack and/or threat model, but I think the gist is: IDE extensions come bundled with unique ID(s) in their files, which the marketplaces use to determine whether the publisher + extension should be marked as “trusted.” The authors found that if you borrow those IDs from a trusted extension, and a victim sideloads your malicious extension, e.g. from GitHub (not from the marketplace), the IDE will believe it’s trusted.
In other words, marketplaces and the IDEs rely on an extension’s self-provided ID values, not a cryptographic signature.
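To illustrate why that distinction matters (this is my conceptual contrast, not how any specific marketplace actually works): a self-declared publisher ID can be copied by anyone, while a signature over the package contents requires a key the attacker doesn’t have. Sketched with an HMAC standing in for a real signature scheme:

```python
import hashlib
import hmac

SIGNING_KEY = b"marketplace-private-key"  # hypothetical

def sign(package_bytes: bytes) -> str:
    """Marketplace-side: sign the exact package contents."""
    return hmac.new(SIGNING_KEY, package_bytes, hashlib.sha256).hexdigest()

def verify(package_bytes: bytes, signature: str) -> bool:
    """IDE-side: trust is bound to the bytes, not a self-declared ID."""
    return hmac.compare_digest(sign(package_bytes), signature)

legit = b'{"publisher": "trusted-co", "code": "..."}'
sig = sign(legit)
# An attacker can copy the publisher ID, but tampering breaks verification:
forged = b'{"publisher": "trusted-co", "code": "evil"}'
print(verify(legit, sig), verify(forged, sig))  # True False
```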
Blue Team
Threat Hunting Introduction: Cobalt Strike
Artem Golubin describes how to find and analyze Cobalt Strike servers on the Internet based on their HTTP responses, extracting metadata from their beacons and decrypting configuration data from retrieved executables. Artem also released SigStrike, a Rust tool developed to crawl and validate potential Cobalt Strike servers 20x faster than existing methods.
Your Plugins and Extensions Are (Probably) Fine. Hunt Them Anyway.
Sydney Marrone shares five hunt ideas and one deep dive focused on browser extensions and IDE plugins. The hunt ideas: browser extensions requesting overly broad permissions that could be used for surveillance or exfil, an IDE plugin launching unauthorized scripts, an extension fetching remote code or payloads post-install, a plugin leaking credentials or API tokens, and plugins exfiltrating data via the clipboard, extension messaging, or uploads. The deep dive is on an IDE plugin launching shells or scripts, using the PEAK threat hunting framework, and includes an example SPL query.
Red Team
adgaultier/caracal
A Rust implementation of eBPF techniques that hides target BPF programs & maps (they won’t be visible with bpftop, bpftool, …) and target processes (they won’t be visible with ps, top, procs, ls /proc).
cybersectroll/TrollBlacklistDLL
Give it a denylist and it will block the listed DLLs from loading by patching LdrLoadDll in the local/remote process to return “DLL not found.” Can be used to block some AV/EDR DLLs.
AI + Security
matank001/cursor-security-rules
By Matan Kotick: Repo with Cursor Security Rules designed to improve the security of both development workflows and AI agent usage. The rules aim to enforce safe coding practices, control sensitive operations, and reduce risk in AI-assisted development.
Secure Vibe Coding Guide
Ken Huang shares some example prompts to nudge an LLM in the right direction, but honestly a lot of these are just the kind of guidance you’d see in OWASP or general secure coding guidelines.
BaxBench: Can LLMs Generate Secure and Correct Backends?
Paper by ETH Zurich’s Mark Vero et al that introduces a new benchmark to evaluate LLMs on secure and correct code generation. I need to read the paper in more detail, but some initial thoughts:
It’s awesome that they released the code and dataset.
There’s some nice breadth: 28 coding scenarios x 14 popular backend development frameworks (spanning 6 programming languages) = 392 tasks.
Nice experimental design and clever way to test the security and correctness of the generated code: they give the models an OpenAPI spec for the models to implement and then basically have correctness and security unit tests that automatically run against that spec. They also look for hard-coded secrets.
Interestingly they also tested including various levels of detailed security instructions in the prompt, from generic to task-specific (see page 6).
I need to read it closer but it wasn’t immediately clear to me if they tested the model’s performance in a multi-step agentic context vs just “one shot this code.”
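The spec-driven testing idea is neat enough to sketch. Here’s a toy version (my illustration of the concept, not their harness): run a correctness test and a security test against the same generated endpoint, where the “endpoint” is a plain function backed by SQLite:

```python
import sqlite3

def lookup_user(db: sqlite3.Connection, username: str):
    # Deliberately vulnerable: SQL built by string formatting.
    cur = db.execute(f"SELECT id FROM users WHERE name = '{username}'")
    return [row[0] for row in cur.fetchall()]

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])

correct = lookup_user(db, "alice") == [1]   # correctness test: passes
leaked = lookup_user(db, "x' OR '1'='1")    # security test: injection payload
print(correct, leaked)  # True [1, 2]
```

The point BaxBench makes is exactly this case: code can be functionally correct (the first check passes) while the security check shows it leaks every row.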
Rules Files for Safer Vibe Coding
Wiz’s Rami McCarthy gives an overview of creating “rules” files to help AI coding assistants generate more secure code, and releases a repo of baseline rules for popular languages and frameworks created via Gemini (he includes the prompt and glue code used). The bottom of the post has probably the largest collection of academic papers on the security of LLM-generated code that I’ve seen in one place. Nice.
💡 See also, Rami’s LinkedIn post where he went through the various “leaked” system prompts for AI coding assistants and extracted the security guidance for Claude Code, Replit, Cursor, Bolt.dev, and Devin.
💡 Using an LLM to programmatically create secure coding guidance across a number of languages and frameworks is a clever idea. I think involving a human expert and/or being more thorough about extracting from existing best practices (e.g. OWASP) might yield better guidance. There are some papers on the impact of prompting on the security of generated code, I’m not sure if the impact of rules files would directly translate.
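For flavor, a rules file is usually just markdown instructions the assistant ingests on every request. A minimal, made-up example in the Cursor .mdc style (the frontmatter fields and rule text here are my own, not from Rami’s repo):

```markdown
---
description: Baseline security rules
alwaysApply: true
---

- Use parameterized queries; never build SQL via string concatenation.
- Never hard-code credentials; read secrets from environment variables or a secrets manager.
- Validate and encode all user input before rendering it into HTML.
- Prefer well-maintained crypto libraries; never implement crypto primitives by hand.
```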
AI and Secure Code Generation
Lawfare blog by Dave Aitel and Dan Geer on how AI-generated code and AI-powered code analysis are transforming software security. At the end of 2024, 25% of new code at Google was written by LLMs, but they argue we haven’t truly measured: do AIs write code with more bugs, fewer bugs, or entirely new categories of bugs? We also need to be better about measuring the effectiveness of LLMs in finding vulnerabilities, prioritized based on exploitability given how the whole system works.
“As LLMs and automated code-scanning tools become widespread, previously obscure vulnerability fixes will become immediately and transparently visible. A security patch that once quietly passed unnoticed now rapidly attracts attention, scrutiny, and automated analysis by both defensive teams and adversaries.
Security teams accustomed to slow-moving disclosure processes and controlled vulnerability releases will suddenly face an environment of immediate exposure and urgency.”
AI
Anthropic - Claude Code: Best practices for agentic coding
Anthropic - How we built our multi-agent research system
hesreallyhim/awesome-claude-code - A curated list of awesome commands, files, and workflows for Claude Code.
snorting the agi with claude code - Example unconventional uses of Claude Code, including generating slide decks to explain codebases, creating weekly code change summaries with text-to-speech output, and using sub-agents from different AI labs (like OpenAI's Codex) for code improvement suggestions.
Senior Developer Skills in the AI Age: Leveraging Experience for Better Results - Three key practices: 1) Well-structured requirements that provide detailed context and implicit constraints, 2) Tool-based guard rails like static analysis and tests that the AI can run and fix issues with, and 3) File-based "keyframing" where stub files are created to guide code organization.
Hooks - Customize and extend Claude Code’s behavior by registering shell commands
Here Is Everyone Mark Zuckerberg Has Hired So Far for Meta’s ‘Superintelligence’ Team
Andrej Karpathy - "context engineering" over "prompt engineering"
The New Lean Startup — Sid Bendre, Oleve
Misc
Feelz
The Gender Attractiveness Gap - “Female faces rated significantly more attractive than male faces across rater genders, cultural backgrounds, and portrayed ethnicities.”
Matthew Hussey on how great relationships are built not found, and the search for that feeling of inner certainty
MrBeast: The Ugly Reality About Fame - Getting mobbed for photos everywhere you go
Misc
Learn OCaml - Free exercises
A Brief History of Children Sent Through the Mail - Back in my day transporting a kid only cost a nickel!
Ed Sheeran - Sapphire (Live from Marseille)
song i wrote instead of checking my answers on the ap music theory exam
Harry Mack (awesome freestyle rapper) randomly shows up when Ari at Home is improvising music in NYC
Subway takes: Rome is guilty of the original cultural appropriation
Dr. Mike - All Protein Is Not Created Equal - TL;DR your body can absorb things like casein protein powder, eggs, and whey protein isolate well, while other protein sources (grains, legumes, nuts) sometimes need amino acids from other things for your body to fully absorb. Ideally you want a Protein Digestibility Corrected Amino Acid Score (PDCAAS) > 0.9.
Politics
Prof Galloway - Why I don’t want to be a billionaire
John Oliver - Trump’s Big Beautiful Bill
Mexican drug cartel hacker spied on FBI official’s phone to track and kill informants
Chinese scientists have built a mosquito-sized spy drone that can be controlled via smartphone and has ultra-miniature cameras and microphones
New lawsuit from noyb claiming Bumble's AI icebreakers break EU law due to passing profile info to OpenAI to provide an AI-generated opening message
Hasan Minhaj interviews 4-star General Stanley McChrystal on the war on terror and his new book “On Character”
US supreme court limits federal judges’ power to block Trump orders - Fill the balancing branch of government with your people → they reduce the power of their branch to check your power ✅
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler