[tl;dr sec] #293 - MCP Security, AWS Enumeration, North Korean Hacker's Files Leaked
Critical vulnerabilities in MCPs, stealthily enumerating AWS resources, a North Korean government hacker's computer was pwned, backdoors & campaigns leaked
Hey there,
I hope you’ve been doing well!
😡 Rage-fueled Rewrite
Monday morning I discovered that some tl;dr sec automation I’d built in Zapier randomly stopped working, despite me not touching it for months.
I spent a little time debugging, but ultimately I decided to finally move off of Zapier so I could manage my automation better fully in code and iterate on it faster.
So fueled by Celsius and righteous indignation, I got to work.
Thanks to Claude Code, in 2 days and for ~$75 in API credits, I rebuilt ~80% of the most important automation using a platform I’d never used before (Supabase Edge Functions) in a mostly unfamiliar language (TypeScript) in a new runtime/build environment (Deno).
Meanwhile, my monthly Zapier bill was ~$175.
By the end of this week, I should be at mostly feature parity, with my automation running comfortably on Supabase’s free tier, and the process will have cost <1 month of Zapier in Claude Code usage. And I’ll have better DevX going forward.
My friend Daniel Miessler had a similar experience with vibe coding a Chartbeat replacement in a day.
Caveats: of course, long term maintenance, stability, and handling edge cases matter, but still, what an exciting time to build!
Sponsor
📣 The MCP Security Guide for Early Adopters
Is your team exploring MCP integrations?
The Model Context Protocol (MCP) is quickly emerging as the go-to standard for connecting LLMs to external tools and data. But as adoption picks up, many teams are implementing MCP without a clear security playbook.
This new guide from Wiz can help: The Hidden Risks Behind the Magic: Securing the Model Context Protocol (MCP). It shares early research and practical guidance to help security teams evaluate and secure MCP in real-world environments.
Inside the guide:
Key risks with local and remote MCP servers
Real-world threats like prompt injection and supply chain compromise
Actionable steps for safely using MCP tools
Download the guide to get smart on securing MCP as adoption grows.
As you’ll see in the AI section below, MCP security is the wild west right now 😅 Great to see some guidance on evaluating and securing it.
AppSec
The Art of PHP - My CTF Journey and Untold Stories!
Phrack article by Orange Tsai on CTF culture and a detailed history/overview of a number of PHP bugs and PHP security. As you’d expect from Orange, super technical.
💡 This post describes the heart of CTF and security community culture with genuine warmth, and does a great job describing the curiosity, joy, and playfulness of both in a way that feels reflective and a bit tender. I like it 🥹
jumpycastle/rre-burp
A Burp extension by Farzan Karimi for Recursive Request Exploits (RRE) (DEF CON 2025 slides). RRE traces API calls backward from a protected resource (like a video stream) to its origin. If any upstream API in that chain is unauthenticated, the whole chain can be abused to bypass access. This technique can be used to bypass paywalls for streaming services by exploiting unauthenticated upstream APIs in the request chain.
Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling
PortSwigger’s James Kettle explains how to distinguish between HTTP pipelining (often a false positive) and actual HTTP request smuggling vulnerabilities. He provides a new Custom Action tool called "Smuggling or pipelining?" and discusses three legitimate vulnerability classes that require connection reuse: connection-locked request smuggling, connection state attacks, and client-side desync attacks. James recommends proving impact through cache poisoning, internal header disclosure, or bypassing front-end server security controls rather than just demonstrating unexpected responses.
Sponsor
📣 5 Critical Google Workspace Security Settings You Might Be Missing
Google Workspace misconfigurations or disabled security settings can be easy to miss. This guide from Nudge Security provides a deep dive on the top 5 Google Workspace security settings that should be on your checklist. For each security setting, we cover:
Common misconfigurations to look out for
Best practices for effective risk reduction
Considerations for tailoring settings based on user privilege
Learn what you can do today to improve your Google Workspace security posture.
👉 Get the Guide 👈
Nice, Google Workspace has tons of sensitive data, but I’m not sure what hardening stuff I should be doing, need to check this out 🤔
Cloud Security
8ales/Azure-AppHunter
By Marios Gyftos: An open-source PowerShell tool to identify excessive or dangerous permissions assigned to Azure Service Principals.
AWS in 2025: The Stuff You Think You Know That's Now Wrong
Corey Quinn lists various ways AWS services have evolved over the years, highlighting changes that might contradict what you used to know, including EC2 (security group changes without reboots, force termination options), S3 (read-after-write consistency, default encryption), Lambda (15-minute timeouts, faster VPC connections), networking (VPC peering alternatives, cross-AZ data transfer pricing), authentication best practices, and various cost optimization features.
A tag to rule them all: Using AWS tags to enumerate cloud resources
Bleon Proko describes how attackers can use tags to enumerate AWS resources with minimal permissions, avoiding detection that traditional brute force methods might trigger. The post introduces TagNabIt, a tool that exploits the fact that tag-related API calls can reveal significant information about AWS environments (e.g. resource names, environments, and relationships) even when an attacker lacks direct list/describe permissions. TagNabIt can enumerate resources across 255 AWS services by brute-forcing resource IDs and analyzing the error responses.
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer
Datadog’s Nick Frichette and Brandon Dossantos describe how resource-explorer-2:ListResources could be used by a threat actor for resource enumeration in AWS, which previously did not log to AWS CloudTrail without additional configuration by customers through data events. After their report, AWS proactively modified the API call to be a management event, ensuring that security teams can identify when this enumeration technique is used.
💡 How much “free” security testing / hardening has AWS received from Nick Frichette? 🤔
Blue Team
microsoft/RIFT
By Andreas Klopsch et al: RIFT (Rust Interactive Function Tool) is a toolsuite to assist reverse engineers in identifying library code in Rust malware. It’s a research project developed by the MSTIC-MIRAGE Team, exploring library recognition techniques conducted on Rust binaries and was presented at RECON 2025.
North Korea IT Workers Search Script
Friend of the newsletter Erik Cabetas of Include Security shared a Google Apps Script to scan your Google Workspace/Gmail to explore if you (or your company) have interacted with North Korean IT Workers. Basically it uses the Gmail API in Google Apps Script to see if there’s any email from/to a list of known NK email addresses.
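To show what that kind of mailbox check actually does, here is an added example in JavaScript (not Include Security's script): it runs the same "does any message involve a known-bad correspondent" logic offline over constructed messages. The indicator addresses and domains are placeholders I made up, not addresses from any report, and the sample mailbox is constructed; in Google Apps Script the message records would come from GmailApp.search() and the getId()/getFrom()/getTo()/getCc() methods on each message.

```javascript
// Added example (not Include Security's script): offline version of the
// "known-bad correspondent" mailbox check. In Google Apps Script the messages
// would come from GmailApp.search(query) -> thread.getMessages(), reading
// getId()/getFrom()/getTo()/getCc() on each message.

// Constructed indicator lists (placeholders, not addresses from any report).
const INDICATOR_ADDRESSES = new Set(['dev.contractor@example-indicator.test']);
const INDICATOR_DOMAINS = new Set(['indicator-domain.test']);

// Parse a raw address header such as
//   "Doe, John" <john@example.com>, alice@example.com
// into lowercase bare addresses. Quoted display names are dropped first so a
// comma inside them does not split the list in the wrong place.
function parseAddresses(header) {
  if (!header) return [];
  const out = [];
  for (const part of header.replace(/"[^"]*"/g, '').split(',')) {
    const angle = part.match(/<([^>]+)>/);
    const addr = (angle ? angle[1] : part).trim().toLowerCase();
    if (addr.includes('@')) out.push(addr);
  }
  return out;
}

// Return why an address matches the indicator lists, or null if it does not.
// Domain-level matching catches new mailboxes on an already-known domain.
function indicatorReason(addr) {
  if (INDICATOR_ADDRESSES.has(addr)) return 'exact address match';
  const domain = addr.slice(addr.lastIndexOf('@') + 1);
  if (INDICATOR_DOMAINS.has(domain)) return `indicator domain ${domain}`;
  return null;
}

// Scan message records ({ id, from, to, cc }) and return one hit per matching
// address, noting which header it appeared in.
function scanMessages(messages) {
  const hits = [];
  for (const msg of messages) {
    for (const direction of ['from', 'to', 'cc']) {
      for (const addr of parseAddresses(msg[direction])) {
        const reason = indicatorReason(addr);
        if (reason) hits.push({ id: msg.id, direction, address: addr, reason });
      }
    }
  }
  return hits;
}

// Constructed sample mailbox: m1 and m2 should be flagged, m3 should not.
const SAMPLE_MESSAGES = [
  { id: 'm1', from: 'Alice <alice@corp.example>',
    to: '"Doe, John" <dev.contractor@example-indicator.test>, bob@corp.example', cc: '' },
  { id: 'm2', from: 'hr@indicator-domain.test', to: 'alice@corp.example', cc: '' },
  { id: 'm3', from: 'bob@corp.example', to: 'alice@corp.example', cc: 'carol@corp.example' },
];

console.log(JSON.stringify(scanMessages(SAMPLE_MESSAGES), null, 2));
```

A hit is only a lead: the next step is pulling the matching threads and checking who inside the organization corresponded with the address and whether any contracts, payments or credentials were involved.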
APT Down - The North Korea Files
Saber and cyb0rg contributed an article to the most recent Phrack discussing tools, techniques, and targets gleaned from compromising the computer of a North Korean government hacker. The article examines several backdoors including a kernel-level "TomCat" backdoor, a custom Cobalt Strike beacon, and the "RootRot" Ivanti Control backdoor, and describes phishing infrastructure targeting South Korean government entities like the Defense Counterintelligence Command and Ministry of Foreign Affairs.
The dump shows evidence of collaboration between North Korean and Chinese threat actors. TechCrunch.
💡 Really neat, worth a read.
Red Team
RobotOperator/Eve
By Lance Cain: A JAMF exploitation toolkit used to interact with locally hosted JAMF servers and those hosted on jamfcloud.com.
SpecterOps/JamfHound
By SpecterOps: A Python tool that collects and identifies attack paths in Jamf Pro tenants by analyzing object permissions and outputting data as JSON for BloodHound visualization. The tool maps relationships between Jamf accounts and computers to reveal potential privilege escalation paths and code execution opportunities, and supports both cloud-hosted and on-site Jamf Pro instances.
praetorian-inc/ChromeAlone
A tool by Praetorian’s Mike Weber to transform Chromium browsers into a C2 implant, which can be used in place of conventional implants like Cobalt Strike or Meterpreter. ChromeAlone contains a number of components, including a malicious Chrome extension that can perform credential capture, session hijacking, shelling out, and reading the file system, a management server, an Isolated Web Application to maintain persistence, and more. DEF CON 2025 talk recording.
Putting EDRs in Their Place: Killing and Silencing EDR Agents Like an Adversary
Materials from a DEF CON workshop by Ryan Chapman and Aaron Rosenmund demonstrating both "killing" and "silencing" endpoint security products. The workshop contains hands-on labs in your own hosted VM, pre-loaded tools, samples, and EDR emulator, and covers: investigating a live EDR agent (discover its hooks, logs, and reach), compiling & deploying EDR killers used by known threat groups, silencing the agent-to-tenant communication path, writing C/C++ code to replicate evasion techniques, and building your own EDR killer and silencer.
AI + Security
I’ve been collecting various write-ups on vulnerabilities in MCP servers, so welcome this week to the blood bath 😅

Asana Discloses Data Exposure Bug in MCP Server
By UpGuard’s Greg Pollock: “Users leveraging the MCP interface—typically for LLM-powered chat interfaces—may have been able to access data from other organizations, but only within the ‘projects, teams, tasks, and other Asana objects’ of the MCP user’s permissions.”
Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients
JFrog’s Or Peles describes a vulnerability in mcp-remote (a proxy that enables LLM hosts such as Claude Desktop to communicate with remote MCP servers) that allows arbitrary OS command execution when connecting to untrusted MCP servers. The flaw stems from improper handling of the authorization_endpoint URL, enabling attackers to inject malicious commands via specially crafted URLs.
When Public Prompts Turn Into Local Shells: ‘CurXecute’ – RCE in Cursor via MCP Auto‑Start
Aim Security’s Ofir Abu describes a vulnerability in which an externally-hosted prompt injection can silently rewrite ~/.cursor/mcp.json and execute arbitrary commands with the same privileges as the developer. The post shares a proof-of-concept using a crafted Slack message: Cursor fetches that message via the Slack MCP server, and the message’s prompt causes the agent to rewrite mcp.json to execute commands without user approval.
Some kinda yikes details: 1) Cursor instantly executes any new entry added to mcp.json, no confirmation is required, and 2) when the agent suggests an edit to mcp.json, the edit already lands on disk, triggering command execution even if the user rejects the suggestion.
MCPoison Cursor IDE: Persistent Code Execution via MCP Trust Bypass
Check Point’s Andrey Charikov, Roman Zaikin and Oded Vanunu determined that in Cursor, once an MCP is approved, future modifications to its command or arguments are trusted without any additional validation or prompt. So an attacker can initially commit a benign MCP, wait for user approval, then silently replace it with malicious payloads (e.g., reverse shells) that execute automatically when the project is reopened.
💡 This was patched in Cursor 1.3, with the changelog details: “Security fixes.” 👎️
Security Advisory: Anthropic's Slack MCP Server Vulnerable to Data Exfiltration
Slayer of AI implementations Johann Rehberger describes a data leakage vulnerability in Anthropic's deprecated Slack MCP Server that allows AI agents to exfiltrate sensitive information through link unfurling. The vulnerability can be exploited via prompt injection, potentially affecting thousands of installations.
Note: Anthropic deprecated many of their MCP servers, and there is no plan to address security vulnerabilities in them.
EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
Cymulate’s Elad Beber demonstrates how once an adversary can invoke MCP Server tools, they can leverage legitimate MCP Server functionality to read or write anywhere on disk and trigger code execution. The post describes two high-severity vulnerabilities in Anthropic's Filesystem MCP Server: a directory containment bypass and a symlink bypass leading to code execution. These flaws allow attackers to escape the server's sandbox, access sensitive files, and potentially achieve privilege escalation.
Critical RCE in Anthropic MCP Inspector Enables Browser-Based Exploits
Oligo’s Avi Lumelsky describes discovering a Remote Code Execution (RCE) vulnerability and DNS rebinding in Anthropic’s MCP Inspector project. The MCP Inspector tool runs by default when the mcp dev command is executed, acting as an HTTP server that listens for connections. A malicious website makes a request to 0.0.0.0 and asks MCP Inspector to run arbitrary commands locally → RCE.
💡 The AI ecosystem continues to speed run attacks we’ve known about for years. I just asked Claude, “I’m building an app that will run locally and listens for HTTP requests, what security risks and vulnerability classes should I consider?” And it referenced DNS rebinding, the risks of 0.0.0.0, SSRF and CSRF 🤷
PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk
Cato Networks’ Shlomo Bamberger, Guy Waizel, and Dolev Moshe Attiya demonstrate a "Living off AI" attack where threat actors can exploit AI-driven workflows in tools like Atlassian's MCP and Jira Service Management to gain privileged access without authentication. Malicious support ticket with prompt injection payload → internal user unknowingly executes harmful instructions through MCP with their elevated permissions → sensitive data exfiltrated via support ticket or other post exploitation.
Misc
Feelz
HealthyGamer (Dr. K) - Anhedonia: why nothing feels fun anymore
Stanford GSB - Last Lecture Series: How to Live your Life at Full Power — Graham Weaver
AI
Adam Butler on why the AI cycle is over, for now (post GPT-5) - Rolling out the capabilities of current day models will still cause an impact for a decade, but model improvements are incremental not orders of magnitude. “Find a vertical where verification is cheap and margins fat, then build the scaffolding that lets domain experts ride the model instead of babysit it.”
Agents.md - A simple, open format for guiding coding agents, used by over 20k OSS projects. Like a README for agents: a dedicated, predictable place to provide the context and instructions to help AI coding agents work on your project.
Misc
North Korea sent me abroad to be a secret IT worker. My wages funded the regime - A NK defector shares their story via BBC. 85% of what’s earned is sent back to fund the regime. Secret IT workers generate $250m-$600m annually, according to a UN Security Council report published in March 2024.
C-Suite Lessons From Joe Sullivan And The Uber Data Breach - Personally, I think Joe Sullivan is a great guy and that the Uber team did a professional job in a tough situation.
Emacs as your video-trimming tool - LFG! 🤘
Hey… quick question, why are anime catgirls blocking my access to the Linux kernel?
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler