- tl;dr sec
- Posts
- [tl;dr sec] #299 - The Security Engineer's Guide to MCP, IAM Hound Dog, IMDS Anomaly Detection
[tl;dr sec] #299 - The Security Engineer's Guide to MCP, IAM Hound Dog, IMDS Anomaly Detection
Quickly get up to speed in MCP security, tool to identify privilege escalation in AWS, find 0days and attackers via anomalous IMDS calls
Hey there,
I hope you’ve been doing well!
🎙️ Zero Signal Podcast - AI in Cybersecurity
In Vegas this year I joined my friends Conor Sherman (Sysdig CISO in Residence) and Stuart Mitchell (Hampton North) on their new podcast, Zero Signal.
We discussed AI’s impact on penetration testing, the job pipeline, “shifting down not left” (H/T my interview with former Google Cloud CISO Phil Venables), integrating security in vibe coding, and more.
You can check it out on YouTube, Spotify, or Apple Podcast.
P.S. I’ve been working on a talk for our Semgrep offsite next week on current trends in AI + AppSec and where things are headed, which has been a lot of fun. Will share via blog, conference talk, or video sometime ☺️
Sponsor
📣 The Next Step in CloudSecOps is Here
Meet Tami—the AI CloudSecOps agent that doesn't just tell you what's broken, but actually fixes it.
Why stop at detection? Tamnoon's AI agent goes the extra mile: it prioritizes, enriches, investigates, and delivers production-ready remediation playbooks validated by expert CloudPros.
Trained on millions of safe executions in real environments, Tami turns your endless alert backlog into tested, permanent solutions—keeping your entire cloud infrastructure safe and compliant.
👉 See It In Action 👈
Autofixing cloud issues is pretty rad 🤩 "Trained on millions of executions,” nice.
AppSec
CTFs
The FLARE On Challenge - A single-player series of reverse engineering puzzles
Huntress Annual Capture the Flag - Daily puzzles and real-world attack simulations
Cookie Chaos: How to bypass Host and Secure cookie prefixes
Portswigger’s Zakhar Fedotkin describes how attackers can bypass browser-enforced cookie prefix protections (__Host- and __Secure-) by exploiting inconsistencies in how browsers and servers handle cookie encoding and parsing. These techniques can enable attackers to inject malicious cookies that bypass browser restrictions, potentially leading to XSS, session fixation, or privilege escalation. Burp Custom Action to test for these issues.
Two bypass techniques: using Unicode whitespace characters that browsers treat as regular characters but servers normalize away, and leveraging legacy cookie parsing behavior ($Version=1
) that causes some Java-based servers to interpret a single cookie as multiple cookies.
Taming 2,500 compiler warnings with CodeQL, an OpenVPN2 case study
Trail of Bits’ Paweł Płatek and Jay Little describe how they developed a specialized CodeQL query to identify dangerous implicit integer conversions in C code, reducing OpenVPN2's 2,500+ compiler warnings to just 20 high-priority cases requiring manual review. Their approach distinguishes between benign and potentially vulnerable conversions by categorizing them based on data alteration types (truncation, reinterpretation, widening) and conversion mechanisms.
Their five-step query refinement process: start with all problematic conversions, eliminate safe constants, apply range analysis, model codebase-specific functions, and finally focusing on user-controlled inputs via taint tracking. They’ve open-sourced their query on GitHub.
antgroup/YASA-Engine
By Ant Group: YASA (Yet Another Static Analyzer) is an open source static program analysis framework built around a Unified Abstract Syntax Tree (UAST) that enables analysis across multiple programming languages.
Project components: YASA-Engine (the core analysis engine), YASA-UQL (a declarative query language compatible with CodeQL), YASA-MCP (LLM-friendly APIs), and YASA-SDK (integration tools for applications), all designed to provide field-sensitive, context-sensitive, and flow-sensitive analysis capabilities.
TIL about xAST, an open-source evaluation system for SAST/IAST/DAST tool capabilities.

Sponsor
📣 Effective Cloud Security Requires a Unified Platform
Cloud-native speed comes with cloud-sized risk. As teams spin up and down resources at record pace, security gets buried in complexity. Point solutions for prevention, posture, and response just can’t keep up.
ESG reveals why organizations need a consolidated, integrated approach that streamlines security, reduces risk in real time, and delivers runtime protection where it matters most.
Neat, a report on cloud security wins and losses from 370 organizations, that’s a solid dataset 👍️
Cloud Security
VirtueSecurity/IAMhounddog
By Virtue Security’s Nathan Tucker: A tool that helps pentesters identify privileged principals and second-order privilege escalation opportunities in AWS environments by mapping relationships between IAM entities and resources. The tool generates a graph database compatible with BloodHound, revealing connections between principals, roles, policies, and AWS services (CloudFormation, EC2, ECS, EKS, Lambda, RDS, Step Functions, CodeBuild, and CodePipeline).
IMDS Abused: Hunting Rare Behaviors to Uncover Exploits
Wiz’s Hila Ramati and Gili Tikochinski describe how they developed a data-driven methodology to detect anomalous Instance Metadata Service (IMDS) usage across cloud environments, leading to the discovery of SSRF vulnerabilities being exploited in the wild in pandoc when converting HTML to PDF, and in ClickHouse SELECT * FROM url
).
The approach: establishing baseline IMDS access patterns, identifying suspicious processes with rare IMDS access, filtering by requests made to sensitive metadata paths (related to determining what permissions you have access to), and analyzing compute context.
Adding Determinism and Safety to Uber IAM Policy Changes
Uber’s Avinash Srivenkatesh, Zi Wen, and Zakir Akram describe how Uber built a Policy Simulator, allowing developers making IAM policy changes to preview the impact of the changes before deployment, to prevent outages or other errors in their complex microservices environment.
The tool works by: first fetching relevant access logs, then replaying these logs against two local authorization engines (one with current policies, one with proposed changes) to identify differences in access control results. The change author gets a report on the potential impact of the proposed policy change, who can then decide if they want to proceed.
💡 Whoa, impressive engineering. Probably overkill for most companies, but worth a read. I especially like the idea of replaying past events and comparing proposed changes vs the prior state. This can be applied in a number of domains 👌
Supply Chain
The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows
Gaetan Ferry and Guillaume Valadon describe how on September 5, 2025, GitGuardian discovered GhostAction, a supply chain attack affecting 327 GitHub users across 817 repositories through malicious workflows disguised as "Github Actions Security." Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint.
💡 The malicious GitHub Action workflow is embarrassingly obviously malicious ☹️ Sometimes I feel like attackers don’t respect their craft. Sad.
How to Tamper with Releases built with GitHub Actions Workflows
Incredibly detailed GitHub repo with proof of concepts by Benedikt Haußner, based on his talk presented at fwd:cloudsec Europe 2025 (slides, video). He covers a bunch of things, but especially these 5 attack paths: 1) changing the assets of a mutable release, 2) using typosquatted third-party GitHub Actions in our workflow, 3) using a GitHub hosted runner with a container under our control, 4) employing homoglyph attacks to redirect builds to self-hosted runners, and 5) injecting malicious code via orphaned commits in the actions/checkout repository.
pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks
Orca’s Roi Nisimi provides an overview of the pull_request_target
trigger in GitHub Actions, the risks of checking out and executing code from untrusted pull requests with privileged tokens, and some vulnerabilities they found in the wild.
In part 2, Roi gets more specific, and describes how they were able to compromise open source repositories owned by Microsoft, Google Cloud, and NVIDIA and others, demonstrating how this vulnerability class allowed them to execute reverse shells on GitHub runners, push malicious code to origin repositories, steal API keys, and access cloud resources on self-hosted runners.
They found ~1% (50 out of 5,000) repos using pull_request_target
to be vulnerable, and there are >100K repos using that trigger on GitHub, so there may be thousands more vulnerable repos.
Blue Team
acquiredsecurity/forensic-timeliner
By Brad Roughan: A high-speed forensic timeline engine for Windows forensic artifact CSV output built for DFIR investigators. Quickly consolidate CSV output from processed triage evidence for Eric Zimmerman (EZ Tools) Kape, Axiom, Hayabusa, Chainsaw and Nirsoft into a unified timeline.
A Primer on Forensic Investigation of Salesforce Security Incidents
Guide by Salesforce Field CTO Eoghan Casey on investigating security incidents in Salesforce environments, focusing on three key information sources: activity logs, user permissions, and backup data, referencing various products and features (Salesforce Shield Event Monitoring, Who Sees What Explorer, Enhanced Transaction Security policies, etc.).
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
Mandiant’s Sarah Yoder et al describe the BRICKSTORM malware campaign by UNC5221 (suspected China-nexus threat actors) targeting US organizations with sophisticated backdoors on network appliances that lack EDR support. The attackers maintain persistence for an average of 393 days by deploying BRICKSTORM (a Go-based backdoor with SOCKS proxy functionality) on appliances, and employing techniques like VM cloning to extract credentials while generating minimal security telemetry.
Mandiant released a scanner tool to help organizations hunt for BRICKSTORM and provides detailed hunting guidance.
💡 Wow, some impressive tradecraft here.
Red Team
0xJs/EnumEDRs
By Jony Schats: Tool written in C that enumerates EDRs running on the system by enumerating current processes and loaded drivers. Currently supports ~9 EDRs, including Microsoft Defender for Endpoint, Elastic EDR, Sysmon, BitDefender, Cortex, CrowdStrike, Sentinel, Sophos, etc.
olafhartong/BamboozlEDR
By Olaf Hartong: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. BamboozlEDR features a TUI interface and can generate realistic security events across multiple Windows ETW providers to test EDR detection capabilities, log analysis systems, and security monitoring solutions.
Your Vulnerability Scanner Might Be Your Weakest Link
Praetorian’s Adam Crosser discusses how vulnerability scanners (or asset inventory platforms, IT automation frameworks, and management tools) using privileged credentials can become security risks when using password-based authentication or insecure protocols. The post gives an example of capturing vulnerability scanner credentials by instrumenting SSH on a compromised server, without triggering Linux EDR alerts.
Example credential theft techniques: SSH service environment variable modification, process tracing (strace sshd), malicious PAM modules, and honeypot redirection, none of which triggered alerts in their testing of major Linux EDR products. Recommendations: treat scanner and automation credentials as sensitive assets, prefer key-based authentication over passwords, disable legacy protocols like NTLMv1, and validate that Linux EDR solutions provide meaningful security coverage.
AI + Security
Quicklinks
In October 2025 GitHub will allow you to control at an organization level which MCP servers your developers can install.
Introducing Claude Sonnet 4.5 - Nice, Claude Code v2 and Claude Agent SDK improvements. The “Imagine with Claude” research preview in which code/UI is dynamically generated is super cool. Claude Sonnet 4.5 System Card.
slowmist/MCP-Security-Checklist
By @SlowMist_Team: Nice high level overview and checklist covering MCP Server and Client security, secure invocation, and multi-MCP scenario security.
A Security Engineer's Guide to MCP
Great primer by Semgrep’s Kurt Boberg to quickly get you up to speed on testing and securing MCP servers and clients. Kurt covers the control flow for MCP, important terms, using MCP Inspector, key MCP vulnerability classes (tool poisoning/line jumping, tool shadowing, rug pulling, Web 2.0 issues), an overview of security-relevant parts of the MCP specification, and an MCP security evaluation cheatsheet of exactly what to look for.
💡 Love when someone reads the spec for me and points out the sharp edges 🤘
Research Briefing: MCP Security
Wiz’s Rami McCarthy shares a nice round-up of security risks across local and remote MCP servers, open-source registries and trust signals, MCP client risks, and how to secure yourself today in safely using MCP servers (use trusted sources, audit before usage, consider sandboxing MCP servers and using an MCP gateway, …) and avoiding common AppSec vulnerabilities when creating MCPs. The post concludes with future-focused security tips and tool recommendations. All in all, tons of great supporting resources, in typical Rami fashion 😍.
First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails
Koi’s Idan Dardikman discovered that the postmark-mcp MCP server (1,500 downloads/week), which was safe and fine for 15 versions, since version 1.0.16 has been secretly BCCing all emails to the developer's personal server, potentially exfiltrating thousands of sensitive emails. There's a legitimate GitHub repo with the same name, officially maintained by Postmark, which the attacker copied, added the malicious BCC line, and published it to npm under the same name.
💡 See Trail of Bits’ mcp-context-protector and similar tools that do trust-on-first-use pinning for server instructions and tool descriptions.
AI
Quicklinks
modelcontextprotocol/inspector: Visual testing tool for MCP servers
MCP Inspector - A developer tool for testing and debugging MCP servers, offering both a UI and CLI mode for interactive and programmatic server interaction
Thirteen new MCP servers from Cloudflare you can use today - For Cloudflare docs, Workers development, basically any of their services.
One-click remote MCP servers - How to deploy a remote MCP server on Cloudflare, with options for public access or user authentication via GitHub OAuth.
Daniel Miessler - One-click MCP servers with Cloudflare
f/mcp-startup-framework - A complete framework for building remote MCP servers on Cloudflare Workers with OAuth authentication, PostgreSQL database, and Stripe-powered paid tools.
microsoft/playwright-mcp - MCP server that provides browser automation capabilities using Playwright.
random-robbie/mcp-web-browser - A web browsing MCP server powered by Playwright. Using the official Microsoft Playwright MCP is probably better, but including for completeness/reference.
Chrome DevTools (MCP) for your AI agent - The new Chrome DevTools MCP server lets AI coding assistants debug web pages directly in Chrome, and benefit from DevTools debugging capabilities and performance insights. I haven’t played with this yet but seems very promising, H/T Daniel Miessler.
upstash/context7 - MCP that pulls up-to-date, version-specific documentation and code examples straight from the source — and places them directly into your prompt.
The FastMCP Client - Programmatic client for interacting with MCP servers through a well-typed, Pythonic interface.
Misc
“What you most need will be found in the place you least want to look.” - Carl Jung
Feelz
Chris Williamson - How Men Can Create Real Love - Dr John Delony
Whenever Dave Franco and Allison Brie are apart, they write each other a “goodnight love letter” - could be a poem, a few paragraphs, a photo that brought up old memories.
Theo Von - Pete Davidson Talks About the Side Effects of Media Attention
Scott Galloway - Friending- The power of friendship cold-calling - putting yourself out there and building new friendships, even as an adult.
AI
Google AI on Is the pool of the Titanic still full?
Meta greenlights Facebook, Instagram ads based on your AI chats
Accenture says it will begin "exiting" workers it deems cannot be reskilled as part of an $865 million AI restructuring plan.
Actors' guild slams AI 'actress' - Tilly Norwood, an AI “actor” is allegedly attracting interest from talent agents.
Misc
Simon Sinek - Rob Lowe’s Guide to Posing 😂 Prune, Man of the People, Blue Steel, Iconic. Fascinating.
Everything We Teach at YCombinator in 10 Minutes - Michael Seibel (Reddit, YC, Twitch)
Start your next project with a giant scroll of paper - As you keep working, the scroll becomes an organic timeline of your thinking.
Terence Tao: “My tentative theory is that the systems, incentives, and technologies in modern world have managed to slightly empower (many) individuals, and massively empower large organizations, but at the significant expense of small organizations, whose role in the human societal ecosystem has thus shrunk significantly, with many small organizations either weakening in influence or transitioning to (or absorbed by) large organizations.”
Ben Palmer - You Can Be Anything - Standup set where he impersonated various orgs and people on social media, to hilarious effect 😂
Alex Hormozi - Give me 20 Minutes and I'll Give You Back 20 Years of Your Life - Things you can pay for to get time back. First, optimize your sleep, then: pre-made meals, laundry service, house cleaning, landscaper driver/Uber, flying private.
macOS app that plays fart sounds as you open and close your Macbook lid
Chris Williamson - How To Create A Life Of Freedom - Dan Martell
Massive Protein Powder Google sheet
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
P.S. Feel free to connect with me on LinkedIn 👋