🫶 Friend Visit

Last weekend I visited my good friend Aaron and his partner, staying at their place in southern California, and it was delightful.

There’s something special about meeting a friend’s partner and seeing their place, you get such a lovely insight into who they are and what they value. The bookshelves, the photos from their couple trips, the unique items they’ve picked up along the way.

We played a few rounds of this board game, Forbidden Island, which was a lot of fun, would recommend. Clint analytical brain was fully engaged, and people were amused 😅 

I managed to delay doing an AI-powered Deep Research about optimal strategies until I was at the airport on the way back. It wasn’t easy.

Aaron was a work friend who became a normal friend over many Wednesday dinners. And after several months I got upgraded to his non burner phone (not a joke) 🙌 

We had talked about me coming down to stay with him for a weekend… and I actually did it! It was kind of going out on a limb, as we’d never spent more than a few hours together at a time, but I’m really glad I did. We had a great time, and I feel like we grew a lot closer in just a few days.

Maybe there’s someone you really click with at work or from some hobby, and if you put yourself out there and spend more time with them (even if it feels cringe to ask), that could end up being a great friendship 🤔 

Sponsor

📣 AI ROI: You know the AI bill, but what are the outcomes?

Leadership is asking: are we getting value from AI? Which tools are worth the spend? Where are we exposed? Right now, most teams can only answer with invoice data.

Harmonic Security Usage Explorer closes that gap. It automatically classifies every AI interaction across your organization into the use cases driving real work, specific to your business. Get actual patterns to understand how your teams use AI, how much time they spend, the cost, and where risk lives.

CIOs rationalize spend, CISOs get risk in context, & AI committees get proof of impact.

Early access is now open. Request your spot.

👉 Get early access 👈

AppSec

The Dot-Dot-Slash That Frameworks Hand You: CSPT Across Every Major Frontend Framework
Jonathan Dunn reverse-engineered the URL decoding pipelines of 8 major frontend frameworks (React Router, Next.js, Vue Router, Angular, SvelteKit, Nuxt, Ember, and SolidStart) to understand how Client Side Path Traversal (CSPT) vulnerabilities arise when encoded slashes (%2F) in dynamic route parameters get decoded and interpolated into fetch URLs. Labs GitHub repo.

💡 Wow, super detailed, awesome post. Also, this story about Jason Haddix’s mentorship 🥹

C/C++ checklist challenges, solved
Trail of Bits recently added a C/C++ security checklist to their Testing Handbook, and in this post, Graham Sutherland and Paweł Płatek share walkthroughs of two C/C++ challenges. They also released c-review, a Claude skill that runs the C/C++ checklist as LLM prompts against a codebase, tuned to the platform and threat model.

The first challenge is a Linux ping program with a command injection bug, where two undocumented behaviors in standard IP address functions (one accepting trailing garbage, the other reusing a shared buffer between calls) let an attacker bypass the input validation. The second is a Windows driver where a missing safety flag and an incomplete registry read combine to escalate from a local crash to full kernel code execution. By planting two crafted registry values, an attacker tricks the driver into copying arbitrary data onto the kernel stack and overwriting a function pointer.

Sponsor

📣 Adaptive Security: Security Awareness Training Built for AI Threats

AI is changing how attacks are executed. Deepfakes, voice clones, and AI-generated spearphishing across email, SMS, and voice are now table stakes for attackers. Adaptive Security's next-generation platform simulates these exact threats, scores individual employee risk using real behavior and OSINT exposure, and auto-delivers personalized training tied to what each person experienced. Trusted by security teams at PayPal, Ramp, Bose, and more. 

👉 Book a Demo 👈

There’s been a big rise in AI-powered deepfake attacks, it’s great to see people tackling it 👍️ 

Cloud Security

Global S3: Another C2 Channel for AgentCore Code Interpreters
Sonrai's Nigel Sood builds on Kinnaird McQuade‘s prior research on DNS-based exfiltration from sandboxed AWS Bedrock AgentCore Code Interpreters, showing that the interpreter's documented global S3 access can also serve as a bidirectional Command & Control (C2) channel. Sood extended McQuade's open-source PoC so a client inside the sandbox polls an external bucket for shell commands, executes them, and writes output back via presigned PUT URLs. Unlike the DNS path AWS has since mitigated, this isn't a Bedrock vulnerability since S3 access is intended behavior, so customers have to handle it themselves. Sood recommends VPC mode with Gateway Endpoints and strict Endpoint Policies limiting access to specific buckets.

AWS Credential Isolation for Local AI Agents
EngSecLabs' Alex Smolen walks through how to safely hand AWS credentials to local AI agents, recommending combining elhaz, a credential broker daemon that manages auto-refreshing STS credentials via Unix socket, with trailtool for generating least-privilege IAM policies from CloudTrail logs (based on what the agent actually uses).

Alex arrives at this recommendation based on challenges with other approaches: environment variables leak to every process and only capture a snapshot that expires mid-session, mounting ~/.aws/ hands over every profile on the host (and agent deny lists don't catch bash subprocesses reading the file directly), and metadata emulation breaks on macOS because Docker Desktop's loopback doesn't reach the host. Sockets sidestep all of that because the mount itself becomes the access control. If you don't bind the socket into a container, the credentials don't exist there at all, so each agent ends up with its own scoped identity by default.

What the March 2026 Threat Technique Catalog update means for your AWS environment
AWS' Shannon Brazil and Cydney Stude documented three new threat techniques the AWS Customer Incident Response Team has seen in live incidents. Attackers are abusing Cognito refresh tokens (30-day default, configurable up to 10 years) to maintain access without invalidating legitimate sessions, using ec2:DeregisterImage to permanently delete AMIs (unrecoverable unless Recycle Bin retention is enabled), and using UpdateAssumeRolePolicy to attach new principals to existing IAM roles instead of creating new ones.

The post emphasizes that attackers are increasingly using legitimate AWS API calls in illegitimate contexts rather than exploits, requiring security teams to monitor for contextual anomalies like unexpected principals or timing. Most cloud monitoring is tuned for creation events (new roles, new logins, new AMIs) and rarely covers modifications or token refreshes on what's already there. AWS published CloudTrail detection queries for each.

Supply Chain

Quicklinks

• BSidesSF 2025 talk - Scalably Securing Third-party Dependencies in Heterogeneous Environments by Anthropic’s Ziyad Edher and Chris Norman

• Are you prepared for Mythos? Stay ahead of zero-days with Chainguard - AI is finding and weaponizing zero-days faster than any disclosure process can publish them. The answer isn't patching faster. When a registry gets poisoned, you don't want to beat the clock. You want to be on a supply chain the attack never touches.*

• NIST Updates NVD Operations to Address Record CVE Growth - Due to a 264% surge in CVE submissions between 2020 and 2025, going forward NIST will only enrich CVEs: in CISA's KEV catalog, affecting critical software, and software used within the federal government.

_*Sponsored

FilippoBau/depcut
Tool by Filippo Baudanza that cuts Dependabot noise by checking whether vulnerable npm symbols are actually imported in JavaScript/TypeScript codebases. It parses imports with tree-sitter, extracts vulnerable symbols from GHSA data (with an optional LLM fallback), and matches them against a lockfile-scoped dependency graph to classify each alert as REACHABLE, UNREACHABLE, or INDETERMINATE, and outputs JSON or SARIF for CI pipelines.

Practical Package Security: The Unofficial Guide
Wiz's Rami McCarthy gives a nice survey of actionable best practices to shrink your attack surface, protect execution environments, control package ingestion, and catch compromises early. Rami recommends minimizing dependencies, adding install cooldowns via your package manager or Renovate or Dependabot so the ecosystem catches malware first, locking package versions with hash verification, using wrapper tools like Datadog’s supply-chain-firewall, and turning off install scripts via npm's ignore-scripts or pnpm's onlybuiltdependencies.

Larger organizations can add registry proxies or private package repositories, plus cloud-based development environments and zero trust production to limit damage when malicious code runs. On the detection side, plant honeytokens in CI pipelines.

Blue Team

weirdmachine64/SharkMCP
Tool by Mohamed Benchikh that wraps Wireshark's sharkd interface as an MCP server so LLMs can dig through PCAP files with natural language. Each capture gets its own sharkd subprocess for packet inspection, protocol analysis, conversation tracking, and stream reassembly across TCP, UDP, TLS, HTTP, and VoIP, while heavy queries are cached in memory so pagination stays fast.

Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet
SentinelOne's Juan Andres Guerrero-Saade and Vitaly Kamluk uncovered fast16, a 2005 sabotage framework (five years before Stuxnet) that selectively targets high-precision calculation software, patching code in memory to tamper with results to produce inaccurate calculations across an entire facility (e.g. those used in nuclear weapons research). fast16 is the earliest known Windows malware to embed a Lua VM, and combines a wormable Lua-powered binary with a kernel driver that scans executables for 101 code patterns, then surgically rewrites floating-point routines.

The fast16 name had already appeared in the 2017 ShadowBrokers leak inside NSA's Territorial Dispute list, and Unix-style source control markers in the binaries point to long-term development by government or military engineers. The main binary sat on VirusTotal for nearly a decade, missed by almost every antivirus engine, before SentinelLABS pieced it together.

Red Team

tahaafarooq/Fenrir
Tool by Taha Afarooq that uses eBPF to capture SSH, PAM, sudo, and su credentials at the kernel level. The Go agent deletes itself from disk and runs only in memory, poses as a legitimate system process, and exits if it detects defensive tools (Wireshark, Sysdig, Falco, Tetragon), or VM/container environments (Docker, Kubernetes, Cuckoo, Joe Sandbox). Captured credentials are smuggled out over encrypted network traffic to a companion fenrir-channel C2 with a web dashboard.

Mine the Gap: Open-Source Tools for Measuring the AI Offense-Defense Gap
Dreadnode's Jayson Grace and Martin Wendiggensen released two open-source tools for evaluating AI agents in head-to-head red versus blue engagements, since existing benchmarks miss what happens when both sides operate autonomously against shared infrastructure.

DreadGOAD is a fork of the GOAD Active Directory lab packaged for AWS, with Terraform/Terragrunt provisioning, golden AMIs, private networking via SSM, automated validation of 50+ AD vulnerabilities, and a variant generator that randomizes entity names so agents can't memorize their way through. Ares runs on top: seven red team agents (recon, credential access, cracking, ACL abuse, privilege escalation, lateral movement, coercion) reach domain dominance through Golden Ticket persistence in under six minutes with a 95%+ success rate, while three blue team agents (triage, threat hunting, lateral analysis) investigate the same telemetry.

Every attacker action is recorded as ground truth, so blue team agents are scored on how accurately they reconstruct what actually happened, not against static checklists or curated log dumps.

💡 Lots of really cool ideas in this post- automatically generating variants of a vulnerable environment so you can test how agents perform, measuring the performance of red vs blue autonomous agents, recording actions for future ground truth, and open sourcing the core parts 🤘 Great work.

AI + Security

OpenAI releases open-source model that strips personal data from text
OpenAI released Privacy Filter, an open-source 1.5B model that detects and redacts eight PII categories including names, emails, phone numbers, account numbers, and secrets like API keys. It runs locally on a laptop or in-browser with a 128K token context window, uses single-pass labeling instead of generation, and ships under Apache 2.0 on GitHub and Hugging Face.

💡Useful for data loss prevention and log scrubbing, though weaker on non-English text and non-Latin scripts, so keep a human in the loop.

Google wants AI defense to be as fast as AI offense
Frederic Lardinois covers Google Cloud's Next '26 security announcements. Google added three new AI agents to Google Security Operations for threat hunting, detection engineering, and third-party context, alongside an existing triage agent that has processed over 5 million alerts in the past year and reduced 30-minute analyses to roughly 60 seconds. Wiz, recently acquired by Google, extended its AI-Application Protection Platform across Databricks, AWS, Azure, and Salesforce, is adding inline AI security hooks in IDEs and agent workflows, and shipped a dynamic AI-BOM to inventory shadow AI- the AI frameworks, models, and IDE extension in your environment. Mythos Preview will be available through Google’s Vertex AI for defensive use.

Finding Zero-Days with Any Model
Niels Provos argues that discovering novel vulnerabilities with AI is not just a frontier-model capability but an orchestration problem. He demonstrates using his open-source IronCurtain framework with commercial models (Opus 4.6, Sonnet 4.6) and open-weight models (GLM 5.1) that he can replicate Anthropic's 1998 OpenBSD TCP SACK finding and discover new zero-days in widely-deployed software, with each scan costing $30-150 per codebase.

Niels was able to find these vulnerabilities using IronCurtain (which supports arbitrary workflows structured as finite-state machines (FSM) via plain YAML definitions) by building a specialized vulnerability discovery workflow that has a central Orchestrator agent that acts as a strategic router that then decides which specialized agent to dispatch next based on an append-only execution journal.

Introducing AIMap: Security Testing For AI Agent Infrastructure
Bishop Fox's Aashiq Ramachandran announces AIMap, an open-source tool that discovers, fingerprints, scores, and tests internet-exposed AI agent infrastructure by querying Shodan and fingerprinting endpoints across MCP servers, Ollama, vLLM, LiteLLM, LangServe, Gradio, ComfyUI, and other AI frameworks using Nuclei templates and live HTTP checks.

AIMap assigns risk scores (0-10) based on authentication status, exposed tools, CORS policies, TLS configuration, and system prompt leakage, and includes protocol-specific attack modules for MCP servers (tool enumeration, unauthorized tool invocation, and prompt injection via tool descriptions), Ollama instances (model listing, model weight extraction, and prompt injection), and OpenAI-compatible endpoints (model enumeration, completion abuse, and system prompt extraction).

Misc

Misc

• Tin Can - A WiFi landline for kids. It doesn’t have apps, texting, or games—just real conversation with friends, neighbors, Grandma, or whoever you add to your approved contact list.

• The Sites We Lost - Archiving quirky, old websites. Some take me back.

• Inside TIME’s Wild Day with MrBeast

• Morning Brew - Why are the boys tryna get hot all of a sudden? - On Looksmaxxing and medspas.

• Scott Galloway on Diary of a CEO - AI’s impact (or not) on the economy and jobs, the war in Iran, being a parent, and more.

  • I thought Scott had an interesting point on China purposefully “AI dumping” low cost AI via open source models into the U.S. economy to potentially undermine Anthropic, OpenAI, and other companies, as much of the U.S. stock market is essentially a bet on AI, and how that’s similar to how China previously dumped below-cost steel into the U.S. market, which largely wiped out American steel.

  • Also: “The receipts for love are grief.” 🥹

Tech

• Mitchell Hashimoto - Ghostty Is Leaving GitHub

• NPR went looking for Polymarket's Panama headquarters. It's elusive

• Joe Hudson - AI and The Return to Being Human

• Mark Zuckerberg ‘Personally Authorized and Actively Encouraged’ Meta’s Massive Copyright Infringement to Train AI Systems, Publishers and Scott Turow Allege in Lawsuit

• Coinbase CEO Brian Armstrong’s tweet on letting go of 14% of Coinbase - Is a crypto company firing a number of its employees a job rug pull 🤔 

AI

• An open-source spec for Codex orchestration: Symphony - OpenAI describes building Symphony⁠, an agent orchestrator that turns a project-management board like Linear into a control plane for coding agents. Every open task gets an agent, agents run continuously, and humans review the results. Wow, this is really cool 👍️ 

• Where the goblins came from - Fascinating story about how OpenAI investigated why GPT-5.1+ models started increasingly mentioning goblins, gremlins, and other creators in metaphors 😂 

• Anthropic - New in Claude Managed Agents: dreaming, outcomes, and multiagent orchestration

• anthropics/knowledge-work-plugins - 11 plugins bundling the skills, connectors, slash commands, and sub-agents for a specific job function. Currently: productivity, sales, customer support, product management, marketing, legal, finance, data, enterprise search, bio research, cowork plugin management.

Politics

• Politics used to be like this - Clips of Mitt Romney, John McCain, and Obama being respectful. In one of them, at a McCain event, a woman says she can’t trust Obama because he’s an Arab. McCain corrects her, “He’s a decent family man.” Let’s get back to this.

• Last Week Tonight with John Oliver - Prediction Markets

• We spoke to the man making viral Lego-style AI videos for Iran. Experts say it's powerful propaganda

• Chinese firms market Iran war intelligence ‘exposing’ U.S. forces

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋