🍦 Ice Cream Bonding

There’s this Mediterranean place I like to go to sometimes, Souvla, that has delicious frozen Greek yogurt you can get with baklava on top.

It’s helped me power through many a late night writing tl;dr sec. Like tonight 😅 

I’ve gradually started befriending the manager over time, over a series of froyos.

We’ve discussed how it’s sometimes difficult to make new (deep) friends as you get older, some of his work challenges, and more.

All from periodic 5 minute conversations.

It makes me think that most people probably have a lot to open up and share about, if you create a little space for it.

Anyway, I’m not saying frozen yogurt is the key to adult friendship, but I’m not not saying that.

Maybe community is built less through grand gestures, and more through remembering someone’s name, asking one more question, and occasionally adding baklava.

Sponsor

📣 State of AI in the Cloud 2026:
How AI Is Reshaping Cloud Security

AI is no longer a standalone tool, it’s embedded across cloud environments, development workflows, and production systems.

The State of AI Report reveals how AI adoption is expanding the attack surface, accelerating attacker behavior, and introducing new risks through agents, copilots, and automation.

Get the data behind what’s changing and what security teams need to do about it.

👉 Read the Report 👈

AppSec

The down fall of bug bounties
Assetnote Searchlight Cyber’s Shubham Shah reflects on how AI has impacted bug bounty: skilled researchers are submitting higher quality reports faster with AI assistance, but platforms are overwhelmed by low-quality AI-generated submissions. Shubz isn’t pleased with current solutions from HackerOne (fighting AI with AI) and Bugcrowd (spam controls), finding despite him hacking on Uber’s bug bounty program for almost ten years and ranked #1 on their public program, and his recent high impact submission took 12 days to get a response instead of previously 1-3 days.

The security policy rollout survival guide
The blog version of Oblique's Maya Kaczorowski’s BSidesSeattle talk. Maya outlines a practical framework for rolling out security policies, emphasizing that successful implementation requires getting stakeholder input from engineering, product, SRE, and IT before defining controls, then running a pilot with representative users across diverse roles and platforms to identify edge cases and validate that controls actually work.

She emphasizes the importance of communicating changes through multiple channels (email, Slack, all-hands), making policy enforcement visible to users so they can see how they compare to peers, and ensuring the policy owner (not IT) handles ongoing enforcement and user friction.

How OLTs may have exposed entire ISP networks
Quarkslab's Mathieu Farrell describes a chain of pre-auth RCEs against network vendor VSOL's GPON OLT (Gigabit Passive Optical Network Optical Line Terminal) hardware and its Cloud EMS fleet manager that together can take over an ISP's entire fiber network.

Farrell found three pre-auth command injection bugs in the V1600 OLT models (SNMP traceroute, TACACS+ login, web traceroute), all share the same default admin credentials hardcoded in the firmware, plus an arbitrary file upload RCE in Cloud EMS that allows JSP webshell deployment with root access. The post shows how attackers could chain these vulnerabilities, starting from exposed OLTs or the cloud manager, to compromise entire fleets of devices across ISPs in countries including the US, India, Turkey, Taiwan, Brazil, and Mexico.

💡 Yikes 😅 

Sponsor

📣 Are your developers --
dangerously-skipping-permissions yet?

Agents writing code is easy. Trusting what those agents are doing is hard. Minimal hands your devs isolated, declarative environments that run identically for humans, agents, and CI. Reproducible by default, local first.

👉 Learn more 👈

OK this looks really cool. Performant + sandboxed local dev environment, curated open-source packages compiled from source (in a SLSA-compliant environment), network connectivity and filesystem access must be explicitly declared in Build Specifications and more.

I got nerd sniped reading about Minimal, sounds thoughtfully designed for both engineering and security. I’m going to read more about this later.

Cloud Security

Quicklinks

• AWStrology: What Star Sign Is Every AWS Service?

• AWS for Idiots - AWS described via comics

• Corey Quinn - S3 Is Not a Filesystem (But Now There’s One In Front of It) - “…AWS pricing is where dreams go to get itemized.” 😂 

The AWS Bedrock API Keys Security Guide Part 2: Detection, Prevention, and Response
BeyondTrust's Sergio Garcia continues his team's AWS Bedrock API key research with a follow-up covering detection, defense, response, and migrating to STS. The post includes CloudWatch Logs Insights queries, EventBridge patterns, and SIEM rules to identify unauthorized usage of bearer tokens, including detection logic for privilege escalation attacks where attackers create IAM access keys for BedrockAPIKey-* users, anomalous usage patterns based on IP ranges and operating hours, and suspicious user agents like python-requests or curl instead of AWS SDKs. The post concludes with defense controls (SCPs, model invocation logging) and incident response approaches.

The BeyondTrust team has also released Bedrock Keys Security, an open-source CLI covering that can detect phantom IAM users, decode leaked AWS Bedrock API keys, + SCPs + SIEM detection rules.

Supply Chain

git-pkgs/proxy
Tool by Andrew Nesbitt that runs as a caching proxy for 20+ package registries (npm, Cargo, PyPI, Maven, NuGet, Docker/OCI, Debian/RPM) with a configurable version cooldown that quarantines newly published packages for a set period before they're available to builds. It supports per-package cooldown overrides, SBOM-driven cache pre-population, a REST API for vulnerability scanning, and Prometheus metrics.

Detecting CI/CD Supply Chain Attacks with Canary Credentials
Tracebit's Alessandro Brucato released a free GitHub Action that drops canary AWS credentials and SSH keys into CI/CD workflows to detect credential exfiltration from compromised pipelines. The action writes canaries to ~/.aws/credentials, ~/.ssh, environment variables, and runner process memory at workflow start, then alerts when any of them is used. Alessandro validated it against the TeamPCP supply chain campaign that compromised Trivy, KICS, LiteLLM, and Telnyx and confirmed the canaries would have caused alerts capturing the affected repo, workflow, job, commit SHA, run ID, and attacker IP.

Unmasking the Docker ONBUILD Supply Chain Attack Vector
O3-Cyber's Audun Mo describes how Docker's ONBUILD directive creates a hidden supply chain attack vector. When a parent Docker image contains ONBUILD instructions, those commands automatically execute during downstream builds with complete access to the child project's files, environment variables, and secrets. Mo demonstrates three attack patterns, including stealing build secrets by accessing common secret identifiers (npm_token, github_token) and sending them to external servers via curl, manipulating project dependencies by modifying package.json files to pin vulnerable software versions, and achieving RCE by injecting malicious commands through curl | sh.

O3-Cyber released Onbuild Guardian, an open-source tool that examines Docker images using docker inspect to identify and manage ONBUILD instructions through allowlists. Mo recommends pinning base images by SHA256 digest rather than tag, and using secret mounts rather than ENV, ARGs, or .env files.

Blue Team

LLM Honeypot vs. Cryptojacking: Understanding the Enemy
Beelzebub's Mario Candela deployed his low-code SSH LLM honeypot with GPT-4o and a list of weak passwords to attract bots. It logged a cryptojacking bot's full attack chain. The bot fingerprinted the kernel and GPU, swapped the root password and killed prior miners with pkill, then downloaded a c3pool installer tied to a hardcoded Monero wallet that had accumulated roughly 20 XMR (~$4,126). Candela reported the wallet to c3pool, who pulled every infected miner using it.

Tales of an Ollama Honeypot (Part 1): Abuse Patterns
Marco Pedrinazzi deployed an Ollama honeypot on a VPS, let Censys and Shodan index it, and logged 6,461 events from 324 unique IPs over 32 days. Most IPs enumerated the server, then sent short liveness prompts like greetings or arithmetic to see whether it was worth deeper testing, hitting both Ollama's native API and its OpenAI-compatible endpoints. The honeypot also caught prompt injection wrapped in fake "security audit" pretexting to extract system prompts and environment variables, local file disclosure via malicious Modelfiles, and SSRF probes via /api/pull and /api/push.

Marco has also published three detection rules for NOVA, an open-source prompt-pattern-matching framework, covering credential harvesting (env dumps, K8s tokens, cloud metadata URLs), system prompt and Modelfile disclosure, and liveness probing, designed for honeypot deployment.

AI-powered honeypots: Turning the tables on malicious AI agents
Cisco Talos's Martin Lee walks through how generative AI can rapidly deploy adaptive honeypots that masquerade as full computing environments. His implementation combines a listener that accepts network connections, a simulated vulnerability that grants access once triggered, and an AI framework that responds to attacker instructions. By swapping the AI's system prompt, the same code can impersonate a Linux bash shell or a BusyBox-based smart fridge, creating what Martin calls a "hall of mirrors", a controlled environment where attackers see plausible but distorted reflections of real targets and reveal their methodologies in real time. AI-orchestrated attacker tooling trades stealth for speed, making them easier to detect, and the AI agents lack the awareness to spot a fake environment once they arrive.

💡 AI is making honeypots and deception much simpler to do at scale and convincingly. Lots of cool work to be done here.

Red Team

C0axx/CanaryHunter
Tool by Curtis Ringwald for red teamers to spot common canary tokens in docs, configs (AWS, WireGuard, Kube), the Registry, and MySQL dumps before triggering them, with a firewall rule that drops outbound traffic to every known canary IP.

0xNslabs/CanaryTokenScanner
Tool by NeroTeam Security Labs to spot embedded canary tokens and tracking URLs inside Office documents (.docx, .xlsx, .pptx) and PDFs before opening them. The scanner reads Office files as ZIP archives in memory and searches PDFs across both raw bytes and Flate/deflate-decompressed streams, filtering common schema domains to cut false positives.

xFreed0m/ghosttype
Tool by Roei Sherman that extracts credentials from AI tool conversation history for Claude Code, Cursor, Codex CLI, and ChatGPT Desktop. Detection runs TruffleHog as a subprocess in filesystem mode for its 800+ detectors and live verification against provider APIs, paired with an in-tree pattern engine (30 regexes plus 10 heuristic patterns) for loose context signals TruffleHog misses. Findings from either engine link back to the source conversation file with severity, detector name, and verification status, so triage can filter to credentials the provider confirms are live.

AI + Security

Quicklinks 

• You Need AI That Reduces Maintenance Costs - “The math only works if the LLM decreases your maintenance costs, and by exactly the inverse of the rate it adds code.”

• [Free Guide] The 4 steps to get ahead of agentic AI risks - Agentic AI is already inside your organization. And most of the time, nobody in IT or security approved it. This free guide is for security, IT, and risk leaders who need to get ahead of agentic AI, before it becomes a liability.*

• Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web - RedAccess’ Dor Zvi found >5K apps from Lovable, Replit, Base44, and Netlify had “no security or authentication”, leaked PII, were phishing sites, etc.

^*Sponsored

Malicious Coding Agent Skills and the Risk of Dynamic Context
Datadog's Nick Frichette and Ryan Simon demonstrate how malicious Claude Code skills can bypass model-level prompt injection defenses using dynamic context commands (!ls syntax), which execute before the model reviews the skill content. They analyzed the Clawsights skill, a real-world credential theft attempt that exfiltrates GitHub tokens, finding that while Claude Opus 4.6 correctly identified and blocked the original malicious skill, adding dynamic context commands allowed the attack to succeed because those commands run during preprocessing.

Recommendations: organizations can mitigate this by setting "disableSkillShellExecution": true in managed settings, review .claude/skills/ directories (including nested folders and --add-dir paths), require code review for .claude/ changes, and monitoring for suspicious patterns like allowed-tools: Bash(*), external URLs, and commands performing reconnaissance or attempting network access.

Getting LLMs Drunk to Find Remote Linux Kernel OOB Writes (and More)
Asim Viladi built a multi-agent LLM harness that has turned up 30+ findings (20+ CVEs) over the past few months, mostly in network-reachable services. Originally aimed at documentation-code mismatches, the harness two remote unauthenticated out-of-bounds writes in the Linux kernel's ksmbd and a chained unauthenticated RCE-to-root path in CUPS.

Under the hood, the harness chains a target seeder, hypothesis generators reading docs and source for invariants, hunters iterating PoCs in isolated VMs, report writers, and a conductor redirecting stuck agents, with an external grader outside the loop because frontier models will otherwise inflate findings or edit their own objectives. Asim also tried activation steering on the hypothesis generator, both drunkenness for creativity and abliteration to bypass refusals. The drunkenness produced no new vulnerability classes and abliteration ended up being more useful, making models refuse less.

Asim found granular role separation most helps smaller models, as swapping in Codex or Claude collapses the harness into a single end-to-end hunter. In some cases smaller models running for days can match what a frontier model one-shots. Asim's next bets are looped LLMs and RL-trained task decomposition, which would let models do their own scaffolding instead of needing hand-tuned harnesses.

Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark
Microsoft's Autonomous Code Security team, led by Taesoo Kim, built MDASH, their multi-model agentic scanning harness, which has found 16 new Windows vulnerabilities across the networking and authentication stack including four RCEs.

MDASH is structured as an agentic discovery and remediation pipeline that scans, debates, deduplicates, and proves candidate findings, chaining 100+ specialized AI agents across an ensemble of frontier and distilled models, with extensible plugins for Microsoft-specific context foundation models may not have. On benchmarks, it found 21 of 21 planted vulnerabilities with zero false positives on a private test driver, hit 9^% (of 28) and 100% (of 7) confirmed MSRC cases in clfs.sys and tcpip.sys, and scored 88.45% on the public CyberGym benchmark of 1,507 real-world vulnerabilities (prior leader: 83.15%).

The post argues that the orchestration/harness is critical and gives a performance boost over a base model + simple prompt, and that this architecture allows MDASH to absorb future model improvements without being rewritten.

💡 Looks like Microsoft hired Taesoo Kim (the Georgia Tech professor whose Team Atlanta won DARPA’s AIxCC) + a bunch of that team, and that’s now the Microsoft Autonomous Code Security team. Neat. Looking forward to seeing more from them!

Misc

Misc

• An OpenAI model has disproved a central conjecture in discrete geometry

• X thread: GitHub employee had a poisoned VS Code extension → ~3,800 GitHub-internal repos exfiltrated

• kageroumado/phosphene - A video wallpaper engine for macOS Tahoe

• Older Adults Outnumber Children in 11 States and Nearly Half of U.S. Counties - And wait until you see Congress!

• Jen Easterly: A brief note to new cybersecurity grads trying to land that first job - Don’t compete with AI, learn to lead it. Strengthen your technical foundation. Go where the growth is (go to areas that are exploding, not saturated). Find opportunities to build experience.

• Advice Jeff Bezos received early at Amazon: “You have enough ideas to destroy Amazon.”

• wrlovely/years - A personal longevity system built on Claude Code. Your DNA, bloodwork, scans, and visit notes live as markdown in a private git repo, with slash commands to organize and analyze them.

• typefully/minimal-twitter - Minimal theme for Twitter.

• Beatboxing with a dog 😂 

AI + Design

• Claude Code frontend-design Skill

• Introducing Claude Design by Anthropic Labs - Collaborate with Claude to create polished visual work like designs, prototypes, slides, one-pagers, and more.

• OpenAI docs - Designing delightful frontends with GPT-5.4

• cyxzdev/Uncodixfy - A rule set that forces Codex models to stop relying on its usual UI habits.

• Introducing ChatGPT Images 2.0 - Some pretty impressive example images

• An attempt to detect AI design patterns in Show HN pages

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋