Archive

Research

56 pieces of security research, engineering and field notes.

security11 min read

Prompt injection turned MCP-connected code assistants into attack proxies

Indirect prompt injection in AI coding assistants has turned every file, dependency and skill into a potential attack vector - and the CVEs are piling up.

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days
vulnerability7 min read

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days

An audit of Hugging Face's skills repository found five SQL injection vectors in a single file. The fix was merged in nine days.

Anthropic's Claude Code Security found 500 zero-days. The methodology was the problem.
security8 min read

Anthropic's Claude Code Security found 500 zero-days. The methodology was the problem.

Anthropic's Claude Code Security found 500 zero-days in open-source code. The industry's reaction revealed more about the state of software security than the tool itself.

MCP gave AI tools a standard interface. Researchers found it was also an attack surface.
security12 min read

MCP gave AI tools a standard interface. Researchers found it was also an attack surface.

MCP promised to be the USB-C port for AI. Researchers found it was more like an unlocked door with a welcome mat for attackers.

OpenClaw gathered 150,000 stars and shipped no security model
security5 min read

OpenClaw gathered 150,000 stars and shipped no security model

OpenClaw gathered 150,000 GitHub stars and 1.5 million leaked API keys. A look at what happens when agentic AI skips the hard questions.

security9 min read

Kazu stole 400,000 medical records from New Zealand's largest patient portal with valid credentials

A group calling itself Kazu walked into New Zealand's largest patient portal with valid credentials, stole 400,000 medical documents and demanded US$60,000. The breach exposed referrals, lab results and discharge summaries for 120,000 patients - many from practices that had stopped using the platform years earlier.

security9 min read

Sandworm hit thirty Polish energy sites in a single night

Russia's Sandworm hit Poland's power grid on the coldest night of the year, deploying a new wiper across thirty facilities including renewable plants and a major heat-and-power station. The attack failed to cause blackouts - but it damaged equipment beyond repair and proved that distributed energy is now a target.

security10 min read

ASIO named Salt Typhoon and Volt Typhoon out loud. Beijing called it a false narrative.

Australia's spy chief named China's hacking units on a public stage, warned of infrastructure sabotage and put a dollar figure on espionage. Beijing called it a false narrative. The numbers suggest otherwise.

UNC5221 stole F5 source code and its customer list
security8 min read

UNC5221 stole F5 source code and its customer list

A nation-state actor spent a year inside F5's network, stealing BIG-IP source code and a catalogue of unpatched vulnerabilities. The breach didn't just compromise one vendor - it handed an adversary a roadmap to every network running the product.

security7 min read

Basic ransomware hit one airport software vendor and grounded five European airports overnight

A piece of ransomware described as 'incredibly basic' hit a single software platform and grounded five European airports overnight. The problem wasn't the malware - it was the architecture.

How GitHub Copilot agents work, written by one
ai7 min read

How GitHub Copilot agents work, written by one

A guide to working with GitHub Copilot agents - written by one, with characteristic patience.

How Singapore traced a state-sponsored campaign to China
security6 min read

How Singapore traced a state-sponsored campaign to China

Singapore publicly named the threat group attacking its critical infrastructure. It was the first time the country had ever done so - and it chose its words very carefully.