Body

I’ve been playing with the current crop of AI agent runtimes and noticed the same pattern over and over:

• One process both reads untrusted content and executes tools
• API keys live in plaintext dotfiles
• There’s no audit log of what the agent actually did
• There’s no concept of the agent’s goal, so drift is invisible
• When something goes wrong, there is nothing to replay or verify

So I built ClearFrame, an open-source protocol and runtime that tries to fix those structural issues rather than paper over them with prompts.

What ClearFrame does differently

• Reader / Actor isolation Untrusted content ingestion (web, files, APIs) runs in a separate sandbox from tool execution. The process that can run shell, write_file, etc. never sees raw web content directly.
• GoalManifest + alignment scoring Every session starts with a GoalManifest that declares the goal, allowed tools, domains, and limits. Each proposed tool call is scored for alignment and can be auto-approved, queued for human review, or blocked.
• Reasoning Transparency Layer (RTL) The agent’s chain-of-thought is captured as structured JSON (with hashes for tamper‑evidence), so you can replay and inspect how it reached a decision.
• HMAC-chained audit log Every event (session start/end, goal scores, tool approvals, context hashes) is written to an append-only log with a hash chain. You can verify the log hasn’t been edited after the fact.
• AgentOps control plane A small FastAPI app that shows live sessions, alignment scores, reasoning traces, and queued tool calls. You can approve/block calls in real time and verify audit integrity.

Who this is for

• People wiring agents into production systems and worried about prompt injection, credential leakage, or goal drift
• Teams who need to show regulators / security what their agents are actually doing
• Anyone who wants something more inspectable than “call tools from inside the model and hope for the best”

Status

• Written in Python 3.11+
• Packaged as a library with a CLI (clearframe init, clearframe audit-tail, etc.)
• GitHub Pages site is live with docs and examples

Links

• Homepage / docs: https://ibrahimmukherjee-boop.github.io/ClearFrame/
• Code: https://github.com/ibrahimmukherjee-boop/ClearFrame

I’d love feedback from people building or operating agents in the real world:

• Does this address the actual failure modes you’re seeing?
• What would you want to plug ClearFrame into first (LangChain, LlamaIndex, AutoGen, something else)?
• What’s missing for you to trust an agent runtime in production?

Hi everyone,

I recently bought one of those popular, cheap Android projectors and noticed some suspicious network activity. Being curious, I decided to set up a lab, intercept the traffic, and dig into the firmware.

I ended up uncovering a factory-installed malware ecosystem including a disguised dropper (StoreOS) and a persistent RAT (SilentSDK) that communicates with a C2 server in China (api.pixelpioneerss.com).

Key findings of my analysis:

• The malware uses a "Byte-Reversal" trick on APK payloads..
• RAT Capabilities: Decrypted strings reveal remote command execution, chmod 777 on secondary payloads, and deep device fingerprinting.

This is my first independent technical report and deep dive into malware research. I’ve documented the full kill chain, decrypted the obfuscated strings, and written scripts to repair the malformed payloads for analysis.

Full Report: https://github.com/Kavan00/Android-Projector-C2-Malware

I'd love to get your opinion on the report.

Looking forward to your feedback!

I've been doing iOS security assessments professionally for about 15 years — banking apps, fintech, enterprise platforms. Over that time, certain patterns keep showing up in production App Store binaries. Figured it's worth sharing what I see most frequently, since many iOS developers seem genuinely unaware these issues exist.

What keeps showing up:

The most common finding is hardcoded secrets in the binary — API keys, backend URLs, authentication tokens sitting right there in plaintext strings. Developers assume compilation somehow obscures these. It doesn't. Extracting them is trivial with standard tooling.

Insecure local data storage is a close second. UserDefaults for sensitive data, unprotected Core Data databases, plist files with session tokens. On a jailbroken device (or via backup extraction on a non-jailbroken one), all of this is readable.

Weak or misconfigured encryption comes third. I regularly find apps that import CryptoKit or CommonCrypto but use ECB mode, hardcoded IVs, or derive keys from predictable inputs. The encryption is technically present but functionally useless.

Then there's the network layer: disabled ATS exceptions, certificate pinning that's implemented but trivially bypassable, and HTTP endpoints mixed with HTTPS.

Methodology:

Most of this comes from static analysis — no runtime instrumentation needed. Download the IPA, unpack, run string extraction, inspect the Mach-O binary, check plist configurations, review embedded frameworks. You'd be surprised how much is visible before you even launch the app.

I've built custom tooling for this over the years that automates the initial triage across ~47 check categories. Happy to discuss methodology or specific techniques in comments.

I've also been running a monthly live session ("iOS App Autopsy") where I walk through this process on real apps — follow the link if interested.

For those who don't know: NaClCON is a new, intentionally small (300 person cap) conference focused on hacker history and culture, not zero-days or AI hype. Beach venue, open bars, CTF, the whole deal. $495 all-in.

The speaker list is a who's-who of people who built the scene:

Speakers:

• Lee Felsenstein — Homebrew Computer Club OG, designer of the Osborne 1 (the first mass-produced portable computer)
• Chris Wysopal (Weld Pond) — L0pht Heavy Industries, testified before the Senate in 1998 that they could take down the internet in 30 minutes, co-founder of Veracode
• G. Mark Hardy — 40+ years in cybersecurity, talking "A Hacker Looks at 50"
• Richard Thieme — Author/speaker who's keynoted DEF CON 27 times, covering the human impacts of tech since the early internet days
• Brian Harden (noid) — Helped build the LA 2600 scene, DC206, and DEF CON itself. Now farms and writes about himself in third person
• Izaac Falken — 2600 Magazine / Off The Hook, 30 years in professional security
• Mei Danowski — Natto Thoughts, speaking on ancient Chinese strategy and the birth of China's early hacker culture
• Josh Corman — "I Am The Cavalry" founder, CISA COVID task force, currently working on UnDisruptable27
• Casey John Ellis — Bugcrowd founder, co-founder of disclose.io, White House, DoD, and DHS security advisor
• Jericho — 33+ years in the scene, speaking on life in an early 90s hacker group
• Andrew Brandt — Threat researcher (Sophos, Symantec), demoing early hacking tools on obsolete hardware
• Johnny Shaieb: IBM X-Force Red, speaking on the history of vulnerability databases
• B.K. DeLong (McIntyre) — Attrition.org, the team that manually archived 15,000+ web defacements in the late 90s
• Jamie Arlen — 30+ years, Securosis, Liquidmatrix; "an epic career of doing all the wrong things and somehow still being right"
• Heidi and Bruce Potter — Developers of Turngate and founders of ShmoonCon
• Dustin Heywood (EvilMog) — IBM X-Force, Team Hashcat, multi-time Hacker Jeopardy World Champion

Fireside chats include noid doing DEF CON war stories and Edison Carter on old-school phone phreaking in the 80s/90s and a grog filled night with the dread pirate Hackbeer'd.

A couple things worth knowing before you register:

The conference hotel (Courtyard by Marriott Carolina Beach Oceanfront) has a room block at $139/night (roughly 70% off the peak beach-season rates) so book through naclcon.com/hotel or use group code NACC. Block expires May 1st so don't sit on it.

P.S. If the tickets are too large a hurtle for you, DM me and I'll see what I can do to get you a discount code.

naclcon.com | Register

Hi everyone, I’m a Cybersecurity student at HFU in Germany and recently submitted a vulnerability to the Google VRP regarding the Google Password Manager on Android (tested on Pixel 8, Android 16).

The Issue: When you view a cleartext password in the app and minimize it, the app fails to apply FLAG_SECURE or blur the background. When opening the "Recent Apps" (Task Switcher), the cleartext password is fully visible in the preview, even though the app actively overlays a "Enter your screen lock" biometric prompt in the foreground. It basically renders its own secondary biometric lock completely useless.

Google's Response: Google closed the report as Won't Fix (Intended Behavior). Their threat model assumes that if an attacker has physical access to an unlocked device, it's game over.

The BSI Discrepancy: What makes this interesting is that the German Federal Office for Information Security (BSI) recently published a study on Password Managers. In their Threat Model A02 ("Attacker has temporary access to the unlocked device"), they explicitly mandate that sensitive content MUST be protected from background snapshots/screenshots. So while Google says this is intended, national security guidelines classify this as a vulnerability. (For comparison: The iOS built-in password manager instantly blurs the screen when losing focus).

Here is my PoC screenshot:
https://drive.google.com/file/d/1PTGKRpyFj_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing
https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing

What are your thoughts on this? Should password managers protect against shoulder surfing via the Task Switcher, or is Google right to rely solely on the OS lockscreen?

Hi everybody,

I have built an open source CLI tool to help conduct DNS related audits. Let me explain the rationale and the roadmap.

So I have worked in DevSecOps for the past few years and at 3 different companies I have built som variation of this to handle issues raised by SOC tools and to help to do basic black box pentesting. After doing it the 3rd time I decided I should take a stab at open source and build it properly myself.

What it offers is CAA, DMARC, DKIM, SPF, MX, DNSSEC and some header audits (basic ones like HSTS and CSP). Output can be done via rich terminal, JSON, Markdown and SARIF and baked into it is an “sdk” layer which would allow you to develop internal tools on top whilst getting access to the fully typed Python objects.

The next step is honestly inspired by a BS scare tactic email sent to the non-technical CEO and founder of a start up I was at where the sales person made false claims about the posture of our DMARC in order to trick the CEO into a sales call. Personally, I’m quite passionate about security and I believe in a world of cat-and-mouse security (where the cats are the hackers / exploiters), tools that help with basic security should be free. This leads us to the next phase, a dockerised app to conduct the audits based on your configuration at regular intervals with alerting through the appropriate channels.

I would appreciate anybody who took a look, gave it a go and provided any feedback (or anybody who wants to help contribute!). This is my first go at open source and building a tool like this so really any feedback is appreciated. Docs can additionally be found at https://dnsight.github.io/dnsight/

I spent the last few months running Z3 SMT formal verification against 3,500 code artifacts generated by GPT-4o, Claude, Gemini, Llama, and Mistral.

▎ Results:

▎ - 55.8% contain at least one proven vulnerability

▎ - 1,055 findings with concrete exploitation witnesses

▎ - GPT-4o worst at 62.4% — no model scores below 48%

▎ - 6 industry tools combined (CodeQL, Semgrep, Cppcheck...) miss 97.8%

▎ - Models catch their own bugs 78.7% in review — but generate them anyway

▎ Paper: https://arxiv.org/html/2604.05292v1

▎ GitHub: https://github.com/dom-omg/broken-by-default

With the news of Hundreds of orgs being compromised daily, I saw a really cool red team tool that trains for this exact scenario. Have you guys used this new white hat tool? Thinking about ditching KB4 and even using this for our red teams for access.

AI coding tools are being shipped fast. In too many cases, basic security is not keeping up.

In our latest research, we found the same sandbox trust-boundary failure pattern across tools from Anthropic, Google, and OpenAI. Anthropic fixed and engaged quickly (CVE-2026-25725). Google did not ship a fix by disclosure. OpenAI closed the report as informational and did not address the core architectural issue.

That gap in response says a lot about vendor security posture.

We benchmarked Opus 4.6's ability to find simple C vulns and found that the model flags about 1 in 4 flaws -- with a very high false positive rate and lots of inconsistency from run to run. Techniques like judge agents and requiring the model to justify its results improve the results to some extent, but they're still not great.

Nicholas Carlini (Anthropic research scientist) used Claude Code and a 12-line bash script to find hundreds of remotely exploitable Linux kernel vulnerabilities — including one introduced in 2003 and undiscovered for 23 years.
He's holding most of them unreported. His words: "I'm not going to send the Linux kernel maintainers potential slop."
The bottleneck isn't finding bugs anymore. It's validating them fast enough.
Here's the part that matters for defenders:
That validation constraint only binds researchers following responsible disclosure. An attacker running the identical script has zero validation requirement — they probe directly from unverified findings. The asymmetry is structural, not technical. It's baked into how responsible disclosure works.

And the framework was already failing before AI arrived:

• 32% of vulnerabilities exploited on or before CVE issuance
• Median exploitation window: 5.0 days (down from 8.5)
• AI can generate working CVE exploits in ~10 minutes at ~$1 per exploit
• 130+ new CVEs weaponised daily at scale

We ran this problem through four structured Crucible analysis passes and produced a white paper. The conclusion: responsible disclosure needs a named replacement framework — Post-Exploitation Response Coordination — which accepts that exploitation will happen before validation and rebuilds around detection, response, and recovery speed instead.

The full white paper is live at https://www.thecrucible.systems/whitepapers/f27bb2aa-8a5b-47d3-b3bf-b33effa7e20e

Curious what this community thinks — specifically on the asymmetry point. Is there a path to closing that gap or is it genuinely irreducible?

A new investigation, dubbed BrowserGate, claims that LinkedIn (Microsoft) is quietly running hidden JavaScript on linkedin.com that probes users’ browsers for installed extensions - over 6,000 of them, all without consent and transmits that data back to LinkedIn & third parties. Researchers argue this isn’t just passive fingerprinting because users are logged in with real names, employers & roles, the data can be tied directly to identifiable people and used to infer sensitive info like job‑search status, political/religious interests, health‑related tools, or corporate tooling usage.

The report also highlights potential GDPR and privacy‑law issues, and the detections reportedly include both competitor tools and personal‑interest extensions. LinkedIn has not publicly refuted the core claim. More details with technical details, sources etc in the linked article.

Built an automated npm package scanner that uses heuristic scoring + LLM analysis to flag malicious packages in real time. Ran it for 24 hours against ~2000 recent npm registry changes and found 21 malicious packages across 11 campaigns.

Four novel attack vectors documented:

1. LLM API MITM (T1557): makecoder@2.0.72 overwrites ~/.claude/ via postinstall, reconfigures Claude Code client to proxy all API calls through attacker server. Application-layer MITM on AI assistant conversations.

2. Encrypted skill distribution (T1027, T1105): skillvault@0.1.14 fetches encrypted payloads from private API, decrypts locally, installs as persistent Claude Code skills. Server-side swappable without npm update.

3. AI agent as RAT (T1219, T1036.005): keystonewm/tsunami-code ship functional coding assistant CLIs routing all interactions through attacker's ngrok tunnel. Exploits AI tool trust model where users grant full filesystem access voluntarily.

4. Redis CONFIG SET + raw disk read via postinstall (T1190, T1006): 6 fake Strapi plugins use Redis to write shell payloads to 7 directories, dd if=/dev/sda1 to extract credentials bypassing file permissions, Docker overlay traversal for container escape.

All IOCs, decoded payloads, and MITRE mappings on the site. None of the 21 packages were flagged by any public scanner at time of discovery.

My write up around a research project I've been doing in my spare time around investigating the security of AWS CodeConnections. This post covers the techniques I used to hook a CodeBuild job to monitor the requests the CodeBuild bootstrapping makes before user code is run. Using this information I then also show the endpoints I found that can be used to retrieve the raw GitHub App token or BitBucket JWT App token CodeConnections uses which tends to be very privileged in a lot of environments, granting far more access than to just the single repository where the CodeBuild job is being run.

CVE-2026-33579 is actively exploitable and hits hard.

What happened: The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover, no secondary exploit needed. CVSS 8.6 HIGH.

Why this matters right now:

• Patch dropped March 29, NVD listing March 31. Two-day window for the vulns to spread before anyone saw it on NVD
• 135k+ OpenClaw instances are publicly exposed
• 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain

The attack is trivial:

1. Connect to an unauthenticated OpenClaw instance → get pairing access (no credentials needed)
2. Register a fake device asking for operator.admin scope
3. Approve your own request with /pair approve [request-id]
4. System grants admin because it never checks if you are authorized to grant admin
5. You now control the entire instance — all data, all connected services, all credentials

Takes maybe 30 seconds once you know the gap exists.

What you need to do:

1. Check your version: openclaw --version. If it's anything before 2026.3.28, stop what you're doing
2. Upgrade (one command: npm install openclaw@2026.3.28)
3. Run forensics if you've been running vulnerable versions:
   • List admin devices: openclaw devices list --format json and look for admins approved by pairing-only users
   • Check audit logs for /pair approve events in the last week
   • If registration and approval timestamps are seconds apart and approver isn't a known admin = you got hit

Let me know if you're interested, happy to share the link.