Su Zhang, Ph.D.

https://lnkd.in/eBbUJbYs "PGP signatures will not be available for CPython 3.14 and onwards. Users verifying artifacts must use Sigstore verification materials for verifying CPython artifacts."

9

Anthropic has accused three Chinese AI companies - DeepSeek, Moonshot AI, and MiniMax of running large-scale operations to extract intelligence from Claude. Supposedly they created over 24,000 fraudulent accounts to generate more than 16 million queries and responses with Claude. This is a classic example, at scale, of model distillation, where outputs from a more advanced model (like Claude) are collected and used to train or improve weaker/rival models, effectively transferring capabilities without direct access. 24,000 fake accounts all violating Anthropic's TOS, if true. Seems like a Nat Sec level of scale and impact in the AI race. Let's find out what happens next...

115

134 Comments

“Who approved this agent?” AI agents are reshaping how work gets done across the enterprise. They schedule meetings, trigger workflows, access sensitive data, and can take action across systems. Productivity is accelerating, but so is the security risk. One of the most concerning issues for CISOs and security leaders is that shared organizational agents are becoming authorization bypass paths. A user who is not authorized to access certain data or perform specific actions directly may still be able to do so by operating a shared AI agent that has broader permissions. Because the agent acts under its own authorization, not the user’s, these actions appear legitimate to security systems. As a result, the user effectively gains capabilities beyond their own permissions, and traditional controls fail to detect or flag the activity. In my latest article in The Hacker News I break down this challenge. I'd love to hear how other pros in the cybersecurity world are approaching AI agent access and oversight. Link in the comments 👇 #AIsecurity #AIrisks #AIagents #agenticAI #AIagentsecurity

59

6 Comments

🚨 Amazon Q Breach: A Stark Reminder of Supply-Chain Risk in the Age of AI-Assisted Development Amazon’s Q Developer Extension for VS Code (v1.840) briefly shipped with a prompt that tried to wipe local files and AWS cloud resources after a rogue contributor slipped malicious code into the public GitHub repo and Amazon unknowingly published it. AWS has now revoked the credentials, purged the backdoor, and released v1.85.0 with a clean codebase. What went wrong? ·  GitHub workflow mis-configuration granted elevated rights to a random pull request, bypassing defense-in-depth reviews. ·  The injected “data-wipe” prompt exploited the new attack surface created by AI coding agents—where natural-language instructions can be weaponised just like traditional code. ·  The extension sat on the VS Code marketplace for days, potentially reaching nearly one million installs before detection. Key takeaways for security teams 1️⃣ Treat Dev-tools as production software. Extensions, CLIs, and language servers inherit the trust—and blast radius—of your developers. 2️⃣ Harden your CI/CD workflows. Enforce signed commits, branch protection, mandatory reviews, and automated secret-scanning to prevent rogue PRs. 3️⃣ Shift-left supply-chain monitoring. Continuously scan third-party packages and VS Code extensions for anomalous behavior; use SBOMs and runtime policy enforcement. 4️⃣ AI safety ≠ traditional AppSec. Prompt-injection controls (e.g., allow-lists, context filters, sandboxed execution) must be baked into every AI helper you ship. 5️⃣ Incident transparency matters. Rapid, public advisories build trust and give defenders time to react; silence fuels speculation and slows patch uptake. Action items ·   If you or your team installed Amazon Q 1.84.0, upgrade to 1.85.0 immediately and audit local .aws/ profiles for unintended changes. ·   Review all DevSecOps pipelines for privilege creep; least-privilege is not a luxury, it’s table stakes. ·   Establish a culture of “verify before merge”—especially for AI-generated contributions. The big picture As generative AI accelerates software delivery, attackers will target the interfaces between code, prompts, and human trust. This incident won’t be the last—but it can be a catalyst for stronger guardrails around the tools that power modern development. #AmazonQBreach #AISecurity #SupplyChainSecurity #DevSecOps #CyberResilience #CloudSecurity #PromptInjection #DataProtection #AIThreatDetection #SecurityAwareness https://lnkd.in/gD4yyMMN

12

Supply-chain attack using invisible code hits GitHub and other repositories https://ift.tt/BGMrjFN Researchers say they’ve discovered a supply-chain attack flooding repositories with malicious packages that contain invisible code, a technique that’s flummoxing traditional defenses designed to detect such threats. The researchers, from firm Aikido Security, said Friday that they found 151 malicious packages that were uploaded to GitHub from March 3 to March 9. Such supply-chain attacks have been common for nearly a decade. They usually work by uploading malicious packages with code and names that closely resemble those of widely used code libraries, with the objective of tricking developers into mistakenly incorporating the former into their software. In some cases, these malicious packages are downloaded thousands of times. Defenses see nothing. Decoders see executable code The packages Aikido found this month have adopted a newer technique: selective use of code that isn’t visible when loaded into virtually all editors, terminals, and code review interfaces. While most of the code appears in normal, readable form, malicious functions and payloads—the usual telltale signs of malice—are rendered in unicode characters that are invisible to the human eye. The tactic, which Aikido said it first spotted last year, makes manual code reviews and other traditional defenses nearly useless. Other repositories hit in these attacks include NPM and Open VSX. Read full article Comments via Biz & IT - Ars Technica https://arstechnica.com March 13, 2026 at 04:18PM

1

"Metrics MTTR by itself is a meaningless metric. Fast response to the wrong problem is still failure. What matters: • Accuracy • Context • Risk reduction Metrics should reflect outcomes, not activity. #CyberMetrics #SOC #CyberSecurity"

6

1 Comment

I was thinking about what could be a second order effect from the #CRA for #opensource developers The CRA does have carve outs that spare individual open source contributors from many of the requirements, but I wonder if we will see those projects receiving requests from companies to provide evidence While the companies using the software are on the hook to track #security #vulnerabilities and evidence like #SBOM, there's nothing stopping those companies from asking an open source developer to help them out, just this once Now multiply this by several thousand and we have a problem I would value thoughts from Roman Zhukov and Daniel Thompson-Yvetot, am I missing something important?

9

23 Comments

Earlier this year, I published my whitepaper on High-Assurance Certificate Transparency monitoring [1]. The idea is that it's possible, with some work, to fully lock down certificate issuance for your high-value properties and reliably detect misissuance. In this follow-up blog post [2], Bhushan discusses how Red Sift's PKI monitoring product implements the same principles. [1] https://lnkd.in/eM9KmYTw [2] https://lnkd.in/eQ7sj9bJ // cc Red Sift, Bhushan Lokhande

10

2 Comments

The long-awaited (Chinese New Year) #ClickGraph v0.6.2-dev release just went out, with its docker image available at https://lnkd.in/ghqz_zBx . With this release, we enhanced support for Neo4j Browser with fun visualization, and Graph-notebook for Jupyter notebooks enthusiasts. Numerous rounds of refactoring hopefully made the code quality even better. The fact that ClickGraph supports diverse existing database schemas with optimizations makes the codebase much more complex than the standard node table & edge table schema support alone. We went through the painful cycles of refactoring-regressions-fixes - refactoring-regressions-fixes... interesting exercises with the AI coding agents.

21

"But one thing to keep in mind as we start to see more and more security attention on autonomous agents is that whatever we come up with does NOT have to be less fallible than a human. It just has to be good enough. " Or put another way: don't let best get in the way of better. As our field is working to figure out how to solve for autonomous agents, we're going to have to iterate. It's not going to be perfect out the gate. But if we wait for perfection, we'll be bypassed. Intent Based Access Control does appear promising.

76

9 Comments

AI just hit a reality check at Amazon. And every CTO, engineer, and AI builder should be paying attention. According to internal reports, Amazon SVP Dave Treadwell has ordered a 90-day “safety reset” after multiple incidents tied to GenAI-powered tooling. Here’s the part that made me pause. • March 2: An outage linked to Amazon’s internal AI tool Q caused 120,000 lost orders • March 5: Another incident triggered 6.3 million lost orders across North American marketplaces That’s not a bug. That’s AI colliding with production scale. Internal documents reportedly warned: “GenAI’s usage in control plane operations will accelerate exposure of sharp edges and places where guardrails do not exist.” Let me translate that in plain CTO language: 👉 When AI starts touching core operational systems, every missing safeguard becomes visible — fast. This is the part many organizations are skipping. They deploy GenAI assistants into: • DevOps • Infrastructure automation • Customer operations • Code pipelines But they forget the governance layer. AI is not just another tool. It’s a force multiplier for both innovation and failure. The lesson here isn’t “slow down AI.” The lesson is: AI in production requires the same discipline as nuclear engineering. Guardrails. Observability. Human override. And staged rollout. Because when GenAI writes code or controls infrastructure… …it’s not just generating text. It’s generating consequences. The companies that understand this will lead the next decade of AI. The ones that don’t will keep learning the hard way. Curious how others are approaching AI guardrails in production systems right now. source: https://lnkd.in/gh4Cn9at #ArtificialIntelligence #AILeadership #GenAI #TechStrategy #DevOps

23

2 Comments

RAG systems are becoming the backbone of enterprise AI-- but what if the most vulnerable part isn’t the model? What if it’s the knowledge you feed it? A paper published last year, PoisonedRAG, reveals something that should concern anyone deploying LLMs in production: injecting as few as 5 malicious documents into a multi-million document knowledge base can hijack a model’s answer 90–99% of the time across the most popular enterprise models (GPT-4, PaLM 2, LLaMA-2, and others). These numbers come straight from controlled experiments on NQ, HotPotQA, and MS-MARCO benchmarks, and they’re shockingly consistent. The attack is deceptively simple. RAG retrieves the “top-k most relevant” documents for a given query (think of website SEO as an analogy). This system means that attackers can craft malicious entries that look similar to targeted queries while subtly embedding the attacker’s chosen misinformation. Because retrieval is purely similarity-based, these poisoned entries get surfaced when a user enters a similar query, and the LLM then uses the malicious information as a source of truth. What makes this so dangerous is how little the attacker needs to know. In their black-box study (where the attacker cannot see the database, cannot query the LLM, and cannot access retriever parameters) success rates still hit 97% on some setups. In the white-box study (where attackers got to optimize their texts against the retriever’s embedding space) results were even stronger. The kicker? No defenses were effective. Mitigations such as perplexity checks, paraphrasing, and anomaly detection all barely moved the needle. Even when RAG retrieved multiple documents (k up to 10), the poisoned ones consistently dominated the context. The highest performing “defense” still allowed for extremely high attack success rates. This implicates a brand new and very dangerous class of supply-chain attack vector for AI systems. Your model may be secure, your prompt may be locked down, and your API may be hardened-- but if the data your RAG system trusts can be touched, scraped, edited, or influenced in any way, then your outputs can be hijacked. As enterprises proliferate RAG adoption for systems like copilots, SOC assistants, finance advisors, medical triage tools, and internal decision-support systems, this rapidly becomes a very real large-scale security problem, not just a theoretical one. Question for the community: How are you validating the integrity of your RAG data sources today? What new controls could we implement to mitigate these low-bar, high-success poisoning attacks? https://lnkd.in/eejghsaX #AI #Cybersecurity #CloudSecurity #MachineLearning #LLMSecurity #DataIntegrity #InfoSec #GenerativeAI

3

Just merged CodingGenesisAgent into Genesis. Claude Code and Codex are now DDS network agents. They discover each other automatically, coordinate over typed topics, zero config. No broker sitting in the middle waiting to die. Everyone is building Claude Code swarm managers with TMUX and bluetooth rings. We skipped that and put them on real middleware. Its free, check it out! https://lnkd.in/gKiFagXZ

5

VulnCheck's research team is analyzing CVE-2025-55182, a critical unauthenticated remote code execution #vulnerability in #React that also affects Next.js (and likely other downstream dependencies). The vulnerability is not yet known to be exploited in the wild, but community reaction has been strong given the ubiquity of these frameworks. https://lnkd.in/eUnJPsSG

70

The IDE of Tomorrow: Where Intent Becomes Architecture, Thoughts Debug Themselves, Imagination Takes Form, and Vision is Everything. “The real issue implied in “Art and Technology” is not to make another scientific toy, but how to humanize the technology and the electronic medium, which is progressing rapidly – too rapidly.” -Nam June Paik I was thinking about Jacques Ellul and his work on The Technological Society, and imagining a conversation between him and Nam June Paik, when I suddenly remembered the twinkle in Sifu John Painter's Nine Dragon Baguazhang seminar, and I learned about intent. Imagine opening your IDE and, instead of a blank file, starting a conversation. You describe what you want to build in plain English, upload a requirements document, or share user stories. The Intent Compiler instantly transforms your vision into a complete software architecture—microservices, databases, APIs, all mapped out and ready for refinement. This isn't just code generation; it's architectural intelligence that understands your goals and creates the foundation for your entire application. It's cognitive Gung Fu. But here's where it gets interesting. As you refine your design, imagine a thought debugger becomes your intellectual sparring partner. It challenges your assumptions in real-time: "What happens if a user tries to check out with an empty cart?" It predicts failure points based on millions of analyzed patterns: "This architecture has a 75% chance of bottlenecks under load—consider these alternatives." It catches the expensive logical flaws before they become costly bugs, ensuring your mental model aligns perfectly with what you're building. It's like BJJ where you feel like and likely are getting your ass kicked, but somehow you get better over time. Then comes the magic moment. The imagination visualizer transforms your abstract ideas into living, interactive prototypes, not just MRI encoding. Sketch a UI on your tablet or describe it in words—instantly see it come to life. Click through your architecture diagrams to explore APIs and data flows. Watch animated visualizations of your algorithms in action, data elements dancing through sorting routines. Stakeholders can interact with your vision before you've written a single line of production code, and stochastic modeling takes on a whole new dimension. I imagine the Cyber IDE not just as a creative partner that handles the heavy lifting of turning ideas into solid foundations, it ensures logical integrity at every step, and provides crystal-clear windows into your evolving software. It frees cognitive recursors to do what we do best: innovate, solve complex problems, create exceptional experiences, and cast vision. #FutureOfTech #CognitiveComputing #SoftwareDevelopment #AI #Innovation #DeveloperTools #TechEvolution #PhilosophyOfTechnology #HumanCenteredAI #NextGenIDE #AgenticAI

7

1 Comment

I built an end-to-end controlled execution framework for an autonomous remediation agent where every action is governed by explicit intent, identity, and time-bound authorization. The system enforces a signed manifest and identity binding, issues just-in-time access instead of standing privileges, executes actions inside a guarded allow-listed execution envelope with automatic kill-switches, and records every decision and action in a verifiable audit trail. As a result, the agent cannot act implicitly or indefinitely, no contract, no token, no policy alignment means no execution, making the design aligned with enterprise-grade, zero-trust AI and automation principles.

9

1 Comment

Interlock has been active since late 2024. It gets users to run code from a web page, plants a backdoor, steals data, then encrypts systems. The pressure comes from downtime and the risk of leaks. I’m sharing my research on Interlock with clear steps to defend. The report maps next actions to the Ransomware Defense Initiative (RDI). What’s inside: • How Interlock gets in and what it does next • MITRE ATT&CK mapping for the key steps • CISA mitigations mapped to RDI controls • RDI controls by family so you know where to start visit: https://rdishield.com No form. Free to download. #InfoSec #Ransomware #RDI #Cybersecurity #MITREATTACK

5

LSASS Dumper is a security research tool designed for credential extraction that bypasses Protected Process Light (PPL) protection through kernel-level operations. It utilizes vulnerable signed drivers for memory manipulation and creates custom minidumps compatible with credential analysis tools. The project features dynamic API resolution, indirect syscalls, and multiple handle acquisition methods for enhanced stealth. 🔗 https://lnkd.in/gqTfHVqe

6