I’ve released a new version of promptmap. Now, it doesn’t just check for prompt injection attacks, it also detects issues like hate speech, harmful content generation, distractions, and more. It’s very easy to use and should be your go-to tool when deploying any LLM-based application. Just provide your system prompts and the model you want to use. It will automatically run attacks and show you which ones were successful. https://lnkd.in/e-pDDE7s
New version of promptmap detects more issues in LLM-based apps
More Relevant Posts
I've been using Claude Code and Cursor CLI for months now and I have to say: AI-generated code often looks good... but it's not.
→ Subtle logic bugs
→ Security vulnerabilities
→ Performance issues
→ Hallucinations that seem syntactically correct
I've been experimenting with CodeRabbit CLI to review AI-generated code.
✓ Reviews code directly in your terminal (no context switching)
✓ Catches AI hallucinations
✓ Integrates seamlessly with Claude Code, Cursor CLI, and other agents
✓ Works with your existing Git workflow
The free tier is quite generous; you can try it using this link 👇 https://lnkd.in/eYxxhRP7
A single misplaced capital letter in an AI-powered IDE was all it took to quietly rewrite protected configuration files. Lakera researcher Brett Gustafson discovered and responsibly reported this case-sensitivity flaw in #Cursor, now tracked as CVE-2025-59944. On #macOS and #Windows, that subtle mismatch let untrusted content slip past file protections and, in the right conditions, open a path to remote code execution. But the real story isn’t the patch. It’s what this bug says about #agentic development, where tools don’t just write code, they decide how it runs. Even the smallest logic gap can become a behavioral exploit once #AI acts on your behalf. 👇 Read the full breakdown and responsible disclosure: 🔗 https://lnkd.in/d7Ag_QQK
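An added illustration of the bug class the post describes, not Lakera's or Cursor's code: a protected-file check that compares paths case-sensitively, the hardened version that folds case whenever the filesystem does, and a probe that detects case-insensitivity instead of guessing from the OS name. The protected paths are constructed placeholders, not the files from the advisory.

```python
import os
import posixpath
import tempfile

# Constructed placeholders for files an agent must never edit without review;
# they are NOT the paths from the Cursor advisory.
PROTECTED_PATHS = {".agent/config.json", ".agent/hooks.json"}


def is_protected_naive(rel_path: str, protected=PROTECTED_PATHS) -> bool:
    """Exact-string check: sound on case-sensitive ext4, but on APFS/NTFS
    defaults 'CONFIG.json' and 'config.json' name the same file on disk."""
    return posixpath.normpath(rel_path) in protected


def is_protected_hardened(rel_path: str, case_insensitive_fs: bool,
                          protected=PROTECTED_PATHS) -> bool:
    """Normalise separators and '.' segments, refuse workspace escapes, and
    fold case whenever the underlying filesystem folds it too."""
    norm = posixpath.normpath(rel_path.replace("\\", "/"))
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return True  # anything leaving the workspace is treated as protected
    if case_insensitive_fs:
        return norm.casefold() in {p.casefold() for p in protected}
    return norm in protected


def fs_is_case_insensitive(directory: str = tempfile.gettempdir()) -> bool:
    """Probe the real filesystem rather than the platform name: create a
    file, then look it up under a case-swapped name."""
    with tempfile.NamedTemporaryFile(prefix="casechk_", dir=directory) as tmp:
        swapped = os.path.join(directory, os.path.basename(tmp.name).swapcase())
        return os.path.exists(swapped)


if __name__ == "__main__":
    probe = ".agent/CONFIG.json"  # same bytes on disk as config.json on macOS/Windows
    print("naive :", is_protected_naive(probe))  # False
    print("fixed :", is_protected_hardened(probe, fs_is_case_insensitive()))
```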
“Even the smallest logic gap can become a behavioral exploit once #AI acts on your behalf.” The agentic AI revolution is evolving and more than ever the importance of having the right security guardrails is pertinent.
A very patient hacker hooked victims by building a reliable tool integrated into hundreds of developer workflows that connects artificial intelligence agents with an email platform, and issuing 15 "flawless" versions before turning the tables. https://lnkd.in/ejSRcTev
I Just Deployed a “Join Beta” Form. It’s a simple form for people who want to get early access to Foldy open beta. Using Cursor, Claude Sonnet, Google forms and Source tree. In the video, I walk through my full process. How I used AI to move from concept to deployment step by step.
Things to keep in mind:
→ AI-generated code can introduce security vulnerabilities
→ Custom forms can attract bots or fake email submissions
→ If you use free or open-source components, remember to credit them in your GitHub license file.
I can definitely list more and will keep improving it, but for now... Our open beta is launching soon!! Sign up now so you don’t miss it!
Completed: TryHackMe — DNS in Detail (lab) 🧩🔎
A compact, hands‑on primer that linked DNS theory to practical reconnaissance techniques.
What I did
1. Reviewed DNS record types (A, AAAA, CNAME, MX, TXT, SOA) and practised queries with dig / host.
2. Enumerated subdomains, checked reverse DNS, and interpreted zone data and SOA/TTL values.
3. Tested scenarios where misconfigured zones leaked internal structure.
Challenges
1. Translating theory into stealthy reconnaissance without triggering rate limits or noisy queries.
2. Parsing dig output quickly — improved with repetition and flag practice.
Key takeaways
1. DNS is a high‑value reconnaissance source — small records reveal big context. dig is indispensable; the right flags accelerate enumeration.
2. TXT and MX often expose operational fingerprints (SPF/DMARC, verification tokens).
3. Misconfigurations (open zone transfers, stale records) are common and highly useful for both attackers and defenders.
Next steps
Practice automated enumeration tools and study DNS security controls (DNSSEC, rate limiting).
CodeGPT Prompt Injection—A New Class of Exploit Ramiro Molina’s exploit against CodeGPT demonstrates that prompt injection is more than a novelty—it’s a new class of exploit. By abusing the extension’s prompt handling logic, he was able to extract hardcoded credentials without touching the underlying system. Security teams must treat LLMs as logic engines vulnerable to manipulation. This means applying the same rigor we use for input validation, sandboxing, and privilege separation. Read the full disclosure: https://lnkd.in/gcei7rTC #LLMExploitation #PromptInjection #SecureAI #CyberSecurityEngineering #VulnerabilityDisclosure
💰 Hack application where millions of dollars are tracked
I wrote a beginner‑friendly walkthrough of CVE‑2023‑38646 (Metabase) that shows the full, responsible process: how to build an isolated Docker lab, discover the app version, find an exposed setup token, and verify whether that token can lead to code execution - without running anything against live systems or publishing exploit code.
This post is for beginners who want a clear path into vulnerability analysis — and for people who love digging deeper into how things work.
Read it here: https://lnkd.in/eQ9FSiJu
Zero cost learning - maintain a lab and experiment safely offline.
What you’ll get from the post:
- A step‑by‑step lab setup (Docker + firewall + Burp)
- Practical recon techniques to find endpoints and confirm versions
- Why one‑time setup tokens are high‑value and how they can be mismanaged
- How to verify command execution safely with small, observable tests
#CVE202338646 #Metabase #RCE #InfoSec #BeginnerFriendly
LLM prompting isn’t magic. It’s just engineering. Vague prompts get vague results. You want useful output? Treat prompts like specs. We use five building blocks:
1️⃣ Persona
2️⃣ Context
3️⃣ Examples
4️⃣ Instructions
5️⃣ Format
In his blog post, Mark Curphey walks through prompts built around real npm package vulnerabilities, showing how to turn hand-wavy bug reports into sharp, reliable findings. The real advantage isn’t building yet another wrapper around an LLM, but in knowing how to get the model to do real work. Link in the comments 👇🏻
Inspired by Gitlab's libbehave, I spent my weekend hacking on our xbom tool to add support for Go callgraph generation and matching. Very early stage, but the foundations are there to build upon. Added some basic signatures (YAML) to match the most common Go stdlib functions related to network, filesystem, crypto etc. We take a code analysis approach that leverages Tree Sitter to parse supported languages into an AST. Use plugins for various analysis on AST. In this specific instance, leverage a simple DFA based callgraph builder to build the callgraph along with assignment tracking for type propagation. The plugins trade off coverage and soundness of analysis for developer experience. The goal is to make writing signatures easy, fun and maybe even auto-generated in future, at the cost of lacking inter-procedural type propagation across source files. All of these are open source of course. Ping me if you care to look into the PRs and try out the feature. This is yet to be released, so there won't be a release binary or container image. p.s: Grep or regex will not propagate types, so you can only match symbols. If that solves your need, you should stay away from code analysis; it's crazy.
Emre Kaçmaz