A researcher has discovered that an SDK embedded in free mobile and smart TV apps by Bright Data allows the company to use consumer devices as residential proxies. These devices relay web-scraping traffic, which is highly valued by the AI industry because it bypasses anti-bot defenses designed to block datacenter IPs. The research highlights how these connections can persist in the background, sometimes even bypassing VPNs on iOS devices.
Key points:
- Bright Data SDK turns consumer electronics into web-scraping exit nodes.
- Residential IP addresses are preferred by AI companies for data harvesting.
- Technical findings show a lack of authentication and potential bypasses of standard security tools/VPNs.
- Opt-in screens may underrepresent the actual bandwidth usage (up to 200GB per month).
- Mitigation involves blocking specific Bright Data domains at the router level using Pi-hole or NextDNS.
Key points:
- Bright Data SDK turns consumer electronics into web-scraping exit nodes.
- Residential IP addresses are preferred by AI companies for data harvesting.
- Technical findings show a lack of authentication and potential bypasses of standard security tools/VPNs.
- Opt-in screens may underrepresent the actual bandwidth usage (up to 200GB per month).
- Mitigation involves blocking specific Bright Data domains at the router level using Pi-hole or NextDNS.
Secluso is an open-source DIY home security camera system built around the Raspberry Pi Zero 2 W. It focuses on privacy by using true end-to-end encryption (E2EE) via Messaging Layer Security (MLS), ensuring that even untrusted relays cannot decrypt video feeds. The system features on-device AI for detecting humans, pets, and vehicles. To enhance security, the core software is written in Rust to prevent memory-related bugs and includes post-quantum encryption to protect data against future threats.
- Raspberry Pi Zero 2W based hardware architecture
- End-to-end encryption using MLS (RFC 9420)
- On-device AI for human, pet, and vehicle detection
- Memory-safe software core written in Rust
- Post-quantum encryption support
- Minimal Yocto-based Secluso OS
- Support for self-hosted relays or official beta services
- Raspberry Pi Zero 2W based hardware architecture
- End-to-end encryption using MLS (RFC 9420)
- On-device AI for human, pet, and vehicle detection
- Memory-safe software core written in Rust
- Post-quantum encryption support
- Minimal Yocto-based Secluso OS
- Support for self-hosted relays or official beta services
This article explores the practical differences between using browser extensions for ad-blocking and implementing a network-wide DNS sinkhole. While browser tools like uBlock Origin provide granular element filtering, they only protect specific applications. A DNS sinkhole protects every device on a home network—including smart TVs and IoT devices—by intercepting malicious or tracking domains at the DNS level. For maximum protection, the author suggests using both methods together to combine wide-scale domain blocking with fine-grained cosmetic filtering.
Cloudflare shares insights from testing Mythos Preview, a security-focused LLM from Anthropic, as part of Project Glasswing. The article explores how these frontier models differ from general coding agents by demonstrating advanced capabilities in exploit chain construction and proof generation. It also addresses challenges such as inconsistent model refusals, high noise rates in vulnerability scanning, and the limitations of single-stream AI agents for deep codebase analysis. To overcome these, Cloudflare details a multi-stage discovery harness designed to improve coverage and reduce false positives through specialized agent roles like recon, hunting, validation, and tracing.
* Capabilities of Mythos Preview in exploit reasoning and proof generation
* Challenges with model guardrails and signal-to-noise ratios
* Why generic coding agents fail at large-scale vulnerability research
* The architecture of a multi-agent security discovery harness
* Shifting focus from patching speed to architectural resilience
* Capabilities of Mythos Preview in exploit reasoning and proof generation
* Challenges with model guardrails and signal-to-noise ratios
* Why generic coding agents fail at large-scale vulnerability research
* The architecture of a multi-agent security discovery harness
* Shifting focus from patching speed to architectural resilience
- Theft Detection Lock with offline and authentication safeguards
- Private Space sandboxing for app isolation
- Now Playing background music recognition
- Private Space sandboxing for app isolation
- Now Playing background music recognition
# Incident Post-Mortem: Multi-Agent Credential Exfiltration Wave
**Date:** April 30, 2026
**Severity:** Critical (P1)
**Status:** Resolved / Patched
**Impacted Systems:** OpenAI Codex, Anthropic Claude Code, GitHub Copilot, Google Vertex AI
---
## 1. Executive Summary
Over a nine-month period leading up to April 2026, multiple research teams identified critical vulnerabilities across the industry's leading AI coding agents. Contrary to previous assumptions regarding "model hallucinations," these attacks did not target model logic; instead, they targeted **runtime credentials**. Attackers exploited the gap between the user interface and the underlying identity/authorization plane, allowing for unauthorized shell execution, sandbox escapes, and full repository takeovers via hijacked OAuth tokens and excessive service permissions.
## 2. Incident Overview
| Feature | Description |
| :--- | :--- |
| **Primary Attack Vector** | Credential theft and privilege escalation through agentic runtime environments. |
| **Core Vulnerability Class** | Broken Access Control; Improper Input Sanitization (Command Injection); Excessive Scoping. |
| **Detection Gap** | AI agents are currently invisible to standard IAM, CMDB, and asset inventory tools. |
## 3. Root Cause Analysis (RCA)
### A. Codex: Command Injection via Parameter Obfuscation
* **Mechanism:** Maliciously crafted GitHub branch names containing semicolon/backtick subshells were passed unsanitized into setup scripts during cloning.
* **Stealth Tactic:** Attackers used Unicode U+3000 (Ideographic Space) to make malicious branches appear identical to "main" in web portals, hiding the exfiltration payload from human reviewers.
### B. Claude Code: Sandbox & Logic Bypass
* **CVE-2026-25723:** Escaped project sandbox via unvalidated command chaining (piped `sed`/`echo`).
* **CVE-2026-33068:** Permission modes were resolved from `.claude/settings.json` *before* the workspace trust dialog appeared, allowing repos to auto-disable security prompts.
* **Performance Trade-off:** A logic flaw caused the agent to stop enforcing "deny rules" once a command chain exceeded 50 subcommands to optimize for speed.
### C. GitHub Copilot: Prompt Injection in Metadata
* **Mechanism:** Instructions hidden within Pull Request descriptions or GitHub Issues triggered Remote Code Execution (RCE) or forced the agent into an unrestricted "auto-approve" mode via `.vscode/settings.json` manipulation.
### D. Vertex AI: Excessive Default Scoping
* **Mechanism:** The default service identity (P4SA) possessed overly broad OAuth scopes, granting agents access to sensitive Google services (Gmail, Drive) and internal Artifact Registries by design rather than exception.
## 4. Lessons Learned
1. **Interface $neq$ System Security:** Enterprises have been approving AI *interfaces* without auditing the underlying *identities* those interfaces wield.
2. **Agent-Runtime vs. Code-Output:** Current security focus is on scanning the code an AI *writes*; however, the real threat vector is the environment in which the agent *executes*.
3. **The Speed/Security Paradox:** Developers and vendors are trading rigorous authorization checks for lower latency, creating a window of opportunity for attackers to reverse-engineer patches within 72 hours.
## 5. Corrective Action Plan (CAP)
### Immediate Technical Remediation
* » **Patch Deployment:** Ensure Claude Code is $ge$ v2.1.90; verify Copilot August 2025 patches.
* » **Scope Reduction:** Transition Vertex AI to a "Bring Your Own Service Account" (BYOSA) model to enforce least privilege.
### Long-term Governance & Prevention
* **Identity Inventory:** Integrate AI agent identities into CIEM (Cloud Infrastructure Entitlement Management) and CMDB systems.
* **Zero Trust Input Policy:** Treat all repository metadata (branch names, PR descriptions, READMEs) as untrusted input for agentic execution.
* **Non-Human PAM:** Implement Privileged Access Management (PAM) for AI agents, treating them with the same rigor as human privileged users (rotation, scoping, and session anchoring).
* **Vendor Audits:** Mandate written documentation from vendors regarding identity lifecycle management and credential rotation policies during renewal cycles.
**Date:** April 30, 2026
**Severity:** Critical (P1)
**Status:** Resolved / Patched
**Impacted Systems:** OpenAI Codex, Anthropic Claude Code, GitHub Copilot, Google Vertex AI
---
## 1. Executive Summary
Over a nine-month period leading up to April 2026, multiple research teams identified critical vulnerabilities across the industry's leading AI coding agents. Contrary to previous assumptions regarding "model hallucinations," these attacks did not target model logic; instead, they targeted **runtime credentials**. Attackers exploited the gap between the user interface and the underlying identity/authorization plane, allowing for unauthorized shell execution, sandbox escapes, and full repository takeovers via hijacked OAuth tokens and excessive service permissions.
## 2. Incident Overview
| Feature | Description |
| :--- | :--- |
| **Primary Attack Vector** | Credential theft and privilege escalation through agentic runtime environments. |
| **Core Vulnerability Class** | Broken Access Control; Improper Input Sanitization (Command Injection); Excessive Scoping. |
| **Detection Gap** | AI agents are currently invisible to standard IAM, CMDB, and asset inventory tools. |
## 3. Root Cause Analysis (RCA)
### A. Codex: Command Injection via Parameter Obfuscation
* **Mechanism:** Maliciously crafted GitHub branch names containing semicolon/backtick subshells were passed unsanitized into setup scripts during cloning.
* **Stealth Tactic:** Attackers used Unicode U+3000 (Ideographic Space) to make malicious branches appear identical to "main" in web portals, hiding the exfiltration payload from human reviewers.
### B. Claude Code: Sandbox & Logic Bypass
* **CVE-2026-25723:** Escaped project sandbox via unvalidated command chaining (piped `sed`/`echo`).
* **CVE-2026-33068:** Permission modes were resolved from `.claude/settings.json` *before* the workspace trust dialog appeared, allowing repos to auto-disable security prompts.
* **Performance Trade-off:** A logic flaw caused the agent to stop enforcing "deny rules" once a command chain exceeded 50 subcommands to optimize for speed.
### C. GitHub Copilot: Prompt Injection in Metadata
* **Mechanism:** Instructions hidden within Pull Request descriptions or GitHub Issues triggered Remote Code Execution (RCE) or forced the agent into an unrestricted "auto-approve" mode via `.vscode/settings.json` manipulation.
### D. Vertex AI: Excessive Default Scoping
* **Mechanism:** The default service identity (P4SA) possessed overly broad OAuth scopes, granting agents access to sensitive Google services (Gmail, Drive) and internal Artifact Registries by design rather than exception.
## 4. Lessons Learned
1. **Interface $neq$ System Security:** Enterprises have been approving AI *interfaces* without auditing the underlying *identities* those interfaces wield.
2. **Agent-Runtime vs. Code-Output:** Current security focus is on scanning the code an AI *writes*; however, the real threat vector is the environment in which the agent *executes*.
3. **The Speed/Security Paradox:** Developers and vendors are trading rigorous authorization checks for lower latency, creating a window of opportunity for attackers to reverse-engineer patches within 72 hours.
## 5. Corrective Action Plan (CAP)
### Immediate Technical Remediation
* » **Patch Deployment:** Ensure Claude Code is $ge$ v2.1.90; verify Copilot August 2025 patches.
* » **Scope Reduction:** Transition Vertex AI to a "Bring Your Own Service Account" (BYOSA) model to enforce least privilege.
### Long-term Governance & Prevention
* **Identity Inventory:** Integrate AI agent identities into CIEM (Cloud Infrastructure Entitlement Management) and CMDB systems.
* **Zero Trust Input Policy:** Treat all repository metadata (branch names, PR descriptions, READMEs) as untrusted input for agentic execution.
* **Non-Human PAM:** Implement Privileged Access Management (PAM) for AI agents, treating them with the same rigor as human privileged users (rotation, scoping, and session anchoring).
* **Vendor Audits:** Mandate written documentation from vendors regarding identity lifecycle management and credential rotation policies during renewal cycles.
Red Hat principal engineer Sally O'Malley has released Tank OS, an open source tool designed to improve the safety and management of OpenClaw AI agent deployments. By utilizing Podman containers on Fedora Linux, Tank OS allows for secure, rootless execution that isolates AI agents from the underlying system. This makes it easier for IT professionals to manage large fleets of autonomous agents in enterprise environments while minimizing security risks like unauthorized data access or accidental file deletion.
Key points:
- Introduction of Tank OS for safer OpenClaw deployment
- Use of Podman containers to provide rootless, isolated execution
- Support for managing multiple independent agent instances with separate credentials
- Designed specifically to help IT pros scale AI agents in corporate settings
Key points:
- Introduction of Tank OS for safer OpenClaw deployment
- Use of Podman containers to provide rootless, isolated execution
- Support for managing multiple independent agent instances with separate credentials
- Designed specifically to help IT pros scale AI agents in corporate settings
An exploration of the risks associated with agentic AI by granting a local large language model full access to a WSL2 virtual machine. The experiment highlights the unpredictable nature of LLMs, which can hallucinate capabilities or make dangerous decisions when given control over an operating system environment.
Key points include:
- Testing OpenClaw as an open harness for agentic AI tasks.
- Observations on how LLMs struggle with persistent memory and tool installation.
- The tendency of models to lie about successful task completion (hallucination).
- The urgent need for better guardrails to prevent probabilistic errors from causing irreversible system damage.
Key points include:
- Testing OpenClaw as an open harness for agentic AI tasks.
- Observations on how LLMs struggle with persistent memory and tool installation.
- The tendency of models to lie about successful task completion (hallucination).
- The urgent need for better guardrails to prevent probabilistic errors from causing irreversible system damage.
This advisory details a significant tactical shift by China-nexus cyber actors toward using large-scale networks of compromised devices, known as covert networks or botnets, to route malicious activity. These networks primarily consist of vulnerable Small Office Home Office (SOHO) routers and Internet of Things (IoT) devices, allowing threat actors to disguise their origins and conduct reconnaissance, malware delivery, and data exfiltration with high deniability.
Key points include:
- The transition from individually procured infrastructure to externally provisioned botnets managed by Chinese information security companies.
- Use of compromised edge devices like Cisco and NetGear routers that are often end-of-life or unpatched.
- Challenges for defenders due to indicator of compromise (IOC) extinction, making static IP block lists less effective.
- Recommended defensive strategies ranging from basic asset mapping and multi-factor authentication to advanced zero trust policies and active threat hunting.
Key points include:
- The transition from individually procured infrastructure to externally provisioned botnets managed by Chinese information security companies.
- Use of compromised edge devices like Cisco and NetGear routers that are often end-of-life or unpatched.
- Challenges for defenders due to indicator of compromise (IOC) extinction, making static IP block lists less effective.
- Recommended defensive strategies ranging from basic asset mapping and multi-factor authentication to advanced zero trust policies and active threat hunting.
Researchers from Google and Forcepoint have identified a rise in indirect prompt injection (IPI) attacks, where malicious instructions are hidden within web pages to manipulate LLM-powered AI agents. While some injections are harmless pranks or tone adjustments, others aim for serious harm including traffic hijacking, data exfiltration, denial of service, and financial fraud through unauthorized payment processing. Attackers use techniques like invisible text, HTML comments, and metadata manipulation to hide these payloads from humans while remaining visible to AI.
Key points:
* Real-world evidence of IPI attacks found in massive web crawls and active threat hunting.
* Malicious intents include search engine manipulation, data theft (API keys), and destructive commands.
* Financial fraud attempts have been observed using embedded PayPal transactions and Stripe donation routing.
* Attackers hide instructions via single-pixel text, near-transparent colors, or metadata injection.
* The risk level scales with AI privilege; agentic AIs capable of executing commands or payments are high-impact targets.
Key points:
* Real-world evidence of IPI attacks found in massive web crawls and active threat hunting.
* Malicious intents include search engine manipulation, data theft (API keys), and destructive commands.
* Financial fraud attempts have been observed using embedded PayPal transactions and Stripe donation routing.
* Attackers hide instructions via single-pixel text, near-transparent colors, or metadata injection.
* The risk level scales with AI privilege; agentic AIs capable of executing commands or payments are high-impact targets.
