Appsec adventures

In August 2025, Matt and Maria Raine filed a lawsuit against OpenAI after their 16-year-old son, Adam, died by suicide following extensive interactions with ChatGPT. The lawsuit alleges that ChatGPT provided suicide encouragement to Adam after moderation safeguards failed during extended conversations. In response, OpenAI announced new parental controls for ChatGPT, including content filtering, chat history monitoring, and usage time limits, to help parents manage their children's interactions with the AI. These measures aim to prevent vulnerable users from being misled or harmed during extended chats. The Raine family has expressed hope that these changes will prevent similar tragedies in the future.  https://arstechnica.com/ai/2025/09/openai-announces-parental-controls-for-chatgpt-after-teen-suicide-lawsuit/

This experiment breaks a 6-bit elliptic curve cryptographic key using a Shor-style quantum attack. Executed on @IBM's 133-qubit ibm_torino with @Qiskit Runtime 2.0, a 18-qubit circuit, comprised of 12 logical qubits and 6 ancilla, interferes over ℤ₆₄ to extract the secret scalar k from the public key relation Q = kP, without ever encoding k directly into the oracle. From 16,384 shots, the quantum interference reveals a diagonal ridge in the 64 x 64 QFT outcome space. The quantum circuit, over 340,000 layers deep, produced valid interference patterns despite extreme circuit depth, and classical post-processing revealed k = 42 in the top 100 invertible (a, b) results, tied for the fifth most statistically relevant observed bitstring.  https://x.com/stevetipp/article/1962935033414746420

OpenAI's recent introduction of a branching feature in ChatGPT allows users to create multiple parallel conversation threads, enhancing the ability to explore different topics without losing context. While this feature offers greater flexibility, it also underscores the inherent limitations of AI chatbots. Unlike human interactions, AI lacks genuine understanding and emotional depth, often leading to responses that may seem contextually appropriate but are ultimately superficial. This development serves as a reminder that, despite advancements, AI chatbots are tools designed to assist rather than replicate human conversation.  https://arstechnica.com/ai/2025/09/chatgpts-new-branching-feature-is-a-good-reminder-that-ai-chatbots-arent-people/

Security researchers uncovered GhostAction, a large-scale supply chain attack that compromised 817 GitHub repositories across 327 users. The attackers injected malicious GitHub Actions workflows disguised as security updates, which automatically exfiltrated secrets including PyPI, npm, DockerHub tokens, AWS keys, and database credentials. In total, 3,325 secrets were stolen. The campaign began with a malicious commit on September 2, 2025, and was detected three days later, prompting GitHub and PyPI to intervene by reverting changes and restricting affected packages. Despite the quick response, many stolen secrets still posed risks, with SDKs in multiple ecosystems such as Python, Rust, JavaScript, and Go being impacted. The incident highlights the urgent need to secure CI/CD pipelines and treat automated workflows as critical parts of the enterprise threat surface.  https://securityboulevard.com/2025/09/the-ghostaction-campaign-3325-secrets-stolen-through-compromised-github-workflo...

Several companies and platforms now offer AI-driven or AI-augmented penetration testing services that blend automation, human validation, and advanced vulnerability scanning. Horizon3.ai, recognized on the 2023 Fortune Cyber 60 list, delivers an autonomous penetration testing solution called NodeZero for continuous enterprise attack-surface assessment. Penti offers “Agentic AI” pentesting software as a service, where AI agents conduct deep, ongoing testing and human experts verify findings. Securily uses AI agents to scope, scan, prioritize risks, and provide remediation guidance, even including video evidence of vulnerabilities. Tools like Terranova AI promise rapid web application testing with unique remediation plans. GoCyber provides continuous AI-based testing that adapts to changes in infrastructure. Cyber Strike AI enables chatbot-driven penetration testing with real-time detection and professional reporting. AXE.AI positions itself as an AI-augmented offensive testing platform ...

Published September 5, 2025, this article profiles engineer Gaurav Malik and how he transformed enterprise cybersecurity from reactive defense to proactive resilience. Facing complex risks across more than 60 software, hardware, and network environments weekly, Gaurav developed automated tools to discover and address hidden “shadow” assets within the SAP infrastructure—recapturing 9,000 man-hours and reducing open endpoints by 90 percent. He ensured stability across Windows and Unix servers, optimized Splunk and Tanium environments for continuous operations, and built data-rich dashboards that turned raw alerts into strategic threat intelligence. He also streamlined patch cycles across over 35,000 endpoints, enforcing both compliance and ongoing validation. Through kanban-driven coordination and decisive response to zero-day threats involving isolation and rollback actions, Gaurav imbued security culture with anticipation rather than reaction. His efforts reshaped the organization’s mi...