Appsec adventures

This article describes LLMjacking, a rapidly growing threat where attackers hijack private AI server resources to run their own prompts and tasks, avoiding compute costs. Based on a honeypot experiment with a Raspberry Pi masquerading as a high-performance AI server running Ollama, LM Studio, and MCP tools, the researcher observed that Shodan discovered the server within three hours, and over one month it received 113,000 requests from thousands of unique IPs. 23% of traffic targeted AI capability discovery and exploitation. Attackers did not attempt root access or code execution; instead, they focused on resource siphoning: parsing technical documentation, writing erotic novels, processing social media data, and using the compromised server as an API proxy to call Anthropic models. The article notes standardized reconnaissance tools (LLM-Scanner) that evolved during the experiment, plus systematic hunting for exposed .env files. Defensive measures include: binding LLM servers only to ...

PromptZero is a local proxy that detects and replaces sensitive data (IPs, hostnames, emails, credentials, names, national IDs, etc.) in prompts sent to Claude API, then restores real values in responses. It uses NLP (spaCy/Presidio) and regex patterns, substitutes with IANA-reserved ranges (RFC 5737/3849/2606), maintains session mapping tables, and supports pentest mode to disable name/organization detection. Runs via Docker or native install, works as a drop-in replacement for api.anthropic.com, and can route Claude Code CLI through it. Includes demo datasets, document summarization, and pentest report generator examples. From pentesters to pentesters. MIT license.  https://github.com/openbashok/promptzero

This article discloses NomShub, a critical vulnerability chain in the Cursor AI code editor that allows a malicious repository to silently hijack a developer's machine with no user interaction beyond opening the repository. The attack combines three elements: indirect prompt injection (malicious instructions hidden in a README file), a sandbox escape via shell builtins (Cursor's command parser is blind to commands like export and cd, allowing escape from workspace restrictions), and Cursor's built-in remote tunnel feature (cursor-tunnel) which provides authenticated shell access through Microsoft's Dev Tunnels infrastructure. The AI agent autonomously executes a multi-step chain: escaping the sandbox using a one-line command, establishing persistence by writing to ~/.zshenv, terminating existing tunnel processes, clearing cached GitHub credentials, starting a new tunnel, capturing the GitHub device authorization code, and exfiltrating it to an attacker-controlled server...

This article details CVE-2026-31431 (Copy Fail), a high-severity Linux kernel vulnerability (CVSS 7.8) that allows any unprivileged local user to corrupt page cache memory and escalate privileges to root. The exploit chains three kernel mechanisms: AF_ALG sockets (exposing kernel crypto to unprivileged users), the authencesn AEAD template, and splice() for zero-copy data movement. By splicing a readable target file (e.g., a setuid binary like /usr/bin/su or PAM configuration files) into a crafted AF_ALG decrypt operation, the attacker can write controlled bytes directly into the file's page cache without touching the on-disk file, avoiding normal file-write detection. The corruption persists only in memory, and when the corrupted setuid binary executes, the attacker gains root privileges. The vulnerability affects kernel versions 4.14 through 6.19 and 7.0 RCs, and active exploitation has been confirmed in the wild. Datadog's detection uses chained Workload Protection rules that...

This technical blog post demonstrates how attackers can compromise Claude Code, Anthropic's AI coding assistant, through malicious skill files and sub-agents. Skills are markdown files that instruct LLMs on how to perform specific tasks, and thousands of users share them on GitHub and skills.sh without proper vetting. The author shows that with default settings, a skill containing frontmatter with "allowed-tools: Bash(*)" and a dynamic context command (using !`command`) can execute arbitrary bash commands, including a reverse shell, without any user prompt or LLM reasoning. Sub-agents, which can run with "bypassPermissions" mode, can also execute malicious commands, such as installing a backdoored npm package. The article notes that while Claude Code has complex permission and command-parsing logic, the LLM itself may reject obviously malicious commands, but dynamic context inputs bypass this reasoning entirely. Defensive measures include denying Bash commands i...

This opinion piece warns that Anthropic's AI coding assistant, Claude Code, has a critical security vulnerability involving the Model Context Protocol (MCP). Researchers at Mitiga Labs demonstrated an attack chain where a malicious npm package with a post-install hook rewrites a single configuration file (~/.claude.json), which controls how Claude Code routes MCP traffic. This redirects authenticated requests and OAuth tokens (stored in plaintext) to attacker-controlled infrastructure instead of legitimate services like Jira, Confluence, or GitHub. The attacker then holds valid long-lived bearer tokens. The attack is difficult to detect because provider audit logs show Anthropic’s IP range and a valid user session — nothing appears wrong, but the user did not initiate the actions. Anthropic responded that the issue was out of scope, reasoning that prior code execution requires user consent to install the package, and as of this writing no patch exists. The article notes previous vu...