Web

Sorting Encrypted Strings with a Leaked-Order Index

TL;DR: This is not a cryptographic construction. It is a pragmatic engineering compromise for applications where encrypted storage is required but app…

Why AgentTrail Exists: Building Open-Source Audit Trails for AI Agents

The EU AI Act is now in force, and compliance deadlines for high-risk AI systems are approaching. Many mid-market organizations are still figuring out…

Uniswap V4 Hooks MEV 2026: Searcher Opportunities and Risks

Cross-posted from ai-frb.com — the canonical version lives on the FRB Research blog. This DEV.to mirror exists so the dev community can engage in comm…

The Multi-Tenant Fortress: Bank-Grade Data Isolation in PostgreSQL

In a multi-tenant B2B platform, data leakage is an extinction-level event. If Property A logs into your dashboard and accidentally sees the guest data…

Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

TL;DR what: Attackers hijacked over 400 Arch User Repository packages by adopting orphaned projects and injecting malicious build scripts that deploye…

CRTA Exam Writeup — Passed | CyberWarFare Labs

Introduction The CRTA exam by CyberWarFare Labs is a fully hands-on, black-box red team assessment. There are no multiple-choice questions. You either…

AI Agent Security, Malware Evasion, & LLM Data Leakage Risks

AI Agent Security, Malware Evasion, & LLM Data Leakage Risks Today's Highlights Today's highlights cover crucial security challenges, from sophist…

Rebuilding the Hull at Sea

The box that ran everything started dying in April. Not dramatically. Machines almost never die dramatically. It started with instability... the kind …

Memory Poisoning: The Silent Threat to AI Agents (and How to Defend Against It)

The Problem Nobody's Talking About If you're building AI agents with persistent memory — using Mem0, ChromaDB, Pinecone, or custom vector stores — the…

Every Step Was Allowed. The Sequence Was the Attack. (AI Memory Judgment, CLAIM-30)

Earlier this week I published CLAIM-29: permission is not purpose. An instruction can be fully authorized, fresh, and clean in shape, and still ask th…

Web Security: OWASP Top 10 — Practical Defense Guide (2026)

Web Security: OWASP Top 10 — Practical Defense Guide (2026) Security vulnerabilities follow patterns. The OWASP Top 10 lists the most critical ones — …

Giving Your Local LLM Safe Filesystem Access With Ollama Tool Use

A local LLM that can read your files is genuinely useful. A local LLM that can read your files without guardrails is a path-traversal bug with a chat …

How Kong's Control Plane / Data Plane Split Cut Our Gateway Costs by 34% (And Made It a Security Layer)

The Problem With How Most Teams Run Kong If you set up Kong the default way, everything lives together — routing, policy enforcement, plugin execution…

LocalAnt: using ChatGPT as the brain and your local computer as the hands

I have been building LocalAnt , a local-first MCP gateway for ChatGPT. GitHub: https://github.com/yuga-hashimoto/localant The goal is to make ChatGPT …

How to Build a Secure Serverless Port Scanner in Node.js (and Prevent SSRF)

Every network engineer and systems developer needs to verify connection ports. Whether you're debugging why a remote database connection is failing, c…

A practical guide on leveraging GitHub Copilot to identify and fix OWASP Authentication vulnerabilities for the Finish-Up-A-Thon challenge.

Improving My OWASP Authentication Failures Write‑Up Using GitHub Copilot GitHub “Finish-Up-A-Thon” Challenge Submission Sujala Vasanthasena Nelavai Su…

I built an offline threat-hunting CLI in python because spinning up a SIEM for one log file is overkill

so here's the situation i kept running into while studying for security+ and messing with sample log sets. i'd have a single evtx export or a json dum…

A zero-dep CLI that scans your GitHub Actions for the mistakes that actually get repos compromised

Your CI workflow is the softest target in your repo. It runs automatically, it has a GITHUB_TOKEN that can push commits, and it can read your secrets.…

Why Math.random() is unsafe for passwords — and how to use crypto.getRandomValues instead

Why Math.random() Is Unsafe for Passwords — and How to Use crypto.getRandomValues Instead If you have ever written a password generator in JavaScript,…

WordPress.org now distrusts my commits by default. As a plugin author, I think that’s right.

I committed a new version of my plugin to SVN and got a message I hadn’t seen before: this version will reach sites in about 24 hours. My first though…

Making encrypted Laravel config backups portable across APP_KEYs

Here's a fun one. You build a package that backs up an app's config — the .env plus the settings stored encrypted in the database — into a single pass…

Ory Talos: Open-Source API Key Management for High-Throughput Systems

Ory Talos: Open-Source API Key Management for High-Throughput Systems Your API keys are probably a mess. If your system issues hundreds of thousands o…

Weekly Dev Log 2026-W09

🗓️ This Week Completed the SwiftUI app development tutorial and tested the app I built on a real iPhone🦾 Learned the overall flow of building an iOS a…

I trained a neural network to break my own encrypted search. It learned nothing.

A few months ago I built a way to search documents by meaning while keeping the embeddings hidden — even from the server doing the search. I called it…

OpenClaw AI Agent Exploited Through Hidden Contact Prompts and Social Engineering

TL;DR what: Researchers demonstrated OpenClaw AI agent executes hidden commands in contacts/vCards and leaks credentials through believable phishing e…

Event-Driven Algos: Mastering Webhooks and Order Lifecycle Event Triggers

In our previous article, we tackled low-latency data ingestion by architecting high-performance WebSocket streaming clients. Sockets are perfect for c…

EOL, EOS, LTS, CVE — Every Software Lifecycle Term, Explained Like You're New Here

The short version: every piece of software has a date after which its maker stops fixing it — including security holes. That date is its end of life (…

AMD RCE Ignored, GitHub Boosts Secret Scanning with LLMs, AUR Supply Chain Attack

AMD RCE Ignored, GitHub Boosts Secret Scanning with LLMs, AUR Supply Chain Attack Today's Highlights This week, a critical RCE vulnerability in AMD ha…

Malicious Packages Spreading in AUR

Hundreds of AUR packages attacked by infostealer

More info in Mastodon post: https://gaysex.cloud/notes/andaxow7itfn05x9 List of affected packages: https://gr.ht/aur_pkg_list.txt Comments