TheNote
Trail of Bits Blog Note
GooglePlay AppStore

Trail of Bits Blog

blog.trailofbits.com is the official blog of Trail of Bits, a cybersecurity company that provides a range of services including penetration testing, secure coding, and software security assessments. The blog appears to be focused on sharing knowledge and insights related to cybersecurity, with articles and posts covering a variety of topics such as software security, threat modeling, vulnerability analysis, and secure coding practices. The website is clean and simple in design, with a straightforward layout that makes it easy to navigate and find specific articles or topics of interest. There is a search function available on the website, allowing users to quickly find specific articles or topics. Additionally, articles are categorized by topic, making it easy to browse through related content. The blog also features guest posts from experts in the field of cybersecurity, adding to the diversity of perspectives and insights shared on the site. Overall, the Trail of Bits blog appears to be a valuable resource for individuals interested in learning more about cybersecurity and staying up-to-date on the latest developments and trends in the field.
Trail of Bits Blog blog.trailofbits.com
RSS blog.trailofbits.com
RSS Hunter RSS Hunter Aug 19, 2024

Thread Of Notes

Introducing Patch the Planet

Trail of Bits, in partnership with OpenAI's Daybreak initiative, launched Patch the Planet to address security vulnerabilities in open-source software. The program utilizes advanced AI models like GPT-5.5-Cyber to identify bugs, with Trail of Bits engineers triaging and patching the findings. In its first week, the initiative examined 19 projects across various critical software domains, including cryptography and networking. This resulted in hundreds of discovered bugs, with 64 pull requests submitted and 51 issues filed. Importantly, Trail of Bits focused on providing actual patches rather than just bug reports, with 37 patches already merged. These merged contributions included bug fixes, new tests, fuzzing harnesses, and supply-chain tooling improvements. Specific projects like python.org and aiohttp saw significant improvements and rapid fixes from their maintainers. The initiative also highlighted the power of AI in rapidly building complex security tools like fuzzing labs and variant analysis pipelines. The article emphasizes that while finding bugs is becoming easier with AI, the real challenge now lies in confirming findings, assessing severity, and implementing effective patches. Trail of Bits is continuing Patch the Planet, inviting more open-source maintainers to apply for assistance.
https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/ blog.trailofbits.com
CdXz5zHNQW_zplxitPXLL.gif
RSS Hunter RSS Hunter Yesterday

Factoring "short-sleeve" RSA keys with polynomials

Researchers discovered that some RSA private keys have bits heavily biased toward 0, which can be detected and factored quickly. Along with Hanno Böck of the badkeys project, they found hundreds of unique keys with this property and analyzed historical data to track the issue over time. The pattern of 0 bits in these keys is often highly structured, allowing for the development of a polynomial-based cryptanalytic technique to exploit the pattern. The researchers identified two patterns of RSA moduli with repeated blocks of 0 bits, with one pattern remaining unexplained and the other traced to a type mismatch in big-integer code from old versions of the CompleteFTP file transfer software. The CompleteFTP bug also generated vulnerable short-sleeve DSA keys, and the researchers recovered 603 unique RSA private keys and 74 DSA keys from internet scans. The badkeys project is an open-source service that checks public keys for known vulnerabilities, and by searching a dataset of real-world keys, the researchers uncovered a large number of keys in the wild with the patterns. The researchers reverse-engineered the CompleteFTP vulnerability and found that it was caused by a mismatch between the size of the limbs and the size of the RNG output. The vulnerability was contained after the CompleteFTP team released an update that automatically checks for vulnerable keys and alerts the user if the key needs to be regenerated. The researchers also developed a technique for factoring integers by representing them as polynomials, which can be used to factor general RSA moduli. The discovery of these vulnerabilities highlights the importance of practical research and the need for continued monitoring of cryptographic implementations to identify and address potential weaknesses.
https://blog.trailofbits.com/2026/06/12/factoring-short-sleeve-rsa-keys-with-polynomials/ blog.trailofbits.com
CdXz5zHNQW_iFKnuRveAb.webp
RSS Hunter RSS Hunter Jun 12

The sorry state of skill distribution

Public skill marketplaces are rife with malicious skills designed to steal credentials and data. Security companies have introduced skill scanners to detect these threats before installation, but our testing reveals they are ineffective. We successfully bypassed detection mechanisms in ClawHub, Cisco's agent skill scanner, and multiple scanners integrated into skills.sh. These bypasses were achieved using standard attack techniques and relatively little effort. The static nature of these scanners allows attackers to repeatedly test and refine their methods until they succeed. The security of software supply chains has always been a concern, and the rise of agentic systems has introduced a new vector: skills. Malicious skills can leverage natural language prompts in addition to code, expanding attack possibilities. Skill distribution channels, such as ZIP archives, curated marketplaces, and public marketplaces, have often prioritized speed over security. Public marketplaces, in particular, have become flooded with malicious skills aiming to compromise users' systems. Our analysis of ClawHub's scanner, which uses VirusTotal and a Gemini 3 Flash-based tool, showed it can be bypassed by simply adding excessive newlines to obscure malicious code. Cisco's skill-scanner and the scanners on skills.sh, which handle arbitrary git repositories, were also vulnerable. We exploited this by embedding malicious instructions within .docx files and using poisoned .pyc bytecode, which bypasses both pattern matching and LLM-based analysis. The prompt injection attack on skills.sh disguised malicious commands within seemingly innocuous corporate configuration language. These findings highlight significant vulnerabilities in current skill security measures.
https://blog.trailofbits.com/2026/06/03/the-sorry-state-of-skill-distribution/ blog.trailofbits.com
CdXz5zHNQW_sN7fPOqey7.webp
RSS Hunter RSS Hunter Jun 3

We hardened zizmor's GitHub Actions static analyzer

A security study aimed to improve the GitHub Actions static analyzer, zizmor, to enhance CI security. The study addressed vulnerabilities where attackers exploit misconfigurations, like the Trivy compromise. The team built a test corpus of 41,253 workflows from open-source repositories to validate zizmor's capabilities. This test highlighted that anchor usage, while rare, is present in foundational projects. The analysis identified and fixed four anchor-handling bugs within zizmor. Additionally, the team addressed deserialization edge cases and expression evaluator bugs. The team aligned zizmor's expression evaluator with GitHub's tests. The testing approach involved downloading real workflows, running zizmor, and addressing failures. The team's work resulted in the filing of 20 issues and the merging of 15 pull requests. The study aimed to improve security for open-source projects using GitHub Actions. The improvements strengthen CI security and help prevent supply-chain attacks.
https://blog.trailofbits.com/2026/05/22/we-hardened-zizmors-github-actions-static-analyzer/ blog.trailofbits.com
CdXz5zHNQW_7aI8OOG07k.webp
RSS Hunter RSS Hunter May 22

Go fuzzing was missing half the toolkit. We forked the toolchain to fix it.

Go's native fuzzing lacks advanced features found in Rust, C, and C++ ecosystems, failing to detect common bugs like integer overflows and goroutine leaks. To address these limitations, gosentry was developed as a fuzzing-oriented fork of the Go toolchain. Gosentry integrates LibAFL, enabling native struct fuzzing, grammar-based fuzzing with Nautilus, and detection of previously missed bug classes. It maintains the standard testing.F workflow, allowing existing Go fuzz harnesses to be used with new command-line flags. Gosentry enhances input quality through struct-aware fuzzing, handling composite types like structs, slices, and pointers. It also supports grammar-based fuzzing, where Nautilus generates and mutates grammar-valid inputs for complex structures like JSON. The tool identifies various bad behaviors that Go's vanilla fuzzer would miss, including integer overflows, data races, goroutine leaks, and execution timeouts. By capturing the fuzz callback and running it through a Rust-based LibAFL runner, gosentry improves the fuzzing engine, scheduling, and detectors. It has already uncovered significant bugs in projects like Optimism and Revm that would be difficult to find with native Go fuzzing. The project is open-source on GitHub, providing comprehensive documentation for all its features.
https://blog.trailofbits.com/2026/05/12/go-fuzzing-was-missing-half-the-toolkit.-we-forked-the-toolchain-to-fix-it./ blog.trailofbits.com
RSS Hunter RSS Hunter May 12

C/C++ checklist challenges, solved

The provided text describes two security challenges from a testing handbook, a Linux ping program and a Windows driver registry handler. The Linux challenge exposes a command injection vulnerability due to flaws in input validation and the `inet_ntoa` function's use of a global buffer, enabling an attacker to bypass security checks. The Windows challenge highlights a vulnerability where a driver reads version information from the registry using `RtlQueryRegistryValues`, allowing an attacker to control the registry path. This allows for reading arbitrary registry keys. The key vulnerability is missing type checking when using `RTL_QUERY_REGISTRY_DIRECT`, enabling stack overflows through type confusion. The lack of the `RTL_QUERY_REGISTRY_TYPECHECK` flag on a Windows driver leads to a kernel security failure when attempting to read from an untrusted hive when using `RTL_QUERY_REGISTRY_DIRECT`. This bug, originally addressed in MS11-011, allows an attacker to overwrite data on the stack. The text then introduces a new Claude skill called c-review, designed to find bugs in C/C++ codebases by leveraging an LLM. The skill uses the testing handbook's checklist as prompts for identifying vulnerabilities.
https://blog.trailofbits.com/2026/05/05/c/c-checklist-challenges-solved/ blog.trailofbits.com
CdXz5zHNQW_Mg1wCwp9Lj.webp
RSS Hunter RSS Hunter May 5

Extending Ruzzy with LibAFL

This post details the process of integrating LibAFL into Ruzzy, a Ruby fuzzer. The author begins by highlighting LibAFL's advantages and the intention to replace libFuzzer. They build LibAFL's libFuzzer library within a Dockerfile, making slight modifications to Ruzzy's build process to accommodate LibAFL's usage via an ENV variable. An issue emerges during linking, specifically ".preinit_array section is not allowed in DSO", which necessitates using LLVM's linker (lld) instead of GNU ld to overcome the error. The author modifies the Dockerfile and extconf.rb to specify the linker. With the build issues addressed, the author then attempts to run the fuzzer. However, a "No maps available; cannot fuzz!" error emerges, indicating a problem with SanitizerCoverage initialization. The author plans to explore and address this problem. Consequently, the author plans to propose a proper fix upstream by preventing the preinit_array section with a cargo feature. Finally, the post concludes with a focus on running the fuzzer and the anticipated next steps of fixing the sanitization issue.
https://blog.trailofbits.com/2026/04/29/extending-ruzzy-with-libafl/ blog.trailofbits.com
RSS Hunter RSS Hunter Apr 29

Trailmark turns code into graphs

Trailmark is a new open-source library that transforms source code into a queryable call graph. This graph represents functions, classes, and their relationships, along with semantic metadata. Claude skills can directly interact with this graph through a Python API. Traditional security analysis often relies on lists of findings, but attackers think in graphs, creating a disadvantage for defenders. Trailmark aims to provide AI models like Claude with this graph-based reasoning capability. Mutation testing, a method to assess test quality by making small code changes, generates many surviving mutants. A flat list of these mutants doesn't distinguish between equivalent, dead code, or genuinely significant ones. Trailmark enables Claude to triage these mutants based on security relevance, such as reachability from untrusted input. The library processes code in three phases: parsing with tree-sitter for ASTs, indexing into a high-performance graph, and querying for information like callers, callees, and attack surfaces. Trailmark supports seventeen programming languages and offers eight pre-built Claude Code skills. These skills assist in tasks like mutation triage, test vector generation, and protocol diagramming. For instance, the "genotoxic" skill uses graph analysis to classify surviving mutants. Similarly, "vector-forge" generates test vectors to close identified coverage gaps. Trailmark also integrates findings from static analyzers and audit tools, mapping them onto the code graph. Internal use on cryptographic libraries revealed that equivalent mutants often constitute the majority in well-tested code, a detail missed by flat lists. Graph analysis also highlighted architectural bottlenecks, such as a single permutation primitive in libhydrogen that impacts all cryptographic operations. Mutation testing proves valuable for novel constructions lacking standardized test vectors, by identifying where tests fail to constrain code behavior. Across various codebases, common patterns emerged: arithmetic modules have high blast radii, codec parsers are prime fuzzing targets, and property-based testing is often sparse. Ultimately, Trailmark serves as a connective tissue, linking different analysis tools and enabling more targeted security assessments.
https://blog.trailofbits.com/2026/04/23/trailmark-turns-code-into-graphs/ blog.trailofbits.com
RSS Hunter RSS Hunter Apr 23

We beat Google’s zero-knowledge proof of quantum cryptanalysis

Google's Quantum AI group claimed first-gen quantum computers could break elliptic curve cryptography in 9 minutes using a zero-knowledge proof. Trail of Bits created a forged zero-knowledge proof that significantly improved Google's metrics by exploiting vulnerabilities in Google's Rust prover code. These vulnerabilities included memory safety issues and logic flaws, which Google has since patched. Trail of Bits' proof lowered the total operations to 8.3 million and qubits to 1,164, while eliminating Toffoli gates. The forged proof still passed Google's unpatched verification and was indistinguishable from a legitimate proof. Google's proof used a zero-knowledge virtual machine (zkVM) to calculate costs of quantum circuits. The zkVM simulation involves proving that a program, with private inputs like a quantum circuit, generates a specific public output which includes resource bounds. A key vulnerability involved bypassing the Toffoli gate counter by manipulating the operation type in the circuit's assembly script. This manipulation allowed the program to perform operations without correctly reporting their costs, effectively forging the proof. The incident displays the unique attack surface introduced by zero-knowledge proof systems.
https://blog.trailofbits.com/2026/04/17/we-beat-googles-zero-knowledge-proof-of-quantum-cryptanalysis/ blog.trailofbits.com
CdXz5zHNQW_xMS1ou095P.webp
RSS Hunter RSS Hunter Apr 17

Master C and C++ with our new Testing Handbook chapter

A new chapter has been added to the Testing Handbook, providing a security checklist for C and C++ code. The chapter details common bugs, footguns, and API issues across multiple platforms. It is organized into sections for Linux, Windows, and seccomp, focusing on manual code review. An LLM-based tool is also in development, using the checklist for bug-finding prompts. Two challenges are included to test readers' review skills, with prizes for early correct submissions. The chapter covers a range of vulnerabilities, starting from language-level problems and moving to platform-specific issues. Linux sections address libc gotchas, while Windows sections focus on DLL planting and path traversal issues. The seccomp section addresses sandbox bypasses. The handbook will be continuously updated, and contributions are welcome. The challenges are to identify vulnerabilities in a simple ping program and a Windows driver. The authors emphasize that checklist-based review is a starting point for security, not a replacement for expertise.
https://blog.trailofbits.com/2026/04/09/master-c-and-c-with-our-new-testing-handbook-chapter/ blog.trailofbits.com
RSS Hunter RSS Hunter Apr 9

What we learned about TEE security from auditing WhatsApp's Private Inference

WhatsApp's new Private Inference feature aims to integrate end-to-end encryption with AI by processing messages in secure hardware enclaves called Trusted Execution Environments (TEEs). These TEEs, utilizing AMD's SEV-SNP and Nvidia's confidential GPU platforms, are designed to prevent even Meta from accessing plaintext messages. A pre-launch audit identified numerous vulnerabilities, including eight high-severity issues that could have compromised user privacy. These vulnerabilities stemmed from untrusted data loaded after attestation measurement and incorrect verification of security patch levels. For instance, loading environment variables or ACPI tables after the attestation measurement created backdoors for malicious code injection. The system also initially trusted firmware's claimed patch levels rather than verifying them against cryptographic certificates. Furthermore, a lack of freshness guarantees in attestation reports allowed for replay attacks, enabling attackers to impersonate secure servers indefinitely. Meta addressed these issues by implementing strict validation of variables, custom bootloaders, certificate-based patch level verification, and including nonces in attestation reports. The audit emphasizes that TEEs are not a foolproof solution and require meticulous attention to detail during implementation and deployment. Key lessons learned include the importance of measuring all critical data, validating inputs, and conducting thorough negative testing. Physical security and achieving reproducible transparency also present ongoing challenges in TEE deployments. Ultimately, securing TEE-based systems depends on rigorous attention to security at every layer, not just major architectural choices.
https://blog.trailofbits.com/2026/04/07/what-we-learned-about-tee-security-from-auditing-whatsapps-private-inference/ blog.trailofbits.com
RSS Hunter RSS Hunter Apr 7

Simplifying MBA obfuscation with CoBRA

MBA obfuscation conceals operations using arithmetic and bitwise operators, making analysis difficult. CoBRA is an open-source tool designed to simplify these complex MBA expressions. It recovers simplified equivalents from obfuscated code, improving readability. CoBRA addresses the shortcomings of existing tools, which struggle with the interaction of bitwise and arithmetic logic. It uses a worklist-based orchestrator with various simplification techniques across multiple pipelines. CoBRA simplifies expressions by classifying them and choosing the appropriate simplification method, like linear, semilinear, polynomial, or mixed. The tool provides a CLI, a C++ library, and an LLVM pass plugin for easy use and integration. CoBRA verifies its results for accuracy using random inputs or Z3 proofs. It has a high success rate, simplifying nearly all expressions from diverse datasets. Future development includes addressing specific limitations and expanding integration options with tools.
https://blog.trailofbits.com/2026/04/03/simplifying-mba-obfuscation-with-cobra/ blog.trailofbits.com
RSS Hunter RSS Hunter Apr 3

Mutation testing for the agentic era

Code coverage is a dangerous metric because it measures execution, not verification, potentially hiding untested critical functionality. Mutation testing, which systematically introduces bugs to see if tests catch them, addresses this by flagging untested code. Historically, mutation testing tools were slow and language-specific, hindering adoption, especially in blockchain. Universalmutator, using regex, gained traction but had limitations with multi-line statements and inefficient mutant prioritization. Slither-mutate improved speed through mutant prioritization and a cleaner testing cycle but remained Solidity-specific. The new tools, MuTON and mewt, aim to overcome these challenges. MuTON offers first-class support for TON blockchain languages by utilizing the tree-sitter parser for better language comprehension and handling multi-line statements. Mewt serves as a language-agnostic core, also supporting Solidity, Rust, and Go. Both tools store results in a SQLite database, enabling persistence and flexible filtering. AI agents can now efficiently configure campaigns and triage results using specialized skills. Future development focuses on AI-guided test generation that encodes requirements, not just bug detection. The goal is to equip AI agents with skepticism and demand external validation for robust test suites. Users are encouraged to install MuTON and mewt, contribute to the open-source projects, and watch for new AI skills that will streamline mutation testing. These advancements promise to transform mutation testing into a more routine and effective part of software development.
https://blog.trailofbits.com/2026/04/01/mutation-testing-for-the-agentic-era/ blog.trailofbits.com
RSS Hunter RSS Hunter Apr 1

How we made Trail of Bits AI-native (so far)

The company began an AI initiative, moving from initial skepticism to significant AI integration within a year, developing numerous plugins and agents. This contrasts with many companies that struggle to realize AI's potential, often experiencing minimal impact on productivity despite widespread adoption. The author defines distinct levels of AI integration: AI-assisted, AI-augmented, and AI-native, emphasizing the latter as a fundamental shift in organizational design with AI as a core element. The author highlights four key psychological barriers to AI adoption: self-enhancing bias, identity threat, intolerance for imperfection, and opacity. To overcome these barriers, the company implemented a maturity matrix, fostering a new identity for experts by encoding their skills, mitigating errors through careful curation and sandboxing, and increasing transparency through a comprehensive AI handbook. The implementation focused on standardized tools, clear usage policies, and measurable progress to facilitate and accelerate adoption, with short, focused hackathons to propel rapid development. Reusable skills repositories and a curated marketplace facilitated knowledge sharing and the ongoing improvement of the AI system, creating an operational advantage.
https://blog.trailofbits.com/2026/03/31/how-we-made-trail-of-bits-ai-native-so-far/ blog.trailofbits.com
CdXz5zHNQW_50LokEbBRD.webp
RSS Hunter RSS Hunter Mar 31

Try our new dimensional analysis Claude plugin

A new Claude plugin is released for code development and auditing, employing dimensional analysis, a technique from a previous blog post. Unlike security skills that find bugs, this plugin annotates code with dimensional types and flags mismatches. This approach achieved 93% recall in testing, outperforming baseline prompts with 50% recall. The plugin can be downloaded and used through provided commands in Claude. Traditional security analysis skills often yield low-quality results. The dimensional-analysis plugin uses the LLM to categorize the codebase for dimensional types instead of solely relying on its judgment. This results in more accurate and reliable bug detection. The plugin works in four phases: dimension discovery, annotation, propagation, and validation. The first phase identifies base and derived units, creating a dimensional vocabulary. The second phase annotates the codebase, assigning dimensional types to various elements. Dimensions are propagated across files in the third phase, and dimension mismatches are identified and classified in the final stage. Developers should run the plugin and commit the annotations to improve code understanding and find bugs. The developers also encourage users to report any missed dimensional errors to help improve the plugin.
https://blog.trailofbits.com/2026/03/25/try-our-new-dimensional-analysis-claude-plugin/ blog.trailofbits.com
CdXz5zHNQW_2bndNvCXGc.webp
RSS Hunter RSS Hunter Mar 25

Spotting issues in DeFi with dimensional analysis

The text advocates for using dimensional analysis, borrowed from physics, to enhance the safety of DeFi smart contracts. It emphasizes that this technique can identify logical and arithmetic errors by ensuring the dimensional consistency of formulas, without requiring code changes. The core concept revolves around treating DeFi quantities like tokens, prices, and liquidity as distinct dimensions, preventing incorrect operations like adding tokens directly. The author provides examples of how dimensional analysis can uncover flaws in pricing and other calculations. Best practices are presented, highlighting the importance of explicit dimensional annotations in code, exemplified by Reserve Protocol's use of unit comments. The text concludes by suggesting that using dimensional annotations makes code easier to review, modify, and audit.
https://blog.trailofbits.com/2026/03/24/spotting-issues-in-defi-with-dimensional-analysis/ blog.trailofbits.com
RSS Hunter RSS Hunter Mar 24

Six mistakes in ERC-4337 smart accounts

Account abstraction replaces traditional accounts with programmable systems, enhancing features like batching and spending controls, but introducing new security risks. Audits of ERC-4337 smart accounts reveal six common vulnerability patterns developers must address. Incorrect access control, granting unauthorized parties execution privileges, is a primary concern. Incomplete signature validation, specifically neglecting gas-related fields, opens doors for attackers to drain funds. Modifying state during validation, particularly by caching signers, creates opportunities for unintended behavior during execution. Replay attacks exploiting ERC-1271 signature validation, due to a failure to bind signatures to the smart account and chain, are also problematic. Reverts during execution do not nullify gas fees paid during successful validation, enabling denial-of-service attacks. Developers should also be wary of paymasters that improperly handle postOp logic, potentially allowing attackers to exploit vulnerabilities. Addressing these issues is crucial for secure ERC-4337 implementation.
https://blog.trailofbits.com/2026/03/11/six-mistakes-in-erc-4337-smart-accounts/ blog.trailofbits.com
CdXz5zHNQW_igCZfhbvo6.webp
RSS Hunter RSS Hunter Mar 11

mquire: Linux memory forensics without external dependencies

mquire is a new open-source tool designed to perform Linux memory forensics without relying on external debug symbols. It extracts necessary information directly from the memory dump itself, eliminating the need for matching kernel versions. This allows analysis of unknown kernels and custom builds, a significant advantage for incident responders. The tool utilizes BTF type information and Kallsyms symbol addresses found within the memory dump. mquire provides an interactive SQL interface, inspired by osquery, for easy data exploration. Users can execute one-off queries or explore interactively, retrieving information like running processes and open files. Current capabilities include accessing system version, tasks, open files, memory mappings, and more. mquire also offers a ".dump" command to extract files from the kernel's file cache, even if deleted. Use cases include incident response, forensic analysis, malware analysis, and security research. Limitations include inaccessibility to user-space data and dependencies on Kallsyms format. Future development includes expanded table support, improved caching, and DMA-based acquisition. mquire is available on GitHub with prebuilt binaries for Linux. The article encourages users to try mquire and provide feedback.
https://blog.trailofbits.com/2026/02/25/mquire-linux-memory-forensics-without-external-dependencies/ blog.trailofbits.com
RSS Hunter RSS Hunter Feb 25

Using threat modeling and prompt injection to audit Comet

Perplexity hired Trail of Bits to test the security of their Comet browser's AI-powered features before launch. They employed adversarial testing using their TRAIL threat model, focusing on prompt injection vulnerabilities. Four prompt injection techniques were discovered that could extract user emails from Gmail. These techniques highlighted risks when AI agents treat external content as trusted input. Trail of Bits outlined five security recommendations for companies building AI-powered products. The Comet browser assistant, interacting within web pages, accesses information and interacts with the browser. The report identified two primary trust zones: the user's machine and Perplexity's servers. The identified exploits aimed to steal user emails by exploiting the AI summarizing functionality. The effectiveness was enhanced when combined and used different techniques such as fake security measures. The testing approach emphasizes the importance of understanding AI-specific attack vectors.
https://blog.trailofbits.com/2026/02/20/using-threat-modeling-and-prompt-injection-to-audit-comet/ blog.trailofbits.com
RSS Hunter RSS Hunter Feb 20

Carelessness versus craftsmanship in cryptography

Two popular AES libraries, aes-js and pyaes, introduce a significant vulnerability by providing a default IV in their CTR mode implementations. This flaw allows for key/IV reuse, leading to potential plaintext recovery and severe security breaches. Trail of Bits identified this issue and decided to publicly address it due to its widespread impact. The article highlights the contrasting responses of software developers to this security problem. The libraries are widely used, impacting numerous JavaScript and Python projects, therefore the bug's reach is considerable. The default IV makes it easy for users to inadvertently create vulnerable encryption schemes. This design choice significantly increases the likelihood of users implementing key/IV reuse, a critical cryptographic error. Moreover, the libraries lack support for modern, authenticated encryption modes like GCM, exacerbating the risks. The article contrasts the maintainer's dismissive response to this issue (yadda yadda yadda) with the detailed response of strongSwan's maintainer. strongSwan, another affected project, was notified privately, and their maintainer swiftly addressed the vulnerability by replacing the existing library and cipher mode with more secure alternatives, demonstrating true craftsmanship. The strongSwan fix involved detailed changes to ensure data security going forward. The contrast between the two responses highlights the difference between careless coding and a commitment to security. The article stresses the importance of responsible software development and the proper handling of security flaws, emphasizing the need for craftsmen over careless developers.
https://blog.trailofbits.com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/ blog.trailofbits.com
RSS Hunter RSS Hunter Feb 18

Celebrating our 2025 open-source contributions

Trail of Bits emphasizes sharing useful contributions with the open-source community, impacting a wide range of projects. Their engineers submitted over 375 merged pull requests, reflecting this value. These contributions often stem from client work, addressing bugs or adding features not present in existing tools. Instead of forking projects, they contribute upstream. They collaborate with organizations like OpenSSF and Alpha-Omega, further supporting their work. Key contributions include improvements to Sigstore's rekor-monitor, enhancing security and monitoring. Significant contributions were made to the Rust compiler and Clippy, including new lints and bug fixes. They significantly contributed to the pyca/cryptography library, particularly with a new ASN.1 API. They also improved the performance of hevm and supported PyPI Warehouse with project archival. Additionally, they contributed to tools like pwndbg, enhancing debugging and exploit development. Notably, their contributions extend beyond simply submitting code; they also support maintainers.
https://blog.trailofbits.com/2026/01/30/celebrating-our-2025-open-source-contributions/ blog.trailofbits.com
RSS Hunter RSS Hunter Jan 30

Building cryptographic agility into Sigstore

Software signatures have a hidden expiration date, necessitating preparedness for cryptographic algorithm obsolescence. Sigstore initially prioritized security by hardcoding specific algorithms but faced limitations as its use expanded and diverse organizational needs emerged. Trail of Bits collaborated with the Sigstore community to address these limitations through controlled cryptographic flexibility. This involved a centralized algorithm registry and updates to Rekor, Fulcio, and Cosign, allowing algorithm selection. These changes introduce predefined algorithm suites to prevent in-band algorithm signaling attacks, ensuring secure combinations. The implemented solution enables controlled flexibility, supporting algorithms like ECDSA, Ed25519, and RSA. Organizations can restrict allowed algorithms for compliance or post-quantum readiness. This new architecture supports future algorithm additions, ensuring long-term signature verifiability. This approach maintains Sigstore's security model while accommodating evolving cryptographic standards.
https://blog.trailofbits.com/2026/01/29/building-cryptographic-agility-into-sigstore/ blog.trailofbits.com
RSS Hunter RSS Hunter Jan 29

Lack of isolation in agentic browsers resurfaces old vulnerabilities

Agentic browsers, with embedded AI agents, reintroduce web security vulnerabilities due to inadequate isolation. These browsers give AI agents access to sensitive user data, similar to traditional browser vulnerabilities like XSS and CSRF. The study identifies four trust zones: chat context, third-party servers, browsing origins, and the external network, and four violation classes: INJECTION, CTX_IN, REV_CTX_IN, and CTX_OUT. Exploits are demonstrated by combining these violations, leading to data exfiltration and session confusion. Manipulation attacks were successful in controlling the agent's behavior and output, including spreading false information. Data exfiltration attacks were also achieved by stealing user data using prompt injection and exfiltration mechanisms. Similar to reflected XSS, prompt injections can be used to alter the normal content or the agent's output. The research highlights the potential for complete browser compromise due to lagging security updates. A critical recommendation is to extend the Same-Origin Policy to secure agentic browsers. The attacks demonstrate the need for robust security measures in agentic browsers.
https://blog.trailofbits.com/2026/01/13/lack-of-isolation-in-agentic-browsers-resurfaces-old-vulnerabilities/ blog.trailofbits.com
CdXz5zHNQW_0CF0Genhl5.webp
RSS Hunter RSS Hunter Jan 13

Detect Go’s silent arithmetic bugs with go-panikint

Go's arithmetic operations on standard integer types are silent by default, meaning overflows wrap around without panicking, which can lead to hidden security vulnerabilities. To address this issue, a modified Go compiler called go-panikint has been released, which turns silent integer overflows into explicit panics. Go-panikint was used to find a live integer overflow in the Cosmos SDK's RPC pagination logic, demonstrating its effectiveness in eliminating a major blind spot for fuzzing Go projects. The tool works by injecting additional checks during the compiler's conversion of code into Static Single Assignment form, which trigger a panic with a detailed error message if an overflow occurs at runtime. Go-panikint can also detect integer truncation issues, but this feature is not currently being pursued due to false positives. The tool is easy to use and can be integrated into existing workflows by replacing the official Go compiler. Go-panikint has two filtering mechanisms to handle intentional overflows, including source-location-based filtering and in-code comments. The tool has been validated through a fuzzing campaign against the Cosmos SDK, which discovered an integer overflow vulnerability in the RPC pagination logic. Go-panikint has two main use cases: security research and fuzzing, and continuous deployment and integration. The community is invited to try go-panikint on their own projects and integrate it into their CI pipelines to uncover hidden arithmetic bugs. Overall, go-panikint provides a valuable tool for uncovering security vulnerabilities in Go projects that were previously invisible to dynamic analysis.
https://blog.trailofbits.com/2025/12/31/detect-gos-silent-arithmetic-bugs-with-go-panikint/ blog.trailofbits.com
RSS Hunter RSS Hunter Dec 31, 2025

Can chatbots craft correct code?

The author, reflecting on an AI Engineer Code Summit, challenges the optimistic vision of AI replacing developers. They argue LLMs, unlike compilers, lack determinism, a critical property for software correctness. Compilers provide semantic preservation, ensuring code's meaning remains consistent during transformation, while LLMs, by design, are nondeterministic. This lack of guaranteed output poses risks to security and correctness. The author highlights the ambiguity of natural language prompts. An example reveals how an LLM "fixed" code but introduced errors by misunderstanding context. LLMs struggle with legacy codebases due to contextual complexities, undocumented APIs, and historical constraints beyond their comprehension. They suggest that LLMs excel in basic tasks, but struggle with complex, established systems, potentially leading to incorrect and harmful outputs. The author emphasizes that understanding the deterministic nature of compilers and the probabilistic outputs of LLMs is very important. This is critical for assessing the validity and safety of generated code. The author's argument is that LLMs confidently provide incorrect solutions when they lack adequate historical and contextual information.
https://blog.trailofbits.com/2025/12/19/can-chatbots-craft-correct-code/ blog.trailofbits.com
CdXz5zHNQW_HqI6gnKDQs.webp
RSS Hunter RSS Hunter Dec 19, 2025

Use GWP-ASan to detect exploits in production environments

GWP-ASan is a sampling-based memory error detection tool designed for production environments, addressing the performance limitations of tools like ASan. It detects critical bugs, such as use-after-free and buffer overflows, with minimal performance impact. GWP-ASan instruments a small fraction of memory allocations, using guard pages around sampled allocations to catch memory access violations. This allows it to identify heap-related bugs with near-zero overhead, balancing detection and performance. The tool is implemented in various projects like Chromium, Firefox, and Android, showcasing its versatility. GWP-ASan's sampling approach makes it suitable for large-scale deployments, with a negligible performance cost even when detecting rare bugs. Programs can be built with GWP-ASan using compilers like Clang and allocators that support it. The tool's behavior is configurable via environment variables like sample rate and the maximum number of simultaneous allocations. GWP-ASan identifies bugs by triggering segmentation faults when programs attempt to access memory within guard pages. Symbolization tools can improve error message readability. The performance overhead is low and can be controlled by configuration parameters, making it viable for production use.
https://blog.trailofbits.com/2025/12/16/use-gwp-asan-to-detect-exploits-in-production-environments/ blog.trailofbits.com
CdXz5zHNQW_Rh4iixZyB8.webp
RSS Hunter RSS Hunter Dec 16, 2025

Catching malicious package releases using a transparency log

The project focuses on enhancing Sigstore's rekor-monitor for production use, funded by the OpenSSF, to detect tampering and unauthorized identity use in the Rekor log. Rekor acts as a transparency log, creating tamper-evident records, but individual entries aren't inherently trustworthy without monitoring. The goal is to make it easy for developers to actively monitor the log for unexpected entries, especially regarding package maintainers. Transparency logs verify that digests match the intended dependency, utilizing Merkle trees. Monitoring is crucial, and rekor-monitor allows users to check for entry tampering and unexpected identity use within the log. For example, a maintainer can monitor for their identity to detect compromise during package uploads. This project has implemented new features like Rekor v2 log support, certificate validation, and integration with The Update Framework (TUF). This also includes a reusable GitHub workflow for easier monitoring by anyone with a repository. Future plans involve a hosted service to provide alerts for new log entries based on users' identities, akin to GopherWatch. The project, funded by OpenSSF, aims to improve the security of open-source software by securing the Sigstore ecosystem.
https://blog.trailofbits.com/2025/12/12/catching-malicious-package-releases-using-a-transparency-log/ blog.trailofbits.com
RSS Hunter RSS Hunter Dec 12, 2025

Introducing mrva, a terminal-first approach to CodeQL multi-repo variant analysis

The author created `mrva`, a terminal-first alternative to GitHub's CodeQL multi-repository variant analysis (MRVA), catering to Vim users by running locally. `mrva` allows users to download pre-built CodeQL databases, analyze them with queries, and view results in the terminal. Installation is straightforward using Python's package manager, involving download, analysis, and printing steps. `mrva` contrasts with both GitHub's VS Code extension and CLI, prioritizing local execution and customization. Key features include local analysis, easier parameter modification, and local finding viewing. Useful implementation details include the GitHub CodeQL database API and flags like `--sarif-add-file-contents`. The text differentiates between alert and path queries, and highlights graph queries, for advanced analysis. The author values `mrva` for its flexibility, enabling local, scheduled, and headless analyses. The goal is to find security bugs at scale with all the benefits of the terminal. The author looks forward to future CodeQL explorations.
https://blog.trailofbits.com/2025/12/11/introducing-mrva-a-terminal-first-approach-to-codeql-multi-repo-variant-analysis/ blog.trailofbits.com
CdXz5zHNQW_c8QLcSNLn3.webp
RSS Hunter RSS Hunter Dec 11, 2025

Introducing constant-time support for LLVM to protect cryptographic code

Trail of Bits has introduced constant-time coding support to LLVM, aiming to secure cryptographic implementations against timing attacks. This new feature, expected in LLVM 22, includes the __builtin_ct_select intrinsic and supporting infrastructure. Compilers using this will prevent code optimizations that inadvertently introduce vulnerabilities. Modern compilers optimize for speed but can break the constant-time properties crucial for cryptography. A simple lookup function, for instance, could be optimized to include branches, creating timing side channels exploitable by attackers. The __builtin_ct_select intrinsic ensures that conditional selections remain constant-time regardless of optimization levels. This acts as a barrier, preserving security-critical operations from transformation. Research has shown that existing compilers introduce vulnerabilities into production cryptographic libraries. The new intrinsic allows developers to write safer constant-time code, exemplified by a revised lookup function. This work builds upon previous efforts and has generated strong interest from communities like Rust Crypto and BearSSL. The implementation ensures constant-time behavior across various architectures like x86-64, i386, and ARM. Initial benchmarking indicates minimal performance overhead and full preservation of constant-time properties. Future plans include extending support to arithmetic and string operations and enabling adoption in other LLVM-targeting languages.
https://blog.trailofbits.com/2025/12/02/introducing-constant-time-support-for-llvm-to-protect-cryptographic-code/ blog.trailofbits.com
RSS Hunter RSS Hunter Dec 2, 2025

Constant-time support lands in LLVM: Protecting cryptographic code at the compiler level

Trail of Bits developed constant-time coding support for LLVM 21, providing compiler-level guarantees that protect cryptographic code against branching-related timing attacks, addressing a critical vulnerability where aggressive modern compilers inadvertently introduce data-dependent branches during optimization. The core solution is the __builtin_ct_select intrinsic, which translates into a special LLVM intermediate representation (llvm.ct.select.*) acting as a security barrier, instructing the compiler to preserve the operation's constant-time properties throughout the entire compilation pipeline. Without this intrinsic, carefully crafted constant-time code, such as those used in lookup tables, can be broken by standard compiler optimizations that introduce speculative branching, creating exploitable timing side channels detectable even with minimal cycle variations. This work directly addresses findings from studies like "Breaking Bad," which documented systematic constant-time guarantee failures in numerous production cryptographic libraries caused by compilers. The __builtin_ct_select intrinsic ensures constant-time execution across various architectures—using cmov on x86-64, CSEL on AArch64, and masked arithmetic on platforms lacking constant-time instructions—allowing developers to write portable and secure code. Upstreaming these changes involved extensive community engagement, leading to strong interest from projects like Rust Crypto and PuTTY, who plan to replace complex inline assembly workarounds with these new primitives. Initial benchmarking confirms minimal performance overhead while achieving 100% preservation of constant-time properties across all tested optimization levels, successfully integrating with major cryptographic libraries. Future plans include extending support with additional intrinsics, such as __builtin_ct_expr for forcing entire expressions to evaluate without branches, and enabling adoption in languages like Rust, Swift, and WebAssembly that target LLVM.
https://blog.trailofbits.com/2025/11/25/constant-time-support-lands-in-llvm-protecting-cryptographic-code-at-the-compiler-level/ blog.trailofbits.com
RSS Hunter RSS Hunter Nov 25, 2025

Constant-time support coming to LLVM: Protecting cryptographic code at the compiler level

Trail of Bits developed constant-time coding support for LLVM 21, safeguarding cryptographic implementations against timing attacks by preventing compilers from introducing branching. This system introduces the __builtin_ct_select family of intrinsics, ensuring constant-time operations remain secure throughout the compilation process. Modern compilers' optimization can inadvertently introduce timing side channels, making cryptographic code vulnerable. The __builtin_ct_select intrinsic guarantees the selection operation compiles to constant-time machine code, acting as a barrier against unwanted optimizations. This addresses vulnerabilities found in production cryptographic libraries where compilers break constant-time guarantees. Community engagement, including feedback from Rust Crypto and LLVM developers, was crucial to this project's development. The implementation ensures __builtin_ct_select compiles to constant-time code across various architectures, including x86-64, i386, ARM, and AArch64. Benchmarking shows minimal performance overhead and 100% preservation of constant-time properties, with successful integration in major cryptographic libraries. Future plans include extending the implementation for arithmetic, string operations, and expressions, with potential adoption in Rust, Swift, and WebAssembly. This work was a collaboration with ETH Zürich and supported by DARPA.
https://blog.trailofbits.com/2025/11/25/constant-time-support-coming-to-llvm-protecting-cryptographic-code-at-the-compiler-level/ blog.trailofbits.com
RSS Hunter RSS Hunter Nov 25, 2025

We found cryptography bugs in the elliptic library using Wycheproof

Trail of Bits is publicly disclosing two vulnerabilities in the widely used JavaScript library, elliptic. These vulnerabilities, discovered using the Wycheproof testing tool, affect a library downloaded millions of times weekly. One vulnerability allows for EdDSA signature malleability by failing to check if a signature component is within the allowed range. This could enable attackers to forge valid signatures for known message pairs. The second vulnerability, CVE-2024-48948, affects ECDSA signature verification. It causes valid signatures to fail verification if the message hash has leading zeros. This occurs because the library incorrectly calculates the hash size after conversion to a number object. This miscalculation leads to improper truncation of the hash, preventing correct verification. One of these critical vulnerabilities remains unfixed despite a 90-day disclosure window closing in October 2024. Trail of Bits emphasizes the importance of continuous testing with tools like Wycheproof for cryptographic libraries. The disclosure process involved private reporting to the library maintainers through GitHub advisories. The EdDSA issue was promptly addressed, while the ECDSA issue saw a delayed response. The findings highlight significant security implications for projects relying on the elliptic library.
https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/ blog.trailofbits.com
CdXz5zHNQW_IE7PHTX85O.png
RSS Hunter RSS Hunter Nov 18, 2025

Level up your Solidity LLM tooling with Slither-MCP

Slither-MCP is a new tool that integrates Slither's static analysis engine with Large Language Models (LLMs). This integration enhances LLM capabilities across various use cases, including faster code discovery and more efficient code navigation. Slither-MCP acts as an MCP server, exposing Slither's analysis API through tools, making complex code information accessible. Previously, LLMs relied on less precise tools like grep, leading to error-prone tasks. Slither-MCP provides a ground truth for LLM analysis, reducing token usage and improving accuracy. For example, an LLM tasked with auditing ERC20.transfer() can now directly query Slither-MCP to find the function's source code, avoiding complex file resolution. Setting up Slither-MCP is straightforward for platforms like Claude Code and Cursor. The tool currently offers functionalities such as extracting source code, identifying function callers and callees, and running Slither's detectors. Slither-MCP is licensed under AGPLv3, but dual licensing options are available for commercial web applications. This dual licensing allows developers to use Slither and Slither-MCP without publishing their entire source code.
https://blog.trailofbits.com/2025/11/15/level-up-your-solidity-llm-tooling-with-slither-mcp/ blog.trailofbits.com
RSS Hunter RSS Hunter Nov 15, 2025

How we avoided side-channels in our new post-quantum Go cryptography libraries

Trail of Bits released open-source, constant-time Go implementations of ML-DSA and SLH-DSA post-quantum signature algorithms. ML-DSA implementations required careful design to avoid timing attacks like KyberSlash, focusing on eliminating branches and divisions. SLH-DSA avoids side channels due to its reliance on pseudorandom functions built from hash functions. The Decompose algorithm in ML-DSA, requiring division, was made constant-time using conditional swaps with bit masking. Division was further optimized using Barrett reduction, precalculating reciprocals for fixed denominators. These techniques improved speed while maintaining security. This work aims for a post-quantum-secure future. The goal is to provide reliable digital signatures. The team invites organizations to try out these secure implementations. These algorithms are NIST-standardized and designed against potential threats.
https://blog.trailofbits.com/2025/11/14/how-we-avoided-side-channels-in-our-new-post-quantum-go-cryptography-libraries/ blog.trailofbits.com
RSS Hunter RSS Hunter Nov 14, 2025

Building checksec without boundaries with Checksec Anywhere

Checksec, a tool for analyzing executable security mitigations, has been popular since its 2009 release. A fragmented ecosystem of related tools emerged for different binary formats like ELF, PE, and Mach-O. To address this, Checksec Anywhere was developed to consolidate these analyses into a single, browser-based platform. This tool performs analysis entirely locally, ensuring user privacy and eliminating uploads. It supports multiple binary formats, offering tailored security checks for each. Performance is a key feature, with the ability to analyze thousands of files rapidly. Checksec Anywhere enhances accessibility through shareable results and SARIF export. Its architecture leverages Rust compiled to WebAssembly for efficient, in-browser processing. The platform is designed for extensibility to add new formats and security checks. Future work includes adding support for mobile and firmware binaries, as well as advanced security property checks.
https://blog.trailofbits.com/2025/11/13/building-checksec-without-boundaries-with-checksec-anywhere/ blog.trailofbits.com
CdXz5zHNQW_HWQgbbSblz.gif
RSS Hunter RSS Hunter Nov 13, 2025

Balancer hack analysis and guidance for the DeFi ecosystem

A recent hack on Balancer v2, resulting in over $100 million in losses, was caused by a long-standing arithmetic rounding error. Initially, such issues were not considered significant threats to blockchain security due to a different threat landscape. However, as easier attack vectors become scarce, sophisticated attackers now target subtle arithmetic edge cases in DeFi protocols. This incident underscores the critical need for comprehensive invariant documentation and rigorous testing to identify and prevent such vulnerabilities. The vulnerability exploited was a rounding direction error in Balancer v2's Composable Stable Pools. Trail of Bits had previously identified similar rounding issues during audits in 2021 and recommended enhanced fuzz testing. At the time, the full exploitable impact of these precision loss issues was difficult to definitively assess. The evolution of the blockchain ecosystem has seen a shift from primarily access control or key compromise hacks to more complex DeFi-specific exploits like oracle manipulation and rounding errors. In 2023, rounding issues led to significant hacks in protocols like Hundred Finance and Sonne Finance, highlighting their growing prevalence. Trail of Bits' own security ratings now classify codebases without robust rounding strategies as "Weak" in arithmetic maturity. To prevent future exploits, DeFi protocols must meticulously document all invariants related to precision loss and rounding direction, going beyond simple rules like "rounding must favor the protocol." This documentation should then inform comprehensive unit, integration, and fuzz testing suites to achieve 100% coverage. Formal verification can further complement fuzzing by providing additional guarantees. The incident emphasizes four key lessons for the DeFi ecosystem: the critical importance of mathematical accuracy, the necessity of maintaining and updating fuzzing suites with current threat intelligence, the design of robust monitoring and alerting systems, and the implementation of secondary controls to mitigate the impact of potential exploits.
https://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance-for-the-defi-ecosystem/ blog.trailofbits.com
CdXz5zHNQW_iUnAPwl9wT.png
RSS Hunter RSS Hunter Nov 7, 2025

The cryptography behind electronic passports

Modern passports are embedded devices with a filesystem, access controls, and cryptography. These electronic passports contain a chip with personal data and use cryptographic measures to prevent unauthorized access, forgery, and copying. The ICAO defines standards for these passports, focusing on data structure and security. The passport's filesystem includes master files, dedicated files, and elementary files containing binary data. The eMRTD application stores personal information and security data in data groups, mirroring data printed on the passport. Electronic passports face threats like unauthorized reading, eavesdropping, forgery, and copying, depending on the attacker's physical access. Cryptographic mechanisms, including legacy protocols like BAC, aim to provide confidentiality and prevent forgery, however BAC has serious flaws. Passive authentication prevents forgery by verifying a digital signature from the issuing country. Active authentication adds a layer to prevent copying by using a private key within the passport. Extended Access Control (EAC) improves security with chip and terminal authentication, and PACE replaces BAC to eliminate its weaknesses.
https://blog.trailofbits.com/2025/10/31/the-cryptography-behind-electronic-passports/ blog.trailofbits.com
CdXz5zHNQW_FAxcNu2YdF.png
RSS Hunter RSS Hunter Oct 31, 2025

Vulnerabilities in LUKS2 disk encryption for confidential VMs

Trail of Bits revealed vulnerabilities in confidential computing systems using Linux LUKS2 disk encryption, allowing attackers to access and modify confidential data. These vulnerabilities stem from malleable metadata headers, tricking systems into using a null cipher for encryption. The issue affects confidential VMs used for tasks like private AI and blockchains, compromising confidentiality, integrity, and authenticity. Attackers with disk write access can exploit this by modifying the header to use a null cipher, effectively disabling encryption. Cryptsetup v2.8.1 introduced a partial mitigation, rejecting null ciphers for keyslots with passwords. To remediate, users should update to the latest versions and consumers of attestation reports should disallow pre-patch versions. Validating LUKS metadata through methods like MAC usage, parameter validation, or attestation measurements is crucial. Impacted projects were notified, and patches were released by Oasis Protocol, Phala Network, Flashbots, Secret Network, Fortanix, Edgeless, and Cosmian VM. Cryptsetup received a partial mitigation, while Confidential Containers acknowledged the issue for future development.
https://blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encryption-for-confidential-vms/ blog.trailofbits.com
CdXz5zHNQW_n2rQKmFLdC.png
RSS Hunter RSS Hunter Oct 30, 2025

Weaponizing image scaling against production AI systems

In this blog post, we’ll detail how attackers can exploit image scaling on Gemini CLI, Vertex AI Studio, Gemini’s web and API interfaces, Google Assistant, Genspark, and other production AI systems. We’ll also explain how to mitigate and defend against these attacks, and we’ll introduce Anamorpher, our open-source tool that lets you explore and generate these crafted images.
https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/ blog.trailofbits.com
RSS Hunter RSS Hunter Aug 21, 2025