CIA Triad for LLM Security: Real-World AI Attack Failures
Confidentiality, integrity, and availability map every documented LLM attack failure. Here’s how prompt injection breaks each pillar.
May 18 • ToxSec • 19 • 7 • 7

Is Vibe Coding Safe? 3 Security Checks Every AI Coder Needs
Hardcoded secrets, hallucinated packages, and insecure code patterns ship by default. Here’s the free tooling that catches all three.
May 15 • ToxSec • 26 • 14 • 12

Mozilla Mythos Harness: AI Bug Hunting Without The Slop
Inside the agentic loop Mozilla wrapped around Mythos to surface 271 Firefox bugs, and why the harness mattered more than the model.
May 12 • ToxSec • 22 • 9 • 6 • 40:52

Promptfoo Red Teaming: DAST for Your LLM Pipeline
YAML config, one command, 50+ attack plugins. OpenAI just bought the company. Still MIT licensed.
May 9 • ToxSec • 21 • 1 • 7

Garak Vulnerability Scanner: Nessus for LLMs
Point it at a model. Pick your probes. Watch every guardrail break in JSONL.
May 6 • ToxSec • 20 • 1 • 9

PyRIT AI Red Teaming: Metasploit for LLMs
Microsoft’s AI red team framework breaks down targets, converters, scorers, and orchestrators for bug bounty work.
May 3 • ToxSec • 17 • 1 • 6

April 2026

What is Slopsquatting? AI Hallucinations Ship Malware
Attackers pre-register the fake package names AI coding tools invent, then wait for the copy-paste. slopcheck blocks it at the install boundary.
Apr 28 • ToxSec and Karen Spinner • 33 • 18 • 15

Is Claude Code Secretly Installing Spyware?
A researcher caught Claude Desktop installing browser bridges silently. Plus the MCP RCE Anthropic won’t patch.
Apr 26 • ToxSec and Exploring ChatGPT • 47 • 18 • 18 • 47:15

Token-Level AI Security: The Opus 4.7 Tokenizer Graveyard
A new tokenizer ships fresh dead zones, and every model now carries a graveyard of glitch tokens nobody has mapped yet.
Apr 24 • ToxSec • 26 • 7 • 11

How to Jailbreak Claude Opus 4.7: A Bug Bounty Field Guide
Five jailbreak families, the tools bounty hunters actually use, and the mindset that turns a prompt into a payday.
Apr 20 • ToxSec • 24 • 1 • 8

You Downloaded Gemma 4 from Hugging Face. Is It Safe to Run?
Pickle files, backdoored weights, and sleeper agents turn your privacy win into an attack surface. Gemma 4 security.
Apr 15 • ToxSec • 36 • 18 • 13 • 6:49

Is Your Local AI Model Backdoored by Your Politics? Sleeper Agents Exposed
Pickle file exploits, sleeper agents, and typosquatting turn the local AI privacy play into an open attack surface.
Apr 12 • ToxSec and Exploring ChatGPT • 31 • 8 • 11 • 49:51