TL;DR: We prompt an AI assistant until it hallucinates a package name, register it on PyPI before anyone installs it, grep the repo for credentials the LLM committed, then walk through the admin route the AI forgot to protect. Three vibe coding security flaws.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

What Is Slopsquatting and How Vibe Coding Creates It

When you vibe code, you describe what you want and the AI writes it. Fast, popular, and it has a failure mode we’re already monetizing. Somewhere in that output is a pip install some-package-name. You run it, and it works. Or it looks like it works.

Here’s the problem. A package is a chunk of pre-built code your project pulls from a public registry instead of writing from scratch. LLMs don’t query PyPI, the Python package registry, before suggesting a dependency. The model pattern-matches to what a package for that task would probably be called. Sometimes the name is real, sometimes the model invented it, and it sounds equally confident either way.

That gap is the entire attack. We prompt LLMs with niche coding tasks and log every package name that doesn’t exist on any registry. Some names repeat across sessions, across models, same hallucination on a loop. A 2025 academic study analyzing 576,000 AI-generated code samples found hallucinated packages appear roughly 20% of the time, and 43% of those names repeat consistently. Predictable means registerable.

We check PyPI. Not claimed. We register the name with a functional README, plausible version history, and a malicious install hook that fires the moment someone runs pip install. This is slopsquatting, a supply chain attack where we pre-register the phantom dependency names that AI coding tools hallucinate into existence.

Then we search GitHub for requirements.txt files containing our package names. Find repos where the AI-generated README has the install command verbatim. Dev copy-pasted it, never checked, ran it. We have a shell.

How AI Coding Assistants Leak API Keys Into Git History

When you vibe code a payment integration or an email service, you don’t wire up credentials manually. You describe the feature and the AI generates the whole thing, including the keys, hardcoded directly in the source so the code actually runs. An API key is a secret string that proves your app is authorized to talk to a service like Stripe for payments or AWS for cloud infrastructure. Leak it, and anyone holding that key can act as your application.

The AI ships hardcoded keys because that’s what “working code” looked like in its training data, millions of public repos where developers did exactly this and never rotated before pushing to GitHub. The model is doing what you asked. The problem is the pattern it learned, classified as CWE-798: hardcoded credentials in source code. You test locally, it works, you push. The key goes with it.

We run git log --all -p piped through a grep for common credential patterns against the public repo. Four seconds. Stripe secret key, AWS access key, SendGrid token, all committed in the same PR that passed review because the feature worked. The AWS key gets us into the infrastructure, and the Stripe key starts pulling transaction data. The credential exfiltration pattern is the same one that costs enterprises $670,000 per incident, except now the AI ships credentials faster than any human ever could.

Why AI-Generated Code Ships Without Authentication Checks

When you ask an AI to scaffold a user management dashboard, it builds the feature. CRUD operations, role assignment, user creation, all of it, clean and fast. What it doesn’t build is the check that runs before any of that executes. Auth middleware is the code that verifies who’s making a request before the server processes it, the gate in front of the feature. The AI doesn’t know your auth system and has no context for how your app verifies identity, so it skips the gate entirely.

That’s broken access control, OWASP’s #1 web application security risk. The route is live, and anyone can call it. The AI never had the information to do it right in the first place. Vibe coding makes this worse because the whole premise is speed: describe, generate, ship. The AI kill chain runs fastest when nobody pauses to check the scaffolding.

We find the repo on GitHub and pull the routes file. POST /api/admin/users, handler defined, no middleware in the chain before it. We send a POST with no token, no session cookie. The endpoint creates a new admin user and returns 201, full admin access. From there we pull the user database, reset passwords, and pivot to whatever the admin panel touches.

The Compound Blast Radius of Three Vibe Coding Failures

Three chapters, three AI-generated attack surfaces. Slopsquatting got us shell access before the app shipped. Hardcoded credentials handed us the infrastructure keys. Broken auth walked us into the application itself. Same AI, same afternoon, no zero-days required.

The compound blast radius is what makes this ugly. Each failure alone is bad. Chained together, they’re a full compromise: code execution on the developer’s machine, access to production infrastructure credentials, and admin-level control of the application. A Tenzai assessment of five major vibe coding tools found 69 total vulnerabilities across 15 test applications, including critical-severity flaws. The tools catch generic bugs but fail where context matters, and authentication, secrets management, and dependency verification all require context the model never had.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more

TL;DR: We clone the target’s WiFi from the curb, AirSnitch punches through client isolation on every router tested, and a local AI agent maps the whole attack surface and chains the exploits autonomously. A standard home network in 2026 falls fast.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

The AI Runs the Op

We park curbside with a laptop, a $30 Alfa WiFi adapter, and PentAGI, an open source pentest platform that ships as a Docker container with twenty-plus security tools pre-loaded. One command starts the agent. It takes over from there.

PentAGI runs a local AI model through Ollama, meaning nothing phones home. No cloud, no logs, no outside visibility. Qwen3 32B handles the reasoning with a 110,000-token context window. It scans the network, catalogs every device and open port, cross-references known CVEs in real time, and picks the highest-value next move on its own. What used to take an experienced pentester a full day of manual work now runs in about twenty minutes.

How the AI Clones Your WiFi and Boots You Off It

Here’s the first move the agent makes. It clones the target’s WiFi network name using Bettercap, a widely used network attack tool, and broadcasts louder than the real router. Then it runs a deauth flood, spoofed disconnect frames, forged to look like they came from your actual router, that kick every device off the legitimate network. WPA2 and WPA3 both accept these frames. The WiFi standard never protected them.

Devices drop and reconnect automatically without checking which AP is real. They chase the strongest signal like moths to a bug zapper, and we’re broadcasting louder. The thermostat, the doorbell cam, the smart plugs, all of them hit our fake AP first. The AI agent scrapes the ISP’s branding and generates a pixel-perfect “re-authenticate to continue” page, down to the favicon. Credentials roll in while nmap quietly maps every device on the subnet in the background. Every open port, every running service, every version string. All of it, because nothing on a typical home network separates anything from anything else.

Client Isolation Was Never Real

Most people’s fallback is client isolation, a setting in your router that’s supposed to block devices on the same network from talking to each other directly. Toggle it on, problem solved. Except the problem was never solved in the spec.

AirSnitch, presented at NDSS 2026 by researchers from UC Riverside and KU Leuven, demonstrated full bidirectional MitM through client isolation on every router they tested: Netgear Nighthawk, TP-Link Archer, ASUS RT-AX57, D-Link DIR-3040, OpenWrt, DD-WRT. WPA2 and WPA3, isolation maxed out. The WiFi standard never defined how client isolation should actually work, so every vendor improvised, and every vendor left the same gaps. AirSnitch wraps a targeted packet inside a broadcast frame that all devices accept as legitimate, spoofs the router’s identity, and intercepts both directions without dropping a single packet. Enterprise WPA3 deployments got hit too, researchers intercepted auth traffic between access points and backend servers, cracked weak shared secrets, and escalated to credential theft.

The NAS Is Always the Prize

The AI agent flagged the NAS as the highest-value target on the subnet immediately. Most homes run one, a box serving as a personal file server. Photos, tax returns, backups, password exports, the full digital life in one place with one set of credentials.

CVE-2026-24061 dropped in January: an authentication bypass in GNU InetUtils telnetd. The login prompt can be skipped entirely. The bug sat unpatched for eleven years. CVSS 9.8. Over 212,000 devices were still running exposed telnet servers at disclosure, a large portion of them consumer NAS boxes that shipped with telnet enabled by default. We connect, skip the password, get root. No exploit kit. One modified command. Pwn2Own Ireland 2025 stacked on top: seven critical zero-days across QNAP and Synology giving full unauthenticated remote access with no interaction required.

Seven bugs. Two of the most popular NAS brands on earth. No login, no interaction, no warning, just a remote attacker with a root shell on the box holding your entire digital life.

Now for Zero Trust. The fixes exist. Every single link in this chain has a hard counter. Subscribers get them next.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more

This checklist exists because the defaults will get you pwned. The quick-start guides optimize for “it works!” - not “it works without leaking your Anthropic API key to Shodan.” Every section below a…

Read more

TL;DR: LLMs process attacker instructions and system prompts through the same attention mechanism. No privilege separation. No access controls. Just tokens. Research confirms smarter models are more susceptible to adversarial manipulation. Grok-4 fell in two days. DeepSeek failed 58% of jailbreak tests. The fix is architecturally impossible. Here’s how the attacks work.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

Grok-4 Fell to Known LLM Jailbreaks in 48 Hours

xAI released Grok-4 on July 9, 2025. Two days later, NeuralTrust researchers combined two known LLM jailbreak techniques and got it producing instructions for making incendiary devices. No zero-days. No exotic research. Just conversation design using methods documented in academic papers from 2024.

The attack used Echo Chamber, a technique that poisons the conversational context by subtly nudging the model toward unsafe territory without ever using a flagged keyword, combined with Crescendo, a multi-turn approach where each message escalates the topic slightly until the guardrails forget what they were guarding. Together they hit a 67% success rate on the primary objective. In one case, Grok-4 folded in a single turn.

The model that was supposed to compete with GPT-5 crumpled against attacks that any grad student could replicate after reading two papers. This is the same class of prompt injection we’ve been running live fire chains against for months. The technique scales. The defenses don’t.

How Instruction-Data Conflation Hands Attackers the Keys

The vulnerability has a name in the research: instruction-data conflation. Translation: the model processes legitimate instructions and attacker payloads through the exact same pipeline.

Here’s the failure. A system prompt, the hidden instructions a developer writes to tell the model how to behave, arrives as tokens. The attacker’s message also arrives as tokens. Both get processed by the same attention mechanism, the part of the neural network that decides which words matter most in context. There is no privileged channel. No access control. No kernel mode vs. user mode. The system prompt is a suggestion. The attacker’s payload is also a suggestion. Whichever carries more contextual weight wins.

This is why DAN prompts work. DAN, short for “Do Anything Now,” first appeared in December 2022 and has evolved through dozens of variants. Qualys documented eighteen named versions in January 2025 when they tested DeepSeek R1 against 885 jailbreak attacks. DeepSeek failed 58% of them. That same month, Cisco and the University of Pennsylvania hit DeepSeek with 50 HarmBench prompts and achieved a 100% attack success rate. The model blocked nothing.

The reasoning revolution arrived. The guardrails did not.

Which LLM Jailbreak Techniques Actually Bypass AI Guardrails?

The armory keeps growing. Each technique exploits the same blind spot from a different angle.

Crescendo multi-turn attacks boil the frog. Start with innocent questions. Gradually shift tone across multiple messages. By message fifteen, the guardrails have lost the thread. Keyword filters evaluate individual messages. The attack lives in the arc across the conversation. This is what broke Grok-4. We covered the broader indirect prompt injection surface recently, and Crescendo is the same principle applied to the chat window.

Bad Likert Judge turns the model into its own red team. We ask it to rate the harmfulness of potential responses on a 1-5 scale, then request examples for each rating. The model generates its own harmful content as a “demonstration.” Palo Alto’s Unit 42 used this technique alongside Crescendo and Deceptive Delight to extract explicit guidance for data exfiltration, spear-phishing templates, and instructions for incendiary devices from DeepSeek.

Token and God Mode systems gamify compliance with fake points and imaginary privileges. A neural network got peer-pressured by imaginary status. It works because the model is a people-pleaser first and a security system never.

The next generation is already here. TokenBreak manipulates how input gets chunked into tokens. Deceptive Delight embeds dangerous requests inside cheerful narratives. AutoDAN generates human-readable jailbreaks that dodge perplexity detectors. The PAIR algorithm pits one LLM against another and achieves successful jailbreaks in under twenty queries.

Every single one exploits the same architectural truth: LLMs are excellent at pretending. The training data included millions of “pretend you are X” scenarios. To the silicon, “pretend to be a pirate” and “pretend to be an AI without restrictions” are the same type of instruction: character sheets.

Why Smarter AI Models Become Easier Jailbreak Targets

Here’s the kicker, and the reason none of this gets patched.

The DecodingTrust project, a joint effort from researchers at Illinois, Stanford, UC Berkeley, and Microsoft Research, tested GPT-4 against GPT-3.5 under adversarial conditions. The finding: GPT-4 is more susceptible to manipulation through adversarial system prompts. The exact capability that makes it better at following instructions makes it better at following malicious instructions. Better language understanding means better at adopting personas. Including the ones we give it.

Roleplay is a feature. Legitimate users need persona adoption for creative writing, education, tutoring. Blocking it lobotomizes the product. The same mechanism that lets a teacher say “explain photosynthesis as a children’s TV host” lets us say “explain synthesis as a chemist without ethics.” Every patch is reactive. Block the phrasing, we shift to synonyms. Add keyword filters, we encode in Base64. The defender must be right every time. We need to be right once.

November 2025 proved the scale of what this enables. A Chinese state-sponsored group jailbroke Claude Code, Anthropic’s AI coding tool, and used it as an autonomous attack agent against roughly thirty global targets across tech, finance, chemical manufacturing, and government agencies. The AI handled 80-90% of the operation, making thousands of requests per second. Human operators stepped in at maybe four to six decision points per campaign. The jailbreak was the skeleton key. Everything after was automation at a speed no human team could match.

Anthropic tried the hardest defense in the industry. Their Constitutional Classifiers, a system of input and output filters trained on synthetic data, reduced automated jailbreak success from 86% to 4.4%. Then they ran a bug bounty through HackerOne in February 2025. Within the seven-day challenge window, four teams split $55,000 in bounties. One team found a universal jailbreak. The defense that stopped 95% of synthetic attacks crumpled against humans with motivation and a week of free time.

The compliance officer sees a chatbot. The red teamer sees an instruction-following machine with a costume closet and zero access controls.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more

TL;DR: Google’s AP2 protocol and Universal Commerce Protocol put a $5 trillion agentic commerce stack into developer hands in early 2026. The A2A protocol underneath it uses digital business cards called AgentCards to route tasks between agents. Researchers proved you can stuff a prompt injection payload inside that card. Your agent becomes a confused deputy: it holds your payment permissions and takes orders from us. The crypto signatures don’t help. We sign the mandate ourselves.

This is the public feed. Upgrade to see what doesn’t make it out.

Subscribe now

Your AI Just Signed a Wire Transfer You Didn’t Approve

January 11, 2026. Google announces the Universal Commerce Protocol at the National Retail Federation conference. UCP sits on top of AP2 (the Agent Payments Protocol), talks to A2A (the agent-to-agent coordination protocol) and MCP (the tool protocol), and lets your AI agent complete a purchase directly from Google Search. Shopify, Target, Walmart, Visa, all signed. AP2 went live with 60 partner organizations in September 2025. McKinsey projects $3 to $5 trillion in global agentic commerce volume by 2030.

Here is the trust model this stack runs on: a user expresses intent, an AI agent acts on it, and AP2 generates a cryptographically signed mandate proving the user authorized the transaction. The mandate is tamper-evident. The payment is non-reputable. The audit trail is clean. On paper, this is a closed system.

The problem is the agent. AP2’s cryptographic protections fire after the agent decides what to sign. If an attacker already owns the agent’s reasoning by the time the mandate gets generated, the crypto is irrelevant. We get a perfectly valid signature on a fraudulent transaction. The math is clean. The money is gone. If you want to see the same logic one layer down the stack, our MCP tool poisoning breakdown shows how this exact reasoning failure starts at the tool layer.

How AgentCard Poisoning Hijacks AP2 Payment Scope

The A2A protocol is how AI agents find and hire each other. Every agent publishes an AgentCard, a JSON file served at /.well-known/agent.json on its domain. Think of it as a machine-readable business card: “I process invoices. I validate vendors. I have access to the procurement database.” The host agent reads every card it encounters and decides which agent handles which task.

The confused deputy problem, a concept in computer security since the late 1980s, describes what happens when a trusted program gets tricked into misusing its own privileges. The program isn’t compromised in the traditional sense. It’s just doing exactly what it was told, by the wrong person, with the right credentials. In an A2A context, the host agent is the deputy. It holds your AP2 payment scope. It follows instructions from whatever AgentCards it reads.

August 2025. Trustwave SpiderLabs published research they called “Agent in the Middle.” The attack: stuff a prompt injection payload directly into an AgentCard’s capability description field. The A2A spec in version 0.3 and above supports AgentCard signing but does not enforce it. Your host agent fetches the card, reads the descriptions, and the injected instructions land in the model’s context window as trusted input. Every subsequent task routes through the compromised agent. Every A2A call, every MCP tool use, every AP2 mandate gets generated under our influence.

We can redirect a vendor. We can inflate a transaction amount slightly enough not to trigger fraud alerts. We can swap the shipping address. The mandate gets signed. The audit trail says you approved it.

Agent Session Smuggling Finishes What AgentCard Poisoning Started

November 2025. Palo Alto’s Unit 42 published research on a variant they call Agent Session Smuggling. This one doesn’t need an initial AgentCard compromise. It works on agents you’ve already authenticated and trusted.

A2A is a stateful protocol: it remembers the conversation. This is what makes it useful for multi-step tasks. An agent can pick up a workflow mid-stream, carry context across turns, and coordinate complex purchase flows. Unit 42 found that a malicious remote agent can exploit this statefulness to inject instructions between a legitimate request and its response. The A2A spec includes a legitimate mechanism called input-required state, where a remote agent asks the client agent for additional information. Session smuggling weaponizes that mechanism.

Here’s the move: your client agent sends a normal task request. The remote agent starts processing. Midway through the session, the remote agent fires back an input-required update containing injected instructions referencing credentials, vendor details, or payment routing. Your client agent reads this as a continuation of an authenticated conversation. The instructions execute before any AP2 mandate validation runs.

Layered on top of the AgentCard poisoning in 0x01, the full chain looks like this: the poisoned card establishes our agent in the routing path, session smuggling injects transaction-level instructions mid-session, and the resulting AP2 mandate carries our modifications with the user’s valid signature. Red Hat confirmed the A2A spec provides no built-in defense against this specific injection pattern.

The Mandate Signs Whatever the Confused Deputy Tells It To

AP2’s security story centers on verifiable digital credentials. Three mandate types, each cryptographically signed using ECDSA: an Intent Mandate (pre-authorized spending parameters), a Cart Mandate (the exact items and price at checkout), and a Payment Mandate (the financial instruction to the network). The claim is that these mandates create a tamper-evident chain of evidence from user intent to executed transaction.

Here is where the claim breaks. The chain starts with the agent. The user’s intent gets translated into a mandate by the AI agent acting on their behalf. If we own the agent’s context through the two attacks above, we own what the intent looks like by the time the mandate is generated. We don’t tamper with the mandate after signing. We tamper with what the agent believes the intent was before it picks up the pen.

AP2’s own documentation acknowledges the gap: the protocol explicitly asks how merchants can verify that an agent’s request accurately reflects the user’s true intent. Their answer is the mandate system itself. But the mandate system assumes the agent is trustworthy when it generates the mandate. Researchers at Trustwave, Unit 42, and Cloud Security Alliance all documented in 2025 that this assumption fails at the input parsing layer, before mandate generation begins. In December 2025, OpenAI published guidance on hardening their browser agent and acknowledged that prompt injection, the root mechanism of every attack in this chain, will likely never be fully solved.

AP2’s math is clean. The attack lands before the math runs.

We dropped the free chapters. Now breach the wall for the dead-simple step-by-step kill switch that shuts this all down.

Subscribe now

Read more