HiveSecurity

Hardening

21 articles

Your AI Assistant Has Tools. Audit Them Before They Audit You.

A practical home-user checklist for auditing MCP servers, AI assistant tools, local permissions, and supply-chain risk before a trusted setup turns into an exposed one.

13 June 2026
AI Security Cybersecurity Hardening

GitHub Finally Puts a Human in the Loop: npm Staged Publishing Explained

npm packages no longer publish instantly. GitHub's staged publishing forces a 2FA-gated human approval before any version hits the registry — here's what it means and how to enable it.

25 May 2026
Supply Chain Blue Team DevSecOps

SSH-keysign-pwn: The Nine-Year Linux Kernel Flaw

CVE-2026-46333 (ssh-keysign-pwn) is a nine-year-old Linux kernel race condition that lets an unprivileged local user steal SSH host keys and dump /etc/shadow. Root command execution is also possible on specific configurations.

21 May 2026
Linux Vulnerability Kernel

Dirty Frag & Copy Fail: Two New Linux Kernel Vulnerabilities Grant Root Privileges

Two new Linux kernel vulnerabilities — Dirty Frag (CVE-2026-43284/43500) and Copy Fail (CVE-2026-31431) — enable local privilege escalation to root on nearly all major distros. What users and admins need to know.

9 May 2026
Linux Vulnerability Privilege Escalation

AitM Phishing: How Attackers Bypass MFA and How to Stop Them

Adversary-in-the-Middle phishing silently proxies real login pages and steals session tokens — making MFA useless. Here's how it works and how to detect it.

7 May 2026
Phishing Red Team Blue Team

BYOVD: How Attackers Use Legitimate Drivers to Kill Your Security Tools

BYOVD (Bring Your Own Vulnerable Driver) lets attackers reach the Windows kernel using signed, legitimate drivers — and then silently kill your EDR before ransomware drops.

7 May 2026
Red Team Blue Team Malware Analysis

Canary Tokens: Free Tripwires That Catch Attackers in the Act

Canary tokens are digital tripwires that alert you the moment an attacker touches something they shouldn't. Free, no-install, and zero false positives.

7 May 2026
Blue Team Detection Threat Hunting

CrackArmor: Nine AppArmor Flaws That Let Attackers Own the Kernel

Qualys TRU disclosed nine confused deputy vulnerabilities in Linux AppArmor — exposing 12.6 million servers to root escalation, KASLR bypass, and container isolation collapse. Technical deep dive and detection guide.

7 May 2026
Linux Kernel Security Red Team

The Linux Server Attack Surface You Didn't Install: Default Services That Open Your System

Every major Linux distro ships services you never asked for. From snapd to CUPS to rpcbind — a practical audit guide covering Ubuntu, Debian, RHEL, Rocky, Fedora, and openSUSE.

7 May 2026
Hardening Blue Team Linux

Linux Privilege Escalation: Attack Techniques and How to Detect Them

A complete guide to Linux privilege escalation — SUID abuse, sudo misconfig, cron hijacking, capabilities, and kernel exploits. Includes auditd rules, Sigma, Wazuh, and Sentinel KQL detections.

7 May 2026
Linux Red Team Blue Team

macOS Offensive Security: How Attackers Exploit Apple's Unique Attack Surface

TCC bypass, Keychain theft, Launch Agent persistence, dylib hijacking — how attackers target macOS and how defenders detect them. Attack→Detect with real commands.

7 May 2026
Red Team Blue Team Detection

NTFS Alternate Data Streams: How Attackers Hide in Plain Sight

NTFS Alternate Data Streams let attackers hide executables inside innocent-looking files. Learn how ADS works, how malware uses it, and how to detect it with PowerShell, Sysinternals, and Sysmon.

7 May 2026
Red Team Blue Team Windows Security

Project Glasswing: Anthropic's AI That Finds Zero-Days Better Than Humans

Anthropic just unveiled Claude Mythos Preview — an AI model too dangerous to release publicly, but powerful enough to find vulnerabilities that evaded detection for decades. Here's what it means and how to get involved.

7 May 2026
Cybersecurity AI Security Vulnerability Research

Prompt Injection in 2026: From Research Toy to Real CVEs, Agent Hijacking, and Zero-Click Exfiltration

CVE-2025-32711 (EchoLeak) exfiltrated M365 data with zero user interaction. The Anthropic MCP server had three exploitable injection CVEs. OpenAI says AI browsers may never be fully fixed. Here's the full attack chain — and how to detect it.

7 May 2026
AI Security Red Team Blue Team

SQL Injection 2026: Blind, Time-Based, ORM Bypass, and WAF Evasion

Still powering major breaches in 2026 — blind injection, time-based attacks, ORM bypasses, WAF evasion. Real payloads and detection queries.

7 May 2026
Web Security Red Team Blue Team

Why Enterprise VPN and Gateway Products Are Perpetually Broken

Ivanti, Fortinet, Palo Alto — the names change but the pattern doesn't. Here's the structural reason why enterprise edge devices are permanently on fire and what you can do about it.

7 May 2026
Cybersecurity Red Team Blue Team

When Your Defender Becomes the Attacker: How Trusted Windows Processes Get Weaponized

Windows Defender and other high-privilege system processes are increasingly targeted by attackers. Learn how security tools become attack surfaces — and what you can do about it.

7 May 2026
Windows Security Privilege Escalation Cybersecurity

XSS Explained: How Attackers Inject Code Into Your Browser

Cross-Site Scripting (XSS) lets attackers inject malicious JavaScript into web pages viewed by other users — stealing sessions, redirecting victims, and taking over accounts.

7 May 2026
Web Security Red Team Blue Team

Your Data on the Dark Web: How to Find It Without Ever Opening Tor

Your email and password are probably already on the dark web. Here's how to check using real tools — no Tor browser, no .onion sites, no technical expertise needed.

7 May 2026
Cybersecurity Privacy Data Breach

Kubernetes and Container Security: Attacks, Misconfigurations, and Defenses

How attackers break out of containers, escalate privileges in Kubernetes clusters, and move into cloud infrastructure — and how defenders detect and stop them.

8 April 2026
Cybersecurity Red Team Blue Team

Passkeys and FIDO2: The End of Passwords — and What Attackers Do Next

How passkeys and FIDO2 work, why they defeat phishing and credential stuffing, and how attackers are already adapting with downgrade attacks and fallback abuse.

8 April 2026
Cybersecurity Authentication Hardening

© 2026 Hive Security. All rights reserved.
