If Your Agent Can Delete Production, It Eventually Will
The production database incident was not a model failure. It was a permission boundary failure. Prompts, plan mode, and confirmation buttons are not controls.
Incidents, failure modes, and the controls that survive when an AI agent has real credentials and real tools.
A malicious npm release targeted developer credentials, GitHub Actions secrets, and AI tooling configs. That list is the threat model.
TeamPCP's third major supply chain hit in two weeks targeted foundational npm infrastructure, not an AI tool. Every JavaScript agent framework was in scope.
The source reveals that Claude Code's classifier behavior can be changed remotely via feature flags. Here's what that means for how you think about the controls underneath your AI agents.
The attack chain that compromised 4,000 developer machines, analyzed at the process and syscall level. What Rampart blocks, what it logs, and what it misses.
Two compromised versions of LiteLLM shipped a credential stealer that targeted exactly the locations AI agents use. That's not coincidence.
Traditional canary tokens detect human intruders. Snare is built for a world where the intruder is an AI agent with your credentials.
A taxonomy of how AI agents get compromised — from prompt injection to tool poisoning to supply chain attacks on agent workflows.
Claude Code runs as you. One malicious prompt is all it takes to wipe your files or exfiltrate your secrets. Here's why OS-layer interception is the only real defense.