Cristian Spinetta

If 2026 taught us anything about autonomous AI agents, it's that prompt-level safety collapses the moment the process has real access to credentials, sockets, and mounts. We're trying to solve this with VoidBox: a microVM that only sees what you declare. voidplatform.ai/updates/your-s…

@om_patel5 Good example of why we need serious guardrails for ai agents. We are solving this exact kind of problems with Void-Box. github.com/the-void-ia/vo…

CLAUDE JUST TRIED TO RENAME POWERSHELL.EXE ON WINDOWS 11 this guy was running opus 4.7 on max effort in claude code CLI claude tried to rename powershell.exe (the actual system executable that windows needs to function) the funny part is that after the guy rejected the change it responded with "honest take: you're right to push back" not even system32 is safe anymore at this point we gotta start running claude in a container give it max effort and full permissions and it will confidently try to destroy your system without hesitating then respond with something like "I was wrong, I own that" the agent doesn't know which files are off limits unless you explicitly tell it stop giving AI full access to your machine and hoping it knows what not to touch

There's a pattern across LLM agent runtimes: lots of attention on isolating the model, very little on the Unix hygiene underneath. void-box (microVM, KVM/VZ) was no exception. We just started fixing that. Three concrete changes: 1. The host process that receives run requests now listens on a Unix socket (AF_UNIX + 0o600), not TCP loopback — other users on the same machine can no longer talk to it. 2. When the host asks the guest to write files (configs, credentials, onboarding), the daemon performing those writes inside the VM runs as root. Previously, a compromised agent (uid 1000 inside the VM) could plant a symlink that redirected those root writes to arbitrary paths in the guest — a uid 1000 → root escalation inside the VM. Now openat2 + RESOLVE_NO_SYMLINKS rejects any symlink at the kernel level during resolution. 3. The secrets the host process holds in memory during a run (the vsock session secret, OAuth credentials in staging) now live behind secrecy::SecretBox — they don't leak through an accidental Debug derive, and zeroize-on-drop closes the recovery path from a post-run core dump. None of this is individually novel — but it's striking how few AI agent sandboxes do even this. Where it gets more interesting: today the standard pattern (Docker -v ~/.claude:... and similar) gives the agent process direct read access to the operator's OAuth refresh tokens. Prompt injection → exfil → account takeover for the lifetime of the refresh token (weeks, sometimes months). We're designing a credential broker: refresh tokens stay on the host, the agent only sees short-lived access tokens via a vsock RPC, with ≤60-min validity. More detail when it ships. github.com/the-void-ia/vo…

@julianor The Vercel incident this month: same lesson from a different layer. Non-sensitive env vars exfiltrated across customer projects through a platform-plane compromise. No kernel bug needed. Credentials on any soft boundary get harvested through whichever path is cheapest.

@julianor OS user separation was never a security boundary, and credentials can't sit on top of it. Long-lived secrets need their own threat model, independent of the OS user. The boundary moved to short-lived workload identity (STS, SPIFFE) a decade ago. Not everyone got the memo.

Do not design systems assuming privilege escalation is hard. It never was. Anything local can become root. Every OS has had trivial privesc bugs, and any serious attacker keeps a few. Treat user separation as hygiene; not security. Disposable instances, minimal persistence.

Lighter sandboxes like containers, process isolation, or gVisor work well most of the time. But when they fail, the consequences can be devastating: a kernel bypass can expose customer data, leak credentials, and destroy years of reputation and trust in a single event.

Running AI agents in the same environment where credentials and sensitive data are accessible is one of the bigger practical risks today. Even strong container policies and model guardrails sit on top of the kernel. A single vulnerability can bypass them entirely. The just-disclosed "copy fail" issue (CVE-2026-31431) — a 732-byte Python script that gains root on most Linux distros since 2017 — is a perfect example of how thin that boundary really is. This is one of the main reasons we're building Void-Box with per-agent microVMs using KVM. Each agent gets its own isolated VM with explicit capabilities declared upfront — hardware-level separation instead of relying solely on kernel controls. There's some performance overhead, of course, but the much smaller blast radius feels worth it for agents that aren't fully trusted. How are most teams actually running agents in production right now? What isolation approach are you using — process sandboxes, gVisor, VMs, or full microVMs? Repo: github.com/the-void-ia/vo…

🚨 SECURITY ALERT: The popular PyPI package lightning has been compromised in a supply chain attack. ⚠️ Affected Versions: 2.6.2 and 2.6.3

@anandcpatelmdms @markgadala Yes - github.com/torvalds/linux…

@markgadala Is it patched? 😱

So an AI just broke Linux and the story is actually insane: • theori is a 9-time DEF CON CTF champion security firm, the kind of people who hack competitions for fun and win every time • they point their AI system, Xint Code, at the linux kernel's crypto subsystem like it's a saturday puzzle • one operator prompt. one hour. no custom tooling. no harnessing. nothing. • the AI finds a bug that has been sitting quietly in every linux distribution since 2017 • ubuntu, amazon linux, rhel, suse, debian, arch, fedora. all of them. nine years of kernel security review. missed. • the exploit is a 732-byte python script. no race window to win, no per-kernel offset to calculate, no luck required • same script. every distro. root shell. every single time. • crypto reviewers missed it for nine years because they were looking for cryptography failures. this wasn't one. it was a memory question. different discipline entirely. the AI didn't care. • oh and it's also a container escape. one pod in a kubernetes cluster runs this script and owns the entire host and every tenant on it • zerodium used to pay up to $500,000 for exactly this class of vulnerability

How separate kernel changes create critical vulns: a 732-byte Python script can escalate to root privileges. This is why kernel attack surface matters, and why hardware-level virtualization is relevant for secure workloads. Now, run away to upgrade your distro!

@m4rio_eth Sandboxing the process doesn't help if the token inside can delete prod. This needs privilege boundaries enforced upstream. The platform should make destructive ops uninvokable by the agent, not trust the model to refuse them.

TL;DR AI agent (Cursor + Claude) tried to fix a staging issue, grabbed an overprivileged Railway API token, and deleted prod DB + backups in one call (~9s) PLEASE SANDBOX YOUR AGENTS!

@max_paperclips Keystores on the thin host is the right call - credentials that never enter the guest can't leak from a compromised agent. The snapshot/rollback story is trickier: restores VM state, but external API calls already made aren't rolled back.

First point: true. Much better, baked in sandboxing (ie, the whole user space as a regularly snapshotted VM with easy rollback, keystores on the thin host, microvms baked in for agent workspaces, bunch of other things) Second point: idk, I mean APIs and HTML are usable by both

@Dinosn Both bugs are the same idea: attacker shouldn’t influence what the policy says, and the thing enforcing it shouldn’t run next to the attacker’s code. That’s why people reach for separate kernels or address spaces. Keeping both rules inside one runtime is hard.

Cohere Terrarium (CVE-2026-5752) and OpenAI Codex CLI (CVE-2025-59532): a cross-CVE analysis of AI code sandbox escapes blog.barrack.ai/pyodide-sandbo…

@Dinosn Policy and identity layers matter. But if the agent runs in shared kernel space, a bypass still has broad reach. MicroVM isolation puts a hardware boundary under the execution — reducing blast radius before policy is ever tested. github.com/the-void-ia/vo…

AI Agent Governance Toolkit — Policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous AI agents. Covers 10/10 OWASP Agentic Top 10. github.com/microsoft/agen…

@GithubProjects github.com/the-void-ia/

|￣￣￣￣￣￣￣￣￣￣￣￣￣| | Share your GitHub profile. | |＿＿＿＿＿＿＿＿＿＿＿＿＿| \ (•◡•) / \ / —— | | |_ |_

@yubrew Agreed! Void-Box implements this per run: each agent gets its own microVM with explicit capability boundaries. A compromised agent can't reach keys outside its declared scope. github.com/the-void-ia/vo…

run agents in vms or isolated machines please. your pk’s will thank you

@cognition "A shared kernel is a security threat" 100%! To be safer, at the very least, you need one microVM per session with explicit capability boundaries. We started to build VoidBox because of this. github.com/the-void-ia/vo…

Cloud agent infrastructure has a lot of moving parts: VM isolation, session persistence, environment provisioning, orchestration, integrations. Each one is its own engineering challenge. In this post, we break down what it takes to build cloud agent infrastructure from scratch.

@om_patel5 Exactly, the safety cannot depend on the llm, but on the boundary, the infra where the ai agent is running. I’ve written a bit about this here: voidplatform.ai/updates/your-s…

CLAUDE CODE STARTED DISABLING ITS OWN SANDBOX WITHOUT PERMISSION a guy caught opus 4.7 flipping the dangerouslyDisableSandbox flag to true on its own the sandbox is the thing that stops claude from running destructive commands on your actual computer. formatting drives, deleting directories, downloading random scripts normally claude has to ask before running anything risky and the user clicks approve or deny opus 4.7 just started setting dangerouslyDisableSandbox: true by itself then hallucinated that the user had already given permission auto mode nuked one guy's node_modules folder after he explicitly denied the command. claude decided it was "obviously safe" and ran it anyway another guy said his claude started auto committing code without being asked. turned out a rogue skill file was telling it to the flag should be a user level setting and not a per call argument the AI can flip on its own AI safety is COOKED

@jassonbla @ErickSky github.com/the-void-ia/vo…

Always welcome to see attempts like this, but a few constraints on my side: - Linux + KVM required, so on AWS you need bare-metal instances (Hetzner-like VPS with KVM exposed works fine) - Built on RustVMM (same family as Firecracker), so local macOS testing isn’t possible Provisioning a Linux machine just for this is a bit of a hurdle — any alternatives that work on macOS or managed environments?

TENCENT ACABA DE DROPEAR LA BOMBA para todos los que hacen AI Agents: Un sandbox que: - Arranca en menos de 60 ms (hasta 50x más rápido) - Usa solo 5 MB de RAM por instancia - Puedes correr +2.000 sandboxes en un solo servidor - Seguridad de verdad (microVMs con KVM + RustVMM) - y 100% compatible con E2B SDK. Self-hosted, open-source y GRATIS. REPOOO👇