Colin

@contracthaxor

Securing AI and building security-first automation @daybreaksc Auditor - @SecurityOak

Colorado · Joined June 2021
3.4K Following · 475 Followers

Colin retweeted
Vercel Developers @vercel_dev
Introducing deepsec, an open source coding security harness.
• CLI-first
• Sandbox-based scaling
• Pluggable coding agents
• Designed for large-scale repos
• Use AI Gateway or your own subscription
After months of successful internal use, we put it to the test on some of the largest open source codebases. vercel.com/blog/introduci…

Colin @contracthaxor
@hrkrshnn Great point. In your opinion what’s the highest leverage activity web3 teams can employ?

Hari @hrkrshnn
@contracthaxor Before standardizing security: we need to figure out how we're gonna handle the looming cyber threat. Nobody quite knows how to handle it right now: look at large well funded orgs like Vercel getting hacked.

Hari @hrkrshnn
Blockchain orgs have been the most targeted in the world because if you're a hacker, you instantly make money from your hack. There's no need to negotiate on breach forums nor hold hospital computers hostage until they pay a ransom. Just straight-up hack money itself. In fact, North Korea funded most of their nuclear program with money they stole from blockchain companies. Cybersecurity is going through an apocalyptic moment right now, and this is only going to become widespread this year. Remember, we're barely scratching the surface here. I haven't yet heard of instances of North Korea using AI to pull off crazy exploits. We're less than six months away from mythos-like hacking openly out in public on Hugging Face. Use that time to harden your systems if you manage other people's money or data.

Colin @contracthaxor
@ret2basic what ecosystems are you seeing the most demand in?

ret2basic.eth @ret2basic
After ~3.5 years in web3 security, I finally achieved 300 crit/h/m count!😂Here is my updated portfolio: ret2basic.me/audits.html Any firm looking for contract-based auditor with move/solana/cosmwasm/daml experience? Happy to chat😁

Colin @contracthaxor
@WhiteHatMage time for teams to adopt security practices being used for over a decade by boring web2 companies 😅

WhiteHatMage @WhiteHatMage
Improve your OpSec, fellow whitehats and auditors. It's the same story with projects that were safe just because they weren't targeted. Adversaries can now run basic attacks at scale. Don't rely on luck.

Colin @contracthaxor
Exploit every 6 hours. "Is this mythos?" No. Security through obscurity isn't a strategy anymore...

Colin retweeted
Matt Johansen @mattjay
If your team touches npm or PyPI - literally number 1 priority should be figuring out your playbook of defenses and response to these supply chain attacks. The threat actors aren't slowing down and they're SCREAMING their MO from the rooftops. Lock it down.

Feross @feross
🚨 Active supply chain attack hitting SAP’s CAP ecosystem on npm.

Four packages tied to SAP’s Cloud Application Programming Model just shipped versions with a new preinstall script that downloads and executes a platform-specific binary. These packages never required this before today.

Affected versions:
• mbt@1.2.48
• @cap-js/db-service@2.10.1
• @cap-js/postgres@2.2.2
• @cap-js/sqlite@2.2.2

Combined, these packages see 570K+ weekly downloads. @cap-js/db-service and @cap-js/sqlite alone account for ~510K of that. If you’re building on SAP BTP or using MTA deployment pipelines, check your lockfiles now.

The compromised versions added a preinstall script that acts as a bootstrapper: it downloads a Bun ZIP from GitHub Releases, extracts it, and immediately executes the binary. It follows HTTP redirects without validating the destination. On Windows, it invokes PowerShell with -ExecutionPolicy Bypass.

All four versions were published within a ~2.5 hour window this morning (April 29, UTC). At least one version (@cap-js/sqlite@2.2.2) has already been unpublished. Socket flagged the malicious behavior and is continuing to investigate.

If you’re affected:
• Do not install the affected versions
• Pin to previous known-good versions
• Rotate any credentials or tokens exposed in build/dev environments
• Review CI/CD logs for unexpected network calls or binary execution

Developing story…
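
The lockfile check the quoted advisory asks for, as an added example that is not part of any post on this page: it matches a parsed package-lock.json against the four affected versions listed there and reports whether each hit carries npm's `hasInstallScript` flag. The names `findAffected` and `SAMPLE_LOCK` and the sample lockfile contents are constructed for illustration.

```javascript
// Added example. Affected versions are copied from the advisory quoted above.
const AFFECTED = new Map([
  ["mbt", ["1.2.48"]],
  ["@cap-js/db-service", ["2.10.1"]],
  ["@cap-js/postgres", ["2.2.2"]],
  ["@cap-js/sqlite", ["2.2.2"]],
]);

const isAffected = (name, version) =>
  (AFFECTED.get(name) || []).includes(version);

// "node_modules/a/node_modules/@cap-js/sqlite" -> "@cap-js/sqlite"
const nameFromPath = (p) => p.split("node_modules/").pop();

// Accepts a parsed package-lock.json: the v2/v3 "packages" map and the
// v1 (and v2 legacy) nested "dependencies" tree. Hits are keyed by install
// path, so a v2 file that lists a package in both sections is reported once.
function findAffected(lock) {
  const hits = new Map();
  const record = (where, name, meta) => {
    if (name && isAffected(name, meta.version) && !hits.has(where)) {
      hits.set(where, { name, version: meta.version, where,
        hasInstallScript: meta.hasInstallScript === true });
    }
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    record(path, meta.name || nameFromPath(path), meta);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      record(where, name, meta);
      walk(meta.dependencies, `${where}/`); // nested installs in v1 trees
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@cap-js/sqlite": { version: "2.2.2", hasInstallScript: true },
    "node_modules/@cap-js/db-service": { version: "2.10.0" }, // constructed, not a listed version
    "node_modules/tool/node_modules/mbt": { version: "1.2.48", hasInstallScript: true },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

Feed it `JSON.parse` of each repository's package-lock.json; any hit means the pinning, credential rotation and CI log review steps from the advisory apply to that build environment.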

Colin retweeted
Aftermath Finance (🥚, 🥚)
Attention Aftermath community - We’ve identified an exploit affecting the protocol. Our team is actively investigating alongside leading security partners. As a precaution, the protocol has been paused and measures are being taken to minimize potential impact to user funds. We’ll continue to share updates as we learn more. Thank you for your patience.

Colin retweeted
DEGEN NEWS @DegenerateNews
NEW: @AftermathFi ANNOUNCES "WE HAVE BEEN EXPLOITED" - "ONLY PERPS WAS EXPLOITED"

Colin @contracthaxor
@aymanalabdul For the security piece, Daybreak is a great partner to embed in the process. Fractional security engineer working alongside the implementation team, focused on AI and agentic systems. Eight years of audits and cloud security behind it. daybreaksec.com

Ayman Al-Abdullah 🧱 @aymanalabdul
Getting requests from clients for real AI implementation partners. All I'm finding are Vibe Code Bros or Zapier shops. I want firms that:
• Diagnose the actual business problem
• Bring PMs + Product + AI talent
• Build + integrate into real workflows
• Care about security and stability
• Ship and iterate
Who’s best in the world at this?

Colin @contracthaxor
The "specs to code" movement says: write a spec, let AI generate the code, ignore the code itself. Iterate the compiler enough times and you get garbage. Fundamentals matter more in the AI age.

7 takeaways from a recent talk by @mattpocockuk :

1. Bad code is the most expensive it's ever been. AI does great work in a good codebase and produces compounding garbage in a bad one. Code is not cheap. Treat the codebase like the multiplier it is.
2. Reach a shared design concept before AI writes anything. Default plan mode is too eager to ship assets. Matt created a "grill me" prompt that interviews you until you share an understanding works better. Sometimes 60+ questions before any code gets written.
3. Build a ubiquitous language file. A markdown file of terms you and the AI both use to describe the codebase. Stops the LLM from being verbose. Keeps planning and implementation aligned. Borrowed from DDD.
4. The rate of feedback is your speed limit. AI outruns its headlights. Writes huge chunks before checking anything. Force smaller steps with TDD, static types, and browser access for frontend work. The constraints are the point.
5. Deep modules, not shallow ones. A few large modules with simple interfaces beat dozens of tiny ones with complex interfaces. Easier for humans to read, AI to navigate, tests to cover. Shallow modules are why your AI gets lost in your codebase.
6. Design the interface, delegate the implementation. Once a module has a clean boundary, you stop reading what's inside it. Test from the outside. This is what saves your brain when AI ships code faster than you can review.
7. Invest in design every day (Kent Beck). "Specs to code" is divestment from design. AI is the sergeant on the ground. You're the strategy. That requires the same fundamentals that have always mattered.

youtube.com/watch?v=v4F1gF…

Colin retweeted
Frank @jedisct1
Breaking: The results of Mythos’s audit of the Rust standard library have been leaked github.com/Swival/securit…

Colin retweeted
Blockaid @blockaid_
🚨 Community Alert: Ongoing exploit on @ZetaChain cross-chain contracts! Please revoke any approval for any ZetaChain GatewayEVM contract on all EVM chains.

Colin @contracthaxor
Audits aren't going anywhere. But they're a snapshot, not a lifecycle. Someone needs to be reviewing the PRs, threat modeling, threat hunting, improving opsec, and picking up the phone when something looks wrong. That's a security engineer, not an auditor. Serious teams need both.

Colin retweeted
Tom Elliott @theotherelliott
This GitHub incident is insane. Merge queue commits have been reverting previously merged commits at random. This not only breaks the mental contract teams have with Git in general, but is subtle enough to be really hard to unravel after the fact. githubstatus.com/incidents/zsg1…

Colin retweeted
Francesco Piccoli @francescpicc
Almost 75% of exploited vulnerabilities are now zero-days, meaning that an exploit occurred before disclosure. That number was at around 50% last year, and 16% in 2018

Colin retweeted
Socket @SocketSecurity
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline. We’ll continue updating our coverage as more details are confirmed. socket.dev/blog/bitwarden…