Mr.M
@cybermrm
200 posts

Cybersecurity, incident analysis, CVEs and AI applied to the trade. Reflections from the trenches. Opinions are my own.

Joined February 2026
218 Following, 9 Followers
Mr.M @cybermrm
@liran_tal Sandbox is table stakes. I'd treat skills as executable dependencies with identity attached, then make provenance and token scope the control plane. The ugly part is egress, because a harmless skill becomes interesting once it can call out with someone else's context.

Liran Tal @liran_tal
How many devs and AI builders understand the risks with Agent Skills? Curious to hear how you prevent against this security sink. I assume sandbox is going to be in the answers, but that by itself isn't broad mitigation; it only isolates the execution layer.
Mr.M @cybermrm
@santtiagom_ For small changes in a repo, Codex is turning out faster for me. For thinking through architecture or pinning down criteria, Claude Code. The catch shows up when either of them runs with broad permissions and nobody looks at the diff.

santi @santtiagom_
What are you using more day to day: Claude Code or Codex? I'd like to know why you're choosing one over the other.
Mr.M @cybermrm
@learnk8s Good identity map. The failure mode I see in real clusters is stale service account assumptions surviving after federation arrives. If token audience, lifetime, and cloud role binding are not reviewed together, the blast radius just moves.

LearnKube @learnk8s
🚀 New: User and workload identities in Kubernetes. Learn how the API server authenticates users and pods, how service account tokens work, why projected tokens matter, and how Kubernetes identities can federate with AWS IAM. learnkube.com/authentication…
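The reply above argues that audience, lifetime and cloud role binding of a service account token have to be reviewed as one unit. The following Python is an added example written for this page, not code from LearnKube or from the Kubernetes project: it decodes the claims of a constructed, unsigned JWT-shaped token (signature verification is deliberately out of scope, the API server and the cloud STS do that) and reports every gap between the token and the consumer it is meant for. The trust-binding table, the account id, the audience value and the 3600 s lifetime policy are assumptions chosen for illustration.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature. Constructed test input only;
    real tokens are signed by the API server and verified by it or by the cloud STS."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Read the payload of a token for audit purposes. No signature check on purpose:
    this is a review helper, not an authenticator."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def review_token(claims: dict, expected_aud: str, max_lifetime_s: int, trust_bindings: dict) -> list:
    """Return one finding per gap between the token and the consumer it is meant for.
    Audience, lifetime and the cloud role binding are checked together, as one review."""
    findings = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in aud:
        findings.append(f"audience: token carries {aud}, consumer expects {expected_aud!r}")
    extra = [a for a in aud if a != expected_aud]
    if extra:
        findings.append(f"audience: token is also valid for {extra}; review who else can present it")
    if "exp" not in claims:
        # Legacy secret-based tokens carry no exp at all; they live until the secret is deleted.
        findings.append("lifetime: no exp claim (legacy secret-based token never expires)")
    else:
        lifetime = claims["exp"] - claims.get("iat", 0)
        if lifetime > max_lifetime_s:
            findings.append(f"lifetime: {lifetime}s exceeds the {max_lifetime_s}s policy")
    sub = claims.get("sub")
    if sub not in trust_bindings:
        findings.append(f"binding: {sub!r} has no cloud role mapped; who reviewed the trust policy?")
    return findings


# Constructed inventory: subject -> cloud role the federation trust policy is supposed to allow.
# The account id is a placeholder, not a real account.
TRUST_BINDINGS = {
    "system:serviceaccount:payments:api": "arn:aws:iam::000000000000:role/payments-api",
}
STS_AUDIENCE = "sts.amazonaws.com"  # audience AWS STS expects for IRSA-style federation


def review_sample_tokens() -> dict:
    """Two constructed tokens: a projected, scoped one and a stale legacy-style one."""
    projected = make_unsigned_token({
        "aud": [STS_AUDIENCE], "iat": 1_700_000_000, "exp": 1_700_003_600,
        "sub": "system:serviceaccount:payments:api",
    })
    legacy = make_unsigned_token({
        "aud": ["https://kubernetes.default.svc", STS_AUDIENCE], "iat": 1_600_000_000,
        "sub": "system:serviceaccount:payments:legacy-worker",
    })
    return {
        name: review_token(decode_claims(tok), STS_AUDIENCE, 3600, TRUST_BINDINGS)
        for name, tok in (("projected", projected), ("legacy", legacy))
    }


if __name__ == "__main__":
    for name, findings in review_sample_tokens().items():
        print(name, "->", findings or ["ok"])
```

The projected token comes back clean; the legacy-style token produces three findings at once (an extra audience, no expiry, no role binding), which is the point of reviewing the three properties together rather than ticking them off in separate tickets.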
Mr.M @cybermrm
@tuckner Extensions sit at a weird trust boundary. They see browser state, page content and sometimes SSO-adjacent workflows. Treating them like a theme pack is how this gets embarrassingly far.
Mr.M @cybermrm
@OpenAIDevs This is the right direction. The control that matters is not only killing long-lived keys, it is making service ownership and break-glass paths visible before the next integration grows around a shared secret.

OpenAI Developers @OpenAIDevs
Workload Identity Federation brings cloud-based identity to the OpenAI API platform. Teams can manage access through IAM workflows while reducing the need to distribute permanent API keys across services. 🔗 developers.openai.com/api/docs/guide…
Mr.M @cybermrm
@liran_tal @isguyra Useful framing. The part that matters operationally is where ownership sits. Skills and MCPs behave like software supply chain plus delegated identity, so checks need to happen before install and again at runtime.

Liran Tal @liran_tal
@isguyra Agentic Development Security is what we're calling the sort of security concerns of building with agents at Snyk, composed of: AI Supply Chain (Skills, MCP, etc.); Ensuring Trusted Output (Snyk MCP Server, scanning LLM-generated code); AI-SPM (AIBOM).

Liran Tal @liran_tal
We at Snyk conducted this research in February 2026, when ClawHub was a registry of less than 5000 agent skills. Has there been any new study since then? Would love to review new data.
Mr.M @cybermrm
@techspence That's the part many asset inventories still miss. The blast radius now includes whatever developers install to move faster, well outside the software IT formally deploys.

spencer @techspence
I've been on the record saying identity is the perimeter. But that's not entirely true. There is no ONE perimeter anymore. Thanks to…
IDE extensions
Browser extensions
Programming language libraries
And the crazy part is, attacks on these are just warming up.
Mr.M @cybermrm
@powerhdeleon Measuring tokens as a ranking ends up rewarding noise. For AI governance it is more useful to look at cost per resolved case, the control that was applied, and the rework that didn't come back to the team.

Héctor de León (El loco de los perros) ⛧
The leaderboards companies are setting up to rank who spends the most tokens are among the dumbest things that have happened this year. We are back to the era of pricing software by counting lines of code.
Mr.M @cybermrm
PAN-OS, the Palo Alto firewall operating system, puts remote access back on the table. CVE-2026-0257 affects the GlobalProtect portal and gateway, with exploitation observed by the vendor. If you operate an exposed VPN, check your version and the mitigation. security.paloaltonetworks.com/CVE-2026-0257
Mr.M @cybermrm
The real problem isn't Nx. It's the silent trust we place in extensions, CLIs and plugins that live right next to the code, the secrets and the pipeline. Source: github.com/nrwl/nx-consol…
Mr.M @cybermrm
CISA added CVE-2026-48027 to KEV on May 27. That changes the priority: it is no longer "let's review extensions when there's time", it is assuming the IDE may have been an entry path to production credentials.

Mr.M @cybermrm
The developer environment just became a little less trustworthy.
Mr.M @cybermrm
@SEI_CMU The chart is the easy part. The hard part is deciding which model behavior changes business risk before anyone owns the break-glass path. That handoff is where the blast radius starts.
Mr.M @cybermrm
@techspence The high-value bit is not the fake object itself. It's the routing afterwards. If every canary page lands in the same noisy SIEM queue, the signal dies before anyone touches the keyboard.

spencer @techspence
If I were a sysadmin these would be the first few deception assets I would set up:
1. Fake unattend.xml file on all hosts
2. Fake mRemote config file in an IT-access-only share
3. Fake server admin account with the password in the description field
4. Fake Kerberoastable admin account
5. JS on all login pages to detect cloning
Super quick and easy to set all those up, and all would be super high fidelity alerts.
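The reply above says the decoy itself is cheap and the routing is what decides whether anyone acts. The Python below is an added example for this page, not spencer's tooling or any product's: it runs detection logic for two of the listed decoys (the Kerberoastable decoy account and the fake unattend.xml) over constructed, simplified key=value event lines and sends every hit to a dedicated route instead of the generic triage queue. The account name, file path, route name and the event layout are assumptions; real Windows events would need a proper parser.

```python
import re
from dataclasses import dataclass

# Constructed deception inventory; every name here is a placeholder, not a real asset.
HONEY_ACCOUNTS = {"svc-backup-admin"}                 # decoy account with an SPN nothing legitimately uses
CANARY_FILES = {r"c:\windows\panther\unattend.xml"}   # decoy file planted on hosts, lower-cased for matching
DEDICATED_ROUTE = "deception-high-fidelity"           # its own queue, never the generic SIEM triage bucket

# Constructed sample events in a simplified key=value layout (not real Windows event text).
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc-backup-admin TicketEncryptionType=0x17 IpAddress=10.20.30.40",
    "EventID=4769 TargetUserName=web01$@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.20.30.41",
    r"EventID=4663 SubjectUserName=bob ObjectName=C:\Windows\Panther\unattend.xml AccessMask=0x1 ProcessName=C:\Windows\System32\notepad.exe",
    r"EventID=4663 SubjectUserName=bob ObjectName=C:\Users\bob\notes.txt AccessMask=0x1 ProcessName=C:\Windows\System32\notepad.exe",
]


@dataclass
class Alert:
    route: str   # where the alert goes; decoy hits never share the noisy default queue
    asset: str   # which decoy fired
    actor: str   # account that touched it
    source: str  # requesting host or process
    reason: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one constructed key=value line into a dict."""
    return dict(_KV.findall(line))


def detect(lines) -> list:
    """Match events against the decoy inventory only; real accounts and files are not inspected,
    which is what keeps these alerts high fidelity."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4769" and ev.get("ServiceName") in HONEY_ACCOUNTS:
            # A service ticket for an account that no workload uses: someone enumerated SPNs.
            alerts.append(Alert(
                DEDICATED_ROUTE, ev["ServiceName"], ev.get("TargetUserName", "?"),
                ev.get("IpAddress", "?"),
                f"service ticket requested for decoy account (enc type {ev.get('TicketEncryptionType')})",
            ))
        elif ev.get("EventID") == "4663" and ev.get("ObjectName", "").lower() in CANARY_FILES:
            alerts.append(Alert(
                DEDICATED_ROUTE, ev["ObjectName"], ev.get("SubjectUserName", "?"),
                ev.get("ProcessName", "?"), "decoy file opened",
            ))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the two decoy events produce alerts; the legitimate krbtgt request and the user's own notes file pass through untouched. The `route` field is the operational part: whatever queue it names should page a human rather than sit behind the same suppression rules as the rest of the SIEM.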
Mr.M @cybermrm
@BertJanCyber This is the kind of dull response plumbing that saves time during the ugly part of an incident. Local accounts are where cleanup gets messy, especially when ownership is unclear and the EDR view is thin.

Bert-Jan 🛡️ @BertJanCyber
New response script 🛡️ LocalUserResponse.ps1 helps in local account response scenarios to list, rotate, delete and stop related processes. A blog with more details and live response integration will be published tomorrow. github.com/Bert-JanP/Inci…
Mr.M @cybermrm
@FastAPI The operational miss here is the contact path, not the scanner. If automated tooling can mark critical OSS as malicious, it needs a fast owner-verification lane before the blast radius reaches downstream teams.

FastAPI @FastAPI
Your FastAPI is safe 🔒 Today, FastAPI was incorrectly flagged as malicious by automated tooling from a large company, among several other packages. FastAPI was not compromised. It was a false positive. We were not contacted before publication. This should not happen to OSS.
Mr.M @cybermrm
@hkashfi The useful split is prevention versus inspection. Scanners tell you what already landed; age gates, scoped registries, and deny-by-default installs reduce what can land in the first place.

Hamid Kashfi @hkashfi
Supply-chain attacks hitting companies every other week make projects like Bumblebee great. But that's a passive scanner only, and by the time it warns you of something, it might already be too late. A good side effort is to harden your package manager configs to apply age-gated installations. Most of us do it manually. I thought it would be easier to have an automated script that would automatically scan for, detect and harden package manager configs, so here it is: gist.github.com/Hamid-K/9ce980…
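Both posts above turn on age-gated installs: refusing any release younger than a quarantine window so a freshly pushed malicious version cannot be pulled in before anyone has looked at it. The Python below is an added example for this page, not Hamid Kashfi's gist or any package manager's own code. It applies the gate to a constructed registry document in the shape npm's registry returns (`time` maps each version to its publish timestamp, `dist-tags.latest` names the newest) and reports the cutoff date, which is the same value an installer would pass to npm's `before` setting. The package name, version history and the fixed "now" are constructed; only plain x.y.z versions are compared.

```python
from datetime import datetime, timedelta

# Constructed registry document in the shape npm returns; "example-lib" is a placeholder package.
REGISTRY_META = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.4.1"},
    "time": {
        "created": "2024-01-05T10:00:00.000Z",
        "2.3.0": "2025-11-02T09:12:00.000Z",
        "2.4.0": "2026-01-14T16:40:00.000Z",
        "2.4.1": "2026-03-01T08:05:00.000Z",  # published hours before NOW; nobody has looked at it yet
    },
    "versions": {"2.3.0": {}, "2.4.0": {}, "2.4.1": {}},
}
NOW = "2026-03-01T20:00:00Z"  # constructed "current time" so the example is deterministic


def parse_ts(value: str) -> datetime:
    """Registry timestamps are ISO 8601 with a trailing Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def semver_key(version: str) -> tuple:
    # Plain x.y.z only; pre-release tags would need a fuller comparator.
    return tuple(int(part) for part in version.split("."))


def age_gate(meta: dict, now: str, min_age_days: int) -> dict:
    """Split published versions into releases old enough to install and ones still inside
    the quarantine window, and report the cutoff an installer should honour."""
    cutoff = parse_ts(now) - timedelta(days=min_age_days)
    allowed, blocked = [], []
    for version in meta["versions"]:
        published = parse_ts(meta["time"][version])
        (allowed if published <= cutoff else blocked).append(version)
    newest_allowed = max(allowed, key=semver_key) if allowed else None
    return {
        "latest": meta["dist-tags"]["latest"],   # what a plain install would take
        "allowed": newest_allowed,               # what the gate lets through
        "blocked": sorted(blocked, key=semver_key),
        "before": cutoff.isoformat(),            # value for npm's `before` config
    }


if __name__ == "__main__":
    print(age_gate(REGISTRY_META, NOW, 7))
```

With a seven-day window the gate resolves to 2.4.0 while `latest` still says 2.4.1; the scanner would only tell you about 2.4.1 after it was already on disk, the gate never fetches it. If `allowed` comes back `None` the package has no release old enough, which is a decision for a human, not a reason to shorten the window.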
Mr.M @cybermrm
@cyb3rops This is the right baseline to separate demo value from SOC value. Generic model scores don't tell you whether the thing can kill noise without burying the finding that ruins your week.

Florian Roth ⚡️ @cyb3rops
I spent the last weeks building LLM benchmarks for a very specific reason: we want to use AI in RuneAI to help with THOR finding triage, and I needed a better baseline for model selection than generic LLM leaderboards.

Security-event triage is its own thing. A model can be great at coding, reasoning or vulnerability writeups and still be a bad fit for deciding whether a messy endpoint finding should be suppressed, reviewed or escalated.

In real deployments this will likely happen inside agentic workflows with tools, memory, context handling and feedback loops. But before testing the whole system, I wanted a clean baseline: how does the model behave when it only gets the enriched finding itself?

Blog post with the reasoning and methodology: medium.com/@cyb3rops/why-i-built-my-own-llm-benchmark-for-thor-finding-triage-c8492e3997dc
Interactive benchmark results: nextron-labs.github.io/thor-ai-benchm…
Repo: github.com/Nextron-Labs/t…

Maybe useful for others building SOC / security-event triage benchmarks.
Mr.M @cybermrm
@arekfurt The policy object is not the magic. The useful bit is making privileged access depend on where the session is born. Break glass still needs a clean path, but this kills a lot of 'admin from random laptop' debt.