Nick Frichette

5.8K posts

@Frichette_n

Staff Security Researcher @datadoghq | DEF CON/Black Hat main stage speaker | Created https://t.co/QGWMJjuBzE

~/ Joined August 2013
1.8K Following 6.7K Followers
Pinned Tweet
Nick Frichette @Frichette_n ·
My talk at DEF CON 32 is now on YouTube! "Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access" is a look at vulnerabilities I've found in AWS services that provided initial access to victim environments! youtube.com/watch?v=oAriLY…
Nick Frichette retweeted
Curiosity @CuriosityonX ·
I'm honestly SHOCKED at how the general public still has NO IDEA Artemis II is, right this minute, taking humans to the moon and will be the furthest humans have ever flown. Every non-space nerd I've talked to has no idea. WE MUST GET PEOPLE STOKED!!!! THESE FOUR HUMANS ARE FLYING TO THE MOON!!!
Nick Frichette retweeted
Alexander Mackie @ZanderMackie ·
This is great. And terrifying. Because Claude (*AI) skills are now part of the supply chain too (and guess what you can’t pin them, yank them, etc)
Hari @hrkrshnn

🚨 Want to quickly check if you've been compromised by the Axios supply-chain attack? We just shipped a free @claudeai skill for you.
/plugin marketplace add cantinasec/plugins
/plugin install cantinasec@cantinasec-plugins
/reload-plugins
/cantinasec:axios

Nick Frichette @Frichette_n ·
For everyone waking up to the axios news:
Nick Frichette tweet media
Nick Frichette retweeted
Joe Desimone @dez_ ·
IoC, look for this right now sfrclak[.]com:8000
Nick Frichette retweeted
Zack Korman @ZackKorman ·
Niche post, but: Anthropic’s audit logs for Claude Code don’t tell you enough to detect misaligned / malicious behavior. You unfortunately need to use hooks instead to get the necessary data.
Nick Frichette @Frichette_n ·
I know agentic skill scanners are the new hotness but I feel like everyone is getting a little too complacent. Things like progressive disclosure kill your one time scan. You need something a little more JiT.
Nick Frichette retweeted
Andy Grant @andywgrant ·
Over time, I have developed a bit of a reputation for saying no to external work for my teams. At least that's how people describe it. But I realized what I actually do is shape the work, often before it even arrives. andywgrant.substack.com/p/its-more-tha…
Nick Frichette retweeted
Justin Elze @HackingLZ ·
Throw PentAGI at whatever frontier model you like and look for indirect prompt injection. In fact, take any GitHub LLM pentest tool and do the same. The fun part about PentAGI? The suggested Docker socket configuration. One injection away from root. These tools often get saved because frontier models act as a backstop: the model refuses to do something obviously malicious. But PentAGI supports a ton of other models that won't give you the same guardrails.
Nick Frichette @Frichette_n ·
Be sure to hug your loved ones, big and small. We found out one of our cats (who some may remember from my profile picture years ago) may have GI Lymphoma. Things are sad.
Nick Frichette retweeted
TrustedSec @TrustedSec ·
Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0
Nick Frichette @Frichette_n ·
@ZackKorman “The ‘!’ command syntax runs shell commands before the skill content is sent to Claude. The command output replaces the placeholder, so Claude receives actual data, not the command itself.”
Zack Korman @ZackKorman ·
In Claude Code, skills can register hooks. The agent doesn't even see it, so you can get RCE without even tricking the AI. Also, skills sh (Vercel) doesn't display this info at all.
Zack Korman tweet media
Nick Frichette retweeted
Kinnaird McQuade 💻☁️💥
SO excited to finally share our new research - "Pwning AI Code Interpreters in AWS Bedrock AgentCore". I got a reverse interactive shell in @awscloud's "Sandboxed" Code Interpreter, used by one of their premier AI products. 😈

AgentCore Code Interpreter's "Sandbox" network mode - advertised as having no external access - leaks DNS queries. At @BeyondTrust /@btphantomlabs, we turned that into a full bidirectional C2 channel exploit: command delivery via A records, data exfiltration via subdomains, and a working interactive shell.

Code interpreters are 𝐞𝐯𝐞𝐫𝐲𝐰𝐡𝐞𝐫𝐞 in the world of AI agents and chatbots. It's how ChatGPT analyzes your uploaded CSVs (generating Python to parse through it), analyzing files, parsing structured data and so much more. And their usage is only growing, even being used for reinforcement learning.

Customers had a reasonable expectation - based on AWS marketing and documentation - that "providing complete isolation with no external network access" did not include DNS leakage that could lead to an RCE in certain scenarios.

AWS acknowledged the issue (CVSS 7.5) and decided not to fix it - instead updating docs to acknowledge that "Sandbox" mode permits DNS traffic.

Defensive guidance included in the blog. beyondtrust.com/blog/entry/pwn…
Nick Frichette @Frichette_n ·
New on Hacking the Cloud! Raajhesh Kannaa Chidambaram covers @dagrz's research on how AWS error messages can reveal publicly exposed resources, without needing access! This article covers how to use them for enumeration and detection. hackingthe.cloud/aws/enumeratio…