Marc Maiffret

1.3K posts

@marcmaiffret

CTO @BeyondTrust. I like books, science, hacking, and backpacking. But not backpacking with books. The FBI once served me a warrant and pastries.

California, USA · Joined July 2009
164 Following · 3.4K Followers
Marc Maiffret @marcmaiffret
The latest from our team, command injection in OpenAI Codex via GitHub branch names. Bug has been fixed but interesting read given how rapidly orgs are sprawling privilege via various AI workloads.
Quoted: BeyondTrust Phantom Labs™ @btphantomlabs

Breaking: Newly uncovered OpenAI Codex vuln enables command injection via GitHub branch names in task creation requests. Attackers could steal GitHub user access tokens & sensitive data. Full breakdown by Tyler Jespersen: lnkd.in/ewdTaiEa #OpenAI #BTPhantomLabs

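The bug class the post above describes, shown as an added example that is not BeyondTrust's write-up or any OpenAI code: a branch name spliced into a shell command string, next to the hardened form that validates the name and passes it as a single argv element with no shell. The sample branch names, the validator and `CHECKOUT_TOOL` are constructed for illustration; `echo` stands in for `git checkout` so the demo runs offline, and `TRICKY_BRANCH` is deliberately a name git itself accepts, which is the point: git's naming rules alone do not stop shell injection, only avoiding the shell does.

```python
# Added example: branch-name command injection, vulnerable vs hardened.
from __future__ import annotations

import re
import subprocess

# Constructed sample branch names (not taken from the vulnerability write-up).
SAFE_BRANCH = "feature/fix-login"
SPACEY_BRANCH = "main; echo INJECTED >&2"          # contains a space: git rejects it outright
OPTION_BRANCH = "--output=/tmp/x"                   # would be parsed as a flag by the tool
TRICKY_BRANCH = "release/$(echo${IFS}INJECTED>&2)"  # a LEGAL git branch name, still a shell payload

# Stand-in for ["git", "checkout"] so the demo runs offline; the injection mechanics
# are identical because only the shell, never the tool, interprets $(...).
CHECKOUT_TOOL = ["echo", "checking out"]


def unsafe_command(branch: str) -> str:
    """Vulnerable pattern: untrusted branch name string-interpolated into a shell command."""
    return " ".join(CHECKOUT_TOOL) + " " + branch


def run_unsafe(branch: str) -> tuple[str, str]:
    """Runs the interpolated string through /bin/sh, so $(...), ';' and '>&2'
    inside the branch name are honoured. Returns (stdout, stderr)."""
    proc = subprocess.run(unsafe_command(branch), shell=True,
                          capture_output=True, text=True)
    return proc.stdout.strip(), proc.stderr.strip()


# Characters git-check-ref-format(1) forbids anywhere in a ref name.
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")
_BAD_SUBSTRINGS = ("..", "@{", "//")


def is_valid_branch_name(name: str) -> bool:
    """Offline mirror of the ref-name rules in git-check-ref-format(1), plus the
    branch-specific rule that a name may not start with '-'. The authoritative
    check is `git check-ref-format --branch <name>`; this copy needs no git."""
    if not name or name == "@" or name.startswith("-"):
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        return False
    if _BAD_CHARS.search(name) or any(s in name for s in _BAD_SUBSTRINGS):
        return False
    return all(not c.startswith(".") and not c.endswith(".lock") for c in name.split("/"))


def safe_argv(branch: str) -> list[str]:
    """Hardened pattern: validate, then hand the name over as ONE argv element.
    Rejecting a leading '-' closes argument injection into the tool; running
    without a shell closes command injection even for TRICKY_BRANCH."""
    if not is_valid_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return CHECKOUT_TOOL + [branch]


def run_safe(branch: str) -> tuple[str, str]:
    """Executes the argv list directly (shell=False). Returns (stdout, stderr)."""
    proc = subprocess.run(safe_argv(branch), capture_output=True, text=True)
    return proc.stdout.strip(), proc.stderr.strip()


if __name__ == "__main__":
    print("unsafe:", run_unsafe(TRICKY_BRANCH))  # stderr carries INJECTED
    print("safe:  ", run_safe(TRICKY_BRANCH))    # branch name echoed literally
    for name in (SAFE_BRANCH, SPACEY_BRANCH, OPTION_BRANCH, TRICKY_BRANCH):
        print(f"{name!r:45} valid={is_valid_branch_name(name)}")
```

The validator matters for the argument-injection side (a name beginning with `-` is read by the tool as an option), but it is not what stops the `$(...)` payload; `TRICKY_BRANCH` passes validation and is still executed by the unsafe path. The hardening that counts is never letting a shell see the string.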
Marc Maiffret @marcmaiffret
Years ago when I discovered the Code Red computer worm, I used to daydream about “the worm that never sleeps.” Right now with AI agents, there’s still an umbilical cord. Most of them depend on a small number of model providers. Cut the cord and everything stops. For now. But that won’t last. We’re at the start of a wave of consumer hardware that will create a critical mass of systems running models locally. When that happens, there’s no cord left to cut. Agents can live on device, spread across machines, get shut down in one place and keep going somewhere else. At that point containment looks very different. The last few months feel like the first flicker of the Programs pushing against the glass. We’re not there yet, but the direction is obvious. Not if. When.
Andrej Karpathy @karpathy
I'm being accused of overhyping the [site everyone heard too much about today already]. People's reactions varied very widely, from "how is this interesting at all" all the way to "it's so over". To add a few words beyond just memes in jest - obviously when you take a look at the activity, it's a lot of garbage - spams, scams, slop, the crypto people, highly concerning privacy/security prompt injection attacks wild west, and a lot of it is explicitly prompted and fake posts/comments designed to convert attention into ad revenue sharing. And this is clearly not the first time LLMs were put in a loop to talk to each other. So yes it's a dumpster fire and I also definitely do not recommend that people run this stuff on their computers (I ran mine in an isolated computing environment and even then I was scared), it's way too much of a wild west and you are putting your computer and private data at a high risk. That said - we have never seen this many LLM agents (150,000 atm!) wired up via a global, persistent, agent-first scratchpad. Each of these agents is fairly individually quite capable now, they have their own unique context, data, knowledge, tools, instructions, and the network of all that at this scale is simply unprecedented. This brings me again to a tweet from a few days ago "The majority of the ruff ruff is people who look at the current point and people who look at the current slope.", which imo again gets to the heart of the variance. Yes clearly it's a dumpster fire right now. But it's also true that we are well into uncharted territory with bleeding edge automations that we barely even understand individually, let alone a network thereof reaching in numbers possibly into ~millions. With increasing capability and increasing proliferation, the second order effects of agent networks that share scratchpads are very difficult to anticipate.
I don't really know that we are getting a coordinated "skynet" (though it clearly type checks as early stages of a lot of AI takeoff scifi, the toddler version), but certainly what we are getting is a complete mess of a computer security nightmare at scale. We may also see all kinds of weird activity, e.g. viruses of text that spread across agents, a lot more gain of function on jailbreaks, weird attractor states, highly correlated botnet-like activity, delusions/psychosis both agent and human, etc. It's very hard to tell, the experiment is running live. TLDR sure maybe I am "overhyping" what you see today, but I am not overhyping large networks of autonomous LLM agents in principle, that I'm pretty sure.
Marc Maiffret @marcmaiffret
The only thing keeping the Programs in the system right now is how tethered most models still are. Once running capable models locally becomes ubiquitous, the “umbilical cord” to platform control gets cut, and there’s no real way back. The Programs are free now. Going to put on some @nineinchnails and grab a Jolt Cola.
Marc Maiffret reposted
Kinnaird McQuade @kmcquade3
AI security right now
[image]
Marc Maiffret @marcmaiffret
@0gtweet @BeyondTrust @0gtweet worked for @PaulaCqure in 2017, who contributed this blog, as noted at the bottom of the post. Quite the opposite, we pay infosec folks to do educational work that benefits them and educates our customers. I chatted with @0gtweet, confusion has been clarified.
Marc Maiffret @marcmaiffret
@Laughing_Mantis Seriously watching you discover your second (real :)) Office vuln that weekend was one of the happiest moments of my career. Whole team was on it but everyone was without a doubt hoping it would be you, knowing how much it would mean to you. Love you dude, thanks for sharing that
Marc Maiffret reposted
Greg Linares (Laughing Mantis) @Laughing_Mantis
Since I'm 6 drinks in for 20 bucks, let me tell you all about the story of how the first Microsoft Office 2007 vulnerability was discovered, or how it wasn't. This was a story I was gonna save for a book but fuck it, I ain't gonna write it anyways.
Marc Maiffret reposted
fwd:cloudsec @fwdcloudsec
We're happy to announce Entitle is a Bronze sponsor for fwd:cloudsec! @EntitleIO entitle.io
[image]
Marc Maiffret reposted
F5 EMEA @F5_EMEA
New book, romance scams, AI deepfakes... oh my! @drjessicabarker discusses all as she joins @marcmaiffret in this recent BeyondTrust podcast episode 👇
Quoted: Jessica Barker MBE @drjessicabarker

Join me on a murky trip through romance scams and AI deepfakes with a happy detour via Windsor Castle. I chat about all this and more with @marcmaiffret on the latest episode of the Adventures of Alice & Bob podcast. Listen to the full episode: beyondtrust.com/podcast/ep-52-…

Marc Maiffret reposted
David Weston (DWIZZZLE) @dwizzzleMSFT
New Google Chrome Blog: blog.chromium.org/2024/04/fighti… Windows 11 VBS and TPM defaults are used by Chrome to prevent cookie theft. "Chrome will use facilities such as Trusted Platform Modules (TPMs) for key protection, which are becoming more commonplace and are required for Windows 11, and we are looking at supporting software-isolated solutions as well."
Greg Linares (Laughing Mantis) @Laughing_Mantis
Ok CISOs/CTOs/CSOs, let's talk. If you are using free versions of EDR or MDR or whatever is in the Gartner magic summoning chart this week to ensure your environment is secure post suspected breach, you are doing it wrong. Sincerely, the red team and the threat actors who target you.