Trail of Bits

Over 700,000 repos ship crypto libraries that default to a static IV, creating widespread key reuse. We also released mquire, a Linux memory forensics tool, and added 12 new open-source Claude Code skills for security engineering. March Tribune: mailchi.mp/trailofbits/ma…

Wonderland CTF prizes are in: $30,000 on the line. $15k, $10k & $5k for the top 3. Plus a few surprises. May the best teams win.

They also recovered an RSA private key from partial fields intercepted over satellite, with no modulus. The solution is in the appendix of the CCS 2025 paper. satcom.sysnet.ucsd.edu

Keegan Ryan spent years on a San Diego rooftop intercepting satellite traffic, military locations, industrial control data, and government communications. All in the clear. youtube.com/live/v_AFtbWr1…

HTTPS protected browsers. But satellites broadcasting military positions and cell tower audio in plain text? Nobody fixed that.

@attilagyorffy Sorry about that! here's the correct links for those that were broken in the newsletter: Agentic actions auditor-github.com/trailofbits/sk… Seatbelt sandboxer-github.com/trailofbits/sk… Skill improver-github.com/trailofbits/sk… Supply chain risk auditor- github.com/trailofbits/sk…

@trailofbits In today's newsletter, the link to the skill-improver is pointing to a 404 on GitHub. Too bad, it sounded like a very useful Claude skill that the comunity would make use of. Care to check? Thanks.

Notable new skills updated links: Agentic actions auditor-github.com/trailofbits/sk… Seatbelt sandboxer-github.com/trailofbits/sk… Skill improver-github.com/trailofbits/sk… Supply chain risk auditor- github.com/trailofbits/sk…

Over 700,000 repos ship crypto libraries that default to a static IV, creating widespread key reuse. We also released mquire, a Linux memory forensics tool, and added 12 new open-source Claude Code skills for security engineering. March Tribune: mailchi.mp/trailofbits/ma…

We engaged @trailofbits to audit the cryptography powering Charon’s cluster edit commands, the new feature that makes DVT clusters mutable for the first time. Nine findings. Zero high-severity. All resolved. Learn more ⏬

I solemnly swear I'm up to no good. cc: @dguido @DanielMiessler Let's see what PAI + Trail of Bits skills can get up to.

Liquidium has completed a security review of the ICP canisters powering Cross Chain Loans. The review was conducted by @trailofbits, a leading security research firm. Review completed September 2025, with a fix review completed November 2025.

We’re grateful to @trailofbits for supporting Offensivecon again as a Diversity Sponsor — and for joining as a Gold Sponsor too this year!

The future's pretty rad. New favorite thing this morning is @trailofbits Seatbelt-Sandboxer skill. Having the AI help you make seatbelt policies makes doing the right thing easy. Paired with process tree rules which ensure you're running under seatbelt-exec w/the policies 😎

If you're working with smart accounts, each pattern includes safe code examples so you can reference them for your own implementation: blog.trailofbits.com/2026/03/11/six…

A single bug in an ERC-4337 smart account can be as catastrophic as leaking a private key. We've audited dozens of smart accounts and found six vulnerability patterns that consistently reappear across codebases. 🧵

Researching supply chain threats is goofy because you’ll find a clever technique, be impressed by it, and think “wow, for once an attacker in the wild is doing something smart”, and then you dig into it more and it’s a researcher at Trail of Bits 😂

"Uniswap v4 Hooks: A Security Guide for Builders and Breakers" with nisedo (@nisedo_) at the Security track. Understanding hook vulnerabilities now could save your protocol from becoming tomorrow's exploit headline.

@SuiNetwork @DeepBookonSui 3/ We bring deep expertise to Move-based applications. If you’re building on Sui, join us for office hours. We'll help you work through your hardest security problems. share.hsforms.com/1VVGPLTjiRduOp…

@SuiNetwork 2/ We’ve been breaking blockchain protocols and dApps for 14 years. Just last year, our team analyzed @DeepBookonSui flash loans to show how the Move language serves as a primary security guard. blog.trailofbits.com/2025/09/10/how…

We’re now an official ecosystem security partner for @SuiNetwork. Sui builders get a direct line to our team for architecture reviews and security assessments. 🧵

Trail of Bits is sponsoring Rekt Security Summit. They've audited some of the most critical infrastructure in crypto. They've published research that changed how the industry thinks about security. Exactly the kind of partner this summit needs.