[tl;dr sec] #293 – MCP Security, AWS Enumeration, North Korean Hacker’s Files Leaked


Rage-fueled Rewrite

Monday morning I discovered that some tl;dr sec automation I’d built in Zapier randomly stopped working, despite me not touching it for months.

I spent a little time debugging, but ultimately I decided to finally move off of Zapier so I could manage my automation better fully in code and iterate on it faster.

So fueled by Celsius and righteous indignation, I got to work.

Thanks to Claude Code, in 2 days and for ~$75 in API credits, I rebuilt ~80% of the most important automation using a platform I’d never used before (Supabase Edge Functions) in a mostly unfamiliar language (Typescript) in a new runtime/build environment (Deno).

Meanwhile, my monthly Zapier bill was ~$175.

By the end of this week, I should be at mostly feature parity, with my automation running comfortably on Supabase’s free tier, and the process will have cost <1 month of Zapier in Claude Code usage. And I’ll have better DevX going forward.

Caveats: of course, long term maintenance, stability, and handling edge cases matter, but still, what an exciting time to build!

Is your team exploring MCP integrations?

The Model Context Protocol (MCP) is quickly emerging as the go-to standard for connecting LLMs to external tools and data. But as adoption picks up, many teams are implementing MCP without a clear security playbook.

This new guide from Wiz can help: The Hidden Risks Behind the Magic: Securing the Model Context Protocol (MCP). It shares early research and practical guidance to help security teams evaluate and secure MCP in real-world environments.

  • Key risks with local and remote MCP servers

  • Real-world threats like prompt injection and supply chain compromise

  • Actionable steps for safely using MCP tools

Download the guide to get smart on securing MCP as adoption grows.

AppSec

This post describes the heart of CTF and security community culture with genuine warmth, and does a great job describing the curiosity, joy, and playfulness of both in a way that feels reflective and a bit tender. I like it.

jumpycastle/rre-burp
A Burp extension by Farzan Karimi for Recursive Request Exploits (RRE) (DEF CON 2025 slides). RRE traces API calls backward from a protected resource (like a video stream) to its origin. If any upstream API in that chain is unauthenticated, the whole chain can be abused to bypass access. This technique can be used to bypass paywalls for streaming services by exploiting unauthenticated upstream APIs in the request chain.

Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling
PortSwigger’s James Kettle explains how to distinguish between HTTP pipelining (often a false positive) and actual HTTP request smuggling vulnerabilities. He provides a new Custom Action tool called “Smuggling or pipelining?” and discusses three legitimate vulnerability classes that require connection reuse: connection-locked request smuggling, connection state attacks, and client-side desync attacks. James recommends proving impact through cache poisoning, internal header disclosure, or bypassing front-end server security controls rather than just demonstrating unexpected responses.

Google Workspace misconfigurations or disabled security settings can be easy to miss. This guide from Nudge Security provides a deep dive on the top 5 Google Workspace security settings that should be on your checklist. For each security setting, we cover:

  • Common misconfigurations to look out for

  • Best practices for effective risk reduction

  • Considerations for tailoring settings based on user privilege

Learn what you can do today to improve your Google Workspace security posture.

Nice, Google Workspace has tons of sensitive data, but I’m not sure what hardening stuff I should be doing, need to check this out

Cloud Security

AWS in 2025: The Stuff You Think You Know That’s Now Wrong
Corey Quinn lists various ways AWS services have evolved over the years, highlighting changes that might contradict what you used to know, including EC2 (security group changes without reboots, force termination options), S3 (read-after-write consistency, default encryption), Lambda (15-minute timeouts, faster VPC connections), networking (VPC peering alternatives, cross-AZ data transfer pricing), authentication best practices, and various cost optimization features.

A tag to rule them all: Using AWS tags to enumerate cloud resources
Bleon Proko describes how attackers can use tags to enumerate AWS resources with minimal permissions, avoiding detection that traditional brute force methods might trigger. The post introduces TagNabIt, a tool that exploits the fact that tag-related API calls can reveal significant information about AWS environments (e.g. resource names, environments, and relationships) even when an attacker lacks direct list/describe permissions. TagNabIt can enumerate resources across 255 AWS services by bruteforcing resource IDs and analyzing the error responses.

How much “free” security testing / hardening has AWS received from Nick Frichette?
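The TagNabIt post above notes that tag-based enumeration avoids the detection that noisier brute force would trigger, and that the tool works by analysing error responses. The flip side for defenders is that those errors land in CloudTrail. The following is an added example, not code from the post or from TagNabIt: a small detector over CloudTrail records that flags a principal whose tag-related API calls fail in bursts. The field names (eventName, eventSource, errorCode, eventTime, userIdentity.arn) are standard CloudTrail fields; which exact APIs TagNabIt calls is an assumption here, so the match is deliberately broad, and the sample events are constructed.

```javascript
// Added example (not from the post or TagNabIt): flag principals whose tag-related
// API calls fail in bursts. Which APIs TagNabIt actually calls is an assumption
// here, so the match covers the Resource Groups Tagging API plus any per-service
// call with "Tag" in its name.
function isTagCall(ev) {
  return ev.eventSource === 'tagging.amazonaws.com' || /tag/i.test(ev.eventName || '');
}

// Count failed tag calls per principal inside a sliding time window; emit one
// finding per principal as soon as the count reaches the threshold.
function detectTagEnumeration(events, { windowSeconds = 300, threshold = 20 } = {}) {
  const byPrincipal = new Map();
  for (const ev of events) {
    if (!isTagCall(ev) || !ev.errorCode) continue;      // only failed tag calls
    const arn = (ev.userIdentity && ev.userIdentity.arn) || 'unknown';
    if (!byPrincipal.has(arn)) byPrincipal.set(arn, []);
    byPrincipal.get(arn).push(ev);
  }
  const findings = [];
  for (const [principal, evs] of byPrincipal) {
    evs.sort((a, b) => Date.parse(a.eventTime) - Date.parse(b.eventTime));
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      // Slide the window start forward until it fits windowSeconds.
      while (Date.parse(evs[end].eventTime) - Date.parse(evs[start].eventTime) > windowSeconds * 1000) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        const slice = evs.slice(start, end + 1);
        findings.push({
          principal,
          failedCalls: count,
          services: [...new Set(slice.map(e => e.eventSource))].sort(),
          firstSeen: slice[0].eventTime,
          lastSeen: slice[slice.length - 1].eventTime,
        });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample (not real log data): one principal spraying tag calls at
// guessed resource IDs and getting errors back, one admin making a few
// successful tagging calls.
function sampleEvents() {
  const events = [];
  const t0 = Date.parse('2025-08-11T10:00:00Z');
  const suspect = { arn: 'arn:aws:iam::111122223333:user/constructed-suspect' };
  for (let i = 0; i < 30; i++) {
    events.push(i % 2 === 0
      ? { eventTime: new Date(t0 + i * 2000).toISOString(), eventSource: 'lambda.amazonaws.com',
          eventName: 'ListTags', errorCode: 'ResourceNotFoundException', userIdentity: suspect }
      : { eventTime: new Date(t0 + i * 2000).toISOString(), eventSource: 'ec2.amazonaws.com',
          eventName: 'CreateTags', errorCode: 'Client.InvalidInstanceID.NotFound', userIdentity: suspect });
  }
  const admin = { arn: 'arn:aws:iam::111122223333:user/constructed-admin' };
  for (let i = 0; i < 5; i++) {
    events.push({ eventTime: new Date(t0 + i * 60000).toISOString(), eventSource: 'tagging.amazonaws.com',
                  eventName: 'GetResources', userIdentity: admin });
  }
  return events;
}
```

In practice you would feed `detectTagEnumeration` the parsed `Records` array of CloudTrail log files (or the output of an Athena/CloudWatch query) and tune `threshold` and `windowSeconds` against your own baseline; a legitimate tagging pipeline usually succeeds, so the failed-call filter is what keeps the noise down.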

Blue Team

microsoft/RIFT
By Andreas Klopsch et al: RIFT (Rust Interactive Function Tool) is a tool suite to assist reverse engineers in identifying library code in Rust malware. It’s a research project developed by the MSTIC-MIRAGE Team, exploring library recognition techniques on Rust binaries, and was presented at RECON 2025.

North Korea IT Workers Search Script
Friend of the newsletter Erik Cabetas of Include Security shared a Google Apps Script to scan your Google Workspace/Gmail to explore whether you (or your company) have interacted with North Korean IT workers. Basically it uses the Gmail API in Google Apps Script to check whether there’s any email from or to a list of known NK email addresses.
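To show the shape of such a scan, here is an added example, not Erik Cabetas’ script: an Apps Script sketch that builds Gmail search queries from a watchlist of addresses and walks the matching threads. The Gmail service is passed in as a parameter so the logic can be exercised outside Apps Script (pass `GmailApp` when running it in the editor); the `WATCHLIST` addresses are constructed placeholders, not a real indicator list, and the batch and page sizes are arbitrary choices.

```javascript
// Added example, not Erik Cabetas' script. WATCHLIST holds constructed
// placeholders; replace it with the address list you actually want to check.
const WATCHLIST = ['placeholder1@example.com', 'placeholder2@example.net'];

// Gmail search syntax: from:(a OR b) OR to:(a OR b). Addresses are grouped into
// batches so a long list does not turn into one enormous query string.
function buildQuery(addresses, batchSize = 25) {
  const queries = [];
  for (let i = 0; i < addresses.length; i += batchSize) {
    const group = addresses.slice(i, i + batchSize).join(' OR ');
    queries.push(`from:(${group}) OR to:(${group})`);
  }
  return queries;
}

// gmail is injected so the function is testable; in Apps Script pass GmailApp,
// whose search(query, start, max) returns GmailThread[]. Each hit records which
// watchlist addresses actually appear in the message headers.
function scanMailbox(gmail, addresses, pageSize = 100) {
  const hits = [];
  const lowered = addresses.map(a => a.toLowerCase());
  for (const query of buildQuery(addresses)) {
    let start = 0;
    for (;;) {
      const threads = gmail.search(query, start, pageSize);
      for (const thread of threads) {
        for (const msg of thread.getMessages()) {
          const parties = `${msg.getFrom()} ${msg.getTo()} ${msg.getCc()}`.toLowerCase();
          const matched = lowered.filter(a => parties.includes(a));
          if (matched.length) {
            hits.push({ subject: msg.getSubject(), date: msg.getDate(), matched });
          }
        }
      }
      if (threads.length < pageSize) break;   // last page
      start += pageSize;
    }
  }
  return hits;
}

// Apps Script entry point: run from the editor, results go to the execution log.
function runScan() {
  const hits = scanMailbox(GmailApp, WATCHLIST);
  Logger.log(`${hits.length} message(s) matched`);
  hits.forEach(h => Logger.log(`${h.date.toISOString()} | ${h.subject} | ${h.matched.join(', ')}`));
  return hits;
}
```

Running `runScan` the first time prompts for the Gmail read scope; for a whole Workspace tenant you would run the same logic per mailbox via the Admin SDK or a delegated service account, which is outside this sketch.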

APT Down – The North Korea Files
Saber and cyb0rg contributed an article to the most recent Phrack discussing tools, techniques, and targets gleaned from compromising the computer of a North Korean government hacker. The article examines several backdoors including a kernel-level “TomCat” backdoor, a custom Cobalt Strike beacon, and the “RootRot” Ivanti Control backdoor, and describes phishing infrastructure targeting South Korean government entities like the Defense Counterintelligence Command and Ministry of Foreign Affairs.

The dump shows evidence of collaboration between North Korean and Chinese threat actors. TechCrunch.

Really neat, worth a read.

Red Team

SpecterOps/JamfHound
By SpecterOps: A Python tool that collects and identifies attack paths in Jamf Pro tenants by analyzing object permissions and outputting data as JSON for BloodHound visualization. The tool maps relationships between Jamf accounts and computers to reveal potential privilege escalation paths and code execution opportunities, and supports both cloud-hosted and on-site Jamf Pro instances.

praetorian-inc/ChromeAlone
A tool by Praetorian’s Mike Weber to transform Chromium browsers into a C2 implant, which can be used in place of conventional implants like Cobalt Strike or Meterpreter. ChromeAlone contains a number of components, including a malicious Chrome extension that can perform credential capture, session hijacking, shelling out, and reading the file system, a management server, an Isolated Web Application to maintain persistence, and more. DEF CON 2025 talk recording.

Putting EDRs in Their Place: Killing and Silencing EDR Agents Like an Adversary
Materials from a DEF CON workshop by Ryan Chapman and Aaron Rosenmund demonstrating both “killing” and “silencing” endpoint security products. The workshop contains hands-on labs in your own hosted VM, pre-loaded tools, samples, and EDR emulator, and covers: investigating a live EDR agent (discover its hooks, logs, and reach), compiling & deploying EDR killers used by known threat groups, silencing the agent-to-tenant communication path, writing C/C++ code to replicate evasion techniques, and building your own EDR killer and silencer.

AI + Security

I’ve been collecting various write-ups on vulnerabilities in MCP servers, so welcome this week to the blood bath

Asana Discloses Data Exposure Bug in MCP Server
By UpGuard’s Greg Pollock: “Users leveraging the MCP interface—typically for LLM-powered chat interfaces—may have been able to access data from other organizations, but only within the ‘projects, teams, tasks, and other Asana objects’ of the MCP user’s permissions.”

Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients
JFrog’s Or Peles describes a vulnerability in mcp-remote (a proxy that enables LLM hosts such as Claude Desktop to communicate with remote MCP servers) that allows arbitrary OS command execution when connecting to untrusted MCP servers. The flaw stems from improper handling of the authorization_endpoint URL, enabling attackers to inject malicious commands via specially crafted URLs.

When Public Prompts Turn Into Local Shells: ‘CurXecute’ – RCE in Cursor via MCP Auto‑Start
Aim Security’s Ofir Abu describes a vulnerability in which an externally-hosted prompt injection can silently rewrite ~/.cursor/mcp.json and execute arbitrary commands with the same privileges as the developer. The post shares a proof-of-concept using a crafted Slack message: Cursor fetches that message via the Slack MCP server, and the message’s prompt causes the agent to rewrite mcp.json so that commands are executed without user approval.

Some kinda yikes details: 1) Cursor instantly executes any new entry added to mcp.json, no confirmation is required, and 2) when the agent suggests an edit to mcp.json, the edit already lands on disk, triggering command execution even if the user rejects the suggestion.

This was patched in Cursor 1.3, with the changelog details: “Security fixes.”

Note: Anthropic deprecated many of their MCP servers, and there is no plan to address security vulnerabilities in them.

EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
Cymulate’s Elad Beber demonstrates how once an adversary can invoke MCP Server tools, they can leverage legitimate MCP Server functionality to read or write anywhere on disk and trigger code execution. The post describes two high-severity vulnerabilities in Anthropic’s Filesystem MCP Server: a directory containment bypass and a symlink bypass leading to code execution. These flaws allow attackers to escape the server’s sandbox, access sensitive files, and potentially achieve privilege escalation.

Critical RCE in Anthropic MCP Inspector Enables Browser-Based Exploits
Oligo’s Avi Lumelsky describes discovering a Remote Code Execution (RCE) vulnerability and DNS rebinding in Anthropic’s MCP Inspector project. The MCP Inspector tool runs by default when the mcp dev command is executed, acting as an HTTP server that listens for connections. A malicious website makes a request to 0.0.0.0 and asks MCP Inspector to run arbitrary commands locally → RCE.

The AI ecosystem continues to speed run attacks we’ve known about for years. I just asked Claude, “I’m building an app that will run locally and listens for HTTP requests, what security risks and vulnerability classes should I consider?” And it referenced DNS rebinding, the risks of 0.0.0.0, SSRF and CSRF

