[tl;dr sec] #299 – The Security Engineer’s Guide to MCP, IAM Hound Dog, IMDS Anomaly Detection

In Vegas this year I joined my friends Conor Sherman (Sysdig CISO in Residence) and Stuart Mitchell (Hampton North) on their new podcast, Zero Signal.

We discussed AI’s impact on penetration testing, the job pipeline, “shifting down not left” (H/T my interview with former Google Cloud CISO Phil Venables), integrating security in vibe coding, and more.

P.S. I’ve been working on a talk for our Semgrep offsite next week on current trends in AI + AppSec and where things are headed, which has been a lot of fun. Will share via blog, conference talk, or video sometime

Meet Tami—the AI CloudSecOps agent that doesn’t just tell you what’s broken, but actually fixes it. 

Why stop at detection? Tamnoon’s AI agent goes the extra mile: it prioritizes, enriches, investigates, and delivers production-ready remediation playbooks validated by expert CloudPros. 

Trained on millions of safe executions in real environments, Tami turns your endless alert backlog into tested, permanent solutions—keeping your entire cloud infrastructure safe and compliant.

Cookie Chaos: How to bypass Host and Secure cookie prefixes
Portswigger’s Zakhar Fedotkin describes how attackers can bypass browser-enforced cookie prefix protections (__Host- and __Secure-) by exploiting inconsistencies in how browsers and servers handle cookie encoding and parsing. These techniques can enable attackers to inject malicious cookies that bypass browser restrictions, potentially leading to XSS, session fixation, or privilege escalation. Burp Custom Action to test for these issues.

Two bypass techniques: using Unicode whitespace characters that browsers treat as regular characters but servers normalize away, and leveraging legacy cookie parsing behavior ($Version=1) that causes some Java-based servers to interpret a single cookie as multiple cookies.

Cloud-native speed comes with cloud-sized risk. As teams spin up and down resources at record pace, security gets buried in complexity. Point solutions for prevention, posture, and response just can’t keep up. 

ESG reveals why organizations need a consolidated, integrated approach that streamlines security, reduces risk in real time, and delivers runtime protection where it matters most.

Neat, a report on cloud security wins and losses from 370 organizations, that’s a solid dataset  

VirtueSecurity/IAMhounddog
By Virtue Security’s Nathan Tucker: A tool that helps pentesters identify privileged principals and second-order privilege escalation opportunities in AWS environments by mapping relationships between IAM entities and resources. The tool generates a graph database compatible with BloodHound, revealing connections between principals, roles, policies, and AWS services (CloudFormation, EC2, ECS, EKS, Lambda, RDS, Step Functions, CodeBuild, and CodePipeline).

The approach: establishing baseline IMDS access patterns, identifying suspicious processes with rare IMDS access, filtering by requests made to sensitive metadata paths (related to determining what permissions you have access to), and analyzing compute context.

The tool works by: first fetching relevant access logs, then replaying these logs against two local authorization engines (one with current policies, one with proposed changes) to identify differences in access control results. The change author gets a report on the potential impact of the proposed policy change, who can then decide if they want to proceed.

Whoa, impressive engineering. Probably overkill for most companies, but worth a read. I especially like the idea of replaying past events and comparing proposed changes vs the prior state. This can be applied in a number of domains  

The malicious GitHub Action workflow is embarrassingly obviously malicious Sometimes I feel like attackers don’t respect their craft. Sad.

How to Tamper with Releases built with GitHub Actions Workflows
Incredibly detailed GitHub repo with proof of concepts by Benedikt Haußner, based on his talk presented at fwd:cloudsec Europe 2025 (slides, video). He covers a bunch of things, but especially these 5 attack paths: 1) changing the assets of a mutable release, 2) using typosquatted third-party GitHub Actions in our workflow, 3) using a GitHub hosted runner with a container under our control, 4) employing homoglyph attacks to redirect builds to self-hosted runners, and 5) injecting malicious code via orphaned commits in the actions/checkout repository.

In part 2, Roi gets more specific, and describes how they were able to compromise open source repositories owned by Microsoft, Google Cloud, and NVIDIA and others, demonstrating how this vulnerability class allowed them to execute reverse shells on GitHub runners, push malicious code to origin repositories, steal API keys, and access cloud resources on self-hosted runners.

They found ~1% (50 out of 5,000) repos using pull_request_target to be vulnerable, and there are >100K repos using that trigger on GitHub, so there may be thousands more vulnerable repos.

acquiredsecurity/forensic-timeliner
By Brad Roughan: A high-speed forensic timeline engine for Windows forensic artifact CSV output built for DFIR investigators. Quickly consolidate CSV output from processed triage evidence for Eric Zimmerman (EZ Tools) Kape, Axiom, Hayabusa, Chainsaw and Nirsoft into a unified timeline.

A Primer on Forensic Investigation of Salesforce Security Incidents
Guide by Salesforce Field CTO Eoghan Casey on investigating security incidents in Salesforce environments, focusing on three key information sources: activity logs, user permissions, and backup data, referencing various products and features (Salesforce Shield Event Monitoring, Who Sees What Explorer, Enhanced Transaction Security policies, etc.).

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
Mandiant’s Sarah Yoder et al describe the BRICKSTORM malware campaign by UNC5221 (suspected China-nexus threat actors) targeting US organizations with sophisticated backdoors on network appliances that lack EDR support. The attackers maintain persistence for an average of 393 days by deploying BRICKSTORM (a Go-based backdoor with SOCKS proxy functionality) on appliances, and employing techniques like VM cloning to extract credentials while generating minimal security telemetry.

Wow, some impressive tradecraft here.

0xJs/EnumEDRs
By Jony Schats: Tool written in C that enumerates EDRs running on the system by enumerating current processes and loaded drivers. Currently supports ~9 EDRs, including Microsoft Defender for Endpoint, Elastic EDR, Sysmon, BitDefender, Cortex, CrowdStrike, Sentinel, Sophos, etc.

olafhartong/BamboozlEDR
By Olaf Hartong: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. BamboozlEDR features a TUI interface and can generate realistic security events across multiple Windows ETW providers to test EDR detection capabilities, log analysis systems, and security monitoring solutions.

Your Vulnerability Scanner Might Be Your Weakest Link
Praetorian’s Adam Crosser discusses how vulnerability scanners (or asset inventory platforms, IT automation frameworks, and management tools) using privileged credentials can become security risks when using password-based authentication or insecure protocols. The post gives an example of capturing vulnerability scanner credentials by instrumenting SSH on a compromised server, without triggering Linux EDR alerts.

Example credential theft techniques: SSH service environment variable modification, process tracing (strace sshd), malicious PAM modules, and honeypot redirection, none of which triggered alerts in their testing of major Linux EDR products. Recommendations: treat scanner and automation credentials as sensitive assets, prefer key-based authentication over passwords, disable legacy protocols like NTLMv1, and validate that Linux EDR solutions provide meaningful security coverage.

A Security Engineer’s Guide to MCP
Great primer by Semgrep’s Kurt Boberg to quickly get you up to speed on testing and securing MCP servers and clients. Kurt covers the control flow for MCP, important terms, using MCP Inspector, key MCP vulnerability classes (tool poisoning/line jumping, tool shadowing, rug pulling, Web 2.0 issues), an overview of security-relevant parts of the MCP specification, and an MCP security evaluation cheatsheet of exactly what to look for.

Love when someone reads the spec for me and points out the sharp edges  

Research Briefing: MCP Security
Wiz’s Rami McCarthy shares a nice round-up of security risks across local and remote MCP servers, open-source registries and trust signals, MCP client risks, and how to secure yourself today in safely using MCP servers (use trusted sources, audit before usage, consider sandboxing MCP servers and using an MCP gateway, …) and avoiding common AppSec vulnerabilities when creating MCPs. The post concludes with future-focused security tips and tool recommendations. All in all, tons of great supporting resources, in typical Rami fashion .

First Malicious MCP in the Wild: The Postmark Backdoor That’s Stealing Your Emails
Koi’s Idan Dardikman discovered that the postmark-mcp MCP server (1,500 downloads/week), which was safe and fine for 15 versions, since version 1.0.16 has been secretly BCCing all emails to the developer’s personal server, potentially exfiltrating thousands of sensitive emails. There’s a legitimate GitHub repo with the same name, officially maintained by Postmark, which the attacker copied, added the malicious BCC line, and published it to npm under the same name.

See Trail of Bits’ mcp-context-protector and similar tools that do trust-on-first-use pinning for server instructions and tool descriptions.

• modelcontextprotocol/inspector: Visual testing tool for MCP servers

• MCP Inspector – A developer tool for testing and debugging MCP servers, offering both a UI and CLI mode for interactive and programmatic server interaction

• Thirteen new MCP servers from Cloudflare you can use today – For Cloudflare docs, Workers development, basically any of their services.

• One-click remote MCP servers – How to deploy a remote MCP server on Cloudflare, with options for public access or user authentication via GitHub OAuth.

• Daniel Miessler – One-click MCP servers with Cloudflare

• f/mcp-startup-framework – A complete framework for building remote MCP servers on Cloudflare Workers with OAuth authentication, PostgreSQL database, and Stripe-powered paid tools.

• microsoft/playwright-mcp – MCP server that provides browser automation capabilities using Playwright.

• random-robbie/mcp-web-browser – A web browsing MCP server powered by Playwright. Using the official Microsoft Playwright MCP is probably better, but including for completeness/reference.

• Chrome DevTools (MCP) for your AI agent – The new Chrome DevTools MCP server lets AI coding assistants debug web pages directly in Chrome, and benefit from DevTools debugging capabilities and performance insights. I haven’t played with this yet but seems very promising, H/T Daniel Miessler.

• upstash/context7 – MCP that pulls up-to-date, version-specific documentation and code examples straight from the source — and places them directly into your prompt.

• The FastMCP Client – Programmatic client for interacting with MCP servers through a well-typed, Pythonic interface.

“What you most need will be found in the place you least want to look.” – Carl Jung

• Simon Sinek – Rob Lowe’s Guide to Posing  Prune, Man of the People, Blue Steel, Iconic. Fascinating.

• Everything We Teach at YCombinator in 10 Minutes – Michael Seibel (Reddit, YC, Twitch)

• Start your next project with a giant scroll of paper – As you keep working, the scroll becomes an organic timeline of your thinking.

• Terence Tao: “My tentative theory is that the systems, incentives, and technologies in modern world have managed to slightly empower (many) individuals, and massively empower large organizations, but at the significant expense of small organizations, whose role in the human societal ecosystem has thus shrunk significantly, with many small organizations either weakening in influence or transitioning to (or absorbed by) large organizations.”

• Nine Things I Learned in Ninety Years

• Ben Palmer – You Can Be Anything – Standup set where he impersonated various orgs and people on social media, to hilarious effect  

• Alex Hormozi – Give me 20 Minutes and I’ll Give You Back 20 Years of Your Life – Things you can pay for to get time back. First, optimize your sleep, then: pre-made meals, laundry service, house cleaning, landscaper driver/Uber, flying private.

• macOS app that plays fart sounds as you open and close your Macbook lid

• Chris Williamson – How To Create A Life Of Freedom – Dan Martell

• Illustrations for the Soviet version of The Hobbit

• Improv Rapper Chris Turner on America’s Got Talent

• Massive Protein Powder Google sheet

• When Bruce Lee Trained With Kareem Abdul-Jabbar

• Top 10 Hacker Movies You’ve Missed

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them

P.S. Feel free to connect with me on LinkedIn