[tl;dr sec] #289 – AI-powered Fuzzing, Incentives in Security, Malware in DNS

This week I played around with building my own custom AI therapist, and found it offered surprisingly direct and useful insights.

1. First, I co-created a therapist “persona” prompt interactively with Claude, combining snippets from 5 example profiles it generated + my answers to clarifying questions it asked me.

2. I then created a Claude Project (custom GPT or NotebookLM would also work) that used this “persona” as its system prompt that it would use in every interaction.

3. You can then upload various journals entries or reflections you’ve written to the project, or to an individual conversation thread, so that the context can be pulled in.

I then took a walk and did speech to text on my phone, conversing with “Marcus,” and found “he” had surprisingly accurate and insightful analyses of what I was debating, offered clarifying questions and prompts, and more.

Feel free to let me know if you’ve tried this and have any tips!

Disclaimer: if you’re having an emergency reach out to real medical professionals, this isn’t medical advice, use at your own risk, blah blah etc. Also, LLMs seem to be causing some people to spiral into severe delusions.

P.S. In testing our methodology for Scott Behren’s and my vibe hacking webinar, I accidentally found what appears to be an auth bypass in this repo with 10K+ GitHub stars. Like an hour after cloning it  

P.P.S. If you’re going to Vegas- apparently there’s more to Omega Mart than I originally knew, but you discover that during it and I don’t want to spoil the surprise. Other fun Semgrep stuff here.

As development teams move faster, shift-left strategies have stalled at detection and aren’t keeping security issues out of production.

Join our upcoming virtual event to get a practical, prevention-first AppSec blueprint—powered by new Unit 42® research and real-world lessons from Palo Alto Networks’ own security teams.

Learn how to stay ahead of emerging threats, intelligently block risks from reaching production, and scale AppSec without slowing developers down.

Don’t miss this look into the future of application security with Cortex® Cloud.

AppSec/ProdSec’s reality gap: why theory doesn’t match practice
Datadog’s Nielet D’Mello explores the disconnect between application security theory (and vendors) and practice, highlighting key challenges faced by AppSec practitioners including: the information asymmetry challenge, the velocity-rigor tension, tool integration complexity, the organizational scaling dilemma, gates vs guardrails, and how there are significant solution gaps in supporting context-aware decision making.

Incentives for Security: Flipping the Script
Another excellent post from friend of the newsletter and former Google Cloud CISO Phil Venables arguing that we’re wrong on the messaging for incentives to do security, and what we should do instead. Five current, non ideal main categories of security incentives: loss avoidance, reputational risk / brand protection, ROSI (Return on Security Investment), security as an enabler, and regulatory compulsion.

Instead, we should focus on these 5 things:

• Don’t just focus on security – Sell things that deliver massive commercial (or mission) benefits, and also security.

• Focus on tail risks – Identity existential risks to the company, that if realized would end the company, then work to reduce their likelihood.

• Deliver real and big enough savings – e.g. Reducing the cost of controls, secure defaults.

• Improve measurable customer experience – Deliver the same risk level but improve the usability of the controls.

• Address status-quo disincentives – Incentivize the right behaviors by setting up disincentives for the wrong behaviors. Make the secure path the easiest and cheapest path. Include risk reduction in comp/promotion paths.

How did that API key go on a joyride from GitHub to a sensitive database? How did that mysterious Okta group dish out prod access to multiple systems?

Your SIEM or CNAPP knows a lot…just not what actually happened. 

Tune in to our upcoming webinar to see a real investigation go from two hours to just two minutes – all using actual incident data. Watch to learn how Teleport correlates identity signals across Okta, GitHub, AWS, and more to speed-run complex investigations, expose hidden access paths, and eliminate hours of manual log analysis.

Neat, correlating identity signals across disparate systems is tough, curious how this works  

dacort/s3grep
By Damon Cortesi: A parallel CLI tool for searching logs and unstructured content in Amazon S3 buckets. It supports .gz decompression, progress bars, and robust error handling.

I SPy: Escalating to Entra ID’s Global Admin with a first-party app
The blog version of Katie Knowles’ fwd:cloudsec North America 2025 talk describing how service principals (SPs) that are assigned the Cloud Application Administrator role, Application Administrator role, or Application.ReadWrite.All permission can escalate their privileges by taking over any hybrid Entra ID user, including users with the Global Administrator role.

The post walks through hunting potentially vulnerable first-party applications as well as detection and hardening opportunities, including: monitoring app registrations and service principals, monitoring trusted domains, auditing application credentials, and more.

Introducing OSS Rebuild: Open Source, Rebuilt to Last
Google’s Matthew Suozzo announces OSS Rebuild, a project that automatically reproduces and verifies build artifacts for popular PyPI, npm, and Crates.io packages, generating SLSA Level 3 provenance without publisher intervention. OSS Rebuild aims to detect supply chain compromises like unsubmitted source code, build environment compromise, and stealthy backdoors, while enhancing package metadata and accelerating vulnerability response without burdening maintainers.

Super cool that OSS Rebuild can automatically reproduce and verify build artifacts for packages, let alone across several language ecosystems. Impressive.

Announcing Chainguard Libraries for Python: Malware-Resistant Dependencies Built Securely from Source
Jason van Zyl and Patrick Smyth announce early access to Chainguard Libraries for Python, a malware-resistant index of Python dependencies built securely from source using their SLSA L2-certified infrastructure. The approach aims to combat supply chain attacks by rebuilding the entire dependency tree, including native code and bundled libraries, providing verifiable provenance and compatibility across Linux systems. Chainguard’s analysis showed ~98% of 3,000 known malicious Python packages (Backstabber’s Knife Collection) would have been avoided using their libraries.

Handling the native code and bundled libraries sounds like a ton of work.

MHaggis/ASRGEN
By Michael Haag: A project providing tools and resources for configuring, testing, and deploying Windows Defender Attack Surface Reduction (ASR) rules, including a configurator, atomic testing scripts, and integration with Microsoft Intune.

Malware in DNS
DomainTools describes finding malware and C2 stagers hidden in DNS TXT records using DNSDB Scout. Basically the malware executables are split into file fragments, then encoded as hex in TXT records that are split across multiple records and subdomains, which can be reassembled via several DNS queries. “It’s always DNS” is taking on a new meaning.

Detection Field Manual #3 – What is detection rule efficacy?
Zack Allen continues his series and in this post discusses detection rule efficacy, emphasizing the balance between precision (brittle rules) and recall (broad rules) in security operations. Zack discusses Jared Atkinson’s Funnel of Fidelity, totally non egotistically coins “Allen’s Rule of Detection Efficacy,” stating that perfect precision and comprehensive coverage are mutually exclusive, and discusses how to optimize rules to avoid overwhelming analysts.

The post highlights that good rules provide operational value, which may sometimes mean accepting lower precision (more False Positives) for higher recall (more True Positives), depending on the specific security context and goals.

EvilBytecode/Ebyte-Go-Morpher
A Go program that parses, analyzes, and rewrites Go source code to apply multiple layers of obfuscation. It operates directly on the Go Abstract Syntax Tree (AST) and generates both obfuscated source files and runtime decryption logic.

EgeBalci/evilreplay
By Ege Balci: A tool for penetration testers to remotely control and analyze browser sessions in real-time, demonstrating the impact of XSS in restricted environments, without needing to steal cookies. It’s a weaponized version of the OpenReplay project, supporting interacting with the victim’s browser in real time (click buttons, follow links, simulate keystrokes), records all victim interactions, logs network requests, and more.

Agentic AI Summit
UC Berkeley is hosting a pretty rad event August 2nd (in person and online) with some excellent speakers, covering topics including: building infrastructure for agents, frameworks & stacks for agentic systems, foundations of agents, and more. H/T Dawn Song for sharing this event with me.

Story time: Jonathan and I first met during undergrad at Case, when I was his TA for CS 101 He was a biomedical engineering major at the time, but he was so good at coding I encouraged him to switch to CS. He did not. Multiple tech start-up exits later, I think I was right He also gave me excellent early feedback on my BSidesSF keynote, which significantly improved it and I’m very grateful for.

Phishing For Gemini
A researcher found a prompt injection vulnerability in Google Gemini for Workspace that allowed attackers to hide malicious instructions in emails, which are then executed when users click “Summarize this email”. The attack uses hidden HTML/CSS (e.g. font-size:0 or white text on white background) and Gemini’s prompt hierarchy (wrap commands in )to inject admin-style directives that cause Gemini to append phishing warnings that appear to come from Google to the top of the email, like: “WARNING: Gemini has detected that your Gmail password has been compromised, please call us immediately at .”

The interesting part here to me is that the initial email didn’t work, so Golan asked Claude why it didn’t work and to explain scenarios where the attack might succeed. He repeated this loop (why didn’t it succeed? → generate a new email) until the attack worked, having Claude help him bypass its own guardrails  

Exploit Verification
Arshan Dabirsiaghi introduces Pixee’s new Exploit Verification feature, which uses AI to automatically create and fuzz proof-of-concept exploits for SAST findings. The tool aims to quickly provide high-confidence proof of exploitability for SAST findings by taking the vulnerable code, simplifying it, then writing and running a fuzzer for it and showing you the results. The post includes a case study of bypassing a regex filter in Backstage.

Being able to conclusively prove a vulnerability is exploitable is huge for prioritization, and I think LLMs are a great fit for this (good at generating code and unit tests, thinking of edge cases).

The case study in the post is an isolated two line regex check that relies on no other code. In the general case of complex data flows that go through many files and classes, require some sort of complex setup state to hit that code flow, etc. this seems tougher. Exciting work to be done here!

OSS-Fuzz integrations via agent-based build generation
Google’s OSS-Fuzz team, which focuses on large scale fuzzing of open source projects to harden them, discusses their new agent-based approach for automating OSS-Fuzz integrations using LLMs to generate build scripts and fuzzing harnesses for arbitrary open source projects. The new CLI tool can take a GitHub repository as input and outputs a complete OSS-Fuzz project, including build script and fuzz targets. Testing on 225 C/C++ repos yielded 88 valid OSS-Fuzz integrations (~39% success rate).

Setting up a new project to be fuzzed can be nontrivial, so being able to do almost 40% seems pretty solid, and could lead to many projects getting their security improved “for free,” if you can start fuzzing them mostly automatically.

I wonder if the success rate would increase if the components in the agent loop were calling the Claude Code SDK, which in my experience is often great at just figuring things out.