[tl;dr sec] #308 – MCP Security, AWS re:Invent Recaps, Detecting Malicious Pull Requests with AI

I hope you’ve been doing well!

La Vie de Clint

Some recent anecdotes from my life:

  • I caught up with my friend David Molnar, who leads the program analysis team at Meta. Lots of neat stuff in the works. I remember meeting David when I was a grad student, over a decade ago. Careers are long, and the security industry is small.

  • In a recent musical improv comedy show I sang a poignant ballad about how I was the only survivor of 100 passengers in a tragic clown car accident. Super stoked for BSidesSF’s musical theme next year  

  • Next week I’m going back home to the Midwest to visit family for the holidays. We always get an (arguably dangerously) tall fresh tree. Ready to hit the gym with my bro  

P.S. In case you missed it, here is the recording and slides for the webinar with my bud Daniel Miessler on his personal AI setup that enables him to be much more productive. Super cool slides (shout-out nano banana) and neat live demos!

Like everyone else, we’ve been curious about how useful AI agents really are for day-to-day security work. So we threw one in the deep end and asked it to write new vulnerability checks from scratch. It started strong—until it introduced a vulnerability of its own.

The irony wasn’t lost on us.

In our latest research, we break down what happened, why it matters, and how to safely mitigate the risks that come with AI-assisted coding.

Interesting, vibe coding a honeypot that ends up having an unintended vulnerability in it  

AppSec

Let’s Stop Hacklore!
Bob Lord announces hacklore.org to combat outdated cybersecurity advice, backed by 80+ security practitioners who recognize that common “hacklore” myths distract people from the correct security basics. He emphasizes focusing on fundamentals like strong MFA, password managers, and keeping software updated instead of worrying about unlikely threats.

Some solid, straightforward advice. Good for sharing with the non-technical people in your life after you fix their printer over the holidays.

SVG Filters – Clickjacking 2.0
Lyra describes “SVG clickjacking,” a new technique that takes traditional clickjacking from just tricking users into making a click or two, to supporting complex interactive attacks and data exfiltration through SVG filters. Using SVG filter elements, Lyra shows how attackers can create convincing fake interfaces, read pixel data from cross-origin iframes, implement logic gates for multi-step attacks, and even generate QR codes for data exfiltration. Lyra got a $3133.70 bug bounty from demonstrating this technique on Google Docs.

This is some impressive web chicanery. My description here does not do it justice.

React2Shell: Everything You Need to Know About the Critical React Vulnerability
Wiz’s Gili Tikochinski, Merav Bar, and Danielle Aminov describe the unauthenticated RCE vulnerability in the React Server Components (RSC) “Flight” protocol, stemming from insecure deserialization in RSC payload handling, which lets an attacker execute arbitrary JavaScript on the server with a single HTTP request. React 19 and frameworks built on it, like Next.js, are affected. Wiz Research data shows 39% of cloud environments contain vulnerable instances, and attackers are actively exploiting it to harvest cloud credentials and deploy cryptocurrency miners. Patch ASAP.

AppSec teams often struggle to prevent issues without slowing developers. A lack of context makes it hard to set targeted controls, so issues slip into production faster than teams can fix them – leaving teams with ever growing backlogs and applications persistently at risk.

Discover a practical, five-stage framework to enable teams to turn security gates into guardrails, allowing teams to accelerate secure development.

This guide has some good advice and nice maturity checklists: understand your environment, standardize dev tooling, ensure coverage, provide a secure baseline, and prevent risk at scale.

Cloud Security

AWS pre:Invent security highlights: what changed and why it matters
Adan Alvarez describes three AWS pre:Invent security announcements: AWS local development using console credentials (aws login), IAM Outbound Identity Federation, and attribute-based access control (ABAC) for S3. For each, Adan discusses how it can improve security, potential attacker abuse vectors, and specific CloudTrail events to monitor.

Top AWS re:Invent Announcements for Security Teams in 2025
Wiz’s Scott Piper highlights key AWS security announcements from re:Invent 2025, including the new aws login command for simplified credential access, IAM Outbound Identity Federation for authenticating to non-AWS services using AWS principals via JWT, and the ability to transfer accounts between AWS Organizations without the previous complications. Other honorable mentions: IAM Policy Autopilot for policy generation, IAM temporary delegation, and org-level S3 Block Public Access settings.

re:Invent 2025 recap
Chris Farris shares a nice overview with a generous side of snark on AWS re:Invent 2025 announcements, grouped into: Security Features, Cloud Governance & Costs, Serverless Stuff, GenAI & Bedrock, and the other random stuff.

One nice update: server-side encryption with customer-provided keys (SSE-C), which attackers have used to ransom data in S3 buckets (encrypting objects with a key only they hold), will be disabled for all existing buckets in AWS accounts that do not contain any SSE-C-encrypted data.

“I’m shocked that laying off tens of thousands of people and replacing them with GenAI has slowed innovation,” “Friends still don’t let friends run Control Tower,” “using GenAI to answer questions about the data might be a useful reason to make polar bears homeless.”

Supply Chain

We should all be using dependency cooldowns
William Woodruff argues that dependency cooldowns are a free, easy, and incredibly effective way to mitigate the large majority of open source supply chain attacks. The vast majority of malicious dependencies are caught by vendors within about a week, so if you simply wait 1-2 weeks before picking up a new release, 80-90% of these attacks won’t affect you. Dependabot and Renovate both support cooldowns natively (Renovate calls it minimumReleaseAge), zizmor’s dependabot-cooldown audit flags Dependabot configs that lack one, and pnpm’s minimumReleaseAge or uv’s exclude-newer enforce the same idea at resolve time.

“Supply chain security” is a serious problem. It’s also seriously overhyped, in part because dozens of vendors have a vested financial interest in convincing you that their framing of the underlying problem is (1) correct, and (2) worth your money.

It’d be cool to have like a Virus Total but for uploading malicious dependencies to test if certain prompt injection payloads can successfully mislead the AI scanning of various supply chain vendors.
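To make the cooldown idea concrete, here is the core of the check in Python, written for this issue rather than taken from Woodruff’s post or from any of the tools named above. Given a package’s release history in the shape PyPI’s JSON API returns it (the release data below is constructed for the example), it picks the newest non-yanked version that has been public for at least the cooldown window and lists what is being held back and until when; this is the resolution step that Renovate, pnpm and uv each perform in their own way.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the "releases" object from PyPI's JSON API
# (https://pypi.org/pypi/<package>/json), trimmed to the two fields used here.
SAMPLE_RELEASES = {
    "1.4.2": [{"upload_time_iso_8601": "2025-11-01T10:00:00.000000Z", "yanked": False}],
    "1.4.3": [{"upload_time_iso_8601": "2025-11-20T09:30:00.000000Z", "yanked": False}],
    "1.4.4": [{"upload_time_iso_8601": "2025-11-28T08:00:00.000000Z", "yanked": True}],
    "1.5.0": [{"upload_time_iso_8601": "2025-12-05T17:45:00.000000Z", "yanked": False}],
}

# Fixed "now" so the example is reproducible (assumption, not a real clock).
NOW = datetime(2025, 12, 8, tzinfo=timezone.utc)


def parse_version(version):
    """Numeric tuple for ordering; enough for X.Y.Z, not a full PEP 440 parser."""
    return tuple(int(part) for part in version.split("."))


def published_at(files):
    """A release counts as public from the moment its first file was uploaded."""
    return min(
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )


def live_releases(releases):
    """Drop releases with no files or where every file has been yanked."""
    return {
        version: files
        for version, files in releases.items()
        if files and not all(f.get("yanked", False) for f in files)
    }


def choose_version(releases, cooldown_days, now):
    """Newest version whose first upload is at least cooldown_days in the past."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [
        version
        for version, files in live_releases(releases).items()
        if published_at(files) <= cutoff
    ]
    return max(eligible, key=parse_version) if eligible else None


def held_back(releases, cooldown_days, now):
    """Versions still inside the cooldown, with the instant each becomes eligible."""
    pending = []
    for version, files in live_releases(releases).items():
        eligible_at = published_at(files) + timedelta(days=cooldown_days)
        if eligible_at > now:
            pending.append((version, eligible_at))
    return sorted(pending, key=lambda item: parse_version(item[0]))


if __name__ == "__main__":
    print("install:", choose_version(SAMPLE_RELEASES, 7, NOW))
    for version, when in held_back(SAMPLE_RELEASES, 7, NOW):
        print(f"holding {version} until {when.isoformat()}")
```

With a 7-day cooldown on 2025-12-08 the resolver settles on 1.4.3: 1.5.0 is four days old and held until the 12th, and 1.4.4 is skipped because it was yanked, which is the other signal a cooldown should respect (a yank during the window is often exactly the "someone noticed" event the cooldown is waiting for).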

PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents
Aikido Security’s Rein Daelman describes “PromptPwnd” attacks, in which untrusted user input (e.g. from issues, PRs, or commits) is injected into AI agent prompts (Gemini CLI, Claude Code, OpenAI Codex, and the like) in GitHub Actions or GitLab CI/CD pipelines, causing the agent to invoke privileged tools that can leak secrets or manipulate workflows. They found the issue in repositories of at least five Fortune 500 companies, including Google’s own Gemini CLI repository, and have open sourced a rule to detect it.

Basically the standard PwnRequest pattern, where untrusted input is used unsafely in a GitHub Action, except that the dangerous sink is an AI agent CLI. This AI usage pattern seems super useful from a maintainer point of view (e.g. doing code review on a PR, summarizing an issue, etc.), so I’d guess this will continue popping up a lot. It’d be great to see a “secure” pattern for this.

Also, given model nondeterminism, I’d be curious to see if it takes a number of attempts to reliably exploit these, and if that makes them “noisier” and easier to detect?
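To make the pattern concrete, here is a small scanner added for this issue (my own illustration, not Aikido’s published rule) that walks a workflow’s steps and flags untrusted github.event.* expressions flowing into a step that invokes an AI agent CLI. It distinguishes direct interpolation into run: (shell injection and prompt injection at once) from values passed through env: or with: (prompt injection only, since the shell never interprets them). The three workflow snippets are constructed for the example, and the lists of untrusted contexts and agent markers are starting-point assumptions you would extend.

```python
import re
from dataclasses import dataclass

# Expression contexts an outside contributor controls. Assumption: this covers
# the usual "pwn request" sources; extend it for your own event types.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.comment.body", "github.event.review.body",
    "github.event.review_comment.body", "github.event.commits",
    "github.event.head_commit.message", "github.head_ref",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
)
# Substrings identifying the agent CLIs/actions named in the write-up (assumption).
AI_MARKERS = ("gemini", "claude", "codex")

EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
STEP_RE = re.compile(r"^(\s*)-\s+(\S.*)$")
KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):(.*)$")


@dataclass(frozen=True)
class Finding:
    step: str
    expression: str
    channel: str  # "run" (shell-interpolated) or "env"/"with" (reaches the agent as data)
    kind: str     # "shell-injection", "prompt-injection" or "prompt+shell-injection"


def split_steps(workflow_text):
    """Return each step as a list of lines with the step's own indentation removed.
    Deliberately YAML-lite: enough for ordinary workflows, not a YAML parser."""
    steps, indent, in_steps = [], None, False
    for raw in workflow_text.splitlines():
        if raw.strip() == "steps:":
            in_steps, indent = True, None
            continue
        if not in_steps:
            continue
        m = STEP_RE.match(raw)
        if m and (indent is None or len(m.group(1)) == indent):
            indent = len(m.group(1))
            steps.append([m.group(2)])
        elif steps:
            steps[-1].append(raw[indent + 2:])
    return steps


def step_buckets(step_lines):
    """Group a step's lines under its top-level keys (name, uses, run, env, with...)."""
    name, key, buckets = "<unnamed>", None, {}
    for line in step_lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            buckets.setdefault(key, []).append(m.group(2))
            if key == "name":
                name = m.group(2).strip()
        elif key is not None:
            buckets[key].append(line)  # continuation of a block scalar or mapping
    return name, {k: "\n".join(v) for k, v in buckets.items()}


def untrusted_expressions(text):
    return [e for e in EXPR_RE.findall(text) if any(c in e for c in UNTRUSTED_CONTEXTS)]


def uses_ai_agent(buckets):
    haystack = (buckets.get("run", "") + " " + buckets.get("uses", "")).lower()
    return any(marker in haystack for marker in AI_MARKERS)


def scan_workflow(workflow_text):
    findings = []
    for step in split_steps(workflow_text):
        name, buckets = step_buckets(step)
        agent = uses_ai_agent(buckets)
        for expr in untrusted_expressions(buckets.get("run", "")):
            kind = "prompt+shell-injection" if agent else "shell-injection"
            findings.append(Finding(name, expr, "run", kind))
        if agent:
            for channel in ("env", "with"):
                for expr in untrusted_expressions(buckets.get(channel, "")):
                    findings.append(Finding(name, expr, channel, "prompt-injection"))
    return findings


# Constructed samples modelled on the pattern the write-up describes (not any
# real repository's workflow).
VULNERABLE = """\
name: ai-triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - uses: actions/checkout@v4
      - name: Triage with Gemini
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
        run: |
          gemini -p "Label this issue: ${{ github.event.issue.title }} ${{ github.event.issue.body }}"
"""

ENV_VARIANT = """\
    steps:
      - name: Triage with Gemini
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: gemini -p "Label this issue: $ISSUE_BODY"
"""

NO_AGENT = """\
    steps:
      - run: echo "New PR: ${{ github.event.pull_request.title }}"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("env", ENV_VARIANT), ("no-agent", NO_AGENT)):
        for f in scan_workflow(wf):
            print(f"[{label}] {f.kind}: {f.expression} via {f.channel} in step '{f.step}'")
```

Moving the issue text into env: removes the shell-injection half, but as the finding on ENV_VARIANT shows, the attacker’s words still reach the model, which is exactly the PromptPwnd problem. What is left to reason about is the job’s permissions: block, which secrets the step can see, and whether the agent is allowed to run tools at all.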

Lessons learned (copied verbatim for my future reference):

  • Prompt engineering matters: Carefully framing context, exclusions, and known pitfalls drastically improved reliability. We saw double-digit accuracy gains across multiple iterations of the prompt design.

  • Curated datasets and suppression rules are critical: Our team spent months improving accuracy through careful creation and curation of malicious data and system-level prompts. These were incremental improvements and represented much of the day-to-day work of improving this system.

  • Chasing benchmarks leads to diminishing returns: Although we continue to test against SOTA models, most of our real improvements have come from better prompts and better data. Changing across SOTA models ends up being most interesting for cost optimization.

  • Dogfooding accelerates tuning: Using the tool on Datadog’s own codebase gave us realistic data and quick feedback cycles.

  • Testing must be adversarial: Only by simulating real attacker behavior could we measure true malicious-detection performance.

Great methodology description, well worth the read. I like the focus on dataset curation and continual, quick feedback loops based on real data (from Datadog and known malicious supply chain attacks).

Blue Team

LinkPro: eBPF rootkit analysis
Synacktiv’s Théo Letailleur analyzes LinkPro, a sophisticated Linux eBPF rootkit discovered during an AWS infrastructure compromise investigation. The rootkit uses two eBPF modules: a “Hide” module that conceals its presence by intercepting getdents and sys_bpf system calls, and a “Knock” module that activates the backdoor only upon receiving a specific TCP packet with window size 54321. Tons of great technical details + YARA rules at the bottom.
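As an added example (mine, not from the Synacktiv write-up), a minimal network-side check for the knock described above: parse raw IPv4/TCP frames and alert on a window value of 54321. The frames are constructed inline. The check uses only the trigger the analysis describes, so it is a low-fidelity indicator (any client can set a 16-bit window) that you would pair with the post’s YARA rules and host artifacts; the same condition is a one-liner in Suricata or Snort with the window keyword.

```python
import struct

KNOCK_WINDOW = 54321  # TCP window value the LinkPro analysis reports as the trigger
SYN = 0x02


def parse_ipv4_tcp(frame):
    """Return the IP/TCP fields we care about from a raw IPv4 packet, or None
    if the frame is not IPv4 carrying TCP with a complete header."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 6:
        return None
    ihl = (frame[0] & 0x0F) * 4
    tcp = frame[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "src": ".".join(map(str, frame[12:16])),
        "dst": ".".join(map(str, frame[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x01FF,
        "window": window,
    }


def is_knock(pkt):
    return pkt is not None and pkt["window"] == KNOCK_WINDOW


def find_knocks(frames):
    """Scan raw IPv4 frames and return one alert string per knock candidate."""
    alerts = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if is_knock(pkt):
            alerts.append(
                f"possible LinkPro knock from {pkt['src']}:{pkt['sport']} "
                f"to {pkt['dst']}:{pkt['dport']} (window={pkt['window']})"
            )
    return alerts


def build_ipv4_tcp(src, dst, sport, dport, window, flags=SYN):
    """Constructed test packet: minimal IPv4 + TCP headers, no options, zero checksums."""
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed traffic: an ordinary SYN, a knock, and a non-IPv4 frame the parser skips.
SAMPLE_FRAMES = [
    build_ipv4_tcp("203.0.113.7", "10.0.0.5", 40000, 443, window=65535),
    build_ipv4_tcp("203.0.113.7", "10.0.0.5", 40001, 8080, window=KNOCK_WINDOW),
    b"\x60" + b"\x00" * 39,
]

if __name__ == "__main__":
    for alert in find_knocks(SAMPLE_FRAMES):
        print(alert)
```

Because the rootkit’s eBPF programs sit in the kernel and hide the listener from userland tooling on the host, this kind of check belongs on a sensor that sees the traffic before it reaches the compromised machine (a tap, a VPC mirror, or the hypervisor side), not in a script run on the host itself.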

Why the MITRE ATT&CK Framework Actually Works
Nice intro/overview article by John Vester on why the MITRE ATT&CK framework has become so successful, highlighting its value in providing a common language for describing adversary behaviors and techniques. The post covers how ATT&CK helps organizations prioritize security efforts by focusing on the most relevant threats to their environment, enabling teams to map their existing security controls against known attack techniques and identify coverage gaps. The framework allows security teams to develop more targeted detection and response capabilities based on real-world attack patterns, rather than theoretical vulnerabilities.

EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks
The Sysdig Threat Research Team describes EtherRAT, a sophisticated implant delivered through React2Shell exploitation that uses Ethereum smart contracts for C2 resolution, implements five Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org. The four-stage attack chain includes blockchain-based command and control, with the C2 address chosen by consensus voting across nine Ethereum RPC endpoints. “Rather than hardcoding a C2 server address, which can be blocked or seized, the malware queries an on-chain contract to retrieve the current C2 URL.”

Not content to be used only for rug pulls, stolen to fund North Korea’s weapons program, and used as ransomware payments for criminals, the blockchain is now being used for C2. Obligatory web3isgoinggreat.com reference.

Red Team

Implementing the Etherhiding technique
Onhexgroup shares a step-by-step tutorial for implementing the “Etherhiding” technique, a new technique reported by Google where threat actors leverage public blockchains to distribute malware. The post walks through creating a simple Solidity smart contract on the Sepolia test network (testnet) that stores and returns a message, then building a web interface to retrieve this data from the blockchain.

Fairy Law
Orange Cyberdefense’s Ogulcan Ugur describes “Fairy Law,” (GitHub PoC) a technique that disables EDR components by globally enabling the MicrosoftSignedOnly policy to block non-Microsoft signed DLLs from loading into processes. This technique bypasses anti-tamper protections since the OS blocks EDR components before they can protect themselves, resulting in reduced telemetry, disabled hooking, and compromised user-mode monitoring. EDR vendors with Microsoft-signed components (like CrowdStrike) can still maintain some functionality, while those without Microsoft signatures lose significant monitoring capabilities.

Intuition-Driven Offensive Security
My bud Andy Grant shares his philosophy for building an offensive security program based on his experiences at Zoom. Three core principles: deep understanding of the target (understand the target systems better than the devs who built them), seeking technical truth (verify security claims: what’s in the code, not just what’s claimed), and hunting critical risk, not just counting bugs. Overall Andy advocates for giving security teams freedom to follow intuition and uncover meaningful vulnerabilities, without artificial constraints around scope or time boxing the assessment.

Andy was my manager at NCC Group for awhile, and played a critical role in my career and me being where I am today. I am and will always be grateful for him believing in me. I had the opportunity to tell him this recently, and it was really nice  

AI + Security

I had a great chat with 1Password CISO Jacob DePriest at a recent dinner, super nice guy. I like what they’re building. H/T Decibel’s Dan Nguyen-Huu for organizing  

It has five detection engines: pattern matching with detection signatures (YARA), protocol validation with specification compliance (validates agents against the official A2A protocol specs), behavioral analysis with heuristics, runtime testing with an endpoint analyzer, and semantic interpretation with an LLM analyzer.  

The paper also proposes a set of practical controls, including per-user authentication with scoped authorization, provenance tracking across agent workflows, containerized sandboxing with input/output checks, inline policy enforcement with DLP and anomaly detection, and centralized governance using private registries or gateway layers.

Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them

P.S. Feel free to connect with me on LinkedIn  
