Product teams must own software supply chain risk as third-party dependencies become the primary attack surface. Learn how provenance, attestations, and SLSA make trust explicit, enforceable, and verifiable.

Learn to hack and defend AI systems through hands-on labs. Practice prompt injection, RAG poisoning, and tool exploitation against real LLMs.

A lightweight command sandbox for Linux, secure-by-default, built on Landlock. - dwisiswant0/sandboxec

Summary Source code review of the Novarain/Tassos Framework revealed three critical primitives – unauthenticated file read, unauthenticated file deletion, and SQL injection leading to arbitrary database read – across five widely deployed Joomla! extensions…

Today, a weird malware distribution campaign targeting users of omg.lol and Triton, an open-source macOS client of omg.lol, was found. The attack leverages the trust of GitHub, creating a malicious fork where the download link has been replaced with malware…

Security audit for LLM skill files in GitHub repositories

OS-enforced capability sandbox for running untrusted AI agents. No escape hatch. Works with any AI agent.

A pre-auth SSRF in TRUfusion Enterprise (CVE-2025-32355) allows external attackers to reach internal-only services via a misconfigured reverse proxy. This …

Introduction We recently found ourselves looking into OpenText Directory Services (OTDS). We had seen it present on our customer's attack surface, and it seemed to be an interesting target. OTDS is a Java web application providing authentication and user…

Explore Lasso’s prompt injection taxonomy, distinguishing text-based techniques from attacker intent to standardize AI security defenses.

Explore Lasso’s prompt injection taxonomy, distinguishing text-based techniques from attacker intent to standardize AI security defenses.