#security
17 articles
The Ethereum Foundation used AI-powered audits to uncover real vulnerabilities in smart contract code — validating that coding age…
A reverse engineer found Claude Code silently encodes API gateway info into system prompt punctuation. We unpack the article, the …
A Windows click-to-focus bug in Claude Code causes the first click on a de-focused window to activate a pending permission dialog,…
Anthropic's Claude Code silently marks system prompts with invisible Unicode steganography to detect Chinese AI labs and API resel…
A freshly filed, reproducible Claude Code security issue shows background subagents stalling and emitting authorization-shaped pro…
Claude Code's compound-command permission system can flood you with hundreds of prompts per session, even for read-only commands l…
A merged Codex commit preserves parent sandbox enforcement during memory consolidation — closing a path where a sub-process could …
Fresh issue reports flag a secret-redaction leak in worktree handling and Windows command failures being misclassified as sandbox …
A reproducible crash in Codex Desktop spills internal system prompts into the error output — revealing exactly how the agent is in…
Every file, every credential, every API key — your agent sees everything. Here's what you should know about agent visibility and c…
Everyone compares benchmark scores. Nobody's asking the important question: can your coding agent delete your database?
Gitlawb Zero resolved an absolute path for taskkill on Windows to prevent binary hijacking. A security fix that protects your enti…
Oh My Pi switched from API key authentication to device flow for xAI. More secure, more reliable, and no more API key management.
Zero now rejects malformed permission payloads before prompting. A critical security hardening for the agent that runs in your ter…
Hermes cron jobs were running under the wrong secret scope. A fix ensures every scheduled task uses the correct profile credential…
Hermes added a case-insensitive .env file guard. If you thought naming a file '.ENV' would bypass detection — it won't anymore.
Hermes shipped private-page guards for its CDP browser integration. The agent can browse sensitive pages without leaking data.