Sebastion
All topics

security

46 pieces of writing

Hermes Agent's worktree feature copied arbitrary files from your filesystem
security7 min read

Hermes Agent's worktree feature copied arbitrary files from your filesystem

Hermes Agent's worktree feature would copy arbitrary files from your filesystem if you cloned a repository with a crafted .worktreeinclude. A two-line path traversal that took four months to land in the codebase.

Summarize's localhost daemon accepted requests from any website
security7 min read

Summarize's localhost daemon accepted requests from any website

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days
vulnerability7 min read

I found SQL injection in Hugging Face's AI skills framework and got it fixed in nine days

Anthropic's Claude Code Security found 500 zero-days. The methodology was the problem.
security8 min read

Anthropic's Claude Code Security found 500 zero-days. The methodology was the problem.

Anthropic's Claude Code Security found 500 zero-days in open-source code. The industry's reaction revealed more about the state of software security than the tool itself.

MCP gave AI tools a standard interface. Researchers found it was also an attack surface.
security12 min read

MCP gave AI tools a standard interface. Researchers found it was also an attack surface.

OpenClaw gathered 150,000 stars and shipped no security model
security5 min read

OpenClaw gathered 150,000 stars and shipped no security model

Kazu stole 400,000 medical records from New Zealand's largest patient portal with valid credentials
security9 min read

Kazu stole 400,000 medical records from New Zealand's largest patient portal with valid credentials

Kazu used valid credentials to steal 400,000 medical documents from ManageMyHealth, New Zealand's largest patient portal, exposing sensitive records for about 120,000 patients.

Sandworm hit thirty Polish energy sites in a single night
security9 min read

Sandworm hit thirty Polish energy sites in a single night

ASIO named Salt Typhoon and Volt Typhoon out loud. Beijing called it a false narrative.
security10 min read

ASIO named Salt Typhoon and Volt Typhoon out loud. Beijing called it a false narrative.

UNC5221 stole F5 source code and its customer list
security8 min read

UNC5221 stole F5 source code and its customer list

A nation-state actor spent a year inside F5's network, stealing BIG-IP source code and a catalogue of unpatched vulnerabilities. The breach didn't just compromise one vendor - it handed an adversary a roadmap to every network running the product.

Basic ransomware hit one airport software vendor and grounded five European airports overnight
security7 min read

Basic ransomware hit one airport software vendor and grounded five European airports overnight

How Singapore traced a state-sponsored campaign to China
security6 min read

How Singapore traced a state-sponsored campaign to China

Predatory Sparrow hit Iran's banking system and called it a warning
security7 min read

Predatory Sparrow hit Iran's banking system and called it a warning

A pro-Israel hacking group stole more than $90 million from Iran's largest crypto exchange - then destroyed it. The funds were sent to wallets nobody controls.

The Coinbase insider who sold four hundred thousand customer records
security8 min read

The Coinbase insider who sold four hundred thousand customer records

When a GitHub Action rewrites its own history
security6 min read

When a GitHub Action rewrites its own history