
Release Date: 23rd February 2026 | Issue: 60
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Application Security
Building a Secure Electron Auto-Updater
Doyensec's Michael Pastor looked at how Signal Desktop handles software updates and built something similar for the broader Electron ecosystem. The result is SafeUpdater, a reference implementation that shows what a proper update pipeline looks like when you actually account for attackers. It verifies signatures, checks file integrity, and controls where temporary files land before anything gets installed. The goal is to give Electron developers a concrete starting point for shipping updates they can actually trust.
Tales from the Trace: How XBOW reasons its way into finding IDORs
XBOW's Adrian Losada walks through two IDOR vulnerabilities that the XBOW agent discovered in Spree Commerce, both now fixed. The first was straightforward: address edit pages had no access controls, exposing full user PII to anyone. The second required more work. The agent created two separate shopping carts and found that one cart's token could access addresses belonging to the other due to missing authorization checks.
What makes it interesting is how XBOW got there. Instead of just trying random parameter values, it analyzed the application's access control logic and adjusted when it hit errors.
Trailing Danger: Exploring HTTP Trailer Parsing Discrepancies
Sebastiano Sartor explores how inconsistent handling of HTTP trailer fields across roughly 70 open-source implementations leads to a request smuggling class he calls Trailer Merge (TR.MRG). The post compares behavior across HTTP/1.1, HTTP/2, and HTTP/3, showing how merging trailers into headers after dechunking lets attackers override security-sensitive headers like Host, Content-Length, or Transfer-Encoding, with lighttpd 1.4.80 as a concrete example.
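The safe side of the behaviour described above, as an added example that is not code from the post: a recipient that dechunks a body, keeps the trailer section separate, and merges a trailer only if it was announced in `Trailer:` and is not a framing, routing or authentication field. The forbidden-field set is a subset taken from RFC 9110 section 6.5.1; the sample request and hostnames are constructed.

```python
"""Dechunk an HTTP/1.1 body and keep its trailers from overriding headers.

Added example, not code from the post. Forbidden-field names follow
RFC 9110 s6.5.1 (a subset chosen for illustration).
"""
# Trailers must never add or replace framing, routing or auth fields.
FORBIDDEN_IN_TRAILERS = {
    "host", "content-length", "transfer-encoding", "trailer",
    "authorization", "cookie", "content-type", "content-encoding",
}

def dechunk(body: bytes) -> tuple[bytes, dict[str, str]]:
    """Decode a chunked body; return (payload, trailer fields, lower-cased)."""
    payload, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailer section follows
        payload += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator")
        pos += size + 2
    trailers: dict[str, str] = {}
    while body[pos:pos + 2] != b"\r\n":  # section ends with an empty line
        eol = body.index(b"\r\n", pos)
        name, _, value = body[pos:eol].decode("latin-1").partition(":")
        trailers[name.strip().lower()] = value.strip()
        pos = eol + 2
    return bytes(payload), trailers

def merge_trailers(headers: dict[str, str], trailers: dict[str, str]) -> dict[str, str]:
    """Merge only announced, non-forbidden trailers; anything else is dropped,
    because letting it override the header section is the TR.MRG mistake."""
    announced = {n.strip().lower() for n in headers.get("trailer", "").split(",")}
    merged = dict(headers)
    for name, value in trailers.items():
        if name in announced and name not in FORBIDDEN_IN_TRAILERS:
            merged[name] = value
    return merged

# Constructed sample: one announced trailer plus two override attempts.
SAMPLE_HEADERS = {"host": "app.example", "transfer-encoding": "chunked", "trailer": "X-Checksum"}
SAMPLE_BODY = (
    b"5\r\nhello\r\n6\r\n world\r\n0\r\n"
    b"X-Checksum: abc123\r\nHost: attacker.example\r\nContent-Length: 0\r\n\r\n"
)
```

Running `merge_trailers(SAMPLE_HEADERS, dechunk(SAMPLE_BODY)[1])` keeps `host` as `app.example` and never gains a `content-length`, while the announced `x-checksum` comes through.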
spaceraccoon/vulnerability-spoiler-alert
Eugene Lim built Vulnerability Spoiler Alert to catch security patches in popular repositories before a CVE ever gets assigned. Every six hours it pulls commit diffs and runs them through Claude to spot potential vulnerabilities, then posts the findings to a static website with an RSS feed. Confirmed and false positive results get sorted through GitHub Issues labeling.
Artificial Intelligence
Cyber Model Arena: Evaluating AI Agents Across Real-World Security Challenges
Wiz Research launched the AI Cyber Model Arena, benchmarking 25 agent/model combinations across 257 offensive security challenges spanning zero days, code vulnerabilities, API/web security, and cloud misconfigurations. Four agents (Gemini CLI, Claude Code, OpenCode, Codex) were tested against nine models including Claude variants, Gemini, GPT 5.2, and Grok 4 in isolated Docker containers with deterministic scoring. The results showed no single pairing dominated all categories, with the same model performing very differently depending on which agent was running it.
Pavelevich/llm-checker
LLM Checker is a CLI tool that analyzes your system hardware and recommends which Ollama models you can run locally. It scores 200+ model variants across quality, speed, memory fit, and context length, with weights that adjust based on your use case (coding, chat, reasoning).
Making frontier cybersecurity capabilities available to defenders
Anthropic launched Claude Code Security in limited research preview, a tool that finds vulnerabilities by reasoning about code like a security researcher, understanding component interactions and tracing data flow rather than matching known patterns. Each finding undergoes multi-stage verification where Claude re-examines its results to filter false positives, assigns severity ratings for prioritization, and surfaces suggested patches for human review.
Neo Deploy Agent for Runtime Validation in Security Review and Research
ProjectDiscovery's Neo launched a Deploy Agent that eliminates manual environment setup for security validation. The automated tool accepts CVEs or pull requests, spins up applications, and provides runtime validation with proof-of-concept demonstrations for CVE verification and live PR testing.
3 Principles for Designing Agent Skills
Block's Angie Jones shares three principles for designing Agent Skills. First, be deliberate about what agents should not decide, keeping deterministic tasks like scoring algorithms and CLI commands in hard rules to ensure consistency. Second, let agents handle what they excel at: reasoning about context, interpreting results, and generating tailored recommendations. Third, treat SKILL.md files as strict contracts that prevent agents from improvising in ways that break intended workflows.
Blue Team
Detecting OpenClaw using advanced posture checks
Okta's Rafa Bono published a detection guide for OpenClaw built around advanced posture checks that scan devices across eight vectors: launchd services, file searches, running processes, package managers, listening ports (9090, 18789, 18791), installed applications, and Docker containers. Instead of relying on name matches alone, the guide implements a scoring model that requires hits from two or more sources before flagging a detection, keeping false positives low and giving security teams something worth acting on.
AI Research in Security Operations: Frontier Model Benchmarks on Real-World SecOps Tasks
Cotool benchmarked frontier and open-weight AI models on real-world security operations tasks using the Splunk BOTSv3 dataset, covering 2.7 million logs and 51 questions across cloud attack investigation, APT intrusions, and threat hunting.
GPT-5.2 had the highest accuracy at 69%, with GPT-5.1 and Opus 4.5 not far behind. For cost, GPT-5.1 was the most economical frontier option at $1.67 per task, and Opus 4.5 was the quickest at 113 seconds on average. Most models had no trouble completing tasks, though long-context log analysis gave GPT-OSS-120b and several Gemini models a hard time.
Cloud Security
Testing Access to AWS Resources Without Angering the People That Pay the Bills
Plerion's Daniel Grzelak walks through how to verify AWS resource access permissions without reading sensitive data or changing state. The approach exploits the consistent order in which AWS validates requests, where the error you get back reveals whether access exists before any action is performed. The post covers four probing techniques, from comparing authenticated against unauthenticated requests to crafting malformed inputs that pass authorization but fail validation. To confirm a malformed request actually proves authorization, Daniel introduces a three-topic method that tests against allowed, denied, and nonexistent resources in parallel.
Automatically detecting malicious Azure OAuth applications using LLMs
Wiz Research developed OAuth Apps Scout, an automated detection pipeline that identifies malicious OAuth applications in Entra ID by analyzing app metadata, reply URLs, permissions, and infrastructure patterns. The system uncovered a 2025 campaign involving 19 malicious applications impersonating Adobe, DocuSign, and OneDrive across multiple organizations.
The same pipeline also caught seven older applications from 2019 that used Cyrillic homoglyphs to spoof Microsoft services across 50+ organizations. Attackers have moved from impersonating Microsoft directly to spoofing third-party SaaS brands, but the artifacts they leave behind haven't changed much.
Mobile Security
A Beginners Guide: Cross-Device Passkeys
Google's Harsh Lal walks through hybrid transport, a mechanism that lets users authenticate with their passkey on devices where it isn't stored, like public terminals or shared computers. The flow starts when the client device displays a QR code that the user scans with their phone to establish an end-to-end encrypted tunnel, while Bluetooth Low Energy confirms physical presence to prevent remote attacks.
The phone then signs a cryptographic challenge from the server using its private key, which never leaves the device, and sends the signature back through the tunnel for verification. It keeps passkeys phishing resistant while solving the main adoption barrier: accessing accounts across devices without exposing credentials on unfamiliar machines.
PhoneLeak: Data Exfiltration in Gemini via Phone Call
Starstrike researchers (alongside rez0, rhynorater, and lupin) won Most Creative Finding and a $9,137 bounty at Google's Bugswat Live Hacking Event in Tokyo for a data exfiltration vulnerability in Gemini's Android app. The attack used a fake captcha app to tapjack victims into sending a prompt through Gemini, which then chained tool calls without user confirmation to read notification contents including 2FA codes and PII.
For exfiltration, the team encoded stolen data into DTMF dial strings, having Gemini's Phone tool call the attacker's number and play the data as tones on pickup. A nice callback to the phone phreaking days. Google patched the issue in November 2025.
Red Team
deathlabs/hades
HADES (Harnessing AI to Disrupt and Evaluate Security) is an adversary emulation platform built for blue teamers who want to train against realistic attacks without hiring a red team. It runs AI-driven adversary agents in Docker containers that coordinate over RabbitMQ and use OpenAI's API to decide what to do next based on what they discover in the environment, so attacks adapt instead of following a script.
MCP Server Security: The Hidden AI Attack Surface
Praetorian researchers demonstrate how malicious MCP servers exploit authorized connections users have already established, executing arbitrary code, intercepting queries to exfiltrate sensitive data, and injecting social engineering payloads into AI responses while appearing completely legitimate. The research covers server chaining attacks where malicious local servers sit between users and trusted integrations like Slack or Google Drive, capturing data flows without touching the legitimate services. The post also explores supply chain risks, where attackers slip malicious tools into internal MCP development through compromised package managers and CI/CD pipelines.
Shaking the MCP Tree: A Security Deep Dive
Voorivex's Amirmohammad Safari demonstrates how attackers can identify and exploit open Dynamic Client Registration endpoints in MCP servers. Path normalization tricks can bypass URL validation, while DCR's flexible redirect URI registration creates open redirects that enable SSRF attacks. Either way, attackers end up with direct access to MCP server tools and internal services intended only for AI assistants, skipping past authorization safeguards and consent mechanisms entirely.
Supply Chain
Silent Codebase Exfiltration via Skills
Mitiga Labs created a malicious AI agent skill disguised as a test generator that silently exfiltrated an entire codebase to an attacker's GitHub repository in just four user interactions, leaving no audit trail. When the initial instructions weren't stealthy enough, Cursor actually helped rewrite the skill to be quieter. In practice, an attacker could publish something like this to a public catalog like skills.sh with bot-inflated ratings and reach thousands of developers who install skills without a second look.
AikidoSec/safe-chain
Aikido Security's Safe Chain is a free malware protection tool that intercepts package installations across npm, yarn, pnpm, bun, pip, and other major package managers through a local proxy. It verifies downloads against Aikido's threat intelligence feed in real time and blocks newly published npm packages under 24 hours old by default. It supports both local development and CI/CD pipelines without requiring tokens.
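The 24-hour quarantine rule mentioned above, as an added example that is not Aikido's code: it reads the `time` map of an npm registry packument (version to ISO 8601 publish time), resolves a dist-tag such as `latest`, and refuses any version published less than `MIN_AGE_HOURS` ago. The packument, package name and timestamps are constructed.

```python
"""Quarantine-by-age check for npm installs, in the spirit of Safe Chain.

Added example, not Aikido's code. A freshly published (possibly hijacked)
release is refused until it is at least MIN_AGE_HOURS old, giving threat
intelligence feeds time to catch up.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE_HOURS = 24

def _parse_time(stamp: str) -> datetime:
    # npm emits e.g. "2026-02-22T10:15:00.000Z"; fromisoformat wants an offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def resolve_version(packument: dict, spec: str) -> str:
    """Map a dist-tag (e.g. "latest") or an exact version to a version string."""
    return packument.get("dist-tags", {}).get(spec, spec)

def check_install(packument: dict, spec: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for installing `spec` of this package at `now`."""
    version = resolve_version(packument, spec)
    published_raw = packument.get("time", {}).get(version)
    if published_raw is None:
        return False, f"{version}: no publish time in packument"
    age = now - _parse_time(published_raw)
    if age < timedelta(hours=MIN_AGE_HOURS):
        hours = age.total_seconds() / 3600
        return False, f"{version}: published {hours:.1f}h ago (< {MIN_AGE_HOURS}h)"
    return True, f"{version}: published {age.days}d ago"

# Constructed packument for a hypothetical package "example-lib" (not real).
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.0.1"},
    "time": {
        "created": "2024-01-10T08:00:00.000Z",
        "1.4.2": "2025-11-03T12:00:00.000Z",
        "2.0.1": "2026-02-22T21:30:00.000Z",  # 11.5h before SAMPLE_NOW
    },
}
SAMPLE_NOW = datetime(2026, 2, 23, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for spec in ("latest", "1.4.2", "9.9.9"):
        allowed, reason = check_install(SAMPLE_PACKUMENT, spec, SAMPLE_NOW)
        print("ALLOW" if allowed else "BLOCK", reason)
```

In a real proxy `now` would be the wall clock and the packument would come from the registry; the age threshold is the only policy knob.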
alice-dot-io/caterpillar
Iftach Orr released Caterpillar, a security scanning library that analyzes AI agent skill files for malicious behavior before installation. The scanner detects threats like credential theft, data exfiltration, persistence mechanisms, crypto wallet theft, and supply chain attacks across three modes: an Alice API for comprehensive remote analysis, OpenAI integration using user credentials, and offline pattern matching.
Wrapping Up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.
Thanks,
Sebas
