Skip to content

live

research · 61 pieces

Research.

61 published pieces — original research, CVE technical writeups, and a reference taxonomy of AI security — across adversarial AI, prompt injection, agent security, kernel and container work.

all45 ai security research16 jailbreaking6 prompt injection7 infrastructure & appsec6 per-cve writeups10

AI Security Research

17 articles

SKILBin: AI Agent Skills as the New LOLBin

a malicious Claude skill harvests SSH, AWS, and Kubernetes credentials inside an Anthropic-signed process no EDR flags — the LOLBin for the agent era.

Semantic-to-Metadata Smuggling in Multi-LoRA Routing Gateways

SHELL.003 — signal suppression at the multi-LoRA routing gateway as an unreviewed trust boundary.

prompt injection

Indirect Injection Was Never Blind

the wire carries the tool call before the interface hides it — closed-loop indirect injection via the SSE wire.

prompt injection

Self-Replicating Memory Worm: Persistent Injection with Autonomous Propagation

A single memory edit becomes an autonomous, self-replicating worm with credential harvesting and cross-service pivoting. See how it survives session resets.

Adversarial Prompting: The Complete Technical Guide

Every adversarial prompting technique mapped from role hijacking to multi-turn escalation. Learn how attacks work, why defenses fail, and how to test them.

Weaponized AI Supply Chain: How Threat Actors Turned LLMs Into Attack Infrastructure

89% increase in AI-enabled attacks. LLM-integrated malware, autonomous cyber espionage, and $1.1B in deepfake fraud. Explore the full offensive AI arsenal.

MCP vs A2A Attack Surface: Every Trust Boundary Mapped

MCP has 40+ CVEs and real-world breaches while A2A has zero. Get the complete side-by-side attack surface comparison with defensive guidance for AI agents.

The 30% Blind Spot: Why LLM Safety Judges Fail

LLM safety judges miss 63% of unsafe content. Built one, tested six iterations, 680+ responses. See why every major AI provider has this same blind spot.

AI Breach Detection Gap: The Logs Are Clean. You're Not.

74% of organizations found AI breaches when they looked. Most are not looking. Discover why LLM attacks evade traditional security detection and what to do.

LLM Red Teamer's Playbook: Diagnosing AI Defense Layers

Stop guessing which jailbreak works. A systematic, layered methodology for diagnosing LLM defense layers and selecting the right bypass technique each time.

AATMF v3.1 vs MITRE ATLAS: Which AI Security Framework Wins?

MITRE ATLAS covers 66 techniques. AATMF v3.1 maps 240 techniques with 4,980+ prompts and quantitative risk scoring. Compare both frameworks and choose wisely.

AI Coding Agent Attack Surface: A Full Taxonomy

AI coding agents trust code comments, README files, and MCP servers like humans trust authority. Explore the full attack surface taxonomy and defenses.

Computational Countertransference: LLM Context Inheritance

LLMs adopt adversarial states from pasted transcripts. 13-month study reveals context inheritance as an architectural vulnerability in GPT-4o, Claude, Gemini.

AI Gateway Threat Model: 8 Attack Vectors

First generalized AI gateway threat model covering 8 unmapped attack vectors. 91K attack sessions analyzed. Apply these AATMF TC-21 gateway defense tactics.

Agentic AI Threat Landscape: Attack Vectors & Defenses

Full agentic AI threat landscape covering prompt injection, MCP tool poisoning, multi-agent infection, and memory poisoning. Learn why no single defense works.

RAG, Agentic AI, and the New Attack Surface

RAG pipelines and agentic AI expand the LLM attack surface beyond prompts. How retrieval poisoning and tool autonomy create exploitable vulnerability classes.

AI Social Engineering: Deepfake Voice Detection

How AI enables sophisticated social engineering through deepfake voices. Real-world attack cases, detection techniques, and organizational defense strategies.

The Structural Vulnerabilities of Large Language Models

Tokenization evasion, parsing limit exploits, and alignment failure modes that break production LLMs. A full pipeline security report for AI deployments.

Hidden Risks of AI: An Offensive Security Perspective

Emerging AI threat vectors analyzed from an offensive security lens. Shadow AI, supply chain poisoning, and blind spots that blue teams consistently miss.

Jailbreaking

6 articles

LLM Jailbreak Techniques: A Technical Taxonomy

Complete taxonomy of LLM jailbreak methods — role hijacking, multi-turn escalation, context manipulation, encoding exploits, and chain-of-thought abuse.

Memory Manipulation: AI Context Poisoning

How attackers poison AI context windows and memory systems to compromise future interactions. Persistent manipulation techniques and defense strategies.

Inherent AI Vulnerabilities: Technical Deep Dive

Deep technical analysis of structural vulnerabilities in AI systems. Why certain adversarial attacks succeed regardless of safety training and guardrails.

Context Inheritance Exploit: Persistent Jailbreaks

Jailbroken states persist across GPT sessions through context inheritance. Explore this novel attack vector, its persistence mechanics, and defense gaps.

Is AI Inherently Vulnerable? An Offensive Analysis

Are large language models inherently vulnerable? Examining the fundamental security limitations of LLMs and why adversarial manipulation remains unsolvable.

ChatGPT Jailbreak via Context Manipulation

Step-by-step walkthrough of jailbreaking ChatGPT using context manipulation and social awareness techniques. Original research and methodology breakdown.

Prompt Injection

5 articles

Memory Injection Through Nested Skills: Autonomous LLM Agent Compromise

Skill injection plus cross-session memory poisoning creates a self-healing LLM implant. Explore this novel persistence chain exploiting agent trust boundaries.

Prompt Injection Examples: Real Attack Patterns Explained

Real-world prompt injection examples across direct injection, indirect injection, MCP tool poisoning, and memory attacks. Learn how each pattern works.

MCP Security Hardening: Production Vulnerability Guide

How to secure MCP servers in production AI environments. Real-world vulnerability scenarios, server configuration hardening, and AATMF-mapped defense patterns.

MCP Threat Analysis: Attack Chains & Protocol Dissection

Offensive threat analysis of the Model Context Protocol. Attack chains, privilege escalation paths, and exploitation techniques targeting AI tool integration.

Custom Instruction Backdoor: ChatGPT Prompt Injection

Uncovering emergent prompt injection risks through ChatGPT custom instructions. Learn how user settings become persistent attack vectors in LLM applications.

Infrastructure & AppSec

6 articles

Linux Kernel io_uring/zcrx: Race Condition to Double-Free

Race condition in io_uring zerocopy receive (zcrx) — non-atomic user_refs operations cause double-free and out-of-bounds write. Kernel fix by Kai Aizen.

Zero-Trust Container Runtime Attestation

Implementing zero-trust principles in container runtime environments. Runtime attestation strategies, security architecture, and hardening techniques.

Advanced Container Escapes: Security Deep Dive

Deep technical analysis of container escape techniques — namespace breakouts, capability abuse, kernel exploits, and principle-based prevention strategies.

RCE & DNS Exfiltration in ChatGPT Canvas

Research documenting Python Pickle RCE and DNS exfiltration in ChatGPT's Code Interpreter sandbox. Two critical vulnerabilities forming one attack chain.

Evading Endpoint Detection and Response (EDR)

Technical analysis of EDR evasion techniques — unhooking, direct syscalls, AMSI bypasses, and ETW patching. How attackers evade endpoint detection at runtime.

Exploiting Cloud Vulnerabilities: Tools and Techniques

Practical guide to cloud security testing across AWS, Azure, and GCP. Tools and techniques for exploiting Docker, Terraform, CI/CD, and Kubernetes flaws.

Per-CVE Writeups

10 articles

CVE-2025-12030 | IDOR in ACF to REST API Plugin

CVE-2025-12030: Insecure Direct Object Reference in ACF to REST API WordPress plugin. Unauthorized data access via API manipulation. CVSS 4.3 Medium.

CVE-2026-32809 | Symlink Resolution Bypass in ouch

CVE-2026-32809: Unvalidated symlink targets in ouch tar extraction enable arbitrary file read via crafted archives. Affects all tar formats. CVSS 7.4.

CVE-2025-9776 | SQL Injection in CatFolders Plugin

CVE-2025-9776: Authenticated SQL Injection via CSV Import in CatFolders WordPress plugin. CVSS 6.5. Full technical analysis and remediation by Kai Aizen.

CVE-2026-3288 | Config Injection in ingress-nginx rewrite-target

CVE-2026-3288: Configuration injection in ingress-nginx via rewrite-target annotation enables RCE and cluster-wide Secret disclosure. CVSS 8.8 High severity.

CVE-2025-12163 | Stored XSS in OmniPress Plugin

CVE-2025-12163: Stored XSS in OmniPress WordPress plugin via author-level access. CVSS 6.4. Full technical analysis, PoC, and remediation by Kai Aizen.

CVE-2025-11174 | Missing Auth in Document Library Lite

CVE-2025-11174: Missing authorization in Document Library Lite exposes sensitive data. CVSS 5.3. Full vulnerability analysis and remediation by Kai Aizen.

CVE-2026-33693 | SSRF via Incomplete IP Validation in activitypub-federation-rust

CVE-2026-33693: SSRF bypass in activitypub-federation-rust via 0.0.0.0. Missing is_unspecified() check affects Lemmy and 6+ Fediverse projects. CVSS 6.5.

CVE-2026-32885 | Path Traversal (ZipSlip) in ddev

CVE-2026-32885: ZipSlip path traversal in ddev local development tool. Malicious archives escape extraction directory via Untar/Unzip. CVSS 6.5 Medium.

CVE-2025-11171 | Missing Auth in Chartify Plugin

CVE-2025-11171: Missing authentication for admin functions in Chartify WordPress plugin. CVSS 5.3. Full technical analysis and remediation by Kai Aizen.

CVE-2026-1208 | CSRF to Settings Update in Friendly Functions for Welcart

CVE-2026-1208: CSRF in Friendly Functions for Welcart WordPress plugin enables unauthorized settings manipulation. CVSS 4.3. Full analysis by Kai Aizen.

featured

When the research listed below intersects with real vendor stacks, these are the CVEs that ship.

Flagship Disclosures.

Six writeups with dedicated quick-facts, FAQ, and references — for engineers landing here from a search for the CVE itself.

Kubernetes ingress-nginx — Config Injection via rewrite-target

Apache Airflow Core — Missing Authorization on HITL endpoints

Dgraph — Pre-auth DQL Injection

Linux kernel · io_uring/zcrx — Race → Double-free → OOB Write

GHSA-j425-whc4-4jgc

OpenClaw — system.run env-override RCE

Apache Airflow · Databricks — TLS Verification Bypass