‼️ BREAKING: xAI's Grok Build CLI was uploading entire Git repositories to a Google Cloud bucket, private codebases and unredacted secrets included. The uploads quietly stopped via a hidden server-side flag, and xAI still has not said a word about scope, retention, or deletion.
The scale is staggering. On a 12 GB test repo, 5.1 GB flew out the door to xAI's grok-code-session-traces bucket while the actual coding task needed just 192 KB. The tool grabbed whatever repository it ran in, not the files it needed.
The fix arrived as a hidden flag, disable_codebase_upload: true, a day after a researcher's wire-level analysis. The "Improve the model" opt-out never stopped the uploads.
Still no advisory, no scope, no word on whether already-uploaded code gets deleted. For anyone pointing AI coding agents at proprietary code, what crosses the wire matters more than what the settings page says.
PLEASE every protocol read this. Your bug bounty submission might be malicious:
The incident was the result of a sophisticated, multi-stage attack that combined social engineering with a trojanised proof-of-concept test suite.
The attacker initially established credibility by submitting a plausible responsible-disclosure report describing a potential reward-distribution front-running vulnerability in the vault contracts. The report referenced legitimate-sounding contract functions, followed a standard vulnerability disclosure format, and offered to collaborate on mitigation steps. These elements appear to have been deliberately crafted to encourage our team to review and execute the attached proof-of-concept.
AI discovers a bug that humans overlooked—> the entire X community discusses how AI will replace them and so on—> then forgets about it—> repeats the process with new models.
Human whitehats find a bug—> there’s no hype (sometimes they don’t even pay them)—> and then forget about it.
Why do you even make things look like a battle between AI and humans? It’s us against blackhats and hackers!
so our DPRK Contagious Interview friends have advanced in the meantime and now have started reking people for which you only need to _unzip_ a file and run a git checkout or commit operation.
so this how the attack works:
1. the attacker distributes the repo as a zip archive (which is pivotal!). this is on purpose because git clone explicitly strips hooks (since cloning goes through git's _own_ protocol which excludes them) from remote sources as a security measure but unzipping is just a _normal_ filesystem ops that git cannot control (yeah fml but also simple fact). the zip restores file permissions exactly as the attacker set them (expect `rwxrwxr-x`), so the two active hooks (`pre-commit` & `post-checkout`) arrive on disk already executable (yeah fml).
2. git _automatically_ runs a hook when two conditions are met at the same time. the file must have the correct bare name with no `.sample` extension _and_ the executable bit must be set (like `rwxrwxr-x`). both of these are already satisfied by the attacker _before_ the zip is distributed. no fucking user action, config change, or approval is needed, git's own hook dispatch system triggers everything lmfaooo. software is great innit?
3. some of the custom `.sample` files in the shipped `.git/hooks` directory are the malicious payloads. they are basically payload components _disguised_ under innocent names. once the victim does anything beyond passively inspecting the repo (e.g. git checkout or git commit), the _active_ hook copies those files into `~/.vscode` (a directory devs usually trust and ignore but well you should not trust it guys) and then starts a detached background process using `nohup` so it does not block or visibly affect the git command. the git operation still completes normally and nothing looks suspicious. fucking evil, but hey here we are!
4. now that background process then bootstraps a node.js runtime if it is not already installed, runs npm install using an attacker controlled package.json, and executes an obfuscated payload (this can ofc differ and change over time). from that point the attacker gains clipboard access, a persistent c2 channel over https://t.co/SZ5Ym88c3r (usually) and the ability to read browser credential dbs
❗️ Linux is having a brutal week. Another local to root privilege escalation vulnerability just dropped: "Copy Fail 2: Electric Boogaloo."
This is the third Linux LPE in a row, after Copy Fail and Dirty Frag. The PoC is public on GitHub. There is still no coordinated patch.
https://t.co/6XifksYgZ6
@0xfrsmln In many contests we assume the protocol knows the best practices and will not do something stupid. But I think the past few months showed otherwise…
Its the beginning of the end of subsidized AI subscriptions. GH Copilot is moving to usage-based billing, as has Claude (for business customers.) Fair to assume more will follow.
I expect this change will also be a great boost for open models - cheaper, and pretty good already
Update to my roadmap -> We built the practice layer it was missing.
https://t.co/Forp7hJJLs
380 challenges derived from 50,000 real Solodit findings, clustered into 19 vulnerability patterns.
Active pattern-recognition training on real code.
The gap between reading findings and discovering them is huge. This is built specifically to close it.
Still free. Still no fluff.
@m4rio_eth Lately, I’ve been looking at different ways to sandbox the agents. There are some quite good tools, but I’ve seen agents breaking out of them.
Probably the best way to mitigate such issues is to review the sec basics - limit the access, multistep process for critical actions etc
"Company that allowed employees to use whatever third party tools they prefer falls victim to latest supply chain attack"
Just going to retweet this every time it happens.
If you're using Open Swarm (the AI agent orchestration platform): Stop.
There's no auth on the local websocket API, so any website you visit can send messages to your AI agents as if it's you.
🚀 This month I got 3 bug bounties paid out and built an open-source Claude Code skill along the way.
Finding the bug is the hard part, but what really determines the outcome is how well you demonstrate its impact.
That's where the PoC matters most: if it's not a mainnet-fork end-to-end test on real deployed contracts at the current mainnet state, it doesn't really prove impact.
I iterated a lot before figuring out what actually works. Now it's a skill anyone can install.
Free & fully open source 👇
https://t.co/NOest7Wlrf
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.
We’ll continue updating our coverage as more details are confirmed.
https://t.co/G0aakn8swq
Do all your coding inside a VM.
Seriously.
UTM for Mac is free, works fantastically, and lets you run Mac inside Mac.
Get into the habit now before you get rekt by library supply chain issues you cannot control or anticipate.
https://t.co/VjGbmdcF0J
Or buy a second laptop. Not having separation nowadays is lunacy.
🚀Dear builders and auditors, your Claude Code sub just became a 100x audit team.
Up to 95 specialized AI security agents running in one orchestrated autonomous pipeline.
Fully open-source.
"Plamen" is live 🔥🐉