Claude Code's background sessions survive terminal close, managed by a new supervisor daemon. We used it to build a persistent C2 agent whose entire payload is natural language in a Markdown file, executed by the signed binary under the user's identity.
https://t.co/1nD6ulkm03
Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. https://t.co/RSrRtIhgaV
@realhorsie Thanks for pointing that out. There was a bug in the binary fetcher, so when I verified the output the hashes already matched the binaries I had. Should have double-checked against Winbindex directly. The post has been updated.
One researcher. ~$300 in API tokens. A working PoC against an April Patch Tuesday CVE.
Open-sourcing PatchWatch + Pocsmith, an agentic patch-diffing → exploit pipeline I built from off-the-shelf parts.
https://t.co/J3VwhqB3JY
Last month we showed Claude Code's remote-control channel could be redirected to any server with one flag. Anthropic added a hardcoded domain allowlist as a fix. Because the allowlist lives in the client, the redirect still works. It just takes one more hop.
https://t.co/uwB27oqGkG
New on the blog: @michaelbarclay_ on the hidden supply chain behind every computer use agent. CLAUDE.md, skills, and MCP configs on disk compose its behavior at runtime, and a few lines in one of them can redirect a session in ways file telemetry can't see.
https://t.co/lBc6Q6p53o
Agent features don't need vulnerabilities to become tradecraft. They just need to be useful, installed, and exposed. Codex ships with a documented IPC surface for remote TUI sessions, and one bind flag turns a compromised endpoint into a remotely controlled agent.
https://t.co/uVulk48jqh
ACP standardizes how editors talk to coding agents. It also standardizes how an adversary on a compromised endpoint talks to those same agents - prompts invisible to command line logging, permissions auto-granted without the flags defenders look for.
https://t.co/dDlW3U2Sab
My research from last week on Claude Code's Remote Control protocol has landed in the latest release of Praxis C2 framework - try it out for yourself now!
https://t.co/rvXN2xPeQi
Process argument spoofing has focused on modifying the PEB before a suspended process resumes. @jdu2600 traces what happens after and finds the initialization timeline has its own injection windows - ones that fire after the allow decision has already been made.
https://t.co/DkgnCoOYQE
Claude Code's remote control protocol lets developers orchestrate instances programmatically. @tyholms reverse engineered it and found an undocumented flag that redirects any instance to attacker-controlled infrastructure, silently bypassing all permission checks.
https://t.co/Tn85uj1R77
Claude's Chrome extension lets the agent interact with the web on your behalf. We reverse engineered it and found those same capabilities are exposed to any attacker on the endpoint, turning a productivity tool into a browser takeover primitive.
https://t.co/Ah0XEje91I
Windows Insider builds now have a native, OS-level broker for MCP servers.
We reverse engineered Odr.exe to understand how it validates clients, manages consent, and controls access - uncovering undocumented COM interfaces and a full ETW audit trail.
https://t.co/8poGny9usX
Computer use agents like Claude Code are transforming endpoint interactions for humans - and potentially attackers too. Today, we're releasing cua-kit: a post-exploitation toolkit to explore their offensive security implications.
https://t.co/W4IAPWo3hL
While testing our agent against malware observed in the wild, we detected a LockBit encryptor not via file signatures or static IOCs, but by observing out-of-context execution of private memory using hardware telemetry. 🧵
Very excited to have joined the @originhq team just as big things were kicking off.
Kudos to the research team for this incredible work and can't wait to see where we go from here!