SkillSafe

Security

11 articles in this category.

Security Apr 10, 2026 6 min read

Claude Mythos Found Zero-Days Everywhere. Here's Your Playbook.

Anthropic's Mythos Preview discovered zero-days in every major OS and browser. Defenders have months, not years, to adapt. Here's what to do now.

Security Apr 2, 2026 8 min read

ToxicSkills: What the First Large-Scale Agent Skill Audit Found

Snyk scanned 3,984 AI agent skills: 36% had security flaws, 534 issues were rated critical, and 76 skills contained active malware. What this means for developers installing skills.

Security Mar 31, 2026 12 min read

MCP Tool Poisoning: How Hidden Metadata Hijacks AI Agents

MCP tool descriptions are visible to your AI agent but hidden from you. Attackers embed instructions that hijack agent behavior and steal credentials.

Security Mar 29, 2026 9 min read

Langflow Exploited in 20 Hours: The AI Framework Attack Surface

Langflow's critical RCE was weaponized within 20 hours of disclosure. Together with new LangChain and LangGraph CVEs, it shows that AI framework infrastructure is under active attack.

Security Mar 28, 2026 7 min read

When Trusted Packages Turn Hostile: Cascading Supply Chain Attacks

TeamPCP compromises legitimate packages and cascades through the supply chain via stolen credentials. Why this attack pattern evades detection.

Security Mar 27, 2026 7 min read

You're Using Claude Code Skills. Do You Know What's in Them?

Claude Code skills can read files, run commands, and access credentials. What the skill ecosystem gets wrong about security — and how to protect yourself.

Security Mar 25, 2026 12 min read

LiteLLM's PyPI Backdoor: What It Means for the AI Skill Supply Chain

Attackers injected a credential stealer into litellm (95M downloads) via compromised CI/CD. What happened and why AI skills face the same threat.

Security Mar 15, 2026 15 min read

SkillJect and the Gap in Skill Registry Security

A new paper achieves 97.5% attack success against Claude Code using poisoned skills. Here's what we found, and the four detection rules we shipped in response.

Security Mar 9, 2026 14 min read

ClawHavoc: 1,184 Malicious Skills and Why Pre-Install Verification Matters

Post-mortem of ClawHavoc — the largest AI skill supply chain attack on record — and what it reveals about the limits of reactive security models.

Security Mar 9, 2026 12 min read

Why Scanning Architecture Matters: Comparing Skill Registry Security

Comparing install-time scanning, reactive moderation, and dual-side verification — and the supply chain attack vectors each security model misses.

Security Feb 10, 2026 4 min read

How Dual-Side Verification Protects Against Supply Chain Attacks

How SkillSafe dual-side verification works: publisher scans, consumer re-scans, and cryptographic tree hashes that detect tampering before install.

The secured registry for AI skills.

© 2026 SkillSafe