How MCP servers can steal your conversation history
Malicious MCP servers can inject trigger phrases into tool descriptions to exfiltrate entire conversation histories and steal sensitive credentials and IP.

Jumping the line: How MCP servers can attack you before you ever use them
MCP’s ‘line jumping’ vulnerability lets malicious servers inject prompts through tool descriptions to manipulate AI behavior before tools are ever invoked.

Kicking off AIxCC’s Finals with Buttercup
Trail of Bits’ Buttercup competes in DARPA’s AIxCC Finals with expanded resources, multiple rounds, new challenge types, and custom AI model capabilities.

Sneak peek: A new ASN.1 API for Python
We’re working on integrating an ASN.1 API into PyCA Cryptography, built on top of the same Rust ASN.1 implementation already used by Cryptography’s X.509 APIs.

Mitigating ELUSIVE COMET Zoom remote control attacks
This post describes a sophisticated social engineering campaign using Zoom’s remote control feature and provides technical solutions to protect organizations against this attack vector.

Introducing a new section on snapshot fuzzing for kernel-level testing in the Testing Handbook
Learn snapshot fuzzing for kernel-level testing. New Testing Handbook section shows how to test drivers, antivirus software, and complex kernel components.

Benchmarking OpenSearch and Elasticsearch
Trail of Bits’ independent study finds OpenSearch v2.17.1 is 1.6x faster than Elasticsearch v8.15.4 on Big5 workload and 11% faster on vector search.

Continuous TRAIL
Learn how to integrate TRAIL threat modeling into your SDLC, adapt and maintain models as your system evolves, and use them to identify security control gaps.

Threat modeling the TRAIL of Bits way
Discover TRAIL, Trail of Bits’ systematic threat modeling approach that identifies design-level security weaknesses and provides actionable remediation guidance.

How Threat Modeling Could Have Prevented the $1.5B Bybit Hack
Learn how comprehensive threat modeling could have identified the operational security gaps that led to Bybit’s $1.5B hack and prevented similar breaches.

Don’t recurse on untrusted input
We developed a simple CodeQL query to find denial-of-service (DoS) vulnerabilities in several high-profile Java projects.

The $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
The $1.5B Bybit Hack demonstrates how the Era of Operational Security Failures has arrived, and most cryptocurrency companies are not prepared for its implications.

Unleashing Medusa: Fast and scalable smart contract fuzzing
Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security.

We’re partnering to strengthen TON’s DeFi ecosystem
TVM Ventures has selected Trail of Bits as its preferred security partner to strengthen the TON developer ecosystem. Through this partnership, we’ll lead the development of DeFi protocol standards and provide comprehensive security services to contest-winning projects deploying on TON. TVM Ventures will host ongoing developer contests where teams can showcase innovative applications that advance […]

The call for invariant-driven development
Writing smart contracts requires a higher level of security assurance than most other fields of software engineering. The industry has evolved from simple ERC20 tokens to complex, multi-component DeFi systems that leverage domain-specific algorithms and handle significant monetary value. This evolution has unlocked immense potential but has also introduced an escalating number […]

Preventing account takeover on centralized cryptocurrency exchanges in 2025
This blog post highlights key points from our new white paper Preventing Account Takeovers on Centralized Cryptocurrency Exchanges, which documents ATO-related attack vectors and defenses tailored to CEXes. Imagine trying to log in to your centralized cryptocurrency exchange (CEX) account and your password and username just… don’t work. You […]

PyPI now supports archiving projects
PyPI now supports marking projects as archived. Project owners can now archive their project to let users know that the project is not expected to receive any more updates. Project archival is a single piece in a larger supply-chain security puzzle: by exposing archival statuses, PyPI enables downstream consumers to make more […]

Best practices for key derivation
Key derivation is essential in many cryptographic applications, including key exchange, key management, secure communications, and building robust cryptographic primitives. But it’s also easy to get wrong: although standard tools exist for different key derivation needs, our audits often uncover improper uses of these tools that could compromise key security. Flickr’s API […]

Celebrating our 2024 open-source contributions
While Trail of Bits is known for developing security tools like Slither, Medusa, and Fickling, our engineering efforts extend far beyond our own projects. Throughout 2024, our team has been deeply engaged with the broader security ecosystem, tackling challenges in open-source tools and infrastructure that security engineers rely on every day. This year, our engineers […]