Weaponizing image scaling against production AI systemsIn this blog post, we’ll detail how attackers can exploit image scaling on Gemini CLI, Vertex AI Studio, Gemini’s web and API interfaces, Google Assistant, Genspark, and other production AI systems. We’ll also explain how to mitigate and defend against these attacks, and we’ll introduce Anamorpher, our open-source tool that lets you explore and generate these crafted images.
Marshal madness: A brief history of Ruby deserialization exploitsThis post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches.
Trail of Bits' Buttercup wins 2nd place in AIxCC ChallengeOur team won the runner-up prize of $3M at DARPA’s AI Cyber Challenge, demonstrating Buttercup’s world-class automated vulnerability discovery and patching capabilities with remarkable cost efficiency.
Buttercup is now open-source!Now that DARPA’s AI Cyber Challenge (AIxCC) has officially ended, we can finally make Buttercup, our CRS (Cyber Reasoning System), open source!
AIxCC finals: Tale of the tapeWhile the AIxCC winner has not yet been announced, differences in the finalists’ approaches show that there are multiple viable paths forward to using AI for vulnerability detection.
Prompt injection engineering for attackers: Exploiting GitHub CopilotPrompt injection pervades discussions about security for LLMs and AI agents. But there is little public information on how to write powerful, discreet, and reliable prompt injection exploits. In this post, we will design and implement a prompt injection exploit targeting GitHub’s Copilot Agent, with a focus on maximizing reliability and minimizing the odds of detection.
Uncovering memory corruption in NVIDIA Triton (as a new hire)In my first month at Trail of Bits as an AI/ML security engineer, I found two remotely accessible memory corruption bugs in NVIDIA’s Triton Inference Server during a routine onboarding practice.
The Unconventional Innovator ScholarshipTrail of Bits founder Dan Guido establishes a $2,500 scholarship at his alma mater, Mineola High School, to recognize students who demonstrate the hacker spirit through self-driven learning, creative problem-solving, and unconventional technological exploration. The scholarship celebrates tomorrow’s security innovators who push boundaries and think differently about technology.
Hijacking multi-agent systems in your PajaMASWe’re releasing pajaMAS: a curated set of MAS hijacking demos that illustrate important principles of MAS security.
We built the security layer MCP always neededToday we’re announcing the beta release of mcp-context-protector, a security wrapper for LLM apps using the Model Context Protocol (MCP). It defends against the line jumping attacks documented earlier in this blog series, such as prompt injection via tool descriptions and ANSI terminal escape codes.
Exploiting zero days in abandoned hardwareWe successfully exploited two discontinued network devices at DistrictCon’s inaugural Junkyard competition in February, winning runner-up for Most Innovative Exploitation Technique. Our exploit chains demonstrate why end-of-life hardware poses persistent security risks.
Inside EthCC[8]: Becoming a smart contract auditorAt EthCC[8], Trail of Bits blockchain security engineer Nicolas Donboly laid out a clear, actionable path for aspiring smart contract auditors, drawing from his own experience transitioning from a non-technical background into a leading security role.
Detecting code copying at scale with VendetectVendetect is our new open-source tool for detecting copied and vendored code between repositories. It uses semantic fingerprinting to identify similar code even when variable names change or comments disappear. More importantly, unlike academic plagiarism detectors, it understands version control history, helping you trace vendored code back to its exact source commit.
Building secure messaging is hard: A nuanced take on the Bitchat security debateThe release of Bitchat last week was met with a mixture of glowing praise and sharp criticism. Both extremes bear some truth, but they also miss the mark and reveal gaps in how we discuss security in emerging products.
Investigate your dependencies with DeptectiveDeptective, our new open-source tool, automatically finds the packages needed to install software dependencies. It does so not based on the software’s self-reported requirements, but by observing what the software needs at runtime.
Buckle up, Buttercup, AIxCC’s scored round is underway!Our CRS (Cyber Reasoning System), Buttercup, is now competing in the one and only scored round of DARPA’s AI Cyber Challenge (AIxCC) against six other teams to see which autonomous AI-driven system can find and patch the most software vulnerabilities.
Maturing your smart contracts beyond private key riskPrivate key compromise accounted for 43.8% of crypto hacks in 2024, yet traditional smart contract audits rarely address architectural access control weaknesses. This post introduces a four-level maturity framework for designing protocols that can tolerate key compromise, progressing from single EOA control to radical immutability, with practical examples demonstrating multisigs, timelocks, and the principle of least privilege.
Unexpected security footguns in Go's parsersFile parsers in Go contain unexpected behaviors that can lead to serious security vulnerabilities. This post examines how JSON, XML, and YAML parsers in Go handle edge cases in ways that have repeatedly resulted in high-impact security issues in production systems. We explore three real-world attack scenarios: marshaling/unmarshaling unexpected data, exploiting parser differentials, and leveraging data format confusion. Through examples, we demonstrate how attackers can bypass authentication, circumvent authorization controls, and exfiltrate sensitive data by exploiting these parser behaviors.
What we learned reviewing one of the first DKLs23 libraries from Silence LaboratoriesIn October 2023, we audited Silence Laboratories’ DKLs23 threshold signature scheme (TSS) library—one of the first production implementations of this then-novel protocol that uses oblivious transfer (OT) instead of traditional Paillier cryptography. Our review uncovered serious flaws that could enable key destruction attacks, which Silence Laboratories promptly fixed.
A deep dive into Axiom’s Halo2 circuitsOver two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents many challenges when building a secure application, including potential under-constrained issues resulting from its low-level API.
The Custodial Stablecoin Rekt TestIntroducing the Custodial Stablecoin Rekt Test; a new spin on the classic Rekt Test for evaluating the security maturity of stablecoin issuers.
The cryptography behind passkeysThis post will examine the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates.
Datasig: Fingerprinting AI/ML datasets to stop data-borne attacksDatasig generates compact, unique fingerprints for AI/ML datasets that let you compare training data with high accuracy—without needing access to the raw data itself.This critical capability helps AIBOM (AI bill of materials) tools detect data-borne vulnerabilities that traditional security tools completely miss.
Making PyPI's test suite 81% fasterSee how we slashed PyPI’s test suite runtime from 163 to 30 seconds.The techniques we share can help you dramatically improve your own project’stesting performance without sacrificing coverage.
Insecure credential storage plagues MCPThis post describes how many examples of MCP software store long-term API keys for third-party services in plaintext on the local filesystem, often with insecure, world-readable permissions.
