Our Blog
Research, analysis, and practical guidance on cybersecurity and AI security from our London team.
Why 'Cognitive Debt' From AI Coding Agents Is a Security Problem
A widely shared talk from Notion design engineer Geoffrey Litt argues that as agents write more code, understanding it becomes the real bottleneck — and for security teams, that understanding gap is where review controls quietly fail.
Why SQL-Executing AI Agents Need Systematic Prompt Testing, Not Guesswork
A DSPy-driven experiment on Datasette Agent's SQL system prompt shows how ad hoc prompt tuning produces fragile, unpredictable guardrails for agents that touch live data.
Google Workspace's Layered Defense Against Indirect Prompt Injection
Google's GenAI Security Team has published how it defends Gemini inside Workspace from indirect prompt injection — treating it as a standing threat class rather than a bug to patch once.
Aztec Connect: $2.1M Stolen From a Bridge With No One Left to Fix It
A proof-verification flaw let an attacker drain a DeFi privacy bridge that Aztec Labs deprecated three years ago and can no longer patch, pause, or upgrade — a case study in what "immutable" really costs.
Natural-Language Video Search Is Rewriting the Surveillance Threat Model
New AI tools let analysts ask CCTV networks plain-language questions about behaviour instead of running a fixed menu of preset searches — and the Israel-Iran-Russia episode shows how fast that capability is spreading to adversaries as well as allies.
Agents That Film Their Own Work: The Security Read on shot-scraper video
Simon Willison's shot-scraper 1.10 lets coding agents record video "proof" of browser-driven work using Playwright's new screencast API — a convenience that quietly expands the credential and trust surface security teams need to govern.
Short-Sleeve RSA: How Zero-Block Prime Structure Exposed 603 Private Keys in the Wild
Trail of Bits and the badkeys project have uncovered a new class of factorable RSA key — one defined by evenly spaced zero-bit blocks in its prime factors — and found hundreds already deployed in real TLS, SSH, and PGP infrastructure.
Ornith-1.0: What Self-Scaffolding Agentic Code Models Mean for Security Teams
DeepReinforce's Ornith-1.0 is the first open-weights model family trained to write its own agentic scaffolding. That capability shift has direct implications for prompt-injection blast radius and autonomous-agent attack surfaces.
Sacramento Police Drone Disarms Suspect — and Opens a New Cyber-Physical Attack Surface
On 22 June 2026, a Sacramento County Sheriff's drone stripped a knife from a suspect's hand using a high-powered magnet. Security practitioners should read this less as a policing milestone and more as the opening of a new attack surface.
Taiko Bridge Drained $1.7M After SGX Signing Key Exposed on GitHub
An attacker leveraged a publicly committed SGX enclave key to forge withdrawal proofs on Taiko's Ethereum L2 bridge, draining $1.7 million before block production was halted on 22 June 2026.
Secret Network–Axelar Bridge Drained $4.67M via Infinite-Mint Bug Hidden for Seven Days
An attacker exploited a removed source-validation check to mint unbacked wrapped tokens on Secret Network, redeeming them through Axelar's legitimate channel — and nobody noticed for a week.
Counter-MEV Honeypot Drains jaredfromsubway.eth of $7.5 Million
Ethereum's most-active sandwich-attack bot was beaten at its own game — tricked by 66 fake token contracts into handing over real WETH, USDC, and USDT in a single sweep transaction.
Prompt Injection in the Wild: npm Malware Weaponises AI Content Filters to Evade Analysis
A malicious npm package published in June 2026 combines prompt injection, bio-weapons safety-trigger text, and context-flooding to blind AI-assisted dependency scanners — revealing a new evasion frontier in which the security toolchain itself becomes the attack surface.
AI Writes the CI/CD Pipeline: Auditing AI-Generated GitHub Actions Workflows
Simon Willison's browser-compat-db used two AI models to generate a complete build pipeline — a sign of where development is heading and a prompt to ask whether security review has kept pace.
Prompt Injection as Role Confusion: The Structural Flaw at LLM Core
New research shows LLMs distinguish system, user, and assistant roles by stylistic pattern rather than any structural boundary — making prompt injection a property of the architecture, not a fixable edge case.