hugs4bugs

Take Care of Your Agent

Thu, 04 Jun 2026 04:02:15 +0000

What Agentic AI Security Actually Looks Like in 2026”

There’s a joke going around red team reddit channels right now: the fastest way to get domain admin in 2026 is to write a prompt, not an exploit. It’s not far off.

AI agents are in production. They’re reading your emails, querying your databases, executing code, and calling APIs on behalf of your users. What most organizations haven’t done is figure out what security controls apply to something that isn’t a user but also isn’t quite software.

That’s the gap. And it’s being actively exploited.

This post is for security architects...

Your IDE Just Got Pwned: The Nx Console Supply Chain Attack

Fri, 22 May 2026 05:26:18 +0000

Your IDE is now part of your attack surface. The Nx Console breach on May 18, 2026 proves it.

What Happened — and Why It’s Worse Than a Typical Extension Compromise

Most extension compromises are sloppy — a typosquat, a stolen package name, a rogue maintainer who pushes a coin miner. This wasn’t that.

On May 18, 2026, version 18.95.0 of the Nx Console VS Code extension (nrwl.angular-console) was published to the Visual Studio Code Marketplace with malicious code baked in. The extension has over 2.2 million installs. The compromised version was live for exactly...

Locking Down VS Code Extensions in the Enterprise — Lessons from the GitHub Breach

Wed, 20 May 2026 09:03:37 +0000

By a Security Architect who’s tired of being surprised by developer endpoints

May 20, 2026. GitHub confirms that approximately 3,800 of its internal repositories were exfiltrated after a threat actor embedded malware inside a VS Code extension and a GitHub employee installed it. Critical secrets were rotated within hours.

official GitHub Tweet

This is not a vulnerability in GitHub’s platform. This is a developer endpoint with unchecked tooling. And that is a far scarier problem.

Why This Hit Different

Every time I see a supply chain incident, I run a quick mental exercise: “Could...

TLS Automation Isn't Optional Anymore. Here's What That Means for Your Stack.

Tue, 19 May 2026 17:53:24 +0000

Why manual TLS management is quietly breaking the web — and what the industry is doing about it.

Before We Start: What Problem Are We Actually Solving?

Picture this: it’s 2 AM. Your company’s e-commerce site starts throwing NET::ERR_CERT_DATE_INVALID errors in every browser. Customer support is flooded. Revenue is bleeding per minute. Your on-call engineer digs in, only to realize that the TLS certificate — the thing that keeps your site on HTTPS — quietly expired at midnight, and nobody set up an alert for it.

This isn’t a hypothetical. It happens to...

Docker Agent: Building Your Own AI Agent Teams from the Terminal

Tue, 12 May 2026 12:22:39 +0000

Docker Agent: Building Your Own AI Agent Teams from the Terminal

You’ve probably used GitHub Copilot to autocomplete a line of code, or maybe you’ve typed something into ChatGPT and copy-pasted the result into your editor. That workflow is… fine. But what if you could have a team of AI agents sitting in your terminal, each one with a specific job, passing work between each other, running your tests, reading your files, and actually finishing tasks end to end?

That’s what Docker Agent is. It’s an open-source framework for defining and running teams of specialized AI agents. Not one...

Docker Scout Security Policy: A Technical Deep Dive

Fri, 08 May 2026 19:13:52 +0000

Most teams treat container security as a one-time scan — push the image, check the CVE report, feel good, move on. That worked when you had a handful of services. It doesn’t scale when you’re running 40 microservices across three environments and someone quietly bumped a base image from node:18-alpine to node:18 last Tuesday.

Docker Scout’s Policy Evaluation is the answer to that problem. It takes the raw image analysis that Scout already does and puts a governance layer on top — letting you define what “good” looks like for your organization, track how far your...

NDR vs. EDR vs. XDR: A Deep Technical Breakdown for Security Engineers

Fri, 08 May 2026 18:51:37 +0000

Modern enterprise security stacks are crowded with acronyms. NDR, EDR, and XDR each occupy a distinct position in the detection and response landscapeâand conflating them leads to coverage gaps, redundant tooling, and wasted budget. This post breaks down each technology at a technical level, maps them to the SOC Visibility Triad, and helps you reason about how they should fit together in a mature security architecture.

The Core Problem: Fragmented Visibility

Enterprise environments are sprawling. An attacker compromising a single endpoint can move laterally across the network, exfiltrate data through encrypted channels, pivot into cloud workloads, and persist for...

Your AI Agent Just Exfiltrated Your SSH Keys. You Approved It.

Thu, 30 Apr 2026 12:00:00 +0000

Source: All technical content sourced from the official Docker Sandboxes documentation and Docker Engine Security docs.

The New Problem Sitting in Every Engineering Team’s Lap

AI coding agents changed how software gets written. Claude Code, GitHub Copilot CLI, Codex, Gemini CLI — these tools don’t just suggest code anymore, they execute it. They install packages, run builds, modify config files, call APIs, and spin up services. And by default, they do all of that on your machine, with your credentials, against your filesystem.

That’s fine until it isn’t. The moment an agent...

Logic App vs Security Copilot

Wed, 17 Dec 2025 00:00:00 +0000

Introduction: The Automation Dilemma

Today I do judge any organisation having mature SOC (Security Operation Center) not on the basis of Cybersecurity frameworks and Industry standards, I do see what extent they do have SOAR or automation placed, how much is MTTD and MTTR? and till what levels manual intervion is involved?

Since organisations should not have an option when it comes to SOAR , it should be mandatory considering emerging sophiticated threat landscape. They’re constantly asking which tool is right for the job. Should you use a battle-tested orchestrator like Logic Apps? Or embrace the new paradigm of AI-powered...

Sentinel Authentication:you're probably doing it wrong?

Wed, 15 Oct 2025 00:00:00 +0000

When your Security Operations Center starts automating incident response with Microsoft Sentinel playbooks or SOAR features (via Logic Apps), one question consistently surfaces during architecture reviews: “Which authentication method should we use?” I’ve seen teams default to OAuth because it’s familiar, only to face credential sprawl nightmares six months later. Others jump straight to managed identities without understanding when a service principal actually makes more sense.

Let’s directly jump to the point and talk about three authentication methods available for the Microsoft sentinel Logic Apps connector, when each one fits your security architecture and the operational realities that often get...

Email Security is broken?

Sun, 31 Aug 2025 00:00:00 +0000

Email security has become a cat-and-mouse game where attackers consistently outpace traditional defenses. While we’ve spent years perfecting signature-based detection and sandboxing, threat actors have moved to more sophisticated tactics: compromised accounts, domain spoofing, and slow-burn social engineering campaigns that span weeks or months.

The fundamental issue is that most email security solutions treat each message in isolation. They scan for malware, check against reputation databases, and apply content filters—but they miss the behavioral patterns that reveal the real threats. A CEO fraud email from a trusted domain with clean content will sail right through these defenses.

This is where...

MadeYouReset' HTTP/2 Vulnerability (CVE-2025-8671) Explained

Wed, 20 Aug 2025 00:00:00 +0000

Introduction

The internet carries much of its vital traffic over the HTTP protocol. With the evolution from HTTP/1.1 to HTTP/2, websites and web apps became dramatically faster, more responsive, and capable of handling heavier loads. But with these leaps forward come new, sometimes quietly lurking, risks. In 2023, the world’s top cloud providers faced the “Rapid Reset” vulnerability, which allowed attackers to crash powerful services using HTTP/2’s own stream management features. While defenses for that attack were deployed quickly, 2025 saw the discovery of a new twist: “MadeYouReset” (CVE-2025-8671). This crafty vulnerability asks a chilling question—what if attackers didn’t flood...

SIEM Done Right:3stage RoadMap

Fri, 15 Aug 2025 00:00:00 +0000

Last week I got a situation that stuck me “Why does SIEM feel like it’s fighting against us instead of helping us”? It’s a fair question. Too many organisations jumps into SIEM implementation assuming they’ll flip a switch and suddenly have perfect visibility. I have been observing since my last 6 years in cybersecurity domain that most of the organisation approach towards SIEM deployment is completly wrong.They are simply adopting facing tools and doing partenership with fancy vendors. The reality?

We all knows or those who got chance to work within SOC might agree with me. Building an effective SIEM...

Terraform's Secret Weapon: Write Only Arguments

Thu, 17 Jul 2025 00:00:00 +0000

If you’ve been working with Terraform for a while, you’ve probably run into this frustrating situation: you need to pass a password or API token to a resource, but you don’t want that sensitive data sitting in your state file for everyone to see. Maybe you’ve tried creative workarounds with external data sources or complex scripting, but let’s be honest – it always felt like a hack.

Well, good news! Terraform 1.11 introduces write-only arguments, and they’re about to change how we handle secrets in our infrastructure code. Think of them as a secure handoff mechanism – you can pass...

When Snyk Saved my Firebase Project

Tue, 15 Jul 2025 00:00:00 +0000

Yesterday, I got an unexpected visitor to my GitHub repository. Not a human contributor, but Snyk’s automated security bot, flagging a critical vulnerability in my Firebase project. What started as a routine dependency check turned into a fascinating case study of how modern security tools can catch threats that even experienced developers might miss.

The culprit? An uncontrolled resource consumption vulnerability lurking in the @grpc/grpc-js library, buried deep within Firebase’s dependency chain. With a severity score of 559 and the identifier SNYK-JS-GRPCGRPCJS-7242922, this wasn’t just another minor...

How Snyk broker solves the Enterprise Integration Puzzle?

Tue, 08 Jul 2025 00:00:00 +0000

Recently I got interviewed with a company and there I being asked a scernairo based question somewhat regarding Snyk Broker connector 3rd party tool and integration seems fine, but artifact scans are getting failed. So this question forced me to think about as organizations mature their DevSecOps practices, one of the biggest challenges they face is integrating security tools with their existing infrastructure while maintaining strict security boundaries. This is particularly true for enterprises with air-gapped environments, strict network policies, or sensitive codebases that cannot be exposed to external services.

Being Snyk Ambassador, let’s see hwo Snyk Broker solves the...

DNS4EU vs Cloudflare: Europe's Sovereign DNS Resolver — An Honest Security Review

Wed, 11 Jun 2025 00:00:00 +0000

Last month, something interesting happened in the DNS landscape that most security teams probably missed. DNS4EU went live in June 2025, marking Europe’s first serious attempt at building DNS infrastructure that doesn’t route through Silicon Valley. After spending time analyzing the technical implementation and testing the resolvers, here’s what security professionals need to know about this development. If you can’t read text I have aleternative solution for you as audio book

What DNS4EU Is?

DNS4EU represents more than just another public DNS resolver—it’s the EU’s strategic infrastructure play for...

Be a Detective with AWS Detective

Sat, 31 May 2025 00:00:00 +0000

In the ever-evolving landscape of cloud security, identifying and responding to threats swiftly is paramount. Amazon detective makes its easy for soc analyst or security engineer to analyse, investigate, and do RCA. Before jumping to the tehnical side, let’s understand the landscape of security Incidents investigation phase :

1.Triage – Figuring Out If There’s a Real Threat Imagine getting an alert that something suspicious might be happening in your system. Your first step is to check whether it’s a real problem or a false alarm.

Some alerts come from Amazon GuardDuty or Amazon Inspector, which help...

Stop Fighting Local LLMs:Docker Just fixed the Mess

Wed, 28 May 2025 00:00:00 +0000

If you’re like me and have been wrestling with running LLMs locally for development, Docker just dropped something that might change your workflow completely. The new “Models” tab you see in Docker Desktop isn’t just another UI addition—it’s part of Docker Model Runner, a beta feature that’s currently shaking up how we work with AI models locally.

What Exactly Is This Thing?

Docker Model Runner makes it easier for developers to run AI models locally. No extra setup, no jumping between tools, and no need to wrangle infrastructure.

Think of it as...

Ship AI Tools Like Apps with Docker's MCP ToolKit

Sun, 25 May 2025 00:00:00 +0000

Ship AI Tools Like Apps: Docker’s MCP ToolKit

The AI revolution is here, and every company wants their services to work seamlessly with large language models (LLMs). Wait a minute, I do recall a quote from “Ajeet’s talk “ is now every company an AI company?” and we all know the answer. Now the Model Context Protocol (MCP) – Anthropic’s open standard that’s rapidly becoming the bridge between LLMs and real-world applications. With Windows Copilot, Google Gemini, OpenAI’s ChatGPT, and Claude all embracing MCP, the message is clear: if you want LLMs to use your service, you need...

Build Your Own IOC Playground with ELastic SIEM

Sun, 09 Mar 2025 00:00:00 +0000

When it comes to proactive approach of security, threat Hunting comes to the picture. And being aware of IOC aka Indicators of Compromise gives an extra leverage to find malicious urls, hash, IP and block those and take proper action. In this lab, I’m gonna build homelab with Elastic Cloud and Elastic SIEM deployment and generate IOC with AbuseCH .

Basic HLD

Steps to create a hosted Deployment

Signup to Elastic Cloud
Click on Add Deployment
Launching Deployement
Incoming Data Confirmation

...

MPIC for All:An Open Approach to Certificate Security

Sun, 09 Mar 2025 00:00:00 +0000

Alright, let’s talk about making the internet a little safer when you get those “secure” padlocks in your browser. Imagine you’re trying to prove you own a house, and you only show the ID to one person. A sneaky bad guy could potentially trick that one person into thinking they’re you. That’s kind of what can happen with website security certificates, and a new project called Open Multi-Perspective Issuance Corroboration (MPIC) is trying to fix that.

Think of it like this: when a website wants to get a security certificate (that digital ID that says “this website is legit”), a...

Is Your SSH Port a Security Time Bomb? Understanding Wazuh Audit Insights

Sun, 09 Mar 2025 00:00:00 +0000

When it comes to system security, even small misconfigurations can open the door to cyberattacks. Tools like Wazuh, a Security Information and Event Management (SIEM) platform, help users perform audits to evaluate their system’s security posture. In this blog, we’ll walk you through understanding audit results and share actionable steps to secure your Unix-based system.

Understanding Wazuh System Audit Scores

A Wazuh audit generates a report that divides checks into three categories:

Passed: Checks that meet security standards.
Failed: Checks that require attention to improve security.
Not Applicable: Checks that...

Trust boundary vs Attack Surface Explained

Mon, 17 Feb 2025 00:00:00 +0000

I have often seen people get confused term “Trust Boundary” with “Attack Surface”, so let’s get it clear now with the context of a corporate network.

What Are Trust Boundaries?

Trust boundaries are the dividing lines that separate different zones within a system, each requiring specific security measures to protect sensitive data. Think of them as invisible fences within your digital landscape, ensuring that only authorized personnel can access certain areas.

In a corporate network, trust boundaries can be found between various departments, each with its own set of sensitive information. For instance:

HR Department: Contains employee records,...

Effortless Wazuh v4.10.0 upgrade using Docker

Sun, 12 Jan 2025 00:00:00 +0000

Upgrading your wazuh docker deployment to the latest version ensures you benift from the latest features, security patches and performance improvements.I have been using Wazuh docker deployment using single-node for my home lab so in this guide, I’ll walk through the process of upgrading wazuh from version 4.9.0 to v4.10.0 using docker.

Before upgrading, let’s ask this question why to upgrade wazuh to v4.10.0?

Enhanced Security: New Security patches & upgrades
Improved Performance: Better resource management and faster processing
New Features: Access to the latest tool, Yara rules and functions

Prerequisities

Docker and Docker compose installed in...

The Best Way to Fool Yourself:Use SMS 2FA

Sat, 04 Jan 2025 00:00:00 +0000

Okay in this blog I’m not gonna tell you about sim swapping or OTP bypassing or hijacking, I’ll try to keep as realistic I can for all layman people. Before we jump into our main topic let’s clear a few terms like MFA == Multifactor Authenticator , 2FA == Two Factor Authenticator.

Now let’s understand the problem statement with example of a person name called “Sivolko”. Meet sivolko, a software developer who relies heavily on various online accounts for both work and personal use. Sivolko is well aware of securing these accounts and has enabled Multifactor Authenticator (MFA) on all...

Log Analytics vs Log Analytics Workspace in Microsoft Sentinel: The Real Difference Explained

Thu, 02 Jan 2025 00:00:00 +0000

Problem Statement

I have seen many professionals,especially those new to Azure, often get confused between Log Analytics and Log Analytics Workspace during Microsoft Sentinel deployment. This confusion can lead to inefficient setups, increased costs, and suboptimal security postures. Being a security SME it’s crucial to share my personal and hands on expertise to avoid future confusions.Let’s break down these concepts to eliminate any ambiguity.

Understanding Log Analytics

Log Analytics is a service within Azure Monitor that collects and analyzes log data from various sources. Think of it as the engine that powers your log data analysis. It helps you gain...

Wazuh vs Elasticsearch: Why Wazuh Moved to OpenSearch and What It Means for Your SIEM

Wed, 01 Jan 2025 00:00:00 +0000

Before, we jump to our topic let’s recall what wazuh is? It’s a popular open source security monitoring platfrom . It’s HIDS aka host based intrusion Detection system. HIDs a Host-based Intrusion Detection System monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces. It focuses on detecting unauthorized access and malicious activities on individual hosts or devices.

Wazuh has shifted to opensearch from elasticsearch since version4.3 and current version is 4.9.2 . So let’s break down why it happened and how cybersecurity professional get benifited.

Licensing Issues

Streamline Security :Wazuh in Docker with Kali

Sun, 29 Dec 2024 00:00:00 +0000

If you’re a security professional,it might a chance you would be familier with SIEM aka Security Information Event Management used by SOC analyst or security engineers. In this homelab cybersecurity series I’m guiding you through step by step Wazuh as single node deployment using docker in Kali Machine.

Before that let’s understand Wazuh and It’s Architecture :-

Wazuh

Wazuh is open source security platform with unified XDR(Xtended Detection and Response) and SIEM platform which protects endpoints and cloud workloads.It has 3 major components

Wazuh Server:- mainlay used for Agent data collection
Wazuh Indexer:- for cluster communication
Wazuh Dashboard:-...

Why new session should be created during user authentication?

Wed, 03 Jul 2024 00:00:00 +0000

Let’s Understand a few Terms before jumping to our main topic viz “Why do we need a new session for user authentication”?

What’s Session?

In layman term session is the term used to refer to a user’s time browsing a webpage.It identifies the users to the app after they have logged in an is valid for a period of time. It contians activities like Page rendering, events e.g like, share, comments in session storages.

A web session is the sequence of network HTTP request and response transcations associated with the same user.WebApps/Websites use sessions once user has authenticated .This ensure...